Best Practice: Managing sandbox-manager Self-Signed Certificates with cert-manager
This document provides a best practice for managing and deploying sandbox-manager self-signed certificates using cert-manager.
Prerequisites
- sandbox-manager is installed in the cluster
- The kubectl command-line tool is available with appropriate permissions
Step 1: Install cert-manager
If you haven't installed cert-manager yet, please refer to the official documentation for installation.
Step 2: Automatic Certificate Management with cert-manager
- Replace "*.your.domain.com" and "your.domain.com" in cert-manager.yaml with your domain.
- Add the configuration to the Kubernetes cluster:
kubectl apply -f cert-manager.yaml
Step 3: Verify Certificate Status
Check if certificates are created and issued correctly:
kubectl get certificates -n sandbox-system
kubectl describe certificate sandbox-manager-ingress-cert -n sandbox-system
kubectl describe secret sandbox-manager-tls -n sandbox-system
Check Ingress status:
kubectl get ingress sandbox-manager -n sandbox-system
kubectl describe ingress sandbox-manager -n sandbox-system
Step 4: Configure Client Trust
Since you are using self-signed certificates, clients need to trust the root CA certificate.
4.1 Obtain CA Certificate
kubectl get secret sandbox-ca-key-pair -n sandbox-system -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.crt
4.2 Configure Client
Clients need to set the environment variable SSL_CERT_FILE to the path of the obtained CA certificate:
export SSL_CERT_FILE=/path/to/ca.crt
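Before ca.crt is handed to clients, it is worth confirming that the file from step 4.1 really is a CA certificate, and that the certificate stored in sandbox-manager-tls chains to it and covers the hostnames clients will use. The script below is an added example, not part of the sandbox-manager project: the function names are hypothetical, it assumes the openssl CLI is installed, and make_demo_pki builds a constructed throwaway CA and leaf that stand in for the two secrets.

```sh
#!/bin/sh
# Added example, not sandbox-manager project code. Requires the openssl CLI.
# Only tls.crt is ever read; tls.key in sandbox-ca-key-pair stays in the cluster.

# is_ca CERT: true only if CERT carries basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# chains_to CA CERT: true only if CERT verifies against CA.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# covers_host CERT HOST: true only if a SAN in CERT matches HOST.
covers_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# check_trust CA CERT HOST: run all three checks, report the first failure.
check_trust() {
  is_ca "$1" || { echo "FAIL: $1 is not a CA certificate"; return 1; }
  chains_to "$1" "$2" || { echo "FAIL: $2 does not chain to $1"; return 1; }
  covers_host "$2" "$3" || { echo "FAIL: $2 has no SAN for $3"; return 1; }
  echo "OK: $2 chains to $1 and covers $3"
}

# make_demo_pki DIR DOMAIN: constructed throwaway CA and leaf that stand in
# for the tls.crt of sandbox-ca-key-pair and sandbox-manager-tls (demo only).
make_demo_pki() {
  cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$2,DNS:*.$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/pki.cnf" \
    -subj "/CN=constructed demo CA" -extensions ca_ext \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=$2" -keyout "$1/tls.key" -out "$1/tls.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/tls.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -extfile "$1/pki.cnf" -extensions leaf_ext \
    -out "$1/tls.crt" 2>/dev/null
}

# Demo on constructed files; api.your.domain.com is a made-up hostname.
d=$(mktemp -d) && make_demo_pki "$d" your.domain.com && check_trust "$d/ca.crt" "$d/tls.crt" api.your.domain.com
```

Against a real cluster, export tls.crt from sandbox-manager-tls with the same jsonpath command as in 4.1 and pass it to check_trust together with ca.crt and a hostname under your domain. A wildcard entry such as *.your.domain.com matches exactly one label, so a.b.your.domain.com is reported as not covered.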