Skip to content

clusterissuer Setup Guide

This guide will walk you through setting up clusterissuer, certificate management for Kubernetes.

Prerequisites

Set Scale Nameservers

It is important to configure Scale with reliable nameserver to avoid issues handling DNS-01 challenges. Under Network -> Global Configuration-> Nameservers, we recommend setting 1.1.1.1/1.0.0.1 or 8.8.8.8/8.8.4.4.

clusterissuer scale nameservers

Install clusterissuer App

clusterissuer app card

Configure ACME Issuer

You can setup multiple domains and/or DNS providers with a single clusterissuer app.

Cloudflare DNS Provider

Create a Cloudflare API token

Login to Cloudflare dashboard and go to the Cloudflare API Tokens page. Select Edit Zone DNS template.

clusterissuer app card

The recommended API Token permissions are below: clusterissuer app card

Cloudflare ACME Issuer Settings

  • Name: Name of the issuer entry; such as “cert” or “cloudflareprod”. This name will be used later in the app ingress configuration
  • Type of DNS Provider: Cloudflare
  • Server: Letsencrypt-Production
  • Email: The email address you register with Let’s Encrypt for renewal/expiration notices
  • Cloudflare API key: Leave blank since API token will be used
  • Cloudflare API Token: Populate with token created from above.

clusterissuer edit dialog

More detail can be found on the upstream Cert-Manager documentation for Cloudflare.

Route 53 DNS Provider

To be completed

Akamai DNS Provider

To be completed

Digital Ocean DNS Provider

To be completed

Configure Ingress using clusterissuer

Here’s an example on how to add ingress to an app with clusterissuer for a single domain only.

Add the name of the ACME Issuer into certificateIssuer

configure ingress using clusterissuer

If you want to support multiple domains on a single app, use the Add button next to Hosts.

Verifying clusterissuer is working

Once installed using the Ingress settings above, you can see the Application Events for the app in question to pull the certificate and issue the challenge directly. See the example below:

clusterissuer4 clusterissuer5

Renewals are handled automatically by clusterissuer.