{"id":18833991,"url":"https://github.com/jetstack/jetstack-secure-gcm","last_synced_at":"2026-01-27T04:31:44.607Z","repository":{"id":43788786,"uuid":"331633831","full_name":"jetstack/jetstack-secure-gcm","owner":"jetstack","description":"Contains configuration and user guide for the Jetstack Secure for cert-manager offering on the Google Cloud Marketplace.","archived":false,"fork":false,"pushed_at":"2022-09-08T08:49:52.000Z","size":828,"stargazers_count":1,"open_issues_count":11,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-29T17:53:33.438Z","etag":null,"topics":["cert-manager","google-cloud-marketplace","jetstack-secure"],"latest_commit_sha":null,"homepage":"https://platform.jetstack.io/docs/google-cloud-marketplace","language":"Mustache","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jetstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-21T13:18:51.000Z","updated_at":"2022-09-07T15:47:51.000Z","dependencies_parsed_at":"2022-08-21T14:20:25.560Z","dependency_job_id":null,"html_url":"https://github.com/jetstack/jetstack-secure-gcm","commit_stats":null,"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/jetstack/jetstack-secure-gcm","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fjetstack-secure-gcm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fjetstack-secure-gcm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fjetstack-secure-gcm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/jetstack%2Fjetstack-secure-gcm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jetstack","download_url":"https://codeload.github.com/jetstack/jetstack-secure-gcm/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jetstack%2Fjetstack-secure-gcm/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28802061,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T03:44:14.111Z","status":"ssl_error","status_checked_at":"2026-01-27T03:43:33.507Z","response_time":168,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cert-manager","google-cloud-marketplace","jetstack-secure"],"created_at":"2024-11-08T02:06:03.171Z","updated_at":"2026-01-27T04:31:44.590Z","avatar_url":"https://github.com/jetstack.png","language":"Mustache","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Jetstack Secure for cert-manager on the Google Cloud Marketplace\n\n## Overview\n\nJetstack Secure runs inside the Kubernetes clusters and provides higher\nlevels of control and management around machine identity protection. It\nexists to solve real enterprise problems from a lack of control and\nvisibility of machine identities and how they map to the organisation's\ncloud infrastructure. 
As workloads start to scale, the need for machine\nidentity management grows.\n\nJetstack Secure is built on top of cert-manager and uses native integration\nwith the Kubernetes API to secure workloads between clusters and nodes to\nprotect from outside malicious intent, and provide real-time visual status\non cluster integrity. cert-manager has become the de facto solution for\nissuing and renewing certificates from popular public and private\ncertificate issuers. Platform operators can provide fast and easy\nself-service to development teams, whilst maintaining control and\nprotection at all times.\n\nKey benefits of Jetstack Secure:\n\n- Builds a detailed view of the security posture using a management UI to\n  monitor and manage the TLS certificates assigned to each cluster\n- Integrates natively with Kubernetes and OpenShift\n- Automates the full X.509 certificate lifecycle\n- Prevents certificate-related outages and security breaches\n- Modern declarative \"as code\" configuration and automation\n- Ensures workloads comply with corporate security best practice\n- Enforces security through continuous monitoring of machine identities\n\n## How it works\n\nA lightweight agent is installed to clusters to observe the status and\nhealth of machine identities, including those that have been manually\ncreated by developers. The web based management interface gives visibility\nof these identities and the context such as pod, namespace and cluster, to\nquickly identify and troubleshoot misconfigurations that risk operational\nand security posture. 
As the infrastructure scales, Jetstack Secure\nprovides a rich set of additional tools and support capabilities to give\nmore effective overall management of clusters.\n\n**Contents:**\n\n- [Overview](#overview)\n- [How it works](#how-it-works)\n- [Click-to-deploy installation](#click-to-deploy-installation)\n  - [Step 1: Install Jestack Secure for cert-manager](#step-1-install-jestack-secure-for-cert-manager)\n  - [Step 2: log into the Jetstack Secure dashboard](#step-2-log-into-the-jetstack-secure-dashboard)\n  - [Step 3 (optional): set up the Google Certificate Authority Service](#step-3-optional-set-up-the-google-certificate-authority-service)\n- [CLI installation](#cli-installation)\n  - [Prerequisites](#prerequisites)\n    - [Set up command line tools](#set-up-command-line-tools)\n    - [Select a GCP project](#select-a-gcp-project)\n    - [Create a Google Kubernetes Engine cluster](#create-a-google-kubernetes-engine-cluster)\n    - [Configure kubectl to connect to the cluster](#configure-kubectl-to-connect-to-the-cluster)\n    - [Clone this repo](#clone-this-repo)\n    - [Install the Application resource definition](#install-the-application-resource-definition)\n  - [Install the application](#install-the-application)\n    - [Configure the application with environment variables](#configure-the-application-with-environment-variables)\n  - [Download and apply the license](#download-and-apply-the-license)\n  - [Expand the manifest template](#expand-the-manifest-template)\n    - [Apply the manifest to your Kubernetes cluster](#apply-the-manifest-to-your-kubernetes-cluster)\n    - [View the app in the Google Cloud Console](#view-the-app-in-the-google-cloud-console)\n\n⚠ Due to a [breaking change][breaking] in the Application CRD, the\nversions **1.1** and **1.3** available on the Google Cloud Marketplace cannot be\ninstalled anymore. 
Installing version 1.1 or 1.3 leads to the following error:\n\n```\nerror: error validating \"/data/resources.yaml\": error validating data:\nValidationError(Application.spec.descriptor): unknown field \"info\" in\nio.k8s.app.v1beta1.Application.spec.descriptor; if you choose to ignore\nthese errors, turn validation off with --validate=false\n```\n\nThe versions **1.1** and **1.3** have been deprecated since 24 June 2021 and will be\nremoved on 14 January 2022. We invite users to upgrade to the latest version of\nthe application.\n\n[breaking]: https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/issues/566\n\n## Click-to-deploy installation\n\nThis guide describes how to install Jetstack Secure for cert-manager via\nthe Google Cloud Marketplace web UI. Alternatively, you can follow the [CLI\ninstallation instructions](#cli-installation).\n\n### Step 1: Install Jestack Secure for cert-manager\n\nHead over to the [Jetstack Secure for\ncert-manager](https://console.cloud.google.com/marketplace/details/jetstack-public/jetstack-secure-for-cert-manager)\nsolution page on the Google Cloud Marketplace and click on the \"Configure\" button.\n\nOn the next screen, you will be asked to either select an existing cluster\nor create a new one, as well as to choose the Kubernetes namespace in which\nthe application will be created.\n\nNote that this application is not meant to run as multiple instances\non the same cluster. Before installing the application on a cluster, make\nsure that no other instance of Jetstack Secure for cert-manager is\nrunning on that cluster.\n\nWe recommend not installing Jetstack Secure for cert-manager in the\n`default` namespace. Prefer a different namespace name such as\n`jetstack-secure`.\n\nRegarding the App instance name, we recommend using an application name\nsuch as `jetstack-secure`. 
This app instance name will appear as a prefix\nof all the Kubernetes objects.\n\nThe remaining settings can be left at their default values.\n\nWhen you are done, click the \"Deploy\" button:\n\n\u003cimg src=\"https://user-images.githubusercontent.com/2195781/109023553-31b87200-76bd-11eb-8fc4-a9e46ae44582.png\" width=\"600px\" alt=\"this screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\nThis will install Jetstack Secure for cert-manager, and will redirect you to\nthe [Applications](https://console.cloud.google.com/kubernetes/application) page:\n\n\u003cimg src=\"https://user-images.githubusercontent.com/2195781/110795922-a96acd00-8277-11eb-959e-bf7ea51ae992.png\" width=\"500\" alt=\"The application page for test-1 shows that all the deployments are green. This screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\n**Note:** by default, the `preflight` deployment is scaled to 0. After\ncompleting the steps in the [next\nsection](#step-2-log-into-the-jetstack-secure-dashboard), the deployment will\nstart working.\n\n### Step 2: log into the Jetstack Secure dashboard\n\nHead to \u003chttps://platform.jetstack.io\u003e and click on the \"Getting started\"\nbutton:\n\n\u003cimg src=\"https://user-images.githubusercontent.com/6227720/116088811-1e645b80-a69a-11eb-8ea7-8489cb8124f9.png\" width=\"600px\" alt=\"The Jetstack Secure platform landing page. This screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\nYou will be prompted to log in. If you do not already have an account, you\nwill be able to create one:\n\n\u003cimg src=\"https://user-images.githubusercontent.com/2195781/109153999-f7f37400-776d-11eb-9042-fb34a2e8accc.png\" width=\"600px\" alt=\"The Jetstack Secure login page. 
This screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\nWhen you create a new account, you will have to accept the ToS. Once read, if you're happy to continue, check the \"I accept the Terms of Service\" box and submit. Optionally, you can enable general marketing information to be sent to you.\n\n\u003cimg src=\"https://user-images.githubusercontent.com/6227720/116088589-eb21cc80-a699-11eb-8f1d-48804ecbffd9.png\" width=\"600px\" alt=\"The Jetstack Secure ToS page. This screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\nWhen you create a new account, you'll be presented with the \"Cluster Summary\" screen, where you can add a new cluster by pressing the \"Add Cluster\" button.\n\n\u003cimg src=\"https://user-images.githubusercontent.com/6227720/116088269-9ed68c80-a699-11eb-9676-01a0fa5f0e5c.png\" width=\"600px\" alt=\"Add cluster button. This screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\nChoose a name for your cluster. This name is not related to the Google\nKubernetes Engine cluster you selected when you deployed the application.\nThis name is only used to show your cluster in the Jetstack Secure\ndashboard. Cluster names can only contain alphanumeric values, dots and\nunderscores.\n\nAfter picking a name, press the \"Save cluster name\" button:\n\n\u003cimg src=\"https://user-images.githubusercontent.com/6227720/116088112-777fbf80-a699-11eb-8f08-418a8777917a.png\" width=\"600px\" alt=\"Choose your cluster name and click the save cluster name button. This screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\nAt this stage, you have two options depending on which Kubernetes namespace you installed Jetstack Secure in. 
If you chose the `jetstack-secure` namespace, you can click the \"Copy Installation Command To Clipboard\" button, which will be enabled once a cluster name is set. This command contains manifests to create a namespace, configuration \u0026 secrets to be used by the agent as well as the manifests to install the agent itself.\n\nAs the installation of the agent has been performed by the google cloud marketplace steps earlier, the only parts of this command you need are the `ConfigMap` and `Secret` resources. Using a text editor, isolate those parts of the command and apply them, excluding the namespace and agent manifests:\n\n```yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: agent-config\ndata:\n  config.yaml: |-\n    server: \"https://platform.jetstack.io\"\n    organization_id: \"jetstack\"\n    cluster_id: \"foobar\"\n    data-gatherers:\n    # pods data is used in the pods and application_versions packages\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/pods\"\n      config:\n        resource-type:\n          resource: pods\n          version: v1\n    # gather services for pod readiness probe rules\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/services\"\n      config:\n        resource-type:\n          resource: services\n          version: v1\n    # gather higher level resources to ensure data to determine ownership is present\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/deployments\"\n      config:\n        resource-type:\n          version: v1\n          resource: deployments\n          group: apps\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/replicasets\"\n      config:\n        resource-type:\n          version: v1\n          resource: replicasets\n          group: apps\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/statefulsets\"\n      config:\n        resource-type:\n          version: v1\n          resource: statefulsets\n          group: apps\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/daemonsets\"\n      config:\n        
resource-type:\n          version: v1\n          resource: daemonsets\n          group: apps\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/jobs\"\n      config:\n        resource-type:\n          version: v1\n          resource: jobs\n          group: batch\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/cronjobs\"\n      config:\n        resource-type:\n          version: v1beta1\n          resource: cronjobs\n          group: batch\n    # gather resources for cert-manager package\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/secrets\"\n      config:\n        resource-type:\n          version: v1\n          resource: secrets\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/certificates\"\n      config:\n        resource-type:\n          group: cert-manager.io\n          version: v1\n          resource: certificates\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/ingresses\"\n      config:\n        resource-type:\n          group: networking.k8s.io\n          version: v1beta1\n          resource: ingresses\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/certificaterequests\"\n      config:\n        resource-type:\n          group: cert-manager.io\n          version: v1\n          resource: certificaterequests\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/issuers\"\n      config:\n        resource-type:\n          group: cert-manager.io\n          version: v1\n          resource: issuers\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/clusterissuers\"\n      config:\n        resource-type:\n          group: cert-manager.io\n          version: v1\n          resource: clusterissuers\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/googlecasissuers\"\n      config:\n        resource-type:\n          group: cas-issuer.jetstack.io\n          version: v1alpha1\n          resource: googlecasissuers\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/googlecasclusterissuers\"\n      config:\n        resource-type:\n          group: cas-issuer.jetstack.io\n          version: 
v1alpha1\n          resource: googlecasclusterissuers\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/mutatingwebhookconfigurations\"\n      config:\n        resource-type:\n          group: admissionregistration.k8s.io\n          version: v1\n          resource: mutatingwebhookconfigurations\n    - kind: \"k8s-dynamic\"\n      name: \"k8s/validatingwebhookconfigurations\"\n      config:\n        resource-type:\n          group: admissionregistration.k8s.io\n          version: v1\n          resource: validatingwebhookconfigurations\n---\napiVersion: v1\nkind: Secret\nmetadata:\n  name: agent-credentials\ndata:\n  credentials.json: \u003cdata\u003e\n```\n\nAfter making the required modifications, save the file. It will be referred to as `agent-config.yaml` for the remainder of this tutorial.\n\nFor the next step, make sure you have the following information available\nto you:\n\n- The **namespace** and **cluster name** on which you installed the\n  application. If you are not sure about this, you can open the\n  [Applications](https://console.cloud.google.com/kubernetes/application)\n  page:\n\n  \u003cimg src=\"https://user-images.githubusercontent.com/2195781/109160123-ad75f580-7775-11eb-9da6-2b912ab3de96.png\" width=\"600px\" alt=\"Grab the namespace and cluster name on the  applications page in the Google Kubernetes Engine console. this screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\n- The **location** of the cluster in which you installed the application;\n  if you are not sure about this, you can open the\n  [Applications](https://console.cloud.google.com/kubernetes/application)\n  page and click on the name of the cluster:\n\n  \u003cimg src=\"https://user-images.githubusercontent.com/2195781/109160131-af3fb900-7775-11eb-9a46-c1bcebdf8315.png\" width=\"600px\" alt=\"Click on the cluster name on the applications page in the Google Kubernetes Engine console. 
this screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\n  \u003cimg src=\"https://user-images.githubusercontent.com/2195781/109160135-afd84f80-7775-11eb-9f74-0847413cab7f.png\" width=\"600px\" alt=\"Grab the cluster location on the GKE console page of your GKE cluster. this screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\nThe next steps require a terminal as well as the\n[gcloud](https://cloud.google.com/sdk/docs/install) and\n[kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) tools\ninstalled.\n\nIn the terminal window, set the variables from the information we gathered\nin the previous step:\n\n```sh\nCLUSTER=foobar\nLOCATION=us-east1-b\nNAMESPACE=jetstack-secure\n```\n\nThe next step makes sure `kubectl` can connect to your cluster:\n\n```sh\ngcloud auth login\ngcloud container clusters get-credentials --zone=$LOCATION $CLUSTER\n```\n\nApply the `agent-config.yaml` manifests, so that the agent can communicate with the Jetstack Secure platform:\n\n```sh\nkubectl -n $NAMESPACE apply -f agent-config.yaml\nkubectl -n $NAMESPACE rollout restart $(kubectl -n $NAMESPACE get deploy -oname | grep agent)\n```\n\nYou will now be able to \"activate\" the Preflight deployment:\n\n```sh\nkubectl -n $NAMESPACE scale deploy --replicas=1 --selector=app.kubernetes.io/name=agent\n```\n\nYou should eventually see that the pod is `READY 1/1`:\n\n```sh\n% kubectl -n $NAMESPACE get pod -l app.kubernetes.io/component=preflight\nNAME                                         READY   STATUS     AGE\nagent-6b8d5ccb6f-6gnjm                       1/1     Running    20h\n```\n\nAfter seeing `READY 1/1`, return to the dashboard. Once the agent has started communicating with the preflight platform, you will be taken to the cluster view. 
At this point, installation is complete and you can begin to monitor resources within the dashboard.\n\nBelow is an example of how to issue a certificate. We create a self-signed issuer and sign a\ncertificate that only lasts for 30 days:\n\n```sh\nkubectl apply -f- \u003c\u003cEOF\napiVersion: cert-manager.io/v1\nkind: Issuer\nmetadata:\n  name: example-selfsigned-issuer\nspec:\n  selfSigned: {}\n---\napiVersion: cert-manager.io/v1\nkind: Certificate\nmetadata:\n  name: example-cert\nspec:\n  duration: 721h # roughly 30 days, a very short time to live\n  secretName: example-cert-tls\n  commonName: example-cert\n  dnsNames:\n  - example.com\n  issuerRef:\n    name: example-selfsigned-issuer\n    kind: Issuer\nEOF\n```\n\nA few seconds later, you will see the certificate `example-cert` appear in\nthe Jetstack Secure Platform UI:\n\n\u003cimg src=\"https://user-images.githubusercontent.com/2195781/110807883-bf7e8a80-8283-11eb-9d0d-57be5c063d3d.png\" width=\"500\" alt=\"The certificate example-cert shows in the UI at platform.jetstack.io. 
This screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\n### Step 3 (optional): set up the Google Certificate Authority Service\n\n[Google Certificate Authority Service][google-cas] is a highly available,\nscalable Google Cloud service that enables you to simplify, automate, and\ncustomize the deployment, management, and security of private certificate\nauthorities (CA).\n\nIf you wish to use [Google Certificate Authority Service][google-cas] to issue\ncertificates, you can create a root certificate authority and a subordinate\ncertificate authority (i.e., an intermediate CA) on your Google Cloud project.\nTo create a root and a subordinate CA, please follow the [official\ndocumentation](https://cloud.google.com/certificate-authority-service/docs/creating-certificate-authorities).\n\n[google-cas]: https://cloud.google.com/certificate-authority-service/\n\nAfter creating the root and subordinate, set the following variable with\nthe subordinate name:\n\n```sh\nLOCATION=europe-west1\nSUBORDINATE=example-ca-1\n```\n\n\u003e Note that you can list your current subordinate CAs with the following\n\u003e command:\n\u003e\n\u003e ```sh\n\u003e % gcloud beta privateca subordinates list\n\u003e NAME          LOCATION      STATE         NOT_BEFORE         NOT_AFTER\n\u003e example-ca-1  europe-west1  ENABLED       2021-02-02T11:41Z  2024-02-03T05:08Z\n\u003e ```\n\nThe next step is to create a Google service account that will be used by\nthe application in order to reach the Google Certificate Authority Service\nAPI:\n\n```sh\n# The app instance name is the name of the application you created. 
If you\n# forgot which name you gave to your application, take a look at:\n# https://console.cloud.google.com/kubernetes/application.\nAPP_INSTANCE_NAME=some-name\n\n# This is the namespace in which the application has been deployed.\nNAMESPACE=some-namespace\n\ngcloud iam service-accounts create $APP_INSTANCE_NAME\n```\n\nGive the Google service account the permission to issue certificates using\nthe Google CAS API:\n\n```sh\ngcloud beta privateca subordinates add-iam-policy-binding $SUBORDINATE \\\n  --role=roles/privateca.certificateRequester \\\n  --member=serviceAccount:$APP_INSTANCE_NAME@$(gcloud config get-value project | tr ':' '/').iam.gserviceaccount.com\n```\n\nFinally, bind this Google service account to the Kubernetes service account\nthat was created by the above `kubectl apply` command. To bind them, run\nthe following:\n\n```sh\ngcloud iam service-accounts add-iam-policy-binding $APP_INSTANCE_NAME@$(gcloud config get-value project | tr ':' '/').iam.gserviceaccount.com \\\n  --role roles/iam.workloadIdentityUser \\\n  --member \"serviceAccount:$(gcloud config get-value project | tr ':' '/').svc.id.goog[$NAMESPACE/google-cas-issuer]\"\n```\n\nYou can now create a cert-manager Google CAS issuer and have a certificate\nissued with the following:\n\n```sh\ncat \u003c\u003cEOF | tee /dev/stderr | kubectl apply -f -\napiVersion: cas-issuer.jetstack.io/v1alpha1\nkind: GoogleCASIssuer\nmetadata:\n  name: googlecasissuer\nspec:\n  project: $(gcloud config get-value project | tr ':' '/')\n  location: $LOCATION\n  certificateAuthorityID: $SUBORDINATE\n---\napiVersion: cert-manager.io/v1\nkind: Certificate\nmetadata:\n  name: demo-certificate\nspec:\n  secretName: demo-cert-tls\n  commonName: example.com\n  dnsNames:\n    - example.com\n  duration: 24h\n  renewBefore: 8h\n  issuerRef:\n    group: cas-issuer.jetstack.io\n    kind: GoogleCASIssuer\n    name: googlecasissuer\nEOF\n```\n\nYou can check that the certificate has been issued with:\n\n```sh\n% kubectl 
describe cert demo-certificate\nEvents:\n  Type    Reason     Age   From          Message\n  ----    ------     ----  ----          -------\n  Normal  Issuing    20s   cert-manager  Issuing certificate as Secret was previously issued by GoogleCASIssuer.cas-issuer.jetstack.io/googlecasissuer-sample\n  Normal  Reused     20s   cert-manager  Reusing private key stored in existing Secret resource \"demo-cert-tls\"\n  Normal  Requested  20s   cert-manager  Created new CertificateRequest resource \"demo-certificate-v2rwr\"\n  Normal  Issuing    20s   cert-manager  The certificate has been successfully issued\n```\n\n## CLI installation\n\nYou can use [Google Cloud Shell](https://cloud.google.com/shell/) or a\nlocal workstation to complete these steps.\n\n[![Open in Cloud Shell](https://gstatic.com/cloudssh/images/open-btn.svg)](https://console.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/jetstack/jetstack-secure-gcm\u0026cloudshell_working_dir=/)\n\nPricing when installing via the CLI is identical to the click-to-deploy\nmethod: each cluster is priced at $50 a month, billed hourly ($0.07/hour). Note\nthat the cert-manager controller deployment should always have a number of\nreplicas equal to 1. High-availability for the cert-manager controller is not\nsupported yet.\n\n### Prerequisites\n\n#### Set up command line tools\n\nYou'll need the following tools in your environment. 
If you are using Cloud Shell, these tools are installed in your environment by default.\n\n- [gcloud](https://cloud.google.com/sdk/gcloud/)\n- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)\n- [docker](https://docs.docker.com/install/)\n- [openssl](https://www.openssl.org/)\n- [helm](https://helm.sh/docs/using_helm/#installing-helm)\n- [git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)\n\nConfigure `gcloud` as a Docker credential helper:\n\n```sh\ngcloud auth configure-docker\n```\n\n#### Select a GCP project\n\nYou can get the list of projects available with `gcloud projects list`.\n\nThen select one with `gcloud config set project \u003cPROJECT_ID\u003e`\n\n#### Create a Google Kubernetes Engine cluster\n\nThe [workload\nidentity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)\nmust be enabled on your cluster. To create a cluster that has _workload\nidentity_ feature enabled, run the following command:\n\n```sh\nexport CLUSTER=jetstack-cluster\nexport ZONE=europe-west1-c\n\ngcloud container clusters create $CLUSTER --zone $ZONE \\\n  --workload-pool=$(gcloud config get-value project | tr ':' '/').svc.id.goog\n```\n\n\u003e For an existing cluster, you can turn the feature on (will restart the\n\u003e GKE control plane) with the following command:\n\u003e\n\u003e ```sh\n\u003e gcloud container clusters update $CLUSTER --zone $ZONE \\\n\u003e   --workload-pool=$(gcloud config get-value project | tr ':' '/').svc.id.goog\n\u003e ```\n\n#### Configure kubectl to connect to the cluster\n\n```sh\ngcloud container clusters get-credentials \"$CLUSTER\" --zone \"$ZONE\"\n```\n\n#### Clone this repo\n\nClone this repo and the associated tools repo:\n\n```shell\ngit clone https://github.com/jetstack/jetstack-secure-gcm\ncd jetstack-secure-gcm\n```\n\n#### Install the Application resource definition\n\nAn Application resource is a collection of individual Kubernetes\ncomponents, such as Services, Deployments, 
and so on, that you can manage\nas a group.\n\nTo set up your cluster to understand Application resources, run the\nfollowing command:\n\n```sh\nkubectl apply -f \"https://raw.githubusercontent.com/GoogleCloudPlatform/marketplace-k8s-app-tools/master/crd/app-crd.yaml\"\n```\n\nYou need to run this command once for each cluster.\n\nThe Application resource is defined by the [Kubernetes\nSIG-apps](https://github.com/kubernetes/community/tree/master/sig-apps)\ncommunity. The source code can be found on\n[github.com/kubernetes-sigs/application](https://github.com/kubernetes-sigs/application).\n\n### Install the application\n\n#### Configure the application with environment variables\n\nChoose an instance name and\n[namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)\nfor the application.\n\n```shell\nAPP_INSTANCE_NAME=jetstack-secure-1\nNAMESPACE=jetstack-secure\n```\n\nCreate the namespace:\n\n```sh\nkubectl create namespace $NAMESPACE\n```\n\nSet up the image tag, for example:\n\n```shell\nTAG=\"1.4.0-gcm.0\"\n```\n\nwhere `1.4.0` stands for the cert-manager version, and `gcm.0` is the\nGoogle Marketplace \"build\" version.\n\n\u003e Note: the upstream cert-manager images are re-built with a\n\u003e `/LICENSES.txt` file as well as re-tagged with the Marketplace versioning\n\u003e described above, e.g. `1.4.0-gcm.0`. This was done in order to\n\u003e abide by the\n\u003e [schema.md](https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/d9d3a6f/docs/schema.md)\n\u003e rules, which state that \"when users deploy the app from the Google Cloud\n\u003e Marketplace, the final image names may be different, but they will follow\n\u003e the same release tag and name prefix rule.\"\n\n### Download and apply the license\n\nClick the \"Generate license key\". 
This will download a `license.yaml` file\nto your disk.\n\n\u003cimg src=\"https://user-images.githubusercontent.com/2195781/108194095-7de04100-7116-11eb-8bd5-fa11c4fbbcf5.png\" width=\"500\" alt=\"this screenshot is stored in this issue: https://github.com/jetstack/jetstack-secure-gcm/issues/21\"\u003e\n\nThen, add the license to your cluster:\n\n```sh\nkubectl apply -n $NAMESPACE -f license.yaml\n```\n\n### Expand the manifest template\n\nUse `helm template` to expand the template. We recommend that you save the\nexpanded manifest file for future updates to the application.\n\n```shell\nhelm template \"$APP_INSTANCE_NAME\" chart/jetstack-secure-gcm \\\n  --namespace \"$NAMESPACE\" \\\n  --set cert-manager.global.rbac.create=true \\\n  --set cert-manager.serviceAccount.create=true \\\n  --set cert-manager.image.tag=\"$TAG\" \\\n  --set cert-manager.acmesolver.image.tag=\"$TAG\" \\\n  --set cert-manager.webhook.image.tag=\"$TAG\" \\\n  --set cert-manager.webhook.serviceAccount.create=true \\\n  --set cert-manager.cainjector.image.tag=\"$TAG\" \\\n  --set cert-manager.cainjector.serviceAccount.create=true \\\n  --set google-cas-issuer.image.tag=\"$TAG\" \\\n  --set google-cas-issuer.serviceAccount.create=true \\\n  --set google-cas-issuer.serviceAccount.name=google-cas-issuer \\\n  --set preflight.image.tag=\"$TAG\" \\\n  --set preflight.serviceAccount.create=true \\\n  --set preflight.rbac.create=true \\\n  --set cert-manager.ubbagent.image.tag=\"$TAG\" \\\n  --set cert-manager.ubbagent.reportingSecretName=jetstack-secure-for-cert-mana-1-license \\\n  \u003e \"${APP_INSTANCE_NAME}_manifest.yaml\"\n```\n\n\u003e Note: you can also change the default repository values, e.g., with:\n\u003e\n\u003e ```sh\n\u003e --set cert-manager.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager\n\u003e --set cert-manager.acmesolver.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-acmesolver\n\u003e 
--set cert-manager.cainjector.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-cainjector\n\u003e --set cert-manager.webhook.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-webhook\n\u003e --set google-cas-issuer.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/cert-manager-google-cas-issuer\n\u003e --set preflight.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/preflight\n\u003e --set cert-manager.ubbagent.image.repository=marketplace.gcr.io/jetstack-public/jetstack-secure-for-cert-manager/ubbagent\n\u003e ```\n\n#### Apply the manifest to your Kubernetes cluster\n\nUse `kubectl` to apply the manifest to your Kubernetes cluster:\n\n```shell\nkubectl apply -f \"${APP_INSTANCE_NAME}_manifest.yaml\"\n```\n\n#### View the app in the Google Cloud Console\n\nTo get the GCP Console URL for your app, run the following command:\n\n```shell\necho \"https://console.cloud.google.com/kubernetes/application/${ZONE}/${CLUSTER}/${NAMESPACE}/${APP_INSTANCE_NAME}\"\n```\n\nTo view the app, open the URL in your browser.\n\nOptionally, you can also:\n\n- Enable the Jetstack Secure web dashboard by following the steps\n  [here](#step-2-log-into-the-jetstack-secure-dashboard),\n- Set up the Google Certificate Authority Service by following the steps\n  [here](#step-3-optional-set-up-the-google-certificate-authority-service).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fjetstack-secure-gcm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjetstack%2Fjetstack-secure-gcm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjetstack%2Fjetstack-secure-gcm/lists"}