Kubernetes – Issue Certificates With Cert-Manager And LetsEncrypt

Kubernetes logo

Buying certificates, even the extended validation ones, is (in my opinion) part of the old ways. I personally don’t see the value in authorizing more than domain, or IP-address, ownership when issuing certificates via the PKI model. This can be done with Let’s Encrypt, and automated with cert-manager in your Kubernetes cluster. Here’s how I’ve done it:

First, Create a namespace, add, update and install cert-manager via helm.

~$ kubectl create namespace cert-manager
~$ helm repo add jetstack https://charts.jetstack.io
~$ helm repo update
~$ helm install certmgr jetstack/cert-manager \
    --set installCRDs=true \
    --namespace cert-manager

Second, Add a cluster-issuer (HTTP Solver is fine)

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: YOUREMAILADDRESS
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
       ingress:
         class: nginx

Third, Add the issuer annotation to your ingress:

cert-manager.io/cluster-issuer: "letsencrypt-production"

Example ingress (Nginx):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"    
    cert-manager.io/cluster-issuer: "letsencrypt-production"

spec:
  tls:
  - hosts:
    - www.example.com
    secretName: example-tls
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80

HTTPS Everywhere! ?

Leave a Reply

Your email address will not be published. Required fields are marked *