Buying certificates, even the extended validation ones, is (in my opinion) part of the old ways. I personally don’t see the value in authorizing more than domain, or IP-address, ownership when issuing certificates via the PKI model. This can be done with Let’s Encrypt, and automated with cert-manager in your Kubernetes cluster. Here’s how I’ve done it:
First, Create a namespace, add, update and install cert-manager via helm.
~$ kubectl create namespace cert-manager
~$ helm repo add jetstack https://charts.jetstack.io
~$ helm repo update
~$ helm install certmgr jetstack/cert-manager \
--set installCRDs=true \
--namespace cert-managerSecond, Add a cluster-issuer (HTTP Solver is fine)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: YOUREMAILADDRESS
privateKeySecretRef:
name: letsencrypt-production
solvers:
- http01:
ingress:
class: nginxThird, Add the issuer annotation to your ingress:
cert-manager.io/cluster-issuer: "letsencrypt-production"Example ingress (Nginx):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "letsencrypt-production"
spec:
tls:
- hosts:
- www.example.com
secretName: example-tls
rules:
- host: www.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80HTTPS Everywhere! 👾