Did you ever dream of the day when there would be free TLS certs that were automatically created and renewed whenever a new service shows up? Well, that day has arrived. If you've jumped on the cool train and are running Kubernetes in production, then cert-manager is a must have. cert-manager is a service that automatically creates and manages TLS certs in Kubernetes, and it is as cool as it sounds.
Here are the steps I took to get cert-manager up and running.
Overview of the cert-manager setup
To get this set up in a Kubernetes cluster, there are 3 main moving pieces:
the cert-manager service, which ensures TLS certs are valid and up to date, and renews them when needed.
the clusterIssuer resource, which defines what Certificate Authority to use
the certificate resource, which defines the certificate that should be created
The following steps assume the nginx-ingress controller is running in the Kubernetes cluster and there is a way to create DNS records. They also assume Helm is installed.
Here is an overview of the steps I took to get cert-manager up and running in my Kubernetes cluster.
launch an app (with an ingress) in the Kubernetes cluster to be accessed at a TLS endpoint.
create a certificate object that describes how to create a TLS cert for the test app
Details to set up cert-manager
Here are the more detailed steps:
1. Deploy the cert-manager helm chart. Create the values.yaml file, then run: helm install --name my-release -f cert-manager-values.yaml cert-manager. cert-manager can be configured to automatically provision TLS certificates for Ingress resources via annotations on your Ingresses. This is how I set up cert-manager, and therefore I added two settings to the values.yaml file: ingressShim.defaultIssuerName and ingressShim.defaultIssuerKind. Read more about ingressShim here. See my values file here.
2. Create the letsencrypt CA cluster issuer. Here I used the letsencrypt staging ACME server just for testing; once this worked, I will switch over to the letsencrypt production server. I created the following file (the spec.acme section of the ClusterIssuer is shown) and then created the resource from it by running: kubectl create -f letsencryp-clusterissuer-staging.yaml.
    # The ACME server URL
    server: https://acme-staging.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: firstname.lastname@example.org
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: <acme-account-key-secret>   # placeholder; the post does not give the name
    # Enable the HTTP-01 challenge provider
    http01: {}
3. Create a test app configured with TLS. Create the Kubernetes manifest files (I created a helm chart here) including a deployment, service, and ingress. The ingress needs annotations that tell cert-manager which CA to use to create TLS certificates. The domain example-nodejs.mydomain.com must have a DNS record that sends traffic to the nginx ingress controller load balancer.
Once this resource is created, a TLS cert should be issued. If not, check the logs of the cert-manager service for errors.
Once all these pieces are set up, you will still get an error when trying to access the app in the browser, since the certificate was created with the staging letsencrypt server (whose CA browsers do not trust); however, this still shows that the cert was successfully created.
Once this is set up successfully, create a production cluster-issuer and replace all the references to the letsencrypt-staging clusterissuer with the letsencrypt-prod clusterissuer.
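As an added example (not from the original post), here is a small shell check for the TLS secret cert-manager writes for the ingress: it confirms a cert was actually issued, flags one issued by the staging CA (which is what the browser error above means), and warns if the cert is close to expiry, meaning renewal is not happening. It assumes kubectl, openssl and GNU base64 are on PATH; the namespace and secret name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Inspects the TLS secret that
# cert-manager creates for an Ingress and reports the issuer and expiry.
# Assumes kubectl, openssl and GNU base64 on PATH; names are placeholders.

# Return 0 if an issuer line (as printed by `openssl x509 -issuer`) points at
# the Let's Encrypt staging hierarchy. Staging intermediates are named
# "Fake LE Intermediate ..." and newer ones carry "(STAGING)" in the CN.
cert_is_staging() {
  case "$1" in
    *"Fake LE"*|*"(STAGING)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify an issuer line as "staging", "production" or "unknown".
classify_issuer() {
  if cert_is_staging "$1"; then
    echo staging
  elif printf '%s' "$1" | grep -q "Let's Encrypt"; then
    echo production
  else
    echo unknown
  fi
}

# Pull tls.crt out of the secret and report issuer, expiry and warnings.
# Usage: check_tls_secret <namespace> <secret-name> [min-days-left]
check_tls_secret() {
  ns=$1; secret=$2; min_days=${3:-14}
  pem=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}' 2>/dev/null | base64 -d)
  [ -n "$pem" ] || { echo "no tls.crt in $ns/$secret; check the cert-manager logs"; return 2; }
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate
  echo "$issuer ($(classify_issuer "$issuer"))"
  status=0
  if cert_is_staging "$issuer"; then
    echo "WARN: issued by the staging CA; switch the ingress to the production ClusterIssuer"
    status=1
  fi
  # -checkend exits non-zero when the cert expires within the given seconds
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $((min_days * 86400)); then
    echo "WARN: expires within $min_days days; cert-manager should have renewed it"
    status=1
  fi
  return $status
}

# check_tls_secret default example-nodejs-tls   # placeholder namespace/secret
```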
Extra background info for fun if you are interested:
What is letsencrypt? Letsencrypt is a Certificate Authority that issues free TLS certificates. It was launched in 2016, and its purpose is to make a safer internet by making it easier and cheaper to use TLS.