Kubernetes: Automatic Let’s Encrypt Certificates for Services

Preparation: Install Nginx Ingress

arkade installs the controller via its Helm chart. Note that the first command pipes a remote script into a root shell; download it, read it, then run it if you have to account for what lands on your machine.

> curl -sLS https://dl.get-arkade.dev | sudo sh
> arkade install nginx-ingress
Release "nginx-ingress" has been upgraded. Happy Helming!
NAME: nginx-ingress
LAST DEPLOYED: Fri May 8 14:11:09 2020
NAMESPACE: default
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
The nginx-ingress controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
...

Deploy an Application

The demo workload is hashicorp/http-echo, which answers every request on port 5678 with a fixed string. The Deployment goes into a demo namespace (create it first with kubectl create namespace demo); the Service and Ingress that follow must live in the same namespace.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  namespace: demo
spec:
  selector:
    matchLabels:
      app: echo
  replicas: 2
  template:
    metadata:
      labels:
        app: echo
    spec:
      containers:
        - name: echo
          image: hashicorp/http-echo
          args: ['--listen', ':5678', '--text', 'echo']
          ports:
            - containerPort: 5678

> kubectl apply -f deployment.yaml
> kubectl get all
NAME                        READY   STATUS    RESTARTS   AGE
pod/echo-7b86d65bc8-6crzv   1/1     Running   0          9s

NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/echo   1/1     2            2           9s

Configure Ingress

The Service exposes the pods on port 80 and maps it to the container port 5678. The Ingress backend must reference a port the Service actually exposes (80), not the container port; the TLS variant of this Ingress further down uses 80 as well. Both manifests can live in one file separated by ---.

apiVersion: v1
kind: Service
metadata:
  name: echo
  namespace: demo   # same namespace as the Deployment and the Ingress
spec:
  ports:
    - port: 80
      targetPort: 5678
  selector:
    app: echo
---
apiVersion: extensions/v1beta1   # removed in Kubernetes 1.22; on current clusters use networking.k8s.io/v1, whose backend schema is service.name/service.port.number plus a required pathType
kind: Ingress
metadata:
  name: echo
  namespace: demo
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
    - host: echo.admantium.com
      http:
        paths:
          - backend:
              serviceName: echo
              servicePort: 80   # the Service port, not the container port

> kubectl apply -f echo-service.yml
> kubectl describe ingress echo
Name:             echo
Namespace:        default
Address:          49.12.45.26
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  letsencrypt-staging terminates echo.admantium.com
Rules:
  Host                Path  Backends
  ----                ----  --------
  echo.admantium.com
                            echo:5678 (10.42.1.155:5678,10.42.2.165:5678)
Annotations:          cert-manager.io/cluster-issuer: letsencrypt-staging
                      kubernetes.io/ingress.class: nginx
Events:
  Type    Reason  Age                   From                      Message
  ----    ------  ----                  ----                      -------
  Normal  UPDATE  2m25s (x4 over 159m)  nginx-ingress-controller  Ingress default/echo

This output was captured after the TLS step below had been applied, which is why it already lists a TLS block and the cert-manager annotation; it also reports the default namespace, whereas the manifests target demo. Whichever namespace you pick, Deployment, Service and Ingress must share it. The default-http-backend error is harmless: the ingress-nginx controller serves its own default backend. Address is the LoadBalancer IP; echo.admantium.com must resolve to it before Let's Encrypt can validate the host.

Install cert-manager

> arkade install cert-manager
Using helm3
Client: x86_64, Darwin
...
NAME: cert-manager
LAST DEPLOYED: Mon Apr 27 19:58:05 2020
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 3
TEST SUITE: None
NOTES:
cert-manager has been deployed successfully!

Configuring Cert-Manager

A ClusterIssuer stores the ACME account and the challenge solver once for the whole cluster, so Ingress resources in any namespace can reference it. It is cluster-scoped, so it carries no namespace. Start against the Let's Encrypt staging environment: its rate limits are generous, but the certificates it issues are signed by a staging CA that browsers do not trust, so it is for testing the pipeline only. For real certificates point server at https://acme-v02.api.letsencrypt.org/directory in a second ClusterIssuer.

apiVersion: cert-manager.io/v1alpha2   # deprecated; current cert-manager releases use cert-manager.io/v1 with the same spec fields
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: staging@admantium.com
    privateKeySecretRef:
      name: letsencrypt-staging   # ACME account private key; for a ClusterIssuer this Secret lives in the cert-manager namespace
    solvers:
      - http01:
          ingress:
            class: nginx

The http01 solver answers the challenge through the nginx ingress: Let's Encrypt fetches http://echo.admantium.com/.well-known/acme-challenge/<token> over plain port 80, so DNS must already point at the LoadBalancer IP and port 80 must be reachable from the internet. Apply the issuer and follow the controller log while the challenge runs:

> kubectl logs -n cert-manager deploy/cert-manager -f

Configuring Ingress Resource to use TLS

Adding the cert-manager.io/cluster-issuer annotation and a tls block to the Ingress is all it takes: cert-manager's ingress-shim creates a Certificate for the listed hosts, runs the challenge, and writes tls.crt and tls.key into the named Secret in the Ingress namespace, from which the nginx ingress serves them.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echo
  namespace: demo
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  rules:
    - host: echo.admantium.com
      http:
        paths:
          - backend:
              serviceName: echo
              servicePort: 80
  tls:
    - hosts:
        - echo.admantium.com
      secretName: letsencrypt-staging   # Secret holding tls.crt/tls.key; a name such as echo-tls avoids confusing it with the account-key Secret of the same name

In the controller log, cert-manager first brings up a solver pod that serves the challenge token, then self-checks that the token is reachable through the ingress, and finally reports the issued certificate:

I0508 12:19:24.176712 1 pod.go:58] cert-manager/controller/challenges/http01/selfCheck/http01/ensurePod "level"=0 "msg"="found one existing HTTP01 solver pod" "dnsName"="echo.admantium.com" "related_resource_kind"="Pod" "related_resource_name"="cm-acme-http-solver-pmn4v" "related_resource_namespace"="default" "resource_kind"="Challenge" "resource_name"="letsencrypt-staging-1985468592-3302894823-3409218764" "resource_namespace"="default" "type"="http-01"
...
I0508 12:29:41.771005 1 acme.go:166] cert-manager/controller/certificaterequests-issuer-acme/sign "level"=0 "msg"="certificate issued" "related_resource_kind"="Order" "related_resource_name"="letsencrypt-staging-1985468592-3302894823" "related_resource_namespace"="default" "resource_kind"="CertificateRequest" "resource_name"="letsencrypt-staging-1985468592" "resource_namespace"="default"

Check the result with kubectl get certificate and kubectl describe challenge in the Ingress namespace: the Certificate should report Ready=True, and any Challenge that stays pending usually means the self-check cannot reach the solver pod (DNS not pointing at the ingress, port 80 blocked, or the wrong ingress class). Remember that this certificate comes from the staging CA and will be rejected by browsers; once the flow works, switch the annotation to a production ClusterIssuer and cert-manager re-issues the certificate into the same Secret.
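What the "selfCheck" in the log above verifies is the ACME HTTP-01 key authorization: the body served at /.well-known/acme-challenge/<token> must be the token joined with the RFC 7638 thumbprint of the ACME account's public key. The following script, an added example that is not code from this post or from cert-manager, implements that check so it can be run offline against a body captured from the solver pod. ACCOUNT_JWK and TOKEN are constructed placeholders, and the function names are mine.

```python
"""ACME HTTP-01 key-authorization self-check (RFC 8555 s8.1/8.3, RFC 7638).

Added example for this post; not code from the post or from cert-manager.
It reproduces what cert-manager's http01 selfCheck confirms before asking
the ACME server to validate: the body served at
http://<host>/.well-known/acme-challenge/<token> must equal
    <token>.<base64url(SHA-256(thumbprint JSON of the account public key))>
ACCOUNT_JWK and TOKEN are constructed placeholders, not real values.
"""
import base64
import hashlib
import hmac
import json

# Members that enter the RFC 7638 thumbprint, per key type; everything else
# in the JWK (kid, alg, use, ...) is deliberately ignored.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed P-256 account key; the coordinates are placeholder base64url strings.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/0",  # ignored
}
# Constructed challenge token of the shape an ACME server hands out.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialised
    as JSON with keys in lexicographic order and no whitespace."""
    kty = jwk.get("kty")
    if kty not in THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported key type: {kty!r}")
    try:
        subset = {m: jwk[m] for m in THUMBPRINT_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"JWK is missing member {missing}") from None
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: the exact string the solver must serve for this token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    """URL path the ACME server (and cert-manager's self-check) fetches."""
    return f"/.well-known/acme-challenge/{token}"


def self_check(served_body: bytes, token: str, account_jwk: dict) -> bool:
    """True if the solver served the correct key authorization for `token`.

    Trailing whitespace is tolerated as RFC 8555 s8.3 allows, nothing else is:
    a wrong account key, a stale token from an earlier Order, or a catch-all
    page returned by a misrouted Ingress all fail here. The comparison is
    constant-time so a broken solver cannot be probed byte by byte.
    """
    expected = key_authorization(token, account_jwk).encode("ascii")
    got = served_body.rstrip(b" \t\r\n")
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    print("GET", challenge_path(TOKEN))
    body = key_authorization(TOKEN, ACCOUNT_JWK).encode("ascii") + b"\n"
    print("solver serves:", body.decode().strip())
    print("self-check passes:", self_check(body, TOKEN, ACCOUNT_JWK))
    print("stale token fails:", self_check(body, "stale-" + TOKEN, ACCOUNT_JWK))
```

To use it against a live cluster, fetch the body with curl from outside the cluster (the same vantage point Let's Encrypt has), take the account JWK from the Secret named in privateKeySecretRef, and pass both to self_check; a False result with the solver pod running points at routing, not at cert-manager.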

Conclusion
