Automated SSL certs for Kubernetes with letsencrypt and cert-manager - Reactive Ops

Tell us more

Community

Automated SSL certs for Kubernetes with letsencrypt and cert-manager

Automated SSL certs for Kubernetes with letsencrypt and cert-manager

Did you ever dream of the day where there would be free TLS certs that were automatically created and renewed when a new service shows up? Well that day has arrived. If you’ve jumped on the cool train and are running Kubernetes in production, then <a href="https://github.com/jetstack/cert-manager" data-href="https://github.com/jetstack/cert-manager" rel="noopener" target="_blank">cert-manager</a> is a must have. cert-manager is a service that automatically creates and manages TLS certs in Kubernetes and it is as cool as its sounds.

Here are the steps I took to get cert-manager up and running.

Overview to setup cert-manager

To get this setup in a kubernetes cluster, there are 3 main moving pieces:

  1. the cert-manager service which ensures TLS certs are valid, up to date, and renew them when needed.
  2. the clusterIssuer resource which defines what Certificate Authority to use
  3. the certificate resource which defines the certificate that should be created

The following steps assume nginx-ingress controller is running in the kubernetes cluster and there is a way to create DNS records. Additionally, assumes Helm is installed.

Here is an overview of the steps I took to get <strong>cert-manger</strong> up and running in my Kubernetes cluster.

  1. launch cert-manager from the official helm chart
  2. create a letsencrypt CA clusterIssuer k8s resource
  3. launch an app (with an ingress) in the kubernetes cluster to be access at a TLS endpoint.
  4. create a certificate object that describes how to create a TLS cert for the test app

Details to set up cert-manager

Here are the more detailed steps:

  1. Deploy the <a href="https://github.com/kubernetes/charts/tree/master/stable/cert-manager" data-href="https://github.com/kubernetes/charts/tree/master/stable/cert-manager" rel="noopener" target="_blank">cert-manager</a> helm chart. Create the values.yaml file then run: helm-install --name my-release -f cert-manager-values.yaml cert-manager. cert-manager can be configured to automatically provision TLS certificates for Ingress resources via annotations on your Ingresses. This is how I set up cert-manager and therefore, I added a two settings to the values.yaml fileingressShim.defaultIssuerName and ingressShim.defaultIssuerKind. Read more about ingressShim here. See my values file here.
  2. Create the letsencrypt CA cluster issuer. Here I used the letsencrypt staging ACME server just for testing, once this worked, I will switch over to letsencrypt production server. I created the following file by running: kubectl create -f letsencryp-clusterissuer-staging.yaml.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
 name: letsencrypt-staging
spec:
 acme:
 # The ACME server URL
 server: <a href="https://acme-staging.api.letsencrypt.org/directory" data-href="https://acme-staging.api.letsencrypt.org/directory" rel="nofollow noopener" target="_blank">https://acme-staging.api.letsencrypt.org/directory</a>
 # Email address used for ACME registration
 email: <a href="mailto:[email protected]" data-href="mailto:[email protected]" rel="nofollow" target="_blank">[email protected]</a>
 # Name of a secret used to store the ACME account private key
 privateKeySecretRef:
 name: letsencrypt-staging
 # Enable the HTTP-01 challenge provider
 http01: {}

3. Create a test app configured with TLS. Create the kubernetes manifest files (I created a helm chart here) including a deployment, service, and ingress. The ingress needs annotations that tell cert-manager what CA to use to create TLS certificates. The domainexample-nodejs.mydomain.com must have a DNS record that is configured to send traffic to the nginx ingress controller load balancer.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: myapp-ingress
 annotations:
 kubernetes.io/ingress.class: nginx
 certmanager.k8s.io/cluster-issuer: letsencrypt-staging
spec:
 tls:
 - hosts:
 - example-nodejs.mydomain.com
 secretName: example-nodejs-crt
rules:
- host: example-nodejs.mydomain.com
 http:
 paths:
 - path: /
 backend:
 serviceName: example-nodejs
 servicePort: 8080

4. Create the <a href="https://github.com/JessicaGreben/example-nodejs/blob/master/deploy/charts/example-nodejs/templates/certificate.yaml" data-href="https://github.com/JessicaGreben/example-nodejs/blob/master/deploy/charts/example-nodejs/templates/certificate.yaml" rel="noopener" target="_blank">certificate</a> resource with acme http challenge configured.

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
 name: example-nodejs-crt
spec:
 secretName: example-nodejs-crt
 dnsNames:
 - example-nodejs.mydomain.com
 acme:
 config:
 - http01:
 ingressClass: nginx
 domains:
 - example-nodejs.mydomain.com
 issuerRef:
 name: letsencrypt-staging
 kind: ClusterIssuer

Once this resource is created, there should be a tls cert that is created. If not, then check the logs of the cert-manger service for errors.

Once all these pieces are setup, you will still get an error when trying to access the app in the browser since the certificate was created with the staging letsencrypt server however this still shows that the cert was successfully created.

Once this is setup successfully, then create a production cluster-issuer and replace all the references to the letsencrypt-staging clusterissuer with the letsencrypt-prod clusterissuer.

Extra background info for fun if you are interested:

What is letsencrypt? Letsencrypt is a Certificate Authority that issues free TLS certificates. It was launch in 2016 and its purpose is to try to make a safer internet by making it easier and cheaper to use TLS.

What is the ACME protocol? ACME stands for Automated Certificate Management Environment. It is a protocol for automating interactions between certificate authorities and their users’ web servers, allowing the automated deployment of public key infrastructure at very low cost. It was designed by the Internet Security Research Group(ISRG) for their Let’s Encrypt service.

Resources:

Other Developer Hub Posts

| Rob Scott

How we manage Kubernetes RBAC and IAM Roles on GKE

Read more

| Rob Scott

rbac-lookup: Reverse Lookup for Kubernetes Authorization

Read more

| ReactiveOps

The Benefits of Running Kubernetes on Google Container Engine

Read more

| Eric Hole

kops 102 - An Inside Look at Deploying Kubernetes on...

Read more