How to use LetsEncrypt for certificates in Kubernetes
Let’s Encrypt is a free, automated, non-profit certificate authority. Certificates from Let’s Encrypt are valid for 90 days at no charge and can be renewed at any time. Issuance and renewal can be automated with certbot, or with cert-manager on Kubernetes.
cert-manager:
cert-manager is a Kubernetes tool that issues certificates from various certificate providers, including Let’s Encrypt.
To install cert-manager using Helm:
Step 1: Apply the cert-manager manifest
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager.yaml
Jetstack is the organisation that publishes cert-manager and its Helm chart.
Note: You might run into CRD-related issues if you are using a Kubernetes version lower than 19.0.
Step 2: Create a namespace for cert-manager
$ kubectl create ns cert-manager
Step 3: Add the Jetstack Helm repository and update your local Helm chart repo cache.
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
Step 4: Install the cert-manager Helm chart
$ helm install --name cert-manager \
--namespace cert-manager \
--version v0.15.0 jetstack/cert-manager
(This is the Helm 2 form. With Helm 3 the --name flag no longer exists and the release name is the first argument: helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.15.0.)
Now verify the installation:
$ kubectl get pods --namespace cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-5c6866597-zw7kh 1/1 Running 0 2m
cert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 2m
cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m
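As an added, end-to-end version of the four steps above (this script is not part of the original article): it pins the CRD manifest and the Helm chart to one version variable so they cannot drift apart (the steps above apply v0.15.1 CRDs but install the v0.15.0 chart), applies the CRD-only manifest (cert-manager.crds.yaml, published on the same GitHub release page as cert-manager.yaml) so that the chart is the only thing installing the controllers, uses Helm 3 syntax, and then waits for the three deployments to roll out before checking the pod table with a function that can also be run on saved output. Assumes kubectl, Helm 3 and the v0.15.1 release tag; the CM_VERSION default, the function names and the install-cert-manager.sh file-name guard are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): install cert-manager with the
# CRD manifest and the Helm chart pinned to ONE version, then wait until the
# three deployments are rolled out before any Issuer is created.
# Assumes Helm 3 (release name is positional, no --name) and kubectl.
set -eu

CM_VERSION="${CM_VERSION:-v0.15.1}"   # pin: CRDs and chart must match

# URL of the CRD-only manifest for a given release tag.
crd_url() {
    printf 'https://github.com/jetstack/cert-manager/releases/download/%s/cert-manager.crds.yaml\n' "$1"
}

# Return 0 only when every line of `kubectl get pods --no-headers` output on
# stdin describes a pod that is Running with all containers ready (READY x/x)
# and there is at least one pod. Reads stdin so it can be run on saved output.
pods_all_ready() {
    local name ready status rest r_ready r_total
    local bad=0 count=0
    while read -r name ready status rest; do
        [ -n "$name" ] || continue
        count=$((count + 1))
        r_ready="${ready%/*}"
        r_total="${ready#*/}"
        if [ "$status" != "Running" ] || [ "$r_ready" != "$r_total" ]; then
            echo "not ready: $name ($ready $status)" >&2
            bad=1
        fi
    done
    if [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]; then
        return 0
    fi
    return 1
}

install_cert_manager() {
    # CRDs first; the chart itself installs the controllers.
    kubectl apply --validate=false -f "$(crd_url "$CM_VERSION")"
    kubectl get namespace cert-manager >/dev/null 2>&1 || kubectl create namespace cert-manager
    helm repo add jetstack https://charts.jetstack.io
    helm repo update
    helm install cert-manager jetstack/cert-manager \
        --namespace cert-manager \
        --version "$CM_VERSION"
    # Block until all three components are rolled out: the webhook must be up
    # before an Issuer or Certificate is applied, or the apply is rejected.
    for d in cert-manager cert-manager-cainjector cert-manager-webhook; do
        kubectl -n cert-manager rollout status "deployment/$d" --timeout=180s
    done
    kubectl -n cert-manager get pods --no-headers | pods_all_ready
}

# Run the install only when executed as install-cert-manager.sh; sourcing the
# file just defines the functions.
if [ "${0##*/}" = "install-cert-manager.sh" ]; then
    install_cert_manager
fi
```

Sourcing the file only defines the functions, so pods_all_ready can be pointed at any saved `kubectl get pods --no-headers` table (for example from a cluster you are troubleshooting) without running the install.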
Issuers:
Issuers (and ClusterIssuers) represent a certificate authority from which signed x509 certificates can be obtained, such as Let’s Encrypt.
You will need at least one Issuer or ClusterIssuer to begin issuing certificates within your cluster.
An Issuer is a namespaced resource, so you will need to create an Issuer in each namespace in which you wish to obtain Certificates.
If you want to create a single issuer that can be consumed in multiple namespaces, you should consider creating a ClusterIssuer resource.
Create a ClusterIssuer resource for Let’s Encrypt certificates (this one is available to all namespaces).
Create a YAML file called cluster-issuer.yaml:
---
# apiVersion and kind as served by the cert-manager v0.15 installed above: that
# release no longer serves the old certmanager.k8s.io/v1alpha1 form, and the
# kind must be ClusterIssuer for the resource to be cluster-wide
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: "<your-email@example.com>"
    server: "https://acme-v02.api.letsencrypt.org/directory"
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
$ kubectl apply -f cluster-issuer.yaml
· You can use either the staging or the production environment
· Provide your email address
· The staging environment uses a different server URL
· You will receive email notices about certificate renewals
List cluster-issuer:
$ kubectl get clusterissuers
NAME AGE
letsencrypt-prod 2m
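The staging-versus-production point in the bullets above, as an added example (not from the original article): a small script that prints a ClusterIssuer for either Let’s Encrypt environment. The staging directory URL (https://acme-staging-v02.api.letsencrypt.org/directory) issues certificates from an untrusted test CA but has much higher rate limits, so an Ingress can point at letsencrypt-staging until the HTTP-01 challenge is known to work and then be switched to letsencrypt-prod without risking a production rate-limit lockout. The manifest uses the cert-manager.io/v1alpha2 API served by cert-manager v0.15; the ACME_EMAIL placeholder, the issuers.sh file name and the letsencrypt-<env> naming are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): emit a ClusterIssuer for the
# Let's Encrypt staging or production environment. Staging certificates are
# not browser-trusted but have generous rate limits, so validate the Ingress
# against "letsencrypt-staging" before switching the annotation to
# "letsencrypt-prod". ACME_EMAIL is a placeholder to replace.
set -eu

ACME_EMAIL="${ACME_EMAIL:-admin@example.com}"   # placeholder address

# Map an environment name to its ACME directory URL. Unknown names are an
# error, so a typo cannot silently fall through to production.
acme_server() {
    case "$1" in
        staging) echo "https://acme-staging-v02.api.letsencrypt.org/directory" ;;
        prod)    echo "https://acme-v02.api.letsencrypt.org/directory" ;;
        *)       echo "unknown environment: $1" >&2; return 1 ;;
    esac
}

# Print the ClusterIssuer manifest for "staging" or "prod". The ACME account
# key is stored in a Secret named after the issuer, in the cert-manager
# namespace, and the HTTP-01 solver uses the nginx ingress class.
issuer_manifest() {
    local env="$1" server
    server="$(acme_server "$env")" || return 1
    cat <<EOF
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-${env}
spec:
  acme:
    email: ${ACME_EMAIL}
    server: ${server}
    privateKeySecretRef:
      name: letsencrypt-${env}
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
}

# Usage: ./issuers.sh | kubectl apply -f -
# Both issuers coexist; the Ingress annotation chooses which one is used.
if [ "${0##*/}" = "issuers.sh" ]; then
    issuer_manifest staging
    echo "---"
    issuer_manifest prod
fi
```

Keeping the two issuers as separate named resources means the only thing that changes when going live is the value of the cluster-issuer annotation on the Ingress; the staging Secret and its account key stay untouched.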
Ingress with cert-manager
You must add an annotation to the Ingress naming the Issuer or ClusterIssuer it should use.
Create a file called cert-ingress.yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  annotations:
    # names the ClusterIssuer created above; cert-manager v0.15 reads the
    # cert-manager.io annotation prefix, matching its API group
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: app.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: frontend
          servicePort: 80
  tls:
  - hosts:
    - app.mydomain.com
    secretName: app-mydomain-com
$ kubectl apply -f cert-ingress.yaml
Once the Ingress is created, cert-manager should create a TLS secret and a Certificate for it.
$ kubectl get secrets
NAME TYPE DATA AGE
app-mydomain-com kubernetes.io/tls 3 1m
$ kubectl get certificates
NAME READY SECRET AGE
app-mydomain-com True app-mydomain-com 1m
If all goes well, you will be able to see the site over a secure TLS connection, and you do not have to worry about renewal either.
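A check to run once the Certificate reports READY True, added here and not part of the original article: it pulls tls.crt out of the Secret the Ingress references and reports the issuer and the number of days remaining. cert-manager starts renewing a 90-day Let’s Encrypt certificate about 30 days before it expires (its default renewal window), so a certificate with fewer than 30 days left means a renewal has stalled and the Certificate's events should be inspected, and an issuer other than Let’s Encrypt usually means the staging issuer or a self-signed placeholder is still being served. Assumes kubectl, openssl and GNU date (for `date -d`); the check-cert.sh file name and the default namespace and secret arguments are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): inspect the certificate that
# cert-manager stored in the Ingress's TLS Secret and flag two common
# problems: a stalled renewal and a certificate that is not from the
# Let's Encrypt production CA. Assumes kubectl, openssl and GNU date.
set -eu

RENEW_BEFORE_DAYS=30   # cert-manager's default renewal window for 90-day certs

# Whole days from $2 (epoch seconds, "now") until $1 (an openssl notAfter
# string such as "Sep  1 12:00:00 2020 GMT"). Negative means already expired.
days_until() {
    local not_after="$1" now="$2" end
    end="$(date -u -d "$not_after" +%s)"
    echo $(( (end - now) / 86400 ))
}

# Read a PEM certificate from stdin; $1 is "now" in epoch seconds (defaults to
# the current time). Returns 0 only when the issuer is Let's Encrypt and more
# than RENEW_BEFORE_DAYS remain.
check_cert_pem() {
    local now="${1:-$(date -u +%s)}" issuer not_after left pem
    pem="$(cat)"
    issuer="$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)"
    not_after="$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')"
    left="$(days_until "$not_after" "$now")"
    echo "issuer:  $issuer"
    echo "expires: $not_after ($left days left)"
    case "$issuer" in
        *"Let's Encrypt"*) ;;
        *) echo "WARNING: not issued by the Let's Encrypt production CA (staging issuer or self-signed placeholder?)" >&2
           return 1 ;;
    esac
    if [ "$left" -le "$RENEW_BEFORE_DAYS" ]; then
        echo "WARNING: inside the renewal window; run 'kubectl describe certificate' and look at the Order/Challenge events" >&2
        return 1
    fi
}

# Fetch tls.crt from the Secret named in the Ingress's tls section and check it.
check_tls_secret() {
    local ns="$1" secret="$2"
    kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}' \
        | base64 -d | check_cert_pem
}

# Usage: ./check-cert.sh default app-mydomain-com
if [ "${0##*/}" = "check-cert.sh" ]; then
    check_tls_secret "${1:-default}" "${2:-app-mydomain-com}"
fi
```

The script exits non-zero on either warning, so it can be dropped into a cron job or a monitoring check for every secretName listed in your Ingresses; a healthy cert-manager setup should never let a Let’s Encrypt certificate get inside the 30-day window.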
Senior Cloud Engineer at Searce Cosourcing Pvt Ltd (2 years ago): Same here. Helped me a lot!
Platform and Cloud Architect @Interac Corp | 3x AWS Certified | Certified Google Cloud Professional Architect | CKAD (3 years ago): Great work!!!! Big help for securing K8s containers