How to use cert-manager to secure your applications in Kubernetes

Published 28.03.2021

Author Fabian Peter

Categories Engineering

If you’re running microservices in Kubernetes, chances are good you need to expose some of them for public access, secured with TLS.

In Kubernetes, we have cert-manager to handle certificate management for us – most prominently, it acquires free TLS certificates from Let's Encrypt for our ingress resources if configured correctly.

Install cert-manager to your Kubernetes cluster

We’re using Helm to install cert-manager into our Kubernetes cluster. The steps are taken from the official documentation.

kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.2.0 \
  --create-namespace \
  --set installCRDs=true

Create certificate issuers

To issue certificates from Let's Encrypt, cert-manager needs to be configured. We need to add so-called Issuers (or ClusterIssuers) to our Kubernetes cluster that configure the integration with Let's Encrypt.

Create a file called le-issuers.yml and add the following content to it:

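# Staging issuer: use it first to test issuance. Its certificates are not
# trusted by browsers.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # ClusterIssuers are cluster-scoped, so no metadata.namespace is set.
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Contact address for the ACME account.
    email: "you@example.com"
    # Secret that holds the ACME account private key. For a ClusterIssuer it
    # lives in cert-manager's own namespace; restrict access to it.
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      # HTTP-01 challenge, answered through the nginx ingress controller.
      - http01:
          ingress:
            class: nginx
---
# Production issuer: issues browser-trusted certificates.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: "info@example.com"
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx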

Apply the changes to your Kubernetes cluster by running the following command:

kubectl --namespace cert-manager apply -f le-issuers.yml

This creates 2 ClusterIssuers that you can reference to create certificates for your Ingress objects. Because ClusterIssuers are cluster-scoped, they can be referenced from any namespace. This configuration assumes you’re using nginx as your ingress controller – learn how to install nginx in your Kubernetes cluster here:
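To show how an Ingress references one of the ClusterIssuers defined above, here is an added example manifest (not part of the original post). The namespace, host, Service and Secret names are hypothetical placeholders, and it assumes an IngressClass named nginx exists in the cluster.

```yaml
# Added example: an Ingress that requests its certificate through cert-manager.
# All names below (demo, demo-app, app.example.com, demo-app-tls) are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo-app
  namespace: demo                 # any namespace works with a ClusterIssuer
  annotations:
    # Test against staging first: it has much looser rate limits, but its
    # certificates are not browser-trusted. Switch this value to
    # letsencrypt-prod once issuance succeeds.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  ingressClassName: nginx         # assumption: an IngressClass "nginx" exists
  tls:
    - hosts:
        - app.example.com         # must resolve publicly to the ingress
                                  # controller on port 80 for HTTP-01
      secretName: demo-app-tls    # cert-manager stores the key pair here
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-app    # hypothetical Service in the same namespace
                port:
                  number: 80
```

Once the HTTP-01 challenge has succeeded, `kubectl get certificate -n demo` lists the certificate as ready and the TLS Secret exists in the namespace.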
