How to use cert-manager to secure your applications in Kubernetes

If you’re running microservices in Kubernetes, chances are good you need to expose some of them for public access, secured with TLS.

In Kubernetes, we have cert-manager to deal with certificate management for us – most prominently it acquires free SSL certificates from LetsEncrypt for our ingress resources if configured correctly.

Install cert-manager to your Kubernetes cluster

We’re using HELM to install cert-manager into our Kubernetes cluster. The steps are taken from the official documentation.

kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.2.0 \
  --create-namespace \
  --set installCRDs=true

Create certificate issuers

To correctly issue certificates from LetsEncrypt, cert-manager needs to be configured. We need to add so called Issuers (or ClusterIssuers) to our Kubernetes clusters that configure the integration with LetsEncrypt.

Create a file called le-issuers.yml and add the following content to it:

apiVersion: cert-manager.io/
kind: ClusterIssuer           
metadata:
    name: letsencrypt-staging
    namespace: "cert-manager"
spec:
    acme:
      server: https://acme-staging-v02.api.letsencrypt.org/directory
      email: "you@example.com"
      privateKeySecretRef:
        name: letsencrypt-staging
      solvers:
        - http01:
            ingress:
              class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer           
metadata:
    name: letsencrypt-prod
    namespace: "cert-manager"     
spec:
    acme:
      server: https://acme-v02.api.letsencrypt.org/directory
      email: "info@example.com"
      privateKeySecretRef:
        name: letsencrypt-prod
      solvers:
         - http01:
            ingress:
              class: nginx

Apply the changes to your Kubernetes cluster by running the following command:

kubectl --namespace cert-manager apply -f le-issuers.yml

This will create 2 ClusterIssuers (they can be referenced from any namespace) you can invoke to create certificates for your ingress objects. This configuration assumes you’re using nginx as your ingress router – learn how to install nginx in your Kubernetes cluster here:

How to use nginx as ingress router to expose your microservices in Kubernetes

Many applications running Kubernetes are web applications that need to serve HTTP traffic. For scenarios like this, Kubernetes has so called ingress objects that can be used to direct traffic to microservices. Under the hood, the Ingress Controller is powered by tools like Traefik, Istio or nginx. To expose a service to the public with […]