How to use cert-manager to secure your applications in Kubernetes

Published 28.03.2021

Author Fabian Peter

Categories Engineering

If you’re running microservices in Kubernetes, chances are good you need to expose some of them for public access, secured with TLS.

In Kubernetes, cert-manager handles certificate management for us. Most prominently, when configured correctly, it acquires free TLS certificates from Let's Encrypt for our Ingress resources.

Install cert-manager to your Kubernetes cluster

We’re using Helm to install cert-manager into our Kubernetes cluster. The steps are taken from the official documentation.

kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.2.0 \
  --create-namespace \
  --set installCRDs=true

Create certificate issuers

To issue certificates from Let's Encrypt, cert-manager needs to be configured. We need to add so-called Issuers (or ClusterIssuers) to our Kubernetes cluster; these configure the integration with Let's Encrypt.

Create a file called le-issuers.yml and add the following content to it:

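# ClusterIssuers are cluster-scoped, so metadata.namespace is not set.
# Staging issuer: certificates chain to an untrusted test root; use it to test the setup.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: "you@example.com"
    # Secret that holds the ACME account private key.
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      # HTTP-01 challenges are answered through the nginx ingress controller.
      - http01:
          ingress:
            class: nginx
---
# Production issuer: publicly trusted certificates.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: "info@example.com"
    # Secret that holds the ACME account private key.
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx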

Apply the changes to your Kubernetes cluster by running the following command:

kubectl --namespace cert-manager apply -f le-issuers.yml

This creates two ClusterIssuers, which can be referenced from any namespace and which you can use to request certificates for your Ingress objects. This configuration assumes you’re using nginx as your ingress router – learn how to install nginx in your Kubernetes cluster here:
