There's also a video tutorial here for those who prefer to watch instead of read.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network. A TLS/SSL certificate activates the padlock and the https protocol and allows secure connections from a web server to a browser.
Traditionally these certificates can cost anywhere from $30 to $500 depending on the level of encryption and validation required. But for most websites a simple and basic TLS/SSL certificate should do, and letsencrypt.org offers them for free!
What we will focus on today is how to automate the issuing of TLS/SSL certificates in our Kubernetes cluster from the letsencrypt.org API using a tool called cert-manager.
Step 1 - Install Cert-Manager
We'll be using helm to install cert-manager. If you don't have helm installed, you can read up here to quickly have it installed. The nginx-ingress should also already be installed and fully configured; you can read up here to quickly install it.
The command below will install cert-manager to the kube-system namespace.
helm install --name cert-manager --namespace kube-system stable/cert-manager
Step 2 - Configure Certificate Issuer
Before cert-manager can vend certificates, it needs a backing certificate issuer. We will be using letsencrypt.org for certificate issuance.
Note: Replace lines 8 & 20 with your email address; this is needed to generate your key pair for issuing certificates from letsencrypt.
Save this yaml file as
kubectl apply -f ./cert-manager-cluster-issuer.yaml
Step 3 - Example TLS/SSL Deployment
Now everything should be configured correctly. Let's test it out by creating a sample TLS/SSL deployment.
Note: Replace lines 49 & 52 with your domain name (this domain should already point to your Kubernetes cluster); this is needed to generate your key pair for issuing certificates from letsencrypt.
Save file as
kubectl apply -f ./echo-server-tls.yaml
Go to your domain at echo.[your-domain-goes-here] and you should see that it has been configured with a TLS/SSL certificate.
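A padlock alone does not say which CA issued the certificate, so the check can be scripted. The following is an added example, not part of the original post: it inspects the dict returned by Python's `ssl.SSLSocket.getpeercert()` and reports a wrong issuer, a missing hostname or a near expiry. The hostname `echo.example.com`, the `SAMPLE` dict and the 7-day threshold are constructed assumptions.

```python
import socket
import ssl
import time

# Assumption: production Let's Encrypt certificates carry this issuer organisation.
EXPECTED_ISSUER_ORG = "Let's Encrypt"


def flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}


def check_cert(cert, hostname, now=None, min_days=7):
    """Return a list of problems found in a getpeercert()-style dict."""
    now = time.time() if now is None else now
    problems = []
    issuer = flatten(cert.get("issuer", ()))
    if issuer.get("organizationName") != EXPECTED_ISSUER_ORG:
        problems.append("unexpected issuer: %r" % issuer.get("commonName"))
    # Exact match only; wildcard SAN entries are not expanded here.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if hostname not in sans:
        problems.append("%s not in SAN list %r" % (hostname, sans))
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < min_days:
        problems.append("expires in %.0f days" % days_left)
    return problems


def fetch_cert(hostname, port=443, timeout=5):
    """Handshake with normal chain and hostname verification, return the cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample shaped like getpeercert() output (not captured from a real host).
SAMPLE = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "echo.example.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    print(check_cert(SAMPLE, "echo.example.com") or "certificate looks good")
```

Against a live cluster, call `check_cert(fetch_cert(host), host)`; if `fetch_cert` raises `ssl.SSLCertVerificationError`, the ingress is still serving an untrusted certificate and issuance has not completed.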
There is more information in the official docs about configuring other Issuers and also other annotations that can be used in your ingress manifests.
I hope this helps.