
Automate TLS/SSL Certificate Issuance & Renewal - Part V

This is the 5th and final part in our $65 Kubernetes Cluster on DigitalOcean series; you can go to Part I to read how to set up your cluster if you haven't done so yet.

There's also a video tutorial here for those who prefer to watch instead of read.


Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network. TLS activates the padlock and the https protocol and allows secure connections between a web server and a browser.

Traditionally these certificates can cost anywhere from $30 to $500 depending on the level of encryption and validation required. But for most websites a simple and basic TLS/SSL certificate should do and letsencrypt.org offers them for free!

What we will focus on today is how to automate the issuance of TLS/SSL certificates in our Kubernetes cluster from the letsencrypt.org API using a tool called cert-manager.

Step 1 - Install Cert-Manager

We'll be using helm to install cert-manager; if you don't have helm installed you can read up here to quickly have it installed. The nginx-ingress controller should also already be installed and fully configured; you can read up here to quickly install it.

The command below will install cert-manager to the kube-system namespace.

helm install --name cert-manager --namespace kube-system stable/cert-manager

Step 2 - Configure Certificate Issuer

Before cert-manager can vend certificates, it needs a backing certificate issuer; we will be using letsencrypt.org for certificate issuance.

Note: Replace Lines 8 & 20 with your email address; this is needed to generate your key pair for issuing certificates from letsencrypt.

Save this yaml file as cert-manager-cluster-issuer.yaml

kubectl apply -f ./cert-manager-cluster-issuer.yaml
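The cluster issuer manifest itself is not reproduced on this page. As an added illustration (not the post's own cert-manager-cluster-issuer.yaml), here is what a ClusterIssuer pair for Let's Encrypt looks like: one issuer pointed at the staging ACME endpoint for testing, and one at production. The stable/cert-manager helm chart the post installs shipped the older certmanager.k8s.io/v1alpha1 API; the manifest below uses the current cert-manager.io/v1 API, so adjust the apiVersion if you run that older release. The issuer names, the Secret names and the email address are assumptions; replace the email with your own.

```yaml
# Added example: two Let's Encrypt ClusterIssuers (staging + production).
# Not the post's own file; names and email below are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging issues untrusted certificates but has generous rate limits,
    # so prove the HTTP-01 flow works here before touching production.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: you@example.com        # replace: expiry notices go here
    privateKeySecretRef:
      # cert-manager generates the ACME account key pair and stores it
      # in this Secret (in cert-manager's own namespace); treat it as sensitive.
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          ingress:
            class: nginx          # challenge is served via the nginx-ingress controller
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Production has strict rate limits (failed validations and duplicate
    # certificates per registered domain are both counted).
    server: https://acme-v02.api.letsencrypt.org/directory
    email: you@example.com        # replace: expiry notices go here
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
```

After applying, `kubectl get clusterissuer` should show both issuers with READY set to True once cert-manager has registered the ACME accounts; `kubectl describe clusterissuer letsencrypt-prod` shows the registration error if it has not.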

Step 3 - Example TLS/SSL Deployment

Now everything should be configured correctly. Let's test it out by creating a sample TLS/SSL deployment.

Note: Replace Lines 49 & 52 with your domain name (this domain should already point to your Kubernetes cluster); this is needed to generate your key pair for issuing certificates from letsencrypt.

Save file as echo-server-tls.yaml

kubectl apply -f ./echo-server-tls.yaml

Go to your domain at echo.[your-domain-goes-here] and you should see that it has been configured with a TLS/SSL certificate.
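The echo-server-tls.yaml manifest is also not reproduced on this page. As an added illustration (not the post's own file), here is a complete echo Deployment, its Service, and an Ingress annotated so that cert-manager requests a certificate for the host and stores it in the Secret named under `tls`. It uses the current networking.k8s.io/v1 Ingress and cert-manager.io annotation names; the echo image, the resource names, the Secret name and the hostname echo.example.com are assumptions, and the hostname must already resolve to your ingress load balancer.

```yaml
# Added example (not the post's own echo-server-tls.yaml): echo Deployment,
# Service and a TLS-enabled Ingress. echo.example.com is a placeholder.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  template:
    metadata:
      labels:
        app: echo
    spec:
      containers:
        - name: echo
          image: hashicorp/http-echo:0.2.3   # assumption: any small HTTP server will do
          args: ["-text=hello over TLS"]
          ports:
            - containerPort: 5678
---
apiVersion: v1
kind: Service
metadata:
  name: echo
  namespace: default
spec:
  selector:
    app: echo
  ports:
    - port: 80
      targetPort: 5678
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo
  namespace: default
  annotations:
    # Which ClusterIssuer cert-manager should use. Point this at the staging
    # issuer first to confirm the HTTP-01 challenge succeeds, then switch
    # to the production issuer and re-apply.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # nginx-ingress: send plain HTTP clients to HTTPS once the cert exists.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - echo.example.com
      # cert-manager creates this Secret (tls.crt + tls.key) itself and
      # renews it before expiry; do not pre-create or hand-edit it.
      secretName: echo-example-com-tls
  rules:
    - host: echo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echo
                port:
                  number: 80
```

Once applied, `kubectl get certificate -n default` lists a Certificate resource named after the Secret; its READY column turns True when the challenge completes, and `kubectl describe certificate echo-example-com-tls` shows the events if it does not. HTTP-01 validation requires that Let's Encrypt can reach port 80 on the ingress for `/.well-known/acme-challenge/` paths, so a firewall that only admits 443 will cause issuance to fail.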


There is more information in the official docs about configuring other Issuers and also other annotations that can be used in your ingress manifests.

I hope this helps.

Chuka Ofili


I'm a technology lover with a great passion for knowledge sharing. Nurturing and growing technical background/awareness in our ecosystem is a personal goal, which I hope to achieve one article at a time.
