kubectl configured to interact with your cluster
helm repo add nginx https://helm.nginx.com/stable
helm repo update
helm install nginx -n ingress nginx/nginx-ingress -f helm-values/nginx-values.yaml --create-namespace=true
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --version v1.9.1 --set installCRDs=true
kubectl get pods -n cert-manager
Cert-Manager requires an Issuer or ClusterIssuer to manage certificates. We’ll create a ClusterIssuer using Let’s Encrypt.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cert-issuer
spec:
  acme:
    # The ACME production API URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: your@email.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: cert-issuer-secret
    solvers:
    # An empty 'selector' means that this solver matches all domains
    - selector: {}
      http01:
        ingress:
          class: nginx
kubectl apply -f cluster-issuer.yaml
Verify the issuer status:
kubectl describe clusterissuer cert-issuer
The sample application consists of an NGINX deployment that serves static content, exposed via a Kubernetes Service. The Ingress resource routes external traffic to the application and triggers Cert-Manager to request an SSL certificate from Let’s Encrypt. Once issued, the certificate is stored in a Kubernetes secret and automatically used by the Ingress controller to enable HTTPS.
nginx-deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
kubectl apply -f nginx-deployment.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: ClusterIP
Apply the service:
kubectl apply -f nginx-service.yaml
Create a file nginx-ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/cluster-issuer: cert-issuer
  name: nginx-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: your.domain.com
    http:
      paths:
      - backend:
          service:
            # The Service created above
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - your.domain.com
    secretName: cert-issuer-secret
kubectl apply -f nginx-ingress.yaml
Check the status of the certificate:
kubectl get certificate
NAMESPACE   NAME                 READY   SECRET               AGE
test        cert-issuer-secret   True    cert-issuer-secret   73m
kubectl describe certificate cert-issuer-secret
Once the certificate is issued, test HTTPS access using a browser or curl:
curl -v https://your.domain.com
If everything is set up correctly, your application will be served over HTTPS with a valid Let’s Encrypt certificate.
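An added example, not part of the original page: a small Python lint for the Ingress above, fed the object that `kubectl get ingress nginx-ingress -o json` returns. It checks the conditions under which issuance quietly fails (no issuer annotation, a host missing from `tls`, an empty backend) and flags that this page uses the name cert-issuer-secret for both the ACME account key and the TLS secret. The function name `lint_ingress` and the sample object are assumptions constructed for illustration.

```python
# Constructed sample: the Ingress from this page in the shape that
# `kubectl get ingress nginx-ingress -o json` returns (namespace "test" is taken
# from the sample output; backend values match the page's Service).
SAMPLE = {
    "metadata": {"name": "nginx-ingress", "namespace": "test", "annotations": {
        "cert-manager.io/cluster-issuer": "cert-issuer"}},
    "spec": {
        "rules": [{"host": "your.domain.com", "http": {"paths": [{
            "path": "/", "backend": {"service": {"name": "nginx", "port": {"number": 80}}}}]}}],
        "tls": [{"hosts": ["your.domain.com"], "secretName": "cert-issuer-secret"}]},
}

def lint_ingress(ing, acme_key_secret, issuer_ns="cert-manager"):
    """Return findings for one Ingress; acme_key_secret is the issuer's privateKeySecretRef name."""
    out = []
    meta, spec = ing.get("metadata") or {}, ing.get("spec") or {}
    ann = meta.get("annotations") or {}
    if not any(k in ann for k in ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")):
        out.append("no issuer annotation: cert-manager will not request a certificate")
    tls = spec.get("tls") or []
    covered = {h for t in tls for h in (t.get("hosts") or [])}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host not in covered:
            out.append(f"host {host}: no tls entry lists it, so it is not served with the issued certificate")
        for p in (rule.get("http") or {}).get("paths") or []:
            svc = (p.get("backend") or {}).get("service") or {}
            port = svc.get("port") or {}
            if not svc.get("name") or not (port.get("number") or port.get("name")):
                out.append(f"host {host} path {p.get('path')}: backend service name or port is empty")
    for t in tls:
        name = t.get("secretName")
        if not name:
            out.append("tls entry has no secretName: nowhere to store the certificate")
        elif name == acme_key_secret:
            # The ClusterIssuer's account key lives in cert-manager's cluster resource
            # namespace (default "cert-manager"); same name + same namespace is a clash.
            level = "error" if meta.get("namespace", "default") == issuer_ns else "warning"
            out.append(f"{level}: tls secret '{name}' has the same name as the ACME account key secret")
    return out

if __name__ == "__main__":
    for finding in lint_ingress(SAMPLE, "cert-issuer-secret"):
        print(finding)
```

For the manifest on this page the only finding is the shared-name warning; giving the TLS secret a distinct name in `secretName` clears it.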