
Cert-Manager

We have set up our ingress controller. A deployed web application still needs a TLS certificate to serve HTTPS traffic.

The purpose of cert-manager is to automate the lifecycle of TLS certificates within the cluster.

Installation

The installation of Cert-Manager requires the Helm chart located at https://charts.jetstack.io.

```yaml
cert-manager:
  installCRDs: true
```

Let's Encrypt

To obtain a certificate signed by Let's Encrypt, you need to create a ClusterIssuer in your cluster. The easiest way to get started with Let's Encrypt is to create an ACME issuer with the following configuration.

INFO

For an ACME issuer, two solver types are available: http01 and dns01. For simplicity, I use the http01 solver type. For more details on how it works, check the Let's Encrypt documentation.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
```

Ingress

Now that you have everything set up, the next step is to create an Ingress carrying the annotation cert-manager.io/cluster-issuer: letsencrypt-prod:

INFO

Note that you should have a domain (mydomain.com in this example) with an A record pointing to your public IP address.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: awesome-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - mydomain.com
      secretName: mydomain.com
  rules:
    - host: mydomain.com
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: awesome-ingress
                port:
                  number: 80
```

Under the hood, cert-manager will automatically request a TLS certificate from Let's Encrypt using the specified ClusterIssuer.

The issuer will validate the request via the http01 challenge, which is typically handled by an Nginx ingress controller.

The http01 challenge requires the client to prove domain ownership by serving a specific validation file over HTTP on a well-known URL (e.g., http://yourdomain/.well-known/acme-challenge/) to satisfy Let's Encrypt's validation process.

Once the challenge is successfully completed, Let's Encrypt will issue the certificate.
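To make concrete what that validation file contains, here is an added example (not code from this page or from cert-manager) of the key authorization behind the http01 challenge: the token joined to a thumbprint of the ACME account key (RFC 8555 section 8.3, RFC 7638), with simplified models of the solver side and the CA side. The account key is the public RSA JWK published as the example in RFC 7638; the two functions are illustrations, not cert-manager's own challenge pod.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Sample ACME account key: the public RSA JWK from RFC 7638, section 3.1 (a
# published test vector, not anyone's real account key).
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1R"
         "K7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9"
         "yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZg"
         "nYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6We"
         "Zu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}
# Challenge tokens are unpadded base64url characters (RFC 8555, section 8.3).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required public members, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the CA expects to read at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def solver_response(path: str, known: dict) -> Optional[str]:
    """Solver side (simplified model of the challenge pod): answer only well-formed tokens it was given."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return None
    return known.get(token)


def ca_validates(served_body: str, token: str, jwk: dict) -> bool:
    """CA side: body must equal the key authorization (trailing whitespace is ignored per RFC 8555)."""
    return hmac.compare_digest(served_body.strip(), key_authorization(token, jwk))
```

Anyone who can answer HTTP on port 80 for the hostname can pass this check, which is why the solver ingress must only route the exact challenge path and why the account key in the letsencrypt-prod secret must stay private.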

And voilà!

Released under the MIT License.