Oct 09 2021
Auto Renew LetsEncrypt Certificates on Kubernetes
Install cert-manager
cert-manager is distributed as a Helm chart that adds its own custom resources to a Kubernetes cluster. It automates requesting, renewing and storing certificates (as Kubernetes Secrets) and is the tool to reach for whenever a certificate provider exposes an API for those operations. Automation matters most with Let's Encrypt: its certificates are valid for only 90 days, and cert-manager renews them ahead of time (by default once two thirds of the lifetime has elapsed, i.e. 30 days before expiry), so an expired certificate never reaches your users.
cert-manager is published in the Jetstack Helm repository; add it to your Helm repositories and refresh the index:
helm repo add jetstack https://charts.jetstack.io
helm repo update
cert-manager runs in its own namespace. Create it, then install the chart into it:
kubectl create namespace cert-manager
helm install cert-manager \
--namespace cert-manager jetstack/cert-manager \
--set installCRDs=true
--set installCRDs=true makes the chart install cert-manager's CustomResourceDefinitions (CertificateRequest, Certificate, Issuer, ClusterIssuer, Order, Challenge) together with the controller. Without them the ClusterIssuer below cannot be applied. After the install, the cert-manager namespace should contain three running deployments: cert-manager, cert-manager-cainjector and cert-manager-webhook.
LetsEncrypt Cluster issuer
A ClusterIssuer describes a certificate authority cert-manager can request certificates from. Unlike an Issuer it is cluster-scoped, so Ingresses in any namespace may reference it. To have your TLS certificates signed by Let's Encrypt, apply this manifest:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: it@company.xxx
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: public-iks-k8s-nginx
Let's Encrypt is a publicly trusted CA that issues through the ACME protocol, which is why it is configured as an ACME issuer. It only signs a certificate after verifying that you control the domain, in one of two ways: a DNS-01 challenge (a TXT record under _acme-challenge.<domain>) or an HTTP-01 challenge (a token served at http://<domain>/.well-known/acme-challenge/<token>). Since a Kubernetes Ingress already serves HTTP, most people choose HTTP-01; that is what the solvers section declares. Two caveats: HTTP-01 requires the hostname to resolve publicly and port 80 to be reachable from the internet, and it cannot issue wildcard certificates, which need DNS-01. privateKeySecretRef names the Secret, created in the cert-manager namespace, that will hold your ACME account private key; treat it as a credential. While testing, point server at the staging endpoint https://acme-staging-v02.api.letsencrypt.org/directory to stay clear of Let's Encrypt's production rate limits; staging certificates are not browser-trusted.
The second important piece of information is the ingress class. To solve an HTTP-01 challenge, cert-manager creates a temporary Ingress (or edits yours, see below) carrying this class, so that the right ingress controller serves the challenge response. On IBM Cloud Kubernetes Service the public ingress class is public-iks-k8s-nginx; check which class your own controller watches and set that.
Ingress Definition
Now that cert-manager and a ClusterIssuer are in place, you need to tell them which Ingress to obtain a certificate for. This is done with annotations on the Ingress: cert-manager's ingress-shim watches them and creates a Certificate resource named after the secretName in the tls section.
Set the issuer in the cert-manager.io/cluster-issuer annotation.
As seen before, the kubernetes.io/ingress.class annotation is public-iks-k8s-nginx on IKS; set whatever your controller expects. The class on your Ingress and the class in the solver must name the same controller, otherwise the challenge is served by a different controller (or none) than your application. Kubernetes has deprecated this annotation in favour of spec.ingressClassName, but cert-manager's HTTP-01 solver configures the class through the annotation, so keep the two consistent.
acme.cert-manager.io/http01-edit-in-place decides how the challenge is exposed: set it to "true" to have cert-manager add the /.well-known/acme-challenge/ path to this Ingress instead of creating a separate temporary Ingress. That matters when your controller cannot route two Ingresses for the same host, or when the temporary Ingress would lack annotations (an IP allow-list, for instance) that your setup depends on.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  labels:
    name: app-ingress
  annotations:
    acme.cert-manager.io/http01-edit-in-place: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: public-iks-k8s-nginx
spec:
  tls:
  - hosts:
    - www.netexpertise.eu
    secretName: letsencrypt-netexpertise
  rules:
  - host: www.netexpertise.eu
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-backend-app
            port:
              number: 80
Renew LetsEncrypt Certificate
To solve the HTTP-01 challenge, cert-manager creates a solver Pod and Service in the namespace of your Ingress, plus a temporary Ingress unless edit-in-place is enabled, in which case it adds the challenge path to yours. They are removed as soon as Let's Encrypt has validated the challenge and the signed certificate has been written to the Secret named in secretName, which the ingress controller then picks up. The same flow runs again automatically when the renewal date is reached, so no cron job is required.
If something goes wrong, look at the status and events of the Certificate resource (kubectl describe certificate <secretName>), at the Order and Challenge resources cert-manager created for it, and at the logs of the pods in the cert-manager namespace. The most common failure is the challenge URL not being reachable from the internet on port 80; the Challenge status reports exactly what Let's Encrypt or cert-manager's own self-check saw.
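The status checks this section describes, as an added example rather than code from the original post or from the cert-manager project. The script lists every Certificate with the fields cert-manager writes into .status, classifies each one (valid, mid-renewal, overdue, expired, never issued), prints the kubectl commands to run for anything unhealthy, and compares the certificate actually served on the Ingress host with the one stored in the Secret, which catches an ingress controller that has not reloaded a renewed Secret. It assumes kubectl access to the cluster, openssl and a POSIX awk; the namespace default is an assumption (the Ingress above does not set one), and the host and secret name are taken from that Ingress. Run it with --live against a cluster; without the flag it only defines the functions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of cert-manager itself.
# Assumes: kubectl with access to the cluster, openssl, and a POSIX awk.
# The namespace "default" is an assumption; the host www.netexpertise.eu and
# the secret letsencrypt-netexpertise come from the Ingress above.
set -eu

# Live query: one line per Certificate in every namespace. The custom columns
# pull the Ready condition and the timestamps cert-manager writes to .status;
# fields that do not exist yet are printed by kubectl as <none>.
list_certs() {
  kubectl get certificates -A --no-headers -o custom-columns=\
'NS:.metadata.namespace,NAME:.metadata.name,READY:.status.conditions[?(@.type=="Ready")].status,NOTAFTER:.status.notAfter,RENEWAL:.status.renewalTime'
}

# Pure classification of list_certs output against a reference time ($1, RFC 3339
# UTC). Same-format Zulu timestamps sort correctly as plain strings, so no date
# arithmetic is required. States:
#   ok              valid, renewal not yet due
#   renewing        renewalTime has passed and the old certificate is still valid
#   renewal-overdue renewalTime has passed and Ready is not True: investigate
#   expired         notAfter is in the past
#   never-issued    no certificate has ever been written to the Secret
#   not-ready       valid dates but Ready is not True
triage_certs() {
  awk -v now="$1" '
    NF < 5 { next }
    {
      ns = $1; name = $2; ready = $3; notafter = $4; renewal = $5
      state = "ok"
      if (notafter == "<none>")                          state = "never-issued"
      else if (notafter < now)                           state = "expired"
      else if (renewal != "<none>" && renewal < now) {
        state = (ready == "True") ? "renewing" : "renewal-overdue"
      }
      else if (ready != "True")                          state = "not-ready"
      printf "%s %s/%s\n", state, ns, name
    }'
}

# Where to look next for anything that is not ok: the Certificate events, the
# Order and Challenge resources cert-manager created, and the controller logs.
hint() {                       # $1 = namespace/name
  ns="${1%/*}"; name="${1#*/}"
  echo "kubectl describe certificate -n $ns $name"
  echo "kubectl get orders,challenges -n $ns"
  echo "kubectl logs -n cert-manager deploy/cert-manager --tail=100"
}

# Did a renewal actually reach clients? Compare the leaf certificate the ingress
# controller serves with the first certificate in the Secret's tls.crt.
served_fp() {                  # $1 = host
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}
secret_fp() {                  # $1 = namespace, $2 = secret name
  kubectl get secret -n "$1" "$2" -o jsonpath='{.data.tls\.crt}' |
    base64 -d | openssl x509 -noout -fingerprint -sha256
}

# Only touch the cluster when explicitly asked, so the functions above can be
# sourced and exercised offline.
if [ "${1:-}" = "--live" ]; then
  list_certs | triage_certs "$(date -u +%Y-%m-%dT%H:%M:%SZ)" |
    while read -r state cert; do
      echo "$state $cert"
      [ "$state" = ok ] || hint "$cert"
    done
  echo "served: $(served_fp www.netexpertise.eu)"
  echo "secret: $(secret_fp default letsencrypt-netexpertise)"
fi
```

Because notAfter and renewalTime are RFC 3339 UTC strings of identical shape, the classification compares them lexically; that avoids date arithmetic and works with any POSIX awk. A mismatch between the served and the Secret fingerprints after a successful renewal points at the ingress controller, not at cert-manager.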