
Automate Certificate Issue and Renewal process - k8s cluster

In this blog post, we will look at how to auto-renew TLS certificates on an existing or new Kubernetes cluster that uses Ingress resources. Without auto-renewal, everything has to be done by hand: every three months you renew the certificates, delete the expired certificate and its secret, and update the secrets with the new certificate. Manual renewal is tedious and not an ideal solution, especially for your Test and Production environments.

Pre-requisites

  1. Install and setup kubectl
  2. Install and setup Helm
  3. Kubernetes cluster already provisioned with Ingress resources.
Note: The scope of this blog post is to show how the certificate renewal process can be automated; the same steps can be moved into your deployment pipelines.

Install Cert Manager

Install the cert-manager CRDs using the command below.

# For Kubernetes 1.15+
kubectl apply --validate=false \
  -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.crds.yaml

We install cert-manager using Helm. The commands below add the Jetstack chart repository and refresh the local index.

helm repo add jetstack https://charts.jetstack.io
helm repo update

Install cert-manager. Let's Encrypt has two environments, staging and production. The staging environment issues certificates signed by a 'fake' CA.
 
# --create-namespace (Helm 3.2+) creates the cert-manager namespace if it does not exist yet;
# --version pins the chart to the same release as the CRDs installed above
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.1.0 \
  --set ingressShim.defaultIssuerName=letsencrypt-prod \
  --set ingressShim.defaultIssuerKind=ClusterIssuer

Once installed, verify it by checking the cert-manager namespace for running pods:

kubectl get pods -n cert-manager

Configure Cluster Issuer

Create a file named letsencrypt-ClusterIssuer.yaml with the content below, replacing the email address with your own.

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <replace with your email address>
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

Apply it using the command below. This creates the Issuer in the default namespace.

kubectl apply -f letsencrypt-ClusterIssuer.yaml

To verify that the ACME account registered successfully, run the command below and check the Ready condition in its output:

kubectl describe clusterissuer letsencrypt-prod

With that, everything is set. When you create your Ingress, add the following annotations; for an existing Ingress, modify it accordingly. Provide the TLS secret name in the same Ingress resource file.
 
# cert-manager v0.11+ (including v1.1.0) reads the cert-manager.io/ annotation prefix;
# the older certmanager.k8s.io/ prefix is ignored by these releases
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/tls-acme: "true"
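As an added example (not part of the original post), here is a pre-deploy check of the kind that can live in the deployment pipeline mentioned earlier: it takes an Ingress as `kubectl get ingress <name> -o json` returns it and reports anything that would stop cert-manager's ingress-shim from issuing and renewing the certificate, including the old annotation prefix, which current releases silently ignore. The sample Ingress, its name `web`, host and secret name are constructed for this example; the annotation keys are cert-manager's own.

```python
import json

CURRENT_PREFIX = "cert-manager.io/"    # prefix the ingress-shim in cert-manager v0.11+ (v1.1.0 included) reads
LEGACY_PREFIX = "certmanager.k8s.io/"  # pre-0.11 prefix; a v1.x ingress-shim silently ignores it

def check_ingress(ingress):
    """Return findings that would keep ingress-shim from creating/renewing the Certificate.
    An empty list means the Ingress is ready for automatic issuance."""
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    ann = meta.get("annotations") or {}
    tls = ingress.get("spec", {}).get("tls") or []
    findings = []
    issuer_keys = [k for k in ann if k.endswith("/issuer") or k.endswith("/cluster-issuer")]
    for k in issuer_keys:
        if k.startswith(LEGACY_PREFIX):
            findings.append(f"{name}: {k} uses the old prefix; rename it to {CURRENT_PREFIX}{k.split('/', 1)[1]}")
    has_issuer = any(k.startswith(CURRENT_PREFIX) for k in issuer_keys)
    # kubernetes.io/tls-acme: "true" falls back to the chart's ingressShim.defaultIssuerName/Kind values
    if not has_issuer and ann.get("kubernetes.io/tls-acme") != "true":
        findings.append(f"{name}: no {CURRENT_PREFIX}cluster-issuer annotation and tls-acme is not 'true'")
    if not tls:
        findings.append(f"{name}: spec.tls is empty, so there is no secretName for cert-manager to fill")
    for entry in tls:
        if not entry.get("secretName"):
            findings.append(f"{name}: tls entry for {entry.get('hosts')} has no secretName")
        if not entry.get("hosts"):
            findings.append(f"{name}: tls entry {entry.get('secretName')} lists no hosts")
    return findings

def fixed_copy(ingress):
    """Return a deep copy with legacy annotation keys renamed to the current prefix."""
    out = json.loads(json.dumps(ingress))
    ann = out.setdefault("metadata", {}).get("annotations") or {}
    out["metadata"]["annotations"] = {
        (CURRENT_PREFIX + k[len(LEGACY_PREFIX):] if k.startswith(LEGACY_PREFIX) else k): v
        for k, v in ann.items()}
    return out
# Constructed sample: an Ingress annotated with the old prefix, in the shape
# `kubectl get ingress web -o json` would print it (fields not needed here are left out).
SAMPLE_INGRESS = json.loads("""{
  "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
  "metadata": {"name": "web", "annotations": {
      "certmanager.k8s.io/cluster-issuer": "letsencrypt-prod", "kubernetes.io/tls-acme": "true"}},
  "spec": {"tls": [{"hosts": ["app.example.test"], "secretName": "web-tls"}],
           "rules": [{"host": "app.example.test"}]}}""")

if __name__ == "__main__":
    print(check_ingress(SAMPLE_INGRESS), check_ingress(fixed_copy(SAMPLE_INGRESS)))
```

Pipe `kubectl get ingress -A -o json` through a loop over `.items` to run the same check across a whole cluster.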
