How to Configure Cert-Manager for SSL in Kubernetes
Ensuring secure communication within your Kubernetes cluster is crucial for protecting data integrity and privacy. Cert-Manager is a popular solution for managing SSL/TLS certificates in Kubernetes environments. This tutorial will guide you through the configuration process of Cert-Manager in Kubernetes, leveraging its capabilities to automate the issuance and renewal of certificates.
Prerequisites
- A Kubernetes cluster (version 1.15+ recommended).
- Administrative access to the Kubernetes cluster.
- The official cert-manager documentation, for reference.
Step 1: Install Cert-Manager
To begin, install Cert-Manager by applying the release manifest with kubectl (a Helm chart is also available):
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.7.1/cert-manager.yaml
This command installs the required Custom Resource Definitions (CRDs) and deploys Cert-Manager into your cluster.
Step 2: Create a ClusterIssuer
A ClusterIssuer represents the certificate authority that Cert-Manager requests certificates from (here Let's Encrypt, via the ACME protocol) and, unlike a namespaced Issuer, can be referenced from any namespace in the cluster. Create a YAML file named cluster-issuer.yaml:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com   # replace with a mailbox you monitor; Let's Encrypt sends expiry notices here
    privateKeySecretRef:
      name: letsencrypt-prod   # Secret that will hold the ACME account private key
    solvers:
      - http01:
          ingress:
            class: nginx
Apply the configuration:
kubectl apply -f cluster-issuer.yaml
Step 3: Annotate Ingress Resources
With Cert-Manager installed and the ClusterIssuer configured, annotate your Ingress resources so that Cert-Manager requests ACME certificates for them. Cert-Manager watches annotated Ingresses and automatically creates a Certificate resource named after the tls secretName:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    # letsencrypt-prod is a ClusterIssuer, so the cluster-issuer annotation is required;
    # cert-manager.io/issuer only resolves a namespaced Issuer and would fail here
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 80
  tls:
    - hosts:
        - example.com
      secretName: example-tls   # Cert-Manager stores the issued certificate and key in this Secret
Troubleshooting
If the certificates are not being issued, check the logs of the Cert-Manager controller pod (list the pods in the cert-manager namespace with kubectl get pods -n cert-manager to find its name):
kubectl logs -n cert-manager <cert-manager-pod-name>
Ensure that your Ingress resources carry the correct Cert-Manager annotation (cert-manager.io/cluster-issuer for a ClusterIssuer, cert-manager.io/issuer for a namespaced Issuer) and that the DNS records for each host in the tls section resolve to your ingress controller, since the HTTP-01 challenge must be reachable from the public internet.
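As an added troubleshooting aid (an example script written for this article, not part of cert-manager), the following POSIX shell script walks the chain of resources Cert-Manager creates for the Ingress above and reports where issuance is stuck. It assumes kubectl is configured for the cluster and that the Certificate is named after the Ingress's secretName (example-tls), which is what Cert-Manager's Ingress integration does.

```shell
#!/usr/bin/env sh
# Example script (not cert-manager's own tooling): inspect one Certificate and,
# if it is not Ready, list the CertificateRequest/Order/Challenge resources
# cert-manager created for it, which is where ACME failures are recorded.

# Return 0 when the Certificate's Ready condition is True, 1 otherwise.
cert_is_ready() {
  ns="$1"; name="$2"
  status=$(kubectl get certificate -n "$ns" "$name" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}' 2>/dev/null)
  [ "$status" = "True" ]
}

# Print the Ready condition's message; cert-manager records why issuance is
# pending or failed here (e.g. a challenge that could not be validated).
cert_ready_message() {
  kubectl get certificate -n "$1" "$2" \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].message}' 2>/dev/null
}

# Walk Certificate -> CertificateRequest -> Order -> Challenge so the failing
# stage is visible without reading controller logs. Returns 1 if not Ready.
diagnose_certificate() {
  ns="$1"; name="$2"
  if cert_is_ready "$ns" "$name"; then
    echo "Certificate $ns/$name is Ready"
    return 0
  fi
  echo "Certificate $ns/$name is NOT ready: $(cert_ready_message "$ns" "$name")"
  echo "--- CertificateRequests in $ns"
  kubectl get certificaterequest -n "$ns" 2>/dev/null
  echo "--- Orders in $ns"
  kubectl get order -n "$ns" 2>/dev/null
  echo "--- Challenges in $ns (a pending HTTP-01 challenge usually means DNS or ingress routing)"
  kubectl get challenge -n "$ns" -o wide 2>/dev/null
  return 1
}

# Usage: sh check-cert.sh <namespace> <certificate-name>
if [ "$#" -ge 2 ]; then
  diagnose_certificate "$1" "$2"
fi
```

For the Ingress above, run it as sh check-cert.sh default example-tls (substituting the Ingress's namespace).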
Summary Checklist
- Ensure that your Kubernetes cluster is ready and compatible.
- Install Cert-Manager using Helm or kubectl.
- Set up a ClusterIssuer with Let’s Encrypt or your desired issuer.
- Annotate your Ingress resources for SSL certificate issuance.
- Troubleshoot using logs from Cert-Manager for any issues.
By following these steps, you can successfully manage SSL/TLS certificates in your Kubernetes cluster using Cert-Manager, enhancing your application’s security.
For additional information about securing your Kubernetes deployment, check out our article on configuring NGINX Ingress Controller in Kubernetes.
