January 6, 2021 - Patrick Kerwood
Here's a quick how-to on installing Cert Manager in your Kubernetes cluster and setting up Issuers with Let's Encrypt HTTP and DNS validation. With Helm 3 the installation process is a breeze.
A prerequisite for installing Cert Manager with Helm is of course Helm. Go to the Helm install docs (opens new window) and get a piece of that cake.
Efter installing Helm, add the Jetstack repo and update your Helm repositories.
helm repo add jetstack https://charts.jetstack.io
helm repo update
Create a namespace for Cert Manager.
kubectl create namespace cert-manager
Before installing, go to the install docs (opens new window), verify the latest version and replace it in the example below.
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--version v1.6 \
--set installCRDs=true
That's it! Cert Manager is installed.
Below is is an example of a ClusterIssuer
, named le-http01
, that uses HTTP-01 validation. This is the easiest method because there's no more configuration than below manifest. The only drawback is that your cluster has to be accessible from the internet, for Let's Encrypt to validate the domain name.
Change the email
property, save below yaml to a file and apply it to your cluster.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: le-http01
spec:
acme:
email: your-email@example.org
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: le-http01-account-key
solvers:
- http01:
ingress:
class: nginx
When using the DNS validation, you can request certificates from a cluster that's not accessible from the internet, via a DNS providers API. You can find a list of supported providers here. (opens new window)
In this example I will be using Cloudflare as the DNS provider.
Login to your Cloudflare account, go to "My Profile" -> "API Tokens" and create a token with the following permissions.
If you want you can lock the token down for a specific zone.
Create a secret with the Cloudflare token.
kubectl create secret generic cloudflare-api-token --from-literal=api-token=<insert-token-here> -n cert-manager
Change the email
property, save below yaml to a file and apply it to your cluster.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: le-dns01
spec:
acme:
email: your-email@example.org
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: le-dns01-account-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token
Below is an example of an ingress definition with TLS enabled, using the le-http01
cluster issuer.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: hello-world
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: le-http01
spec:
tls:
- hosts:
- hello.example.org
secretName: hello-le-secret
rules:
- host: hello.example.org
http:
paths:
- path: /
backend:
serviceName: hello-world
servicePort: 80