Sling Academy
Home/DevOps/How to Set Up SSL with Let’s Encrypt in Kubernetes

How to Set Up SSL with Let’s Encrypt in Kubernetes

Last updated: February 01, 2024

Table of Contents

  1. Introduction
  2. Step-by-Step Instructions
    1. Step 1: Installing Cert-Manager
    2. Step 2: Setting Up Let’s Encrypt Issuer
    3. Step 3: Deploying an Application
    4. Step 4: Configuring an Ingress Resource
    5. Step 5: Testing Your Setup
  3. Closing Thoughts

Introduction

With web security becoming a top priority for both users and search engines, Secure Sockets Layer (SSL) has become a necessity for any production application. Let’s Encrypt is a popular and free way to implement SSL encryption on your sites. When it comes to deploying applications on Kubernetes, setting up SSL might seem daunting, but automation tools like Cert-Manager simplify this process.

In this tutorial, we will go through the steps of setting up SSL with Let’s Encrypt for a web service on Kubernetes. We will use Cert-Manager, a native Kubernetes certificate management tool, to automate the issuance and renewal of SSL certificates.

Prerequisites

  • An up and running Kubernetes cluster.
  • kubectl command-line tool installed and configured to communicate with your cluster.
  • Access to a domain name and the ability to manually edit its DNS records, or alternatively, a dynamic DNS service can be used.

Step-by-Step Instructions

Step 1: Installing Cert-Manager


kubectl create namespace cert-manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.0/cert-manager.yaml

Verify the installation with:

kubectl get pods --namespace cert-manager

Wait for the pods in the cert-manager namespace to be running before continuing to the next step.

Step 2: Setting Up Let’s Encrypt Issuer

Cert-Manager uses Issuers to manage the certificate lifecycle. Create an Issuer or a ClusterIssuer if you want to manage certificates cluster-wide.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx

Modify [email protected] with your email address. The staging environment should be used first to ensure everything is set up correctly without hitting production rate limits.

Step 3: Deploying an Application

Deploy a simple web application that you want to secure with SSL using Let’s Encrypt.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-web-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-web-app
  template:
    metadata:
      labels:
        app: my-web-app
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

Expose the application with a service and an ingress resource that will use the Cert-Manager for SSL.

Step 4: Configuring an Ingress Resource

Create a Kubernetes Ingress resource that tells Cert-Manager to secure your application.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-web-app-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
    - your-domain.com
    secretName: my-web-app-tls
  rules:
  - host: your-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-web-app
            port:
              number: 80

Make sure to replace your-domain.com with your actual domain. The secretName will be used by Cert-Manager to store the SSL certificate for your domain.

Step 5: Testing Your Setup

Once your application is exposed and paired with an Ingress resource pointing to your domain, and after Cert-Manager has issued the certificates, you should be able to access your service over HTTPS.

Closing Thoughts

This tutorial covered the essentials of setting up SSL with Let’s Encrypt in a Kubernetes environment using Cert-Manager. Remember to switch from the staging environment to the production Let’s Encrypt server by changing letsencrypt-staging to letsencrypt-production in your Issuer resource once you’re ready to serve your application to the public.

By ensuring that your applications use SSL certificates, you not only protect your users’ data but also improve your service’s credibility and trustworthiness.

Next Article: Kubernetes: How to run a container forever (and improve uptime)

Previous Article: How to Handle Batch Jobs and Cron Jobs in Kubernetes

Series: Kubernetes Tutorials

DevOps

You May Also Like

  • How to reset Ubuntu to factory settings (4 approaches)
  • Making GET requests with cURL: A practical guide (with examples)
  • Git: What is .DS_Store and should you ignore it?
  • NGINX underscores_in_headers: Explained with examples
  • How to use Jenkins CI with private GitHub repositories
  • Terraform: Understanding State and State Files (with Examples)
  • SHA1, SHA256, and SHA512 in Terraform: A Practical Guide
  • CSRF Protection in Jenkins: An In-depth Guide (with examples)
  • Terraform: How to Merge 2 Maps
  • Terraform: How to extract filename/extension from a path
  • JSON encoding/decoding in Terraform: Explained with examples
  • Sorting Lists in Terraform: A Practical Guide
  • Terraform: How to trigger a Lambda function on resource creation
  • How to use Terraform templates
  • Understanding terraform_remote_state data source: Explained with examples
  • Jenkins Authorization: A Practical Guide (with examples)
  • Solving Jenkins Pipeline NotSerializableException: groovy.json.internal.LazyMap
  • Understanding Artifacts in Jenkins: A Practical Guide (with examples)
  • Using Jenkins with AWS EC2 and S3: A Practical Guide