Auto Renew/Provision SSL Certificates For Kubernetes Ingress Domains

Chirag Patel
3 min read · Aug 17, 2023

In this article, we will set up automatic provisioning and renewal of SSL/TLS certificates for any Kubernetes Ingress domain with the help of cert-manager and the Let’s Encrypt certificate authority.

Prerequisites

A basic introduction to the services and tools used:

  • Kubernetes Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource.
  • cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters and simplifies the process of obtaining, renewing, and using those certificates.
  • An SSL certificate carries the information needed to verify the owner of a website and to encrypt web traffic with SSL/TLS, including the public key, the issuer of the certificate, and the associated domain names.
  • Let’s Encrypt is a nonprofit Certificate Authority that provides TLS certificates to 300 million websites.

Let's Start!!!

  • Install cert-manager in your Kubernetes cluster with the help of its Helm chart (installCRDs=true also installs the Certificate, Issuer and ClusterIssuer custom resource definitions).
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.12.0 --set installCRDs=true
  • Create a ClusterIssuer as given below in a file named cluster-issue.yaml. (Replace the <YOUR_EMAIL> placeholder with your own email address; Let’s Encrypt uses it for expiry and account notices.)

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cert-issuer
spec:
  acme:
    # The ACME production API URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <YOUR_EMAIL>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: cert-issuer-secret
    solvers:
      # An empty 'selector' means that this solver matches all domains
      - selector: {}
        http01:
          ingress:
            class: nginx
  • Run the commands below to create the ClusterIssuer resource and to install the ingress-nginx controller with Helm; the HTTP-01 solver above serves its challenge responses through that controller.
kubectl apply -f cluster-issue.yaml
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace
  • Create the following YAML files for the Deployment, Service and Ingress resources. I’ve used a simple Nginx deployment as an example here; you are welcome to use your own microservice setup.

Create a deployment.yaml file.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - containerPort: 80
              name: nginx-port

Create a service.yaml file.

apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: nginx-port

Create an ingress.yaml file.

  • Note the cert-manager.io/cluster-issuer and cert-manager.io/renew-before Ingress annotations: cert-manager’s ingress-shim will automatically request a certificate for each host listed under tls and renew it when the specified renew-before time before expiry is reached.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    cert-manager.io/cluster-issuer: cert-issuer
    cert-manager.io/renew-before: 360h
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www.patelchirag.in
      secretName: www-patelchirag-in
  rules:
    - http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: nginx
                port:
                  number: 80
  • Run the commands shown below to create the Deployment, Service and Ingress rules for nginx under the specified hostname.
kubectl apply -f deployment.yaml
kubectl apply -f service.yaml
kubectl apply -f ingress.yaml
  • Make sure the host name you specified resolves to the ingress-nginx load balancer’s IP address or DNS name; the HTTP-01 challenge that proves domain ownership is served through that ingress controller, so it fails if the DNS record points elsewhere.
  • After a short while, check the Secret named in the Ingress spec. In our case, a Secret called www-patelchirag-in will be generated containing the certificate and its private key under the keys tls.crt and tls.key.
  • Visit the www.patelchirag.in URL in your preferred browser, and you will see your site secured with a Let’s Encrypt SSL certificate.
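The three checks above (DNS pointing at ingress-nginx, the Secret being issued, and the renew-before window) as a set of shell helpers. This is an added example, not part of the original post: it assumes kubectl is configured for the cluster, that openssl, base64 and getent are installed, that the ingress-nginx Helm release created the Service ingress-nginx-controller in the ingress-nginx namespace (the chart’s default naming), and that the Ingress lives in the default namespace, which the post does not state.

```shell
#!/bin/sh
# Added verification helpers (not from the original post). Assumes kubectl is
# configured for the cluster, and that openssl, base64 and getent are installed.
# Namespace "default" and the Secret/host names below are assumptions that mirror
# the manifests in the post.
set -eu

# Convert a cert-manager renew-before value (Go duration syntax: h, m, s,
# e.g. "360h" or "1h30m") to seconds. Fails on anything else, such as "15d",
# which cert-manager would also reject.
duration_to_seconds() {
  d=$1
  total=0
  while [ -n "$d" ]; do
    num=${d%%[hms]*}
    case "$num" in
      ''|*[!0-9]*) echo "invalid duration: $1" >&2; return 1 ;;
    esac
    rest=${d#"$num"}
    case "$rest" in
      h*) total=$((total + num * 3600)); d=${rest#h} ;;
      m*) total=$((total + num * 60));   d=${rest#m} ;;
      s*) total=$((total + num));        d=${rest#s} ;;
      *)  echo "invalid duration: $1" >&2; return 1 ;;
    esac
  done
  echo "$total"
}

# Given a certificate's notBefore/notAfter as epoch seconds and the renew-before
# value, print the epoch at which cert-manager will start renewing. Fails if
# renew-before is not shorter than the certificate's lifetime (Let's Encrypt
# issues 90-day certificates, so 360h means renewal 15 days before expiry).
renewal_epoch() {
  not_before=$1
  not_after=$2
  rb=$(duration_to_seconds "$3") || return 1
  lifetime=$((not_after - not_before))
  if [ "$rb" -ge "$lifetime" ]; then
    echo "renew-before $3 is not shorter than the certificate lifetime (${lifetime}s)" >&2
    return 1
  fi
  echo $((not_after - rb))
}

# Check that a host resolves to the ingress-nginx LoadBalancer IP, which the
# HTTP-01 challenge needs. On clouds that hand out a DNS name instead of an IP,
# read .status.loadBalancer.ingress[0].hostname and compare its A records instead.
host_points_to_ingress() {
  host=$1
  lb_ip=$(kubectl get svc ingress-nginx-controller -n ingress-nginx \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  resolved=$(getent hosts "$host" | awk '{print $1}')
  if [ -n "$lb_ip" ] && echo "$resolved" | grep -qx "$lb_ip"; then
    echo "OK: $host points at the ingress-nginx load balancer ($lb_ip)"
  else
    echo "MISMATCH: $host resolves to '$resolved', ingress-nginx has '$lb_ip'" >&2
    return 1
  fi
}

# Show cert-manager's view of the request chain and decode the issued
# certificate from the Secret's tls.crt key (issuer, subject, validity dates).
show_ingress_cert() {
  ns=$1
  secret=$2
  kubectl get certificate,certificaterequest,order,challenge -n "$ns"
  kubectl get secret "$secret" -n "$ns" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d \
    | openssl x509 -noout -issuer -subject -dates
}

# Usage (after applying the manifests from the post):
#   host_points_to_ingress www.patelchirag.in
#   show_ingress_cert default www-patelchirag-in
#   renewal_epoch "$(date -d "$NOT_BEFORE" +%s)" "$(date -d "$NOT_AFTER" +%s)" 360h
```

If show_ingress_cert lists a Challenge that stays pending, the host check is the first thing to look at: cert-manager creates a temporary Ingress for the ACME HTTP-01 token, and Let’s Encrypt must be able to reach it over plain HTTP at the host name you put under tls.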

Woohoo!!! You have successfully set up auto-provisioned and auto-renewed SSL certificates for your Kubernetes Ingress domains.

Connect with me on social media and other platforms.
