Certificate Management in Kubernetes Using cert-manager: A Comprehensive Guide

By Rajesh Gheware

One of the most powerful features of cert-manager is its ability to issue certificates for Kubernetes Ingress resources automatically, which simplifies securing your applications with HTTPS. Developers no longer need to create and renew a certificate by hand for each Ingress. Here, we'll delve into how to set up an Ingress resource so that cert-manager requests and applies its certificate automatically.

Step 1: Define an Ingress Resource

First, ensure your Kubernetes cluster has an Ingress controller installed. The Nginx Ingress Controller is a common choice and can be deployed from the Kubernetes official documentation or through Helm charts.

With an Ingress controller in place, define your Ingress resource. Here's an example that routes traffic to a sample web application:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-application
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-application-service
            port:
              number: 80
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls

In this Ingress definition, note the following key points:

  • The cert-manager.io/cluster-issuer annotation specifies the ClusterIssuer to use for obtaining a certificate. Replace "letsencrypt-prod" with the name of your ClusterIssuer.
  • The kubernetes.io/ingress.class annotation is set to "nginx", indicating that this Ingress should be handled by the Nginx Ingress Controller. On current Kubernetes versions the spec.ingressClassName field is the preferred way to select the controller; the annotation is still honoured by ingress-nginx.
  • The tls section requests a TLS certificate for the host example.com, which cert-manager will automatically provision and store in the specified secretName.

Step 2: Deploy the Ingress Resource

Deploy the Ingress resource to your cluster using kubectl apply -f ingress.yaml, where ingress.yaml is the file containing the Ingress resource definition.

Step 3: Automatic Certificate Issuance

Upon deployment, cert-manager detects the new Ingress resource and reads the annotations to understand that a certificate is requested. It then communicates with the specified ClusterIssuer to issue a certificate for the hosts defined under the tls section. The process involves:

  • Performing domain validation as per the ClusterIssuer's configuration (e.g., HTTP-01 challenge for Let's Encrypt).
  • Once validated, cert-manager obtains the certificate and stores it in the specified Kubernetes secret (example-com-tls in this case).
  • The Ingress controller then uses the certificate from the secret to secure traffic to the example.com domain.

Step 4: Verifying the Certificate

After a few minutes, you can verify that the certificate has been applied by accessing your application over HTTPS (https://example.com) and checking the certificate details in the browser. You can also inspect the Kubernetes secret (example-com-tls) directly; note that its output includes the private key (tls.key) as well as the certificate chain (tls.crt), both base64-encoded:

kubectl get secret example-com-tls -o yaml
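Beyond eyeballing the secret, it is worth checking the Certificate resource that cert-manager's ingress-shim creates (named after the secretName) against the Ingress that requested it. The script below is an added example, not part of the original post or of cert-manager itself: it takes the parsed JSON of kubectl get certificate example-com-tls -o json and kubectl get ingress web-application -o json, and the sample objects it embeds are constructed to mirror the Ingress above.

```python
"""Sanity-check a cert-manager Certificate against the Ingress that requested it.
Input shape mirrors `kubectl get certificate <name> -o json` and
`kubectl get ingress <name> -o json`; the sample objects below are constructed."""
import json
from datetime import datetime, timedelta, timezone

def check_certificate(cert, ingress, now, min_days=14):
    """Return a list of problems; an empty list means the certificate is healthy."""
    problems = []
    # 1. The Ready condition must be True; until then no usable secret exists.
    conds = {c["type"]: c for c in cert.get("status", {}).get("conditions", [])}
    ready = conds.get("Ready", {})
    if ready.get("status") != "True":
        problems.append(f"not Ready: {ready.get('reason')} - {ready.get('message')}")
    # 2. Every host in the Ingress tls block must appear in the Certificate's dnsNames.
    tls_hosts = {h for t in ingress["spec"].get("tls", []) for h in t.get("hosts", [])}
    missing = tls_hosts - set(cert["spec"].get("dnsNames", []))
    if missing:
        problems.append(f"hosts not covered: {sorted(missing)}")
    # 3. The secret the Ingress references must be the one the Certificate writes to.
    ingress_secrets = {t.get("secretName") for t in ingress["spec"].get("tls", [])}
    if cert["spec"]["secretName"] not in ingress_secrets:
        problems.append(f"secretName mismatch: {cert['spec']['secretName']}")
    # 4. cert-manager renews on its own, but flag a stalled renewal before expiry bites.
    not_after = cert.get("status", {}).get("notAfter")
    if not_after:
        expiry = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry - now < timedelta(days=min_days):
            problems.append(f"expires in {(expiry - now).days} days")
    return problems

# Constructed sample data matching the example-com-tls Ingress from the post.
INGRESS = {"spec": {"tls": [{"hosts": ["example.com"], "secretName": "example-com-tls"}]}}
HEALTHY = {
    "spec": {"dnsNames": ["example.com"], "secretName": "example-com-tls"},
    "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                               "message": "Certificate is up to date and has not expired"}],
               "notAfter": "2024-06-01T00:00:00Z", "renewalTime": "2024-05-02T00:00:00Z"},
}
STALLED = json.loads(json.dumps(HEALTHY))  # deep copy, then simulate a challenge that never completed
STALLED["status"]["conditions"][0].update({"status": "False", "reason": "Issuing",
                                           "message": "Issuing certificate as Secret does not exist"})
STALLED["status"].pop("notAfter")
EXPIRING = json.loads(json.dumps(HEALTHY))
EXPIRING["status"]["notAfter"] = "2024-03-20T00:00:00Z"
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)  # fixed clock so the checks are reproducible

if __name__ == "__main__":
    for name, cert in (("healthy", HEALTHY), ("stalled", STALLED), ("expiring", EXPIRING)):
        print(name, check_certificate(cert, INGRESS, NOW))
```

Against a live cluster, feed it json.load(...) of the two kubectl outputs and use datetime.now(timezone.utc) as the clock; a non-empty list is what you would page on.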

Conclusion

By automating certificate issuance and renewal for Ingress resources, cert-manager significantly simplifies the process of securing Kubernetes applications. Developers can focus on their application's functionality, knowing that their Ingress URLs are automatically secured with valid TLS certificates. This approach not only enhances security but also streamlines deployment workflows, making it an essential practice for modern Kubernetes-based applications.
