By Rajesh Gheware
One of the most powerful features of cert-manager is its ability to automatically issue certificates for Kubernetes Ingress resources, simplifying the process of securing your applications with HTTPS. This capability allows developers to automatically secure their applications without the need to manually create and renew certificates for each Ingress. Here, we'll delve into how to set up an Ingress resource to automatically request and apply certificates using cert-manager.
Step 1: Define an Ingress Resource
First, ensure your Kubernetes cluster has an Ingress controller installed. The Nginx Ingress Controller is a common choice and can be deployed from the Kubernetes official documentation or through Helm charts.
With an Ingress controller in place, define your Ingress resource. Here's an example that routes traffic to a sample web application:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web-application
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web-application-service
port:
number: 80
tls:
- hosts:
- example.com
secretName: example-com-tls
In this Ingress definition, note the following key points:
- The
cert-manager.io/cluster-issuerannotation specifies the ClusterIssuer to use for obtaining a certificate. Replace"letsencrypt-prod"with the name of your ClusterIssuer. - The
kubernetes.io/ingress.classannotation is set to"nginx", indicating that this Ingress should be handled by the Nginx Ingress Controller. - The
tlssection requests a TLS certificate for the hostexample.com, whichcert-managerwill automatically provision and store in the specifiedsecretName.
Step 2: Deploy the Ingress Resource
Deploy the Ingress resource to your cluster using kubectl apply -f ingress.yaml, where ingress.yaml is the file containing the Ingress resource definition.
Step 3: Automatic Certificate Issuance
Upon deployment, cert-manager detects the new Ingress resource and reads the annotations to understand that a certificate is requested. It then communicates with the specified ClusterIssuer to issue a certificate for the hosts defined under the tls section. The process involves:
- Performing domain validation as per the ClusterIssuer's configuration (e.g., HTTP-01 challenge for Let's Encrypt).
- Once validated,
cert-managerobtains the certificate and stores it in the specified Kubernetes secret (example-com-tlsin this case). - The Ingress controller then uses the certificate from the secret to secure traffic to the
example.comdomain.
Step 4: Verifying the Certificate
After a few minutes, you can verify that the certificate has been successfully applied by accessing your application over HTTPS (https://example.com) and checking the certificate details. Additionally, you can inspect the Kubernetes secret (example-com-tls) to see the certificate and private key:
kubectl get secret example-com-tls -o yaml
Conclusion
By automating certificate issuance and renewal for Ingress resources, cert-manager significantly simplifies the process of securing Kubernetes applications. Developers can focus on their application's functionality, knowing that their Ingress URLs are automatically secured with valid TLS certificates. This approach not only enhances security but also streamlines deployment workflows, making it an essential practice for modern Kubernetes-based applications.
Top comments (0)