K8s Cert manager and Let’s Encrypt
In this article I will explain how to auto generate a free SSL certificate from let’s encrypt automatically for your k8s services
What is let ‘s Encrypt
Let’s Encrypt is an open and automated certificate authority that uses the ACME (Automatic Certificate Management Environment ) protocol to provide free TLS/SSL certificates to any compatible client. These certificates can be used to encrypt communication between your web server and your users.
How let ‘s Encrypt works
The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.
There are two steps to this process. First, the agent proves to the CA that the web server controls a domain. Then, the agent can request, renew, and revoke certificates for that domain.
How let ‘s Encrypt validate the domains
Let’s Encrypt identifies the server administrator by public key. The first time the agent software interacts with Let’s Encrypt, it generates a new key pair and proves to the Let’s Encrypt CA that the server controls one or more domains. This is similar to the traditional CA process of creating an account and adding domains to that account.
After let ‘s Encrypt explanation and how it works we need to know about cert-manager and how it works , how can setup into our kubernetes cluster.
What is Cert-manager ?
cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects such as kube-cert-manager.
before going to install and use cert-manager I need to explain some concepts around the cert-manager.
Issuer
Is a Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request.
Certificate
cert-manager has the concept of certificates that define a desired x509 certificate which will be renewed and kept up to date. A certificate is a namespace resource that references an Issuer that determine what will be honoring the certificate request.
Certificate request
The certificate request is a namespace resource in cert-manager that is used to request x509 certificates from an issuer . The resource contains a base64 encoded string of a PEM encoded certificate request which is sent to the referenced issuer. A successful issuance will return a signed certificate, based on the certificate signing request.
ACME order and challenges
cert-manager supports requesting certificates from Automatic Certificate Management Environment (ACME) servers, including from Let’s Encrypt, with use of the ACME Issuer. These certificates are typically trusted on the public Internet by most computers. To successfully request a certificate, cert-manager must solve ACME Challenges which are completed in order to prove that the client owns the DNS addresses that are being requested.
Web-hooks
cert-manager makes use of extending the K8s API server using a Web-hook server to provide dynamic admission control over cert-manager resources. This means that cert-manager benefits from most of the same behavior that core K8s resource have.
CA Injector
CA injector controller is responsible for injecting the CA bundle into the web-hook’s Validating-Webhook-Configuration and Mutating-Webhook-Configuration resources in order to allow the K8s API server to ‘trust’ the web-hook API server.
How to install Cert-manager on K8s cluster
Install cert-manger on K8s is very simple
1- create a namespace for cert-manager
kubectl create namespace cert-manager2- we will use helm package manager if you do not have helm you can see follow these steps to setup helm https://helm.sh/docs/intro/install/
3- Add the jetstack helm repository
helm repo add jetstack https://charts.jetstack.io4- update the helm repositories
helm repo update5- Install the cert-manager using helm package manager
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--version v1.0.46- Now we have a cert-manager on our K8s cluster to check the pods status
kubectl get pods -n cert-managerNAME READY STATUS RESTARTS AGE
cert-manager-5c6866597-zw7kh 1/1 Running 0 2m
cert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 2m
cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m
How to use Cert-manager
To use cert-manager we need to deploy a cert-manager issuer for let’s Encrypt on our namespace.
1- Create a yaml file include setup issuer K8s component
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: regoo707@gmail.com
privateKeySecretRef:
name: letsencrypt
solvers:
- http01:
ingress:
class: nginx2- Deploy the issuer on your app namespace using kubectl
kubectl apply -f cert-manager-issuer.yaml -n myapps3- Finally we need to configure our ingress rule to use the issuer and defined a name for the new generated certificate
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ssl-tls-ingress
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
— hosts:
— backend-app.mohammedragab.com //change this to your dns
secretName: app-web-cert
rules:
— host: backend-app.mohammedragab.com //change this to your dns
http:
paths:
— backend:
serviceName: backend-app-svc //change this to your app service
servicePort: 80 // change this to your service running port
path: /4- Finally deploy the ingress rule and you will have a 3 moth renewal and free SSL certificate issued by Let’s Encrypt.
Resources :
