K8s Cert manager and Let’s Encrypt

Mohammed Ragab
Dec 18, 2020 · 5 min read

In this article I will explain how to auto generate a free SSL certificate from let’s encrypt automatically for your k8s services

What is let ‘s Encrypt

Let’s Encrypt is an open and automated certificate authority that uses the ACME (Automatic Certificate Management Environment ) protocol to provide free TLS/SSL certificates to any compatible client. These certificates can be used to encrypt communication between your web server and your users.

How let ‘s Encrypt works

The objective of Let’s Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.

There are two steps to this process. First, the agent proves to the CA that the web server controls a domain. Then, the agent can request, renew, and revoke certificates for that domain.

How let ‘s Encrypt validate the domains

Let’s Encrypt identifies the server administrator by public key. The first time the agent software interacts with Let’s Encrypt, it generates a new key pair and proves to the Let’s Encrypt CA that the server controls one or more domains. This is similar to the traditional CA process of creating an account and adding domains to that account.

After let ‘s Encrypt explanation and how it works we need to know about cert-manager and how it works , how can setup into our kubernetes cluster.

What is Cert-manager ?

cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects such as kube-cert-manager.

before going to install and use cert-manager I need to explain some concepts around the cert-manager.

Issuer

Is a Kubernetes resources that represent certificate authorities (CAs) that are able to generate signed certificates by honoring certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition to attempt to honor the request.

Certificate

cert-manager has the concept of certificates that define a desired x509 certificate which will be renewed and kept up to date. A certificate is a namespace resource that references an Issuer that determine what will be honoring the certificate request.

Certificate request

The certificate request is a namespace resource in cert-manager that is used to request x509 certificates from an issuer . The resource contains a base64 encoded string of a PEM encoded certificate request which is sent to the referenced issuer. A successful issuance will return a signed certificate, based on the certificate signing request.

ACME order and challenges

cert-manager supports requesting certificates from Automatic Certificate Management Environment (ACME) servers, including from Let’s Encrypt, with use of the ACME Issuer. These certificates are typically trusted on the public Internet by most computers. To successfully request a certificate, cert-manager must solve ACME Challenges which are completed in order to prove that the client owns the DNS addresses that are being requested.

Web-hooks

cert-manager makes use of extending the K8s API server using a Web-hook server to provide dynamic admission control over cert-manager resources. This means that cert-manager benefits from most of the same behavior that core K8s resource have.

CA Injector

CA injector controller is responsible for injecting the CA bundle into the web-hook’s Validating-Webhook-Configuration and Mutating-Webhook-Configuration resources in order to allow the K8s API server to ‘trust’ the web-hook API server.

How to install Cert-manager on K8s cluster

Install cert-manger on K8s is very simple

1- create a namespace for cert-manager

kubectl create namespace cert-manager

2- we will use helm package manager if you do not have helm you can see follow these steps to setup helm https://helm.sh/docs/intro/install/

3- Add the jetstack helm repository

helm repo add jetstack https://charts.jetstack.io

4- update the helm repositories

helm repo update

5- Install the cert-manager using helm package manager

helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--version v1.0.4

6- Now we have a cert-manager on our K8s cluster to check the pods status

kubectl get pods -n cert-managerNAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5c6866597-zw7kh 1/1 Running 0 2m
cert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 2m
cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m

How to use Cert-manager

To use cert-manager we need to deploy a cert-manager issuer for let’s Encrypt on our namespace.

1- Create a yaml file include setup issuer K8s component

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: regoo707@gmail.com
privateKeySecretRef:
name: letsencrypt
solvers:
- http01:
ingress:
class: nginx

2- Deploy the issuer on your app namespace using kubectl

kubectl apply -f cert-manager-issuer.yaml -n myapps

3- Finally we need to configure our ingress rule to use the issuer and defined a name for the new generated certificate

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ssl-tls-ingress
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
— hosts:
— backend-app.mohammedragab.com //change this to your dns
secretName: app-web-cert
rules:
— host: backend-app.mohammedragab.com //change this to your dns
http:
paths:
— backend:
serviceName: backend-app-svc //change this to your app service
servicePort: 80 // change this to your service running port
path: /

4- Finally deploy the ingress rule and you will have a 3 moth renewal and free SSL certificate issued by Let’s Encrypt.

Resources :

Nerd For Tech

From Confusion to Clarification

Nerd For Tech

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/.

Mohammed Ragab

Written by

Software engineer

Nerd For Tech

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/.