Nginx Ingress with Cert-Manager Kubernetes

Spread the love
We will use Helm to install Cert Manager to our Cluster. Cert-Manager is a Kubernetes native certificate manager. One of the most significant features that Cert-Manager provides is its ability to automatically provision TLS certificates. Based on the annotations in a Kubernetes ingress resource, the cert-manager will talk to Let’s Encrypt and acquire a certificate on your service’s behalf.
Note : Ensure that you are using Helm v2.12.1 or later.
Prerequisites :
  • A Kubernetes cluster version 1.8+
  • The kubectl CLI installed and configured
  • Helm and Tiller should be installed.

1. Connect the cluster :

 gcloud container clusters get-credentials yourclustername --zone zonename --project projectname

2. Create a namespace cert-manager.

Before installing cert-manager. We will create a namespace for the cert-manager. 

kubectl create namespace cert-manager

3. Install Cert-manager

Now, Install the cert-manager and CRDS. it will install the issuer and cluster issuer also.
kubectl apply --validate=false -f
You should get the below output. configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply configured
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created created
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply configured

Verify the installation by the below command.
kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-cainjector-58f48c4cb9-2q8wp   1/1     Running   0          1m
cert-manager-cb5f48858-zpzh2               1/1     Running   0          1m
cert-manager-webhook-74d98fdc7b-nbv8x      1/1     Running   0          1m
Now we have Successfully installed cert-manager in the cluster.  Now we will create a certificate issuer to obtain an x509 certificate for our website.

4. Create Let’sencrypt issuer

Now let’s create issuer file to issue TLS certificates to the domains. You can create staging issuer to test, But we will directly create production issuer.
kind: ClusterIssuer
  name: letsencrypt-prod
  namespace: cert-manager
    # The ACME server URL
    # Email address used for ACME registration
    # Name of a secret used to store the ACME account private key
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    - http01:
          class: nginx
email = your email id.
We then specify an email address to register the certificate and create a Kubernetes Secret called letsencrypt-prod to store the ACME account’s private key. We also enable the HTTP-01 challenge mechanism.

5. Apply the issuer file :

kubectl apply -f prod_issuer.yaml

6. Make the following changes in the ingress file :

Apply these changes in your Nginx ingress file.
Add Below annotation to the ingress file. "letsencrypt-prod"
Add Your host which you need to run on https. and give the secret name to letsencrypt-prod.
  - hosts:
    secretName: letsencrypt-prod
We will now perform a test using curl to verify that HTTPS is working correctly.
We have successfully configured HTTPS using a Let’s Encrypt certificate for our Nginx Ingress.

Leave a Comment