Automation of SSL for Nginx Ingress using Cert-Manager
Hey, Hope you are doing good and glad you stumble upon my article. The document is a long read due to screenshots and files. Just to make sure everyone understands the process. Believe me it is simple!!
There are tons of article out there and here is my version of it. Hope this helps whoever looking to streamline their SSL application in Kubernetes cluster using cert-manager.
Use Case: 3 node Kubernetes cluster using KOPS version 1.16 and Nginx Ingress Controller to manage the reverse Proxy for the applications. The SSL process was meant to be streamlined.
Steps to do on a high level:
1.DNS Creation (I presume you already know)
2. Cert-manager installation
a. Cluster Issuer Creation
b. Certificate Creation
3. Ingress controller creation
4. Sample App ingress creation
Cert-manager Installation :
Cert-Manager Architecture:
Here I used the Issuer Type ACME (Letsencrypt) & http01 Challenge type.
- Install cert-manager v0.16.1 using the below command.
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.16.1/cert-manager.yaml
2. I have created ClusterIssuer. This is similar to the Issuer but can be referenced by Certificates from multiple namespaces.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: *********(your email ID)
privateKeySecretRef:
name: letsencrypt-staging
solvers:
--http01:
ingress:
class: nginx
Note: You can use “letsencrypt-staging” for test certificate creations and then later you can change it to “letsencrypt-prod” and server name too(Screenshot is given below).
Command to check whether the cluster issuer is working as expected.
kubectl describe clusterissuer
3. Once the ACME account gets registered, Create a certificate using the below yaml file.
kubectl apply -f <yaml filename> --validate=false { I faced an issue with API versions and hence I used --validate=false }
Yaml file:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: letsencrypt-prod
namespace: <your namespace>
spec:
secretName: letsencrypt-prod-crt
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: <domain name ex: mediumblog.example.com>
dnsNames:
--<domain name>
acme:
solvers:
--http01:
ingress:
class: nginx
domains:
— <domain name>
4. Post the creation of certificate, please validate the status of the certificate created.
kubectl describe certificates letsencrypt-prod
Troubleshooting: When you create Certificate, it creates a CertificateRequest ,an Order and a Challenge. So always go to the steps and validate if there are any errors . ex: kubectl describe Challenge.
Nginx- Ingress Controller Creation:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/do/deploy.yaml
Once you have the nginx-ingress controller pods and svc created like the below screen. We are good to create an ingress for the sample application.
Sample application chosen was jenkins, I used the helm bitnami jenkins chart to get SSL tested.
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install jenkins bitnami/jenkinsThe jenkins app will be listening in ‘/’ endpoint by default. Once you have the jenkins application’s service creation complete, you can create the ingress for jenkins. Below, I am giving the sample file for the ingress.
Post the completion of the ingress creation for your sample app, please check the Domain URL ex: https://mediumblog.example.com/.
Hurray!!! I got a secure URL for my application.
Thanks for reading. I hope this helped you in securing your server URL.
