Automation of SSL for Nginx Ingress using Cert-Manager

Hey, Hope you are doing good and glad you stumble upon my article. The document is a long read due to screenshots and files. Just to make sure everyone understands the process. Believe me it is simple!!

There are tons of article out there and here is my version of it. Hope this helps whoever looking to streamline their SSL application in Kubernetes cluster using cert-manager.

Use Case: 3 node Kubernetes cluster using KOPS version 1.16 and Nginx Ingress Controller to manage the reverse Proxy for the applications. The SSL process was meant to be streamlined.

Steps to do on a high level:

1.DNS Creation (I presume you already know)
2. Cert-manager installation
a. Cluster Issuer Creation
b. Certificate Creation
3. Ingress controller creation
4. Sample App ingress creation

Cert-manager Installation :

Cert-Manager Architecture:

Credit: certmanager docs website

Here I used the Issuer Type ACME (Letsencrypt) & http01 Challenge type.

  1. Install cert-manager v0.16.1 using the below command.

kubectl apply --validate=false -f

The cert-manager creates all these kubernetes objects.
Ensure the cert-manager is running

2. I have created ClusterIssuer. This is similar to the Issuer but can be referenced by Certificates from multiple namespaces.

kind: ClusterIssuer
name: letsencrypt-staging
email: *********(your email ID)
name: letsencrypt-staging
class: nginx

Note: You can use “letsencrypt-staging” for test certificate creations and then later you can change it to “letsencrypt-prod” and server name too(Screenshot is given below).

Ensure that cluster issuer is created

Command to check whether the cluster issuer is working as expected.

kubectl describe clusterissuer

3. Once the ACME account gets registered, Create a certificate using the below yaml file.

kubectl apply -f <yaml filename> --validate=false { I faced an issue with API versions and hence I used --validate=false }

Yaml file:

kind: Certificate
name: letsencrypt-prod
namespace: <your namespace>
secretName: letsencrypt-prod-crt
name: letsencrypt-prod
kind: ClusterIssuer
commonName: <domain name ex:>
--<domain name>
class: nginx
— <domain name>

For proper indentation :)

4. Post the creation of certificate, please validate the status of the certificate created.

kubectl describe certificates letsencrypt-prod

Troubleshooting: When you create Certificate, it creates a CertificateRequest ,an Order and a Challenge. So always go to the steps and validate if there are any errors . ex: kubectl describe Challenge.

Example of a Challenge error

Nginx- Ingress Controller Creation:

kubectl apply -f

Once you have the nginx-ingress controller pods and svc created like the below screen. We are good to create an ingress for the sample application.

Nginx Ingress Controller Pods

Sample application chosen was jenkins, I used the helm bitnami jenkins chart to get SSL tested.

helm repo add bitnami
helm install jenkins bitnami/jenkins

The jenkins app will be listening in ‘/’ endpoint by default. Once you have the jenkins application’s service creation complete, you can create the ingress for jenkins. Below, I am giving the sample file for the ingress.

Post the completion of the ingress creation for your sample app, please check the Domain URL ex:

Hurray!!! I got a secure URL for my application.

Certificate validation on the DNS

Thanks for reading. I hope this helped you in securing your server URL.

Technology Architect with profound understanding on the Multi-Cloud Platform engineering with a strong DevOps Solutioning Experience.