EDIT 2019-10-31: I tried to update this guide to 0.11, as a lot of things have changed since the original publication. I haven’t tested the full guide in the new version yet, but it should work. EDIT 2019-12-09: Updated for 0.12 and helm3

This post will show you how to use cert-manager to automatically create and use certificates with Let’s Encrypt on Kubernetes. This is especially useful if you are looking for a successor to kube-lego, which is no longer maintained. Take a look at the offical docs, if you want more information about how each component works.

Prerequisites for this guide:

Running kubernetes cluster Nginx Ingress Controller installed Helm 3 installed

DNS entries pointed towards the node running your ingress controller

First we need to install cert-manager with helm

helm repo add jetstack https://charts.jetstack.io helm repo update kubectl create ns cert-manager kubectl apply --validate = false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml helm install --name cert-manager --namespace cert-manager --version v0.12.0 jetstack/cert-manager

Install clusterissuers, which instruct Cert Manager to use Let’s Encrypt. Replace the email with yours

apiVersion : cert-manager.io/v1alpha2 kind : ClusterIssuer metadata : name : letsencrypt-prod namespace : default spec : acme : email : youremail@example.com server : https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef : name : letsencrypt-prod solvers : - http01 : ingress : class : nginx

Enable usage of the issuer we just created:

helm upgrade cert-manager stable/cert-manager --namespace cert-manager --set ingressShim.defaultIssuerName = letsencrypt-prod --set ingressShim.defaultIssuerKind = ClusterIssuer

Create ingress resources for your services with kubectl apply -f e.g.:

apiVersion : extensions/v1beta1 kind : Ingress metadata : name : www-ingress namespace : default annotations : # This needs to be set to enable automatic certificates kubernetes.io/tls-acme : " true" kubernetes.io/ingress.class : " nginx" spec : tls : - hosts : - www.example.com # The secret will be created automatically secretName : www-tls rules : # The host must be identical to the above one - host : www.example.com http : paths : - path : / backend : # The name of your service serviceName : www-service servicePort : 80

This is the minimal configuration that gives you SSL. Your website should no be accessible via https at www.example.com .

Working with authentication

If you use nginx.ingress.kubernetes.io/auth-* annotations you will need to whitelist the ACME challenge location in order to succeed in proving that you operate the website to Let’s Encrypt. If you set up Nginx ingress correctly there should be a configmap for configuring nginx. Modify it (by e.g. running EDITOR=nano kubectl edit cm -n ingress-nginx nginx-configuration ) to add the annotation no-auth-locations so that it looks similar to this: