How to get Free SSL Certificate for Kubernetes Cluster using Let's Encrypt
Using SSL is essential for any website that wants to protect its users' sensitive information. Without SSL, data can be intercepted and stolen by hackers, putting users' privacy and security at risk.
Introduction
When you visit a website that uses SSL, your browser and the web server exchange encrypted information that helps to protect your data from being intercepted by unauthorized parties. SSL is essential for websites that collect sensitive information from users, such as credit card numbers or login credentials.
Using SSL is essential for any website that wants to protect its users' sensitive information. Without SSL, data can be intercepted and stolen by hackers, putting users' privacy and security at risk. By using SSL, websites can ensure that their users' data is encrypted and secure, helping to build trust with their audience.
An SSL (Secure Sockets Layer) certificate is a digital certificate that is used to establish a secure encrypted connection between a web server and a user's web browser. SSL certificates are issued by a trusted third-party Certificate Authority (CA) and verify that the website being accessed is authentic and that data transmitted between the user's browser and the web server is encrypted and secure.
How to get SSL Certificate?
To get an SSL certificate, you need to follow these general steps:
Choose a certificate authority (CA): There are many CAs available, such as Let's Encrypt, Comodo, DigiCert, and others. Consider factors such as cost, reputation, and the type of certificate you need.
Generate a Certificate Signing Request (CSR): A CSR is a file that contains your website's information and is used to request an SSL certificate from the CA.
Submit the CSR to the CA: Once you have generated your CSR, you need to submit it to the CA to get your SSL certificate. The CA will verify your information and issue your certificate.
Install the SSL certificate on your web server: Once you receive your SSL certificate, you need to install it on your web server. The process for doing this will depend on the web server you are using.
Verify that SSL is working: After installing the SSL certificate, you need to verify that SSL is working correctly on your website. You can use online tools such as SSL Checker or test your website in a web browser.
The steps involved may appear quite complicated if performed manually. Fortunately, Let's Encrypt offers free SSL certificates and simplifies the installation process, particularly when using Kubernetes. This allows for a more efficient and user-friendly approach to securing your applications and services.
Free SSL Certificate by Let's Encrypt for Kubernetes Cluster
Prerequisites
First, let's assume we are using Nginx as Kubernetes Ingress. So first, let's setup Ingress Nginx.
Install Ingress Nginx
The most highly recommended way to install Ingress Nginx is through Helm Chart.
Create Helm's values deployment.yaml
---
controller:
config:
compute-full-forwarded-for: "true"
use-forwarded-headers: "true"
proxy-body-size: "0"
ingressClassResource:
name: external-nginx
enabled: true
default: false
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- ingress-nginx
topologyKey: "kubernetes.io/hostname"
replicaCount: 1
admissionWebhooks:
enabled: false
service:
annotations:
cloud.google.com/load-balancer-type: External
metrics:
enabled: false
resources:
requests:
cpu: 500mInstall with Helm
~$ helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
~$ helm repo update
~$ helm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --version 4.2.5 --values deployment.yaml --create-namespaceVerify Installation
~$ kubectl -n ingress-nginx get pods
NAME READY STATUS RESTARTS AGE
ingress.. 1/1 Running 0 4d18hWe can get external IP Address from Ingress Service, we will use that IP Address later when setting A Record for our domain.
~$ kubectl -n ingress-nginx get service
NAME TYPE CLUSTER-IP EXTERNAL-IP
ingress.. LoadBalancer 10.22.22.22 33.333.333.333 Setup Let's Encrypt
To obtain an SSL Certificate, the first step is to install Cert Manager. Cert Manager is a Kubernetes add-on that automates the management and issuance of TLS/SSL certificates for applications running in a Kubernetes cluster. It is an open-source tool that integrates with Let's Encrypt and other Certificate Authorities (CAs) to provide automated certificate management.
Cert Manager can be installed using various methods, including using Helm, which is a package manager for Kubernetes. Installing Cert Manager with Helm is a recommended way to install it. Once installed, Cert Manager can be configured to automatically request and manage SSL/TLS certificates for applications running in the Kubernetes cluster.
~$ helm repo add jetstack https://charts.jetstack.io
~$ helm repo update
~$ helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.5.3 --set installCRDs=trueThere is optional step to install kubectl cert-manager. kubectl cert-manager is a kubectl plugin that can help you to manage cert-manager resources inside your cluster.
~$ curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-linux-amd64.tar.gz
~$ tar xzf kubectl-cert-manager.tar.gz
~$ sudo mv kubectl-cert_manager /usr/local/binThe next step is creating a ClusterIssuer resource in the Kubernetes cluster. This resource will act as a certificate issuer that can be used by any applications across namespaces in the cluster. In fact, only one ClusterIssuer is needed for the entire cluster.
A ClusterIssuer is a Kubernetes resource that specifies the settings for a certificate issuer, such as Let's Encrypt, that can automatically issue and renew SSL/TLS certificates for applications running in the Kubernetes cluster. The ClusterIssuer resource includes configuration details such as the CA endpoint, email address, and any necessary authentication credentials.
Once the ClusterIssuer resource is created, applications running in any namespace within the Kubernetes cluster can request SSL/TLS certificates from Let's Encrypt using the cert-manager tool. The cert-manager tool automatically manages the certificate issuance and renewal process using the settings specified in the ClusterIssuer resource.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-issuer
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: your.email@example.com
privateKeySecretRef:
name: letsencrypt-issuer
solvers:
- http01:
ingress:
class: nginxSome crucial details that need your attention are:
spec.acme.email: Let's Encrypt will send emails to this email address regarding any issues, including notifications about certificate expiryspec.acme.solvers.http01.ingress.class:nginx: We use Ingress Nginx, installed earlier, as a certificate solver. Let's Encrypt will create an ingress resource that will be used as a domain validator when issuing an SSL certificate.
Generate SSL Certificate for Applications
Once Cert Manager and Let's Encrypt Cluster Issuer are set up, they can be used to generate SSL Certificates for applications running in the Kubernetes cluster. For this example, we will create a Deployment, Service, and Ingress for Uptime Kuma. This deployment can be accessed through
https://uptime.example.com
.
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: uptime
labels:
app: uptime
spec:
selector:
matchLabels:
app: uptime
template:
metadata:
labels:
app: uptime
spec:
containers:
- name: uptime
image: louislam/uptime-kuma:1.21.2-debian
imagePullPolicy: Always
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
name: uptime
labels:
app: uptime
spec:
selector:
app: uptime
ports:
- protocol: TCP
port: 80
targetPort: 3001
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: uptime
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-issuer
labels:
app: uptime
spec:
rules:
- host: uptime.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: uptime
port:
number: 80
tls:
- hosts:
- uptime.example.com
secretName: tls-uptimeThere are some important parts of the deployment above, especially in Ingress section:
annotations.kubernetes.io/ingress.class: nginx: This annotation sets Nginx as the Ingress Class, which will use the Ingress Nginx that was previously installed.annotations.cert-manager.io/cluster-issuer: letsencrypt-issuer: This annotation sets the Cluster Issuer toletsencrypt-issuer, which was previously installed.spec.tls.hosts: uptimekuma.example.com: It specifies the domain that will use SSL. When the SSL certificate is generated, it will be namedtls-uptime
Install to Kubernetes Cluster
~$ kubectl apply -f deployment.yamlWe can verify SSL Certification generation by take a look on Ingress process
~$ kubectl get ingress
NAME HOSTS ADDRESS PORTS
uptime uptime.example.com 33.333.333.333 80, 443
cm-acme-http.. uptime.example.com 33.333.333.333 80Create A Record on DNS Server that point IP Address 33.333.333.333 to uptime.example.com , and wait several minutes until SSL Certificate is created and you are to access Uptime on https://uptime.example.com
About 8grams
We are a small DevOps Consulting Firm that has a mission to empower businesses with modern DevOps practices and technologies, enabling them to achieve digital transformation, improve efficiency, and drive growth.
Ready to transform your IT Operations and Software Development processes? Let's join forces and create innovative solutions that drive your business forward.
Subscribe to our newsletter for cutting-edge DevOps practices, tips, and insights delivered straight to your inbox!