Use a letsencrypt certificate on Kubernetes with cert-manager and Traefik

traefik k3s ingress letsencrypt cert-manager

4 min read | by Jordi Prats

To be able to automatically request letsencrypt certificates for the TLS-eanble Ingress objects in a kubernetes cluster with the traefik ingress controller we can use the cert-manager controller.

First we'll be installing it using helm. To do se we don't need to add any values, unless we want it to configuew the ClusterIssuer for us. First we are going to load the repository and update it:s

$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update

Once ready we can install it as follows:

helm install cert-manager jetstack/cert-manager --namespace cert-manager

We'll need to give it a few seconds to spin up all the containers:

$ kubectl get pods -n cert-manager
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-6ffb79dfdb-mqkvm             1/1     Running   0          13s
cert-manager-cainjector-5fcd49c96-2zfmw   1/1     Running   0          13s
cert-manager-webhook-796ff7697b-9w67w     1/1     Running   0          13s

Once ready we can now create the ClusterIssuer objects, which defines how to connect to the external provider via the ingress controller. For this example we are going to use K3S's default ingress controller: traefik, requesting certificates to letsencrypt:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: email@pet2cattle.com
    privateKeySecretRef:
      name: letsencrypt-ca
    solvers:
      - http01:
          ingress:
            ingressTemplate:
              metadata:
                annotations:
                  "kubernetes.io/ingress.class": "traefik"

privateKeySecretRef is where the data is stored, it will be created for us.

We can use kubectl describe to check whether or now the ClusterIssuer is able to issue new certificates

$ kubectl describe clusterissuer letsencrypt
Name:         letsencrypt
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  (...)
Status:
  Acme:
    Last Registered Email:  jprats@systemadmin.es
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/1112900837
  Conditions:
    Last Transition Time:  2023-05-16T17:30:44Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

Once we have the ClusterIssuer we'll need to make sure we have the application exposed using an Ingress with the tls options:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: awscost
spec:
  ingressClassName: traefik
  rules:
  - host: awscost.pet2cattle.com
    http:
      paths:
      - backend:
          service:
            name: awscost
            port:
              name: http
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - awscost.pet2cattle.com
    secretName: awscost-pet2cattle-https-cert

The secret referenced in secretName is where the certificate is going to be stored, we don't need to populate it with anything.

The requirements, depending on the issuer, we'll be different. For letsencrypt we'll need to make this reachable for them to validate it so we'll need to make sure DNS is updated as well.

With the application reachable we can now proceed to create the Certificate with the commonName and SAN (dnsNames) we need:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: awscost-pet2cattle-https-cert
spec:
  commonName: awscost.pet2cattle.com
  dnsNames:
  - awscost.pet2cattle.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt
  secretName: awscost-pet2cattle-https-cert

Once created, the cert-manager controller will need to request the certificate and with for the CA to create it. It's going to take a few minutes. We can check it's status directly with kubectl get looking as the READY column:

$ kubectl get certificate
NAME                            READY   SECRET                          AGE
awscost-pet2cattle-https-cert   False   awscost-pet2cattle-https-cert   6s
(...)
$ kubectl get certificate
NAME                            READY   SECRET                          AGE
awscost-pet2cattle-https-cert   True    awscost-pet2cattle-https-cert   5m42s

In the status section we can see some details of the certificate itself:

$ kubectl get certificate awscost-pet2cattle-https-cert -n awscost -o yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  (...)
spec:
  commonName: awscost.pet2cattle.com
  dnsNames:
  - awscost.pet2cattle.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt
  secretName: awscost-pet2cattle-https-cert
status:
  conditions:
  - lastTransitionTime: "2023-05-17T18:12:20Z"
    message: Certificate is up to date and has not expired
    observedGeneration: 2
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2023-08-15T17:12:18Z"
  notBefore: "2023-05-17T17:12:19Z"
  renewalTime: "2023-07-16T17:12:18Z"
  revision: 1

Posted on 23/05/2023

Categories