Automate TLS/SSL Certificate Issuance & Renewal - Part V
This is the 5th and final part in our $65 Kubernetes Cluster on DigitalOcean series; you can go to Part I to read how to set up your cluster if you haven't done so yet.
There's also a video tutorial here for those who prefer to watch instead of read.
Introduction
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a computer network. TLS is what turns on the padlock and the https protocol in the browser and secures the connection between a web server and a browser.
Traditionally these certificates can cost anywhere from $30 to $500 depending on the level of encryption and validation required. But for most websites a simple, basic TLS/SSL certificate should do, and letsencrypt.org offers them for free!
What we will focus on today is automating our Kubernetes cluster so that it issues and renews TLS/SSL certificates from the letsencrypt.org API, using a tool called cert-manager.
Step 1 - Install Cert-Manager
We'll be using helm to install cert-manager; if you don't have helm installed you can read up here to quickly have it installed. The nginx-ingress controller should also already be installed and fully configured; you can read up here to quickly install it.
The command below will install cert-manager to the kube-system namespace.
helm install --name cert-manager --namespace kube-system stable/cert-manager
Step 2 - Configure Certificate Issuer
Before cert-manager can vend certificates, it needs a backing certificate issuer; we will be using letsencrypt.org for certificate issuance.
Note: replace lines 8 & 20 with your email address; this is needed to generate your key pair for issuing certificates from letsencrypt.
Save this YAML file as cert-manager-cluster-issuer.yaml and apply it:
kubectl apply -f ./cert-manager-cluster-issuer.yaml
Step 3 - Example TLS/SSL Deployment
Now everything should be configured correctly. Let's test it out by creating a sample TLS/SSL deployment.
Note: replace lines 49 & 52 with your domain name (this domain should already point to your Kubernetes cluster); this is needed to generate your key pair for issuing certificates from letsencrypt.
Save this file as echo-server-tls.yaml and apply it:
kubectl apply -f ./echo-server-tls.yaml
Go to echo.[your-domain-goes-here] in your browser and you should see that it is now served with a TLS/SSL certificate.
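The two manifests referenced in Step 2 and Step 3 are not reproduced on this page, so here is an added example of what such a ClusterIssuer and a TLS-enabled Ingress look like. This is illustrative code written for this article, not the author's original files, and it assumes a current cert-manager release (apiVersion cert-manager.io/v1; the 2018 stable/cert-manager chart used certmanager.k8s.io/v1alpha1 with a slightly different spec), an nginx ingress class, a Service called echo-server listening on port 80, and the placeholder domain echo.example.com and address you@example.com.

```yaml
# Added example, not the original article's files.
# Two ClusterIssuers: a staging one for testing (its certificates are not
# browser-trusted, but the staging CA has far looser rate limits) and the
# production one you switch to once the HTTP-01 challenge is known to work.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: you@example.com            # assumption: replace with your address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, stored as a Secret
    solvers:
    - http01:
        ingress:
          class: nginx                # assumption: nginx-ingress from Part IV
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: you@example.com            # assumption: replace with your address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
---
# Ingress for the echo server. The cluster-issuer annotation tells cert-manager
# to create a Certificate for every host under spec.tls and to store the
# resulting key pair in the named Secret, which nginx-ingress then serves.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo-server
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-staging   # change to letsencrypt-prod when the staging run succeeds
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - echo.example.com                # assumption: your DNS name, already pointing at the cluster
    secretName: echo-example-com-tls  # created and renewed by cert-manager
  rules:
  - host: echo.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: echo-server         # assumption: the echo Service from the deployment
            port:
              number: 80
```

After applying the file, the useful checks are kubectl get certificate,order,challenge -A (the Certificate should reach Ready=True and the Challenge should disappear once the HTTP-01 token has been validated) and, from outside the cluster, openssl s_client -connect echo.example.com:443 -servername echo.example.com with openssl x509 -noout -issuer -dates piped after it, which shows the issuing CA and the validity window. Start with the staging issuer: a misconfigured Ingress that fails the challenge repeatedly against the production endpoint will run into Let's Encrypt's rate limits and block issuance for the domain for a while, whereas the staging endpoint only hands out untrusted certificates.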
Conclusion
There is more information in the official docs about configuring other Issuers and also other annotations that can be used in your ingress manifests.
I hope this helps.
Originally published at iamchuka.com on May 24, 2018.