
HTTPS with Cert-Manager and Letsencrypt

Traefik can obtain Let's Encrypt certificates on its own, but the extra features cert-manager brings are worth it, so we'll use cert-manager. Most noteworthy: issued certificates are stored as Kubernetes Secrets, so they can be shared between nodes and pods.

Note: Make sure you have set the right environment variables; the manifests below are rendered with envsubst and use EMAIL and DOMAIN. When using the production ClusterIssuer, failing too many times in a row trips Let's Encrypt's rate limits, and it will refuse further requests from you for a while.

Note: Consider setting up a separate load balancer that also handles TLS termination.

First, follow the steps in first-deploy.

  • Apply the manifest
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.yaml
  • Wait until all pods are ready
kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-7dd5854bb4-vtqjx              1/1     Running   0          42s
cert-manager-cainjector-64c949654c-8b7md   1/1     Running   0          42s
cert-manager-webhook-6bdffc7c9d-swgdj      1/1     Running   0          42s

Letsencrypt Production ClusterIssuer

cat letsencrypt-prod.yaml | envsubst | kubectl apply -f -
letsencrypt-prod.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: ${EMAIL}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: traefik
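While you are still debugging DNS, the ingress or the HTTP-01 challenge, issue against Let's Encrypt's staging endpoint instead of the production ClusterIssuer above, so a run of failures does not trip the production rate limits mentioned in the note at the top. The following is an added example, not part of the original page or of cert-manager: it renders a staging ClusterIssuer that differs from letsencrypt-prod only in name, server URL and account-key secret, and includes a helper for flipping an ingress between issuers. It assumes EMAIL is exported (as the page's envsubst step requires) and that kubectl points at your cluster.

```shell
# Added example (not from the original page). Staging certificates come from
# an untrusted test CA, so browsers will warn; switch back to letsencrypt-prod
# once issuance succeeds.

# Print the staging ClusterIssuer manifest. Rendering fails loudly if EMAIL
# is unset, mirroring what envsubst would otherwise silently blank out.
staging_issuer_manifest() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: ${EMAIL:?set EMAIL before rendering the issuer}
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: traefik
EOF
}

# Apply the staging issuer to the cluster.
apply_staging_issuer() {
  staging_issuer_manifest | kubectl apply -f -
}

# Point an Ingress at a different issuer by rewriting the same annotation the
# page uses, then delete the old TLS secret so cert-manager issues a fresh
# certificate (it recreates a missing secret for a Certificate it manages).
# Usage: switch_issuer whoami-tls-ingress letsencrypt-staging whoami-tls
switch_issuer() {
  ingress=$1 issuer=$2 secret=$3
  kubectl annotate ingress "$ingress" --overwrite \
    "cert-manager.io/cluster-issuer=$issuer"
  kubectl delete secret "$secret" --ignore-not-found
}
```

Run `apply_staging_issuer` once, then `switch_issuer whoami-tls-ingress letsencrypt-staging whoami-tls` while testing and the same call with letsencrypt-prod when the flow works; only the production certificate is trusted by browsers.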

Add the traefik https redirect middleware

cat traefik-https-redirect-middleware.yaml | envsubst | kubectl apply -f -
traefik-https-redirect-middleware.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
spec:
  redirectScheme:
    scheme: https
    permanent: true

Add the whoami-ingress-tls.yaml

cat ./whoami/whoami-ingress-tls.yaml | envsubst | kubectl apply -f -
whoami-ingress-tls.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami-tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
  # ingressClassName is a spec field, not an annotation; an IngressClass
  # named traefik must exist in the cluster for this to match.
  ingressClassName: traefik
  rules:
    - host: whoami.${DOMAIN}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 5678
  tls:
    - secretName: whoami-tls
      hosts:
        - whoami.${DOMAIN}

Test

Point your browser to https://echo.dog.example.com (it might take a few minutes until the certificate is ready). You should get a 200 response with the simple body "echo1" showing in the page. Your whoami service is now served with a fresh HTTPS certificate.
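A browser check does not tell you which CA signed the certificate or whether the redirect middleware is really attached. The script below is an added example, not part of the original page: it reads the Certificate status from the cluster, inspects the issuer of the certificate the host actually serves (a "(STAGING)" issuer or Traefik's built-in "TRAEFIK DEFAULT CERT" means cert-manager has not delivered the real one yet) and confirms that plain HTTP gets a permanent redirect to the HTTPS origin. It assumes kubectl, curl and openssl are installed and that WHOAMI_HOST is set to the host from the ingress (whoami.${DOMAIN}); the Certificate name whoami-tls follows from the secretName above.

```shell
# Added example (not from the original page).

# Ready=True on the Certificate resource is the authoritative signal that
# cert-manager finished issuing.
cert_ready() {
  kubectl get certificate whoami-tls -o \
    jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
}

# Issuer of the certificate a host serves, as a TLS client sees it.
served_issuer() {
  host=$1
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Classify an issuer line. Let's Encrypt staging CAs carry "(STAGING)" in
# their names and are not browser-trusted; anything else that is not
# Let's Encrypt (e.g. Traefik's default self-signed cert) is "unknown".
classify_issuer() {
  case $1 in
    *"(STAGING)"*)     echo staging ;;
    *"Let's Encrypt"*) echo production ;;
    *)                 echo unknown ;;
  esac
}

# HTTP status for the plain-HTTP URL; 301 is what permanent: true produces.
redirect_status() {
  curl -s -o /dev/null -w '%{http_code}' "http://$1/"
}

# A redirect only counts if it is permanent and lands on the HTTPS origin of
# the same host; a redirect elsewhere would mean the wrong router matched.
redirect_ok() {
  [ "$1" = 301 ] || return 1
  case $2 in
    "https://$3/"*) return 0 ;;
  esac
  return 1
}

# Run all checks against one host and print a line per finding.
check_whoami() {
  host=$1
  echo "certificate Ready: $(cert_ready)"
  issuer=$(served_issuer "$host")
  echo "served issuer: $issuer ($(classify_issuer "$issuer"))"
  status=$(redirect_status "$host")
  location=$(curl -s -o /dev/null -w '%{redirect_url}' "http://$host/")
  if redirect_ok "$status" "$location" "$host"; then
    echo "http -> https redirect: ok ($status -> $location)"
  else
    echo "http -> https redirect: missing or wrong ($status -> $location)"
  fi
}

# Only touch the cluster and the network when a host was supplied.
if [ -n "${WHOAMI_HOST:-}" ]; then
  check_whoami "$WHOAMI_HOST"
fi
```

Run it as `WHOAMI_HOST=whoami.example.com sh check-whoami.sh`; if the issuer is "unknown" and the Certificate is not Ready, `kubectl describe certificate whoami-tls` and the order/challenge resources it references are the next place to look.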

Troubleshooting

See cert-manager's official troubleshooting guide.