Cert-manager Integration with Let's Encrypt

If you decide to use automatically managed TLS certificates, you can install cert-manager and configure it according to your requirements. Follow the cert-manager documentation for details specific to your environment. This example shows how to use the Let’s Encrypt Certificate Authority.

  1. Add a CAA record to your DNS domain:

```
company.com. CAA 0 issue "letsencrypt.org"
```

  2. Create a namespace and install cert-manager:

```bash
helm repo add jetstack https://charts.jetstack.io
helm --namespace cert-manager install cert-manager \
    jetstack/cert-manager --set installCRDs=true \
    --create-namespace
```

  3. Configure ClusterIssuer:

Write the configuration for an ACME issuer that points to the Let’s Encrypt API into the file issuer-letsencrypt-production.yaml. Set the value of email to a valid e-mail address.

```yaml
# File issuer-letsencrypt-production.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ENTER-YOUR-EMAIL-HERE
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - http01:
        ingress:
          class: nginx
```

Apply the configuration file using the following command:

```bash
kubectl -n cert-manager apply -f issuer-letsencrypt-production.yaml
```
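
How the CAA record from the first step governs which names Let’s Encrypt may issue for, as an added example that is not part of the original page or of cert-manager: a simplified model of the RFC 8659 lookup (climb toward the root, `issuewild` overrides `issue` for wildcards, an empty issuer forbids issuance). The function names and every record in the sample zone except the `company.com` one are assumptions constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample zone; only the first record comes from the page.
SAMPLE_ZONE = '''
company.com. CAA 0 issue "letsencrypt.org"
shop.company.com. CAA 0 issue "ca.example.net"
locked.company.com. CAA 0 issue ";"
wild.company.com. CAA 0 issue "letsencrypt.org"
wild.company.com. CAA 0 issuewild ";"
'''

def parse_zone(text):
    """Parse 'name CAA flags tag "value"' lines into {name: [(flags, tag, value)]}."""
    rrsets = defaultdict(list)
    for line in text.strip().splitlines():
        name, rtype, flags, tag, value = shlex.split(line)
        if rtype.upper() == "CAA":
            rrsets[name.rstrip(".").lower()].append((int(flags), tag.lower(), value))
    return rrsets

def relevant_rrset(rrsets, fqdn):
    """Climb from fqdn toward the root; the first non-empty CAA RRset applies."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        found = rrsets.get(".".join(labels[i:]))
        if found:
            return found
    return []

def may_issue(rrsets, fqdn, ca="letsencrypt.org"):
    """Return True if CAA permits `ca` to issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(rrsets, fqdn[2:] if wildcard else fqdn)
    known = {"issue", "issuewild", "iodef"}
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    values = issuewild if wildcard and issuewild else issue
    if not values:
        return True  # no restricting property: CAA does not limit issuance
    # The issuer domain is the part before any ';' parameters; "" authorises nobody.
    return any(v.split(";")[0].strip().lower() == ca for v in values)

if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for name in ("www.company.com", "api.shop.company.com", "*.wild.company.com"):
        print(name, may_issue(zone, name))
```

A CAA record on a subdomain replaces the parent's record for everything beneath it, so an existing record naming another CA will cause the ACME order for that host to fail even though `company.com` authorises Let’s Encrypt.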