Available from MicroK8s 1.25
This addon installs Cert-Manager. Cert-Manager is the de-facto standard solution for certificate management in Kubernetes clusters. It manages X.509 certificates for Kubernetes and OpenShift clusters, obtains them from private (internal) or public issuers, and ensures they are renewed before they expire and kept up to date.
Install this addon with:
microk8s enable cert-manager
Automatically generating Let’s Encrypt certificates for Ingress
One of the common use-cases of Cert-Manager is to configure Kubernetes Ingress resources with automatic TLS certificates from Let’s Encrypt.
Requirements
- A MicroK8s cluster with a public IP address. This is required to complete the HTTP-01 challenges of Let's Encrypt, which are made over plain HTTP to port 80 of that address, so the ingress must be reachable from the internet on port 80.
- A hostname that resolves to your public IP address, e.g. my-service.example.com.
- A properly configured ingress class for your MicroK8s cluster. The simplest way to do this is to use the ingress addon:
microk8s enable ingress dns
Create a ClusterIssuer
A ClusterIssuer resource is used to configure an account with Let's Encrypt. All you need is an email address (make sure to use a valid email address).
Create a ClusterIssuer called lets-encrypt with the command below. Make sure to replace microk8s@example.com below with your email. Note that Let's Encrypt will refuse to register accounts that use the example.com domain. While you are still testing, consider pointing server at the Let's Encrypt staging endpoint, https://acme-staging-v02.api.letsencrypt.org/directory, instead of the production one: production enforces rate limits (for example, five duplicate certificates per week for the same set of hostnames), and a misconfigured ingress can use them up quickly. Staging certificates are not trusted by browsers, so switch back to the production URL once the flow works.
microk8s kubectl apply -f - <<EOF
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: lets-encrypt
spec:
  acme:
    email: microk8s@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: lets-encrypt-private-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: public
EOF
Verify that the ClusterIssuer was created successfully with microk8s kubectl get clusterissuer -o wide, which should produce output similar to:
NAME           READY   STATUS                                                 AGE
lets-encrypt   True    The ACME account was registered with the ACME server   2m19s
Deploy a service
For this example, we will deploy a simple microbot deployment:
microk8s kubectl create deploy --image cdkbot/microbot:1 --replicas 3 microbot
microk8s kubectl expose deploy microbot --port 80 --type ClusterIP
Ensure the service is up and running with microk8s kubectl get pod,svc:
NAME                          READY   STATUS    RESTARTS   AGE
pod/microbot-b6996696-sbp76   1/1     Running   0          11s
pod/microbot-b6996696-xmplm   1/1     Running   0          11s
pod/microbot-b6996696-8b82c   1/1     Running   0          11s

NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.152.183.1     <none>        443/TCP   16m
service/microbot     ClusterIP   10.152.183.134   <none>        80/TCP    3s
Configure ingress
Next, create a Kubernetes ingress resource that forwards requests made to https://my-service.example.com to our microbot service.
Note that the cert-manager.io/cluster-issuer: lets-encrypt annotation tells Cert-Manager to automatically retrieve TLS certificates for our domain. The following example needs to reference the correct hostnames for your deployment - please substitute appropriately before running this command:
microk8s kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: microbot-ingress
  annotations:
    cert-manager.io/cluster-issuer: lets-encrypt
spec:
  tls:
  - hosts:
    - my-service.example.com
    secretName: microbot-ingress-tls
  rules:
  - host: my-service.example.com
    http:
      paths:
      - backend:
          service:
            name: microbot
            port:
              number: 80
        path: /
        pathType: Exact
EOF
After a while (typically a minute or two), Cert-Manager will automatically request a certificate from Let's Encrypt, store it in the microbot-ingress-tls Secret and configure the ingress to serve it. You can follow the process with microk8s kubectl get certificate,order,challenge, and inspect a stuck request with microk8s kubectl describe certificate microbot-ingress-tls (the Certificate resource that Cert-Manager creates for an Ingress takes the name of the TLS secret). Finally, you should be able to access your service over HTTPS at its fully qualified domain name.
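The configuration points the steps above depend on (a valid account email that is not under example.com, a known ACME server URL, an http01 solver, a cert-manager.io/cluster-issuer annotation naming a ClusterIssuer that exists, and TLS hosts that match the Ingress rules) can be checked before anything is applied. The following preflight lint is an added example written for this page; it is not MicroK8s or cert-manager code. It treats the manifests as already-parsed dicts (what yaml.safe_load returns) so that it runs offline, and its build_* helpers, hostnames and email addresses are constructed assumptions. Run unchanged against the page's own two manifests, it reports the example.com email and the placeholder hostname that the text tells you to substitute.

```python
"""Preflight lint for the ClusterIssuer and Ingress manifests used above.

Added example, not part of MicroK8s or cert-manager. Manifests are handled as
already-parsed dicts (what yaml.safe_load returns), so this runs offline without
PyYAML. The build_* helpers and all hostnames/emails below are constructed.
"""
from __future__ import annotations

from typing import Any

ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"
ACME_PROD = "https://acme-v02.api.letsencrypt.org/directory"
ACME_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"


def is_placeholder(name: str) -> bool:
    """example.com is both the page's placeholder and a domain Let's Encrypt rejects."""
    name = name.lower()
    return name == "example.com" or name.endswith(".example.com")


def build_issuer(name: str, email: str, server: str = ACME_PROD,
                 key_secret: str = "lets-encrypt-private-key", ingress_class: str = "public") -> dict[str, Any]:
    """Dict form of the page's ClusterIssuer manifest (hypothetical helper)."""
    return {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
            "metadata": {"name": name},
            "spec": {"acme": {"email": email, "server": server,
                              "privateKeySecretRef": {"name": key_secret},
                              "solvers": [{"http01": {"ingress": {"class": ingress_class}}}]}}}


def build_ingress(name: str, host: str, secret_name: str, issuer: str = "lets-encrypt",
                  service: str = "microbot", port: int = 80) -> dict[str, Any]:
    """Dict form of the page's Ingress manifest (hypothetical helper)."""
    backend = {"service": {"name": service, "port": {"number": port}}}
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name, "annotations": {ISSUER_ANNOTATION: issuer}},
            "spec": {"tls": [{"hosts": [host], "secretName": secret_name}],
                     "rules": [{"host": host, "http": {"paths": [
                         {"path": "/", "pathType": "Exact", "backend": backend}]}}]}}


def validate_issuer(issuer: dict[str, Any]) -> list[str]:
    """Problems that would stop ACME account registration; an empty list means OK."""
    problems: list[str] = []
    if issuer.get("kind") != "ClusterIssuer":
        problems.append(f"kind is {issuer.get('kind')!r}, expected ClusterIssuer")
    acme = issuer.get("spec", {}).get("acme")
    if not isinstance(acme, dict):
        return problems + ["spec.acme is missing (only ACME issuers are checked)"]
    email = acme.get("email") or ""
    domain = email.rsplit("@", 1)[1] if email.count("@") == 1 else ""
    if not domain:
        problems.append(f"acme.email {email!r} is not a valid address")
    elif is_placeholder(domain):
        problems.append(f"acme.email is under {domain}, which Let's Encrypt rejects")
    if acme.get("server") not in (ACME_PROD, ACME_STAGING):
        problems.append(f"acme.server {acme.get('server')!r} is not a Let's Encrypt endpoint")
    if not (acme.get("privateKeySecretRef") or {}).get("name"):
        problems.append("acme.privateKeySecretRef.name is missing")
    if not any("http01" in s for s in acme.get("solvers") or []):
        problems.append("no http01 solver, so HTTP-01 challenges cannot be answered")
    return problems


def validate_ingress(ingress: dict[str, Any], issuers: dict[str, dict[str, Any]]) -> list[str]:
    """Problems that would stop cert-manager's ingress-shim from issuing a usable certificate."""
    problems: list[str] = []
    issuer = (ingress.get("metadata", {}).get("annotations") or {}).get(ISSUER_ANNOTATION)
    if not issuer:
        problems.append(f"missing {ISSUER_ANNOTATION} annotation; cert-manager ignores this Ingress")
    elif issuer not in issuers:
        problems.append(f"annotation names ClusterIssuer {issuer!r}, which does not exist")
    spec = ingress.get("spec", {})
    tls_entries = spec.get("tls") or []
    if not tls_entries:
        problems.append("spec.tls is empty, so no certificate is requested")
    rule_hosts = {r["host"] for r in spec.get("rules", []) if r.get("host")}
    tls_hosts: set[str] = set()
    for i, entry in enumerate(tls_entries):
        if not entry.get("secretName"):
            problems.append(f"spec.tls[{i}] has no secretName to store the certificate in")
        tls_hosts.update(entry.get("hosts") or [])
    for host in sorted(tls_hosts - rule_hosts):
        problems.append(f"TLS host {host!r} has no matching rule, so nothing is routed to it")
    for host in sorted(rule_hosts - tls_hosts):
        problems.append(f"rule host {host!r} is not in spec.tls and would be served without TLS")
    for host in sorted(h for h in tls_hosts | rule_hosts if is_placeholder(h)):
        problems.append(f"host {host!r} is the page's placeholder; substitute your real hostname")
    return problems


# The page's two manifests exactly as shown, before any substitution.
PAGE_ISSUER = build_issuer("lets-encrypt", "microk8s@example.com")
PAGE_INGRESS = build_ingress("microbot-ingress", "my-service.example.com", "microbot-ingress-tls")

if __name__ == "__main__":
    report = {"ClusterIssuer/lets-encrypt": validate_issuer(PAGE_ISSUER),
              "Ingress/microbot-ingress": validate_ingress(PAGE_INGRESS, {"lets-encrypt": PAGE_ISSUER})}
    for obj, problems in report.items():
        print(f"{obj}: {'OK' if not problems else '; '.join(problems)}")
```

The checks mirror what cert-manager itself needs before it will act: without the annotation the Ingress is never picked up, without spec.tls no Certificate is created, and a TLS host that appears in no rule is requested but never served. Feed it your own manifests (parsed with yaml.safe_load) in place of the page's and fix everything it lists before running kubectl apply, so that a typo does not cost you a production rate-limit slot.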