Mastering Kubernetes: Taming the HTTPS Beast, A Practical Guide to Cert-Manager
Is there anything more gut-wrenchingly unprofessional than visiting a URL only to be greeted by that dreaded "Your connection is not private" warning? It’s the digital equivalent of showing up to a black-tie event in your pajamas. For tech-savvy wizards like us, this is unacceptable. But do you know what else is unacceptable? Manually renewing SSL certificates every 90 days like some sort of medieval scribe copying scrolls—only to forget one day and cause an outage that ruins your weekend.
Fear not, dear reader! There’s a better way—one that’ll save your reputation and your sanity. Enter cert-manager, the trusty sidekick you never knew you needed for Kubernetes. Let’s dive into the world of automated certificate management and get you set up so securely that even hackers will give up and say, “Nah, too much effort.”
What is Cert-Manager Anyway?
Cert-manager is like that reliable friend who remembers everyone’s birthday—except instead of birthdays, it tracks, renews, and manages your SSL/TLS certificates. Once set up, it:
- Automatically handles certificate creation, validation, and renewal.
- Monitors expiry dates like a hawk and renews certificates before you can even panic.
- Frees you up to focus on more important tasks—like debugging your CI/CD pipeline or deciding what to eat for lunch.
It’s an absolute game-changer if you’re managing multiple domains or frequently deploying new services. And the best part? It’s incredibly simple to set up (once you get past the YAML files).
Setting Up Cert-Manager: The Easy Way
The setup is straightforward if you have Helm installed. (If you don't, it's not strictly required, but I'd get it: think of Helm as the npm or pip of Kubernetes. Seriously, you'll wonder how you ever lived without it.)
Step 1: Install Cert-Manager
With Helm, installing cert-manager is as easy as this:
helm repo add jetstack https://charts.jetstack.io --force-update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.16.3 \
--set crds.enabled=true
Prefer kubectl over Helm? I respect your boldness. You can install cert-manager with this command instead:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.16.3/cert-manager.yaml
Wait a minute or two, then verify it’s installed:
kubectl get pods --namespace cert-manager
If you see three pods Running (cert-manager, cert-manager-cainjector and cert-manager-webhook), congratulations! Cert-manager is alive and well. Give the webhook pod a moment to become ready before you apply any cert-manager resources: until it is up, the API server rejects them with a "failed calling webhook" error.
Choosing Your Certificate Solver: HTTP vs. DNS
Cert-manager can talk to several kinds of issuer, but this guide uses Let's Encrypt, which issues certificates over the ACME protocol. And Let's Encrypt isn't just handing out certs like free samples at a supermarket: before it signs anything for a name, you have to prove you control that domain. ACME gives you two main ways to do this:
1. HTTP-01 Challenge
Let's Encrypt hands you a token and then fetches it over plain HTTP on port 80 from a well-known path on your domain (/.well-known/acme-challenge/<token>); cert-manager serves that response for you. Simple, right? Sure, until your networking setup hiccups or your overly complex firewall rules block inbound port 80 and validation fails. It also can't issue wildcard certificates, and it only works for hosts reachable from the internet. Been there, done that, cried a little.
2. DNS-01 Challenge (Highly Recommended)
This method asks cert-manager to create a TXT record named _acme-challenge.<your-domain> at your DNS provider, which Let's Encrypt then looks up. It's far more reliable because once you've set it up, it's hands-off: nothing has to be reachable on port 80, it works for internal services and for wildcard certificates, and the lookup is served by your DNS provider (like Cloudflare), which probably has better uptime than your homemade Kubernetes cluster. The trade-off is that cert-manager needs an API credential that can edit your DNS, so scope that credential as tightly as your provider allows (see the Cloudflare steps below).
My advice? Go with DNS-01. Trust me, your future self will thank you.
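To make the difference concrete, here is an added example (my code, not cert-manager's or Let's Encrypt's) that computes exactly what the CA checks in each challenge, following RFC 8555: the HTTP-01 body it must receive on port 80, and the DNS-01 TXT record name and value, including the wildcard case that only DNS-01 can handle. The account key and token are placeholder values modelled on the public examples in the JOSE and ACME RFCs, not a real account. Cert-manager does all of this for you, but seeing the arithmetic explains why HTTP-01 needs inbound port 80 and DNS-01 needs a DNS credential.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses for tokens and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account's public key.

    Only the required public members count, serialised with keys in
    lexicographic order and no whitespace; extra members such as 'use' or
    'kid' are ignored, so the same key always yields the same thumbprint.
    """
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the challenge token bound to the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expectation(domain: str, token: str, account_jwk: dict) -> tuple:
    """What the CA fetches for HTTP-01: a URL on plain port 80 and the exact
    body it must get back. Wildcard identifiers are not allowed here."""
    if domain.startswith("*."):
        raise ValueError("HTTP-01 cannot validate a wildcard identifier")
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_expectation(domain: str, token: str, account_jwk: dict) -> tuple:
    """What the CA queries for DNS-01: the TXT record name and its value, the
    base64url SHA-256 of the key authorization (RFC 8555 section 8.4).
    For a wildcard the record sits at the base name, without the '*.'."""
    base = domain[2:] if domain.startswith("*.") else domain
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


def dns01_satisfied(observed_txt_values, domain: str, token: str, account_jwk: dict) -> bool:
    """The CA-side check: at least one TXT value at the challenge name must
    match exactly. Unrelated TXT values at the same name do not hurt."""
    _, expected = dns01_expectation(domain, token, account_jwk)
    return expected in set(observed_txt_values)


# Placeholder values for the example (NOT a real account key): the key mirrors
# the public EC example key from RFC 7515 and the token the one from RFC 8555.
# In a real cluster the account key lives in the Secret named by
# privateKeySecretRef and the token comes from Let's Encrypt.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    url, body = http01_expectation("subdomain.yourdomain.com", TOKEN, ACCOUNT_JWK)
    print("HTTP-01: GET", url, "must return", body)
    name, value = dns01_expectation("*.yourdomain.com", TOKEN, ACCOUNT_JWK)
    print("DNS-01: TXT", name, "must contain", value)
```

Note that the DNS-01 value is a hash of the key authorization, so a TXT record never exposes the token itself, and for a wildcard the record name is the same as for the bare domain.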
Setting Up DNS-01 Solver with Cloudflare
Using Cloudflare as your DNS provider? Perfect! Here's how to get a scoped API token for cert-manager (a token, not your Global API Key, which would hand cert-manager your entire account):
- Head to User Profile > API Tokens > Create Token.
- Grant the following permissions, and nothing more:
- Zone - DNS - Edit (to create and delete the _acme-challenge TXT record)
- Zone - Zone - Read (to look up which zone the record belongs to)
- Under Zone Resources, include only the specific zone(s) cert-manager should manage rather than All zones.
- Copy your shiny new API token; Cloudflare shows it only once.
Next, create a Kubernetes Secret holding the token. Put it in the cert-manager namespace: a ClusterIssuer is cluster-scoped, so cert-manager looks for the Secrets it references in its own namespace, not in the namespace of your app.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: <API Token>
Apply the file:
kubectl apply -f cloudflare-secret.yaml
Creating a ClusterIssuer
Time to connect the dots and create a ClusterIssuer. This is the boss that tells cert-manager which CA to talk to and how to solve challenges for your domains. A ClusterIssuer is cluster-wide, so an Ingress in any namespace can reference it; a plain Issuer would only serve its own namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: your@email.com
    server: https://acme-v02.api.letsencrypt.org/directory
    # cert-manager generates the ACME account key and stores it in this Secret
    # (in its own namespace); keep it, losing it means registering a new account.
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        cloudflare:
          # No email here: it is only needed with a Global API Key, not with a scoped token.
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
Save and apply this YAML file. If you're still experimenting, point server at https://acme-staging-v02.api.letsencrypt.org/directory first: the production endpoint enforces rate limits, and a burst of failed attempts while you debug DNS can lock you out of issuing for a while. Staging certificates aren't trusted by browsers, so switch back to the production URL once the flow works.
kubectl apply -f clusterissuer.yaml
Adding an Ingress
Now that cert-manager is ready to rumble, let's create an Ingress that uses your ClusterIssuer. The cert-manager.io/cluster-issuer annotation is all it takes: cert-manager's ingress-shim watches Ingresses, creates a Certificate resource for the hosts listed under tls, and writes the issued certificate into the named Secret for the ingress controller to pick up.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  ingressClassName: traefik
  rules:
  - host: subdomain.yourdomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: your-service
            port:
              number: 80
  tls:
  - secretName: your-service-tls
    hosts:
    - subdomain.yourdomain.com
A few things to get right here. ingressClassName is a field under spec, not an annotation; putting it under annotations silently does nothing and the Ingress may never be picked up. The acme.cert-manager.io/http01-edit-in-place annotation belongs to HTTP-01 and is irrelevant with the DNS-01 issuer above, so it's gone. The Traefik annotations shown are the Traefik v2+ ones (redirect-entry-point was a v1 annotation): router.entrypoints binds the route to the TLS entrypoint, and the HTTP-to-HTTPS redirect itself is configured on the web entrypoint in Traefik's static configuration or with a RedirectScheme middleware. If you use a different ingress controller, drop the Traefik annotations and set ingressClassName accordingly; the cert-manager part stays the same.
Apply the file:
kubectl apply -f example-ingress.yaml
Watching the Magic Happen
Run this to check your certificate's status:
kubectl get certificates -A
You'll likely see Ready: False initially. Don't panic! Cert-manager is just doing its thing: it creates a CertificateRequest, an Order and a Challenge, publishes the TXT record at your DNS provider, waits for the record to propagate, and only then asks Let's Encrypt to validate. While the challenge is running you can watch the _acme-challenge TXT record appear in your Cloudflare zone; cert-manager deletes it again once validation is done. Within a few minutes the certificate is issued and Ready flips to True, and you can sip your coffee while cert-manager handles all the heavy lifting, including renewal before expiry.
If it stays on False for more than a few minutes, describe the Certificate and then the Challenge it spawned: the Challenge's status carries the exact reason, which is usually a mistyped token, a Secret in the wrong namespace, or a token without DNS Edit on that zone. Now you're set up to confidently secure your domains like a pro.
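If you'd rather not eyeball the table by hand, here is an added example (my script, not part of cert-manager) that reads the JSON form of the same command, kubectl get certificates -A -o json, and triages every Certificate into ok, expiring, expired, not-ready or pending, surfacing the Ready condition's reason and message where validation failed. A cert that is Ready but already past its renewalTime without a fresh notAfter is the silent failure mode worth alerting on, because it still serves fine right up until it doesn't. The embedded sample list is constructed for this example with invented names and dates; pipe real output in to use it as a cron alert or CI gate.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `kubectl get certificates -A -o json`.
# Names, namespaces, messages and timestamps are invented for this example.
SAMPLE_CERT_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "your-service-tls", "namespace": "default"},
            "spec": {"dnsNames": ["subdomain.yourdomain.com"]},
            "status": {
                "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                                "message": "Certificate is up to date and has not expired"}],
                "notBefore": "2025-01-01T12:00:00Z",
                "notAfter": "2025-04-01T12:00:00Z",
                "renewalTime": "2025-03-02T12:00:00Z",
            },
        },
        {
            "metadata": {"name": "old-api-tls", "namespace": "staging"},
            "spec": {"dnsNames": ["old-api.yourdomain.com"]},
            "status": {
                "conditions": [{"type": "Ready", "status": "False", "reason": "Failed",
                                "message": "The certificate request has failed to complete"}],
            },
        },
        {
            # Just created: cert-manager has not reconciled it yet, so no status at all.
            "metadata": {"name": "new-tls", "namespace": "default"},
            "spec": {"dnsNames": ["new.yourdomain.com"]},
        },
    ],
})


def parse_k8s_time(value: str) -> datetime:
    """Kubernetes timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(cert_list_json: str, now: datetime, warn_days: int = 14) -> list:
    """Classify every Certificate as ok, expiring (within warn_days), expired,
    not-ready or pending. Returns (namespace/name, state, detail) tuples."""
    findings = []
    for item in json.loads(cert_list_json)["items"]:
        meta = item["metadata"]
        ident = f"{meta['namespace']}/{meta['name']}"
        status = item.get("status") or {}
        ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
        if ready is None:
            findings.append((ident, "pending", "no Ready condition yet; cert-manager has not reconciled it"))
            continue
        if ready.get("status") != "True":
            # Ready=False with reason/message is where DNS and API-token mistakes surface.
            findings.append((ident, "not-ready", f"{ready.get('reason')}: {ready.get('message')}"))
            continue
        remaining = parse_k8s_time(status["notAfter"]) - now
        if remaining <= timedelta(0):
            state = "expired"
        elif remaining <= timedelta(days=warn_days):
            # Ready=True but close to expiry means renewal is stuck, not that all is well.
            state = "expiring"
        else:
            state = "ok"
        findings.append((ident, state,
                         f"expires in {remaining.days}d, renewalTime={status.get('renewalTime')}"))
    return findings


def worst_exit_code(findings) -> int:
    """Non-zero if anything needs a human, so this can gate a CI job or feed a cron alert."""
    return 0 if all(state == "ok" for _, state, _ in findings) else 1


if __name__ == "__main__":
    # Usage: kubectl get certificates -A -o json | python3 cert_triage.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CERT_LIST
    results = triage(raw, datetime.now(timezone.utc))
    for ident, state, detail in results:
        print(f"{state:9} {ident}: {detail}")
    sys.exit(worst_exit_code(results))
```

The 14-day warning threshold is deliberately shorter than cert-manager's default renewal window (a third of the certificate lifetime, so 30 days for a 90-day Let's Encrypt cert): anything still unrenewed at 14 days has already missed its window and deserves a page.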
Wrapping Up
Cert-manager is the real MVP of Kubernetes. It ensures you never have to worry about expired certificates or manual renewals ever again. Plus, it’s ridiculously satisfying to automate one more tedious task in your workflow. So go ahead, set it up, and enjoy the peace of mind that comes with knowing your HTTPS connections are locked down tighter than a bank vault.
Thanks for sticking around, and happy automating!