Secure your Kubernetes services with Let's Encrypt and cert-manager

Discover how to secure your Kubernetes services using Let's Encrypt and cert-manager. Follow our step-by-step tutorial for easy implementation.


Written by

Civo Team

Marketing Team @ Civo

In this guide you will learn how to obtain a free wildcard certificate from Let's Encrypt using cert-manager and Okteto's Civo DNS Webhook.

Prerequisites

  • A Kubernetes cluster on Civo; you can deploy one from the dashboard or the command line in minutes. You can sign up here.
  • A working KUBECONFIG and kubectl setup. Once you have a new or existing cluster, get your kubectl command-line to point at it and verify that with kubectl config get-contexts. See also: Install and Set Up kubectl.
  • Helm installed. I recommend you use Helm 3, since it's newer and more secure.
  • A domain name you own, added in Civo. If you don't have one, you can register one for as little as $2 from namecheap.com or other DNS providers.

Create a Kubernetes cluster

To create a cluster using the Civo CLI, run the following command:

civo k3s create --create-firewall --nodes 1 -m --save --switch --wait cert-manager-demo

This launches a one-node Kubernetes cluster in your Civo account; the -m flag merges the new cluster's kubeconfig into your existing kubeconfig, and --switch points your kube-context at the newly created cluster.

Install cert-manager

If you're using Civo's managed Kubernetes service, you can directly install cert-manager from the Application Marketplace.

If you are not using Civo's managed Kubernetes, you can install it with the command below:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml

More information on this is available on cert-manager's installation guide.

Install Okteto's Civo DNS Webhook

When you request a wildcard certificate, Let's Encrypt asks you to prove that you control the DNS for your domain name by placing a specific value in a TXT record under that domain. This is known as a DNS01 challenge. cert-manager supports a few DNS providers out of the box and can be extended with webhooks; Civo is not supported out of the box, so we went ahead and created a webhook for it.
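
What the webhook ends up publishing for that challenge, as an added example (not code from the tutorial, cert-manager or the Okteto webhook): RFC 8555 defines the TXT value as the base64url SHA-256 of the token joined to the ACME account key's RFC 7638 thumbprint, and the record name as _acme-challenge. plus the identifier with any leading "*." removed. The JWK values and token below are constructed placeholders.

```python
"""DNS01 challenge record computation per RFC 8555 section 8.4 (added example)."""
import base64
import hashlib
import json

# RFC 7638: only these members go into the thumbprint, in lexicographic order,
# serialised without whitespace. "alg", "kid", "use" etc. are deliberately excluded.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required JWK members only."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT value) that proves control of `identifier`."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    txt_value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    # A wildcard identifier is validated at its base domain, not at a literal "*" label.
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}", txt_value


if __name__ == "__main__":
    # Constructed sample inputs: not a real ACME account key or challenge token.
    sample_jwk = {"kty": "EC", "crv": "P-256", "x": "x-placeholder", "y": "y-placeholder"}
    name, value = dns01_record("*.example.com", "constructed-token", sample_jwk)
    print(name, "TXT", value)
```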

To install the webhook, run the commands below:

helm install cert-manager-webhook-civo oci://ghcr.io/okteto/cert-manager-webhook-civo --version 0.5.4

Configuring the Civo DNS issuer

cert-manager uses Issuers to authenticate you with Let's Encrypt and with your DNS provider. We'll use a DNS01 issuer to identify you and to create the required DNS records in your Civo DNS domain. The Civo DNS Issuer needs your API key to be able to create those records. To retrieve it, sign into your Civo account and go to the settings page. You will find your API key in its own section.

Create the secret in two steps. First retrieve your Civo API key (the -r flag makes jq print the raw string, so the secret does not end up containing the surrounding quotes):

export APIKEY=$(civo apikey show -o json | jq -r .key)

Then create a secret holding it in your cluster:

kubectl create secret generic civo-dns --namespace=cert-manager --from-literal=key=$APIKEY

Create the Issuer in the cert-manager namespace (the same namespace as the civo-dns secret it references), changing the email field to yours:

kubectl apply --namespace=cert-manager -f- <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: civo
spec:
  acme:
    email: example@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        webhook:
          solverName: "civo"
          groupName: civo.webhook.okteto.com
          config:
            apiKeySecretRef:
              key: key
              name: civo-dns
EOF

If you saved the manifest as issuer.yaml instead, apply it to your cluster with:

kubectl apply -f issuer.yaml --namespace=cert-manager

Issue the certificate

Finally, we'll create the Certificate. Creating it will prompt cert-manager to request a certificate with Let's Encrypt and perform the DNS01 challenge.

Apply the manifest below, replacing the dnsNames entries with the wildcard domains you want on your certificate:

kubectl apply --namespace=cert-manager -f- <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-certificate
spec:
  dnsNames:
  - '*.example.com'
  issuerRef:
    kind: Issuer
    name: civo
  secretName: wildcard-example-com-tls
EOF

If you saved the manifest as certificate.yaml instead, apply it with:

kubectl apply -f certificate.yaml --namespace=cert-manager

Your certificate will be verified after a few minutes. You can check its state by running the command below; the READY column shows True once it has been issued:

kubectl get certificate wildcard-certificate --namespace=cert-manager

Once the certificate is valid, the public and private keys and the CA information will be stored in a secret named wildcard-example-com-tls. The certificate will be valid for 90 days, and it will be renewed automatically by cert-manager.
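
Two checks worth running against the issued certificate, as an added example that is not part of the tutorial or of cert-manager: wildcard_covers applies the matching rule of RFC 6125 section 6.4.3, under which '*.example.com' covers exactly one label and therefore neither the apex example.com nor a.b.example.com, and renewal_after_days shows when renewal is expected. The two-thirds renewal point is assumed from cert-manager's default renewBefore of one third of the lifetime; the dates below are constructed.

```python
"""Wildcard coverage and renewal timing checks (added example)."""
from datetime import datetime, timedelta, timezone


def wildcard_covers(dns_name: str, host: str) -> bool:
    """True if a certificate SAN `dns_name` (possibly "*.<domain>") is valid for `host`."""
    dns_name, host = dns_name.lower().rstrip("."), host.lower().rstrip(".")
    if not dns_name.startswith("*."):
        return dns_name == host
    parent = dns_name[2:]
    # The wildcard must stand for exactly one whole label, and the parent must
    # itself contain at least two labels so that names like "*.com" are rejected.
    if parent.count(".") < 1:
        return False
    head, sep, tail = host.partition(".")
    return bool(head) and sep == "." and tail == parent and "*" not in head


def uncovered_hosts(dns_names: list[str], hosts: list[str]) -> list[str]:
    """Hosts that none of the certificate's dnsNames would match."""
    return [h for h in hosts if not any(wildcard_covers(n, h) for n in dns_names)]


def renewal_after_days(lifetime_days: float, renew_numerator: int = 2, renew_denominator: int = 3) -> float:
    """Days after issuance at which renewal is expected (assumed default: 2/3 of the lifetime)."""
    return lifetime_days * renew_numerator / renew_denominator


def renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """Expected renewal timestamp for a certificate with the given validity window."""
    lifetime_days = (not_after - not_before).total_seconds() / 86400
    return not_before + timedelta(days=renewal_after_days(lifetime_days))


if __name__ == "__main__":
    # Constructed sample: a 90-day Let's Encrypt style validity window.
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    expires = issued + timedelta(days=90)
    print("renewal expected around", renewal_time(issued, expires).date())
    print("not covered:", uncovered_hosts(["*.example.com"], ["example.com", "api.example.com", "a.b.example.com"]))
```

If services also need to answer on the apex domain, add it to dnsNames as a second entry; the wildcard alone will not cover it.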

Wrapping up

In this guide we installed cert-manager, the Civo DNS Webhook and generated a wildcard certificate for your services. The certificate is valid, and it will be automatically renewed by cert-manager.

You now have a valid wildcard certificate in your Kubernetes cluster. You can use it to prove the identity of any service you run under that domain.

Contributing

This webhook is open source. If you have an idea or find a bug, feel free to file an issue or submit a PR. All the required information is here.
