Using Let's Encrypt SSL certs with K8s ingress
Jan 30, 2024
Let's Encrypt is a global certificate authority (CA) that provides free SSL certificates valid for 90 days, with an auto-renew option. With Let's Encrypt we can create SSL certificates for wildcards or for specific subdomains. In this article we will see how to generate SSL certificates with Let's Encrypt as the CA using certbot, and how to use them with a k8s ingress.
Steps:
- Install certbot on your local machine. Installation details are available here: https://certbot.eff.org/instructions?ws=other&os=osx
e.g. for macOS:
brew install certbot
- To generate a wildcard SSL certificate for pkc.web.online:
certbot certonly --manual -d '*.pkc-web.com' -d pkc-web.com --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory --register-unsafely-without-email --rsa-key-size 4096
- The above command generates a TXT validation record, which needs to be added to your DNS hosted zone (in some instances you need to repeat this multiple times, until the validation is done).
- Once the TXT record validation is done, the certificates are generated under this location
- Now, to add TLS to your ingress, log in to your K8s cluster (not covered here) using whatever mechanism you have and create the secret. Make sure the location of the certificate is correctly provided in the CLI:
kubectl create secret tls pkc-web-tls-cert --cert=fullchain.pem --key=privkey.pem -n your-namespace
- Provide the created secret in the ingress manifest, similar to this:
ingressClassName: nginx
rules:
- host: dev.pkc-web.com
  http:
    paths:
    - backend:
        service:
          name: dev-pkc-web
          port:
            number: 9080
      path: /
      pathType: ImplementationSpecific
tls:
- hosts:
  - dev.pkc-web.com
  secretName: pkc-web-tls-cert
- Once done, access the DNS name for which you have configured TLS on the ingress. You can check the validity of your certificate in your browser and with tools like https://www.sslshopper.com/ssl-checker.html
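Checks worth running between the certbot step and the `kubectl create secret` step, as an added example that is not part of the original article: it confirms that privkey.pem matches fullchain.pem, that the certificate covers the ingress host, and that it is not close to its 90-day expiry. The function names, the 30-day default and the dry-run/apply pipeline are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks on certbot's output before it becomes a TLS secret.
# Function names and the MIN_DAYS default are assumptions of this example.

# True when the private key belongs to the leaf certificate (the first PEM
# block of fullchain.pem). Compares public keys, so RSA and ECDSA both work.
cert_key_match() {   # cert_key_match CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is valid for HOST. A wildcard such as
# *.pkc-web.com covers dev.pkc-web.com but neither pkc-web.com itself nor
# a.dev.pkc-web.com; the certbot command in the article requests both names.
cert_covers_host() {   # cert_covers_host CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# True when the certificate is still valid DAYS days from now.
cert_valid_for_days() {   # cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all checks; the return code identifies the first one that failed.
preflight() {   # preflight CERT KEY HOST MIN_DAYS
    cert_key_match "$1" "$2" ||
        { echo "key does not match certificate" >&2; return 1; }
    cert_covers_host "$1" "$3" ||
        { echo "certificate does not cover $3" >&2; return 2; }
    cert_valid_for_days "$1" "$4" ||
        { echo "certificate expires within $4 days" >&2; return 3; }
    echo "ok: $1 is usable for $3"
}

# Creates or updates the secret only if the checks pass. Unlike a plain
# "kubectl create", the dry-run/apply pipeline also succeeds when the secret
# already exists, e.g. when replacing it after a renewal.
install_secret() {   # install_secret CERT KEY HOST NAMESPACE
    preflight "$1" "$2" "$3" "${MIN_DAYS:-30}" || return
    kubectl create secret tls pkc-web-tls-cert --cert="$1" --key="$2" \
        -n "$4" --dry-run=client -o yaml | kubectl apply -f -
}

# Script usage: preflight.sh fullchain.pem privkey.pem dev.pkc-web.com your-namespace
[ "$#" -ne 4 ] || install_secret "$@"
```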
Done, this was a short hands-on tutorial, hope it helps!!!