Generating TLS certificates with cert-manager and Let's Encrypt
In this guide we will show you how to add cert-manager to a cluster bootstrapped with Weave GitOps, and how to configure the use of Let's Encrypt to issue TLS certificates.
- A Kubernetes cluster such as Kind cluster running a Flux-supported version of Kubernetes
- Weave GitOps is installed
What is cert-manager?
cert-manager, a CNCF project, provides a way to automatically manage certificates in Kubernetes and OpenShift clusters. "It will obtain certificates from a variety of Issuers, both popular public Issuers as well as private Issuers, and ensure the certificates are valid and up-to-date, and will attempt to renew certificates at a configured time before expiry".
As cert-manager can be installed using a Helm Chart, we can
simply create a
HelmRepository and a
HelmRelease to have Flux install everything.
Commit the following to a location being reconciled by Flux.
At time of writing, cert manager v1.8.0 was the latest available release and a newer version may exist, please ensure to check https://github.com/cert-manager/cert-manager/tags for updates.
cert-manager is running, we can create a
ClusterIssuer to represent the certificate authority
from which we will obtain signed certificates, in this example we are using Let's Encrypt. After changing
the email address, commit this to the same location as above.
# You must replace this email address with your own.
# Let's Encrypt will use this to contact you about expiring
# certificates, and issues related to your account.
# Secret resource that will be used to store the account's private key.
# Add a single challenge solver, HTTP01 using nginx
ClusterIssuer resource is installed, the cluster is now configured to request and use certificates generated by Cert Manager.
This could be manually requested through the creation of a Certificate resource or configured to be automatic as shown in our Configuring OIDC with Dex and GitHub guide.