Deploying secure applications on Kubernetes often requires obtaining and managing SSL/TLS certificates. Let's Encrypt provides free certificates, and Helm charts simplify deploying applications and their dependencies. This guide explains how to integrate Let's Encrypt with Helm charts for Kubernetes-based deployments.
Prerequisites
- A Kubernetes cluster up and running
- Helm installed and configured
- kubectl configured to access your cluster
- Domain name pointing to your cluster's ingress IP
Using Cert-Manager for Automatic SSL Certificates
Cert-Manager is a Kubernetes add-on that automates the management and issuance of TLS certificates, including those from Let's Encrypt.
Install Cert-Manager
Use Helm to install Cert-Manager:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.10.0 \
  --set installCRDs=true
Create ClusterIssuer for Let's Encrypt
Define a ClusterIssuer resource to request certificates from Let's Encrypt:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # Placeholder address: replace with a mailbox you monitor
    email: admin@example.com
    # Secret that stores the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
Configure Your Helm Chart for Ingress with TLS
Modify your application's Helm chart to include an ingress resource that references the ClusterIssuer for TLS certificates.
ingress:
  enabled: true
  hosts:
    - host: your.domain.com
      paths:
        - /
  tls:
    - secretName: your-tls-secret
      hosts:
        - your.domain.com
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
Deploy and Verify
Deploy your application with Helm:
helm install your-release your-chart/
Check the status of the certificate:
kubectl describe certificate your-tls-secret
Once issued, your website will be accessible via HTTPS with a valid Let's Encrypt certificate.