Securing your microservices in a Kubernetes environment is essential to protect data and ensure trustworthiness. One effective way to achieve this is by using Let's Encrypt to obtain free SSL/TLS certificates, combined with Kubernetes ingress controllers. This guide walks you through the process of setting up Let's Encrypt with your Kubernetes ingress controllers to enable secure communication.
Prerequisites
- A running Kubernetes cluster (version 1.16 or higher recommended)
- kubectl configured to access your cluster
- Helm installed for easier deployment
- Domain names pointing to your ingress controller's IP address
Deploying an Ingress Controller with Cert-Manager
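This guide assumes an ingress controller is already running in the cluster (the manifests below use the nginx ingress class). First, install Cert-Manager, which automates obtaining and renewing SSL/TLS certificates from Let's Encrypt.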
Use Helm to deploy Cert-Manager:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.8.0 --set installCRDs=true
Configuring Let's Encrypt Issuer
Create an Issuer resource that specifies Let's Encrypt as the CA. Use the following YAML manifest:
Save this as letsencrypt-issuer.yaml:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: default
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # Placeholder: replace with your own contact address
    email: you@example.com
    # Secret that stores the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
Apply the issuer:
kubectl apply -f letsencrypt-issuer.yaml
Creating a TLS Certificate Resource
Define a Certificate resource to request a certificate for your domain:
Save as certificate.yaml:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mydomain-tls
  namespace: default
spec:
  secretName: mydomain-tls-secret
  issuerRef:
    name: letsencrypt-prod
  dnsNames:
  - yourdomain.com
Apply the certificate:
kubectl apply -f certificate.yaml
Configuring the Ingress Resource
Finally, create an Ingress resource that uses the TLS secret and routes traffic to your services:
Save as ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # letsencrypt-issuer.yaml defines a namespaced Issuer, so use the issuer
    # annotation; cluster-issuer would look up a ClusterIssuer instead
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - yourdomain.com
    secretName: mydomain-tls-secret
  rules:
  - host: yourdomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80
Apply the ingress:
kubectl apply -f ingress.yaml
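The three manifests above only work if their references line up: the issuer name and kind, the secret name, and the host names. The following offline check is an added example, not part of the original guide or of cert-manager; the function names check_wiring, covers and sample are hypothetical, and the sample objects are constructed to mirror this guide's manifests.

```python
ANNOTATIONS = {"cert-manager.io/issuer": "Issuer", "cert-manager.io/cluster-issuer": "ClusterIssuer"}

def covers(dns_name, host):
    """True if a certificate dnsName covers host (exact match or one-label wildcard)."""
    if dns_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == dns_name[2:]
    return dns_name == host

def check_wiring(objs):
    """objs: dicts such as .items from `kubectl get issuer,certificate,ingress -o json`."""
    findings = []  # an empty list means every reference resolves
    index = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]) for o in objs}

    def issuer_exists(kind, ns, name):
        # A ClusterIssuer is cluster-scoped; an Issuer only serves its own namespace.
        return (kind, None if kind == "ClusterIssuer" else ns, name) in index

    certs = [o for o in objs if o["kind"] == "Certificate"]
    for c in certs:
        ref = c["spec"]["issuerRef"]
        kind = ref.get("kind", "Issuer")  # issuerRef.kind defaults to Issuer
        if not issuer_exists(kind, c["metadata"]["namespace"], ref["name"]):
            findings.append(f"Certificate/{c['metadata']['name']}: {kind} '{ref['name']}' not found")
    for ing in (o for o in objs if o["kind"] == "Ingress"):
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        ann = ing["metadata"].get("annotations", {})
        for a, kind in ANNOTATIONS.items():
            if a in ann and not issuer_exists(kind, ns, ann[a]):
                findings.append(f"Ingress/{name}: {a} -> {kind} '{ann[a]}' not found")
        for tls in ing["spec"].get("tls", []):
            # dnsNames of every Certificate that writes this TLS secret
            names = [d for c in certs if c["metadata"]["namespace"] == ns
                     and c["spec"]["secretName"] == tls.get("secretName")
                     for d in c["spec"].get("dnsNames", [])]
            for host in tls.get("hosts", []):
                if names and not any(covers(d, host) for d in names):
                    findings.append(f"Ingress/{name}: '{host}' not in dnsNames of {tls.get('secretName')}")
    return findings

def sample(annotation):
    """Constructed objects mirroring this guide's manifests, trimmed to the checked fields."""
    meta = lambda name, **kw: {"name": name, "namespace": "default", **kw}
    return [{"kind": "Issuer", "metadata": meta("letsencrypt-prod")},
            {"kind": "Certificate", "metadata": meta("mydomain-tls"),
             "spec": {"secretName": "mydomain-tls-secret", "dnsNames": ["yourdomain.com"],
                      "issuerRef": {"name": "letsencrypt-prod"}}},
            {"kind": "Ingress", "metadata": meta("my-ingress", annotations={annotation: "letsencrypt-prod"}),
             "spec": {"tls": [{"hosts": ["yourdomain.com"], "secretName": "mydomain-tls-secret"}]}}]

if __name__ == "__main__":
    for ann in ANNOTATIONS: print(ann, "->", check_wiring(sample(ann)) or "consistent")
```

With the namespaced Issuer from this guide, only the cert-manager.io/issuer annotation resolves; the cluster-issuer annotation is reported because no ClusterIssuer named letsencrypt-prod exists.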
Conclusion
Using Let's Encrypt with Kubernetes ingress controllers simplifies the process of securing your microservices. Automating certificate management with Cert-Manager ensures your applications stay protected without manual intervention. Follow these steps to enhance your cluster's security and build trust with your users.