Addon: cert-manager

From 1.25

This addon installs Cert Manager. Cert-Manager is the de-facto standard solution for certificate management in Kubernetes clusters. It supports x.509 certificate management for Kubernetes and OpenShift clusters, retrieving certificates from private (internal) or public issuers, and ensures they are properly rotated and kept up to date.

Install this addon with:

microk8s enable cert-manager

Automatically generating Let’s Encrypt certificates for Ingress

One of the common use-cases of Cert-Manager is to configure Kubernetes Ingress resources with automatic TLS certificates from Let’s Encrypt.

Requirements

  1. A MicroK8s cluster with a public IP address. This is required to complete the HTTP challenges of Let’s Encrypt.

  2. A hostname that resolves to your public IP address, e.g. my-service.example.com.

  3. A properly configured ingress class for your MicroK8s cluster. The simplest way to do this is to use the ingress addon:

microk8s enable ingress dns

Create a ClusterIssuer

A ClusterIssuer resource is used to configure an account with Let’s Encrypt. All you need is an email address (make sure to use a valid email address).

Create a ClusterIssuer called lets-encrypt with the command below. Make sure to replace microk8s@example.com below with your email. Note that Let’s Encrypt will refuse to register accounts that use the example.com domain.

microk8s kubectl apply -f - <<EOF
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
 name: lets-encrypt
spec:
 acme:
   email: microk8s@example.com
   server: https://acme-v02.api.letsencrypt.org/directory
   privateKeySecretRef:
     # Secret resource that will be used to store the account's private key.
     name: lets-encrypt-priviate-key
   # Add a single challenge solver, HTTP01 using nginx
   solvers:
   - http01:
       ingress:
         class: public
EOF

Verify that the ClusterIssuer was created successfully with microk8s kubectl get clusterissuer -o wide, which should produce output similar to:

NAME           READY   STATUS                                                 AGE
lets-encrypt   True    The ACME account was registered with the ACME server   2m19s

Deploy a service

For this example, we will deploy a simple microbot deployment:

microk8s kubectl create deploy --image cdkbot/microbot:1 --replicas 3 microbot
microk8s kubectl expose deploy microbot --port 80 --type ClusterIP

Ensure the service is up and running with microk8s kubectl get pod,svc:

NAME                          READY   STATUS    RESTARTS   AGE
pod/microbot-b6996696-sbp76   1/1     Running   0          11s
pod/microbot-b6996696-xmplm   1/1     Running   0          11s
pod/microbot-b6996696-8b82c   1/1     Running   0          11s

NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.152.183.1     <none>        443/TCP   16m
service/microbot     ClusterIP   10.152.183.134   <none>        80/TCP    3s

Configure ingress

Next, create a Kubernetes ingress resource that forwards requests made to https://my-service.example.com to our microbot service.

Note that the cert-manager.io/cluster-issuer: lets-encrypt annotation tells Cert-Manager to automatically retrieve TLS certificates for our domain. The following example needs to reference the correct hostnames for your deployment - please substitute appropriately before running this command:

microk8s kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
 name: microbot-ingress
 annotations:
   cert-manager.io/cluster-issuer: lets-encrypt
spec:
 tls:
 - hosts:
   - my-service.example.com
   secretName: microbot-ingress-tls
 rules:
 - host: my-service.example.com
   http:
     paths:
     - backend:
         service:
           name: microbot
           port:
             number: 80
       path: /
       pathType: Exact
EOF

After a while, Cert-Manager will automatically request a certificate from Let’s Encrypt, populate the microk8s-ingress-tls with it and configure the ingress. Finally, you should be able to access your service at its fully qualified domain.

Hi, @evilnick
Is there any way to use under microk8s 1.22 ?
I look forward to your reply.
Thanks.

@amo.mycena thanks for the message. Unfortunately no, this relies on features which were added in 1.25

Thanks for your reply.