This addon installs Cert Manager. Cert-Manager is the de-facto standard solution for certificate management in Kubernetes clusters. It supports x.509 certificate management for Kubernetes and OpenShift clusters, retrieving certificates from private (internal) or public issuers, and ensures they are properly rotated and kept up to date.
Install this addon with:
microk8s enable cert-manager
One of the common use-cases of Cert-Manager is to configure Kubernetes Ingress resources with automatic TLS certificates from Let’s Encrypt.
A MicroK8s cluster with a public IP address. This is required to complete the HTTP challenges of Let’s Encrypt.
A hostname that resolves to your public IP address, e.g.
A properly configured ingress class for your MicroK8s cluster. The simplest way to do this is to use the ingress addon:
microk8s enable ingress dns
ClusterIssuer resource is used to configure an account with Let’s Encrypt. All you need is an email address (make sure to use a valid email address).
Create a ClusterIssuer called
lets-encrypt with the command below. Make sure to replace
firstname.lastname@example.org below with your email. Note that Let’s Encrypt will refuse to register accounts that use the
microk8s kubectl apply -f - <<EOF --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: lets-encrypt spec: acme: email: email@example.com server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: # Secret resource that will be used to store the account's private key. name: lets-encrypt-priviate-key # Add a single challenge solver, HTTP01 using nginx solvers: - http01: ingress: class: public EOF
Verify that the ClusterIssuer was created successfully with
microk8s kubectl get clusterissuer -o wide, which should produce output similar to:
NAME READY STATUS AGE lets-encrypt True The ACME account was registered with the ACME server 2m19s
For this example, we will deploy a simple microbot deployment:
microk8s kubectl create deploy --image cdkbot/microbot:1 --replicas 3 microbot microk8s kubectl expose deploy microbot --port 80 --type ClusterIP
Ensure the service is up and running with
microk8s kubectl get pod,svc:
NAME READY STATUS RESTARTS AGE pod/microbot-b6996696-sbp76 1/1 Running 0 11s pod/microbot-b6996696-xmplm 1/1 Running 0 11s pod/microbot-b6996696-8b82c 1/1 Running 0 11s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/kubernetes ClusterIP 10.152.183.1 <none> 443/TCP 16m service/microbot ClusterIP 10.152.183.134 <none> 80/TCP 3s
Next, create a Kubernetes ingress resource that forwards requests made to
https://my-service.example.com to our microbot service.
Note that the
cert-manager.io/cluster-issuer: lets-encrypt annotation tells Cert-Manager to automatically retrieve TLS certificates for our domain. The following example needs to reference the correct hostnames for your deployment - please substitute appropriately before running this command:
microk8s kubectl apply -f - <<EOF apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: microbot-ingress annotations: cert-manager.io/cluster-issuer: lets-encrypt spec: tls: - hosts: - my-service.example.com secretName: microbot-ingress-tls rules: - host: my-service.example.com http: paths: - backend: service: name: microbot port: number: 80 path: / pathType: Exact EOF
After a while, Cert-Manager will automatically request a certificate from Let’s Encrypt, populate the
microk8s-ingress-tls with it and configure the ingress. Finally, you should be able to access your service at its fully qualified domain.