Adding certificates to ingress

Manually adding certificate

Create a secret from the certificate files:

kubectl create secret tls <secret-name> \
    --namespace <namespace> \
    --key server.key \
    --cert server.crt

Replace <secret-name> with the name you want to give the secret and <namespace> with the namespace in which the secret should be created; this should be the same namespace as the application, since an Ingress can only reference a secret in its own namespace.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myIngress
  namespace: myIngress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port:
              number: 80
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
  - hosts:
    - example.com
    secretName: myingress-cert

Replace the secretName with the secret name you entered when creating the secret.
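Before creating the secret it is worth checking that the key and certificate belong together and that the certificate's subjectAltName actually covers the host you will list under spec.tls.hosts; otherwise the Ingress accepts the secret, but clients are served a mismatched or fallback certificate. The shell helpers below are an added example, not part of the original page; they assume openssl is on PATH and reuse the file and object names from the snippets above (server.key, server.crt, example.com, myingress-cert).

```shell
#!/usr/bin/env sh
# Pre-flight checks for a manually created TLS secret (added example, not from
# the original page). Assumes openssl is installed; file names are illustrative.

# Print the SHA-256 of the public key contained in a cert ("cert") or a private
# key ("key") file, so the two can be compared.
pubkey_fingerprint() {            # $1 = path, $2 = "cert" or "key"
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi | openssl sha256 | awk '{print $NF}'
}

# Succeeds only if the private key belongs to the certificate. A secret with a
# mismatched pair is accepted by `kubectl create secret tls` but rejected by the
# ingress controller at runtime.
key_matches_cert() {              # $1 = server.key, $2 = server.crt
    [ "$(pubkey_fingerprint "$1" key)" = "$(pubkey_fingerprint "$2" cert)" ]
}

# Succeeds only if the certificate's subjectAltName list contains the host
# exactly, or a wildcard for its parent domain (app.example.com is covered by
# DNS:*.example.com). This is the host you put under spec.tls.hosts.
cert_covers_host() {              # $1 = server.crt, $2 = host
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fqx -e "DNS:$2" -e "DNS:*.${2#*.}"
}

# Run both checks, then print (do not run) the matching kubectl command.
preflight_tls_secret() {          # $1 = key, $2 = crt, $3 = host, $4 = secret, $5 = namespace
    key_matches_cert "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    cert_covers_host "$2" "$3" || { echo "cert lacks SAN DNS:$3" >&2; return 1; }
    echo "kubectl create secret tls $4 --namespace $5 --key $1 --cert $2"
}

# Usage: preflight_tls_secret server.key server.crt example.com myingress-cert myIngress
```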

Automatic letsencrypt

For automatic Let's Encrypt certificates, cert-manager must be running in the cluster.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    cert-manager.io/cluster-issuer: nameOfClusterIssuer
    kubernetes.io/tls-acme: "true"
  name: myIngress
  namespace: myIngress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port:
              number: 80
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
  - hosts:
    - example.com
    secretName: myingress-cert # < cert-manager will store the created certificate in this secret.

A production ClusterIssuer is needed to get valid certificates; however, please be sure the IP of your host points to the cluster before attempting to get certificates. Failure to do so will result in your cluster being blocked by the Let's Encrypt service, which we truly cannot undo.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: example@domain.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx

Reference: https://cert-manager.io/docs/usage/ingress/

Let's encrypt wildcard certificates with AzureDNS

For this to work you will need to have a DNS zone in Azure configured. Also our public cloud team needs to configure a Managed Identity in your Azure environment.

The key difference is a few extra lines in the ClusterIssuer manifest; the Ingress configuration itself does not change.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory # production endpoint; see below for the staging variant
    email: $EMAIL_ADDRESS
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        azureDNS:
          # hostedZoneName: domain.com # Target specific DNS zone, leave empty to let cert-manager choose.
          resourceGroupName: $AZURE_RESOURCE_GROUP
          subscriptionID: $AZURE_SUBSCRIPTION_ID
          environment: AzurePublicCloud
          managedIdentity:
            clientID: $IDENTITY_CLIENT_ID

$EMAIL_ADDRESS needs to be filled in accordingly; the other variables are supplied by our Public cloud team.

To perform a test validation first, you can use these values:

- change spec.acme.server to "https://acme-staging-v02.api.letsencrypt.org/directory"
- change spec.acme.privateKeySecretRef.name to "letsencrypt-staging"
- change metadata.name to "letsencrypt-staging"

Warning: This will not issue a certificate, but the entire process before that will be the same.

Reference: https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#managed-identity-using-aad-pod-identity