TLS Certificate generation with Let's encrypt
Context
K8SaaS provides a TLS certificate generation service featured by letsencrypt.org.
Use case
- Use a valid certificate in my application (SSL passthrough use case)
- Use a fake certificate for testing
- Warning: use this tutorial if you want to configure your ingress with both a valid certificate and a domain
What to do ?
prerequisites: you should have the devops-namespace-role role in your cluster.
First, describe in a YAML the certificate you want to generate.
$ touch my-certificate.yml
Here is an example for lja-certificate.kaas.thalesdigital.io :
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: lja-kaas-certificate # Name of the kubernetes object Certificate
namespace: dev # namespace to store the kubernetes object
spec:
commonName: lja-certificate.kaas.thalesdigital.io # Certificate Common Name
dnsNames:
- 'lja-certificate.kaas.thalesdigital.io' # Certificate dns names
privateKey:
encoding: PKCS8
secretName: lja-kaas-certificate-tls-secret # name of the kubernetes secret where the certificate will be stored
issuerRef:
name: letsencrypt-staging # cluster issuer to be used (prod or staging)
kind: ClusterIssuer
Then apply the file into kubernetes
$ kubectl apply -f my-certificate.yml
certificate.cert-manager.io/lja-kaas-certificate created
Look at the events of the cluster in the right namespace
$ kubectl get events -w -n dev
LAST SEEN TYPE REASON OBJECT MESSAGE
6s Normal Started challenge/lja-kaas-certificate-p96kg-2849556651-4050213589 Challenge scheduled for processing
5s Normal Presented challenge/lja-kaas-certificate-p96kg-2849556651-4050213589 Presented challenge using DNS-01 challenge mechanism
7s Normal Created order/lja-kaas-certificate-p96kg-2849556651 Created Challenge resource "lja-kaas-certificate-p96kg-2849556651-4050213589" for domain "lja-certificate.kaas.thalesdigital.io"
10s Normal OrderCreated certificaterequest/lja-kaas-certificate-p96kg Created Order resource dev/lja-kaas-certificate-p96kg-2849556651
10s Normal OrderPending certificaterequest/lja-kaas-certificate-p96kg Waiting on certificate issuance from order dev/lja-kaas-certificate-p96kg-2849556651: ""
10s Normal Issuing certificate/lja-kaas-certificate Issuing certificate as Secret does not exist
10s Normal Generated certificate/lja-kaas-certificate Stored new private key in temporary Secret resource "lja-kaas-certificate-g6nx5"
10s Normal Requested certificate/lja-kaas-certificate Created new CertificateRequest resource "lja-kaas-certificate-p96kg"
0s Normal DomainVerified challenge/lja-kaas-certificate-p96kg-2849556651-4050213589 Domain "lja-certificate.kaas.thalesdigital.io" verified with "DNS-01" validation
0s Normal Complete order/lja-kaas-certificate-p96kg-2849556651 Order completed successfully
0s Normal CertificateIssued certificaterequest/lja-kaas-certificate-p96kg Certificate fetched from issuer successfully
0s Normal Issuing certificate/lja-kaas-certificate The certificate has been successfully issued
You should have this line: "Order completed successfully" ! It should take between 1 or 2 minutes.
Then get your certificate:
$ kubectl get secrets -n dev | grep lja-kaas-certificate-tls-secret
lja-kaas-certificate-tls-secret kubernetes.io/tls 2 4m49s
$ kubectl get secret lja-kaas-certificate-tls-secret -n dev -o=yaml
You should have from the latest command:
- tls.crt which is the certificate itself encoded in base64
- tls.key which is the private key encoded in base64
Next steps
Learn on TLS encryption here