Generating TLS certificates with cert-manager and Let's Encrypt
This guide shows you how to add cert-manager to a cluster bootstrapped with Weave GitOps, and how to configure the use of Let's Encrypt to issue TLS certificates.
Prerequisites
- A Kubernetes cluster such as Kind, running a Flux-supported version of Kubernetes
- Weave GitOps installed
- For the HTTP-01 challenge used below, an nginx Ingress controller that Let's Encrypt can reach from the internet on port 80 for the hostnames you request certificates for; a purely local Kind cluster can run cert-manager, but issuance will not complete until that is true
What Is cert-manager?
cert-manager, a CNCF project, provides a way to automatically manage certificates in Kubernetes and OpenShift clusters. "It will obtain certificates from a variety of Issuers, both popular public Issuers as well as private Issuers, and ensure the certificates are valid and up-to-date, and will attempt to renew certificates at a configured time before expiry."
Install cert-manager
As cert-manager is distributed as a Helm chart, we can simply create a HelmRepository and a HelmRelease and have Flux install everything. Commit the following to a location being reconciled by Flux.
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  interval: 1h
  url: https://charts.jetstack.io
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  interval: 5m
  chart:
    spec:
      chart: cert-manager
      version: 1.8.0
      sourceRef:
        kind: HelmRepository
        name: cert-manager
        namespace: cert-manager
      interval: 1m
  values:
    installCRDs: true
At the time of writing, cert-manager v1.8.0 was the latest available release; a newer version may exist, so check https://github.com/cert-manager/cert-manager/tags for updates and pin the version you have verified rather than leaving it floating.
Once Flux reports the HelmRelease as ready (flux get helmreleases -n cert-manager, or kubectl get pods -n cert-manager showing the cert-manager, cainjector and webhook pods running), we can create a ClusterIssuer to represent the certificate authority from which we will obtain signed certificates; in this example we are using Let's Encrypt. After changing the email address, commit this to the same location as above. Two things worth knowing before you do: the ACME account private key named in privateKeySecretRef is created by cert-manager in its own namespace (the cluster resource namespace, cert-manager by default) because this is a ClusterIssuer, so protect access to that namespace's Secrets accordingly; and the production endpoint below is rate limited, so while you are still debugging ingress and DNS it is safer to point server at the staging endpoint, https://acme-staging-v02.api.letsencrypt.org/directory, which issues certificates that browsers will not trust but that exercise the whole flow, and switch to production once a certificate has been issued successfully.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: weave-gitops@example.tld
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-prod-account-key
    solvers:
    # Add a single challenge solver, HTTP01 using nginx
    - http01:
        ingress:
          class: nginx
Once this ClusterIssuer resource is applied, the cluster is configured to request and use certificates issued through cert-manager. A certificate can be requested manually by creating a Certificate resource that references the issuer, or automatically by annotating an Ingress so that cert-manager creates the Certificate for you, as shown in our Configuring OIDC with Dex and GitHub guide.
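As an added example (not part of the original page or the Weave GitOps project), the manifest below requests a certificate from the letsencrypt-prod ClusterIssuer defined above and serves it from an nginx Ingress. The namespace flux-system, the hostname gitops.example.tld, the Secret name weave-gitops-tls, and the backend Service name and port are assumptions you will need to replace; the ingress annotation is shown commented out because, if it were enabled alongside the explicit Certificate, cert-manager's ingress-shim would create a second Certificate writing to the same Secret.

```yaml
---
# Manual path: an explicit Certificate that cert-manager fulfils via the
# letsencrypt-prod ClusterIssuer. Names and hostnames are assumptions.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: weave-gitops-tls
  namespace: flux-system          # assumed; use the namespace of your Ingress
spec:
  # The Secret (type kubernetes.io/tls) cert-manager will write the
  # issued certificate and private key into, in the same namespace.
  secretName: weave-gitops-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer           # a ClusterIssuer can be used from any namespace
  dnsNames:
    - gitops.example.tld          # assumed; must resolve to your Ingress
  # Let's Encrypt issues 90-day certificates; cert-manager begins renewal
  # this long before NotAfter, well inside that window.
  renewBefore: 360h
---
# The Ingress consumes the Secret. The HTTP-01 solver also injects a
# temporary Ingress rule for /.well-known/acme-challenge/ on this host,
# so port 80 must be reachable from the internet for issuance to succeed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: weave-gitops
  namespace: flux-system
  # Automatic path: delete the Certificate above and uncomment this line
  # to have cert-manager create an equivalent Certificate from the Ingress.
  # annotations:
  #   cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - gitops.example.tld
      secretName: weave-gitops-tls
  rules:
    - host: gitops.example.tld
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: weave-gitops    # assumed Service name for the Weave GitOps UI
                port:
                  number: 9001        # assumed Service port
```

After committing this, watch issuance with kubectl get certificate -n flux-system; the Ready column turns to True once the Secret has been written. If it stays False, follow the chain of resources cert-manager creates (kubectl describe certificaterequest, order and challenge in that namespace): the Challenge's status explains an HTTP-01 failure, which is almost always the host not resolving to the Ingress or port 80 not being reachable from outside. Because a Certificate that fails repeatedly keeps retrying, do the first run against the staging endpoint if you are unsure, so that a misconfiguration does not consume your production rate limit.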