Let's encrypt
cert-manager
cert-manager is responsible for installing SSL certificates for applications that have SSL support configured. The installed certificates are stored in the default namespace, where the applications run.
ingress:
  enabled: true
  ssl: true

Installation
Note
At the time of writing this documentation, the current version of cert-manager is v1.20.2. When setting up a new cluster, it is worth choosing the latest version:
installation documentation
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.20.2/cert-manager.yaml

cert-manager installs into the cert-manager namespace.

NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-69c7fcbf78-hdvl4             1/1     Running   0          3h4m
cert-manager-cainjector-69f8c8cdbf-rcfjq  1/1     Running   0          3h4m
cert-manager-webhook-84fd89df64-z9gtp     1/1     Running   0          3h4m

Cluster Issuer
During application installation in the cluster, a cluster-issuer pod starts simultaneously. It issues a CSR (Certificate Signing Request) on behalf of the application, exposed at http://app.domain.com/.well-known/. Let's Encrypt fetches the CSR from that address, signs it, and makes it available for download. cert-manager then installs the signed certificate in the cluster. This happens automatically. Once the task is complete, the cert-manager pod terminates.

DNS
In the current architecture, proper operation of cert-manager requires an internal DNS zone example.com that resolves subdomains to internal IP addresses.
To enable SSL certificate generation, a ClusterIssuer resource must be installed on the cluster.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
  namespace: default
spec:
  acme:
    email: admin@domain.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: traefik

Middleware
The Middleware component is used to automatically configure HTTP → HTTPS redirects.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true

Deployment with Flux
Since the cluster runs Flux, it is enough to create the apps/certmanager directory with both manifests: ClusterIssuer and Middleware. Once the files are published to the repository, Flux will automatically deploy them.
Traefik
The following configuration applies to Traefik, which acts as the ingress controller in the Kubernetes cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd

With this configuration, Traefik communicates with the cluster-issuer to request certificate issuance, and configures HTTPS redirects for applications using the Middleware component.
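The annotations shown above are only the metadata part of an Ingress. For cert-manager to actually create a Certificate from an Ingress, the manifest also needs a spec.tls section listing the hosts to certify and the Secret the signed certificate and private key are written to (in the default namespace, as described at the top of this page). The manifest below is an added example, not a file from this page or from the HelmChart it describes: the host app.domain.com is taken from the page, while the service name app, its port 80 and the secret name app-tls are assumed placeholders.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    # cert-manager watches this annotation and creates one Certificate
    # covering every host listed under spec.tls below
    cert-manager.io/cluster-issuer: letsencrypt
    # Middleware reference format for Traefik: <namespace>-<name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
  tls:
  - hosts:
    - app.domain.com        # host taken from the page
    secretName: app-tls     # assumed name; cert-manager stores tls.crt and tls.key here
  rules:
  - host: app.domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app       # assumed service name
            port:
              number: 80    # assumed service port
```

Issuance progress can be followed with kubectl get certificate,order,challenge -n default; the Certificate reports Ready=True once the Secret has been populated. The redirect Middleware is attached only to the routers generated from this Ingress, so the temporary solver Ingress that cert-manager creates for /.well-known/acme-challenge/ is still served over plain HTTP, which the HTTP-01 challenge requires. Note that the kubernetes.io/ingress.class annotation is deprecated since Kubernetes 1.18 in favour of spec.ingressClassName; it is kept here because the page's configuration uses it.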
HelmChart
This configuration is automatically generated by the HelmChart when the ssl: true option is enabled in the ingress configuration.
