Generating TLS certificates with cert-manager and Let's Encrypt

In this guide we will show you how to add cert-manager to a cluster bootstrapped with Weave GitOps, and how to configure the use of Let's Encrypt to issue TLS certificates.

Pre-requisites

• A Kubernetes cluster such as Kind cluster running a Flux-supported version of Kubernetes
• Weave GitOps is installed

What is cert-manager?

cert-manager, a CNCF project, provides a way to automatically manage certificates in Kubernetes and OpenShift clusters. "It will obtain certificates from a variety of Issuers, both popular public Issuers as well as private Issuers, and ensure the certificates are valid and up-to-date, and will attempt to renew certificates at a configured time before expiry".

Install cert-manager

As cert-manager can be installed using a Helm Chart, we can simply create a HelmRepository and a HelmRelease to have Flux install everything.

Commit the following to a location being reconciled by Flux.

---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  interval: 1h
  url: https://charts.jetstack.io
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  interval: 5m
  chart:
    spec:
      chart: cert-manager
      version: 1.8.0
      sourceRef:
        kind: HelmRepository
        name: cert-manager
        namespace: cert-manager
      interval: 1m
  values:
    installCRDs: true

cert-manager version

At time of writing, cert manager v1.8.0 was the latest available release and a newer version may exist, please ensure to check https://github.com/cert-manager/cert-manager/tags for updates.

Now that cert-manager is running, we can create a ClusterIssuer to represent the certificate authority from which we will obtain signed certificates, in this example we are using Let's Encrypt. After changing the email address, commit this to the same location as above.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: weave-gitops@example.tld
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-prod-account-key
    solvers:
    # Add a single challenge solver, HTTP01 using nginx
    - http01:
       ingress:
         class: nginx

Once this ClusterIssuer resource is installed, the cluster is now configured to request and use certificates generated by Cert Manager.

This could be manually requested through the creation of a Certificate resource or configured to be automatic as shown in our Configuring OIDC with Dex and GitHub guide.