Cert-manager Integration with Let's Encrypt

TODO - these pages need to be revisited and updated after TLS and Organizations updates.

If you decide to use automatically managed TLS certificates, you can install cert-manager and configure according to your requirements. Follow cert-manager documentation for details specific to your environment. In this example, we will show you how to get free TLS certificate from non-profit Let’s Encrypt Certificate Authority.

  1. Add CAA record to your DNS domain
company.com. CAA 0 issue "letsencrypt.org"
  1. Create namespace and install cert-manager. Please make sure you’re using Helm version 3.3.1 to avoid bug with deeply nested CRDs.
$ helm repo add jetstack https://charts.jetstack.io
$ helm --namespace cert-manager install cert-manager \
    jetstack/cert-manager --set installCRDs=true \
  1. Configure ClusterIssuer Prepare configuration of ACME issuer pointing to Let’s Encrypt API into file issuer-letsencrypt-production.yaml. Don’t forget to set email value to valid e-mail address.
# File issuer-letsencrypt-production.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
  name: letsencrypt-production
    server: https://acme-v02.api.letsencrypt.org/directory
      name: letsencrypt-production
    - http01:
          class: nginx

Apply configuration using command:

$ kubectl -n cert-manager apply -f issuer-letsencrypt-production.yaml
  1. Pay attention to the following configuration options of the GoodData.CN Helm Chart in the upcoming steps as these are closely related to the usage of cert-manager:
  • dex.ingress.authHost
  • dex.ingress.annotations
  • dex.ingress.tls.authSecretName