Kubernetes can issue and manage custom trusted certificates using the ACME protocol (through cert-manager). Issued certificates are stored as Secrets.
This is especially useful for enabling TLS when exposing non-web applications, i.e. applications that are not exposed through an ingress.
Currently, four issuers are available:
- `letsencrypt-prod` is web-only: during issuance it automatically checks the provided domain name over the web. It is used automatically when an application is exposed through an ingress.
- `letsencrypt-prod-dns` is for other applications. The difference is that validation is done through DNS. DNS validation is slower, because the DNS change must be propagated first.
- `letsencrypt-stage` is the same as `letsencrypt-prod` but uses the staging servers, which are suitable for testing.
- `letsencrypt-stage-dns` is the same as `letsencrypt-prod-dns` but uses the staging servers, which are suitable for testing.
To issue a Kubernetes-managed certificate, the following configuration can be used:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: application-dyn-cloud-e-infra-cz-tls
spec:
  secretName: application-dyn-cloud-e-infra-cz-tls
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod-dns
  dnsNames:
    - "application.dyn.cloud.e-infra.cz"
  usages:
    - digital signature
    - key encipherment
```
`spec.secretName` refers to the name of the Secret that will hold the generated certificate. The `spec.dnsNames` items are the target DNS names of the certificate. The issuer is specified in `spec.issuerRef.name` and should be set to
The configuration generates a Secret with the name given in `spec.secretName`, containing the certificate and private key pair.
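As an added example (not part of this documentation or of cert-manager), the following pre-apply lint checks a Certificate manifest against the issuer rules described above: it flags a web-only issuer used for an application without ingress, a staging issuer whose certificates clients will not trust, and missing `secretName`/`dnsNames`. It takes the manifest as a dict (for instance from `yaml.safe_load`); whether the application is exposed through an ingress is an assumption the caller must supply.

```python
# Issuer name -> (validation method, whether the resulting certificate is publicly trusted)
ISSUERS = {
    "letsencrypt-prod":      ("web", True),
    "letsencrypt-prod-dns":  ("dns", True),
    "letsencrypt-stage":     ("web", False),
    "letsencrypt-stage-dns": ("dns", False),
}


def lint_certificate(manifest: dict, exposed_via_ingress: bool) -> list[str]:
    """Return a list of findings for a cert-manager Certificate; empty means OK.

    exposed_via_ingress is supplied by the caller (assumption): the web-only
    issuers can only validate a domain that is reachable through an ingress.
    """
    findings = []
    if manifest.get("apiVersion") != "cert-manager.io/v1" or manifest.get("kind") != "Certificate":
        return ["not a cert-manager.io/v1 Certificate"]
    spec = manifest.get("spec") or {}
    ref = spec.get("issuerRef") or {}
    if ref.get("kind") != "ClusterIssuer":
        findings.append("issuerRef.kind should be ClusterIssuer for the shared issuers")
    issuer = ref.get("name")
    if issuer not in ISSUERS:
        findings.append(f"unknown issuer {issuer!r}; expected one of {sorted(ISSUERS)}")
    else:
        method, trusted = ISSUERS[issuer]
        if method == "web" and not exposed_via_ingress:
            findings.append(f"{issuer} validates over the web and needs an ingress; use the -dns issuer")
        if not trusted:
            findings.append(f"{issuer} issues staging certificates that clients will not trust")
    if not spec.get("secretName"):
        findings.append("spec.secretName is missing; it names the Secret holding the certificate and key")
    if not spec.get("dnsNames"):
        findings.append("spec.dnsNames must list at least one DNS name")
    return findings


# Constructed sample mirroring the manifest above (non-ingress application, DNS issuer).
SAMPLE = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "application-dyn-cloud-e-infra-cz-tls"},
    "spec": {
        "secretName": "application-dyn-cloud-e-infra-cz-tls",
        "issuerRef": {"group": "cert-manager.io", "kind": "ClusterIssuer", "name": "letsencrypt-prod-dns"},
        "dnsNames": ["application.dyn.cloud.e-infra.cz"],
        "usages": ["digital signature", "key encipherment"],
    },
}

if __name__ == "__main__":
    print(lint_certificate(SAMPLE, exposed_via_ingress=False) or "OK")  # prints "OK"
```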