
Certificate

Kubernetes can issue and manage custom trusted certificates using the ACME protocol. Issued certificates are stored as Kubernetes secrets.

This is especially important for enabling TLS when exposing non-web applications, i.e. applications that are not exposed through an Ingress.

There are currently four issuers available:

  • The letsencrypt-prod issuer is web-only: during issuance it validates the domain by performing an HTTP check (an ACME HTTP-01 challenge) against the specified domain name. It is used automatically when an application is exposed via Ingress.
  • The letsencrypt-prod-dns issuer is for all other applications. The difference is that validation is done through a DNS check (an ACME DNS-01 challenge). This is slower, because the DNS changes must propagate before the check can succeed.
  • letsencrypt-stage is the same as letsencrypt-prod but uses staging servers suitable for testing.
  • letsencrypt-stage-dns is the same as letsencrypt-prod-dns but uses staging servers suitable for testing.

To issue a Kubernetes-managed certificate, use the following configuration:

secret.yaml

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: application-dyn-cloud-e-infra-cz-tls
spec:
  secretName: application-dyn-cloud-e-infra-cz-tls
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod-dns
  dnsNames:
  - "application.dyn.cloud.e-infra.cz"
  usages:
  - digital signature
  - key encipherment
```

In this configuration, metadata.name is the name of the Certificate resource and spec.secretName is the name of the secret that will hold the issued certificate; using the same value for both keeps them easy to match. The spec.dnsNames items are the DNS names the certificate is issued for. The issuer is selected by spec.issuerRef.name and should be set to letsencrypt-prod-dns for applications that are not exposed via Ingress.

This configuration generates a secret (specified in spec.secretName) containing the certificate and private key pair.
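The following manifest is an added example, not part of the original page, showing how a non-web application consumes the secret produced by the Certificate above. It assumes the secret keys tls.crt and tls.key that cert-manager writes into a secret of type kubernetes.io/tls; the application name, container image, port and mount path are placeholders.

```yaml
# Added example (not from the original page): mount the cert-manager
# secret into a non-web application as files. Assumes the Certificate
# above has been applied and its status is Ready.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: application            # placeholder application name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: application
  template:
    metadata:
      labels:
        app: application
    spec:
      containers:
      - name: application
        image: registry.example.org/application:1.0   # placeholder image
        ports:
        - containerPort: 8443                          # placeholder TLS port
        env:
        # The application is expected to read its certificate and key
        # from these paths (assumed environment variable names).
        - name: TLS_CERT_FILE
          value: /etc/tls/tls.crt
        - name: TLS_KEY_FILE
          value: /etc/tls/tls.key
        volumeMounts:
        - name: tls
          mountPath: /etc/tls
          readOnly: true
      volumes:
      - name: tls
        secret:
          # Must match spec.secretName of the Certificate resource.
          secretName: application-dyn-cloud-e-infra-cz-tls
          # Keep the private key readable only by the container user.
          defaultMode: 0400
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
---
# Expose the TLS port directly, without an Ingress.
apiVersion: v1
kind: Service
metadata:
  name: application
spec:
  selector:
    app: application
  ports:
  - name: tls
    port: 8443
    targetPort: 8443
```

Before deploying, confirm the certificate was issued with `kubectl describe certificate application-dyn-cloud-e-infra-cz-tls` and check that its Ready condition is True; with the DNS issuer this can take several minutes. The secret is mounted as a whole volume rather than via subPath so that kubelet refreshes the files when cert-manager renews the certificate; the application itself still has to reload its key pair from disk to pick up the renewed certificate.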
