Integrating Let's Encrypt with KubeDNA
This guide explains how to configure automatic TLS certificates from Let's Encrypt within a KubeDNA cluster. The example below uses Cloudflare, but the same principles apply to other DNS providers.
Prerequisites
An account at a DNS provider whose API is supported by cert-manager's ACME DNS-01 solvers (see the list of supported providers).
1. Create a ClusterIssuer with DNS‑01 Validation
A ClusterIssuer defines the ACME server and contact email. When using the DNS‑01 challenge, you must also supply credentials for your DNS provider's API (for example, Cloudflare) so cert-manager can create the validation TXT records.
Create a Secret holding your DNS provider API token in the cert-manager namespace:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: "<CLOUDFLARE_API_TOKEN>" # replace with your token
```

Define the ClusterIssuer using the DNS‑01 solver:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@yourdomain.com # change to your email
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
    - dns01:
        cloudflare:
          email: admin@yourdomain.com
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
```

Save both resources in a file called cluster-issuer.yaml and apply:

```shell
kubectl apply -f cluster-issuer.yaml
```
2. Define a Certificate Resource
Create a Certificate resource to request and manage the TLS certificate.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-tls
  namespace: default
spec:
  secretName: example-com-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - example.com
  - www.example.com
```

Save as certificate.yaml. Apply with:

```shell
kubectl apply -f certificate.yaml
```
3. Configure Your Ingress
Annotate your Ingress to use the ClusterIssuer and reference the generated secret.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
```

Save as ingress.yaml. Apply with:

```shell
kubectl apply -f ingress.yaml
```
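The three manifests above must agree with each other: the Certificate must name the ClusterIssuer, the Ingress must reference the Certificate's secretName, every TLS host on the Ingress must be covered by the Certificate's dnsNames, and the DNS API token Secret must live where the ClusterIssuer can read it. As an added check (not part of the original guide or of cert-manager), the script below cross-references those fields before you apply anything; it takes the manifests as dicts, such as the output of `yaml.safe_load()`, and the copies embedded at the bottom are constructed from this guide so it runs offline.

```python
# Pre-apply consistency check for the ClusterIssuer, Certificate and Ingress above.
# Manifests are passed as dicts (the result of yaml.safe_load() on each file).

def host_covered(host, dns_names):
    """True if host is listed exactly or matched by a single-label wildcard (*.example.com)."""
    for name in dns_names:
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def check_manifests(issuer, certificate, ingress, existing_secrets):
    """Return a list of problems; [] means the three manifests agree with each other.
    existing_secrets: set of (namespace, name) pairs for Secrets already in the cluster."""
    problems = []
    issuer_name = issuer["metadata"]["name"]
    ref = certificate["spec"]["issuerRef"]
    if ref.get("kind", "Issuer") != "ClusterIssuer" or ref["name"] != issuer_name:
        problems.append(f"Certificate issuerRef {ref} does not name ClusterIssuer {issuer_name}")
    # A ClusterIssuer reads solver credentials only from the cert-manager namespace (by default).
    for solver in issuer["spec"]["acme"]["solvers"]:
        token = solver["dns01"]["cloudflare"]["apiTokenSecretRef"]["name"]
        if ("cert-manager", token) not in existing_secrets:
            problems.append(f"DNS API token Secret {token!r} not found in namespace cert-manager")
    cert_secret, dns_names = certificate["spec"]["secretName"], certificate["spec"]["dnsNames"]
    for tls in ingress["spec"].get("tls", []):
        if tls["secretName"] != cert_secret:
            problems.append(f"Ingress tls.secretName {tls['secretName']!r} != Certificate secretName {cert_secret!r}")
        for host in tls["hosts"]:
            if not host_covered(host, dns_names):
                problems.append(f"Ingress host {host!r} not covered by Certificate dnsNames {dns_names}")
    return problems

# Constructed copies of this guide's manifests (token value omitted; only the reference matters).
ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"},
          "spec": {"acme": {"solvers": [{"dns01": {"cloudflare": {
              "apiTokenSecretRef": {"name": "cloudflare-api-token-secret", "key": "api-token"}}}}]}}}
CERTIFICATE = {"kind": "Certificate", "metadata": {"name": "example-com-tls", "namespace": "default"},
               "spec": {"secretName": "example-com-tls-secret", "dnsNames": ["example.com", "www.example.com"],
                        "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}}}
INGRESS = {"kind": "Ingress", "metadata": {"name": "example-ingress"},
           "spec": {"tls": [{"hosts": ["example.com"], "secretName": "example-com-tls-secret"}]}}
SECRETS = {("cert-manager", "cloudflare-api-token-secret")}  # what `kubectl get secret -A` would report

if __name__ == "__main__":
    for line in check_manifests(ISSUER, CERTIFICATE, INGRESS, SECRETS) or ["manifests are consistent"]:
        print(line)
```

With a wildcard Certificate (dnsNames: `*.example.com`), `host_covered` accepts `www.example.com` but not the apex `example.com`, which must be listed separately.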
4. Verify Installation
Check the cert-manager resources:

```shell
kubectl get certificates,orders,challenges
```

Ensure the TLS secret exists:

```shell
kubectl get secret example-com-tls-secret
```
Visit https://example.com to confirm the certificate is valid.
Congratulations! Your KubeDNA cluster now automatically provisions and renews TLS certificates via Let's Encrypt.