Integrating Let's Encrypt with KubeDNA

This guide explains how to configure automatic TLS certificates from Let's Encrypt within a KubeDNA cluster. The example below uses Cloudflare, but the same principle applies to other DNS providers.

Prerequisites

  • An account with a DNS provider that is supported by ACME clients for DNS-01 validation; here is the list of supported providers.


1. Create a ClusterIssuer with DNS-01 Validation

A ClusterIssuer defines the ACME server and the email contact. When using the DNS-01 challenge, you must supply credentials for your DNS provider's API (for example, Cloudflare).

  1. Create a secret for your DNS provider API token in the cert-manager namespace:

    CODE
    apiVersion: v1
    kind: Secret
    metadata:
      name: cloudflare-api-token-secret
      namespace: cert-manager
    type: Opaque
    stringData:
      api-token: "<CLOUDFLARE_API_TOKEN>"  # replace with your token
    
  2. Define the ClusterIssuer using the DNS-01 solver:

    CODE
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: admin@yourdomain.com              # change to your email
        privateKeySecretRef:
          name: letsencrypt-prod-key
        solvers:
        - dns01:
            cloudflare:
              email: admin@yourdomain.com
              apiTokenSecretRef:
                name: cloudflare-api-token-secret
                key: api-token
    
  3. Save both resources in a file called cluster-issuer.yaml and apply:

    CODE
    kubectl apply -f cluster-issuer.yaml
    

2. Define a Certificate Resource

Create a Certificate resource to request and manage the TLS certificate.

CODE
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-tls
  namespace: default
spec:
  secretName: example-com-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - example.com
  - www.example.com

  1. Save as certificate.yaml.

  2. Apply with:

    CODE
    kubectl apply -f certificate.yaml
    

3. Configure Your Ingress

Annotate your Ingress to use the ClusterIssuer and reference the generated secret.

CODE
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80

  1. Save as ingress.yaml.

  2. Apply with:

    CODE
    kubectl apply -f ingress.yaml
    

4. Verify Installation

  1. Check Cert-Manager resources:

    CODE
    kubectl get certificates,orders,challenges
    
  2. Ensure the TLS secret exists:

    CODE
    kubectl get secret example-com-tls-secret
    
  3. Visit https://example.com to confirm the certificate is valid.
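If the Certificate never becomes Ready, or the browser shows the ingress controller's default certificate instead of the Let's Encrypt one, the cause is usually a reference that does not line up between the manifests in sections 1 to 3: the Ingress tls.secretName differs from the Certificate secretName, a host is missing from dnsNames, or the API token Secret sits outside the cert-manager namespace. The following Python check, added here as an example and not part of this guide or of cert-manager, walks those references over dict copies of the four manifests above.

```python
# Added example (not from the KubeDNA guide or cert-manager): cross-check the four manifests
# above for reference mistakes that make issuance or serving fail quietly. The resources are
# embedded as already-parsed dicts constructed from the guide, so the check runs offline.
MANIFESTS = [
    {"kind": "Secret", "metadata": {"name": "cloudflare-api-token-secret", "namespace": "cert-manager"},
     "stringData": {"api-token": "<CLOUDFLARE_API_TOKEN>"}},
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"},
     "spec": {"acme": {"solvers": [{"dns01": {"cloudflare": {
         "apiTokenSecretRef": {"name": "cloudflare-api-token-secret", "key": "api-token"}}}}]}}},
    {"kind": "Certificate", "metadata": {"name": "example-com-tls", "namespace": "default"},
     "spec": {"secretName": "example-com-tls-secret", "dnsNames": ["example.com", "www.example.com"],
              "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}}},
    {"kind": "Ingress", "metadata": {"name": "example-ingress"},
     "spec": {"tls": [{"hosts": ["example.com"], "secretName": "example-com-tls-secret"}]}},
]


def check_wiring(manifests):
    """Return a list of problems; an empty list means every reference resolves."""
    by_kind = {}
    for m in manifests:
        by_kind.setdefault(m["kind"], []).append(m)
    problems = []
    secrets = {(s["metadata"].get("namespace"), s["metadata"]["name"]) for s in by_kind.get("Secret", [])}
    issuers = {i["metadata"]["name"] for i in by_kind.get("ClusterIssuer", [])}
    # A ClusterIssuer is cluster-scoped: its solver credentials must live in cert-manager's namespace.
    for issuer in by_kind.get("ClusterIssuer", []):
        for solver in issuer["spec"]["acme"]["solvers"]:
            ref = solver.get("dns01", {}).get("cloudflare", {}).get("apiTokenSecretRef")
            if ref and ("cert-manager", ref["name"]) not in secrets:
                problems.append(f"ClusterIssuer {issuer['metadata']['name']}: token secret {ref['name']} "
                                "is not defined in namespace cert-manager")
    certs = by_kind.get("Certificate", [])
    for cert in certs:
        ref = cert["spec"]["issuerRef"]
        if ref.get("kind") == "ClusterIssuer" and ref["name"] not in issuers:
            problems.append(f"Certificate {cert['metadata']['name']}: issuerRef {ref['name']} does not exist")
    # Each Ingress TLS entry must name a Certificate's secretName and only hosts in its dnsNames,
    # otherwise the ingress controller serves its default certificate for that host.
    cert_by_secret = {c["spec"]["secretName"]: c for c in certs}
    for ing in by_kind.get("Ingress", []):
        for tls in ing["spec"].get("tls", []):
            cert = cert_by_secret.get(tls["secretName"])
            if cert is None:
                problems.append(f"Ingress {ing['metadata']['name']}: no Certificate issues secret {tls['secretName']}")
                continue
            for host in tls.get("hosts", []):
                if host not in cert["spec"]["dnsNames"]:
                    problems.append(f"Ingress {ing['metadata']['name']}: host {host} is not in Certificate "
                                    f"{cert['metadata']['name']} dnsNames")
    return problems
```

For real files, replace MANIFESTS with the output of yaml.safe_load_all() over cluster-issuer.yaml, certificate.yaml and ingress.yaml. Cluster state remains authoritative, so follow a clean result with kubectl describe on the Certificate and any Challenge.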


Congratulations! Your KubeDNA cluster now automatically provisions and renews TLS certificates via Let's Encrypt.
