Skip to main content
Skip table of contents

Integrating Let's Encrypt with KubeDNA

This guide explains how to configure automatic TLS certificates from Let's Encrypt within a KubeDNA cluster. The example below is with Cloudflare but the same principle are applied to other DNS providers

Prerequisites

  • Account at DNS Provider that has support ACME clients here is the list.

1. Create a ClusterIssuer with DNS‑01 Validation

A ClusterIssuer defines the ACME server and email contact. When using DNS‑01 challenge, you must supply credentials for your DNS provider API (for example, Cloudflare).

  1. Create a secret for your DNS provider API token in the cert-manager namespace:

    CODE 
    apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: "<CLOUDFLARE_API_TOKEN>"  # replace with your token

  2. Define the ClusterIssuer using DNS‑01 solver:

    CODE 
    apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@yourdomain.com              # change to your email
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
    - dns01:
        cloudflare:
          email: admin@yourdomain.com
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token

  3. Save both resources in a file called cluster-issuer.yaml and apply:

    CODE 
    kubectl apply -f cluster-issuer.yaml

2. Define a Certificate Resource

Create a Certificate resource to request and manage the TLS certificate.

CODE 
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-tls
  namespace: default
spec:
  secretName: example-com-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - example.com
  - www.example.com

  1. Save as certificate.yaml.

  2. Apply with:

    CODE 
    kubectl apply -f certificate.yaml

3. Configure Your Ingress

Annotate your Ingress to use the ClusterIssuer and reference the generated secret.

CODE 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80

  1. Save as ingress.yaml.

  2. Apply with:

    CODE 
    kubectl apply -f ingress.yaml

4. Verify Installation

  1. Check Cert-Manager resources:

    CODE 
    kubectl get certificates,orders,challenges

  2. Ensure the TLS secret exists:

    CODE 
    kubectl get secret example-com-tls-secret

  3. Visit https://example.com to confirm the certificate is valid.

Congratulations! Your KubeDNA cluster now automatically provisions and renews TLS certificates via Let's Encrypt.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close