Skip to main content

TLS Certificate generation with Let's encrypt


K8SaaS provides a TLS certificate generation service featured by


Use case

  • Use a valid certificate in my application (SSL passthrough use case)
  • Use a fake certificate for testing
  • Warning: use this tutorial if you want to configure your ingress with both a valid certificate and a domain

What to do ?

prerequisites: you should have the devops-namespace-role role in your cluster.

First, describe in a YAML the certificate you want to generate.

$ touch my-certificate.yml

Here is an example for :

kind: Certificate
name: lja-kaas-certificate # Name of the kubernetes object Certificate
namespace: dev # namespace to store the kubernetes object
commonName: # Certificate Common Name
- '' # Certificate dns names
encoding: PKCS8
secretName: lja-kaas-certificate-tls-secret # name of the kubernetes secret where the certificate will be stored
name: letsencrypt-staging # cluster issuer to be used (prod or staging)
kind: ClusterIssuer

Then apply the file into kubernetes

$ kubectl apply -f my-certificate.yml created

Look at the events of the cluster in the right namespace

$ kubectl get events -w -n dev
6s Normal Started challenge/lja-kaas-certificate-p96kg-2849556651-4050213589 Challenge scheduled for processing
5s Normal Presented challenge/lja-kaas-certificate-p96kg-2849556651-4050213589 Presented challenge using DNS-01 challenge mechanism
7s Normal Created order/lja-kaas-certificate-p96kg-2849556651 Created Challenge resource "lja-kaas-certificate-p96kg-2849556651-4050213589" for domain ""
10s Normal OrderCreated certificaterequest/lja-kaas-certificate-p96kg Created Order resource dev/lja-kaas-certificate-p96kg-2849556651
10s Normal OrderPending certificaterequest/lja-kaas-certificate-p96kg Waiting on certificate issuance from order dev/lja-kaas-certificate-p96kg-2849556651: ""
10s Normal Issuing certificate/lja-kaas-certificate Issuing certificate as Secret does not exist
10s Normal Generated certificate/lja-kaas-certificate Stored new private key in temporary Secret resource "lja-kaas-certificate-g6nx5"
10s Normal Requested certificate/lja-kaas-certificate Created new CertificateRequest resource "lja-kaas-certificate-p96kg"
0s Normal DomainVerified challenge/lja-kaas-certificate-p96kg-2849556651-4050213589 Domain "" verified with "DNS-01" validation
0s Normal Complete order/lja-kaas-certificate-p96kg-2849556651 Order completed successfully
0s Normal CertificateIssued certificaterequest/lja-kaas-certificate-p96kg Certificate fetched from issuer successfully
0s Normal Issuing certificate/lja-kaas-certificate The certificate has been successfully issued

You should have this line: "Order completed successfully" ! It should take between 1 or 2 minutes.

Then get your certificate:

$ kubectl get secrets -n dev | grep lja-kaas-certificate-tls-secret
lja-kaas-certificate-tls-secret 2 4m49s

$ kubectl get secret lja-kaas-certificate-tls-secret -n dev -o=yaml

You should have from the latest command:

  • tls.crt which is the certificate itself encoded in base64
  • tls.key which is the private key encoded in base64

Next steps

Learn on TLS encryption here