
TLS Certificate generation with Let's encrypt

Context

K8SaaS provides a TLS certificate generation service backed by letsencrypt.org.

Use case

  • Use a valid certificate in my application (SSL passthrough use case)
  • Use a fake certificate for testing
  • Warning: use this tutorial if you want to configure your ingress with both a valid certificate and a domain.

What to do?

Prerequisites: you need the devops-namespace-role role in your cluster.

First, describe in a YAML the certificate you want to generate.

$ touch my-certificate.yml

Here is an example for lja-certificate.kaas.thalesdigital.io:

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: lja-kaas-certificate # Name of the kubernetes object Certificate
  namespace: dev # namespace to store the kubernetes object
spec:
  commonName: lja-certificate.kaas.thalesdigital.io # Certificate Common Name
  dnsNames:
    - 'lja-certificate.kaas.thalesdigital.io' # Certificate dns names
  privateKey:
    encoding: PKCS8
  secretName: lja-kaas-certificate-tls-secret # name of the kubernetes secret where the certificate will be stored
  issuerRef:
    name: letsencrypt-staging # cluster issuer to be used (prod or staging)
    kind: ClusterIssuer

Then apply the file to Kubernetes:

$ kubectl apply -f my-certificate.yml
certificate.cert-manager.io/lja-kaas-certificate created

Watch the events of the cluster in the right namespace:

$ kubectl get events -w -n dev
LAST SEEN TYPE REASON OBJECT MESSAGE
6s Normal Started challenge/lja-kaas-certificate-p96kg-2849556651-4050213589 Challenge scheduled for processing
5s Normal Presented challenge/lja-kaas-certificate-p96kg-2849556651-4050213589 Presented challenge using DNS-01 challenge mechanism
7s Normal Created order/lja-kaas-certificate-p96kg-2849556651 Created Challenge resource "lja-kaas-certificate-p96kg-2849556651-4050213589" for domain "lja-certificate.kaas.thalesdigital.io"
10s Normal OrderCreated certificaterequest/lja-kaas-certificate-p96kg Created Order resource dev/lja-kaas-certificate-p96kg-2849556651
10s Normal OrderPending certificaterequest/lja-kaas-certificate-p96kg Waiting on certificate issuance from order dev/lja-kaas-certificate-p96kg-2849556651: ""
10s Normal Issuing certificate/lja-kaas-certificate Issuing certificate as Secret does not exist
10s Normal Generated certificate/lja-kaas-certificate Stored new private key in temporary Secret resource "lja-kaas-certificate-g6nx5"
10s Normal Requested certificate/lja-kaas-certificate Created new CertificateRequest resource "lja-kaas-certificate-p96kg"
0s Normal DomainVerified challenge/lja-kaas-certificate-p96kg-2849556651-4050213589 Domain "lja-certificate.kaas.thalesdigital.io" verified with "DNS-01" validation
0s Normal Complete order/lja-kaas-certificate-p96kg-2849556651 Order completed successfully
0s Normal CertificateIssued certificaterequest/lja-kaas-certificate-p96kg Certificate fetched from issuer successfully
0s Normal Issuing certificate/lja-kaas-certificate The certificate has been successfully issued

You should see the line "Order completed successfully". Issuance should take between 1 and 2 minutes.

Then get your certificate:

$ kubectl get secrets -n dev | grep lja-kaas-certificate-tls-secret
lja-kaas-certificate-tls-secret kubernetes.io/tls 2 4m49s

$ kubectl get secret lja-kaas-certificate-tls-secret -n dev -o=yaml

The output of the last command should contain:

  • tls.crt, the certificate itself, base64-encoded
  • tls.key, the private key, base64-encoded
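The following script is an added example, not part of the K8SaaS page or of cert-manager's own tooling. It automates the two checks above: it waits for the Certificate's Ready condition instead of watching events by hand, then pulls the secret, base64-decodes tls.crt and tls.key, confirms the key is in the PKCS8 form requested in the spec, and reads the leaf certificate's subject, issuer, validity dates and SANs with openssl. Because the example above uses the letsencrypt-staging ClusterIssuer, it also flags a staging-signed certificate, which clients will not trust. It assumes kubectl is configured for the cluster and openssl is installed; the object names default to the page's example, and the sample secret embedded in it is constructed so the decoding functions can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not part of the K8SaaS page: wait for the Certificate to be
# Ready, pull the issued secret, decode tls.crt / tls.key and check what was
# issued. Assumes kubectl is configured for the cluster and openssl is installed.
# Object names default to the page's example and can be overridden via env vars.
set -eu

CERT_NAME="${CERT_NAME:-lja-kaas-certificate}"
NAMESPACE="${NAMESPACE:-dev}"
SECRET_NAME="${SECRET_NAME:-lja-kaas-certificate-tls-secret}"

# Read `kubectl get secret -o yaml` text on stdin, pick one entry of its `data:`
# map (e.g. tls.crt) and base64-decode it. Pure text processing, so it also
# works on saved output or on the constructed sample below.
decode_secret_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }' | base64 -d
}

# Classify a PEM private key by its first line. With `encoding: PKCS8` in the
# Certificate spec (the page's example) cert-manager writes a "BEGIN PRIVATE KEY"
# block; PKCS1 gives "BEGIN RSA PRIVATE KEY" (RSA) or "BEGIN EC PRIVATE KEY" (ECDSA).
key_encoding_of() {
    case "$(printf '%s\n' "$1" | head -n 1)" in
        '-----BEGIN PRIVATE KEY-----')     echo PKCS8 ;;
        '-----BEGIN RSA PRIVATE KEY-----') echo PKCS1 ;;
        '-----BEGIN EC PRIVATE KEY-----')  echo SEC1 ;;
        *)                                 echo UNKNOWN ;;
    esac
}

# The letsencrypt-staging ClusterIssuer returns certificates signed by Let's
# Encrypt's staging CA, whose names carry "(STAGING)" (older ones "Fake LE").
# Browsers and most clients do not trust that CA, so such a certificate is only
# good for testing. Returns 0 when the issuer string looks like staging.
is_staging_issuer() {
    case "$1" in
        *STAGING*|*'Fake LE'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of a kubernetes.io/tls secret as kubectl prints it; the PEM
# bodies are placeholders, not a real certificate or key.
SAMPLE_CERT_PEM="$(printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' '-----END CERTIFICATE-----')"
SAMPLE_KEY_PEM="$(printf '%s\n%s\n%s' '-----BEGIN PRIVATE KEY-----' 'Y29uc3RydWN0ZWQ=' '-----END PRIVATE KEY-----')"
SAMPLE_SECRET_YAML="$(printf 'apiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CERT_PEM" | base64 | tr -d '\n')" \
    "$(printf '%s\n' "$SAMPLE_KEY_PEM" | base64 | tr -d '\n')")"

# Live check against the cluster: the Ready condition is the programmatic
# equivalent of watching for "Order completed successfully" in the events.
inspect_certificate() {
    kubectl wait --for=condition=Ready "certificate/$CERT_NAME" -n "$NAMESPACE" --timeout=180s
    secret_yaml="$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o yaml)"
    cert_pem="$(printf '%s\n' "$secret_yaml" | decode_secret_field tls.crt)"
    key_pem="$(printf '%s\n' "$secret_yaml" | decode_secret_field tls.key)"
    echo "private key format: $(key_encoding_of "$key_pem")"
    # tls.crt holds the leaf first, followed by the chain; openssl x509 reads the leaf.
    printf '%s\n' "$cert_pem" | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
    issuer="$(printf '%s\n' "$cert_pem" | openssl x509 -noout -issuer)"
    if is_staging_issuer "$issuer"; then
        echo "NOTE: signed by the staging CA; clients will reject it. Use the production ClusterIssuer before exposing the service."
    fi
}

# Only talk to the cluster when invoked as `sh check-cert.sh run`.
if [ "${1:-}" = "run" ]; then
    inspect_certificate
fi
```

Run it as `sh check-cert.sh run` once `kubectl apply` has been done; set CERT_NAME, NAMESPACE and SECRET_NAME to match your own Certificate if they differ from the example. The key-format and issuer checks are deliberately plain text functions so the same script can be pointed at a saved `kubectl get secret -o yaml` dump when the cluster is not reachable.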

Next steps

Learn about TLS encryption here.