Kubernetes and SSL Certificate Management
Manage SSL certificate orders in K8s with Helm and Let’s Encrypt
Security is more important than ever and needs to be part of any technical solution, even in testing environments. One of the most common measures is to serve traffic over HTTPS with SSL certificates instead of plain HTTP. This provides two main benefits:
- Communications between the client and the server are encrypted.
- The identity of the services or the websites can be verified by the clients using the trusted certificate authorities.
Ordering and using valid SSL certificates costs both money and time (some certificate authorities take three days to issue the needed certificates). As a result, there was a need to automate the creation and issuance of SSL certificates. Most of the major cloud platforms can generate SSL certificates within hours. However, these certificates are not free.
Luckily, there is a service called Let’s Encrypt that enables users to generate free SSL certificates for their websites.
“Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).” — Let’s Encrypt website
With Let’s Encrypt, it is possible to automate the creation and renewal of the needed SSL certificates. The only requirement for the automation process is the ability to automatically create DNS records or place files on the web server, which is how you prove control of the domain. However, Let’s Encrypt limits the number of certificates issued for each domain per week (50 certificates per week).
In the Kubernetes world, managing the creation of the SSL certificates can be done easily with the use of cert-manager.
“cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, or self signed.
It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.” — cert-manager docs
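To make the pieces above concrete, here is a minimal cert-manager configuration, added as an illustration and not taken from the article or the cert-manager project. It proves domain control by serving a file through the ingress (the "files on the web server" option) and sets an explicit renewal window. All names, the namespace, the hostname, the e-mail address and the NGINX ingress class are placeholders or assumptions.

```yaml
# Added example: every name, the hostname and the e-mail address are placeholders.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging endpoint: its certificates are NOT publicly trusted, but test
    # issuance here does not consume the production per-domain weekly limit.
    # Switch to https://acme-v02.api.letsencrypt.org/directory once it works.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                    # ACME account contact (placeholder)
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # Secret that stores the ACME account key
    solvers:
      # HTTP-01: cert-manager answers the challenge by serving a file via the ingress.
      - http01:
          ingress:
            ingressClassName: nginx           # assumption: NGINX ingress controller
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-tls
  namespace: demo
spec:
  secretName: demo-tls          # Secret that receives tls.crt and tls.key
  dnsNames:
    - demo.example.com
  renewBefore: 720h             # start renewal 30 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always      # generate a fresh private key on every renewal
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
```

The account-key Secret and the `demo-tls` Secret both hold private key material, so restrict read access to them with RBAC.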