When deploying applications in an Amazon EKS (Elastic Kubernetes Service) environment, securing them with SSL/TLS is essential to protect sensitive data and ensure secure communication. One of the most popular and free methods to obtain TLS certificates is through Let’s Encrypt. This guide walks you through the process of setting up TLS certificates on an EKS cluster using Cert-Manager and NGINX Ingress Controller.
Prerequisites
Before starting, ensure you have the following:
- An EKS Cluster set up with worker nodes.
- kubectl configured to access your cluster.
- A registered domain name pointing to the EKS load balancer.
- NGINX Ingress Controller installed on the cluster.
Step 1: Install Cert-Manager
Cert-Manager automates the management of TLS certificates within Kubernetes.
Install Cert-Manager
Run the following command to apply the official Cert-Manager manifests:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.2/cert-manager.yaml
Verify the pods:
kubectl get pods --namespace cert-manager
You should see the following pods running:
- cert-manager
- cert-manager-cainjector
- cert-manager-webhook
Step 2: Create a ClusterIssuer
A ClusterIssuer is a resource in Kubernetes that defines how Cert-Manager should obtain certificates. We’ll create one using Let’s Encrypt’s production endpoint.
ClusterIssuer YAML File:
Create a file named letsencrypt-cluster-issuer.yaml with the following content:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your.email@example.com # Change this to your email
    privateKeySecretRef:
      name: letsencrypt-prod-private-key
    solvers:
    - http01:
        ingress:
          class: nginx
Apply the YAML:
kubectl apply -f letsencrypt-cluster-issuer.yaml
Verify that the ClusterIssuer is created successfully:
kubectl get clusterissuer
Step 3: Create an Ingress Resource with TLS
The Ingress resource will route external traffic to services within the cluster and configure TLS.
Ingress YAML File:
Create a file named ingress.yaml with the following content:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  rules:
  - host: yourdomain.com # Replace with your domain
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80
  tls:
  - hosts:
    - yourdomain.com
    secretName: my-app-tls
Apply the YAML:
kubectl apply -f ingress.yaml
Step 4: Verify the TLS Certificate
Check the status of the certificate request:
kubectl describe certificate my-app-tls
You should see a message indicating that the certificate was successfully issued. Cert-Manager creates this Certificate resource automatically from the cluster-issuer annotation on the Ingress, and once it is issued it stores the TLS certificate and key in a Kubernetes Secret named my-app-tls.
List the secrets to verify:
kubectl get secrets
You should see my-app-tls listed.
Step 5: Test the HTTPS Connection
Once the certificate is issued, test the connection:
- Open a browser and navigate to https://yourdomain.com.
- Verify that the connection is secure by checking for a valid TLS certificate.
Troubleshooting Tips:
- Ensure the domain correctly resolves to the EKS load balancer.
- Check for errors in the Cert-Manager logs using:
kubectl logs -n cert-manager -l app=cert-manager
Step 6: Renewing and Managing Certificates
Let’s Encrypt certificates are valid for 90 days. Cert-Manager automatically renews them before expiry.
To check if the renewal is working:
kubectl get certificates
Look for the renewal time and ensure it’s set before the expiration date.
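The checks from Step 4 and Step 6 can be scripted so they run the same way every time. The following is an added example, not part of the original guide: it takes the JSON that `kubectl get certificate my-app-tls -o json` prints (the embedded sample is constructed to match the Ingress above) and reports whether the Certificate is Ready, covers every host in the Ingress tls block, references the expected ClusterIssuer, and has a renewalTime scheduled before notAfter.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of what `kubectl get certificate my-app-tls -o json` returns
# for the Certificate that cert-manager creates from the Ingress in Step 3.
SAMPLE_CERT_JSON = """{
  "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
  "metadata": {"name": "my-app-tls", "namespace": "default"},
  "spec": {"dnsNames": ["yourdomain.com"], "secretName": "my-app-tls",
           "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod"}},
  "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
             "notBefore": "2024-01-01T00:00:00Z", "notAfter": "2024-03-31T00:00:00Z",
             "renewalTime": "2024-03-01T00:00:00Z"}
}"""


def parse_time(value):
    # cert-manager writes RFC 3339 UTC timestamps with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_certificate(cert, expected_hosts, issuer="letsencrypt-prod", now=None):
    """Return a list of findings for a cert-manager Certificate (dict or JSON string).
    An empty list means it is Ready, covers every Ingress host, was issued by the
    expected ClusterIssuer and has a renewal scheduled before it expires."""
    if isinstance(cert, str):
        cert = json.loads(cert)
    spec, status = cert.get("spec", {}), cert.get("status", {})
    findings = []
    if not any(c.get("type") == "Ready" and c.get("status") == "True"
               for c in status.get("conditions", [])):
        findings.append("not Ready: run `kubectl describe certificate` for the reason")
    missing = sorted(set(expected_hosts) - set(spec.get("dnsNames", [])))
    if missing:
        findings.append(f"dnsNames does not cover Ingress hosts: {missing}")
    if spec.get("issuerRef", {}).get("name") != issuer:
        findings.append(f"issuerRef is not ClusterIssuer {issuer!r}")
    not_after, renewal = status.get("notAfter"), status.get("renewalTime")
    if not not_after:
        findings.append("no notAfter in status: nothing has been issued yet")
    else:
        expiry = parse_time(not_after)
        if not renewal:
            findings.append("no renewalTime: automatic renewal is not scheduled")
        elif parse_time(renewal) >= expiry:
            findings.append("renewalTime is not before notAfter")
        if now is not None and expiry - parse_time(now) < timedelta(days=7):
            findings.append("fewer than 7 days of validity left")
    return findings
```

Pass the hosts from the Ingress tls block as `expected_hosts`; an empty result means the certificate matches what the Ingress serves and renewal is on schedule.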
Step 7: Clean Up (Optional)
If you want to remove the configurations:
kubectl delete -f ingress.yaml
kubectl delete -f letsencrypt-cluster-issuer.yaml
kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.2/cert-manager.yaml
Conclusion
Congratulations! You have successfully secured your applications on an EKS cluster using Let’s Encrypt certificates. With the help of Cert-Manager, you can automate certificate issuance, management, and renewal, ensuring your applications always maintain secure communications. By following this guide, you have taken a significant step towards enhancing the security posture of your Kubernetes environment.