
Integrating Let's Encrypt with KubeDNA

This guide explains how to configure automatic TLS certificates from Let's Encrypt within a KubeDNA cluster. The example below uses Cloudflare, but the same principles apply to other DNS providers.

Prerequisites

  • An account at a DNS provider that supports ACME clients; here is the list.

1. Create a ClusterIssuer with DNS‑01 Validation

A ClusterIssuer defines the ACME server and the contact email. When using the DNS‑01 challenge, you must supply credentials for your DNS provider's API (for example, a Cloudflare API token).

  1. Create a secret for your DNS provider API token in the cert-manager namespace:
    apiVersion: v1
    kind: Secret
    metadata:
      name: cloudflare-api-token-secret
      namespace: cert-manager
    type: Opaque
    stringData:
      api-token: "<CLOUDFLARE_API_TOKEN>"  # replace with your token
    
  2. Define the ClusterIssuer using DNS‑01 solver:
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: admin@yourdomain.com              # change to your email
        privateKeySecretRef:
          name: letsencrypt-prod-key
        solvers:
        - dns01:
            cloudflare:
              email: admin@yourdomain.com
              apiTokenSecretRef:
                name: cloudflare-api-token-secret
                key: api-token
    
  3. Save both resources in a file called cluster-issuer.yaml (separated by a `---` line) and apply:
    kubectl apply -f cluster-issuer.yaml
    

2. Define a Certificate Resource

Create a Certificate resource to request and manage the TLS certificate.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-tls
  namespace: default
spec:
  secretName: example-com-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: example.com
  dnsNames:
  - example.com
  - www.example.com

  1. Save as certificate.yaml.
  2. Apply with:
    kubectl apply -f certificate.yaml
    

3. Configure Your Ingress

Annotate your Ingress to use the ClusterIssuer and reference the generated secret.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-com-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80

  1. Save as ingress.yaml.
  2. Apply with:
    kubectl apply -f ingress.yaml
    

4. Verify Installation

  1. Check Cert-Manager resources:
    kubectl get certificates,orders,challenges
    
  2. Ensure the TLS secret exists:
    kubectl get secret example-com-tls-secret
    
  3. Visit https://example.com to confirm the certificate is valid.
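When a challenge stays pending, it helps to know exactly what the DNS‑01 solver is supposed to publish. The following added example (not part of the KubeDNA documentation or cert-manager) computes the TXT record name and value that RFC 8555 requires for a given dnsNames entry, ACME account key and challenge token, so the record seen in Cloudflare can be compared against it; the sample key and token are constructed illustrative values, and the wildcard handling goes beyond the names used above.

```python
import base64
import hashlib
import json

# Members that RFC 7638 includes in the canonical JWK for each key type.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def txt_record_name(dns_name: str) -> str:
    """Name at which the DNS-01 solver must publish the TXT record for one dnsNames entry.
    A wildcard entry is validated at its base name (DNS-01 is the only challenge type
    Let's Encrypt accepts for wildcards)."""
    base = dns_name[2:] if dns_name.startswith("*.") else dns_name
    return "_acme-challenge." + base.rstrip(".")


def txt_record_value(token: str, account_jwk: dict) -> str:
    """Expected TXT content: base64url(SHA-256(token '.' thumbprint)), RFC 8555 section 8.4."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_is_published(dns_name: str, token: str, account_jwk: dict, published_txt: dict) -> bool:
    """True when one of the TXT strings observed at the challenge name (e.g. from a dig
    lookup, passed in as {name: [values]}) equals what cert-manager should have written."""
    expected = txt_record_value(token, account_jwk)
    return any(value == expected for value in published_txt.get(txt_record_name(dns_name), []))


# Constructed sample: an illustrative EC account key and challenge token, not real ACME data.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    for name in ("example.com", "www.example.com"):
        print(txt_record_name(name), txt_record_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

The account key is the one stored in the `letsencrypt-prod-key` secret referenced by the ClusterIssuer, and the token is shown on the Challenge resource; each dnsNames entry gets its own record under its own `_acme-challenge.` name.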

Congratulations! Your KubeDNA cluster now automatically provisions and renews TLS certificates via Let's Encrypt.