Easy steps to install K3s with SSL certificate by traefik, cert manager and Let’s Encrypt
- 6 mins
How to install k3s + Traefik + CertManager + LetsEncrypt
Why use k3s?
k3s is a lightweight Kubernetes distribution designed to be minimal and efficient, making it well-suited for resource-constrained environments and use cases where simplicity and ease of deployment are important. It was created by Rancher Labs and is intended to simplify the installation and management of Kubernetes clusters.
In this example use k3s with Traefik ingress controller so it’s a default by K3s and it’s a lightweight, easy, and fast solution, but if you prefer another one feel free to use it.
Why use cert manager?
Using cert-manager on Kubernetes simplifies SSL/TLS certificate management, automates the renewal process, integrates seamlessly with Kubernetes resources, and provides the flexibility to work with various certificate issuers. This results in enhanced security and reduced operational overhead for securing your Kubernetes applications.
1. Install k3s
curl -sfL https://get.k3s.io | sh -If you want to have access to the k3s cluster outside the node, you can use the following parameter when creating the cluster --tls-san.
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--tls-san <public ip address or hostname>" sh -By default, you do not have to execute permissions on k3.conf to resolve you need to move the file and give it the necessary permissions.
NOTE : It’s not recommended to give permissions to the original file.
mkdir $HOME/.kube
sudo cp /etc/rancher/k3s/k3s.yaml $HOME/.kube/config
sudo chmod 644 $HOME/.kube/config
export KUBECONFIG=~/.kube/configYou can add
KUBECONFIG=~/.kube/configto your~/.profileor~/.bashrcto make it persist on reboot.
2. Install helm (optional)
This step is completely optional in order to follow the tutorial but highly recommended.
Helm is a package manager for Kubernetes that simplifies the deployment and management of applications in Kubernetes clusters.
Install Helm on K3s is really easy, just execute the script and you don’t need to modify any config !
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh3. Install cert manager
Mainly, we have two ways to install with helm or with kubectl. Personally I prefer to use the helm package manager with all the advantages that comes with it.
Option 1: Install by Helm (recommended)
Add the oficial repository on Helm
helm repo add jetstack https://charts.jetstack.ioUpdate your local Helm chart repository
helm repo updateAnd install de cert-manager with namespace cert-manager
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=trueNOTE : You can find the all config parameters on the oficial chart page: https://artifacthub.io/packages/helm/cert-manager/cert-manager
Option 2: Install by kubectl
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.4/cert-manager.crds.yaml3.1 Verify the cert manager installation
kubectl -n cert-manager get pod
4. Create the ClusterIssuer resource
Create ClusterIssuer for staging environment
# cluster-issuer-staging.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
namespace: default
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: <YOUR_EMAIL> # replace for your valid email
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- selector: {}
http01:
ingress:
class: traefikkubectl apply -f cluster-issuer-staging.yamlCreate ClusterIssuer for production environment
# cluster-issuer-production.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
namespace: default
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: <YOUR_EMAIL> # replace for your valid email
privateKeySecretRef:
name: letsencrypt-production
solvers:
- selector: {}
http01:
ingress:
class: traefikkubectl apply -f cluster-issuer-production.yamlVerify that it has been properly applied
kubectl get ClusterIssuer -A
And check the status of ClusterIssuer
kubectl describe clusterissuer letsencrypt-staging
kubectl describe clusterissuer letsencrypt-production5. Let’s play!
Finally we are going to create our certificate
5.1 Create a dummy application
In this step just create a very basic dummy nginx application, if you already have an application you can go to the next step.
Create a deployment using a default image from nginx:alpine
kubectl create deployment nginx --image nginx:alpineShow the deployments status
kubectl get deployments
kubectl describe deployment nginxExpose the server at port 80
kubectl expose deployment nginx --port 80 --target-port 80Check that the service is correct and running
kubectl get svc
5.2 Create a ingress traefik controller
Define the trafik ingress with the cert-manager annotations and the tsl section to be able to manage our certificate.
# ingress ingress-nginx.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
kubernetes.io/ingress.class: traefik
labels:
app: nginx
name: nginx
namespace: default
spec:
rules:
- host: example.com # Change by your domain
http:
paths:
- backend:
service:
name: nginx
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- example.com # Change by your domain
secretName: example-com-tlskubectl apply -f ingress-nginx.yamlVerify that the certificate has actually been created
kubectl get cert -n defaultNOTE : I change the host
example.comto letsencrypt-k3s.albertcolom.com and changeexample-com-tlsto letsencryptk3s-albertcolom-com-tls .
You can show the valid certificated by Let’s Encrypt!
Conclusion
Once you have installed cert manager it is really easy to manage your certificates together with traefik. You just have to set a couple of parameters in the ingress and the system takes care of everything.
No more excuses for not using a valid certificate!
You can read the article on Medium
Albert Colom
Backend developer