Quick start: TLS for the Kong ingress controller with Let’s Encrypt certificates issued by cert-manager.

  • Install the Kong ingress controller. The short link resolves to Kong’s all-in-one manifest (namespace, CRDs, RBAC and the controller); fetch it and read what it creates before applying it to a cluster you care about:
$ kubectl create -f https://bit.ly/k4k8s
  • Install cert-manager. If you are using GKE, first bind your own IAM account to cluster-admin: the cert-manager manifest creates ClusterRoles, and Kubernetes RBAC refuses to let a user grant permissions they do not hold themselves.
$ kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account)
  • Apply the release manifest (v1.2.0 here). It installs the CRDs together with the controller, the webhook and the CA injector:
$ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
  • Create a ClusterIssuer for Let’s Encrypt. A ClusterIssuer is cluster-scoped, so it takes no namespace; the ACME account key named by privateKeySecretRef is stored in the cert-manager namespace. The email address receives expiry warnings from Let’s Encrypt. cert-manager v1.2.0 serves the stable cert-manager.io/v1 API, so use that rather than the deprecated v1alpha2. While you are still debugging the setup, point server at the staging directory (https://acme-staging-v02.api.letsencrypt.org/directory) so that failed attempts do not eat into the production rate limits:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: mike@donthurt.us
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: kong
  • Create an Ingress resource for your application. The cert-manager.io/cluster-issuer annotation is what makes cert-manager’s ingress-shim create a Certificate for the host in spec.tls; kubernetes.io/tls-acme is the older kube-lego annotation, which cert-manager only acts on when it has been started with a default issuer. The konghq.com annotations are optional: together they make Kong serve this route over HTTPS only and answer plain-HTTP requests with a 301 to the https URL. They do not break the HTTP-01 challenge, because cert-manager creates its own temporary Ingress (also class kong, without these annotations) for /.well-known/acme-challenge/. Annotation values must be strings, so the status code has to be quoted. The manifest uses networking.k8s.io/v1, which needs Kubernetes 1.19 or newer and a Kong ingress controller release that supports it; extensions/v1beta1 was removed in Kubernetes 1.22.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hugo-blog
  namespace: hugo-blog
  annotations:
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: kong
    konghq.com/https-redirect-status-code: "301"
    konghq.com/protocols: https
spec:
  tls:
  - secretName: blog-tls
    hosts:
    - blog.donthurt.us
  rules:
  - host: blog.donthurt.us
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hugo-blog
            port:
              number: 80
  • After a minute or two (the HTTP-01 challenge has to be served through Kong and validated by Let’s Encrypt), describe the Certificate that cert-manager created from the Ingress. It is named after the TLS secretName, not after the Ingress, and the events only appear with describe, not get:
$ kubectl describe certificate blog-tls -n hugo-blog
...
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Issuing    33m   cert-manager  Issuing certificate as Secret does not exist
  Normal  Generated  33m   cert-manager  Stored new private key in temporary Secret resource "blog-tls-m67hw"
  Normal  Requested  33m   cert-manager  Created new CertificateRequest resource "blog-tls-rrckz"
  Normal  Issuing    33m   cert-manager  The certificate has been successfully issued
  • You can verify the served certificate with OpenSSL. Pass -servername so the SNI matches what Kong routes on, and discard the connection chatter so only the leaf certificate reaches the second openssl:
$ openssl s_client -connect blog.donthurt.us:443 -servername blog.donthurt.us </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
subject= /CN=blog.donthurt.us
issuer= /C=US/O=Let's Encrypt/CN=R3
notBefore=Apr  7 07:59:40 2021 GMT
notAfter=Jul  6 07:59:40 2021 GMT
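The one-liner above shows the certificate but leaves the reader to eyeball it. The following script is an added example, not code from the original post or from Kong or cert-manager: it connects with SNI and full chain verification, checks that a DNS SAN covers the host, that the issuer is Let’s Encrypt and that enough lifetime remains for cert-manager’s default renewal window (it renews at two thirds of the lifetime, about 30 days before a 90-day certificate expires, so less than that means renewal is not happening), and then confirms that plain HTTP on port 80 answers with the 301 the konghq.com annotations configure. HOST, the 30-day margin and SAMPLE_CERT (constructed to mirror the certificate in the openssl output above) are assumptions; the checks themselves are plain functions so they can be exercised without a network.

```python
"""Post-issuance checks for the Kong + cert-manager setup above.

Added example, not part of the original post. HOST, MIN_DAYS_LEFT and
SAMPLE_CERT are assumptions, not output from the author's cluster.
"""
import http.client
import socket
import ssl
import sys
import time

HOST = "blog.donthurt.us"  # assumption: the host used in the Ingress above
# Assumption: cert-manager renews at 2/3 of the lifetime, ~30 days before
# a 90-day Let's Encrypt certificate expires; less than that is a problem.
MIN_DAYS_LEFT = 30

# Constructed to mirror the shape of ssl.SSLSocket.getpeercert() for the
# certificate in the openssl output above (dates copied from that output).
SAMPLE_CERT = {
    "subject": ((("commonName", "blog.donthurt.us"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "blog.donthurt.us"),),
    "notBefore": "Apr  7 07:59:40 2021 GMT",
    "notAfter": "Jul  6 07:59:40 2021 GMT",
}


def fetch_peer_cert(host, port=443, timeout=10):
    """TLS-connect with SNI. The default context verifies the chain against
    the system roots and the hostname, so a bad chain raises instead of
    returning a certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(cert, host):
    """True if a DNS SAN covers host, exactly or via a one-label wildcard."""
    host = host.lower()
    parent = host.split(".", 1)[1:]  # ['donthurt.us'] for blog.donthurt.us
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host or (value.startswith("*.") and parent == [value[2:]]):
            return True
    return False


def issuer_org(cert):
    """organizationName from the issuer DN, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def days_left(cert, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def check_certificate(cert, host, now=None, min_days_left=MIN_DAYS_LEFT):
    """Return a list of findings; an empty list means the leaf looks right."""
    findings = []
    if not san_matches(cert, host):
        findings.append(f"no DNS SAN covers {host}")
    org = issuer_org(cert)
    if org != "Let's Encrypt":
        findings.append(f"unexpected issuer organization {org!r}")
    left = days_left(cert, now)
    if left < 0:
        findings.append("certificate has expired")
    elif left < min_days_left:
        findings.append(f"only {left:.1f} days left; cert-manager should have renewed")
    return findings


def fetch_redirect(host, timeout=10):
    """Plain-HTTP GET of /; returns (status, Location) for check_redirect."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location", "")
    conn.close()
    return resp.status, location


def check_redirect(status, location, host, expected_status=301):
    """The konghq.com annotations above should produce a 301 to https://host."""
    findings = []
    if status != expected_status:
        findings.append(f"expected {expected_status} from http://{host}/, got {status}")
    if not location.startswith(f"https://{host}"):
        findings.append(f"redirect target is not https://{host}: {location!r}")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else HOST
    problems = check_certificate(fetch_peer_cert(target), target)
    status, location = fetch_redirect(target)
    problems += check_redirect(status, location, target)
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it as `python3 check_tls.py blog.donthurt.us` (file name assumed) from outside the cluster, since the point is to see what a client on the Internet sees. A non-zero exit with "only N days left" a month or more after issuance means the Certificate is stuck; the describe output above is where to look next.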