Kubernetes Ingress Playlist – Part 6: Securing the Kubernetes Ingress Using Cert-Manager with HTTPS

#kubernetes #ingress #certmanager #https

In the previous parts of our Kubernetes Ingress playlist, we covered installing the NGINX Ingress Controller, implementing host/path-based routing, and enabling authentication and self-signed TLS. Now, it's time to move a step ahead and automate certificate management using Cert-Manager — a powerful tool that simplifies issuing and renewing SSL/TLS certificates within your Kubernetes cluster.

In this part, we’ll:

Deploy the simple-nodejs-app
Install and configure Cert-Manager
Automatically issue TLS certificates via Let’s Encrypt using ClusterIssuer
Secure our NGINX Ingress endpoint with HTTPS

What is Cert-Manager?

Cert-Manager is a native Kubernetes certificate management controller that helps manage and automate the issuance, renewal, and use of TLS certificates. It supports multiple certificate issuers such as:

Let’s Encrypt (ACME)
HashiCorp Vault
Self-signed certificates
Venafi, and more

With Cert-Manager, you don’t need to manually generate and rotate certificates. It integrates seamlessly with Kubernetes and works great with Ingress resources.

As in previous parts, we’ll use the simple-nodejs-app exposed via a Kubernetes Service and secured via Ingress. The key difference this time is: we'll use Cert-Manager to get a real TLS certificate from Let’s Encrypt, making HTTPS truly production-ready.

Step 1: Install Cert-Manager using Helm

We will use helm to install cert manager. Following commands will install the Cert-Manager controller and its required CustomResourceDefinitions (CRDs).

helm repo add jetstack https://charts.jetstack.io helm repo update helm install cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ --version v1.14.3 \ --set installCRDs=true

You will see output:

NAME: cert-manager LAST DEPLOYED: Wed Aug 6 00:16:00 2025 NAMESPACE: cert-manager STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: cert-manager v1.14.3 has been deployed successfully!

You can verify the installation

$ kubectl get pods --namespace cert-manager NAME READY STATUS RESTARTS AGE cert-manager-6c4645d66c-vlrd7 1/1 Running 0 4m23s cert-manager-cainjector-55c5b94bfc-mnhln 1/1 Running 0 4m23s cert-manager-webhook-549d7475d7-f9rzw 1/1 Running 0 4m23s

Step 2: Create a ClusterIssuer for Let’s Encrypt (Staging)

Cert-Manager needs an Issuer to request certificates from a Certificate Authority (CA) like Let’s Encrypt. We’ll create a ClusterIssuer, which issues certificates for the entire Kubernetes cluster. You can create a ClusterIssuer in any namespace — it's a cluster-wide resource, not namespace-scoped.

Create manifest (cluster_issuer.yaml)

apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-nginx-cert spec: # ACME issuer configuration # `email` - the email address to be associated with the ACME account (make sure it's a valid one) # `server` - the URL used to access the ACME server’s directory endpoint # `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key acme: server: https://acme-v02.api.letsencrypt.org/directory email: newabog237@misehub.com privateKeySecretRef: name: letsencrypt-nginx-cert solvers: - http01: ingress: class: nginx

Apply it and verify it:

$ kubectl apply -f cluster_issuer.yaml clusterissuer.cert-manager.io/letsencrypt-ngionx-cert created $ kubectl get clusterissuer.cert-manager.io/letsencrypt-nginx-cert NAME READY AGE letsencrypt-nginx-cert True 4m20s

Step 3: Create a TLS-enabled Ingress

Cert-Manager will automatically provision a TLS certificate and store it in the simple-nodejs-tls-secret secret.

Create manifest file (nginx-ingress-with-cert-manager.yaml)

apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: simple-nodejs-ingress namespace: simple-nodejs-app annotations: cert-manager.io/cluster-issuer: "letsencrypt-nginx-cert" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/rewrite-target: / spec: ingressClassName: nginx tls: - hosts: - chinmayto.com secretName: simple-nodejs-tls-secret rules: - host: chinmayto.com http: paths: - path: / pathType: Prefix backend: service: name: service-nodejs-app port: number: 80

Apply it and verify:

$ kubectl apply -f nginx-ingress-with-cert-manager.yaml ingress.networking.k8s.io/simple-nodejs-ingress created $ kubectl get ingress -n simple-nodejs-app NAME CLASS HOSTS ADDRESS PORTS AGE simple-nodejs-ingress nginx chinmayto.com a4374e0452f8c4e0c99602307d9cb013-4fe3550df37ae3d7.elb.us-east-1.amazonaws.com 80, 443 43s $ kubectl get secret -n simple-nodejs-app NAME TYPE DATA AGE simple-nodejs-tls-secret kubernetes.io/tls 2 23s

This will also create a certificate, describe it to get event log:

$ kubectl get certificate -n simple-nodejs-app NAME READY SECRET AGE simple-nodejs-tls-secret True simple-nodejs-tls-secret 64s $ kubectl describe certificate -n simple-nodejs-app Name: simple-nodejs-tls-secret Namespace: simple-nodejs-app Labels: <none> Annotations: <none> API Version: cert-manager.io/v1 Kind: Certificate Metadata: Creation Timestamp: 2025-08-05T19:25:19Z Generation: 1 Owner References: API Version: networking.k8s.io/v1 Block Owner Deletion: true Controller: true Kind: Ingress Name: simple-nodejs-ingress UID: 60ff8b31-a5d0-43ef-a01d-d50c308870ab Resource Version: 14728 UID: 17601f42-7597-44c8-be5e-096434d8be46 Spec: Dns Names: chinmayto.com Issuer Ref: Group: cert-manager.io Kind: ClusterIssuer Name: letsencrypt-nginx-cert Secret Name: simple-nodejs-tls-secret Usages: digital signature key encipherment Status: Conditions: Last Transition Time: 2025-08-05T19:25:42Z Message: Certificate is up to date and has not expired Observed Generation: 1 Reason: Ready Status: True Type: Ready Not After: 2025-11-03T18:27:11Z Not Before: 2025-08-05T18:27:12Z Renewal Time: 2025-10-04T18:27:11Z Revision: 1 Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Issuing 3m26s cert-manager-certificates-trigger Issuing certificate as Secret does not exist Normal Generated 3m25s cert-manager-certificates-key-manager Stored new private key in temporary Secret resource "simple-nodejs-tls-secret-vcvkp" Normal Requested 3m25s cert-manager-certificates-request-manager Created new CertificateRequest resource "simple-nodejs-tls-secret-1" Normal Issuing 3m3s cert-manager-certificates-issuing The certificate has been successfully issued

Now access https://chinmayto.com in your browser and inspect the certificate. It should be signed by Let’s Encrypt. Even if you try to access http://chinmayto.com it gets redirected to https.

Note: If by any reason certificate status is not READY, try to get reason by describing it. If there is an issue issuing certificate, describe the challenge to troubleshoot.

Conclusion

Using Cert-Manager, we’ve automated the entire TLS certificate lifecycle within our Kubernetes cluster. Instead of relying on self-signed certs or manual renewals, Cert-Manager:

Automatically provisions and renews certificates
Integrates with Ingress resources for seamless HTTPS
Supports both staging and production issuers

This boosts security, ensures reliability, and simplifies operational overhead. It’s a production-grade solution for securing Kubernetes services via Ingress and a must-have for modern cloud-native applications.