k3s HTTPS with Let’s Encrypt
July 2, 2019
This post was updated in November 2021 to be compatible with the latest K3s (v1.21.5+k3s2) and cert-manager (1.6.0) at the time of writing. Previously this post used Helm but this is no longer necessary.
K3s is a Certified Kubernetes distribution designed for production workloads in unattended, resource-constrained, remote locations or inside IoT appliances. It provides a ready to go Kubernetes instance packaged as a single binary.
This guide will show you how to easily set up k3s with HTTPS via Let’s Encrypt.
K3s comes with Traefik out of the box. Traefik itself supports automatic HTTPS via Let’s Encrypt, but setting this up with k3s turned out to be pretty cumbersome. Instead using the excellent cert-manager add-on, it's a breeze!
0: Setup k3s.
This guide assumes you have a working k3s instance and kubectl configured to talk to your k3s instance. If you haven't already just follow the docs and you'll be up and running in minutes.
1. Install cert-manager
cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources, amongst which Let’s Encrypt.
cert-manager can be installed in several ways. The most straightforward way is via kubectl apply:
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yamlNote: 1.6.0 is the latest version of cert-manager at the time of writing. Be sure to check the latest version, but take into account that newer versions might not be fully compatible with instructions in this post.
It might take a minute or so for all components to be installed and up running. Verify the installation by checking all cert-manager pods are running:
kubectl get all -n cert-manager2. Configure cert-manager
With cert-manager installed we need to configure it to use Let’s Encrypt, by creating a certificate issuer:
cat <<EOF > letsencrypt-prod-issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration, update to your own.
email: user@example.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
solvers:
# An empty 'selector' means that this solver matches all domains
- selector: {}
http01:
ingress: {}
EOF⚠️ Make sure to update the email address to your own.
And apply it:
kubectl apply -f letsencrypt-prod-issuer.yamlBy now, cert-manager is ready to provision Let’s Encrypt certificates as we need it.
3. Deploy a service with automatic HTTPS
To try this out let's deploy a simple service. You should have a DNS name pointed to your k3s cluster for this to work. The example below uses bootcamp.k3s.example.org, be sure to update this to your own hostname!
Create the manifest:
cat <<EOF > k8s-bootcamp.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: k8s-bootcamp
spec:
replicas: 1
selector:
matchLabels:
app: k8s-bootcamp
template:
metadata:
labels:
app: k8s-bootcamp
spec:
containers:
- name: k8s-bootcamp
image: gcr.io/google-samples/kubernetes-bootcamp:v1
---
apiVersion: v1
kind: Service
metadata:
name: k8s-bootcamp
spec:
ports:
- name: http
targetPort: 8080
port: 80
selector:
app: k8s-bootcamp
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: k8s-bootcamp
annotations:
kubernetes.io/ingress.class: "traefik"
cert-manager.io/issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
# Change this to your own hostname
- bootcamp.k3s.example.org
secretName: bootcamp-k3s-example-org-tls
rules:
# Change this to your own hostname
- host: bootcamp.k3s.example.org
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: k8s-bootcamp
port:
name: http
EOFAnd apply it:
kubectl apply -f k8s-bootcamp.yamlWait a minute or so and your endpoint should become available with a Let’s Encrypt certificate! 🎉
Note that the Traefik ingress doesn't automatically redirect HTTP to HTTPS, like the Nginx ingress does. I haven't dug into how to enable this with Traefik, as I've been using the Nginx ingress myself.
