This documentation is provided with the HEAT environment and is relevant for this HEAT instance only.

Enabling SSL on Your Kubernetes Cluster

This guide explains how to set up SSL/TLS encryption on your Kubernetes cluster using cert-manager and Let’s Encrypt.


Prerequisites

  • Access to a Kubernetes cluster
  • kubectl CLI installed and configured
  • DNS pointing to your ingress (e.g., dev.myapp.io)
  • Ingress controller set up and running (e.g., Azure Application Gateway Ingress Controller)
  • A domain you control (for ACME HTTP-01 validation)

Step 1: Install cert-manager

Apply the latest cert-manager manifests to your cluster:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml

Step 2: Verify cert-manager Pods

Make sure all cert-manager pods are up and running:

kubectl get pods --namespace cert-manager

You should see the following pods in a Running state:

  • cert-manager
  • cert-manager-cainjector
  • cert-manager-webhook

Step 3: Create a ClusterIssuer

Create a file named cluster-issuer.yaml with the following content:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: michael.akobundu@vrai.ie
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: webapprouting.kubernetes.azure.com

Apply the file using:

kubectl apply -f cluster-issuer.yaml

Note: You can apply this from any namespace. A ClusterIssuer is cluster-scoped and is therefore available to all namespaces.

Step 4: Annotate Your Ingress for SSL

In your Ingress YAML, ensure you add the following annotation:

annotations:
  cert-manager.io/cluster-issuer: letsencrypt-prod

Step 5: Add TLS Configuration to Ingress

Under the spec section of your Ingress, add the following tls configuration:

tls:
  - hosts:
      - dev.heatvr.io
    secretName: heat-tls

Note: The secret named in secretName (heat-tls) will be created automatically by cert-manager once the certificate is issued.

Full Example Ingress Snippet

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - dev.myapp.io
      secretName: myapp-tls
  rules:
    - host: dev.myapp.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp-service
                port:
                  number: 80

Step 6: Verify Certificate Creation

After applying the Ingress, cert-manager will:

  • Request a certificate from Let’s Encrypt
  • Create the myapp-tls secret
  • Automatically bind the certificate to your Ingress

Check the certificate status:

kubectl describe certificate -n <your-namespace>

Or check events:

kubectl get events --sort-by=.metadata.creationTimestamp -n <your-namespace>

Get the secret to confirm that it was actually created, and make sure its type is “kubernetes.io/tls”:

kubectl get secret <secret-name-configured> -n <your-namespace>

You can describe it to get more details:

kubectl describe secret <secret-name-configured> -n <your-namespace>
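
To script the Step 6 checks, the following added example (not part of the original guide) evaluates the JSON printed by kubectl get certificate,secret -n <your-namespace> -o json. The check_tls function, the embedded sample data and the 14-day expiry threshold are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed sample of `kubectl get certificate,secret -n <your-namespace> -o json`, trimmed.
# Names follow the full Ingress example; the date and the base64 placeholders are made up.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Certificate", "metadata": {"name": "myapp-tls"},
  "spec": {"secretName": "myapp-tls", "dnsNames": ["dev.myapp.io"],
           "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod"}},
  "status": {"notAfter": "2030-03-01T00:00:00Z",
             "conditions": [{"type": "Ready", "status": "True"}]}},
 {"kind": "Secret", "metadata": {"name": "myapp-tls"}, "type": "kubernetes.io/tls",
  "data": {"tls.crt": "Q09OU1RSVUNURUQ=", "tls.key": "Q09OU1RSVUNURUQ="}}
]}
""")

def check_tls(listing, host, secret_name, issuer, now=None, min_days=14):
    """Return a list of problems; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    items = listing.get("items", [])
    cert = next((i for i in items if i["kind"] == "Certificate"
                 and i["spec"].get("secretName") == secret_name), None)
    secret = next((i for i in items if i["kind"] == "Secret"
                   and i["metadata"]["name"] == secret_name), None)
    if cert is None:
        problems.append(f"no Certificate writes to secret {secret_name}")
    else:
        ref = cert["spec"].get("issuerRef", {})
        if (ref.get("kind"), ref.get("name")) != ("ClusterIssuer", issuer):
            problems.append(f"issued by {ref.get('kind')}/{ref.get('name')}, expected {issuer}")
        if host not in cert["spec"].get("dnsNames", []):  # exact match, no wildcard handling
            problems.append(f"{host} is not in dnsNames")
        status = cert.get("status", {})
        ready = any(c["type"] == "Ready" and c["status"] == "True"
                    for c in status.get("conditions", []))
        if not ready:
            problems.append("Certificate is not Ready")
        elif "notAfter" in status:
            expires = datetime.fromisoformat(status["notAfter"].replace("Z", "+00:00"))
            if expires - now < timedelta(days=min_days):
                problems.append(f"certificate expires {status['notAfter']}")
    if secret is None:
        problems.append(f"secret {secret_name} does not exist")
    elif secret.get("type") != "kubernetes.io/tls":
        problems.append(f"secret type is {secret.get('type')}, not kubernetes.io/tls")
    elif not all(secret.get("data", {}).get(k) for k in ("tls.crt", "tls.key")):
        problems.append("secret is missing tls.crt or tls.key")
    return problems
print(check_tls(SAMPLE, "dev.myapp.io", "myapp-tls", "letsencrypt-prod") or "all checks passed")
```

Against a live cluster, pipe the kubectl output into json.load(sys.stdin) and pass the host, secret name and issuer from your own Ingress.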