Using Certmanager with Cloudflare and Kubernetes
How to configure certmanager for DNS challenges with Cloudflare and Kubernetes
What is Certmanager
Certmanager is a native Kubernetes cluster certificate manager. This article aims to outline the process of using Certmanager to manage SSL certificate creation and renewals via letsencrypt. Prior to certificate issuance, letsencrypt requires a challenge to verify ownership of a domain. In this article, we will configure Certmanager and letsencrypt to use a
DNS-01 challenge against Cloudflare hosted DNS.
- A working Kubernetes Cluster
- Kubectl connected to your cluster
- A valid domain name that you own
- DNS for said damain hosted by Cloudflare
kubectl is connected to your cluster
You should see your Kubernetes nodes printed. If not, please configure your
kubectl to connect to your cluster
Cloudflare API Key
Let’s Encrypt offers several domain verification methods. The simplest solutions is their
HTTP-01 challenge, which uses a file hosted on your website as verification. This method is not always useful, as our websites may not be publicly accessible. In our case, we are going to make use of the
DNS-01 challenge. When using the
DNS-01 challenge, Let’s Encrypt will require the creation of a
TXT record with a random code. Certmanager will automate the creation and deletion of these
TXT challenge DNS recrods. To do so, we will need give our certmanager install access to manage our DNS records. In our case, we’re using Cloudflare, which makes use of API keys.
Obtaining your API Key
Certmanager can now use a Zone Specific API Key
- Log into your Cloudflare Dashboard
- Click on your Account Icon (top right of page)
- Click "My Profile"
- Click on "API Tokens"
- Click "Create Token"
- Create a Token with the following permissions
- Token Name: cert-manager
- Zone - Zone - Read
- Zone - DNS - Edit
Create a namespace, install CRDs and Certmanager
Updated on March 17th, 2020. Update the version tag below to the newest release of cert-manager
Verify that Cert Manager has Installed
Cloudflare API Secret
You need your Cloudflare API Key
This will create a new Kuberentes secret with your Cloudflare API Key for Certmanager to reference.
Create a Staging Issuer
Since Let's Encrypt imposes a limit of 50 certificates per domain per week, we should do all of our testing against their
Staging envrionment. Only use the
Production envrionment once you have finished your testing.
Create a Production Issuer
This will be used after your testing is complete
Add Ingress Annotations
Now that Certmanager is configure, we need to add annotations to our ingress documents to make use of it. Add the following
annotations to your ingress documents
Then add the following to the
spec section of your ingress document. Replace
domain.tld with your domain name. Add additional entries here for subdomains or alias domains. You will also provide a
secretName name here, this is where certmanager will store your private key and certificate