Kubernetes automatic SSL certificate provisioning


There is an open source project from Jetstack called kube-lego. It lets you automatically request SSL certificates for your Kubernetes cluster using the free Let’s Encrypt service. Working with Let’s Encrypt through kube-lego is quite straightforward, and the Nginx Ingress Controller has built-in support for kube-lego. Having RBAC might seem like a complication, but in fact it doesn’t add much complexity to the solution.


  • Kubernetes 1.8.0 or higher with Nginx Ingress Controller deployed
  • 30 minutes of spare time


Let’s Encrypt is a service that provides automatic TLS/SSL certificate provisioning for your website. If you have a hobby cluster at home, just as I do, this solution is perfect for you. Let’s Encrypt is a free and automated way for your Kubernetes cluster to issue and assign SSL certificates to the ingress resources in the cluster.

Step 1. Create kube-lego deployment, RBAC Roles and ConfigMap

Get the YAML file below, replace you@email.com with your email address and apply it to your cluster. This will create the kube-lego namespace with all required components, including RBAC resources. This configuration uses the staging environment of Let’s Encrypt. After we have tested the staging configuration, we will delete the issued secrets and change the ConfigMap to point to the production Let’s Encrypt API.

Let’s save the file below and run

Step 2. Create an ingress resource to test SSL provisioning

Let’s create a simple nginx service and see if we can get a green lock in the browser after creating an ingress. Remember that the ingress must have the tls.acme annotation, as shown below, for kube-lego to work!

Create the resources below in your Kubernetes cluster.

After a few minutes, let’s run curl against the resource:

If kube-lego works, you will get something like:

This shows that the issuer this time is indeed Let’s Encrypt:

Now you can also go to the web browser and verify that you get a green lock when browsing to the URL:
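
The issuer check described above can be scripted so that the staging-to-production switch is verified rather than eyeballed. This is an added example, not code from the original post or from kube-lego. The function names are hypothetical, and the issuer patterns are assumptions based on the names Let’s Encrypt staging has used ("Fake LE …", later "(STAGING) …") and on the self-signed placeholder certificate the Nginx Ingress Controller serves before a real secret exists.

```shell
#!/bin/sh
# Added example: report which CA issued the certificate an ingress host serves.

# classify_issuer ISSUER_LINE
# Maps the line printed by `openssl x509 -noout -issuer` to one of:
#   ingress-default  controller placeholder cert (kube-lego has not issued yet)
#   staging          Let's Encrypt staging CA (browsers will not trust it)
#   production       Let's Encrypt production CA
#   other            any other issuer
classify_issuer() {
  case "$1" in
    *"Kubernetes Ingress Controller Fake Certificate"*) echo ingress-default ;;
    *"Fake LE"*|*"(STAGING)"*)                          echo staging ;;
    *"Let's Encrypt"*)                                  echo production ;;
    *)                                                  echo other ;;
  esac
}

# issuer_of HOST [PORT]: fetch the served leaf certificate and print its issuer.
issuer_of() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer 2>/dev/null
}

# check_host HOST EXPECTED_KIND: succeed only if the live issuer matches.
check_host() (
  issuer="$(issuer_of "$1")"
  [ -n "$issuer" ] || { echo "$1: no certificate received" >&2; exit 2; }
  kind="$(classify_issuer "$issuer")"
  echo "$1: $kind ($issuer)"
  [ "$kind" = "$2" ]
)

if [ "$#" -ge 1 ]; then
  # Usage: ./check-issuer.sh HOST [staging|production]
  check_host "$1" "${2:-production}"
else
  # No host given: classify constructed sample issuer lines (runs offline).
  for sample in \
    "issuer=CN = Fake LE Intermediate X1" \
    "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3" \
    "issuer=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate"
  do
    printf '%s -> %s\n' "$sample" "$(classify_issuer "$sample")"
  done
fi
```

A result of `ingress-default` means the TLS secret has not been created yet, and `staging` after the ConfigMap change means the old staging secret is still in place.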
