Configure Https / TLS / SSL on Kubernetes with Kube-Lego hosted on Azure Container Service

What if you could configure your infrastructure with a process that requests your SSL certificates automatically? Not only that, but the process also registers the certificates in your infrastructure. There is more: the process also requests new versions of the certificates every 30 days, so a certificate will never expire. All of this is completely automated, and it’s even completely free. You or your traditional ops department won’t believe this is possible.

Enter the new world of infrastructure: Kube-Lego, of course hosted on Kubernetes.
Now I hear you think: “This is too good to be true. It must be hard to configure.” The configuration is actually really easy, as you will see in this blog post.


The open-source tool Kube-Lego uses the Let’s Encrypt service to acquire SSL certificates.
With Let’s Encrypt you can get SSL/TLS certificates for free. Let’s Encrypt wants a more secure internet and offers this service with automation in mind. Kube-Lego makes this possible in practice on Kubernetes. Let’s Encrypt will even support wildcard certificates from January 2018.

To install Kube-Lego we are going to deploy two resources in Kubernetes: a ConfigMap and a Deployment that runs the Kube-Lego Pod. Besides this we are going to add some configuration to our Ingress.

Steps to install and configure Kube-Lego


  • You should have Ingress configured on your Kubernetes cluster. You can read how to do this in my blog post, which is a step-by-step manual.
  • You also need a DNS entry configured, so the public IP address of the Ingress Service can be reached on a host name. Otherwise the certificate request won’t succeed, because Let’s Encrypt validates that you control the host name.

1. Install a ConfigMap

Change the email address; it is used to create an account at Let’s Encrypt. I’ve chosen to install Kube-Lego in the kube-system namespace.

apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-lego
  namespace: kube-system
data:
  # modify this to specify your address (placeholder below)
  lego.email: "you@example.com"
  # configure letsencrypt's production api (ACME v1 endpoint used by kube-lego 0.1.x)
  lego.url: "https://acme-v01.api.letsencrypt.org/directory"

kubectl apply -f KubeLegoConfigMap.yaml

2. Install Kube-Lego Pod

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kube-lego
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kube-lego
    spec:
      containers:
      - name: kube-lego
        image: jetstack/kube-lego:0.1.5
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        env:
        # account email and ACME endpoint come from the ConfigMap above
        - name: LEGO_EMAIL
          valueFrom:
            configMapKeyRef:
              name: kube-lego
              key: lego.email
        - name: LEGO_URL
          valueFrom:
            configMapKeyRef:
              name: kube-lego
              key: lego.url
        # namespace and Pod IP are taken from the Pod itself
        - name: LEGO_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LEGO_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          timeoutSeconds: 1

kubectl apply -f KubeLego.yaml

3. Change the Ingress

Based on the Ingress from my blog post on how to configure Ingress, you have to add the following:
– Add the following annotation under metadata, so Kube-Lego picks up this Ingress:

  annotations:
    kubernetes.io/tls-acme: "true"

– Add the tls configuration under spec, listing the host name(s) you configured the DNS entry for (myapi.example.com is a placeholder):

  tls:
  - hosts:
    - myapi.example.com
    secretName: tls-kubelego

The complete Ingress looks like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myingress
  annotations: {kubernetes.io/tls-acme: "true"}
spec:
  tls:
  - hosts: [myapi.example.com]   # placeholder: use your own DNS name
    secretName: tls-kubelego
  rules:
  - host: myapi.example.com      # placeholder: use your own DNS name
    http:
      paths:
      - path: /mywebapi
        backend: {serviceName: myapiservice, servicePort: 80}
kubectl apply -f DeployIngress.yaml

Wait a short time after deployment, so Kube-Lego can create an account at Let’s Encrypt for you and then request, download and register the certificate in the secret (tls-kubelego). When you have multiple host names in your Ingress, Kube-Lego will request a certificate for each of them.

Now you can access your services through https.
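As an added example (not part of the original post), here is a small Python check of what your Ingress actually serves once Kube-Lego has done its work: the host name must appear in the certificate's SAN list, the issuer must be Let's Encrypt, and enough validity must remain, because Kube-Lego is expected to have renewed the certificate before the last 30 days. The sample certificate dict, the host name myapi.example.com and the 30-day threshold are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the host name and dates are made up for illustration.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notBefore": "Dec 10 10:00:00 2017 GMT",
    "notAfter": "Mar 10 10:00:00 2018 GMT",
    "subjectAltName": (("DNS", "myapi.example.com"),),
}

def rdn_dict(rdns):
    """Flatten getpeercert()'s nested ((("k", "v"),), ...) into a dict."""
    return {k: v for rdn in rdns for k, v in rdn}

def san_matches(hostname, san):
    """Exact DNS SAN match, plus single-label wildcard (*.example.com)."""
    host = hostname.lower()
    for kind, value in san:
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host or (value.startswith("*.") and host.partition(".")[2] == value[2:]):
            return True
    return False

def assess_cert(cert, hostname, now=None, min_days=30):
    """Checks a Kube-Lego issued certificate should pass: host in SAN, issued by
    Let's Encrypt, and more than min_days left (Kube-Lego renews before that)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    return {
        "hostname_ok": san_matches(hostname, cert.get("subjectAltName", ())),
        "letsencrypt": rdn_dict(cert["issuer"]).get("organizationName") == "Let's Encrypt",
        "days_left": days_left,
        "renewal_overdue": days_left < min_days,
    }

def fetch_peer_cert(hostname, port=443, timeout=5):
    """Fetch what the Ingress really serves (needs network; validates the chain)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Against a live cluster, call assess_cert(fetch_peer_cert("your.host.name"), "your.host.name") and act on renewal_overdue before the certificate actually expires.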

In case of problems, take a look at the logs of Kube-Lego:
1. Get the name of the Pod which is running Kube-Lego:
kubectl get pods -n kube-system
2. Take a look at the log:
kubectl logs -f <kubelegopodname> -n kube-system

All files can be found on my GitHub account.

