SSL with Docker and Kubernetes
SSL certificates in containerized environments.
SSL certificate management in container environments presents unique challenges. Containers are ephemeral, deployments frequent, and automation is essential.
This guide covers strategies for Docker and Kubernetes, from simple approaches to enterprise solutions with cert-manager.
Whether you use Traefik, nginx-ingress, or another ingress controller, you'll find best practices for your infrastructure.
Container Challenges
Why SSL is different with containers:
- Ephemeral: containers can be recreated at any time, so certificates and keys must persist outside the container.
- Scalability: multiple replicas share the same certificate.
- Automation: renewal must happen automatically, without restarting the workload.
- Security: private keys must be stored securely.
Available Solutions
Main approaches for SSL in containers:
- Ingress Controller: centralizes SSL at the ingress level (Traefik, nginx-ingress).
- cert-manager: Kubernetes operator for automatic certificate management.
- Sidecar: sidecar proxy that handles TLS (Envoy, Linkerd).
- Secrets mounts: mount certificates as volumes from secrets.
Implementation
Steps for SSL in Kubernetes with cert-manager:
- Install cert-manager: deploy cert-manager in your cluster.
- Configure Issuer: create a ClusterIssuer for Let's Encrypt.
- Annotate Ingress: add annotations for automatic certificate creation.
- Verify: check that the certificate is issued and renewed.
Configuration Examples
cert-manager with Let's Encrypt:
# ClusterIssuer Let's Encrypt
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com  # placeholder: replace with your contact address
    privateKeySecretRef:
      name: letsencrypt-prod  # Secret where cert-manager stores the ACME account key
    solvers:
    - http01:
        ingress:
          class: nginx
# Ingress with automatic TLS
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress  # any name; required for the manifest to apply
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts: [example.com]
    secretName: example-tls  # cert-manager creates and renews this Secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service  # placeholder: your application's Service
            port:
              number: 80
cert-manager automatically creates and renews the certificate in the specified secret.
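The Verify step can be scripted. The following added example (not part of the original guide) reads the Certificate object that cert-manager creates for the Ingress, as printed by `kubectl get certificate example-tls -o json`, and reports readiness, days until expiry and whether the planned renewal is overdue. The embedded SAMPLE is a constructed object and the 14-day warning threshold is an arbitrary choice; the field names follow the cert-manager.io/v1 Certificate status.

```python
import json
import sys
from datetime import datetime, timedelta, timezone


def parse_time(value):
    # cert-manager timestamps are RFC 3339 in UTC, e.g. 2024-06-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_certificate(cert, now, warn_days=14):
    """Summarise a cert-manager.io/v1 Certificate object as returned by kubectl."""
    status = cert.get("status", {})
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), {})
    result = {
        "name": cert["metadata"]["name"],
        "secret": cert["spec"]["secretName"],  # the Secret the Ingress tls block references
        "ready": ready.get("status") == "True",
        "days_left": None,
        "problems": [],
    }
    if not result["ready"]:  # message mirrors what `kubectl describe certificate` shows
        result["problems"].append(f"not Ready: {ready.get('message', 'no Ready condition yet')}")
    if "notAfter" in status:
        left = parse_time(status["notAfter"]) - now
        result["days_left"] = left.days
        if left <= timedelta(0):
            result["problems"].append("certificate has expired")
        elif left < timedelta(days=warn_days):
            result["problems"].append(f"expires in {left.days} days")
    # renewalTime is when cert-manager plans to renew; in the past means renewal is overdue
    if "renewalTime" in status and parse_time(status["renewalTime"]) <= now:
        result["problems"].append("renewal overdue; check the cert-manager pod logs")
    return result


# Constructed sample resembling `kubectl get certificate example-tls -o json`
SAMPLE = {
    "metadata": {"name": "example-tls"},
    "spec": {"secretName": "example-tls", "dnsNames": ["example.com"]},
    "status": {
        "conditions": [{"type": "Ready", "status": "True",
                        "message": "Certificate is up to date and has not expired"}],
        "notAfter": "2024-09-01T00:00:00Z",
        "renewalTime": "2024-08-02T00:00:00Z",
    },
}

if __name__ == "__main__":  # pipe kubectl JSON in, or run without stdin to use SAMPLE
    cert = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(evaluate_certificate(cert, datetime.now(timezone.utc)), indent=2))
```

Run it as `kubectl get certificate example-tls -o json | python3 check_cert.py` after the Ingress is applied; a non-empty problems list is the cue to read `kubectl describe certificate` and the cert-manager logs.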
Best Practices
Tips for SSL in containers:
- Use cert-manager: it's the standard solution for Kubernetes.
- Centralize SSL at ingress: avoid managing SSL in each container.
- External monitor: monitor your certificates from outside with MoniTao.
- Test renewal: simulate expiration to verify renewal works.
SSL Containers Checklist
- cert-manager deployed
- Issuer/ClusterIssuer configured
- Ingress annotated
- Certificate successfully issued
- Automatic renewal tested
- External monitoring configured
Frequently Asked Questions
cert-manager or Traefik built-in?
cert-manager is more flexible and works with any ingress. Traefik built-in is simpler for Traefik alone.
How to debug cert-manager?
Run kubectl describe certificate on the Certificate resource to see its conditions and events, and read the cert-manager pod's output with kubectl logs.
Wildcard in Kubernetes?
Use DNS01 challenge with cert-manager. Configure your DNS provider.
Can I use my own certificates?
Yes, create a Secret containing tls.crt and tls.key, reference it in the ingress.
mTLS between services?
Use a service mesh like Istio or Linkerd for automatic mTLS.
How to monitor expiration?
MoniTao monitors your HTTPS endpoints and alerts you before certificate expiration.
Automated SSL in Containers
Containerized environments require an automated approach to SSL. cert-manager and modern ingress controllers make this simple.
Always monitor your certificates from outside with MoniTao to detect issues before your users do.