How to Encrypt Kubernetes Traffic with cert-manager, Let's Encrypt, and Internal TLS

Started by joomlamz, 23 May 2026, 08:45



Category: Tutorials | FreeCodeCamp Premium
Main language: Portuguese (technology content)

Tutorial content / step-by-step guide:
-------------------------------------------------------------------------
Most engineers assume their Kubernetes cluster encrypts all of its traffic. It doesn't. The commands you run with kubectl are encrypted: your client and the API server speak TLS. The API server talking to etcd is usually encrypted too, depending on how the cluster was provisioned.

But traffic between your pods? Plaintext by default. Ingress traffic from the internet to your services? Only encrypted if you explicitly configure TLS. And certificates for internal services? You have to provision those yourself.

This is not a Kubernetes oversight. It's a deliberate design choice — Kubernetes provides the primitives and leaves the implementation to you. The problem is that certificate management is notoriously painful. Certificates expire. Provisioning them manually doesn't scale. Forgetting to rotate them causes outages.

cert-manager solves this. It runs as a controller inside your cluster, watches for Certificate resources, requests certificates from the issuers you configure, stores the resulting key pair in a Kubernetes Secret, and renews it automatically before it expires. You declare what you want; cert-manager makes it happen and keeps it that way.
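The core model in one manifest, as an added example that is not from the original article or the cert-manager project: a ClusterIssuer pointing at Let's Encrypt's staging endpoint, a Certificate that asks it for one hostname, and an Ingress that serves the Secret cert-manager writes. The domain app.example.com, the contact address, the Secret and resource names, and the backend Service called app are assumptions; replace them with your own.

```yaml
# Added example, not code from the original article. Names, domain and
# e-mail address below are assumptions for illustration.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging first: relaxed rate limits, and a mistake here does not burn
    # production quota. Its certificates chain to an untrusted test CA.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com                      # assumption
    privateKeySecretRef:
      name: letsencrypt-staging-account-key     # ACME account key, generated by cert-manager
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx               # cert-manager 1.12+; older releases use `class: nginx`
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-example-com
  namespace: default
spec:
  secretName: app-example-com-tls               # tls.crt and tls.key land here
  dnsNames:
  - app.example.com                             # assumption
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                      # fresh key on every renewal, not just a new cert
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: default
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.com
    secretName: app-example-com-tls             # must match Certificate.spec.secretName
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app                           # assumption
            port:
              number: 80
```

Apply it with kubectl apply -f, then watch `kubectl get certificate -n default` until READY is True; if it stays False, `kubectl describe certificaterequest -n default` and `kubectl describe challenge -n default` show why the HTTP-01 validation failed (the usual cause is that Let's Encrypt cannot reach the Ingress on port 80 for that hostname). Browsers will warn on the staging certificate; once the flow works, create a second ClusterIssuer with the production server https://acme-v02.api.letsencrypt.org/directory and switch issuerRef to it. Without the explicit Certificate, the annotation cert-manager.io/cluster-issuer on the Ingress makes cert-manager's ingress-shim create an equivalent one for you.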

In this article you'll work through how cert-manager's core model works, automate public Ingress TLS using Let's Encrypt, set up an internal Certificate Authority for service-to-service encryption, and understand how certificate rotation works so outages caused by expired certificates become a thing of the past.

Prerequisites

• A kind cluster with the nginx Ingress controller installed

• Helm 3 installed

• A domain name with DNS you control, needed for the Let's Encrypt demo; for HTTP-01 the hostname must resolve to an address where Let's Encrypt can reach your Ingress on port 80, and DNS-01 needs API credentials for the DNS provider instead

• Basic understanding of TLS: you know what a certificate, a private key, and a CA are

All demo files are in the DevOps-Cloud-Projects GitHub repository.

Table of Contents

• What Is and Isn't Encrypted in Kubernetes

• How cert-manager Works

• The Four Core Resources

• Issuers and ClusterIssuers

• The Certificate Lifecycle

• ACME Challenges: HTTP-01 vs DNS-01

• Demo 1 — Install cert-manager and Issue a Let's Encrypt Certificate

• How to Get a Wildcard Certificate with DNS-01

• Demo 2 — Set Up an Internal CA for Service-to-Service TLS

• How Certificate Rotation Works

• Cleanup

• Conclusion

What Is and Isn't Encrypted in Kubernetes?

Before installing anything, it's worth being precise about what the cluster already protects and what it leaves open.

Traffic path                Encrypted by default?   Notes
kubectl → API server        Yes                     TLS with the cluster CA
API server → etcd           Usually                 Depends on the cluster provisioner; verify with your setup
API server → kubelet        Yes                     TLS, but whether the API server verifies the kubelet's serving certificate depends on configuration
Pod → Pod (same cluster)    No                      Plaintext unless you add a service mesh or mTLS
Internet → Ingress          No                      Opt-in; requires TLS configuration on the Ingress resource
Pod → Kubernetes API        Yes                     TLS with the cluster CA bundle mounted in the pod; the service account token handles authentication, not encryption

The two gaps that matter most in practice are pod-to-pod traffic and Ingress TLS. This article covers both Ingress TLS with Let's Encrypt and internal service-to-service encryption using a private CA.
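For the pod-to-pod gap, the private-CA side of the picture, as an added example that is not from the original article or the cert-manager project: a self-signed bootstrap Issuer produces a root CA Certificate, a CA ClusterIssuer signs with it, and a workload Certificate gets a leaf for its in-cluster DNS name. The namespace payments, the Service name, the durations and the resource names are assumptions.

```yaml
# Added example, not code from the original article. Namespace, names and
# lifetimes are assumptions chosen for illustration.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-bootstrap
  namespace: cert-manager                        # CA secret must live where the ClusterIssuer looks
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: internal-root-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: internal-root-ca
  secretName: internal-root-ca                   # holds the CA key pair; restrict RBAC on it
  duration: 87600h                               # 10 years; only the leaves rotate often
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-root-ca                 # read from the cert-manager namespace
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-tls
  namespace: payments                            # assumption
spec:
  secretName: payments-tls                       # tls.crt, tls.key and ca.crt for the pod to mount
  dnsNames:
  - payments.payments.svc.cluster.local          # Service DNS names, not a public domain
  - payments.payments.svc
  usages:
  - server auth
  - client auth                                  # same leaf can authenticate outbound calls (mTLS)
  duration: 720h                                 # 30-day leaf
  renewBefore: 240h                              # reissued 10 days before expiry
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
```

cert-manager only provisions here; it does not make traffic encrypted. Each workload still has to load tls.crt and tls.key from the mounted Secret, and every client that calls it has to trust the CA in ca.crt, which means distributing that bundle to callers (a ConfigMap, or a tool such as trust-manager) and configuring them to verify. Check the result with `kubectl get certificate -n payments` and inspect the chain with `kubectl get secret payments-tls -n payments -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -issuer -dates`.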

How cert-manager Works

cert-manager is a Kubernetes operator. It extends the Kubernetes API with custom resources that represent certificate requests and their configuration. When you create a Certificate resource, cert-manager's controller pi

... [The tutorial continues at the link below] ...

