SSL/TLS & HTTPS with Cert Manager
We briefly touched on TLS and HTTPS in an earlier section when configuring our Nginx Ingress controller. We will further expand on that in this section, and introduce cert-manager. We’ll use cert-manager to issue and manage a certificate using Let’s Encrypt for our WordPress application Ingress.
Note: all code samples from this section are available on GitHub.
Simple TLS
TLS certificates are native to Kubernetes: they are stored as a Secret of type kubernetes.io/tls. As demonstrated in an earlier section, you can create these secrets from .crt and .key files, for example:
$ kubectl create secret tls wordpress-tls \
--key example.key --cert example.crt
secret/wordpress-tls created
Your WordPress Ingress can then reference this certificate using a tls section in the manifest:
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.org
    secretName: wordpress-tls
This is quite useful for self-signed and long-lived certificates, since you can import them into your cluster fairly easily. However, managing a large number of them quickly becomes tedious, especially with short-lived certificates in the mix, such as those from Let’s Encrypt. Forgetting to renew or update a certificate can cause downtime.
This is a problem that cert-manager tries to address.
What is cert-manager?
cert-manager is a certificate controller for Kubernetes. It ships as a set of CRDs (Issuers, Certificates, Challenges, etc.) plus the services and deployments that act on them, and it takes care of requesting and renewing certificates from an Issuer such as Let’s Encrypt.
You can use Helm to configure and install cert-manager, or install it with its default settings using kubectl:
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml
Next, we’ll need to define one or more Issuers. We’ll use Let’s Encrypt for this tutorial, and define two issuers: staging and production. Here’s our letsencrypt-staging.issuer.yml manifest:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: [email protected]
    profile: tlsserver
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
This will generate a new ACME account private key, stored in a Secret called letsencrypt-staging, and use it to register a client with Let’s Encrypt under the provided email address. It’s important to use a real email address, as you may receive important communication from Let’s Encrypt about your usage.
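To show how the pieces fit together, here is an added example (not from the original article or its GitHub samples) of the production Issuer alongside the WordPress Ingress that asks cert-manager for its certificate. The names letsencrypt-prod, wordpress, example.org and the email address are assumptions; adjust them to your cluster.

```yaml
# Added example, not part of the original article. Names are assumptions.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Production directory: issues publicly trusted certificates but is
    # rate limited, so validate the setup against letsencrypt-staging first.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.org   # placeholder; use a mailbox you actually read
    profile: tlsserver
    privateKeySecretRef:
      name: letsencrypt-prod   # keep the ACME account key separate from staging
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  annotations:
    # Tells cert-manager to create a Certificate for the hosts under spec.tls
    # and store the issued chain in the Secret named by secretName.
    cert-manager.io/issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.org
    secretName: wordpress-tls   # created and renewed by cert-manager
  rules:
  - host: example.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: wordpress
            port:
              number: 80
```

An Issuer is namespaced, so the Ingress must live in the same namespace as letsencrypt-prod (use a ClusterIssuer with the cert-manager.io/cluster-issuer annotation otherwise). Once the http01 challenge succeeds, cert-manager writes the certificate into wordpress-tls and renews it before expiry, which is exactly the manual step from the Simple TLS section that it automates.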
This article is for premium members only. Memberships start from $125/year and unlock access to all existing and future content on kubeadm.org, including all reference architectures.