Version: 0.7

Certificates

It's a common requirement to expose applications, either publicly or internally, with secure, TLS-encrypted endpoints.

Public web applications should be served over HTTPS, and it is also strongly recommended to encrypt traffic end to end for internal communication between your own applications and services, rather than terminating TLS only at the edge.

Kore installs and configures the cert-manager application in each managed Kubernetes cluster, which automatically creates and manages X.509 certificates (used by TLS) for Kubernetes Ingress objects and other requirements.

cert-manager

cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide certificates as a service to developers working within your Kubernetes cluster.

As an administrator you don't need to do any additional setup for cert-manager; Kore installs and configures it for you.

To learn more, see the cert-manager documentation.

Certificate issuers

In order to issue certificates, cert-manager requires an Issuer or ClusterIssuer object to be configured for each certificate authority you want to issue from. An Issuer can only be referenced by Certificates in the namespace where it was created, whereas a ClusterIssuer can be referenced from any namespace.

Kore automatically installs the following ClusterIssuers in every managed cluster.

ClusterIssuer: prod-le-dns01
  Recommended. Issuance normally takes 1-2 minutes. Uses Let's Encrypt to issue TLS certificates for HTTPS endpoints. Domain ownership is validated by cert-manager creating a DNS TXT record (_acme-challenge.<domain>) for the domain named in the certificate, so that domain must be in a DNS zone the cluster's cert-manager is permitted to update. This is also the only challenge type Let's Encrypt accepts for wildcard names.

ClusterIssuer: prod-le-http01
  Issuance normally takes 5-6 minutes. Uses Let's Encrypt to issue TLS certificates for HTTPS endpoints. Domain ownership is validated by cert-manager creating a temporary HTTP application that serves the validation token on a specific path (/.well-known/acme-challenge/) of the domain named in the certificate. This validation can only be used if there is an ingress controller called external that is reachable from the Internet, because Let's Encrypt fetches the token over plain HTTP on port 80.

ClusterIssuer: self-signed
  Generates self-signed certificates in the cluster. Self-signed certificates are commonly used to encrypt internal traffic between an application and the ingress controller. Clients will not trust them unless explicitly configured to, so they are not suitable for public endpoints.
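As an added example (not from the Kore documentation or the cert-manager project), the manifests below show how the issuer scoping described above and the installed ClusterIssuers are used in practice: one Certificate requests a public certificate from prod-le-dns01, a second requests a self-signed certificate for the hop between the ingress controller and the application, and an Ingress terminates TLS with the public certificate. The namespace (shop), hostname (shop.example.com), Service, Secret names and the ingress class name are hypothetical; prod-le-dns01 and self-signed are the ClusterIssuer names listed in the table.

```yaml
# Added example; not part of the Kore docs. Namespace, hostname, Service and
# Secret names, and the ingress class name "external" are hypothetical.

# 1. Public certificate via Let's Encrypt DNS-01 (ClusterIssuer prod-le-dns01).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: shop-public-tls
  namespace: shop
spec:
  secretName: shop-public-tls   # cert-manager writes tls.crt and tls.key here
  dnsNames:
    - shop.example.com
  issuerRef:
    name: prod-le-dns01
    kind: ClusterIssuer           # kind defaults to Issuer, which would be
    group: cert-manager.io        # looked up in the "shop" namespace and fail
  renewBefore: 720h               # Let's Encrypt certs last 90 days; renew
                                  # when 30 days remain
---
# 2. Self-signed certificate for the ingress-controller -> pod hop
#    (ClusterIssuer self-signed). Names match the Service so the ingress
#    controller can verify the backend's hostname if configured to.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: shop-internal-tls
  namespace: shop
spec:
  secretName: shop-internal-tls
  commonName: shop.shop.svc.cluster.local
  dnsNames:
    - shop.shop.svc.cluster.local
    - shop.shop.svc
  usages:
    - server auth
  issuerRef:
    name: self-signed
    kind: ClusterIssuer
    group: cert-manager.io
---
# 3. Ingress that terminates TLS with the public Secret. The class name
#    "external" assumes the Internet-facing controller is registered under
#    that name; check with "kubectl get ingressclass".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: shop
spec:
  ingressClassName: external
  tls:
    - hosts:
        - shop.example.com
      secretName: shop-public-tls   # same Secret as Certificate 1
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: shop
                port:
                  number: 443   # the pod serves HTTPS with shop-internal-tls
```

After applying the manifests, `kubectl get certificate -n shop` should show READY=True for both Certificates within the times listed in the table. If a Certificate stays not ready, `kubectl describe certificaterequest,order,challenge -n shop` shows where the ACME flow is stuck (for DNS-01, typically the `_acme-challenge.shop.example.com` TXT record not yet being visible). If you prefer not to write the first Certificate yourself, annotating the Ingress with `cert-manager.io/cluster-issuer: prod-le-dns01` makes cert-manager create an equivalent Certificate from the Ingress `tls:` section. Getting the ingress controller to speak HTTPS to the pod is controller-specific; with ingress-nginx, for example, that is the `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation, with the shop-internal-tls Secret mounted into the pod.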
Last updated on May 24, 2021