Kubernetes Setup
For Kubernetes clusters and Ingress-based deployments.
Use cert-manager with External Account Binding (EAB).
Basics
- Certificates and keys usually live as Kubernetes Secrets.
- HTTPS is usually handled by an Ingress Controller such as NGINX Ingress or Traefik.
- The EAB MAC key must be stored as a Secret, not in a public repository.
1. Install cert-manager
Helm example:
```bash
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true
```
2. Create EAB Secret
```bash
kubectl create secret generic 12ssl-eab \
  --namespace cert-manager \
  --from-literal=secret="your EAB MAC key"
```
3. Create ClusterIssuer
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: 12ssl-acme
spec:
  acme:
    email: "your email address"
    server: "your Server URL"
    privateKeySecretRef:
      name: 12ssl-acme-account-key
    externalAccountBinding:
      keyID: "your EAB MAC ID"
      keySecretRef:
        name: 12ssl-eab
        key: secret
```
Apply it:
```bash
kubectl apply -f clusterissuer.yaml
```
4. Ingress Example
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
  annotations:
    cert-manager.io/cluster-issuer: 12ssl-acme
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-com-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 80
```
5. Check
```bash
kubectl describe certificate
kubectl get secret example-com-tls
curl -I https://example.com
```
Traefik Note
Traefik supports ACME directly, but using cert-manager centrally is usually easier to audit, rotate, and reuse across Ingress resources.
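A cross-check of the three objects from steps 2 to 4 (EAB Secret, ClusterIssuer, Ingress), added here as an example that is not part of the original page or of cert-manager: it takes the items from `kubectl get clusterissuer,secret,ingress -A -o json` and reports the reference mismatches that otherwise surface only as failed Certificate events, such as a `keySecretRef.key` that does not match the data key the Secret was created with. That ClusterIssuer secrets are resolved in the `cert-manager` namespace is an assumption (it matches the install above but is configurable).

```python
import json

ANNOTATION = "cert-manager.io/cluster-issuer"
# Assumed namespace in which cert-manager resolves ClusterIssuer secret references (configurable).
CLUSTER_RESOURCE_NS = "cert-manager"

def check_manifests(items):
    """Cross-check ClusterIssuers, Secrets and Ingresses; return the problems found."""
    problems = []
    issuers = {o["metadata"]["name"] for o in items if o["kind"] == "ClusterIssuer"}
    secrets = {(o["metadata"]["namespace"], o["metadata"]["name"]): o.get("data", {})
               for o in items if o["kind"] == "Secret"}
    for o in items:
        kind, meta, name = o["kind"], o["metadata"], o["metadata"]["name"]
        if kind == "ClusterIssuer":
            eab = o["spec"].get("acme", {}).get("externalAccountBinding")
            if not eab:  # this CA requires EAB, so registration would fail without it
                problems.append(f"ClusterIssuer {name}: missing externalAccountBinding")
                continue
            ref, key = eab["keySecretRef"], eab["keySecretRef"].get("key")
            data = secrets.get((CLUSTER_RESOURCE_NS, ref["name"]))
            if data is None:
                problems.append(f"ClusterIssuer {name}: Secret {CLUSTER_RESOURCE_NS}/{ref['name']} not found")
            elif key not in data:  # e.g. --from-literal=eab-key=... but keySecretRef.key: secret
                problems.append(f"ClusterIssuer {name}: Secret {ref['name']} has no data key {key!r}")
        elif kind == "Ingress":
            issuer = meta.get("annotations", {}).get(ANNOTATION)
            if issuer not in issuers:
                problems.append(f"Ingress {name}: unknown ClusterIssuer {issuer!r}")
            rule_hosts = {r.get("host") for r in o["spec"].get("rules", [])}
            for tls in o["spec"].get("tls", []):
                if not tls.get("secretName"):  # without it cert-manager creates no Certificate
                    problems.append(f"Ingress {name}: tls entry without secretName")
                for host in tls.get("hosts", []):
                    if host not in rule_hosts:
                        problems.append(f"Ingress {name}: tls host {host} has no matching rule")
    return problems

# Constructed sample: this page's manifests as `kubectl get ... -o json` items, except that
# the EAB Secret was created under data key "eab-key" instead of "secret".
SAMPLE = json.loads('''{"items": [
 {"kind": "Secret", "metadata": {"namespace": "cert-manager", "name": "12ssl-eab"}, "data": {"eab-key": "x"}},
 {"kind": "ClusterIssuer", "metadata": {"name": "12ssl-acme"}, "spec": {"acme": {"externalAccountBinding":
   {"keyID": "your EAB MAC ID", "keySecretRef": {"name": "12ssl-eab", "key": "secret"}}}}},
 {"kind": "Ingress", "metadata": {"name": "example", "annotations": {"cert-manager.io/cluster-issuer": "12ssl-acme"}},
  "spec": {"tls": [{"hosts": ["example.com"], "secretName": "example-com-tls"}], "rules": [{"host": "example.com"}]}}]}''')["items"]

if __name__ == "__main__":
    print("\n".join(check_manifests(SAMPLE)) or "no problems found")
```

To run it against a live cluster, replace `SAMPLE` with `json.load(sys.stdin)["items"]` and pipe in the `kubectl get ... -o json` output.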