Sela. | Cloud Better.

Cert-Manager with Kubernetes

When strategizing the migration of a customer's application from On-Premises or one Cloud to another Cloud Provider, the potential for Application Modernization always exists. Despite having all applications in the Cloud, there is always some room for improvement.

Rakesh Kanchalwar, Tech Lead - Cloud & DevOps at Sela

When strategizing the migration of a customer's application from On-Premises or one Cloud to another Cloud Provider, the potential for Application Modernization always exists. Despite having all applications in the Cloud, there is always some room for improvement. This improvement proposed due to several factors, as: 

  1. Disparities in the Infrastructure and Services available between On-Premises and Cloud. 
  2. Lack of awareness among customers of the tech team regarding the services offered by the new cloud provider. 
  3. Consideration of cost-effectiveness.  

Issue Overview 

One of our clients operates in the hospitality sector, engaging in both aspects B2C and B2B2C. In B2C services, end customer is catered by a web application. On the other hand, in B2B2C services, our client provides a way for small businesses to register as an agent and use the application to cater the end customers.  

In B2C, this application is served with our client’s own domain name, whereas in B2B2C, the application is served with the agent's own domain name. On an average, three to four agents register to B2B2C on a daily basis.  

Securing these domains with valid HTTPS certificates is essential for trusted communication. For B2C, it is simple to configure a client's certificate as it is already obtained. But, in case of agent domains, these certificates need to be acquired and renewed at runtime, as agents do not provide or maintain them.  

Cert-Manager 

To address the issue of certificate generation we used Cert-Manager. Cert-Manager is an open-source tool, specifically designed to work with Kubernetes. It handles operations for obtaining and renewing the certificates. 

It can issue certificates from variety of sources such as, 

It ensures issued certificates are valid and up to date. 
It also renews certificates at a configured time before expiry

Cert-Manager Documentation.  

 

 

Existing Implementation 

The current implementation involves Admin/Internal users registering agent domains using an Admin app. This app triggers Cert-Util applications to generate certificates and add their entries to the Nginx server. These certificates have a 90-day expiry as it is generated using "Let's Encrypt". Cert-Util also has this additional responsibility of renewing these certificates. On a daily basis, Cert-Util runs a script to check and renew certificates.  

All these applications were running on the same virtual machines, which in turn was causing the performance issue. 

To ease this load, additional Nginx instances had been provisioned, with each Nginx on an individual VM serving as a Name Server (NS). 

 

 

Solution Implementation 

As part of the Application Modernization process, we opted to leverage Google Kubernetes Engine (GKE). Given that the applications are already dockerized, migrating them to Kubernetes with the assistance of Helm charts required minimal configurations.  

For the given issue of certificate management, we replaced Nginx Installation on VM by Nginx Controller deployment on GKE. Also, we replaced Cert-Util with Cert-Manager deployment. Now Cert-Manager handles the certificate generation and renewal process by looking at the Ingress configurations.  

We also introduced a new application “Ingress Helper App”, it has the capability to execute kubectl commands on GKE. Whenever the Admin app receives the request to register a new Agent domain, it connects with the helper app and creates a Nginx Ingress entry on the Nginx Controller. 

 

 

To understand the process of Agent domain registration, consider following example. 

When Ingress Helper App receives a request from Admin App, it creates an ingress configuration and executes the kubectl command to create this ingress entry. Cert-Manager keeps looking for such ingress entries. As soon as it finds the ingress entry with “cert-manager.io/cluster-issuer” annotation, it raises a request for certificate generation. These generated certificates are then stored in Kubernetes secret.  

Below is the sample Ingress file, here Cert-Manager uses secretName to store the certificate in Kubernetes secret for agent1-domain

 

 

Depending on the usage of this certificate, Cert-Manager advises to use appropriate issuer value for the annotation “cert-manager.io/cluster-issuer”.  

  • letsencrypt-staging – Use it for testing and learning purposes, like when ingress is being recreated multiple times. 

 

 

  • letsencrypt-prod – Use it for actual certificate issuance.