KubeKanvas Logo
  • Features
  • Pricing
  • Templates
    • How KubeKanvas works
    • Docs
    • Downloads
    • Blog
    • E-Book
    • Tutorials
  • FAQs
  • Contact
  • Features
  • Pricing
  • Templates
    • How KubeKanvas works
    • Docs
    • Downloads
    • Blog
    • E-Book
    • Tutorials
  • FAQs
  • Contact
Back to Templates

Deploy cert-manager + Let's Encrypt on Kubernetes: Secure NGINX Ingress

Created by:
Siddiqui
Deploy cert-manager + Let's Encrypt on Kubernetes: Secure NGINX Ingress template preview
0 uses
KubeKanvas Logo
Visual Kubernetes cluster design tool that helps you create, manage, and deploy your applications with ease.
Product
  • Features
  • Pricing
  • Templates
Resources
  • Blog
  • Tutorials
Company
  • About Us
  • Contact
  • Terms of Service
  • Privacy Policy
  • Responsible AI Policy
  • Impressum
XGitHubLinkedIn
© 2026 KubeKanvas. All rights reserved.

Automate production-grade HTTPS routing by deploying an NGINX web server secured with cert-manager and Let's Encrypt. This NGINX Kubernetes template configures automated HTTP-01 challenge completion to dynamically provision and renew SSL certificates. Implementing this setup solves the overhead of manual certificate management for developers looking to deploy NGINX on Kubernetes with native TLS termination.

What's Included

ComponentTypePortRole
defaultNamespaceN/AIsolates the application resources within the cluster
letsencrypt-productionClusterIssuerN/AAuthenticates with Let's Encrypt to issue certificates cluster-wide
production-web-appDeployment80Runs two replicas of the lightweight NGINX Alpine web server container
production-web-serviceService80Exposes the NGINX pods internally inside the cluster network
production-secure-ingressIngress80, 443Routes external traffic, enforces SSL redirection, and triggers TLS generation

Architecture Overview

The Ingress controller handles external HTTPS traffic on port 443, automatically terminating TLS using certificates stored in a dedicated Secret vault. Inside the cluster, the Ingress forwards unencrypted traffic to the internal Service on port 80, which load-balances requests across the active web server pods. When the Ingress manifest applies, cert-manager detects the cluster issuer annotation and communicates with the ACME API to solve the network challenge, dynamically creating the TLS secret without manual file creation.

Prerequisites

  • An active Kubernetes cluster with an NGINX Ingress Controller installed.
  • Administrative control over a public domain name with an A Record pointing to your cluster's public IP address.
  • The cert-manager controller system installed and active in the cluster.
  • KubeKanvas CLI installed and running on your computer (Optional, if you want to use one-click deployment)

How to Deploy

  1. Open the configuration manifest and update the email field in the ClusterIssuer block to your active DevOps alerts email address.
  2. Replace all instances of api.yourcompany.com in the Ingress specification with your actual public domain name.
  3. Deploy the template to your cluster via the Play button in the top right bar. If you prefer to deploy manually, download the YAML and apply it with kubectl.
  4. Wait for all pods to reach Running status. You can monitor progress in the Release Monitor screen.

How to Test

  1. Run kubectl get certificate api-production-tls-vault to verify that the certificate resource status is ready.
  2. Execute kubectl get secret api-production-tls-vault to confirm that cert-manager imperatively created and populated the cryptographic keys.
  3. Send a verbose curl request to your public endpoint using curl -v https://your-domain.com and verify that the handshake completes successfully over TLS.

Use Cases

  • Secure Static Site Hosting: Hosting lightweight web assets or documentation behind a secure, automated reverse proxy.
  • Ingress Validation Testing: Verifying the correctness of cluster-wide cert-manager and Ingress controller integrations before deploying heavy applications.
  • Automated Renewal Pipelines: Setting up hands-free certificate lifecycles for public-facing microservices that require continuous uptime.
  • Production Boilerplate Blueprint: Serving as a clean, standardized foundation for deploying encrypted containerized applications.

Summary

This template configures an automated NGINX web server deployment complete with an active Ingress route and a self-renewing Let's Encrypt TLS certificate lifecycle.