Deploy cert-manager + Let's Encrypt on Kubernetes: Secure NGINX Ingress

Automate production-grade HTTPS routing by deploying an NGINX web server secured with cert-manager and Let's Encrypt. This NGINX Kubernetes template configures automated HTTP-01 challenge completion to dynamically provision and renew SSL certificates. Implementing this setup solves the overhead of manual certificate management for developers looking to deploy NGINX on Kubernetes with native TLS termination.
| Component | Type | Port | Role |
|---|---|---|---|
| default | Namespace | N/A | Isolates the application resources within the cluster |
| letsencrypt-production | ClusterIssuer | N/A | Authenticates with Let's Encrypt to issue certificates cluster-wide |
| production-web-app | Deployment | 80 | Runs two replicas of the lightweight NGINX Alpine web server container |
| production-web-service | Service | 80 | Exposes the NGINX pods internally inside the cluster network |
| production-secure-ingress | Ingress | 80, 443 | Routes external traffic, enforces SSL redirection, and triggers TLS generation |
The Ingress controller handles external HTTPS traffic on port 443, automatically terminating TLS using certificates stored in a dedicated Secret vault. Inside the cluster, the Ingress forwards unencrypted traffic to the internal Service on port 80, which load-balances requests across the active web server pods. When the Ingress manifest applies, cert-manager detects the cluster issuer annotation and communicates with the ACME API to solve the network challenge, dynamically creating the TLS secret without manual file creation.
api.yourcompany.com in the Ingress specification with your actual public domain name.kubectl get certificate api-production-tls-vault to verify that the certificate resource status is ready.kubectl get secret api-production-tls-vault to confirm that cert-manager imperatively created and populated the cryptographic keys.curl -v https://your-domain.com and verify that the handshake completes successfully over TLS.This template configures an automated NGINX web server deployment complete with an active Ingress route and a self-renewing Let's Encrypt TLS certificate lifecycle.