Optional but Recommended: This guide replaces the default self-signed certificate with a valid Let’s Encrypt certificate, eliminating browser security warnings for deployments.
After completing this guide, all deployments receiving Akash Provider hostnames within *.ingress.<yourdomain> will automatically have a valid Let’s Encrypt certificate.
Time: 20-30 minutes
STEP 1 - Install Cert-Manager
Add Jetstack Helm Repository
helm repo add jetstack https://charts.jetstack.io
helm repo update
Install Cert-Manager
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.19.1 \
  --set crds.enabled=true
Verify Installation
kubectl -n cert-manager get pods
Expected output:
NAME                          READY   STATUS    RESTARTS   AGE
cert-manager-xxx              1/1     Running   0          2m
cert-manager-cainjector-xxx   1/1     Running   0          2m
cert-manager-webhook-xxx      1/1     Running   0          2m
STEP 2 - Configure DNS Provider
Choose your DNS provider:
Create API Token
- Log into Cloudflare dashboard
- Go to “My Profile” → “API Tokens” → “Create Token”
- Use “Custom token” template
- Set permissions:
  - Zone - DNS - Edit
  - Zone - Zone - Read
- Zone Resources: Include - All Zones
- Copy the generated token
Create Secret
cat > cloudflare-secret.yaml << 'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: your-cloudflare-api-token
EOF
kubectl apply -f cloudflare-secret.yaml
Create ClusterIssuer
cat > letsencrypt-issuer.yaml << 'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: your-email@example.com # Replace with your email
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-issuer-account-key
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            key: api-token
            name: cloudflare-api-token-secret
          email: your-email@example.com # Replace with your email
      selector:
        dnsZones:
        - 'example.com'
        - 'ingress.example.com'
EOF
kubectl apply -f letsencrypt-issuer.yaml
Create Service Account in GCP
- Create Role:
  - Name: DNS Administrator Limited
  - ID: dns.admin.light
  - Permissions:
    - dns.resourceRecordSets.*
    - dns.changes.*
    - dns.managedZones.list
- Create Service Account:
  - Name: dns01-solver
  - Assign the role created above
- Download Service Account Key (JSON format)
Create Secret
# Base64 encode the service account key
cat your-gcp-service-account-key.json | base64 | tr -d '\n'
# Create the secret
cat > gcp-dns-secret.yaml << 'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: clouddns-gcp-dns01-solver-sa
  namespace: cert-manager
type: Opaque
data:
  key.json: <your-base64-encoded-service-account-key>
EOF
kubectl apply -f gcp-dns-secret.yaml
Create ClusterIssuer
cat > letsencrypt-issuer.yaml << 'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: your-email@example.com # Replace with your email
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-issuer-account-key
    solvers:
    - dns01:
        cloudDNS:
          project: "your-gcp-project-id"
          serviceAccountSecretRef:
            name: clouddns-gcp-dns01-solver-sa
            key: key.json
EOF
kubectl apply -f letsencrypt-issuer.yaml
STEP 3 - Request Wildcard Certificate
Create a wildcard certificate for your ingress domain:
cat > wildcard-cert.yaml << 'EOF'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-yourdomain-com
  namespace: ingress-nginx
spec:
  secretName: wildcard-yourdomain-com-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: '*.yourdomain.com'
  dnsNames:
  - '*.yourdomain.com'
  - '*.ingress.yourdomain.com'
EOF
kubectl apply -f wildcard-cert.yaml
Important: Replace yourdomain.com with your actual domain. Keep the *.ingress. prefix as-is (wildcards don’t work for sub-sub domains per RFC 2818).
Verify Certificate
kubectl -n ingress-nginx get certificate
kubectl -n ingress-nginx describe certificate wildcard-yourdomain-com
Wait for the certificate to show Ready: True (may take 1-2 minutes).
STEP 4 - Configure Ingress Controller
Update your ingress-nginx configuration to use the wildcard certificate:
Update Configuration
Edit your existing ingress-nginx-custom.yaml:
nano /root/ingress-nginx-custom.yaml
Add the extraArgs section:
controller:
  extraArgs:
    enable-ssl-passthrough: true
    default-ssl-certificate: "ingress-nginx/wildcard-yourdomain-com-tls" # Add this line
  service:
    type: ClusterIP
  # ... rest of your existing config
Upgrade Ingress Controller
helm upgrade ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  -f /root/ingress-nginx-custom.yaml
STEP 5 - Verify SSL Certificates
Test Wildcard Certificate
echo "" | openssl s_client -connect test.ingress.yourdomain.com:443 -showcerts 2>&1 | \
  openssl x509 -issuer -subject -dates -noout -text | \
  grep -E '(Issuer:|Subject:|Not Before:|Not After :|DNS:)'
Expected output:
Issuer: C = US, O = Let's Encrypt, CN = R3
Not Before: Nov 28 10:40:06 2025 GMT
Not After : Feb 26 10:40:05 2026 GMT
Subject: CN = *.yourdomain.com
DNS:*.ingress.yourdomain.com, DNS:*.yourdomain.com
If you see “Kubernetes Ingress Controller Fake Certificate”, the cert hasn’t been issued yet or ingress-nginx didn’t pick it up.
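The single-label wildcard rule from Step 3 and the fake-certificate check above, as an added shell example that is not part of the original guide. The helper names wildcard_match and classify_cert are hypothetical, and the sample outputs are constructed from the expected output shown in this step.

```shell
#!/bin/sh
# Added example: interpret the Step 5 openssl output for one hostname.

# wildcard_match HOST PATTERN -> exit 0 if PATTERN covers HOST.
# A leading "*." stands for exactly one label (RFC 2818), so
# *.yourdomain.com does not cover test.ingress.yourdomain.com.
wildcard_match() (
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pat in
    '*.'*)
      suffix=${pat#'*.'}
      first=${host%%.*}   # leftmost label of the host
      rest=${host#*.}     # host with that label removed
      [ -n "$first" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ] ;;
    *) [ "$host" = "$pat" ] ;;
  esac
)

# classify_cert HOST OUTPUT -> prints FAKE, OK or NOT_COVERED.
# OUTPUT is the text produced by the openssl | grep pipeline in Step 5.
classify_cert() (
  set -f   # SAN patterns contain "*"; keep the shell from globbing them
  case $2 in
    *"Kubernetes Ingress Controller Fake Certificate"*) echo FAKE; exit 0 ;;
  esac
  sans=$(printf '%s\n' "$2" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p')
  for pat in $sans; do
    if wildcard_match "$1" "$pat"; then echo OK; exit 0; fi
  done
  echo NOT_COVERED
)

# Constructed sample outputs (not captured from a real provider).
SAMPLE_OK='Issuer: C = US, O = Let'\''s Encrypt, CN = R3
Subject: CN = *.yourdomain.com
DNS:*.ingress.yourdomain.com, DNS:*.yourdomain.com'
SAMPLE_FAKE='Subject: O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
DNS:ingress.local'

classify_cert test.ingress.yourdomain.com "$SAMPLE_OK"     # OK
classify_cert a.b.ingress.yourdomain.com "$SAMPLE_OK"      # NOT_COVERED
classify_cert test.ingress.yourdomain.com "$SAMPLE_FAKE"   # FAKE
```

To check a live endpoint, pass the output of the Step 5 pipeline as the second argument in place of the sample variable.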
Check All Certificates
kubectl get certificates,certificaterequests,orders,challenges -A
Troubleshooting
Certificate Not Issuing
Check cert-manager logs:
kubectl -n cert-manager logs -l app=cert-manager
Check certificate status:
kubectl -n ingress-nginx describe certificate wildcard-yourdomain-com
kubectl -n ingress-nginx get certificaterequest
DNS-01 Challenge Failing
Verify API token secret:
kubectl -n cert-manager get secret cloudflare-api-token-secret -o yaml
Check token has correct permissions in Cloudflare dashboard:
- Zone - DNS - Edit
- Zone - Zone - Read
- Zone Resources: All Zones
Verify service account secret:
kubectl -n cert-manager get secret clouddns-gcp-dns01-solver-sa -o yaml
Check service account has DNS admin permissions in GCP:
- dns.resourceRecordSets.*
- dns.changes.*
- dns.managedZones.list
Still Seeing Fake Certificate
Wait 2-3 minutes for cert-manager to issue the certificate, then restart ingress-nginx:
kubectl -n ingress-nginx rollout restart deployment ingress-nginx-controller
Next Steps
Your provider now has automatic SSL certificates for all deployments!
Resources:
- Cert-Manager Documentation - Official cert-manager docs
- Let’s Encrypt - Free SSL certificate authority