Get TLS for OpenFaaS the easy way with k3sup

TLS certificates are offered for free by LetsEncrypt and cert-manager, a popular tool from Jetstack makes the management and renewal automatic. The tooling changes often and even experienced Kubernetes users find the process confusing.

For that reason there is documentation on the OpenFaaS website for how to configure a TLS certificate for your OpenFaaS Gateway. Once in place, traffic between your users and your Kubernetes cluster is encrypted.

Today I'll show you how to bootstrap everything from scratch on a managed Kubernetes service using one tool: k3sup. k3sup began life as an easy way to automate k3s clusters, but now it can install helm charts to any compliant cluster.

Provision your Kubernetes cluster

You can provision a cluster wherever you want, whether that be Google Kubernetes Engine, DigitalOcean Kubernetes, AWS EKS or somewhere else.

I suggest you create a cluster with DigitalOcean since it's fast, cheap, and a fully managed cluster. Once you have everything working, move on to your preferred choice for your company or team.

Product page for: DOKS

  • Setup a cluster in your preferred region with around 2-4GB RAM total and at least 2x vCPUs.
  • Download your KUBECONFIG file and run export KUBECONFIG=~/Downloads/kube.config (replace the path with the actual name)

Get k3sup

k3sup can be used to create Kubernetes clusters using k3s, and to add apps. The way an app is installed is by using its helm chart to generate YAML manifest files and then apply them. This process bypasses tiller completely, something which will be deprecated in helm 3.

curl -SLsf | sudo sh

You'll get a new binary k3sup in /usr/local/bin/

Install nginx IngressController

We need an IngressController to use with cert-manager, so let's install nginx-ingress.

k3sup app install nginx-ingress

Install cert-manager

k3sup app install cert-manager

This command installs JetStack's cert-manager using the helm chart, but without tiller.

Install openfaas

k3sup app install openfaas

This command installs OpenFaaS using the helm chart, but without tiller. Try the output given by k3sup to check the installation worked correctly.

Configure your Ingress

Let's say that you have a domain called If you don't have a domain yet, just buy one from Google Domains or from They start at under 2 USD, so there is no reason not to.

We'll use a sub-domain of openfaas so the full address would be:

export DOMAIN=openfaas.$TOP_DOMAIN

export EMAIL=webmaster@$DOMAIN
k3sup app install openfaas-ingress \
 --domain $DOMAIN \
 --email $EMAIL

This creates an Issuer with your email address and an Ingress record, which cert-manager will use to create your TLS certificate automatically.

Update your DNS record

In order for the certificate to be issued, your new LoadBalancer created for Nginx needs to point at the domain name you used in the previous step i.e. echo $DOMAIN.

Now find the IP with kubectl get svc - you'll see Nginx has an EXTERNAL-IP.

  • For EKS create a DNS CNAME record for the DNS entry given
  • For all other cluster create a DNS A record with the IP given

If you have the DigitalOcean CLI installed doctl then you can run:

export IP="" # populate from above
doctl compute domain create $DOMAIN --ip-address $IP

Wait a little

You now need to wait for your DNS entry to propagate and for cert-manager to obtain a certificate.

Check how things are going with:

kubectl logs deploy/cert-manager -n cert-manager -f

Log-in to OpenFaaS with TLS

export OPENFAAS_URL=https://$DOMAIN

PASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode; echo)

echo $PASSWORD | faas-cli login -s

faas-cli store deploy nodeinfo
faas-cli list -v

faas-cli invoke figlet

You can also open the OpenFaaS UI over an encrypted connection:

echo Open a browser at https://$DOMAIN


Wrapping up

When I proposed that k3sup should configure TLS for OpenFaaS in a single command, it was because I wanted to make the whole process less painful and repetitive, and to guard users from the many breaking changes we've seen in cert-manager over the course of the last 12 months.

I think I achieved that aim, but make up your own mind. Compare the following with the single line we typed in above:

Interest in OpenFaaS and k3sup is growing rapidly, so for me it's even more important that users have easy access to TLS certificates to encrypt their traffic.

If you'd like to see new "apps" (helm charts) supported in k3sup, then let me know on the GitHub repository and add your ⭐️ to show support.

Keep on learning with:

Or connect with the community on Slack and Twitter, happy #FaaSFriday!

Alex Ellis

Read more posts by this author.

Subscribe to alex ellis' blog

Get the latest posts delivered right to your inbox.

or subscribe via RSS with Feedly!