I am learning kubernetes and trying to setup letsencrypt for my web app.
I have bought a domain from amazon route 53. Lets just called it example.com
Then I go and create a cluster in azure, install all applications that needed:
- Install helm
choco install kubernetes-helm
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
- Apply
deployment.yml
file
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp1-deployment
spec:
replicas: 3
selector:
matchLabels:
app: myapp1
template:
metadata:
name: myapp1-pod
labels: # Dictionary
app: myapp1
spec:
containers: # List
- name: myapp1-container
image: stacksimplify/kubenginx:1.0.0
ports:
- containerPort: 80
- Apply
service.yml
apiVersion: v1
kind: Service
metadata:
name: myapp1-loadbalancer
labels:
app: myapp1
spec:
selector:
app: myapp1
ports:
- port: 80
targetPort: 80
- Apply
ingress.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myapp-ingress-demo
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: cluster-issuer-name
cert-manager.io/acme-challenge-type: http01
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: "example.com"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: myapp1-loadbalancer
port:
number: 80
tls:
- hosts:
- example.com
secretName: secret-name
In Azure portal, look for public Ip that is associated with the cluster that you created at the beginning. By default, when an k8 cluster is created, azure will create one public ip associated to this cluster. Look for it, go to front end configuration, and take note of the ip.
Run this command below, replace the ip that you have
# Use Helm to deploy an NGINX ingress controller
helm install ingress-nginx ingress-nginx/ingress-nginx
--set controller.replicaCount=2 \
--set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set controller.service.externalTrafficPolicy=Local \
--set controller.service.loadBalancerIP="YOUR IP"
9. If done correctly, you should have load balancer service running now. Verify it with kubernetes: `kubectl get svc`. Take note of this ip address for the load balancer
Go to Amazon route 53 dashboard, add a record with the ip address that you have at step 9 for your domain name that you have in
ingress.yml
Enjoy your work :)
Thank you
I have update my questions with steps on how to product the result. Thanks SOF for awesome support. Hopefully that if someone run into this issue again, they know how to configure it properly.
CodePudding user response:
You are missing few minor things which you might need to do and try updating once again.
URL in cluster issue is not for Prod you are using staging, i would recommend using the prod URL only for any case instead of the staging.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: [email protected]
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
Use : https://acme-v02.api.letsencrypt.org/directory
Second :
You have not attached your secret to ingress which ideally will be storing your TLS cert.
How process work is like,
cert-manager get the certificate and store it inside the kubernetes secret, in your case it will be, letsencrypt-staging you have mentioned in clusterissuer.
This secret also should be attached to ingress so that when anyone hits endpoint ingress use this cert for HTTPS traffic.
Full reference example:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
namespace: development
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: [email protected]
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name
in above example i have used the annotatino in ingress : cert-manager.io/cluster-issuer: cluster-issuer-name
it will trigger clusterissuer to generate cert whenever ingress is created, once cert is created it will be stored in K8s secret. so to attach SSL/TLS cert secret with ingress i have added TLS block at last of ingress YAML.
If you are applying my suggested changes you wont need to create this
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ssl-cert-staging
namespace: default
spec:
secretName: ssl-cert-staging
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
dnsNames:
- example.com
cert-manager will auto-create for you, you can remove this also and just apply above example snippet with minor changes required of name and etc.