Kubernetes Nginx Ingress Controller LetsEncrypt-cert-manager,TLS

In this article we are going to cover Kubernetes Nginx Ingress Controller LetsEncrypt [cert-manager, TLS]: installing Helm 3 on a Kubernetes cluster, installing the Nginx Ingress Controller using Helm, and creating a Deployment and Service for an nginx app.

We also cover creating Nginx Ingress resources and exposing the apps, configuring cert-manager for Nginx Ingress, creating a Nginx Ingress Let's Encrypt TLS certificate, referencing that certificate in the Nginx Ingress, and pointing a domain name to the Nginx Ingress LoadBalancer.

Prerequisites:

  • Kubernetes Cluster with v1.19.0+

Follow the articles below to set up Kubernetes on AWS using the KOPS or kubeadm method

9 Steps to Setup Kubernetes on AWS using KOPS

How To Setup Kubernetes Cluster Using Kubeadm on Ubuntu 18.04/16.04 LTS

#1: Install Helm 3 on Kubernetes Cluster

Install Helm 3 on the Kubernetes cluster using the commands below

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

To check helm3 version

helm version

Output:

version.BuildInfo{Version:"v3.5.3", GitCommit:"041ce5a2c17a58be0fcd5f5e16fb3e7e95fea622", GitTreeState:"dirty", GoVersion:"go1.15.8"}

#2: Install Nginx Ingress Controller Kubernetes using Helm

Add the nginx ingress helm repo on the Kubernetes kops cluster. Follow the official Nginx ingress page to install the latest nginx ingress helm chart.

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

Update the helm repo

helm repo update

Install Nginx Ingress Controller Kubernetes KOPS using Helm 3

helm install ingress-nginx ingress-nginx/ingress-nginx

Output:

NAME: ingress-nginx
LAST DEPLOYED: wed Apr 21 07:10:01 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace default get services -o wide -w ingress-nginx-controller'

An example Ingress that makes use of the controller:

  apiVersion: networking.k8s.io/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    name: example
    namespace: foo
  spec:
    rules:
      - host: www.example.com
        http:
          paths:
            - backend:
                serviceName: exampleService
                servicePort: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
        - hosts:
            - www.example.com
          secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

To check nginx ingress controller

kubectl get services ingress-nginx-controller

Output:

NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP                                                               PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   100.65.85.238   a8e1355c94fdd438a9d207181b50ea1d-213346636.ap-south-1.elb.amazonaws.com   80:30710/TCP,443:31894/TCP   5m15s

#3. Creating Deployment and service for nginx app

Let's deploy the sample nginx app behind the nginx ingress controller

Create the nginx app deployment

sudo nano nginx-deploy.yml

Paste the below deployment

kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-app
  namespace: default
  labels:
    app: nginx-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-app
  template:
    metadata:
      labels:
        app: nginx-app
    spec:
      containers:
      - name: nginx
        image: "nginx"

Create the nginx app service

sudo nano nginx-svc.yml

paste the below code

apiVersion: v1
kind: Service
metadata:
  name: nginx-app
  namespace: default
spec:
  selector:
    app: nginx-app
  ports:
  - name: http
    targetPort: 80
    port: 80

Deploy the nginx app deployment and service on Kubernetes

kubectl create -f nginx-deploy.yml
kubectl create -f nginx-svc.yml

#4. Creating Nginx Ingress Resources and Exposing the apps

Let's create the nginx ingress resource on Kubernetes to expose the apps

sudo nano nginx-ingress.yml

Paste the below nginx app details. The service name here must match the name in nginx-svc.yml.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx   
spec:
  rules:
  - host: nginxapp.fosstechnix.info
    http:
      paths:
      - backend:
          service:
            name: nginx-app
            port:
              number: 80
        path: /
        pathType: Prefix

Deploy the nginx ingress resource on the Kubernetes cluster

kubectl create -f nginx-ingress.yml

To check Kubernetes pods using kubectl

kubectl get pods

Output:

kubectl get pods
NAME                                        READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-6f5454cbfb-2jvcf   1/1     Running   0          41m
nginx-app-d6ff45774-hp7s4  

To check kubernetes deployments using kubectl

kubectl get deploy

Output:

NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
ingress-nginx-controller   1/1     1            1           42m
nginx-app                  1/1     1            1           41m

To check Kubernetes service using kubectl

kubectl get svc

Output:

NAME                                 TYPE           CLUSTER-IP       EXTERNAL-IP                                                                PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   100.64.113.132   afbcd905b614842c29702ddd7481784d-1960968212.ap-south-1.elb.amazonaws.com   80:30375/TCP,443:31354/TCP   43m
ingress-nginx-controller-admission   ClusterIP      100.67.218.51    <none>                                                                     443/TCP                      43m
kubernetes                           ClusterIP      100.64.0.1       <none>                                                                     443/TCP                      48m
nginx-app                            ClusterIP      100.68.218.6     <none>                                                                     80/TCP                       42m

To check kubernetes ingress using kubectl

kubectl get ingress

Output:

NAME            CLASS    HOSTS                       ADDRESS                                                                    PORTS     AGE
nginx-ingress   <none>   nginxapp.fosstechnix.info   afbcd905b614842c29702ddd7481784d-1960968212.ap-south-1.elb.amazonaws.com   80, 443   42m

#5. Pointing Nginx Ingress Loadbalancer in Domain Name provider to Access app using Domain Name

To access your application in a browser you can either use the LoadBalancer URL directly or point your domain name at the LoadBalancer URL by adding a CNAME record at your domain provider.

Here we have added a CNAME record in GoDaddy for the domain nginxapp.fosstechnix.info

#6: Configure cert manager for Nginx Ingress

Once the nginx ingress controller setup is done on your Kubernetes cluster, install and configure cert-manager using the kubectl command below for Kubernetes version 1.16+

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml

Sample Output:

service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created

For Kubernetes versions <1.16

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager-legacy.yaml

This installs the cert-manager components on your k8s cluster

#7: Kubernetes Nginx Ingress Controller LetsEncrypt

To configure Kubernetes Nginx Ingress Controller LetsEncrypt, navigate to the cert-manager ACME ingress page, go to Configure Let’s Encrypt Issuer, copy the Let’s Encrypt issuer yml and change it as shown below.

sudo nano letsencrypt-issuer.yml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # ClusterIssuer is cluster-scoped, so it takes no namespace
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: YOUR_EMAIL_ADDRESS  # placeholder: replace with your own address
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx

kubectl apply -f letsencrypt-issuer.yml

We have deployed the Let’s Encrypt issuer, which issues certificates.

#8: Creating Nginx Ingress Let’s Encrypt TLS Certificate

Now let's create the Nginx Ingress Let’s Encrypt TLS certificate for your microservice.

sudo nano letsencrypt-cert.yml

Modify the Nginx Ingress Let’s Encrypt TLS certificate as per your microservice/domain name

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nginxapp.fosstechnix.info
  namespace: default
spec:
  # Secret that cert-manager creates to hold the issued certificate and key
  secretName: nginxapp.fosstechnix.info-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: nginxapp.fosstechnix.info
  dnsNames:
  - nginxapp.fosstechnix.info

kubectl apply -f letsencrypt-cert.yml

Once applied, cert-manager creates a Nginx Ingress Let's Encrypt TLS certificate for the domain nginxapp.fosstechnix.info and stores it in a Kubernetes secret.

Let's check that the certificate is created

kubectl get certificates nginxapp.fosstechnix.info 

Output:

kubectl get certificates nginxapp.fosstechnix.info
NAME                        READY   SECRET                          AGE
nginxapp.fosstechnix.info   True    nginxapp.fosstechnix.info-tls   32s

Let’s check the secret that holds the Nginx Ingress Let's Encrypt TLS certificate

kubectl get secrets nginxapp.fosstechnix.info-tls

Output:

kubectl get secrets nginxapp.fosstechnix.info-tls
NAME                            TYPE                DATA   AGE
nginxapp.fosstechnix.info-tls   kubernetes.io/tls   2      2m50s

We have covered Kubernetes Nginx Ingress Controller LetsEncrypt [cert-manager, TLS]

#9: Point Nginx Ingress Let’s Encrypt Certificate in Nginx Ingress

Now reference the generated Nginx Ingress Let’s Encrypt certificate in your Kubernetes nginx Ingress as shown below.

Add the cert-manager.io/cluster-issuer annotation and the tls section to the nginx ingress resource.

kubectl edit ingress nginx-ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
  creationTimestamp: "2021-04-22T03:20:24Z"
  generation: 2
  name: nginx-ingress
  namespace: default
  resourceVersion: "5902"
  uid: 62300582-7b91-4f56-a229-75f9664f9334
spec:
  rules:
  - host: nginxapp.fosstechnix.info
    http:
      paths:
      - backend:
          service:
            name: nginx-app
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - nginxapp.fosstechnix.info
    secretName: nginxapp.fosstechnix.info-tls
status:
  loadBalancer:
    ingress:
    - hostname: afbcd905b614842c29702ddd7481784d-1960968212.ap-south-1.elb.amazonaws.com

Here we have referenced the secret nginxapp.fosstechnix.info-tls and added the annotation cert-manager.io/cluster-issuer: letsencrypt-prod.

Note: the secret and certificate should be in the same namespace as the ingress.
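
The relationships this step depends on (every routed host listed under tls, the tls secretName matching the Certificate, both objects in one namespace, the Certificate Ready) can be checked mechanically. The script below is an added example, not part of the original article or of cert-manager; it assumes the two objects were exported with kubectl get ... -o json and loaded as Python dicts, and its function names are illustrative.

```python
# Added example: checks that an Ingress and a cert-manager Certificate agree.
# Inputs are `kubectl get ingress/certificate <name> -o json` objects as dicts.

def host_covered(host, names):
    """True if host equals a name or matches a single-label wildcard name."""
    for name in names:
        if name == host:
            return True
        # "*.example.com" covers "a.example.com" but not "a.b.example.com"
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False


def check_ingress_tls(ingress, cert):
    """Return a list of findings; an empty list means the objects line up."""
    findings = []
    ing_ns = ingress["metadata"].get("namespace", "default")
    cert_ns = cert["metadata"].get("namespace", "default")
    if ing_ns != cert_ns:
        findings.append(f"namespace mismatch: ingress={ing_ns} certificate={cert_ns}")

    tls = ingress["spec"].get("tls", [])
    secret = cert["spec"]["secretName"]
    entries = [e for e in tls if e.get("secretName") == secret]
    if not entries:
        findings.append(f"no spec.tls entry references secret {secret}")

    # A host that is routed but missing from spec.tls is not served this cert.
    tls_hosts = [h for e in tls for h in e.get("hosts", [])]
    for rule in ingress["spec"].get("rules", []):
        host = rule.get("host")
        if host and not host_covered(host, tls_hosts):
            findings.append(f"host {host} is routed but not listed under spec.tls")

    # Hosts bound to this secret must appear in the certificate's dnsNames.
    dns_names = cert["spec"].get("dnsNames", [])
    for host in (h for e in entries for h in e.get("hosts", [])):
        if not host_covered(host, dns_names):
            findings.append(f"host {host} is not in the certificate dnsNames")

    annotations = ingress["metadata"].get("annotations", {})
    issuer = annotations.get("cert-manager.io/cluster-issuer")
    if issuer and issuer != cert["spec"]["issuerRef"]["name"]:
        findings.append(f"annotation issuer {issuer} differs from issuerRef")

    conditions = cert.get("status", {}).get("conditions", [])
    if not any(c.get("type") == "Ready" and c.get("status") == "True" for c in conditions):
        findings.append("certificate is not Ready")
    return findings


# Constructed sample objects mirroring the manifests in this article.
HOST = "nginxapp.fosstechnix.info"
INGRESS = {
    "metadata": {"name": "nginx-ingress", "namespace": "default",
                 "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}},
    "spec": {"rules": [{"host": HOST}],
             "tls": [{"hosts": [HOST], "secretName": HOST + "-tls"}]},
}
CERT = {
    "metadata": {"name": HOST, "namespace": "default"},
    "spec": {"secretName": HOST + "-tls", "dnsNames": [HOST],
             "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}},
    "status": {"conditions": [{"type": "Ready", "status": "True"}]},
}

if __name__ == "__main__":
    for line in check_ingress_tls(INGRESS, CERT) or ["ingress and certificate are consistent"]:
        print(line)
```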

#10: Accessing Nginx Ingress Resources using Let’s Encrypt

Finally, the application site https://nginxapp.fosstechnix.info is served using Let’s Encrypt SSL.

https://nginxapp.fosstechnix.info

Conclusion:

We have covered Kubernetes Nginx Ingress Controller LetsEncrypt [cert-manager, TLS]: installing Helm 3 on a Kubernetes cluster, installing the Nginx Ingress Controller using Helm, and creating a Deployment and Service for an nginx app.

We also covered creating Nginx Ingress resources and exposing the apps, configuring cert-manager for Nginx Ingress, creating a Nginx Ingress Let’s Encrypt TLS certificate, referencing that certificate in the Nginx Ingress, and pointing a domain name to the Nginx Ingress LoadBalancer.


Install Traefik Ingress Controller on Kubernetes using Helm 3

In this article we are going to cover installing Helm 3 on a Kubernetes cluster and installing the Traefik Ingress Controller on Kubernetes using Helm 3.

We also cover creating Deployments and Services for an nginx app and a NodeJs app, creating Traefik Ingress resources and exposing the apps, pointing the Traefik Ingress LoadBalancer at the domain name provider, and accessing the Traefik dashboard.

Here we are installing Traefik 2 on the Kubernetes cluster.

Prerequisites:

  • Kubernetes KOPS Cluster with v1.19.0+

#1: Install Helm 3 on Kubernetes Cluster

Install Helm 3 on the Kubernetes cluster using the commands below

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

To check helm3 version

helm version

Output:

version.BuildInfo{Version:"v3.5.3", GitCommit:"041ce5a2c17a58be0fcd5f5e16fb3e7e95fea622", GitTreeState:"dirty", GoVersion:"go1.15.8"}

#2: Install Traefik Ingress Controller on Kubernetes using Helm 3

Add the Traefik ingress helm repo on the Kubernetes kops cluster. Follow the official Traefik ingress page to install the latest Traefik ingress helm chart.

helm repo add traefik https://helm.traefik.io/traefik

Update the helm repo

helm repo update

Install Traefik Ingress Controller on Kubernetes using Helm 3

helm install traefik traefik/traefik

To install Traefik in specific namespace use below commands

kubectl create ns traefik-v2
helm install --namespace=traefik-v2 \
    traefik traefik/traefik

To check Traefik ingress controller service

kubectl get svc

Output:

NAME         TYPE           CLUSTER-IP     EXTERNAL-IP                                                               PORT(S)                      AGE
kubernetes   ClusterIP      100.64.0.1     <none>                                                                    443/TCP                      9m35s
traefik      LoadBalancer   100.71.30.91   ad51e01b1a2064541852a2e6e8227e26-764563388.ap-south-1.elb.amazonaws.com   80:30915/TCP,443:32466/TCP   5m21s

We have covered Install Traefik Ingress Controller on Kubernetes using Helm 3

#3. Creating Deployment and service for nginx app and NodeJs app

Let's deploy the sample nginx and nodejs apps behind the Traefik ingress controller

#3.1. Creating Deployment and service for Nginx app

Create the nginx app deployment

sudo nano nginx-deploy.yml

Paste the below deployment

kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-web
  namespace: default
  labels:
    app: nginx-web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-web
  template:
    metadata:
      labels:
        app: nginx-web
    spec:
      containers:
      - name: nginx
        image: "nginx"

Create the nginx app service

sudo nano nginx-svc.yml

paste the below code

apiVersion: v1
kind: Service
metadata:
  name: nginx-web
  namespace: default
spec:
  selector:
    app: nginx-web
  ports:
  - name: http
    targetPort: 80
    port: 80

Deploy the nginx app deployment and service on Kubernetes

kubectl create -f nginx-deploy.yml
kubectl create -f nginx-svc.yml

#3.2. Creating Deployment and service for nodejs app

Create the nodejs app deployment

sudo nano nodejs-deploy.yml

paste the below code, here we are using sample nodejs AWS ECR image

kind: Deployment
apiVersion: apps/v1
metadata:
  name: nodejs-app
  namespace: default
  labels:
    app: nodejs-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nodejs-app
  template:
    metadata:
      labels:
        app: nodejs-app
    spec:
      containers:
      - name: nodejs-app
        image: "908198849120.dkr.ecr.ap-south-1.amazonaws.com/nodejsapp:latest"
        ports:
          - containerPort: 3000

Create the nodejs app service

sudo nano nodejs-svc.yml

paste the below code

apiVersion: v1
kind: Service
metadata:
  name: nodejs-app
  namespace: default
spec:
  selector:
    app: nodejs-app
  ports:
  - name: http
    targetPort: 3000
    port: 80

Deploy the nodejs app deployment and service on Kubernetes

kubectl create -f nodejs-deploy.yml
kubectl create -f nodejs-svc.yml

#4. Creating Traefik Ingress Resources and Exposing the apps

Let's create the Traefik ingress resource on Kubernetes to expose the apps

sudo nano traefik-ingress.yml

Paste the below nginx and nodejs app details. The service names here must match the names in the service yml files.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - host: nginxapp.fosstechnix.info
    http:
      paths:
      - backend:
          service:
            name: nginx-web
            port:
              number: 80
        path: /
        pathType: Prefix
  - host: nodejsapp.fosstechnix.info
    http:
      paths:
      - backend:
          service:
            name: nodejs-app
            port:
              number: 80
        path: /
        pathType: Prefix

Deploy the Traefik ingress resource on the Kubernetes KOPS cluster

kubectl create -f traefik-ingress.yml   

To check Kubernetes pods using kubectl

kubectl get pods

Output:

NAME                          READY   STATUS    RESTARTS   AGE
nginx-web-5bf45d88df-zs42j    1/1     Running   0          11m
nodejs-app-76c4545979-b5jm7   1/1     Running   0          10m
traefik-5c454b7c44-jwx4j      1/1     Running   0          33m

To check kubernetes deployments using kubectl

kubectl get deploy

Output:

NAME         READY   UP-TO-DATE   AVAILABLE   AGE
nginx-web    1/1     1            1           11m
nodejs-app   1/1     1            1           10m
traefik      1/1     1            1           33m

To check Kubernetes service using kubectl

kubectl get svc

Output:

NAME         TYPE           CLUSTER-IP       EXTERNAL-IP                                                               PORT(S)                      AGE
kubernetes   ClusterIP      100.64.0.1       <none>                                                                    443/TCP                      37m
nginx-web    ClusterIP      100.64.219.116   <none>                                                                    80/TCP                       11m
nodejs-app   ClusterIP      100.70.17.76     <none>                                                                    80/TCP                       10m
traefik      LoadBalancer   100.71.30.91     ad51e01b1a2064541852a2e6e8227e26-764563388.ap-south-1.elb.amazonaws.com   80:30915/TCP,443:32466/TCP   33m

To check kubernetes ingress using kubectl

kubectl get ingress

Output:

NAME              CLASS    HOSTS                                                  ADDRESS   PORTS   AGE
traefik-ingress   <none>   nginxapp.fosstechnix.info,nodejsapp.fosstechnix.info 

#5. Pointing Traefik Ingress Loadbalancer in Domain Name provider

To access the apps using domain names, here we have pointed the loadbalancer URL in the domain name provider as a CNAME.

Now access nginx app using domain name

nodejsapp.fosstechnix.info

Now access nodejs app using domain name

#6: Accessing Traefik Dashboard

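By default the Traefik dashboard is not exposed when Traefik is installed using the helm chart, for security reasons.

There are multiple ways to access the Traefik dashboard. Here we forward port 9000 of the Traefik pod to every address of the instance using the command below.

kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) --address 0.0.0.0 9000:9000

Now you can access the Traefik dashboard from the instance itself or through the IP address of the instance. Because --address 0.0.0.0 binds the forwarded port on every interface, anyone who can reach port 9000 of the instance can open the dashboard; omit --address to keep the forward on localhost only.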

http://127.0.0.1:9000/dashboard/

OR

Cluster Node IP with port number

http://65.2.81.244:9000/dashboard/#/
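
To find port-forwards left listening on all interfaces, as the command above does, the listener table of the instance can be scanned. The script below is an added example, not part of the original article; it assumes the input is the output of ss -Hltnp on the instance, and the sample lines and function name are constructed for illustration.

```python
# Added example: flag kubectl port-forward listeners bound to every interface.
import re

# Local addresses that mean "all interfaces" in ss output.
WILDCARD = {"0.0.0.0", "[::]", "*"}
# Matches the first process entry, e.g. users:(("kubectl",pid=2211,fd=8))
PROC = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def exposed_listeners(ss_output, process="kubectl"):
    """Return (port, pid) for each listener of `process` bound to all interfaces."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Field 3 is "Local Address:Port"; split on the last colon for IPv6.
        addr, _, port = fields[3].rpartition(":")
        match = PROC.search(line)
        if addr in WILDCARD and match and match.group(1) == process:
            hits.append((int(port), int(match.group(2))))
    return hits


# Constructed sample of `ss -Hltnp` output.
SAMPLE = """\
LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:* users:(("kubectl",pid=2211,fd=8))
LISTEN 0 4096 127.0.0.1:9001 0.0.0.0:* users:(("kubectl",pid=2290,fd=8))
LISTEN 0 4096 [::1]:9001 [::]:* users:(("kubectl",pid=2290,fd=9))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
"""

if __name__ == "__main__":
    for port, pid in exposed_listeners(SAMPLE):
        print(f"kubectl pid {pid} listens on all interfaces, port {port}")
```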

Conclusion:

We have covered installing Helm 3 on a Kubernetes cluster and installing the Traefik Ingress Controller on Kubernetes using Helm 3.

We also covered creating Deployments and Services for an nginx app and a NodeJs app, creating Traefik Ingress resources and exposing the apps, pointing the Traefik Ingress LoadBalancer at the domain name provider, and accessing the Traefik dashboard.
