In this article we are going to cover Kubernetes Nginx Ingress Controller LetsEncrypt [cert-manager, TLS], Install Helm 3 on Kubernetes Cluster, Install Nginx Ingress Controller Kubernetes using Helm, Creating Deployment and service for nginx app.
Creating Nginx Ingress Resources and Exposing the apps, Configure cert manager for Nginx Ingress, Creating Nginx Ingress Let’s Encrypt TLS Certificate, Point Nginx Ingress Let’s Encrypt Certificate in Nginx Ingress, Pointing Domain Name to Nginx Ingress LoadBalancer.
Prerequisites:
- Kubernetes Cluster with v1.19.0+
Follow below article to Setup Kubernetes on AWS using KOPS and kubeadm method
9 Steps to Setup Kubernetes on AWS using KOPS
How To Setup Kubernetes Cluster Using Kubeadm on Ubuntu 18.04/16.04 LTS
#1: Install Helm 3 on Kubernetes Cluster
Install helm3 on Kubernetes Cluster on Kubernetes Cluster using below command
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
To check helm3 version
helm version
Output:
version.BuildInfo{Version:"v3.5.3", GitCommit:"041ce5a2c17a58be0fcd5f5e16fb3e7e95fea622", GitTreeState:"dirty", GoVersion:"go1.15.8"}#2: Install Nginx Ingress Controller Kubernetes using Helm
Add the nginx ingress helm repo in Kubernetes kops cluster, follow this Nginx ingress official page to install latest nginx ingress helm chart
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
Update the helm repo
helm repo update
Install Nginx Ingress Controller Kubernetes KOPS using Helm 3
helm install ingress-nginx ingress-nginx/ingress-nginx
Output:
Output:
NAME: ingress-nginx
LAST DEPLOYED: wed Apr 21 07:10:01 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace default get services -o wide -w ingress-nginx-controller'
An example Ingress that makes use of the controller:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
name: example
namespace: foo
spec:
rules:
- host: www.example.com
http:
paths:
- backend:
serviceName: exampleService
servicePort: 80
path: /
# This section is only required if TLS is to be enabled for the Ingress
tls:
- hosts:
- www.example.com
secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
name: example-tls
namespace: foo
data:
tls.crt: <base64 encoded cert>
tls.key: <base64 encoded key>
type: kubernetes.io/tlsTo check nginx ingress controller
kubectl get services ingress-nginx-controller
Output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 100.65.85.238 a8e1355c94fdd438a9d207181b50ea1d-213346636.ap-south-1.elb.amazonaws.com 80:30710/TCP,443:31894/TCP 5m15s#3. Creating Deployment and service for nginx app
Lets deploy the sample nginx app on nginx ingress controller
Create the nginx app deployment
sudo nano nginx-deploy.yml
paste the below deployment
kind: Deployment
apiVersion: apps/v1
metadata:
name: nginx-app
namespace: default
labels:
app: nginx-app
spec:
replicas: 1
selector:
matchLabels:
app: nginx-app
template:
metadata:
labels:
app: nginx-app
spec:
containers:
- name: nginx
image: "nginx"Create the nginx app service
sudo nano nginx-svc.yml
paste the below code
apiVersion: v1
kind: Service
metadata:
name: nginx-app
namespace: default
spec:
selector:
app: nginx-app
ports:
- name: http
targetPort: 80
port: 80deploy the nginx app deployment and service on kubernetes
kubectl create -f nginx-deploy.yml
kubectl create -f nginx-svc.yml
#4. Creating Nginx Ingress Resources and Exposing the apps
Lets create the nginx ingress resource on Kubernetes to expose the apps
sudo nano nginx-ingress.yml
Paste the below nginx app details, here service name should match with service.yml’s
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: nginxapp.fosstechnix.info
http:
paths:
- backend:
service:
name: nginx-app
port:
number: 80
path: /
pathType: Prefixdeploy the nginx ingress resource on Kubernetes cluster
kubectl create -f nginx-ingress.yml
To check Kubernetes pods using kubectl
kubectl get pods
Output:
kubectl get pods
NAME READY STATUS RESTARTS AGE
ingress-nginx-controller-6f5454cbfb-2jvcf 1/1 Running 0 41m
nginx-app-d6ff45774-hp7s4 To check kubernetes deployments using kubectl
kubectl get deploy
Output:
NAME READY UP-TO-DATE AVAILABLE AGE
ingress-nginx-controller 1/1 1 1 42m
nginx-app 1/1 1 1 41m
To check Kubernetes service using kubectl
kubectl get svc
Output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
ingress-nginx-controller LoadBalancer 100.64.113.132 afbcd905b614842c29702ddd7481784d-1960968212.ap-south-1.elb.amazonaws.com 80:30375/TCP,443:31354/TCP 43m
ingress-nginx-controller-admission ClusterIP 100.67.218.51 <none> 443/TCP 43m
kubernetes ClusterIP 100.64.0.1 <none> 443/TCP 48m
nginx-app ClusterIP 100.68.218.6 <none> 80/TCP 42mTo check kubernetes ingress using kubectl
kubectl get ingress
Output:
NAME CLASS HOSTS ADDRESS PORTS AGE
nginx-ingress <none> nginxapp.fosstechnix.info afbcd905b614842c29702ddd7481784d-1960968212.ap-south-1.elb.amazonaws.com 80, 443 42m#5. Pointing Nginx Ingress Loadbalancer in Domain Name provider to Access app using Domain Name
To access your application/domain name using browser you can either access using Loadbalancer URL or you can point Loadbalancer URL by adding CNAME record in Domain Provider.
Here We have added CNAME record in GoDaddy with Domain nginxapp.fosstechnix.info
#6: Configure cert manager for Nginx Ingress
once nginx ingress controller setup is done on your Kubernetes cluster, Lets install and configure cert manager using below kubectl command for Kubernetes version 1.16+
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml
Sample Output:
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook createdfor Kubernetes <1.16 version
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager-legacy.yaml
it will install cert manager packages on your k8s cluster
#7: Kubernetes Nginx Ingress Controller LetsEncrypt
To configure Kubernetes Nginx Ingress Controller LetsEncrypt , navigate to cert manager acme ingress page, go to Configure Let’s Encrypt Issuer, copy the let’s encrypt issuer yml and change as shown below.
sudo nano letsencrypt-issuer.yml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
namespace: default
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: fosstechnixinfo@gmail.com
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: nginx
kubectl apply -f letsencrypt-issuer.yml
We have deployed let’s encrypt issuer which issues certificates,
#8: Creating Nginx Ingress Let’s Encrypt TLS Certificate
Now lets create Nginx Ingress Let’s Encrypt TLS certificate for your microservice.
sudo nano letsencrypt-cert.yml
Modify the Nginx Ingress Let’s Encrypt TLS certificate as per your micro service/domain name
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nginxapp.fosstechnix.info
namespace: default
spec:
secretName: nginxapp.fosstechnix.info-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: nginxapp.fosstechnix.info
dnsNames:
- nginxapp.fosstechnix.info
kubectl apply -f letsencrypt-cert.ymlonce done, it will create a Nginx ingress letsencrypt TLS certificate for domain nginxapp.fosstechnix.info and injects into Kubernetes secrets.
Lets check the certificate is created
kubectl get certificates nginxapp.fosstechnix.info
Output:
kubectl get certificates nginxapp.fosstechnix.info
NAME READY SECRET AGE
nginxapp.fosstechnix.info True nginxapp.fosstechnix.info-tls 32sLet’s check secrets to check Nginx Ingress letsencrypt TLS
kubectl get secrets nginxapp.fosstechnix.info-tls
Output:
kubectl get secrets nginxapp.fosstechnix.info-tls
NAME TYPE DATA AGE
nginxapp.fosstechnix.info-tls kubernetes.io/tls 2 2m50sWe have covered Kubernetes Nginx Ingress Controller LetsEncrypt [cert-manager, TLS]
#9: Point Nginx Ingress Let’s Encrypt Certificate in Nginx Ingress
Now point/refer the generated Nginx Ingress Let’s Encrypt in your Kubernetes nginx Ingress as shown below.
Add the highlighted lines in nginx ingress resource.
kubectl edit ingress nginx-ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/ingress.class: nginx
creationTimestamp: "2021-04-22T03:20:24Z"
generation: 2
name: nginx-ingress
namespace: default
resourceVersion: "5902"
uid: 62300582-7b91-4f56-a229-75f9664f9334
spec:
rules:
- host: nginxapp.fosstechnix.info
http:
paths:
- backend:
service:
name: nginx-app
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- nginxapp.fosstechnix.info
secretName: nginxapp.fosstechnix.info-tls
status:
loadBalancer:
ingress:
- hostname: afbcd905b614842c29702ddd7481784d-1960968212.ap-south-1.elb.amazonaws.comHere we have referenced secret nginxapp.fosstechnix.info-tls and added annotation cert-manager.io/cluster-issuer: letsencrypt-prod.
Note: secret and certificates should be in same namespace as ingress.
#10: Accessing Nginx Ingress Resources using Let’s Encrypt
Finally we can see your application site https://nginxapp.fosstechnix.info using Lets’s Encrypt SSL (Kubernetes Nginx Ingress Controller LetsEncrypt-cert-manager,TLS).
https://nginxapp.fosstechnix.info
Output:
Conclusion:
We have covered Kubernetes Nginx Ingress Controller LetsEncrypt [cert-manager, TLS], Install Helm 3 on Kubernetes Cluster, Install Nginx Ingress Controller Kubernetes using Helm, Creating Deployment and service for nginx app.
Creating Nginx Ingress Resources and Exposing the apps, Configure cert manager for Nginx Ingress, Creating Nginx Ingress Let’s Encrypt TLS Certificate, Point Nginx Ingress Let’s Encrypt Certificate in Nginx Ingress, Pointing Domain Name to Nginx Ingress LoadBalancer and Kubernetes Nginx Ingress Controller LetsEncrypt.
Related Articles:
Reference:
