Kubernetes Nginx Ingress Controller LetsEncrypt-cert-manager,TLS

In this article we are going to cover Kubernetes Nginx Ingress Controller LetsEncrypt [cert-manager, TLS], Install Helm 3 on Kubernetes Cluster, Install Nginx Ingress Controller Kubernetes using Helm, Creating Deployment and service for nginx app.

Creating Nginx Ingress Resources and Exposing the apps, Configure cert manager for Nginx Ingress, Creating Nginx Ingress Let’s Encrypt TLS Certificate, Point Nginx Ingress Let’s Encrypt Certificate in Nginx Ingress, Pointing Domain Name to Nginx Ingress LoadBalancer.

Prerequisites:

  • Kubernetes Cluster with v1.19.0+

Follow below article to Setup Kubernetes on AWS using KOPS and kubeadm method

9 Steps to Setup Kubernetes on AWS using KOPS

How To Setup Kubernetes Cluster Using Kubeadm on Ubuntu 18.04/16.04 LTS

#1: Install Helm 3 on Kubernetes Cluster

Install helm3 on Kubernetes Cluster on Kubernetes Cluster using below command

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

To check helm3 version

helm version

Output:

version.BuildInfo{Version:"v3.5.3", GitCommit:"041ce5a2c17a58be0fcd5f5e16fb3e7e95fea622", GitTreeState:"dirty", GoVersion:"go1.15.8"}

#2: Install Nginx Ingress Controller Kubernetes using Helm

Add the nginx ingress helm repo in Kubernetes kops cluster, follow this Nginx ingress official page to install latest nginx ingress helm chart

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

Update the helm repo

helm repo update

Install Nginx Ingress Controller Kubernetes KOPS using Helm 3

helm install ingress-nginx ingress-nginx/ingress-nginx

Output:

Output:

NAME: ingress-nginx
LAST DEPLOYED: wed Apr 21 07:10:01 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace default get services -o wide -w ingress-nginx-controller'

An example Ingress that makes use of the controller:

  apiVersion: networking.k8s.io/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    name: example
    namespace: foo
  spec:
    rules:
      - host: www.example.com
        http:
          paths:
            - backend:
                serviceName: exampleService
                servicePort: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
        - hosts:
            - www.example.com
          secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

To check nginx ingress controller

kubectl get services ingress-nginx-controller

Output:

NAME                       TYPE           CLUSTER-IP      EXTERNAL-IP                                                               PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   100.65.85.238   a8e1355c94fdd438a9d207181b50ea1d-213346636.ap-south-1.elb.amazonaws.com   80:30710/TCP,443:31894/TCP   5m15s

#3. Creating Deployment and service for nginx app

Lets deploy the sample nginx app on nginx ingress controller

Create the nginx app deployment

sudo nano nginx-deploy.yml

paste the below deployment

kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-app
  namespace: default
  labels:
    app: nginx-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-app
  template:
    metadata:
      labels:
        app: nginx-app
    spec:
      containers:
      - name: nginx
        image: "nginx"

Create the nginx app service

sudo nano nginx-svc.yml

paste the below code

apiVersion: v1
kind: Service
metadata:
  name: nginx-app
  namespace: default
spec:
  selector:
    app: nginx-app
  ports:
  - name: http
    targetPort: 80
    port: 80

deploy the nginx app deployment and service on kubernetes

kubectl create -f nginx-deploy.yml
kubectl create -f nginx-svc.yml

#4. Creating Nginx Ingress Resources and Exposing the apps

Lets create the nginx ingress resource on Kubernetes to expose the apps

sudo nano nginx-ingress.yml

Paste the below nginx app details, here service name should match with service.yml’s

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx   
spec:
  rules:
  - host: nginxapp.fosstechnix.info
    http:
      paths:
      - backend:
          service:
            name: nginx-app
            port:
              number: 80
        path: /
        pathType: Prefix

deploy the nginx ingress resource on Kubernetes cluster

kubectl create -f nginx-ingress.yml

To check Kubernetes pods using kubectl

kubectl get pods

Output:

kubectl get pods
NAME                                        READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-6f5454cbfb-2jvcf   1/1     Running   0          41m
nginx-app-d6ff45774-hp7s4  

To check kubernetes deployments using kubectl

kubectl get deploy

Output:

NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
ingress-nginx-controller   1/1     1            1           42m
nginx-app                  1/1     1            1           41m

To check Kubernetes service using kubectl

kubectl get svc

Output:

NAME                                 TYPE           CLUSTER-IP       EXTERNAL-IP                                                                PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   100.64.113.132   afbcd905b614842c29702ddd7481784d-1960968212.ap-south-1.elb.amazonaws.com   80:30375/TCP,443:31354/TCP   43m
ingress-nginx-controller-admission   ClusterIP      100.67.218.51    <none>                                                                     443/TCP                      43m
kubernetes                           ClusterIP      100.64.0.1       <none>                                                                     443/TCP                      48m
nginx-app                            ClusterIP      100.68.218.6     <none>                                                                     80/TCP                       42m

To check kubernetes ingress using kubectl

kubectl get ingress

Output:

NAME            CLASS    HOSTS                       ADDRESS                                                                    PORTS     AGE
nginx-ingress   <none>   nginxapp.fosstechnix.info   afbcd905b614842c29702ddd7481784d-1960968212.ap-south-1.elb.amazonaws.com   80, 443   42m

#5. Pointing Nginx Ingress Loadbalancer in Domain Name provider to Access app using Domain Name

To access your application/domain name using browser you can either access using Loadbalancer URL or you can point Loadbalancer URL by adding CNAME record in Domain Provider.

Here We have added CNAME record in GoDaddy with Domain nginxapp.fosstechnix.info

Kubernetes Nginx Ingress Controller LetsEncrypt-cert-manager,TLS 1

#6: Configure cert manager for Nginx Ingress

once nginx ingress controller setup is done on your Kubernetes cluster, Lets install and configure cert manager using below kubectl command for Kubernetes version 1.16+

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml

Sample Output:

service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created

for Kubernetes <1.16 version

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager-legacy.yaml

it will install cert manager packages on your k8s cluster

#7: Kubernetes Nginx Ingress Controller LetsEncrypt

To configure Kubernetes Nginx Ingress Controller LetsEncrypt , navigate to cert manager acme ingress page, go to Configure Let’s Encrypt Issuer, copy the let’s encrypt issuer yml and change as shown below.

sudo nano  letsencrypt-issuer.yml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: default
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
kubectl apply -f letsencrypt-issuer.yml

We have deployed let’s encrypt issuer which issues certificates,

#8: Creating Nginx Ingress Let’s Encrypt TLS Certificate

Now lets create Nginx Ingress Let’s Encrypt TLS certificate for your microservice.

sudo nano letsencrypt-cert.yml

Modify the Nginx Ingress Let’s Encrypt TLS certificate as per your micro service/domain name

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nginxapp.fosstechnix.info
  namespace: default
spec:
  secretName: nginxapp.fosstechnix.info-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: nginxapp.fosstechnix.info
  dnsNames:
  - nginxapp.fosstechnix.info
kubectl apply -f letsencrypt-cert.yml

once done, it will create a Nginx ingress letsencrypt TLS certificate for domain nginxapp.fosstechnix.info and injects into Kubernetes secrets.

Lets check the certificate is created

kubectl get certificates nginxapp.fosstechnix.info 

Output:

kubectl get certificates nginxapp.fosstechnix.info
NAME                        READY   SECRET                          AGE
nginxapp.fosstechnix.info   True    nginxapp.fosstechnix.info-tls   32s

Let’s check secrets to check Nginx Ingress letsencrypt TLS

kubectl get secrets nginxapp.fosstechnix.info-tls

Output:

kubectl get secrets nginxapp.fosstechnix.info-tls
NAME                            TYPE                DATA   AGE
nginxapp.fosstechnix.info-tls   kubernetes.io/tls   2      2m50s

We have covered Kubernetes Nginx Ingress Controller LetsEncrypt [cert-manager, TLS]

#9: Point Nginx Ingress Let’s Encrypt Certificate in Nginx Ingress

Now point/refer the generated Nginx Ingress Let’s Encrypt in your Kubernetes nginx Ingress as shown below.

Add the highlighted lines in nginx ingress resource.

kubectl edit ingress nginx-ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
  creationTimestamp: "2021-04-22T03:20:24Z"
  generation: 2
  name: nginx-ingress
  namespace: default
  resourceVersion: "5902"
  uid: 62300582-7b91-4f56-a229-75f9664f9334
spec:
  rules:
  - host: nginxapp.fosstechnix.info
    http:
      paths:
      - backend:
          service:
            name: nginx-app
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - nginxapp.fosstechnix.info
    secretName: nginxapp.fosstechnix.info-tls
status:
  loadBalancer:
    ingress:
    - hostname: afbcd905b614842c29702ddd7481784d-1960968212.ap-south-1.elb.amazonaws.com

Here we have referenced secret nginxapp.fosstechnix.info-tls and added annotation cert-manager.io/cluster-issuer: letsencrypt-prod.

Note: secret and certificates should be in same namespace as ingress.

#10: Accessing Nginx Ingress Resources using Let’s Encrypt

Finally we can see your application site https://nginxapp.fosstechnix.info using Lets’s Encrypt SSL (Kubernetes Nginx Ingress Controller LetsEncrypt-cert-manager,TLS).

https://nginxapp.fosstechnix.info

Output:

Kubernetes Nginx Ingress Controller LetsEncrypt-cert-manager,TLS 2

Conclusion:

We have covered Kubernetes Nginx Ingress Controller LetsEncrypt [cert-manager, TLS], Install Helm 3 on Kubernetes Cluster, Install Nginx Ingress Controller Kubernetes using Helm, Creating Deployment and service for nginx app.

Creating Nginx Ingress Resources and Exposing the apps, Configure cert manager for Nginx Ingress, Creating Nginx Ingress Let’s Encrypt TLS Certificate, Point Nginx Ingress Let’s Encrypt Certificate in Nginx Ingress, Pointing Domain Name to Nginx Ingress LoadBalancer and Kubernetes Nginx Ingress Controller LetsEncrypt.

Related Articles:

Reference:

FOSS TechNix

FOSS TechNix (Free,Open Source Software's and Technology Nix*) founded in 2019 is a community platform where you can find How-to Guides, articles for DevOps Tools,Linux and Databases.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share via
Copy link