| title | date | author | cover |
|---|---|---|---|
Kubernetes : Cluster init with nginx-ingress + cert-manager |
2020-04-04 |
mikamboo |
A Quick K8S snippet tutorial to install nginx-ingress controller and cert-manager on a new cluster.
WARNING : This installation method will create a Loadbancer, dont forget to delete it on cloud dashboard if necessaray for a complete cleanup.
For baremetal install nginx-ingress can be configured as DaemonSet on ports 80 and 443. This avoids LoadBalancer Service fees but boring to manage (require manual DNS config updat to point to nodes public IPs)
- Fresh kubernetes cluste v1.6+ on a cloud provider
- The
kubectltool installed an configured (admin) - Helm v3 installed on local computer
- https://cert-manager.io/docs/installation/kubernetes
- https://kubernetes.github.io/ingress-nginx/deploy/#using-helm
CERT_MANGER_VERSION=v0.14.3
helm repo add stable https://kubernetes-charts.storage.googleapis.com
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl create namespace nginx-ingress
helm install nginx-ingress stable/nginx-ingress --namespace nginx-ingress --set rbac.create=true
kubectl create namespace cert-manager
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/$CERT_MANGER_VERSION/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--version $CERT_MANGER_VERSION- Wait Ingress controller service creation to complete
- Get the ingres controller service public IP (LoadBalancer IP :
kubectl get svc -n nginx-ingress) - Go to your DNS provider dashboard and add A record pointing to LoadBalancer IP
Create an expose a sample app
kubectl create namespace demo-tls
kubectl create deployment demo-tls-app --image nginx:alpine -n demo-tls
kubectl expose deployment demo-tls-app --type ClusterIP --port 80 -n demo-tlsAdd certificate issuers
cat <<EOF | kubectl apply -n demo-tls -f -
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected]
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: nginx
EOF
cat <<EOF | kubectl apply -n demo-tls -f -
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: letsencrypt-prod
spec:
acme:
# The ACME server URL
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: [email protected]
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-prod
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: nginx
EOFCreate TLS Ingress to acces our application
# staging ingress
cat <<EOF | kubectl apply -n demo-tls -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: demo-tls-app
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/issuer: "letsencrypt-staging"
spec:
tls:
- hosts:
- demo-tls-app.do.yourdomain.co
secretName: demo-tls-app
rules:
- host: demo-tls-app.do.africa-up.io
http:
paths:
- path: /
backend:
serviceName: demo-tls-app
servicePort: 80
EOF
# production ingress
cat <<EOF | kubectl apply -n demo-tls -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: demo-tls-app-prod
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- demo-tls-app-prod.yourdomain.co
secretName: demo-tls-app-prod
rules:
- host: demo-tls-app-prod.yourdomain.co
http:
paths:
- path: /
backend:
serviceName: demo-tls-app
servicePort: 80
EOFkubectl delete namespace demo-tls
Links
https://cert-manager.io/docs/tutorials/acme/ingress
https://kubernetes.github.io/ingress-nginx
See also :
BKPR - https://github.com/bitnami/kube-prod-runtime