I am learning kube.netes and trying to setup letsencrypt for my web app.
I have bought a domain from amazon route 53. Lets just called it example.com
Then I go and create a cluster in azure, install all applications that needed:
choco install kube.netes-helm
helm repo add ingress-nginx https://kube.netes.github.io/ingress-nginx
helm repo update
deployment.yml
fileapiVersion: apps/v1
kind: Deployment
metadata:
name: myapp1-deployment
spec:
replicas: 3
selector:
matchLabels:
app: myapp1
template:
metadata:
name: myapp1-pod
labels: # Dictionary
app: myapp1
spec:
containers: # List
- name: myapp1-container
image: stacksimplify/kubenginx:1.0.0
ports:
- containerPort: 80
service.yml
apiVersion: v1
kind: Service
metadata:
name: myapp1-loadbalancer
labels:
app: myapp1
spec:
selector:
app: myapp1
ports:
- port: 80
targetPort: 80
ingress.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myapp-ingress-demo
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: cluster-issuer-name
cert-manager.io/acme-challenge-type: http01
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: "example.com"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: myapp1-loadbalancer
port:
number: 80
tls:
- hosts:
- example.com
secretName: secret-name
In Azure portal, look for public Ip that is associated with the cluster that you created at the beginning. By default, when an k8 cluster is created, azure will create one public ip associated to this cluster. Look for it, go to front end configuration, and take note of the ip.
Run this command below, replace the ip that you have
# Use Helm to deploy an NGINX ingress controller
helm install ingress-nginx ingress-nginx/ingress-nginx
--set controller.replicaCount=2 \
--set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set controller.service.externalTrafficPolicy=Local \
--set controller.service.loadBalancerIP="YOUR IP"
9. If done correctly, you should have load balancer service running now. Verify it with kubernetes: `kubectl get svc`. Take note of this ip address for the load balancer
Go to Amazon route 53 dashboard, add a record with the ip address that you have at step 9 for your domain name that you have in ingress.yml
Enjoy your work:)
Thank you
I have update my questions with steps on how to product the result. Thanks SOF for awesome support. Hopefully that if someone run into this issue again, they know how to configure it properly.
You are missing few minor things which you might need to do and try updating once again.
URL in cluster issue is not for Prod you are using staging, i would recommend using the prod URL only for any case instead of the staging.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: abc@abc.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: nginx
Use: https://acme-v02.api.letsencrypt.org/directory
Second :
You have not attached your secret to ingress which ideally will be storing your TLS cert.
How process work is like,
cert-manager get the certificate and store it inside the kube.netes secret, in your case it will be, letsencrypt-staging you have mentioned in clusterissuer .
This secret also should be attached to ingress so that when anyone hits endpoint ingress use this cert for HTTPS traffic.
Full reference example:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: cluster-issuer-name
namespace: development
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: harsh@example.com
privateKeySecretRef:
name: secret-name
solvers:
- http01:
ingress:
class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx-class-name
cert-manager.io/cluster-issuer: cluster-issuer-name
nginx.ingress.kubernetes.io/rewrite-target: /
name: example-ingress
spec:
rules:
- host: sub.example.com
http:
paths:
- path: /api
backend:
serviceName: service-name
servicePort: 80
tls:
- hosts:
- sub.example.com
secretName: secret-name
in above example i have used the annotatino in ingress: cert-manager.io/cluster-issuer: cluster-issuer-name
it will trigger clusterissuer to generate cert whenever ingress is created, once cert is created it will be stored in K8s secret. so to attach SSL/TLS cert secret with ingress i have added TLS block at last of ingress YAML.
If you are applying my suggested changes you wont need to create this
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ssl-cert-staging
namespace: default
spec:
secretName: ssl-cert-staging
issuerRef:
name: letsencrypt-staging
kind: ClusterIssuer
dnsNames:
- example.com
cert-manager will auto-create for you, you can remove this also and just apply above example snippet with minor changes required of name and etc.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.