How to setup letsencrypt on kubernetes on azure?

Question

I am learning kube.netes and trying to setup letsencrypt for my web app.

I have bought a domain from amazon route 53. Lets just called it example.com

Then I go and create a cluster in azure, install all applications that needed:

1. Install helm choco install kube.netes-helm
2. helm repo add ingress-nginx https://kube.netes.github.io/ingress-nginx
3. helm repo update
4. Apply deployment.yml file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp1-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp1
  template:
    metadata:
      name: myapp1-pod
      labels: # Dictionary 
        app: myapp1       
    spec:
      containers: # List
        - name: myapp1-container
          image: stacksimplify/kubenginx:1.0.0
          ports:
            - containerPort: 80

5. Apply service.yml

apiVersion: v1
kind: Service
metadata:
  name: myapp1-loadbalancer
  labels: 
    app: myapp1
spec:  
  selector:
    app: myapp1
  ports: 
    - port: 80
      targetPort: 80

6. Apply ingress.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress-demo
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: cluster-issuer-name
    cert-manager.io/acme-challenge-type: http01
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:  
  rules:  
  - host: "example.com"
    http:
      paths:
      - path: /   
        pathType: Prefix     
        backend:
          service:
            name: myapp1-loadbalancer
            port:
              number: 80
  tls:
    - hosts:
      - example.com
      secretName: secret-name

7. In Azure portal, look for public Ip that is associated with the cluster that you created at the beginning. By default, when an k8 cluster is created, azure will create one public ip associated to this cluster. Look for it, go to front end configuration, and take note of the ip.

8. Run this command below, replace the ip that you have

# Use Helm to deploy an NGINX ingress controller
helm install ingress-nginx ingress-nginx/ingress-nginx
    --set controller.replicaCount=2 \
    --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
    --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
    --set controller.service.externalTrafficPolicy=Local \
    --set controller.service.loadBalancerIP="YOUR IP" 

9. If done correctly, you should have load balancer service running now. Verify it with kubernetes: `kubectl get svc`. Take note of this ip address for the load balancer

10. Go to Amazon route 53 dashboard, add a record with the ip address that you have at step 9 for your domain name that you have in ingress.yml

11. Enjoy your work:)

Thank you

I have update my questions with steps on how to product the result. Thanks SOF for awesome support. Hopefully that if someone run into this issue again, they know how to configure it properly.

Answer 1

You are missing few minor things which you might need to do and try updating once again.

URL in cluster issue is not for Prod you are using staging, i would recommend using the prod URL only for any case instead of the staging.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging  
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: abc@abc.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx

Use: https://acme-v02.api.letsencrypt.org/directory

Second :

You have not attached your secret to ingress which ideally will be storing your TLS cert.

How process work is like,

cert-manager get the certificate and store it inside the kube.netes secret, in your case it will be, letsencrypt-staging you have mentioned in clusterissuer .

This secret also should be attached to ingress so that when anyone hits endpoint ingress use this cert for HTTPS traffic.

Full reference example:

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: cluster-issuer-name
  namespace: development
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: harsh@example.com
    privateKeySecretRef:
      name: secret-name
    solvers:
    - http01:
        ingress:
          class: nginx-class-name
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-class-name
    cert-manager.io/cluster-issuer: cluster-issuer-name
    nginx.ingress.kubernetes.io/rewrite-target: /
  name: example-ingress
spec:
  rules:
  - host: sub.example.com
    http:
      paths:
      - path: /api
        backend:
          serviceName: service-name
          servicePort: 80
  tls:
  - hosts:
    - sub.example.com
    secretName: secret-name

in above example i have used the annotatino in ingress: cert-manager.io/cluster-issuer: cluster-issuer-name

it will trigger clusterissuer to generate cert whenever ingress is created, once cert is created it will be stored in K8s secret. so to attach SSL/TLS cert secret with ingress i have added TLS block at last of ingress YAML.

If you are applying my suggested changes you wont need to create this

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl-cert-staging
  namespace: default
spec:
  secretName: ssl-cert-staging
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer  
  dnsNames:
  - example.com

cert-manager will auto-create for you, you can remove this also and just apply above example snippet with minor changes required of name and etc.