First, use helm to install the ingress controller:
1$ helm install stable/nginx-ingress --name nginx-ingress --set controller.publishService.enabled=true
2NAME: nginx-ingress
3LAST DEPLOYED: ...
4NAMESPACE: default
5STATUS: DEPLOYED
6
7RESOURCES:
8==> v1/ConfigMap
9NAME DATA AGE
10nginx-ingress-controller 1 0s
11
12==> v1/Pod(related)
13NAME READY STATUS RESTARTS AGE
14nginx-ingress-controller-7658988787-npv28 0/1 ContainerCreating 0 0s
15nginx-ingress-default-backend-7f5d59d759-26xq2 0/1 ContainerCreating 0 0s
16
17==> v1/Service
18NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
19nginx-ingress-controller LoadBalancer 10.245.9.107 <pending> 80:31305/TCP,443:30519/TCP 0s
20nginx-ingress-default-backend ClusterIP 10.245.221.49 <none> 80/TCP 0s
21
22==> v1/ServiceAccount
23NAME SECRETS AGE
24nginx-ingress 1 0s
25
26==> v1beta1/ClusterRole
27NAME AGE
28nginx-ingress 0s
29
30==> v1beta1/ClusterRoleBinding
31NAME AGE
32nginx-ingress 0s
33
34==> v1beta1/Deployment
35NAME READY UP-TO-DATE AVAILABLE AGE
36nginx-ingress-controller 0/1 1 0 0s
37nginx-ingress-default-backend 0/1 1 0 0s
38
39==> v1beta1/Role
40NAME AGE
41nginx-ingress 0s
42
43==> v1beta1/RoleBinding
44NAME AGE
45nginx-ingress 0s
46
47NOTES:
48...
Then wait for it to become available:
1$ kubectl get services -o wide -w nginx-ingress-controller
Then you need to add the jetstack helm repo:
1$ helm repo add jetstack https://charts.jetstack.io
2"jetstack" has been added to your repositories
Then, you can install cert-manager
:
1$ helm install --name cert-manager --namespace cert-manager jetstack/cert-manager --set installCRDs=true
2NAME: cert-manager
3LAST DEPLOYED: ...
4NAMESPACE: cert-manager
5STATUS: DEPLOYED
6
7RESOURCES:
8==> v1/ClusterRole
9NAME AGE
10cert-manager-edit 3s
11cert-manager-view 3s
12cert-manager-webhook:webhook-requester 3s
13
14==> v1/Pod(related)
15NAME READY STATUS RESTARTS AGE
16cert-manager-5d669ffbd8-rb6tr 0/1 ContainerCreating 0 2s
17cert-manager-cainjector-79b7fc64f-gqbtz 0/1 ContainerCreating 0 2s
18cert-manager-webhook-6484955794-v56lx 0/1 ContainerCreating 0 2s
19
20...
21
22NOTES:
23cert-manager has been deployed successfully!
24
25In order to begin issuing certificates, you will need to set up a ClusterIssuer
26or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
27
28More information on the different types of issuers and how to configure them
29can be found in our documentation:
30
31https://docs.cert-manager.io/en/latest/reference/issuers.html
32
33For information on how to configure cert-manager to automatically provision
34Certificates for Ingress resources, take a look at the `ingress-shim`
35documentation:
36
37https://docs.cert-manager.io/en/latest/reference/ingress-shim.html
Lastly, set up an issuer which takes care of managing the certificates:
production-issuer.yaml
1apiVersion: cert-manager.io/v1alpha2
2kind: ClusterIssuer
3metadata:
4 name: letsencrypt-prod
5spec:
6 acme:
7 server: https://acme-v02.api.letsencrypt.org/directory
8 email: pieter@yellowduck.be
9 privateKeySecretRef:
10 name: letsencrypt-production
11 solvers:
12 - http01:
13 ingress:
14 class: nginx
Deploy it:
1$ kubectl apply -f production-issuer.yaml
2clusterissuer.certmanager.k8s.io/letsencrypt-production created
Before we can issue the certificates, we need to create A
records on the DNS server pointing to the load balancer. First, get the external IP address of the load balancer:
1$ kubectl get service nginx-ingress-controller
2NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
3nginx-ingress-controller LoadBalancer 10.0.254.55 52.136.238.205 80:30753/TCP,443:32721/TCP 17m
The external IP address is 52.136.238.205
in this case.
On the DNS server, add the following records:
1mywebsite.webhost.com A 52.136.238.205
Once you did this, create the ingress defintion:
ingress.yaml
1apiVersion: extensions/v1beta1
2kind: Ingress
3metadata:
4 name: ingress
5 annotations:
6 nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
7 nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
8 kubernetes.io/ingress.class: nginx
9 certmanager.k8s.io/cluster-issuer: letsencrypt-production
10spec:
11 tls:
12 - hosts:
13 - mywebsite.webhost.com
14 secretName: letsencrypt-prod
15 rules:
16 - host: mywebsite.webhost.com
17 http:
18 paths:
19 - backend:
20 serviceName: <my-service>
21 servicePort: 80
Apply this as well and you're done.
1$ kubectl apply -f ingress.yaml
If you now browse to https://mywebsite.webhost.com
, the correct content should show up and you should see that it's using a Let's Encrypt certificate.
If this post was enjoyable or useful for you, please share it! If you have comments, questions, or feedback, you can email my personal email. To get new posts, subscribe use the RSS feed.