Kubernetes Nginx Ingress in aws With Certbot Letsencrypt

Kubernetes Ingresses allow you to flexibly route traffic from outside your Kubernetes cluster to Services inside of your cluster.

Setting up Ingress in AWS

In AWS the NGINX Ingress controller is exposed through a Service of Type=LoadBalancer. The AWS-specific manifest below annotates that Service so that AWS provisions a Network Load Balancer (NLB) in front of the controller; the NLB's DNS name is what your application hostnames will point at.

NETWORK LOAD BALANCER (NLB):

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.43.0/deploy/static/provider/aws/deploy.yaml

Verify the installation by watching the controller pod until it reaches Running (the admission webhook job pods show Completed; press Ctrl-C to stop watching):

kubectl get pods -n ingress-nginx \
  -l app.kubernetes.io/name=ingress-nginx --watch

Cert Manager

cert-manager runs within your Kubernetes cluster as a set of Deployments. It uses CustomResourceDefinitions (Issuer, ClusterIssuer, Certificate and others) to configure certificate authorities and to request and renew certificates, storing the resulting key pairs in Kubernetes Secrets.

Installing with Helm

Please ensure helm v3 is installed.

Steps

Create the namespace for cert-manager:

kubectl create namespace cert-manager

Add the Jetstack Helm repository:

helm repo add jetstack https://charts.jetstack.io
helm repo update

cert-manager requires a number of CRD resources to be installed into your cluster as part of the installation.

To install and manage the CRDs automatically as part of your Helm release, add the --set installCRDs=true flag to your Helm install command (the alternative is to apply the CRD manifest for the same version yourself before running helm install).

To install the cert-manager Helm chart:

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.1.0 \
  --set installCRDs=true

Verifying the installation

Once you’ve installed cert-manager, you can verify it is deployed correctly by checking the cert-manager namespace for running pods:

kubectl get pods --namespace cert-manager

You should see the cert-manager, cert-manager-cainjector, and cert-manager-webhook pods in a Running state.

The following steps will confirm that cert-manager is set up correctly and able to issue basic certificate types.

Create a self-signed Issuer and a Certificate in a throwaway namespace to confirm that the webhook is reachable and that cert-manager can issue a certificate end to end:

cat <<EOF > test-resources.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: test-selfsigned
  namespace: cert-manager-test
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: selfsigned-cert
  namespace: cert-manager-test
spec:
  dnsNames:
    - example.com
  secretName: selfsigned-cert-tls
  issuerRef:
    name: test-selfsigned
EOF

Create the test resources.

kubectl apply -f test-resources.yaml

Check the status of the newly created Certificate. You may need to wait a few seconds before cert-manager processes it; the Conditions section should show Ready with status True, and the signed certificate and private key will be stored in the selfsigned-cert-tls Secret.

kubectl describe certificate -n cert-manager-test

Clean up the test resources.

kubectl delete -f test-resources.yaml

Configuring your first Issuer

Before you can begin issuing certificates, you must configure at least one Issuer or ClusterIssuer resource in your cluster. An Issuer is namespaced; a ClusterIssuer can be referenced from any namespace, which is what you want for Ingress resources spread across the cluster.

The manifest below creates two ACME ClusterIssuers backed by Let's Encrypt. Use the staging issuer while testing: it has generous rate limits but issues certificates from an untrusted test CA, so browsers will warn. Switch to the production issuer only once the staging flow works, because production Let's Encrypt enforces strict rate limits on failed validations and duplicate certificates. The email address receives expiry notices and must be one you control, and privateKeySecretRef names the Secret (in the cert-manager namespace) where the ACME account private key is stored; treat that Secret as sensitive. The http01 solver answers challenges by creating temporary Ingress resources with class nginx, so the NLB must be reachable from the Internet on port 80 for the hostnames you request.

cat > cluster-issuer.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging-issuer
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@citizix.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@citizix.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
EOF

Then apply the changes

kubectl apply -f cluster-issuer.yaml

Check the resources

kubectl get clusterissuer
kubectl describe clusterissuer letsencrypt-prod-issuer
kubectl describe clusterissuer letsencrypt-staging-issuer
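To actually obtain a certificate, an Ingress references one of the ClusterIssuers above through the cert-manager.io/cluster-issuer annotation; cert-manager then creates a Certificate for each host in the tls section and stores the issued key pair in the named Secret, which the NGINX controller serves. The manifest below is an added example and is not from the original post: the hostname app.example.com, the namespace default, the backend Service my-app on port 80 and the Secret name app-example-com-tls are assumptions.

```yaml
# Added example (not from the original post). Assumed values: host app.example.com,
# namespace default, backend Service my-app:80, TLS Secret app-example-com-tls.
apiVersion: networking.k8s.io/v1   # Ingress v1 needs Kubernetes 1.19+; use networking.k8s.io/v1beta1 on older clusters
kind: Ingress
metadata:
  name: my-app
  namespace: default
  annotations:
    # Route through the NGINX controller installed above (same class the http01 solver uses).
    kubernetes.io/ingress.class: nginx
    # Ask cert-manager for a certificate from the staging issuer first;
    # change to letsencrypt-prod-issuer once the staging certificate is issued.
    cert-manager.io/cluster-issuer: letsencrypt-staging-issuer
spec:
  tls:
    - hosts:
        - app.example.com
      # cert-manager writes tls.crt and tls.key into this Secret in the Ingress namespace.
      secretName: app-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80
```

Before applying it, point the DNS record for the hostname at the NLB hostname shown by kubectl get svc -n ingress-nginx ingress-nginx-controller; the HTTP-01 challenge is fetched over plain HTTP on port 80 and fails if the name does not resolve to the load balancer. After kubectl apply, watch kubectl get certificate -n default until READY is True; if it stays False, kubectl describe challenge -n default shows why validation failed. Only then flip the annotation to letsencrypt-prod-issuer and delete the staging Secret so a trusted certificate is requested.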
