The NGINX Ingress Controller is an Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer. The NGINX Ingress Controller is maintained by the Kubernetes community.
The deployment configuration in Imixs-Cloud contains already a setup for TLS certificates issued by Let’s Encrypt. So there is no further configuration needed to use Let’s Encrypt. To support certificates the cert-manager is needed. This service can be deployed from the cert-manager repo on Github:
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml
Verify the installation of the cert-manager with:
$ kubectl get pods --namespace cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-5597cff495-z454k 1/1 Running 0 6h23m
cert-manager-cainjector-bd5f9c764-vxlbf 1/1 Running 0 6h23m
cert-manager-webhook-5f57f59fbc-cpgp2 1/1 Running 0 6h23m
The deployment of the NGINX Ingress Controller is based on kustzomize. In this way you can control and customize the deployment in an easy way. The deployment is based on the official cloud provider configuration maintained on Github. The origin deployment template can be found here
Before you deploy just edit the file 020-service.yaml and replace {YOUR_CLUSTER_IP} with the ip address of your master node
In the file 030-cluster-issuer.yaml replace the email address with a valid address from your organization. This email address will become the issuer for the Let’s Encrypt certificates.
Next you can start the deployment using kustomize:
$ kubectl apply --kustomize management/nginx
The deployment may take some seconds. You can verify the deployment process with:
$ kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=120s
...
pod/ingress-nginx-controller-56c75d774d-rm27c condition met
The Let’s Encrypt integration is configured in the file 030-cluster-issuer.yaml. This file defines separate configuration for staging and production
The Let’s Encrypt staging server has no rate-limits for requests made against it, so for testing purposes you should use the staging configuration. If everything works fine you can change to the production cluster-issuer.
Now you can issue a TLS certificate for your domains. You can use the Let’s Encrypt ClusterIssuer either in the staging or in the production mode. In a Ingress manifest just add the annotation for the corresponding cluster-issue and also add a ‘tls’ configuration. See the following example for the whoami service:
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: myingress
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
tls:
- hosts:
- whoami.foo.com
secretName: echo-tls
rules:
- host: whoami.foo.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
port:
number: 80
To apply the update of the ingress configuration run:
$ kubectl apply -f apps/whoami/030-ingress.yaml
You can track the state of the Ingress with a describe:
$ kubectl describe ingress
The cert-manager has the concept of Certificates that define a desired x509 certificate which will be renewed and kept up to date.
The certificates are stored in the corresponding secret defined in the ingress definition. You can describe the secret for further information:
$ kubectl describe secret tls-whoami
Name: tls-whoami
Namespace: default
Labels: <none>
Annotations: cert-manager.io/alt-names: whoami.ixbunic.imixs.com
cert-manager.io/certificate-name: tls-whoami
cert-manager.io/common-name: whoami.ixbunic.imixs.com
cert-manager.io/ip-sans:
cert-manager.io/issuer-group: cert-manager.io
cert-manager.io/issuer-kind: ClusterIssuer
cert-manager.io/issuer-name: letsencrypt-staging
cert-manager.io/uri-sans:
Type: kubernetes.io/tls
Data
====
tls.crt: 3570 bytes
tls.key: 1679 bytes
Once a certificate has been successfully created, you can run a describe for further information:
$ kubectl describe certificate tls-whoami
.....
.......
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 5m19s cert-manager Issuing certificate as Secret does not exist
Normal Generated 5m19s cert-manager Stored new private key in temporary Secret resource "tls-whoami-b5x84"
Normal Requested 5m19s cert-manager Created new CertificateRequest resource "tls-whoami-hxdmz"
Normal Issuing 5m17s cert-manager The certificate has been successfully issued
Find more information about the cert-manager here.
It is recommend upgrading the cert-manager one minor version at a time, always choosing the latest patch version for the minor version. Find a detailed description here.
To backup all of your cert-manager configuration resources, run:
$ kubectl get --all-namespaces -oyaml issuer,clusterissuer,cert > cert-manager-backup.yaml
Find more details here.
The cert-manager can be upgraded in a similar way to how you first installed them.
To begin the upgrade process run:
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/<version>/cert-manager.yaml
Replace
Once you have deployed the new version of cert-manager, you can verify the installation by checking the cert-manager namespace for running pods:
$ kubectl get pods --namespace cert-manager
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes
https://www.linuxtechi.com/setup-nginx-ingress-controller-in-kubernetes/
https://blog.dbi-services.com/setup-an-nginx-ingress-controller-on-kubernetes/