In order to route traffic to applications deployed in Kubernetes it is good practice to use an Ingress Controller, which proxies incoming requests to the correct Services and can handle things like TLS offloading. For more information on Ingress resources and Ingress Controllers see the official Kubernetes documentation.
A popular ingress controller is the nginx ingress controller.
The easiest way to install it in your cluster is by installing the fully managed NGINX Ingress Controller Add-On.
Alternatively you can install it manually through Helm. When Helm is ready to be used, run:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install nginx-ingress ingress-nginx/ingress-nginx --namespace nginx-ingress --set "rbac.create=true" --set "controller.replicaCount=2" --set "defaultBackend.replicaCount=2"

to install the NGINX Ingress Controller in the cluster. The target namespace must exist before you run helm install (create it first, or pass --create-namespace on Helm 3.2 or later). The chart automatically creates a Service of type LoadBalancer for the controller, so the ingress is reachable from the internet as soon as the load balancer has an external IP.
The easiest way to install cert-manager is to use the managed Add-On. After installation you only need to configure the issuers you want to use.

Alternatively, cert-manager can be installed manually through Helm as well:

kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml
kubectl create namespace cert-manager
kubectl label namespace cert-manager cert-manager.io/disable-validation=true
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager --namespace cert-manager --version v0.7.0 jetstack/cert-manager

Note that the CRD manifest and chart version pinned here (v0.7.0) predate the cert-manager.io/v1 API used by the ClusterIssuer examples below; that API group and version require cert-manager v1.0 or later, so choose a release that matches the manifests you intend to apply.
If you want to use the SysEleven DNS service for certificate DNS validation (e.g. required for wildcard certificates) you need to install the designate webhook in the cluster. Please follow instructions from the provided README.
After installing cert-manager you have to configure how it should obtain certificates. For that you add a ClusterIssuer to your Kubernetes cluster. For a first test, point server at the Let's Encrypt staging endpoint (https://acme-staging-v02.api.letsencrypt.org/directory) instead: the production endpoint enforces rate limits, and failed attempts during setup count against them. The ACME account private key is stored in the Secret named by privateKeySecretRef in the cert-manager namespace, so restrict access to that namespace accordingly.

cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: email@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
If you want to use DNS validation, use a ClusterIssuer with a DNS01 solver instead. Both examples on this page use the name letsencrypt-prod, so applying this one replaces the HTTP01 issuer of the same name; give them distinct names if you need both.

cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: firstname.lastname@example.org
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Use designate webhook for DNS01 validations
    solvers:
    - dns01:
        webhook:
          groupName: acme.syseleven.de
          solverName: designatedns
EOF
In Deploy Application you can see how you can use this issuer to fetch a certificate.
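Once the issuer exists, the two things worth checking are that the ClusterIssuer reports Ready=True (otherwise the ACME account registration failed) and that the Secret cert-manager writes for an Ingress really contains a certificate from the ACME CA that covers the expected hosts. If the Secret is missing or wrong, ingress-nginx silently serves its own self-signed default certificate, which browsers reject and which is easy to miss in automation. The following Go program is an added verification example, not part of this page or of cert-manager; it uses only the standard library and reads the JSON that kubectl get ... -o json prints. The JSON field layout (status.conditions on the issuer, base64 data.tls.crt on a kubernetes.io/tls Secret) is the Kubernetes API format; the sample Secret built by sampleTLSSecret is constructed test data containing a self-signed certificate, so the self-signed finding it produces is the expected result for that input.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"os"
	"time"
)

// kubeObject is the subset of `kubectl get ... -o json` output the checks read.
// Values under .data of a Secret are base64-encoded by the API server.
type kubeObject struct {
	Data   map[string]string `json:"data"`
	Status struct {
		Conditions []struct {
			Type    string `json:"type"`
			Status  string `json:"status"`
			Reason  string `json:"reason"`
			Message string `json:"message"`
		} `json:"conditions"`
	} `json:"status"`
}

// IssuerReady reports whether a (Cluster)Issuer carries the condition Ready=True and
// returns the condition's reason/message, which is where ACME registration errors show up.
func IssuerReady(issuerJSON []byte) (bool, string, error) {
	var obj kubeObject
	if err := json.Unmarshal(issuerJSON, &obj); err != nil {
		return false, "", err
	}
	for _, c := range obj.Status.Conditions {
		if c.Type == "Ready" {
			return c.Status == "True", c.Reason + ": " + c.Message, nil
		}
	}
	return false, "no Ready condition yet", nil
}

// CheckTLSSecret decodes tls.crt from a kubernetes.io/tls Secret and returns findings.
// An empty list means the leaf covers every host, is valid for at least minValid from
// now, and was not self-issued (ingress-nginx's fallback certificate is self-signed).
func CheckTLSSecret(secretJSON []byte, hosts []string, minValid time.Duration, now time.Time) ([]string, error) {
	var obj kubeObject
	if err := json.Unmarshal(secretJSON, &obj); err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(obj.Data["tls.crt"])
	if err != nil {
		return nil, fmt.Errorf("tls.crt: %w", err)
	}
	block, _ := pem.Decode(raw) // first PEM block is the leaf, the rest is the chain
	if block == nil {
		return nil, fmt.Errorf("tls.crt contains no PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, h := range hosts {
		if err := leaf.VerifyHostname(h); err != nil {
			findings = append(findings, "host not covered: "+h)
		}
	}
	if leaf.NotAfter.Before(now.Add(minValid)) {
		findings = append(findings, "expires too soon: "+leaf.NotAfter.UTC().Format(time.RFC3339))
	}
	if bytes.Equal(leaf.RawIssuer, leaf.RawSubject) {
		findings = append(findings, "self-signed certificate for "+leaf.Subject.CommonName+", not issued by the ACME CA")
	}
	return findings, nil
}

// sampleTLSSecret builds a constructed kubernetes.io/tls Secret, shaped like kubectl output,
// holding a fresh self-signed certificate for hosts. Test data only, not a cert-manager result.
func sampleTLSSecret(hosts []string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0]},
		DNSNames:     hosts,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	crt := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	secret := map[string]interface{}{
		"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
		"data": map[string]string{"tls.crt": base64.StdEncoding.EncodeToString(crt)},
	}
	return json.Marshal(secret)
}

func main() {
	// Real use:  kubectl get secret -n <ns> <tls-secret> -o json | go run . example.com www.example.com
	// No arguments: run against the constructed self-signed sample (expect one finding).
	hosts := []string{"example.com", "www.example.com"}
	var secret []byte
	var err error
	if len(os.Args) > 1 {
		hosts, secret, err = os.Args[1:], nil, nil
		secret, err = io.ReadAll(os.Stdin)
	} else {
		secret, err = sampleTLSSecret(hosts, time.Now(), 90*24*time.Hour)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	findings, err := CheckTLSSecret(secret, hosts, 30*24*time.Hour, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
	fmt.Println("certificate OK")
}
```

Pipe kubectl get clusterissuer letsencrypt-prod -o json into IssuerReady to see the ACME registration status, and run the Secret check from a cron job or CI step with a minValid of about 30 days: cert-manager renews Let's Encrypt certificates before that point, so a certificate closer to expiry than that means renewal is failing.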
There is a known issue on Kubernetes 1.18 and 1.19 where cert-manager can't create certificates for your Ingress. We are currently working on a solution and will keep you updated.