In order to route traffic to applications deployed in Kubernetes it is good practice to use an Ingress Controller, which proxies incoming requests to the correct Services and can handle things like TLS termination. For more information on Ingress resources and Ingress Controllers see the official Kubernetes documentation.
A popular ingress controller is the nginx ingress controller.
You can install it manually through Helm:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install nginx-ingress ingress-nginx/ingress-nginx --namespace nginx-ingress --create-namespace --set "rbac.create=true" --set "controller.replicaCount=2" --set "defaultBackend.replicaCount=2"
to install the NGINX Ingress Controller in the cluster (Helm 3 does not create namespaces on its own, hence --create-namespace). This creates a Service of type LoadBalancer for the controller; once the cloud provider has assigned it an external IP address, point the DNS records of your applications at that address.
If you want to use Let's Encrypt to automatically manage TLS certificates for your ingress resources, you also have to install cert-manager.
This can be done through Helm:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.11.0 \
--set installCRDs=true
If you want to use the SysEleven DNS service for DNS validation of certificates (required, for example, for wildcard certificates), you need to install the designate webhook in the cluster. Follow the instructions in the provided README.
After installing cert-manager you have to configure how it obtains certificates. For that, add a ClusterIssuer to your Kubernetes cluster. The issuer below uses the Let's Encrypt production endpoint; while you are still testing, point server at the staging endpoint https://acme-staging-v02.api.letsencrypt.org/directory instead, because the production endpoint enforces rate limits and repeated failed validations count against them (staging certificates are not trusted by browsers, so switch back to production once issuance works). Use an email address that is actually read: Let's Encrypt sends expiry and security notices to it. The ACME account private key is stored in the Secret named in privateKeySecretRef, in the namespace cert-manager runs in, so access to that namespace should be restricted accordingly.
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: your-email@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
If you want to use DNS validation instead, apply the following ClusterIssuer. It carries the same name as the HTTP01 issuer above, so applying it replaces that issuer; give it a different name if you want to keep both.
cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: your-email@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Use designate webhook for DNS01 validations
    solvers:
    - dns01:
        webhook:
          groupName: acme.syseleven.de
          solverName: designatedns
EOF
The Deploy Application page shows how to use this issuer to obtain a certificate for an application.
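As an added example (not a manifest from this page or from the Deploy Application page), an Ingress that asks the letsencrypt-prod ClusterIssuer above for a certificate and terminates TLS with it. The host app.example.com, the Service name my-app, the port 8080 and the Secret name app-example-com-tls are placeholders; replace them with your own values.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: default
  annotations:
    # Tell cert-manager which ClusterIssuer should issue the certificate
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # ingress-nginx annotation: redirect plain HTTP to HTTPS once the certificate is in place
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.com
    # cert-manager creates a Certificate for these hosts and stores the resulting
    # key pair in this Secret; the ingress controller serves TLS from it
    secretName: app-example-com-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            # placeholder backend Service and port
            name: my-app
            port:
              number: 8080
```

Apply it with kubectl apply -f and follow the issuance with kubectl get certificate,order,challenge -n default. With the HTTP01 solver, cert-manager serves the validation token under /.well-known/acme-challenge/ on the same host through a temporary Ingress, so the DNS record for app.example.com must already resolve to the load balancer address and port 80 must be reachable from the internet; a Challenge that stays pending usually means one of these is missing. A Certificate with the Ready condition set to True and a Secret of type kubernetes.io/tls named app-example-com-tls confirm that issuance succeeded.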