Create an Ingress Controller

In order to route traffic to applications deployed in Kubernetes, it is good practice to use an Ingress Controller, which proxies incoming requests to the correct services and can handle tasks such as TLS offloading. For more information on Ingress resources and Ingress Controllers, see the official Kubernetes documentation.

NGINX Ingress Controller

A popular ingress controller is the nginx ingress controller.

Installation

You can install it manually through Helm. This will automatically create a Load Balancer service for you.

Depending on the desired outcome, follow the steps below that apply to you. You can also create the ingress controller within an existing namespace.

External only

helm install ingress-nginx ingress-nginx/ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--namespace ingress-nginx \
--create-namespace

Internal and External

This will create an internal and an external Load Balancer service. The internal load balancer will be named nginx-ingress-ingress-nginx-controller-internal, and its internal IP is shown in the EXTERNAL-IP column of e.g. kubectl get svc -n nginx-ingress -o wide.

helm install ingress-nginx ingress-nginx/ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
-f values.yml
# example values.yml
controller:
  service:
    enabled: true
    internal:
      enabled: true
      annotations:
        # annotation values must be strings, so the boolean is quoted
        service.beta.kubernetes.io/openstack-internal-load-balancer: "true"

Internal only

To create only an internal load balancer, the same principle as described above applies; the external service is disabled explicitly.

helm install ingress-nginx ingress-nginx/ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--namespace ingress-nginx \
--create-namespace \
-f values.yml
# example values.yml
controller:
  service:
    enabled: true
    external:
      enabled: false
    internal:
      enabled: true
      annotations:
        # annotation values must be strings, so the boolean is quoted
        service.beta.kubernetes.io/openstack-internal-load-balancer: "true"

Cert-Manager

If you want to use Let's Encrypt to automatically manage TLS certificates for your ingress resources, you also have to install cert-manager.

Cert-Manager Installation

Manual installation

This can be done through Helm:

helm repo add jetstack https://charts.jetstack.io

helm repo update

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.11.0 \
  --set installCRDs=true

If you want to use the SysEleven DNS service for DNS-based certificate validation (required e.g. for wildcard certificates), you need to install the designate webhook in the cluster. Please follow the instructions in the provided README.

Configure cluster issuer

After installing cert-manager you have to configure how it should obtain certificates. To do so, add a ClusterIssuer to your Kubernetes cluster:

cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: your-email@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

If you want to use DNS validation, use a ClusterIssuer with the DNS01 solver instead:

cat <<'EOF' | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: your-email@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Use designate webhook for DNS01 validations
    solvers:
    - dns01:
        webhook:
          groupName: acme.syseleven.de
          solverName: designatedns
EOF
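As an added example (not code from this page, the ingress-nginx chart or cert-manager), the following POSIX shell helper renders the values.yml for the three installation modes above and the ClusterIssuer for either solver, refusing the placeholder contact address. It assumes the chart keys, webhook group name and solver name exactly as shown on this page.

```shell
#!/bin/sh
# Added example, not part of the original page. Renders the values.yml for the
# ingress-nginx modes above and a ClusterIssuer for the http01 or dns01 solver.

# Print values.yml for MODE = external | internal | both.
# Kubernetes annotation values must be strings, so "true" is quoted.
ingress_values() {
  case "$1" in
    external|internal|both) ;;
    *) echo "ingress_values: unknown mode '$1'" >&2; return 1 ;;
  esac
  printf 'controller:\n  service:\n    enabled: true\n'
  if [ "$1" = internal ]; then
    printf '    external:\n      enabled: false\n'
  fi
  if [ "$1" != external ]; then
    printf '    internal:\n      enabled: true\n      annotations:\n'
    printf '        service.beta.kubernetes.io/openstack-internal-load-balancer: "true"\n'
  fi
}

# Print a ClusterIssuer manifest: NAME EMAIL SOLVER (http01 | dns01).
# The placeholder address from the page is rejected so it cannot be applied.
cluster_issuer() {
  name="$1"; email="$2"; solver="$3"
  case "$solver" in http01|dns01) ;; *) echo "cluster_issuer: unknown solver '$solver'" >&2; return 1 ;; esac
  case "$email" in ""|your-email@example.com) echo "cluster_issuer: set a real ACME contact email" >&2; return 1 ;; esac
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: $name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $email
    privateKeySecretRef:
      name: $name
    solvers:
EOF
  if [ "$solver" = http01 ]; then
    printf '    - http01:\n        ingress:\n          class: nginx\n'
  else
    printf '    - dns01:\n        webhook:\n          groupName: acme.syseleven.de\n          solverName: designatedns\n'
  fi
}

# Usage: ingress_values both > values.yml
#        cluster_issuer letsencrypt-prod ops@example.org dns01 | kubectl apply -f -
```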

In Deploy Application you can see how to use this issuer to obtain a certificate.

Further information