Deploying Ingress with cert-manager and Let’s Encrypt

This document will be the basis for deploying ingress on a Kubernetes cluster. We will demonstrate both the Ingress NGINX Controller and traefik, each with cert-manager and Let's Encrypt. The demonstration will use a plain kubectl deployment as well as a Helm chart deployment. We will also use the whoami application as an example application, since it also reports the request headers and the client IP it sees.

We will also show how to bind the ingress to one of the IPs from the /29 subnet given to each client when they order a managed Kubernetes cluster.

Versions at time of writing: cert-manager v1.13.2, NGINX Controller controller-v1.9.4, traefik v2.10.5.

cert-manager

We will start with cert-manager. This will be a basic installation with no customization needed, and it is agnostic of the ingress controller used.

Helm

We add the repo to be able to deploy from it:

cert-manager requires a number of Custom Resource Definitions (CRDs) to be installed in order to work, so we need to add a parameter to the Helm deployment.

To install with the CRDs we need to execute this command:

kubectl deployment

This is the default static way, which also includes the CRDs:

More details and other information can be found on the official site: https://cert-manager.io/docs/.

NGINX Ingress

We will now deploy the NGINX ingress:

Helm

For the ingress to work properly we need to customize it to play nice with our Cloud Controller Manager (CCM). We will need to create a values.yml to add the parameters needed. We are using a load balancer name to make it easier for both the ingress and the certificate manager to function as expected. You will need to create the DNS entry for this domain.

To bind the ingress controller to a specific IP we can add the setting loadBalancerIP: '<IP_FROM_SUBNET_HERE>'

For example:

We then install the controller:

We can then validate that the annotation is correct and that the load balancer was configured:
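The values.yml below is an added example of what such a file looks like for the ingress-nginx Helm chart; it is not the page's own file. The chart keys (controller.service, controller.config, controller.ingressClassResource) are the chart's real ones, while the annotation key carrying the load balancer name depends on the CCM and is left as a placeholder, as is the IP from the /29.

```yaml
# values.yml for the ingress-nginx Helm chart (added example, not the page's
# own file). Values in angle brackets are placeholders to fill in.
controller:
  # Give the controller a named IngressClass so Ingress objects and the
  # cert-manager HTTP-01 solver can select it explicitly.
  ingressClassResource:
    name: nginx
    default: true
  service:
    type: LoadBalancer
    annotations:
      # The CCM-specific annotation that names the load balancer; the key
      # depends on the cloud controller manager and is assumed here.
      "<lb-name-annotation-key>": "<lb-name>"
    # Pin the LoadBalancer to one address from the /29 assigned to the cluster.
    loadBalancerIP: "<IP_FROM_SUBNET_HERE>"
    # Local keeps the real client source address instead of SNAT-ing it on the
    # node, so whoami reports the actual client IP rather than a node IP.
    externalTrafficPolicy: Local
  config:
    # Only turn this on if the load balancer really sends the PROXY protocol
    # header; with it on and a plain TCP load balancer, NGINX rejects every
    # connection with a "broken header" error.
    use-proxy-protocol: "false"
    # Leave X-Forwarded-* untrusted unless a trusted proxy sets them.
    use-forwarded-headers: "false"
```

Install it with the chart from the ingress-nginx repository using `-f values.yml`; afterwards the EXTERNAL-IP column of the controller Service should show the pinned address.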

kubectl deployment

We will need to download the controller YAML file from the official GitHub repository and then modify it so that it works with our CloudStack load balancer.

Then edit ingress-nginx-controller.yml to add these parameters:

Example with a specified IP:

Then we deploy the modified yaml:

We can validate that everything is deployed correctly:
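For the static deployment, the only resource that needs editing is the controller Service. The manifest below is an added example showing that Service with the load balancer annotation and a pinned IP; it is not the page's own file, and it assumes the rest of the downloaded manifest (namespace, ServiceAccount, RBAC, Deployment) is left as published. Annotation key, name and IP are placeholders.

```yaml
# Service section of ingress-nginx-controller.yml after editing (added
# example). Only the annotation, loadBalancerIP and externalTrafficPolicy
# differ from the published manifest; placeholders are in angle brackets.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
  annotations:
    # CCM-specific annotation naming the load balancer (key assumed).
    "<lb-name-annotation-key>": "<lb-name>"
spec:
  type: LoadBalancer
  # One address from the /29 subnet assigned to the cluster.
  loadBalancerIP: "<IP_FROM_SUBNET_HERE>"
  # Preserve the client source IP for the controller and for whoami.
  externalTrafficPolicy: Local
  ipFamilyPolicy: SingleStack
  ipFamilies:
    - IPv4
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
      appProtocol: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
      appProtocol: https
```

With externalTrafficPolicy set to Local, only nodes running a controller pod answer on the load balancer; check that the CloudStack load balancer health check is pointed at those nodes, otherwise some backends will show as down.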

Cluster Issuer

We will now install Let's Encrypt as our certificate issuer. We will use the HTTP-01 challenge to validate control of the domain in question.

First, let's create the YAML file. In this example we will define both the staging and the production issuer. For the rest of the demonstration we will use the staging issuer.

And then we deploy them:

We can validate:

We can see that we are now registered with the ACME server and ready to issue certificates.

whoami

We will then deploy an application and create an ingress, which in turn will request a certificate and apply it to the ingress.

First, deployment of the application:

Helm

We add the repo for the application:

We will create a values.yml file with the ingress details needed.

We then deploy the app:

Then we can look at the result in a browser, or we can use curl:

We can also look at the complete chain:

We can also get the certificate from the website/application:

This concludes the demonstration with the ingress NGINX controller.

Traefik

We will now look at the traefik ingress controller. We need to create a values.yml file to add the relevant settings to enable proxy mode.

Helm

We then deploy the Helm chart:
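The values.yml below is an added example for the traefik Helm chart, not the page's own file. It assumes that "proxy mode" means accepting the PROXY protocol from the CloudStack load balancer so traefik sees the real client address, and it pins the Service to an IP from the /29 in the same way as the NGINX values. The chart keys (ports.web.proxyProtocol, service.spec, providers.kubernetesIngress.publishedService, ingressClass) are the chart's real ones; the CIDR, annotation key and IP are placeholders.

```yaml
# values.yml for the traefik Helm chart (added example, not the page's file).
# Placeholders are in angle brackets.
deployment:
  replicas: 2
ports:
  web:
    # Accept PROXY protocol headers only from the load balancer's addresses.
    # Avoid proxyProtocol.insecure: true, which trusts the header from any
    # client and lets it forge the source IP seen by whoami and by logs.
    proxyProtocol:
      trustedIPs:
        - "<LB_SOURCE_CIDR>"
    forwardedHeaders:
      trustedIPs:
        - "<LB_SOURCE_CIDR>"
  websecure:
    proxyProtocol:
      trustedIPs:
        - "<LB_SOURCE_CIDR>"
    forwardedHeaders:
      trustedIPs:
        - "<LB_SOURCE_CIDR>"
service:
  annotations:
    # CCM-specific annotation naming the load balancer (key assumed).
    "<lb-name-annotation-key>": "<lb-name>"
  spec:
    # One address from the /29 assigned to the cluster.
    loadBalancerIP: "<IP_FROM_SUBNET_HERE>"
    externalTrafficPolicy: Local
ingressClass:
  # Register the "traefik" IngressClass so Ingress objects and the
  # cert-manager HTTP-01 solver can reference it by name.
  enabled: true
  isDefaultClass: true
providers:
  kubernetesIngress:
    # Publish the LoadBalancer address into Ingress status so kubectl and
    # cert-manager can see where each host is reachable.
    publishedService:
      enabled: true
```

If the CloudStack load balancer does not send the PROXY protocol, drop the proxyProtocol blocks; traefik will otherwise wait for a header that never arrives and the connection fails.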

kubectl deployment

For the static deployment we use this YAML. It contains the ClusterRole, ServiceAccount, ClusterRoleBinding, Deployment and Service needed to work with our cluster.

If we want to specify the IP we modify the Service; the rest is the same.

We then apply the manifest:

We can validate with the following command:

With this result we know everything is now installed.

ClusterIssuer

As we did with the NGINX ingress, we will define and deploy our ClusterIssuer pointing to Let's Encrypt, specifying traefik as the ingress class and using the HTTP-01 challenge for verification.

We then deploy the manifest:

We validate:
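The manifest below is an added example of the ClusterIssuer pair referred to in both the NGINX Cluster Issuer section and this one; it is not the page's own file. The two issuers differ only in the ACME server URL and the account-key Secret name, and the ingress class selected by the HTTP-01 solver is the only line that changes between the NGINX and traefik deployments. The e-mail address is a placeholder.

```yaml
# ClusterIssuers for Let's Encrypt staging and production (added example).
# cert-manager answers the HTTP-01 challenge by creating a temporary Ingress
# for /.well-known/acme-challenge/ on the class named under the solver.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The staging CA is not trusted by browsers and has relaxed rate limits;
    # use it while debugging so failed attempts do not burn production quota.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: "<admin@example.com>"
    privateKeySecretRef:
      # ACME account private key; for a ClusterIssuer it is stored in the
      # cert-manager namespace. Treat it like any other credential.
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          ingress:
            # "nginx" for the NGINX section, "traefik" for this section.
            # ingressClassName sets spec.ingressClassName on the solver
            # Ingress; the older "class" field sets the legacy annotation.
            ingressClassName: traefik
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: "<admin@example.com>"
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik
```

After `kubectl apply -f` on this file, `kubectl get clusterissuer` should show READY True for both; a False status with an ACME registration error usually means the e-mail or server URL is wrong. HTTP-01 also requires port 80 on the load balancer IP to be reachable from the internet, since Let's Encrypt fetches the challenge over plain HTTP.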

whoami

We will deploy a sample app to test and validate that everything is working as expected.

Helm

We add the repo for the application:

We will create a values.yml file with the ingress details needed:

We then deploy the app:

Then we can look at the result with a browser:

We can examine the complete chain:
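For both whoami deployments (the NGINX one earlier and this traefik one), the piece that ties the application to cert-manager is the Ingress. The manifest below is an added example of a plain Deployment, Service and Ingress for whoami; it is not the page's own values.yml nor the chart's output, but it produces the same result as a chart whose values enable an ingress with TLS. The host name is a placeholder and must match the DNS entry created earlier; the cert-manager annotation and secret name are what a Helm values.yml would set under its ingress.annotations and ingress.tls keys.

```yaml
# whoami Deployment, Service and Ingress (added example, not the page's file).
# Replace the host with the DNS name pointing at the load balancer IP.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  selector:
    app: whoami
  ports:
    - port: 80
      targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  annotations:
    # cert-manager watches this annotation, creates a Certificate for the
    # hosts listed under tls, and stores the result in the named Secret.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  # "traefik" here; "nginx" for the NGINX deployment.
  ingressClassName: traefik
  tls:
    - hosts:
        - "<whoami.example.com>"
      secretName: whoami-tls
  rules:
    - host: "<whoami.example.com>"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
```

After applying, `kubectl get certificate` should show whoami-tls becoming Ready within a minute or two; while it is pending, `kubectl describe order` and `kubectl describe challenge` show why the HTTP-01 check has not passed (typically DNS not yet pointing at the load balancer, or port 80 blocked). Because the staging issuer is used, the served certificate chains to the Let's Encrypt staging CA, so browsers will warn and curl needs `-k` until the annotation is switched to letsencrypt-prod.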