External Nginx Ingress Controller Cert Manager

Exercise Overview: External Nginx Ingress Controller with Cert Manager Setup. This exercise guides participants through the process of setting up an Azure Kubernetes Service (AKS) cluster with a Standard External Load Balancer, Nginx Ingress Controller, and Cert Manager for managing SSL certificates. The objective is to deploy a sample application with HTTPS support, ensuring secure communication.

Requirements

  • Azure Kubernetes Service (AKS) Cluster (Perform steps 1 to 4 if not already running)
  • Basic Load Balancer
  • Cert Manager
  • Nginx Ingress Controller

Solution

1. Create Resource Group

Creates an Azure Resource Group for organizing and managing resources.

az group create --location westeurope --resource-group demo-weu-rg

2. Create Service Principal

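Generates the Service Principal that AKS will run as. Because of --skip-assignment, no role assignment is created at this point; the appId and password in the command output are the values for --service-principal and --client-secret in step 3.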

az ad sp create-for-rbac --skip-assignment -n "spn-aks"

3. Create Azure Kubernetes Service

NOTE: Replace the placeholders in --subscription, --name, --service-principal, and --client-secret with actual values.

Deploys an AKS cluster with specified configurations.

az aks create \
  --location westeurope \
  --subscription <Your-Subscription-ID> \
  --resource-group demo-weu-rg \
  --name <Your-AKS-Cluster-Name> \
  --ssh-key-value $HOME/.ssh/id_rsa.pub \
  --service-principal "<Your-Service-Principal-ID>" \
  --client-secret "<Your-Client-Secret>" \
  --network-plugin kubenet \
  --load-balancer-sku standard \
  --outbound-type loadBalancer \
  --node-vm-size Standard_B2s \
  --node-count 1 \
  --tags 'ENV=Demo' 'OWNER=Corporation Inc.'

4. Get Kubeconfig

Retrieves the AKS cluster's kubeconfig and merges it into the local environment. The --admin flag fetches the cluster-admin credentials rather than a per-user login.

az aks get-credentials \
  --resource-group demo-weu-rg \
  --name <Your-AKS-Cluster-Name> \
  --admin

5. Create Static IP address

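Creates a static Standard-SKU public IP address for the AKS cluster in its node resource group (MC_...), with a DNS label that gives it a name under westeurope.cloudapp.azure.com.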

az network public-ip create \
    --resource-group MC_demo-weu-rg_<Your-AKS-Cluster-Name>_westeurope \
    --name myStandardPublicIP \
    --version IPv4 \
    --sku Standard \
    --dns-name <Your-AKS-Cluster-Name>

6. Create an Ingress Controller with Static IP

Sets up an Ingress Controller with a static IP using Helm charts, ensuring proper configuration for Linux nodes and Azure Load Balancer health checks. Replace STATIC-IP-ADDRESS with the address of the public IP created in step 5.

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
  --version 4.1.3 \
  --namespace ingress-nginx \
  --create-namespace \
  --set controller.replicaCount=1 \
  --set controller.nodeSelector."kubernetes\.io/os"=linux \
  --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \
  --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
  --set controller.service.loadBalancerIP=STATIC-IP-ADDRESS

7. Check the Load Balancer Service

Monitors the Ingress Controller service to ensure successful deployment and obtain relevant details.

kubectl get services --namespace ingress-nginx -o wide -w ingress-nginx-controller

8. Deploy Cert Manager

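Deploys Cert Manager using Helm charts and installs Custom Resource Definitions (CRDs). Unlike the ingress-nginx install in step 6, no chart version is pinned here, so Helm installs the latest release; add --version for a reproducible install.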

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade cert-manager jetstack/cert-manager \
    --install \
    --create-namespace \
    --wait \
    --namespace cert-manager \
    --set installCRDs=true

9. Check Deployed Cert Manager Resources

Verifies the deployment of Cert Manager resources in the cert-manager namespace.

kubectl -n cert-manager get all

10. Deploy Cluster Issuer

  1. Change the email address in clusterissuer.yaml.
  2. Deploy the cluster issuer with the command kubectl apply -f clusterissuer.yaml

11. Deploy Sample Application and Ingress

Deploys a sample application on the AKS cluster with associated services and ingress resources.

kubectl apply -f files/deployment.yaml
kubectl apply -f files/service.yaml
kubectl apply -f files/ingress.yaml
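
As an added example (not the repository's clusterissuer.yaml or files/ingress.yaml, which are not shown on this page), the manifests applied in steps 10 and 11 typically look like the following. It assumes a Let's Encrypt ACME issuer with an HTTP-01 solver served through the nginx ingress class; the names letsencrypt-staging, sample-app and sample-app-tls, the e-mail address and port 80 are hypothetical.

```yaml
# Added example; names, e-mail and port are hypothetical placeholders.
# clusterissuer.yaml (step 10)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging endpoint: generous rate limits, certificates are NOT publicly trusted.
    # Production endpoint: https://acme-v02.api.letsencrypt.org/directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com          # the address step 10 asks you to change
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # Secret holding the ACME account key
    solvers:
      - http01:
          ingress:
            class: nginx              # challenge is answered through ingress-nginx
---
# ingress.yaml (step 11)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sample-app
  annotations:
    # Tells cert-manager which issuer signs the certificate for the tls section.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "<Your-AKS-Cluster-Name>.westeurope.cloudapp.azure.com"   # DNS label from step 5
      secretName: sample-app-tls      # cert-manager writes the certificate and key here
  rules:
    - host: "<Your-AKS-Cluster-Name>.westeurope.cloudapp.azure.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sample-app      # hypothetical Service from service.yaml
                port:
                  number: 80
```

Certificates from the staging endpoint are not trusted by browsers, so they will fail the browser check in the Testing section. Once the Order and Challenge complete, point server at the production endpoint and re-apply.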

Testing

1. Check if SSL Certificates are Created

# Get CertificateRequests
kubectl get certificaterequest

# See the state of the request
kubectl describe certificaterequest some-certificaterequest-name

# Check the Order
kubectl get order
kubectl describe order some-order-name

# Check Challenge
kubectl get challenge
kubectl describe challenge some-challenge-name

2. Check if Domain has Proper SSL

  1. Open the URL "https://<Your-AKS-Cluster-Name>.westeurope.cloudapp.azure.com/" in a browser and check the SSL certificate
  2. Go to https://www.sslshopper.com/ssl-checker.html and check the domain <Your-AKS-Cluster-Name>.westeurope.cloudapp.azure.com

Clean Up

1. Remove all resources

Deletes the resource group and associated resources.

az group delete -n demo-weu-rg --yes --no-wait