Table of contents

• Introduction

• Parts

  • Cert-Manager
  • What is cert-manager?
  • Enable cert-manger
  • Add ClusterIssuer
  • Production Issuer
  • Staging issuer

• Setup nginx

  • What is Ingress
  • Enable Ingress

• Testing Ingress and cert-manager

  • Deploy

• Conclusion

Introduction

In this post we will see how to setup nginx reverse proxy and cert-manager in microk8s. We will use the nginx ingress controller to create a reverse proxy for our applications. We will also use cert-manager to create and manage SSL certificates for our applications.

Parts

Part 1. Setup MicroK8s With Ubuntu

Part 2. Setup Nginx and cert-manager in MicroK8s (this post)

Part 3. Deploy docker registry and postgres database in MicroK8s

Part 4. Create and deploy .Net application in MicroK8s

Cert-Manager

What is cert-manager?

cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.

It can issue certificates from a variety of supported sources, including Let's Encrypt, HashiCorp Vault, and Venafi as well as private PKI. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.

We are going to use Let's Encrypt for the ssl certificates.

Enable cert-manger

cert-manager comes as an addon for the microk8s. Make sure the addon is enabled. To check if the addons is enabled. just check the status of the microk8s.

1microk8s status

cert-manager addons should be inside the enabled section.

If it is not available in the enabled section. then, run the following command to enable it.

1microk8s enable cert-manager

This will enable the cert-manager in microk8s.

Add ClusterIssuer

The first thing you'll need to configure after you've enabled cert-manager is an Issuer or a ClusterIssuer. These are resources that represent certificate authorities (CAs) able to sign certificates in response to certificate signing requests.

Production Issuer

lets create a production issuer which can be used to get the ssl certificate from lets encrypt.

1apiVersion: cert-manager.io/v1
2kind: ClusterIssuer
3metadata:
4 name: lets-encrypt
5spec:
6 acme:
7   email:  username@yourdomain.com # Change the email here
8   server: https://acme-v02.api.letsencrypt.org/directory
9   privateKeySecretRef:
10     name: lets-encrypt-prod
11   solvers:
12   - http01:
13       ingress:
14         class: public

Staging issuer

1apiVersion: cert-manager.io/v1
2kind: ClusterIssuer
3metadata:
4 name: lets-encrypt-staging
5spec:
6 acme:
7   server: https://acme-staging-v02.api.letsencrypt.org/directory
8   email: username@yourdomain.com # Change the email here
9   privateKeySecretRef:
10     name: lets-encrypt-staging
11   solvers:
12   - http01:
13       ingress:
14         class:  public

Setup nginx

What is Ingress

Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting. An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic.

We are going to use NGINX Ingress Controller which comes as an addon for the microk8s.

Enable Ingress

The first step is to make sure the addon is enabled. To verify the that just run the status command.

1microk8s status

Make sure ingress is inside the enabled section.

If it is not available in the enabled section. then, run the following command to enable it.

1microk8s enable ingress

This will enable the ingress in microk8s.

Testing Ingress and cert-manager

Now, we have our ingress and cert-manager enabled. lets test these with deploying a simple whoami application.

1kind: Deployment
2apiVersion: apps/v1
3metadata:
4  name: whoami
5  labels:
6    app: traefiklabs
7    name: whoami
8
9spec:
10  replicas: 1
11  selector:
12    matchLabels:
13      app: traefiklabs
14      task: whoami
15  template:
16    metadata:
17      labels:
18        app: traefiklabs
19        task: whoami
20    spec:
21      containers:
22        - name: whoami
23          image: traefik/whoami
24          ports:
25            - containerPort: 80
26          resources:
27            requests:
28              memory: "100Mi"
29              cpu: "250m"
30            limits:
31              memory: "200Mi"
32              cpu: "500m"
33
34---
35apiVersion: v1
36kind: Service
37metadata:
38  name: whoami-service
39spec:
40  ports:
41    - name: http
42      port: 80
43  selector:
44    app: traefiklabs
45    task: whoami
46---
47apiVersion: networking.k8s.io/v1
48kind: Ingress
49metadata:
50  name: http-ingress-whoami
51  annotations:
52    cert-manager.io/cluster-issuer: "lets-encrypt"
53    kubernetes.io/ingress.class: "public"
54spec:
55  tls:
56    - hosts:
57      -  whoami.kdev.antosubash.com
58      secretName: whoami-tls
59  rules:
60  - host: "whoami.kdev.antosubash.com"
61    http:
62      paths:
63      - path: /
64        pathType: Prefix
65        backend:
66          service: 
67            name: whoami-service
68            port: 
69              number: 80

you can also find this file in the repo here

Deploy

We will use the kubectl to deploy this application.

1kubectl apply -f whoami.yaml

Conclusion

In this post we enabled and configured two addons of microk8s. its cert-manager and ingress and to test these addons we also deployed a sample app. In the next post we will see how to deploy registry and postgres database.

Part 3. Deploy docker registry and postgres database in MicroK8s