Introduction
In this post we will see how to set up an nginx reverse proxy and cert-manager in MicroK8s. We will use the nginx ingress controller to create a reverse proxy for our applications. We will also use cert-manager to create and manage SSL certificates for our applications.
Parts
Part 1. Setup MicroK8s With Ubuntu
Part 2. Setup Nginx and cert-manager in MicroK8s (this post)
Part 3. Deploy docker registry and postgres database in MicroK8s
Part 4. Create and deploy .Net application in MicroK8s
Cert-Manager
What is cert-manager?
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.
It can issue certificates from a variety of supported sources, including Let's Encrypt, HashiCorp Vault, and Venafi as well as private PKI. It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.
We are going to use Let's Encrypt for the SSL certificates.
Enable cert-manager
cert-manager comes as an addon for MicroK8s. Make sure the addon is enabled. To check whether it is enabled, look at the MicroK8s status.
```bash
microk8s status
```
The cert-manager addon should be listed in the enabled section.
If it is not listed in the enabled section, run the following command to enable it.
```bash
microk8s enable cert-manager
```
This will enable cert-manager in MicroK8s.
Add ClusterIssuer
The first thing you'll need to configure after you've enabled cert-manager is an Issuer or a ClusterIssuer. These are resources that represent certificate authorities (CAs) able to sign certificates in response to certificate signing requests.
Production Issuer
Let's create a production issuer which can be used to get the SSL certificate from Let's Encrypt.
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: lets-encrypt
spec:
  acme:
    email: username@yourdomain.com # Change the email here
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: lets-encrypt-prod
    solvers:
      - http01:
          ingress:
            class: public
```
Staging issuer
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: lets-encrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: username@yourdomain.com # Change the email here
    privateKeySecretRef:
      name: lets-encrypt-staging
    solvers:
      - http01:
          ingress:
            class: public
```
Setup nginx
What is Ingress
Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting. An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure your edge router or additional frontends to help handle the traffic.
We are going to use the NGINX Ingress Controller, which comes as an addon for MicroK8s.
Enable Ingress
The first step is to make sure the addon is enabled. To verify that, run the status command.
```bash
microk8s status
```
Make sure ingress is listed in the enabled section.
If it is not listed in the enabled section, run the following command to enable it.
```bash
microk8s enable ingress
```
This will enable ingress in MicroK8s.
Testing Ingress and cert-manager
Now we have ingress and cert-manager enabled. Let's test them by deploying a simple whoami application.
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  labels:
    app: traefiklabs
    name: whoami

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefiklabs
      task: whoami
  template:
    metadata:
      labels:
        app: traefiklabs
        task: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 80
          resources:
            requests:
              memory: "100Mi"
              cpu: "250m"
            limits:
              memory: "200Mi"
              cpu: "500m"

---
apiVersion: v1
kind: Service
metadata:
  name: whoami-service
spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: whoami
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: http-ingress-whoami
  annotations:
    cert-manager.io/cluster-issuer: "lets-encrypt"
    kubernetes.io/ingress.class: "public"
spec:
  tls:
    - hosts:
        - whoami.kdev.antosubash.com
      secretName: whoami-tls
  rules:
    - host: "whoami.kdev.antosubash.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami-service
                port:
                  number: 80
```
You can also find this file in the repo here
Deploy
We will use kubectl to deploy this application.
```bash
kubectl apply -f whoami.yaml
```
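The manifests above depend on three values agreeing: the cert-manager.io/cluster-issuer annotation must name an existing ClusterIssuer, the Ingress class must match the class in that issuer's http01 solver, and every rule host needs a tls entry. The check below is an added example, not code from the original post; it takes the manifests as already-parsed dicts constructed here from the page's YAML, and its function names are hypothetical. It assumes a single ingress controller, as on this page, so a class difference is reported as a finding.

```python
STAGING = "acme-staging-v02.api.letsencrypt.org"
ISSUER_ANN = "cert-manager.io/cluster-issuer"
CLASS_ANN = "kubernetes.io/ingress.class"
HOST = "whoami.kdev.antosubash.com"


def check_ingress(ingress, issuers):
    """Return a list of findings; an empty list means the manifests agree."""
    findings = []
    ann = ingress["metadata"].get("annotations", {})
    by_name = {i["metadata"]["name"]: i for i in issuers}
    issuer = by_name.get(ann.get(ISSUER_ANN))
    if issuer is None:
        findings.append(f"issuer {ann.get(ISSUER_ANN)!r} is not a defined ClusterIssuer")
    else:
        acme = issuer["spec"]["acme"]
        if STAGING in acme["server"]:
            findings.append("staging issuer: certificate will not be browser-trusted")
        # Assumption: one ingress controller, so both classes must be the same.
        classes = {s["http01"]["ingress"].get("class")
                   for s in acme["solvers"] if "http01" in s}
        if ann.get(CLASS_ANN) not in classes:
            findings.append(f"ingress class {ann.get(CLASS_ANN)!r} matches no http01 solver")
    tls_hosts = {h for t in ingress["spec"].get("tls", []) for h in t.get("hosts", [])}
    for rule in ingress["spec"].get("rules", []):
        if rule.get("host") not in tls_hosts:
            findings.append(f"host {rule.get('host')!r} has a rule but no tls entry")
    return findings


def make_issuer(name, server):
    """Constructed sample mirroring the page's ClusterIssuer YAML."""
    acme = {"server": f"https://{server}/directory",
            "solvers": [{"http01": {"ingress": {"class": "public"}}}]}
    return {"metadata": {"name": name}, "spec": {"acme": acme}}


def make_ingress(issuer_name, ingress_class, tls_host):
    """Constructed sample mirroring the Ingress in whoami.yaml."""
    ann = {ISSUER_ANN: issuer_name, CLASS_ANN: ingress_class}
    return {"metadata": {"annotations": ann},
            "spec": {"tls": [{"hosts": [tls_host]}], "rules": [{"host": HOST}]}}


ISSUERS = [make_issuer("lets-encrypt", "acme-v02.api.letsencrypt.org"),
           make_issuer("lets-encrypt-staging", STAGING)]

if __name__ == "__main__":
    print(check_ingress(make_ingress("lets-encrypt", "public", HOST), ISSUERS))
```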
Conclusion
In this post we enabled and configured two MicroK8s addons, cert-manager and ingress, and deployed a sample app to test them. In the next post we will see how to deploy a registry and a postgres database.
Part 3. Deploy docker registry and postgres database in MicroK8s