Use Case:
Applications need to be accessible from the public internet. A number of applications have been deployed in Kubernetes, and each application service has a specific hostname identified by a domain. So we need an ingress gateway to route each domain to its particular service. In this case we are using Nginx-Ingress.
The connection between user and server must also be secure, so we need to enable TLS in order to serve HTTPS. In this case, we decided to use Cert-Manager as the certificate issuer.
Nginx-Ingress Deployment
Referring to this documentation, you can simply apply this manifest to deploy Ingress-Nginx.
Check that all pods are running and create a test ingress to ensure Nginx-Ingress is working properly.
Cert-Manager Deployment
Please note that cert-manager requires you to register your domain first for verification, so that the issued certificate will be valid.
Check this reference for more details.
Cert-Manager can be deployed by applying this manifest.
Check whether cert-manager is already running.
The result will be as shown below.
Create Cluster Issuer
A ClusterIssuer is an issuer that can be used by all namespaces in the cluster. Below is the manifest to create a ClusterIssuer.
Apply the manifest.
You can also create a namespaced Issuer instead of a ClusterIssuer if needed.
Utilize Cluster Issuer
Basically, we need to reference the issuer in the ingress manifest so that the ingress can request a valid certificate from Cert-Manager.
Here is an example ingress:
Please notice there are two main sections:
- annotations inside metadata
- tls inside spec
Here is the template of nginx-ingress with TLS enabled. You can change the values inside brackets []:
Please ensure you have created the respective domain records in Route53 before running this step.
Explanation:
- metadata.name = name of the ingress, using your service name with an ingress prefix
- metadata.namespace = namespace where the service resides
- metadata.annotations = you can still add more annotations, but the annotations defined in this template are mandatory.
- spec.tls.hosts[] = the domain names that will be used for the certificate request
- rules = routing configuration
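As an added check (not part of the original post), the script below encodes a sample TLS-enabled ingress in the shape described above and verifies the points that commonly break certificate issuance: the cert-manager issuer annotation is present, every tls entry names a secret, and the hosts in spec.tls match the hosts in spec.rules. The ingress name, namespace, issuer name and domain are constructed placeholders.

```python
# Constructed sample Ingress wired to a cert-manager ClusterIssuer.
# ingress-myapp, letsencrypt-prod and myapp.example.com are placeholders.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "ingress-myapp",
        "namespace": "myapp",
        "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-prod"},
    },
    "spec": {
        "ingressClassName": "nginx",
        # tls: the hosts cert-manager will request a certificate for,
        # stored in the named Secret that nginx-ingress then serves.
        "tls": [{"hosts": ["myapp.example.com"], "secretName": "myapp-tls"}],
        # rules: routing from the domain to the backend Service.
        "rules": [{"host": "myapp.example.com", "http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": "myapp", "port": {"number": 80}}}}]}}],
    },
}

# Either annotation tells cert-manager which issuer to use for this ingress.
ISSUER_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")


def check_ingress_tls(ingress):
    """Return a list of problems; an empty list means the manifest is consistent."""
    problems = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    if not any(key in annotations for key in ISSUER_ANNOTATIONS):
        problems.append("missing cert-manager issuer annotation")
    spec = ingress.get("spec", {})
    tls_hosts = set()
    for i, entry in enumerate(spec.get("tls") or []):
        if not entry.get("secretName"):
            problems.append(f"tls[{i}] has no secretName")
        tls_hosts.update(entry.get("hosts") or [])
    rule_hosts = {r["host"] for r in (spec.get("rules") or []) if r.get("host")}
    # A routed host without a tls entry is served over plain HTTP only.
    for host in sorted(rule_hosts - tls_hosts):
        problems.append(f"rule host {host} is not covered by spec.tls")
    # A tls host with no rule gets a certificate but no route.
    for host in sorted(tls_hosts - rule_hosts):
        problems.append(f"tls host {host} has no routing rule")
    return problems


if __name__ == "__main__":
    print(check_ingress_tls(SAMPLE_INGRESS) or "ingress manifest is consistent")
```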