The goal of this step is to leverage Let's Encrypt to obtain the certificates used for TLS termination in the ingress controller.
The key component here is cert-manager, which automatically provisions TLS certificates in Kubernetes. Under the hood it does the work required to acquire certificates from Let's Encrypt over the ACME protocol. This example relies on HTTP-01 validation: Let's Encrypt proves you control the hostname by fetching a token from `/.well-known/acme-challenge/` over plain HTTP on port 80, and cert-manager serves that token through the NGINX ingress controller.
Let's Encrypt has a production and a staging environment. Staging issues certificates from a test CA that browsers do not trust, but has generous rate limits. Production issues publicly trusted certificates, but enforces strict rate limits (for example on the number of certificates per registered domain per week). For testing purposes use the staging environment; otherwise the rate limits might be reached, preventing the creation of new certificates until the limit window expires.
- You have an AKS cluster deployed
- You have kubectl installed on your machine
- kubectl has access to the AKS cluster
- You have Helm installed and initialized on the AKS cluster
- The Azure CLI is installed
- The NGINX ingress controller is installed on AKS
- This repository is cloned/forked (or you will type the YAML files)
1. Using helm, install cert-manager. The two `ingressShim` values make a ClusterIssuer named `letsencrypt` the default issuer, which is what later allows the `kubernetes.io/tls-acme: 'true'` annotation on an Ingress to trigger certificate creation without naming an issuer on the Ingress itself:

```sh
helm install stable/cert-manager --name cm --set ingressShim.defaultIssuerName=letsencrypt --set ingressShim.defaultIssuerKind=ClusterIssuer
```

   The `--name` flag and the `stable/cert-manager` chart belong to the Helm v2 era, and the `certmanager.k8s.io/v1alpha1` API used in the manifests below matches the cert-manager 0.x releases that chart installs. Current cert-manager releases use the `cert-manager.io/v1` API and the `jetstack/cert-manager` chart, and Kubernetes 1.22+ no longer serves `extensions/v1beta1` Ingress objects, so the manifests need adjusting on a recent cluster.
2. Create a ClusterIssuer that represents your Let's Encrypt (ACME) account. A ClusterIssuer is cluster-scoped, so Certificates in any namespace can reference it. The secret named by `privateKeySecretRef` is created by cert-manager and holds the ACME account private key; that key is what identifies you to Let's Encrypt, so protect it like any other private key. Staging is selected by default here; comment/uncomment the `server` lines to switch (keeping two issuers, e.g. `letsencrypt-staging` and `letsencrypt-prod`, avoids editing the issuer every time):

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    #server: https://acme-v02.api.letsencrypt.org/directory # production
    server: https://acme-staging-v02.api.letsencrypt.org/directory # staging
    email: <your-email>
    privateKeySecretRef:
      name: letsencrypt   # secret that will hold the ACME account private key
    http01: {}
```
3. Create a Certificate for the host. The `acme.config` section tells cert-manager to solve the HTTP-01 challenge for the listed domains through the `nginx` ingress class; the issued certificate and its private key are written to the `kubernetes.io/tls` secret named by `secretName`. The DNS record for `hello-world.<your-domain>` must already point at the public IP of the NGINX ingress controller, otherwise Let's Encrypt cannot reach the challenge and validation fails:

```yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: hello-world
spec:
  secretName: hello-world   # kubernetes.io/tls secret the Ingress will reference
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
  - hello-world.<your-domain>
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - hello-world.<your-domain>
```
4. Create the Ingress route. `kubernetes.io/tls-acme: 'true'` is the annotation cert-manager's ingress-shim watches for, and `tls.secretName` must match the `secretName` of the Certificate above, because that is the secret NGINX loads the certificate from. The `tls.hosts` and `rules.host` entries must be the same hostname as the Certificate's `dnsNames`, otherwise NGINX cannot match the certificate to the request:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'false'
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: 'true'
spec:
  tls:
  - hosts:
    - hello-world.<your-domain>
    secretName: hello-world
  rules:
  - host: hello-world.<your-domain>
    http:
      paths:
      - path: /
        backend:
          serviceName: aks-helloworld
          servicePort: 80
```

   `ssl-redirect: 'false'` keeps the host reachable over plain HTTP while no valid certificate exists yet. Once the certificate has been issued, set it to `'true'` (or remove the annotation, since redirecting to HTTPS is the NGINX ingress default whenever TLS is configured) so that clients are redirected to HTTPS instead of being served in clear text.
Check the certificate status with `kubectl describe`. The events show the ACME order being created, the HTTP-01 validation succeeding and the certificate being issued:

```
kubectl describe certificates hello-world
...
Events:
  Type    Reason          Age   From          Message
  ----    ------          ----  ----          -------
  Normal  CreateOrder     39s   cert-manager  Created new ACME order, attempting validation...
  Normal  DomainVerified  4s    cert-manager  Domain "hello-world.<your-domain>" verified with "http-01" validation
  Normal  IssueCert       3s    cert-manager  Issuing certificate...
  Normal  CertObtained    0s    cert-manager  Obtained certificate from ACME server
  Normal  CertIssued      0s    cert-manager  Certificate issued successfully
```
Once the certificate has been issued successfully (it can take a few minutes) you can move to the next step and test the ingress route.
Browse to `https://hello-world.<your-domain>` and verify that the AKS Hello World app is displayed.
If you are using the staging environment, the certificate chains to Let's Encrypt's untrusted test CA, so the browser will warn and you will have to accept the certificate. Look at the issuer before accepting: a production certificate is issued by Let's Encrypt, a staging certificate by an issuer marked "(STAGING)" (older staging issuers were named "Fake LE ..."), and an issuer of "Kubernetes Ingress Controller Fake Certificate" means NGINX is still serving its built-in default certificate because the secret was not found or the hostname did not match the Ingress.
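The browser check above is manual and easy to get wrong with a staging certificate. The following script is an added example for this tutorial, not code from the original page or from cert-manager: it decodes the certificate cert-manager stored in the TLS secret, fetches the certificate the NGINX ingress actually serves for the host, fails if they differ (the symptom of the "Fake Certificate" case), and classifies the issuer as staging, production or the ingress default. It assumes `kubectl` and `openssl` (1.1.1 or newer, for `-ext`) on `PATH`, the secret name from the manifests above, and a `HOST` value you replace with `hello-world.<your-domain>`; the `hello-world.example.com` default is a placeholder.

```sh
#!/usr/bin/env sh
# Added example (not part of the original tutorial or of cert-manager):
# compare the certificate cert-manager stored in the TLS secret with the one
# the NGINX ingress serves, and tell staging / production / default apart.
set -eu

SECRET="${SECRET:-hello-world}"            # tls secret named in the Certificate
HOST="${HOST:-hello-world.example.com}"    # assumption: replace with hello-world.<your-domain>

# Decode tls.crt from a kubernetes.io/tls secret. cert-manager writes the leaf
# certificate first, followed by the chain, so `openssl x509` reads the leaf.
cert_from_secret() {
    kubectl get secret "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Fetch the leaf certificate the ingress presents for a host. SNI (-servername)
# matters: without it NGINX answers with its default self-signed certificate.
cert_from_ingress() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Summarise a PEM certificate read from stdin: issuer, subject, expiry and the
# names it covers (Let's Encrypt leaf certificates are valid for 90 days).
describe_cert() {
    openssl x509 -noout -issuer -subject -enddate -ext subjectAltName
}

# Classify an `openssl x509 -noout -issuer` line. Staging patterns are tested
# first because the staging issuer also contains the string "Let's Encrypt".
classify_issuer() {
    case "$1" in
        *"Fake LE"*|*"(STAGING)"*)                          echo staging ;;
        *"Kubernetes Ingress Controller Fake Certificate"*) echo ingress-default ;;
        *"Let's Encrypt"*)                                  echo production ;;
        *)                                                  echo unknown ;;
    esac
}

# Live check: print both certificates, fail if the ingress is not serving the
# certificate from the secret, and exit non-zero unless production issued it.
check() {
    stored=$(cert_from_secret "$SECRET")
    served=$(cert_from_ingress "$HOST")

    echo "== certificate in secret $SECRET =="
    printf '%s\n' "$stored" | describe_cert
    echo "== certificate served for $HOST =="
    printf '%s\n' "$served" | describe_cert

    stored_fp=$(printf '%s\n' "$stored" | openssl x509 -noout -fingerprint -sha256)
    served_fp=$(printf '%s\n' "$served" | openssl x509 -noout -fingerprint -sha256)
    if [ "$stored_fp" != "$served_fp" ]; then
        echo "MISMATCH: $HOST is not served with the certificate from secret $SECRET" >&2
        return 1
    fi

    environment=$(classify_issuer "$(printf '%s\n' "$served" | openssl x509 -noout -issuer)")
    echo "issuer environment: $environment"
    [ "$environment" = production ]
}

# Only talk to the cluster when invoked as `sh verify-cert.sh run`.
if [ "${1:-}" = run ]; then
    check
fi
```

Run it as `HOST=hello-world.<your-domain> sh verify-cert.sh run`. A non-zero exit with `MISMATCH` means the Ingress and the Certificate disagree on `secretName` or on the hostname; a `staging` result is expected while you test against the staging server and becomes a finding once you have switched the ClusterIssuer to production.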
HTTP-01 validation cannot issue wildcard certificates, so every hostname (hello-world1.<your-domain>, hello-world2.<your-domain>, etc.) has to be listed explicitly and validated individually. In the next step we will see how we can use cert-manager to handle wildcard certificates with Azure DNS, using DNS-01 validation.
To clean up, delete the resources in reverse order. cert-manager does not remove the secrets by itself: `letsencrypt` holds the ACME account private key and `hello-world` holds the issued certificate and its private key, so delete both explicitly.

```sh
$ kubectl delete ingress hello-world
ingress.extensions "hello-world" deleted
$ kubectl delete certificates hello-world
certificate.certmanager.k8s.io "hello-world" deleted
$ kubectl delete ClusterIssuer letsencrypt
clusterissuer.certmanager.k8s.io "letsencrypt" deleted
$ kubectl delete secrets letsencrypt hello-world
secret "letsencrypt" deleted
secret "hello-world" deleted
```