
Configure Nginx Ingress Kubernetes with TLS


Secure the services in your Kubernetes cluster with the nginx ingress controller, TLS and Let's Encrypt.

Note : Make sure you have installed Helm on your machine.
  • Role : Create a role binding so that Helm (Tiller) can access the cluster.
$ kubectl create clusterrolebinding tiller-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
$ helm init
  • Installation : Install the nginx ingress controller using Helm.
$ helm install stable/nginx-ingress --namespace kube-system
  • Deploy : Deploy a sample app. We will deploy an nginx web server in our cluster and access it through the nginx ingress; you can deploy whatever app you want.
$ helm install stable/nginx --name nginx-app
  • Expose : Expose it as a ClusterIP Service. Expose the deployed nginx app on a cluster IP so that the ingress can reach it; the Service name must match the serviceName referenced in the ingress below.
$ kubectl expose deployment nginx-app --type=ClusterIP
  • Ingress : Create an Ingress object to reach the app.

Now we will create the nginx Ingress resource for our app:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp
  annotations:
    kubernetes.io/ingress.class: nginx
    # Add to generate certificates for this ingress
spec:
  rules:
    - host: imvishalvyas.ml
      http:
        paths:
          - backend:
              serviceName: myapp
              servicePort: 80
            path: /

Save the file and apply the ingress.
$ kubectl apply -f basic-ingress.yaml
After a few moments you can reach your deployment through the ingress controller's external IP. Find that external IP with the command below (the Service name contains the release name Helm generated; here it was funky-labradoodle):
$ kubectl --namespace kube-system get services -o wide -w funky-labradoodle-nginx-ingress-controller
  • Configure TLS with Let's Encrypt and kube-lego. Our app is now reachable over HTTP, but we want it secured, so we will configure TLS for it. kube-lego obtains a Let's Encrypt certificate for the app; Let's Encrypt is a free TLS certificate authority. Run the command below to install and configure the kube-lego chart using Helm, and make sure you replace the email address with your own.
helm install stable/kube-lego --namespace kube-system --set config.LEGO_EMAIL=YOUR_EMAIL_ID,config.LEGO_URL=https://acme-v01.api.letsencrypt.org/directory

Now we add the TLS settings to our ingress file with our domain name and apply it:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp
  annotations:
    kubernetes.io/ingress.class: nginx
    # Add to generate certificates for this ingress
    kubernetes.io/tls-acme: 'true'
spec:
  rules:
    - host: imvishalvyas.ml
      http:
        paths:
          - backend:
              serviceName: myapp
              servicePort: 80
            path: /
  tls:
    # With this configuration kube-lego requests a certificate for imvishalvyas.ml
    # and stores it in a Secret named `kube-lego-ssl` in this Ingress's namespace
    - hosts:
        - "imvishalvyas.ml"
      secretName: kube-lego-ssl

Save the ingress file and apply the changes.
$ kubectl apply -f tls-ingress.yaml
Now you can reach your website at your domain name over HTTPS.
$ curl https://mywebsite.com

Optional

Manually configure TLS.

$ kubectl create secret tls yourwebsite-ssl-secret --key /path/tls.key --cert /path/tls.crt
This command creates a Secret named 'yourwebsite-ssl-secret' holding the key and certificate. Now reference that Secret in the ingress file as shown below:
  tls:
    # Reference the Secret created above with `kubectl create secret tls`;
    # the kube-lego annotation is not needed when the certificate is supplied by hand
    - hosts:
        - "vishalvyas.com"
      secretName: yourwebsite-ssl-secret

Configure Multiple Domain Nginx Ingress Kubernetes

We can configure and manage multiple domains in a single Kubernetes cluster using the nginx ingress; you only need to update the 'spec' of your ingress file as shown below. We can also use path-based routing in an ingress: in the first host, abc.com, I have used multi-path routing, so it can be reached at abc.com and also abc.com/.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp
  annotations:
    kubernetes.io/ingress.class: nginx
    # Add to generate certificates for this ingress
    kubernetes.io/tls-acme: 'true'
spec:
  rules:
    - host: imvishalvyas.ml
      http:
        paths:
          - backend:
              serviceName: myapp
              servicePort: 80
            path: /
    - host: linuxguru.com
      http:
        paths:
          - backend:
              serviceName: apache
              servicePort: 80
            path: /
  tls:
    # kube-lego requests one certificate per entry below and stores each one
    # in the named Secret in this Ingress's namespace
    - hosts:
        - "imvishalvyas.ml"
      secretName: imvishalvyas-tls
    - hosts:
        - "linuxguru.com"
      secretName: linuxguru-tls
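As an added example (not from the original post), a small pre-apply lint in Python for the TLS and multi-domain Ingress manifests above: it checks that every TLS host has a routing rule, that every routed host has a TLS entry (otherwise it is served over plain HTTP), that Secret names are not reused, and that the kube-lego annotation is set. MANIFEST is a constructed copy of the multi-domain ingress above; loading a real file with PyYAML's yaml.safe_load is assumed to be how you would feed it, but PyYAML is not required to run this.

```python
# Added example, not from the original post: a pre-apply lint for the Ingress
# manifests above. MANIFEST is a constructed dict mirroring the multi-domain
# Ingress (for a real file use yaml.safe_load, which is not assumed here).

def check_ingress(manifest):
    """Return a list of problems; empty means hosts, rules and TLS entries agree."""
    problems = []
    ann = manifest.get("metadata", {}).get("annotations", {})
    spec = manifest.get("spec", {})
    rule_hosts = set()
    for i, rule in enumerate(spec.get("rules", [])):
        host = rule.get("host")
        if not host:
            problems.append(f"rules[{i}]: missing host")
            continue
        rule_hosts.add(host)
        # A rule whose http block was mis-indented or dropped routes nothing for that host.
        if not rule.get("http", {}).get("paths"):
            problems.append(f"rules[{i}] ({host}): no http.paths, check indentation")
    tls_hosts, secrets = set(), set()
    for i, entry in enumerate(spec.get("tls", [])):
        name = entry.get("secretName")
        if not name:
            problems.append(f"tls[{i}]: missing secretName")
        elif name in secrets:
            problems.append(f"tls[{i}]: secretName {name!r} reused by two entries")
        secrets.add(name)
        for h in entry.get("hosts", []):
            tls_hosts.add(h)
            if h not in rule_hosts:
                problems.append(f"tls[{i}]: host {h!r} has no matching rule")
    # A routed host missing from spec.tls is served over plain HTTP only.
    for h in sorted(rule_hosts - tls_hosts):
        problems.append(f"host {h!r} is routed but not in spec.tls (HTTP only)")
    if spec.get("tls") and ann.get("kubernetes.io/tls-acme") != "true":
        problems.append("kubernetes.io/tls-acme is not 'true': secrets must be created by hand")
    return problems

# Constructed copy of the multi-domain Ingress from this post.
MANIFEST = {
    "apiVersion": "extensions/v1beta1", "kind": "Ingress",
    "metadata": {"name": "myapp", "annotations": {
        "kubernetes.io/ingress.class": "nginx", "kubernetes.io/tls-acme": "true"}},
    "spec": {"rules": [
        {"host": "imvishalvyas.ml", "http": {"paths": [
            {"path": "/", "backend": {"serviceName": "myapp", "servicePort": 80}}]}},
        {"host": "linuxguru.com", "http": {"paths": [
            {"path": "/", "backend": {"serviceName": "apache", "servicePort": 80}}]}}],
        "tls": [{"hosts": ["imvishalvyas.ml"], "secretName": "imvishalvyas-tls"},
                {"hosts": ["linuxguru.com"], "secretName": "linuxguru-tls"}]}}
```

Run check_ingress on the parsed manifest before kubectl apply; an empty list means the TLS entries and routing rules line up.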
  • How to assign a static IP to the nginx ingress.
Use the command below when installing the nginx ingress controller; pass your static IP in the command and it will be allocated to the ingress controller's load balancer.
$ helm install stable/nginx-ingress --namespace kube-system --set controller.service.loadBalancerIP=myip --set rbac.create=true
Note: the ingress controller and the static IP must be in the same region.
