Configure Nginx Ingress Kubernetes with TLS

Secure your Kubernetes cluster with the Nginx ingress controller, TLS and Let's Encrypt.




  • Role : Create a cluster role binding so that Helm can access the cluster. This binds cluster-admin to the default service account in kube-system.
$ kubectl create clusterrolebinding tiller-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default


  • Nginx : Initialize Helm, then install the Nginx ingress controller using Helm.
$ helm init
$ helm install stable/nginx-ingress --namespace kube-system


  • Deploy : Deploy a sample app.
$ helm install stable/nginx --name nginx-ingress


  • Expose : Expose it on a cluster IP.
$ kubectl expose deployment nginx-ingress --type=ClusterIP


  • Ingress : Create an Ingress object to access the app.


apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mysite
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host:
    http:
      paths:
      - path: /
        backend:
          serviceName: mysite
          servicePort: 80

Save the file and apply the ingress.

$ kubectl apply -f basic-ingress.yaml


After a few moments you can access your site {deployment} through the external IP of the Nginx ingress controller. You can find that external IP with the command below.

$ kubectl --namespace kube-system get services -o wide -w funky-labradoodle-nginx-ingress-controller




  • Configure TLS with Let's Encrypt and Kube-Lego.
Run the command below to install and configure the Kube-Lego chart using Helm, and make sure that you replace YOUR_EMAIL with your email address.

$ helm install stable/kube-lego --namespace kube-system --set config.LEGO_EMAIL=YOUR_EMAIL,config.LEGO_URL=https://acme-v01.api.letsencrypt.org/directory


Now we have to configure TLS settings in our ingress file with our domain name and apply it.






apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: mysite
  annotations:
    kubernetes.io/ingress.class: nginx
    # Add to generate certificates for this ingress
    kubernetes.io/tls-acme: 'true'
spec:
  rules:
    - host: vishalvyas.com
      http:
        paths:
          - backend:
              serviceName: mysite
              servicePort: 80
            path: /
  tls:
    # With this configuration kube-lego will generate a secret called `mysite-tls`
    # in this ingress's namespace for the host `vishalvyas.com`
    - hosts:
        - "vishalvyas.com"
      secretName: mysite-tls

Save the ingress file and apply the new changes.

$ kubectl apply -f tls-ingress.yaml


Now you can access your website using your domain name and with SSL.


  • Manually configure TLS.
$ kubectl create secret tls yourwebsite-ssl-secret --key /path/tls.key --cert /path/tls.crt

This command creates a TLS secret named 'yourwebsite-ssl-secret' from the certificate and key. Now we have to reference it in the ingress file like below.





  tls:
    # Reference the secret created manually above; its certificate
    # must be valid for the host listed here
    - hosts:
        - "vishalvyas.com"
      secretName: yourwebsite-ssl-secret


  • Configure Multiple Domain Nginx Ingress Kubernetes
We can configure and manage multiple domains in a single Kubernetes cluster using the Nginx ingress. You just need to update the 'spec' of your ingress file like below. We can also use path-based routing in the ingress: the first host, abc.com, uses multipath routing, so we can access it from abc.com and also abc.com/



spec:
  rules:
  - host: vishalvyas.com
    http:
      paths:
      - backend:
          serviceName: mysite
          servicePort: 8080
        path: /
      - backend:
          serviceName: mysite-pathbase
          servicePort: 3000
        path: /mypath
  - host: vishalvyas.net
    http:
      paths:
      - backend:
          serviceName: mynet
          servicePort: 80
        path: /
  tls:
  - hosts:
    - vishalvyas.com
    secretName: mytls-tls
  - hosts:
    - vishalvyas.net
    secretName: mytls1-tls
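
With several hosts in one ingress it is easy to add a rule and forget its tls entry. The following check is an added example, not part of the original post: it reads an ingress in the JSON form printed by `kubectl get ingress mysite -o json` and reports every rule host that no tls entry with a secretName covers. The sample manifest is constructed from the spec above, and the function names are hypothetical.

```python
import json

# Constructed sample: the multi-domain spec from this page in the JSON form that
# `kubectl get ingress mysite -o json` prints, with the vishalvyas.net tls entry
# left out on purpose to show the failure case.
SAMPLE = json.loads("""
{"kind": "Ingress", "metadata": {"name": "mysite"}, "spec": {
  "rules": [
    {"host": "vishalvyas.com", "http": {"paths": [
      {"path": "/", "backend": {"serviceName": "mysite", "servicePort": 8080}},
      {"path": "/mypath", "backend": {"serviceName": "mysite-pathbase", "servicePort": 3000}}]}},
    {"host": "vishalvyas.net", "http": {"paths": [
      {"path": "/", "backend": {"serviceName": "mynet", "servicePort": 80}}]}}],
  "tls": [{"hosts": ["vishalvyas.com"], "secretName": "mytls-tls"}]}}
""")


def host_covered(host, tls_hosts):
    """True if host is listed exactly or matches a single-label wildcard entry."""
    for pattern in tls_hosts:
        if pattern.lower() == host.lower():
            return True
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1].lower() == pattern[2:].lower():
                return True
    return False


def audit_ingress(ingress):
    """Return one finding per rule or tls entry that leaves a host without a certificate."""
    spec = ingress.get("spec", {})
    findings, tls_hosts = [], []
    for entry in spec.get("tls") or []:
        if entry.get("secretName"):
            tls_hosts.extend(entry.get("hosts") or [])
        else:
            findings.append("tls entry for %s has no secretName" % (entry.get("hosts") or []))
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if not host:
            findings.append("rule has no host set")
        elif not host_covered(host, tls_hosts):
            findings.append("%s: no tls entry covers this host" % host)
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE):
        print(finding)
```

On the constructed sample it reports vishalvyas.net; adding the second tls entry shown in the spec above clears the finding.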



How to assign a static IP to the Nginx ingress.


Use the command below when installing the Nginx ingress controller. Replace myip with your static IP, and it will be allocated to the ingress controller's service.

$ helm install stable/nginx-ingress --namespace kube-system --set controller.service.loadBalancerIP=myip --set rbac.create=true

Note : The ingress controller and the static IP should be in the same region.
