Azure Kubernetes Service (AKS)

AKS Cluster Settings for Testing vs. Production

When creating the AKS cluster, the following settings are a reasonable split between a throwaway test cluster and a production one:

Setting                        Testing        Production
-----------------------------  -------------  -------------------------
Node size                      B2 series      D series with 8+ GB of RAM
Node count                     1 or 2         3+
VM scale sets                  Disabled       Enabled
Enable container monitoring    No             Yes

Installing Helm, nginx-ingress, and cert-manager

Installing Helm

These instructions are based on Helm version 3.0.2. See the Helm documentation for more information.

Install Helm on your local machine (macOS, using Homebrew):

$ brew install helm

Verify current version.

$ helm version
version.BuildInfo{Version:"v3.0.2", GitCommit:"19e47ee3283ae98139d98460de796c1be1e3975f", GitTreeState:"clean", GoVersion:"go1.13.5"}

Add the official Helm stable charts repository. (Caveat: the stable repository was deprecated in November 2020 and this URL no longer serves charts; the nginx-ingress chart is now published as ingress-nginx from https://kubernetes.github.io/ingress-nginx, and the remaining steps apply unchanged apart from the chart name.)

$ helm repo add stable https://kubernetes-charts.storage.googleapis.com/
"stable" has been added to your repositories

Update repo to get the latest list of charts

$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

Installing nginx-ingress

Install nginx-ingress with two controller replicas. The original installs into kube-system; a dedicated namespace (for example ingress-nginx) is preferable, so that the controller's RBAC, network policies and resource quotas stay separate from core cluster components. `--generate-name` derives the release name from a timestamp, which is why every resource below carries the `-1576935072` suffix.

$ helm install stable/nginx-ingress --namespace kube-system --set controller.replicaCount=2 --generate-name
NAME: nginx-ingress-1576935072
LAST DEPLOYED: Sat Dec 21 20:31:17 2019
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The nginx-ingress controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace kube-system get services -o wide -w nginx-ingress-1576935072-controller'

An example Ingress that makes use of the controller:

  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    name: example
    namespace: foo
  spec:
    rules:
      - host: www.example.com
        http:
          paths:
            - backend:
                serviceName: exampleService
                servicePort: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
        - hosts:
            - www.example.com
          secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

Get the LoadBalancer public IP (wait until EXTERNAL-IP shows up). Any DNS name you later request a certificate for must resolve to this address, because the HTTP01 challenge is answered through this controller on port 80.

$ kubectl get service -l app=nginx-ingress --namespace kube-system
NAME                                       TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
nginx-ingress-1576935072-controller        LoadBalancer   10.0.211.130   20.43.176.132   80:31434/TCP,443:30957/TCP   2m43s
nginx-ingress-1576935072-default-backend   ClusterIP      10.0.41.247    <none>          80/TCP                       2m43s
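The command above sets only `controller.replicaCount`. As an added example (not from the original page), the following values file for the stable/nginx-ingress chart expresses the same setting together with a few hardening options a practitioner would normally want on a public ingress. The key names are the chart's own as of chart 1.27.0; the TLS protocol list assumes the controller image's nginx/OpenSSL build supports TLS 1.3, which nginx-ingress 0.26.x does.

```yaml
# nginx-ingress-values.yaml  (added example, not part of the original page)
# Values for the stable/nginx-ingress chart, version 1.27.0.
controller:
  # Same effect as --set controller.replicaCount=2 on the command line.
  replicaCount: 2
  # Write the LoadBalancer IP into the ADDRESS field of every Ingress it serves.
  publishService:
    enabled: true
  service:
    # Preserve the client's source IP at the controller instead of seeing the
    # Azure load balancer's SNAT address; access logs and IP allowlists then
    # see the real peer. Traffic is only routed to nodes running a controller
    # pod, which the load balancer's health checks take care of.
    externalTrafficPolicy: Local
  metrics:
    # Expose Prometheus metrics (pairs with "Enable container monitoring: Yes").
    enabled: true
  # Entries under config land in the controller's ConfigMap and become nginx settings.
  config:
    # Remove the nginx version from the Server header and error pages.
    server-tokens: "false"
    # Refuse TLS 1.0 and 1.1 handshakes (assumes TLS 1.3 support in the image).
    ssl-protocols: "TLSv1.2 TLSv1.3"
    # Send Strict-Transport-Security on TLS responses. The chart default is
    # already true; stating it explicitly protects against a later default change.
    hsts: "true"
    # Do not trust X-Forwarded-* headers supplied by clients: the Azure load
    # balancer is layer 4 and does not set them, so any that arrive are
    # attacker-controlled.
    use-forwarded-headers: "false"
```

Install with `helm install nginx-ingress stable/nginx-ingress --namespace kube-system -f nginx-ingress-values.yaml`. To check that the protocol restriction took effect, run `openssl s_client -connect <EXTERNAL-IP>:443 -tls1_1` from outside the cluster; the handshake should fail, while `-tls1_2` succeeds.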

Installing cert-manager

These instructions are based on cert-manager version 0.12. See the cert-manager documentation for more information.

Install the custom resource definitions (CRDs). The cert-manager 0.12 documentation calls for `--validate=false` on Kubernetes 1.15 and older, whose API server cannot validate these large CRD manifests; on newer clusters the flag can be dropped.

$ kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created

Create the namespace.

$ kubectl create namespace cert-manager
namespace/cert-manager created

Add the Jetstack Helm repository.

$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories

Update the local chart repository cache.

$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

Install cert-manager.

$ helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.12.0
NAME: cert-manager
LAST DEPLOYED: Sat Dec 21 20:51:53 2019
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://docs.cert-manager.io/en/latest/reference/issuers.html

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://docs.cert-manager.io/en/latest/reference/ingress-shim.html

Verify all pods are up and running.

$ kubectl get pod --namespace=cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-5fd56d487b-xc6xf              1/1     Running   0          3m
cert-manager-cainjector-6bdbb96457-zgr6c   1/1     Running   0          3m
cert-manager-webhook-6f78788cd-x8pqd       1/1     Running   0          3m

Configuring ACME as ClusterIssuer

See the cert-manager ACME documentation for more information.

Create a file named cluster-issuer.yaml with the content below. It configures ACME (Let's Encrypt) as a ClusterIssuer using the HTTP01 challenge solver, which answers challenges through Ingress resources of class nginx, so the controller installed above must be reachable on port 80 at the hostnames you request. The server URL is Let's Encrypt's production endpoint, which enforces rate limits (among them a cap on duplicate certificates per week); test the setup against the staging endpoint first and switch to production once an issuance succeeds. The cert-manager.io/v1alpha2 API is the one cert-manager 0.12 serves; cert-manager 1.0 and later use cert-manager.io/v1 with the same fields.

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your.email@domain.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

Apply the configuration.

$ kubectl apply -f cluster-issuer.yaml
clusterissuer.cert-manager.io/letsencrypt-prod created

Verify ClusterIssuer is ready (READY = True).

$ kubectl get clusterissuer,issuer,certificates --all-namespaces
NAME                                             READY   AGE
clusterissuer.cert-manager.io/letsencrypt-prod   True    20s
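The chart NOTES above point at ingress-shim, which lets an annotated Ingress drive certificate issuance without a hand-written Certificate resource. As an added example (not from the original page), the manifest below pairs a staging ClusterIssuer, for working out DNS and solver problems without consuming production rate limits, with an Ingress that requests a certificate through it. The hostname app.example.com, the Service my-app on port 80, the namespace default and the Secret name my-app-tls are placeholders; the Ingress uses the networking.k8s.io/v1beta1 API served by Kubernetes 1.14 to 1.21 (on 1.19 and later, networking.k8s.io/v1 with its service.name/service.port.number backend schema replaces it).

```yaml
# Added example: staging issuer plus an Ingress wired to cert-manager via ingress-shim.
# Placeholders (not from the original page): your.email@domain.com, app.example.com,
# the Service "my-app" on port 80, the namespace "default", the Secret "my-app-tls".
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging endpoint: certificates chain to an untrusted test CA, but the
    # rate limits are far higher than production's, so iterate here first.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: your.email@domain.com
    privateKeySecretRef:
      # Keep the staging ACME account key separate from the production one.
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-app
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    # ingress-shim reads this annotation and creates a Certificate resource for
    # every host listed under spec.tls. Change the value to letsencrypt-prod
    # once the staging certificate has been issued.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
  - hosts:
    - app.example.com
    # cert-manager stores the issued certificate and private key in this Secret,
    # and nginx-ingress serves it for the matching host.
    secretName: my-app-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: my-app
          servicePort: 80
```

After `kubectl apply -f` on this file, `kubectl get certificate,order,challenge -n default` shows the issuance moving through Order and Challenge; `kubectl describe certificate my-app-tls -n default` explains any failure. The HTTP01 check only passes when app.example.com resolves to the controller's EXTERNAL-IP. Because the issuer is a ClusterIssuer, Ingresses in any namespace can reference it, which is convenient but also means every namespace that can create an Ingress can request certificates under the same ACME account; use a namespaced Issuer where that matters.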

Listing All Installed Releases

$ helm list --all-namespaces
NAME                      NAMESPACE     REVISION  UPDATED                               STATUS    CHART                 APP VERSION
cert-manager              cert-manager  1         2019-12-21 20:51:53.731413 +0700 +07  deployed  cert-manager-v0.12.0  v0.12.0
nginx-ingress-1576935072  kube-system   1         2019-12-21 20:31:17.718229 +0700 +07  deployed  nginx-ingress-1.27.0  0.26.1