Installing Helm, nginx-ingress, and cert-manager

Installing Helm

These instructions are based on Helm v3.1.2.

Visit the Helm Installation Guide to install Helm on your local machine.

Verify the current version.

helm version
version.BuildInfo{Version:"v3.1.2", GitCommit:"d878d4d45863e42fd5cff6743294a11d28a9abce", GitTreeState:"clean", GoVersion:"go1.13.8"}

Add the official Helm stable repository.

helm repo add stable https://kubernetes-charts.storage.googleapis.com/
"stable" has been added to your repositories

Verify the repository.

helm repo list
NAME    URL
stable  https://kubernetes-charts.storage.googleapis.com/

Update the repository to get the latest list of charts.

helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

Installing nginx-ingress

Install nginx-ingress.

helm install stable/nginx-ingress --namespace kube-system --set controller.replicaCount=2 --generate-name
NAME: nginx-ingress-1576935072
LAST DEPLOYED: Sat Dec 21 20:31:17 2019
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The nginx-ingress controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace kube-system get services -o wide -w nginx-ingress-1576935072-controller'

An example Ingress that makes use of the controller:

  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    name: example
    namespace: foo
  spec:
    rules:
      - host: www.example.com
        http:
          paths:
            - backend:
                serviceName: exampleService
                servicePort: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
        - hosts:
            - www.example.com
          secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

Wait until EXTERNAL-IP changes from <Pending>, then read the LoadBalancer public IP address from it.

kubectl get service -l app=nginx-ingress --namespace kube-system
NAME                                       TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
nginx-ingress-1576935072-controller        LoadBalancer   10.0.211.130   20.43.176.132   80:31434/TCP,443:30957/TCP   2m43s
nginx-ingress-1576935072-default-backend   ClusterIP      10.0.41.247    <none>          80/TCP                       2m43s

Installing cert-manager

These instructions are based on cert-manager v0.14, which supports Kubernetes v1.15+.
See the cert-manager on Kubernetes Installation Guide for more information.

Install the custom resource definitions (CRDs).

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.0/cert-manager.crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created

Create namespace.

kubectl create namespace cert-manager
namespace/cert-manager created

Add the Jetstack Helm repository.

helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories

Update local charts from the repositories.

helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

Install cert-manager.

helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.14.0
NAME: cert-manager
LAST DEPLOYED: Sat Mar 28 10:40:54 2020
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://docs.cert-manager.io/en/latest/reference/issuers.html

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://docs.cert-manager.io/en/latest/reference/ingress-shim.html

Verify all pods are up and running.

kubectl get pod --namespace=cert-manager
NAME                                       READY     STATUS    RESTARTS   AGE
cert-manager-5d8d74bb4d-g4jzs              1/1       Running   0          36s
cert-manager-cainjector-5db54b6b45-bnjpv   1/1       Running   0          36s
cert-manager-webhook-7cd5d4fdd7-59mwk      1/1       Running   0          36s

Configuring ACME as ClusterIssuer

See cert-manager ACME Configuration Guide for more information.

Create the file cluster-issuer.yaml with the content below to configure ACME as the ClusterIssuer with an HTTP01 challenge solver.

Don't forget to replace the email value with your own email address.

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your.email@domain.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx

Apply the configuration.

kubectl apply -f cluster-issuer.yaml
clusterissuer.cert-manager.io/letsencrypt-prod created

Verify ClusterIssuer is ready (READY must be True).

kubectl get clusterissuer,issuer,certificates --all-namespaces
NAME                                             READY   AGE
clusterissuer.cert-manager.io/letsencrypt-prod   True    20s
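
Added example (not part of the original page or of the cert-manager documentation): a staging ClusterIssuer and an Ingress that requests its certificate through it, so issuance can be tested before switching to letsencrypt-prod. The namespace foo, the host www.example.com and the Service exampleService are placeholders reused from the chart notes above; letsencrypt-staging is an assumed name.

```yaml
# Added example, not from the original page.
# Staging issuer: same shape as letsencrypt-prod above, but pointed at the
# Let's Encrypt staging directory. Its certificates are not trusted by
# browsers and its rate limits are much higher than production.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging          # assumed name
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: your.email@domain.com     # replace with your address
    privateKeySecretRef:
      # Secret that will hold the ACME account private key.
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx               # solve challenges through nginx-ingress
---
# Ingress served by the nginx-ingress controller installed earlier.
# Placeholders: namespace foo, host www.example.com, Service exampleService.
apiVersion: extensions/v1beta1       # same API version as the chart notes above
kind: Ingress
metadata:
  name: example
  namespace: foo
  annotations:
    kubernetes.io/ingress.class: nginx
    # ingress-shim creates a Certificate for this Ingress from the annotation.
    # Change to letsencrypt-prod once staging issuance succeeds.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
  - hosts:
    - www.example.com
    # cert-manager creates and renews this Secret; do not create it by hand.
    secretName: example-tls
  rules:
  - host: www.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: exampleService
          servicePort: 80
```

Apply the file with kubectl apply -f, then run kubectl get certificates --namespace foo until READY is True.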

Listing All Installed Releases

helm list --all-namespaces
NAME                            NAMESPACE       REVISION        UPDATED                                 STATUS         CHART                  APP VERSION
cert-manager                    cert-manager    1               2020-03-28 10:40:54.2689133 +0700 +07   deployed       cert-manager-v0.14.0   v0.14.0
nginx-ingress-1585365422        kube-system     1               2020-03-28 10:17:06.6095955 +0700 +07   deployed       nginx-ingress-1.34.2   0.30.0

 


Revision #4
Created Sat, Dec 21, 2019 1:17 PM by Chairat (Par)
Updated Sat, Mar 28, 2020 3:49 AM by Chairat (Par)