Nginx Ingress Controller with HTTPS - Galactros/Ingress-Controller-Rancher GitHub Wiki
1. Create Project and Namespace in Rancher Server
- `kubectl create namespace games`
2. Deploy 2048 web application and services clusterIP
- `kubectl create deployment games-2048 --image=alexwhen/docker-2048`
- `kubectl expose deployment games-2048 --type=ClusterIP --port 80 --target-port 80` (this creates a ClusterIP service named `games-2048`, which the Ingress in step 6 refers to)
3. Add Nginx Ingress via Rancher Apps
- Search for Nginx-Ingress in Catalogs
- Change the name to `games-nginx-ingress` and the namespace to `games`
- Add an answer `controller.ingressClass: games`
- Configure DNS for games-nginx-ingress: the external IP is shown in the Load Balancing tab under Resources via "View/Edit YAML"
- Create the DNS record in Azure DNS
4. Install and Configure Cert-Manager
- Install the CustomResourceDefinition resources separately: `kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/v0.13.0/deploy/manifests/00-crds.yaml`
- Label the games namespace to disable resource validation: `kubectl label namespace games certmanager.k8s.io/disable-validation=true`
- Add the Jetstack Helm repo as a catalog in Rancher Server: https://charts.jetstack.io
- Search for Cert-Manager in Catalogs
- Make sure the chart version is the same as the version used in the CustomResourceDefinition command (v0.13.0)
- Add an answer `ingressShim.defaultIssuerName: letsencrypt-staging`
- Add an answer `ingressShim.defaultIssuerKind: ClusterIssuer`
- Add two answers `webhook.enabled: false` and `global.leaderElection.namespace: cert-manager` to work around a deploy bug in Rancher
- After the deploy, change the answer to `webhook.enabled: true`
5. Cluster Issuer
- Add the cluster issuers via "Import Yaml" in the Resources tab in Rancher Server (one staging and one prod issuer per solver type; the dns01 variants below are alternatives to the http01 ones, so use one pair or the other)
- Add the letsencrypt-staging issuer with http01

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  labels:
    name: letsencrypt-staging
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL (staging: certificates are not browser-trusted)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable HTTP01 validation through the nginx ingress of class "games"
    solvers:
    - http01:
        ingress:
          class: games
```
- Add the letsencrypt-prod issuer with http01

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  labels:
    name: letsencrypt-prod
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable HTTP01 validation through the nginx ingress of class "games"
    solvers:
    - http01:
        ingress:
          class: games
```
- Add the letsencrypt-staging issuer with dns01 (Azure DNS)

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  labels:
    name: letsencrypt-staging
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL (staging: certificates are not browser-trusted)
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable DNS01 validation through Azure DNS
    solvers:
    - dns01:
        azuredns:
          clientID: AZURE_CERT_MANAGER_SP_APP_ID
          clientSecretSecretRef:
            # Secret holding the service principal password that cert-manager uses
            # to present the challenge to Azure DNS. For a ClusterIssuer it must live
            # in the namespace cert-manager is installed in.
            name: azuredns-config
            key: client-secret
          subscriptionID: AZURE_SUBSCRIPTION_ID
          tenantID: AZURE_TENANT_ID
          resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP
          hostedZoneName: AZURE_DNS_ZONE
          # Azure Cloud Environment, defaults to AzurePublicCloud
          environment: AzurePublicCloud
```
- Add the letsencrypt-prod issuer with dns01 (Azure DNS)

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  labels:
    name: letsencrypt-prod
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable DNS01 validation through Azure DNS
    solvers:
    - dns01:
        azuredns:
          clientID: AZURE_CERT_MANAGER_SP_APP_ID
          clientSecretSecretRef:
            # Secret holding the service principal password that cert-manager uses
            # to present the challenge to Azure DNS. For a ClusterIssuer it must live
            # in the namespace cert-manager is installed in.
            name: azuredns-config
            key: client-secret
          subscriptionID: AZURE_SUBSCRIPTION_ID
          tenantID: AZURE_TENANT_ID
          resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP
          hostedZoneName: AZURE_DNS_ZONE
          # Azure Cloud Environment, defaults to AzurePublicCloud
          environment: AzurePublicCloud
```
6. Install and Configure Games-Ingress
- Import games-ingress-2048 via "Import Yaml" in the Load Balancing tab under Resources

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: games-ingress-2048
  namespace: games
  annotations:
    kubernetes.io/ingress.class: games
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    # Start with the staging issuer to avoid Let's Encrypt rate limits while testing;
    # staging certificates are not trusted by browsers, so switch this annotation to
    # letsencrypt-prod once issuance works.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
  - hosts:
    # placeholder: your DNS name (Kubernetes requires lowercase host names)
    - games.yourdomain.com
    # cert-manager stores the issued certificate and key in this secret
    secretName: games-secret
  rules:
  - host: games.yourdomain.com
    http:
      paths:
      - backend:
          # the ClusterIP service created in step 2
          serviceName: games-2048
          servicePort: 80
        path: /2048(/|$)(.*)
```
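Once the Ingress is applied, the thing worth checking is what the ingress actually serves: whether the certificate came from the staging CA (not browser-trusted) or from production, whether its SANs cover the host, and how long it has left. The script below is an added example and not part of the wiki or of the cert-manager or Rancher projects. It assumes the `openssl` command-line tool is installed; `games.yourdomain.com` is the wiki's placeholder host and port 443 is assumed. Run without arguments it builds a constructed, throwaway certificate whose issuer name is made up to look like the Let's Encrypt staging CA and reports on that, so it works offline; run with a host name it inspects the live endpoint instead.

```shell
#!/bin/sh
# Added example (not from the wiki): report who issued the certificate an ingress serves,
# whether it covers the host, and whether it expires soon. Assumes the openssl CLI.
set -eu

# Issuer DN of a PEM certificate file.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# DNS names from the Subject Alternative Name extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Classify the issuing CA. Let's Encrypt staging certificates are not browser-trusted,
# so "staging" means the cluster-issuer annotation still points at letsencrypt-staging.
classify_cert() {
  case "$(cert_issuer "$1")" in
    *STAGING*|*"Fake LE"*) echo staging ;;
    *"Let's Encrypt"*)     echo production ;;
    *)                     echo other ;;
  esac
}

# Return 0 if the certificate's SANs cover the host (exact name or one-label wildcard).
cert_covers_host() {  # pemfile host
  host=$2
  parent=${host#*.}
  for san in $(cert_sans "$1"); do
    [ "$san" = "$host" ] && return 0
    [ "$san" = "*.$parent" ] && return 0
  done
  return 1
}

# Return 0 if the certificate is still valid 30 days from now (cert-manager renews
# well before expiry; a shorter remaining lifetime means renewal is not happening).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# Pull the leaf certificate a TLS endpoint presents for the given SNI name.
fetch_served_cert() {  # host port outfile
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

# Human-readable summary for a certificate and the host it is supposed to serve.
report_cert() {  # pemfile host
  echo "issuer: $(cert_issuer "$1")"
  echo "class:  $(classify_cert "$1")"
  if cert_covers_host "$1" "$2"; then echo "covers: $2"; else echo "covers: NOT $2"; fi
  if cert_not_expiring "$1"; then echo "expiry: ok (>30 days)"; else echo "expiry: less than 30 days left"; fi
}

# Constructed test data: a throwaway CA whose name is made up to look like the staging CA,
# and a leaf for the wiki's placeholder host signed by it. Written into directory $1.
make_test_cert() {  # dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/ca.key" -out "$1/ca.pem" \
    -subj "/O=(STAGING) Let's Encrypt/CN=(STAGING) Fake LE Intermediate X1" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" \
    -subj "/CN=games.yourdomain.com" 2>/dev/null
  printf 'subjectAltName=DNS:games.yourdomain.com\n' > "$1/san.cnf"
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -extfile "$1/san.cnf" -out "$1/leaf.pem" 2>/dev/null
}

work=$(mktemp -d)
if [ -n "${1:-}" ]; then
  # live check, e.g.: sh check-ingress-cert.sh games.yourdomain.com 443
  fetch_served_cert "$1" "${2:-443}" "$work/served.pem"
  report_cert "$work/served.pem" "$1"
else
  # offline demo on the constructed certificate
  make_test_cert "$work"
  report_cert "$work/leaf.pem" games.yourdomain.com
fi
rm -rf "$work"
```

The classification keys on the issuer name, which is enough to tell staging from production in practice, but it is not a trust check: for the live case the browser or `openssl verify` still decides whether the chain is valid. A "covers: NOT" result after a DNS change usually means the `tls.hosts` list and the `rules` host in the Ingress have drifted apart.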
7. Uninstall Cert-Manager Resources
- Ensure that all cert-manager resources created by users have been deleted: `kubectl get Issuers,ClusterIssuers,Certificates,CertificateRequests,Orders,Challenges --all-namespaces`
- Delete remaining resources with a command like: `kubectl delete clusterissuer.cert-manager.io/letsencrypt-prod`
- Delete the installation manifests using the link for your currently running version (v0.13.0), like so: `kubectl delete -f https://github.com/jetstack/cert-manager/releases/download/v0.13.0/cert-manager.yaml`