HTTPS Namecheap Subdomain Pointing to an Azure AKS Using Automatic Ingress TLS with Let's Encrypt
Note: The article might be missing some steps at the end. I wrote it a while back and didn’t have time to look back. The content at the beginning can still get you quite far in the process.
If you haven’t set up a Kubernetes deployment yet, see: https://medium.com/coding-spaghetti/setting-up-servers-on-kubernetes-via-azure-fa1c847abb0f
I will be building on top of it.
Ensure your CLI has access to the cluster:
RESOURCE_GROUP=scoop-dev-rg
CLUSTER_NAME=scoop-dev-cluster
az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
In your Kubernetes cluster, create a namespace.
To see which cluster you’re working with:
kubectl config current-context
Select the cluster you want to work with
CLUSTER_NAME=facets-dev-cluster
kubectl config use-context $CLUSTER_NAME
Installing Certificate
Check the latest version of cert-manager https://github.com/cert-manager/cert-manager/releases
Install cert-manager: Ensure that cert-manager is installed on your cluster. You can do this using Helm or by applying the cert-manager YAML manifests directly with kubectl. Here's how you can install it using Helm:
# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update
# Install the cert-manager Helm chart
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.5.3 \
  --set installCRDs=true
Verify CRD Installation: After installation, you can verify that the CRDs have been installed successfully by running the following command:
kubectl get crd | grep 'cert-manager.io'
Open the bash terminal and create a file at the
vi letsencrypt-clusterissuer.yaml
Update the following with your email and paste it into the terminal:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # The ACME server URL for Let's Encrypt's production environment
    # Use "https://acme-staging-v02.api.letsencrypt.org/directory" for the staging environment
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: your_email@gmail.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
          podTemplate:
            spec:
              nodeSelector:
                "kubernetes.io/os": linux
Press control+c to exit, then type :wq to keep changes.
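Run the following after replacing the namespace with your own, matching the namespace you will host your services in. A ClusterIssuer is cluster-scoped, so the --namespace flag has no effect on where it is created; the ACME account private key secret is stored in the namespace cert-manager runs in.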
NAMESPACE=facets-services-namespace
kubectl apply --namespace $NAMESPACE -f letsencrypt-clusterissuer.yaml
If you need to undo changes for whatever reason you can use
kubectl delete --namespace $NAMESPACE -f letsencrypt-clusterissuer.yaml
You can check the ClusterIssuer using:
kubectl get clusterissuer.cert-manager.io -n $NAMESPACE
You can delete it with the following, where the last argument is the metadata name:
kubectl delete clusterissuer.cert-manager.io letsencrypt
To get services in the namespace:
kubectl get svc -n $NAMESPACE
Set up the Ingress file for the domains that use the SSL certificate:
vi facets-tls-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: facets-ssl-tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/websocket-services: "chat-service"
    nginx.ingress.kubernetes.io/proxy-body-size: "0" # Allow unlimited size, or set a specific size like 50m
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - chat.facets.one
    - backend.facets.one
    - fileservice.facets.one
    secretName: facets-cert
  rules:
  - host: chat.facets.one
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: chat-service
            port:
              number: 7200
  - host: backend.facets.one
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: backend-service
            port:
              number: 4000
  - host: fileservice.facets.one
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: fileservice-service
            port:
              number: 4040
Press control+c to exit, then type :wq to keep changes.
kubectl apply --namespace $NAMESPACE -f facets-tls-ingress.yaml
kubectl get ingress facets-ssl-tls-ingress --namespace $NAMESPACE
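A post-deploy check for the Ingress and ClusterIssuer above, as an added example that is not part of the original article: it flags rule hosts missing from spec.tls, waits for the Certificate, and reports whether each host serves a production Let's Encrypt certificate, a staging one, or the ingress controller's default self-signed one. The function names are hypothetical, and it assumes cert-manager names the Certificate after the Ingress secretName (facets-cert here) and that openssl is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the article). Function names are hypothetical.

# Print every rule host that is not listed under spec.tls[].hosts.
# Exact-name match only. $1 = TLS hosts, $2 = rule hosts (space-separated).
uncovered_hosts() (
  for h in $2; do
    case " $1 " in
      *" $h "*) ;;            # host is on the certificate
      *) echo "$h" ;;         # routed, but not covered by the certificate
    esac
  done
)

# Classify the line printed by `openssl x509 -noout -issuer`.
# Staging is tested before production because its issuer also says "Let's Encrypt".
classify_issuer() {
  case "$1" in
    *"Kubernetes Ingress Controller Fake Certificate"*) echo fake ;;
    *"(STAGING)"*)     echo staging ;;
    *"Let's Encrypt"*) echo production ;;
    *)                 echo unknown ;;
  esac
}

# $1 = Ingress name, $2 = namespace, $3 = TLS secretName (assumed Certificate name)
verify_ingress_tls() {
  rc=0
  tls=$(kubectl get ingress "$1" -n "$2" -o jsonpath='{.spec.tls[*].hosts[*]}')
  rules=$(kubectl get ingress "$1" -n "$2" -o jsonpath='{.spec.rules[*].host}')
  missing=$(uncovered_hosts "$tls" "$rules")
  if [ -n "$missing" ]; then
    echo "hosts not in spec.tls: $missing"
    rc=1
  fi
  kubectl wait --for=condition=Ready "certificate/$3" -n "$2" --timeout=300s || rc=1
  for h in $tls; do
    issuer=$(openssl s_client -connect "$h:443" -servername "$h" </dev/null 2>/dev/null |
             openssl x509 -noout -issuer 2>/dev/null)
    kind=$(classify_issuer "$issuer")
    echo "$h: $kind"
    [ "$kind" = production ] || rc=1
  done
  return "$rc"
}

# Usage: verify_ingress_tls facets-ssl-tls-ingress "$NAMESPACE" facets-cert
```

A "fake" or "staging" result means browsers will reject the certificate even though the Ingress answers on port 443.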