'How to setup Letsencrypt with Kubernetes microk8s using default Ingress?

Recently, I tried to setup letsencrypt using microk8s and the default ingress controller on a bare-metal server.

I found a few guides online that were very useful but it seems as if there must have been a recent update to microk8s that changed the way the ingress controller is configured.

To save you guys time, I wrote out exactly what I did.

Here are some useful resources if you get stuck or to get a better understanding.

https://cert-manager.io/docs/installation/kubernetes/

https://cert-manager.io/docs/tutorials/acme/ingress/

This link was really useful for troubleshooting

https://cert-manager.io/docs/faq/acme/



Solution 1:[1]

This guide is to set up Letsencrypt with Kubernetes using Microk8s and the default Ingress controller.

Versions used:

microk8s version 1.21/stable

cert-manager v1.3.1

Pre-requisite: Forward ports 80 & 443 to your server. Set up a domain name that points to your server.

Install microk8s

snap install microk8s --classic --channel=1.21/stable

Enable dns and ingress

sudo microk8s enable dns ingress

We'll create a test webserver deployment/service using the nginx webserver image to test web traffic

webserver-depl-svc.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: webserver-depl
spec:
  selector:
    matchLabels:
      app: webserver-app
  template:
    metadata:
      labels:
        app: webserver-app
    spec:
      containers:
        - name: webserver-app
          image: nginx:1.8
---
apiVersion: v1
kind: Service
metadata:
  name: webserver-svc
spec:
  selector:
    app: webserver-app
  ports:
  - name: webserver-app
    protocol: TCP
    port: 80
    targetPort: 80

apply the config file

sudo microk8s kubectl apply -f webserver-depl-svc.yaml

now to configure the default ingress to serve the test webserver

ingress-routes.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-routes
spec:
  rules:
#change yourdomain.com to your domain
  - host: yourdomain.com
    http:
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: webserver-svc
              port:
                number: 80

Apply the ingress routes

sudo microk8s kubectl apply -f ingress-routes.yaml

When you visit yourdomain.com, you should see the default "welcome to nginx!" splash screen.

Now to install cert-manager https://cert-manager.io/docs/installation/kubernetes/

sudo microk8s kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml

The next command should show 3 pods to confirm cert-manager is installed and running

sudo microk8s kubectl get pods --n=cert-manager

Now to create the certificate issuer config. A detail to notice is that the class used in this config is public as opposed to nginx. This may be microk8s specific. https://cert-manager.io/docs/tutorials/acme/ingress/

letsencrypt-staging.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
#change to your email
    email: [email protected]
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: public

letsencrypt-prod.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
#change to your email
    email: [email protected]
    privateKeySecretRef:
       name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: public

Apply both issuer configs

sudo microk8s kubectl apply -f letsencrypt-staging.yaml

sudo microk8s kubectl apply -f letsencrypt-prod.yaml

now to update ingress-routes.yaml to use the staging certificate.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-routes
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
spec:
  tls:
  - hosts:
#change to your domain
    - yourdomain.com
    secretName: tls-secret
  rules:
#change to your domain
  - host: yourdomain.com
    http:
      paths:
        - path: /
        pathType: Prefix
        backend:
          service:
            name: webserver-svc
            port:
              number: 80

Apply the update

sudo microk8s kubectl apply -f ingress-routes.yaml

Run the next command to confirm Ready=True

sudo microk8s kubectl get certificate

If it returned true, that means HTTP-01 challenge was successful. You can see more detail at the end of output running the next command

sudo microk8s kubectl describe certificate tls-secret

Now to change ingress-routes.yaml to use the production certificate.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-routes
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
#change to your domain
    - yourdomain.com
    secretName: tls-secret
  rules:
#change to your domain
  - host: yourdomain.com
    http:
      paths:
        - path: /
        pathType: Prefix
        backend:
          service:
            name: webserver-svc
            port:
              number: 80

Apply the update

sudo microk8s kubectl apply -f ingress-routes.yaml

Now the moment of truth. Run the next command to confirm a certificate was generated. Ready=True

sudo microk8s kubectl get certificate

Run the next command and look at the final output to verify the certificate was issued.

sudo microk8s kubectl describe certificate tls-secret

Now if you visit your domain. You should see the little lock of success! :-)

Solution 2:[2]

Update December 2021: I had to update ingress-routes.yaml to get this to work:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-routes
spec:
  rules:
#change yourdomain.com to your domain
  - host: yourdomain.com
    http:
      paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: webserver-svc
              port:
                number: 80

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Daniel Fisher lennybacon
Solution 2 KNOX