Azure Kubernetes Service (AKS)

Create AKS Cluster Settings for Testing vs. Production

Here are settings for testing vs. production:

Setting                       Testing     Production
Node Size                     B2 series   D series with 8+GB of RAM
Node Count                    1 or 2      3+
VM scale sets                 Disabled    Enabled
Enable container monitoring   No          Yes



Installing Helm, nginx-ingress, and cert-manager

Installing Helm

These instructions are based on Helm v3.1.2.

You should use Helm v3.3.1 or newer if you want to install the CRDs together with cert-manager v0.16 or newer. See

Visit the Helm Installation Guide to install Helm on your local machine.

Verify the current version.

helm version
version.BuildInfo{Version:"v3.1.2", GitCommit:"d878d4d45863e42fd5cff6743294a11d28a9abce", GitTreeState:"clean", GoVersion:"go1.13.8"}
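The version requirement above can be checked in a script before choosing an install path. This is an added example, not part of the original instructions; the function names are hypothetical and the sample string is the `helm version` output shown above.

```shell
# Added example: gate the one-step CRD install on the local Helm version.
# Assumption: the input is the text printed by `helm version` (Helm v3 format).

# Print "MAJOR MINOR PATCH" parsed from a string containing Version:"vX.Y.Z".
helm_semver() {
  printf '%s\n' "$1" |
    sed -n 's/.*Version:"v\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' |
    head -n 1
}

# helm_at_least OUTPUT MAJOR MINOR PATCH
# Returns 0 if the parsed version is >= MAJOR.MINOR.PATCH, 1 if older,
# 2 if no version could be parsed. Fields are compared numerically,
# so v3.10.0 is correctly treated as newer than v3.3.1.
helm_at_least() {
  # Intentionally unquoted: split "X Y Z" into three positional parameters.
  set -- $(helm_semver "$1") "$2" "$3" "$4"
  [ "$#" -eq 6 ] || return 2
  if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
  if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
  [ "$3" -ge "$6" ]
}

# Print which CRD install path fits the local Helm (cert-manager v0.16+ assumed
# for the one-step path, as stated in the text).
crd_install_path() {
  if helm_at_least "$1" 3 3 1; then
    echo "helm --set installCRDs=true"
  else
    echo "kubectl apply CRDs first"
  fi
}

# Sample taken from the output shown above.
SAMPLE='version.BuildInfo{Version:"v3.1.2", GitCommit:"d878d4d45863e42fd5cff6743294a11d28a9abce", GitTreeState:"clean", GoVersion:"go1.13.8"}'
crd_install_path "$SAMPLE"
```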

Add the official Helm stable repository.

helm repo add stable

The stable repository URL has been changed to 

"stable" has been added to your repositories

Verify repository.

helm repo list

Update the repo to get the latest list of charts.

helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

Installing nginx-ingress

Install nginx-ingress.

helm install stable/nginx-ingress --namespace kube-system --set controller.replicaCount=2 --generate-name
NAME: nginx-ingress-1576935072
LAST DEPLOYED: Sat Dec 21 20:31:17 2019
NAMESPACE: kube-system
STATUS: deployed
The nginx-ingress controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace kube-system get services -o wide -w nginx-ingress-1576935072-controller'

An example Ingress that makes use of the controller:

  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    name: example
    namespace: foo
  spec:
    rules:
      - host:
        http:
          paths:
            - backend:
                serviceName: exampleService
                servicePort: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
        - hosts:
          secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls

Wait until EXTERNAL-IP changes from <pending>, then note the LoadBalancer public IP address.

kubectl get service -l app=nginx-ingress --namespace kube-system
NAME                                       TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
nginx-ingress-1576935072-controller        LoadBalancer   80:31434/TCP,443:30957/TCP   2m43s
nginx-ingress-1576935072-default-backend   ClusterIP    <none>          80/TCP                       2m43s

Installing cert-manager

These instructions are based on cert-manager v0.14, which supports Kubernetes v1.15+.
See the cert-manager on Kubernetes Installation Guide for more information.

In v0.16 or newer, you can install cert-manager along with its CRDs in one step using the command:
helm install cert-manager jetstack/cert-manager --set installCRDs=true --namespace cert-manager

Install the custom resource definitions (CRDs).

kubectl apply --validate=false -f created created created created created created

Create namespace.

kubectl create namespace cert-manager
namespace/cert-manager created

Add the Jetstack Helm repository.

helm repo add jetstack
"jetstack" has been added to your repositories

Update local charts from the repositories.

helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

Install cert-manager.

helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.14.0
NAME: cert-manager
LAST DEPLOYED: Sat Mar 28 10:40:54 2020
NAMESPACE: cert-manager
STATUS: deployed
cert-manager has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`

Verify all pods are up and running.

kubectl get pod --namespace=cert-manager
NAME                                       READY     STATUS    RESTARTS   AGE
cert-manager-5d8d74bb4d-g4jzs              1/1       Running   0          36s
cert-manager-cainjector-5db54b6b45-bnjpv   1/1       Running   0          36s
cert-manager-webhook-7cd5d4fdd7-59mwk      1/1       Running   0          36s

Configuring ACME as ClusterIssuer

See cert-manager ACME Configuration Guide for more information.

Create the file cluster-issuer.yaml with the content below to configure ACME as the ClusterIssuer with an HTTP01 challenge solver.

Don't forget to update email with your email address.

kind: ClusterIssuer
  name: letsencrypt-prod
      name: letsencrypt-prod
    - http01:
          class: nginx

Apply the configuration.

kubectl apply -f cluster-issuer.yaml
created

Verify ClusterIssuer is ready (READY must be True).

kubectl get clusterissuer,issuer,certificates --all-namespaces
NAME                                             READY   AGE   True    20s
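One way to produce the ClusterIssuer file for the steps above, with a staging issuer alongside the production one so the HTTP01 flow can be proven before requesting production certificates. This is an added example, not the original page's file: the apiVersion (cert-manager.io/v1alpha2), both Let's Encrypt directory URLs, the function name and the file names are assumptions not shown on the page.

```shell
# Added example (not from the original page): write ClusterIssuer manifests
# for Let's Encrypt with the HTTP01 solver bound to the nginx ingress class.
# Assumptions: apiVersion, both directory URLs, and every name below.
LE_PROD=https://acme-v02.api.letsencrypt.org/directory
LE_STAGING=https://acme-staging-v02.api.letsencrypt.org/directory

# write_issuer NAME SERVER EMAIL FILE
write_issuer() {
  # Conservative name check (lowercase DNS label) so the value cannot
  # break out of its YAML field.
  case "$1" in
    ""|*[!a-z0-9-]*|-*|*-) echo "invalid issuer name: $1" >&2; return 1 ;;
  esac
  # The ACME directory must be reached over HTTPS.
  case "$2" in
    *[[:space:]]*) echo "invalid server URL" >&2; return 1 ;;
    https://*) ;;
    *) echo "server must be an https:// URL" >&2; return 1 ;;
  esac
  # Refuse empty, placeholder or malformed contact addresses.
  case "$3" in
    ""|*[[:space:]]*) echo "invalid email" >&2; return 1 ;;
    *@example.com|*@example.org) echo "set a real contact email" >&2; return 1 ;;
    *@*.*) ;;
    *) echo "invalid email: $3" >&2; return 1 ;;
  esac
  cat > "$4" <<EOF
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: $1
spec:
  acme:
    email: $3
    server: $2
    privateKeySecretRef:
      name: $1
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
}

# Usage (replace the address with your own):
#   write_issuer letsencrypt-staging "$LE_STAGING" you@your-domain.tld cluster-issuer-staging.yaml
#   write_issuer letsencrypt-prod    "$LE_PROD"    you@your-domain.tld cluster-issuer.yaml
#   kubectl apply -f cluster-issuer-staging.yaml
```

Certificates from the staging endpoint are not browser-trusted, so switch the Ingress to the production issuer once a staging certificate has been issued successfully.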

Listing All Installed Releases

helm list --all-namespaces
NAME                            NAMESPACE       REVISION        UPDATED                                 STATUS         CHART                  APP VERSION
cert-manager                    cert-manager    1               2020-03-28 10:40:54.2689133 +0700 +07   deployed       cert-manager-v0.14.0   v0.14.0
nginx-ingress-1585365422        kube-system     1               2020-03-28 10:17:06.6095955 +0700 +07   deployed       nginx-ingress-1.34.2   0.30.0