Installing Helm, nginx-ingress, and cert-manager
Installing Helm
These instructions are based on Helm v3.1.2.
You should use Helm v3.3.1 or newer if you want to install the CRDs together with cert-manager v0.16 or newer. See
Visit the Helm Installation Guide to install Helm on your local machine.
Verify the current version.
helm version
version.BuildInfo{Version:"v3.1.2", GitCommit:"d878d4d45863e42fd5cff6743294a11d28a9abce", GitTreeState:"clean", GoVersion:"go1.13.8"}
Add the official Helm stable repository.
helm repo add stable https://kubernetes-charts.storage.googleapis.com/
"stable" has been added to your repositories
Note: the stable repository URL has been changed to https://charts.helm.sh/stable
Verify repository.
helm repo list
NAME URL
stable https://kubernetes-charts.storage.googleapis.com/
Update the repository to get the latest list of charts.
helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
Installing nginx-ingress
Install nginx-ingress.
helm install stable/nginx-ingress --namespace kube-system --set controller.replicaCount=2 --generate-name
NAME: nginx-ingress-1576935072
LAST DEPLOYED: Sat Dec 21 20:31:17 2019
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The nginx-ingress controller has been installed.
It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status by running 'kubectl --namespace kube-system get services -o wide -w nginx-ingress-1576935072-controller'
An example Ingress that makes use of the controller:
  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      kubernetes.io/ingress.class: nginx
    name: example
    namespace: foo
  spec:
    rules:
      - host: www.example.com
        http:
          paths:
            - backend:
                serviceName: exampleService
                servicePort: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
      - hosts:
          - www.example.com
        secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls
Get the LoadBalancer public IP address by waiting until EXTERNAL-IP changes from <Pending> to an address.
kubectl get service -l app=nginx-ingress --namespace kube-system
NAME                                      TYPE          CLUSTER-IP    EXTERNAL-IP    PORT(S)                     AGE
nginx-ingress-1576935072-controller       LoadBalancer  10.0.211.130  20.43.176.132  80:31434/TCP,443:30957/TCP  2m43s
nginx-ingress-1576935072-default-backend  ClusterIP     10.0.41.247   <none>         80/TCP                      2m43s
Installing cert-manager
These instructions are based on cert-manager v0.14, which supports Kubernetes v1.15+.
See cert-manager on Kubernetes Installation Guide for more information.
In v0.16 or newer, you can install cert-manager along with the CRDs in one shot using the command:
helm install cert-manager jetstack/cert-manager --set installCRDs=true --namespace cert-manager
Install the custom resource definitions (CRDs).
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.0/cert-manager.crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
Create namespace.
kubectl create namespace cert-manager
namespace/cert-manager created
Add the Jetstack Helm repository.
helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
Update local charts from the repositories.
helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
Install cert-manager.
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.14.0
NAME: cert-manager
LAST DEPLOYED: Sat Mar 28 10:40:54 2020
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://docs.cert-manager.io/en/latest/reference/issuers.html
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://docs.cert-manager.io/en/latest/reference/ingress-shim.html
Verify all pods are up and running.
kubectl get pod --namespace=cert-manager
NAME                                      READY  STATUS   RESTARTS  AGE
cert-manager-5d8d74bb4d-g4jzs             1/1    Running  0         36s
cert-manager-cainjector-5db54b6b45-bnjpv  1/1    Running  0         36s
cert-manager-webhook-7cd5d4fdd7-59mwk     1/1    Running  0         36s
Configuring ACME as ClusterIssuer
See cert-manager ACME Configuration Guide for more information.
Create the file cluster-issuer.yaml with the content below to configure ACME as the ClusterIssuer with an HTTP01 challenge solver.
Don't forget to update email with your email address.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your.email@domain.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
Apply the configuration.
kubectl apply -f cluster-issuer.yaml
clusterissuer.cert-manager.io/letsencrypt-prod created
Verify ClusterIssuer is ready (READY must be True).
kubectl get clusterissuer,issuer,certificates --all-namespaces
NAME READY AGE
clusterissuer.cert-manager.io/letsencrypt-prod True 20s
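The Helm notes above mention a 'letsencrypt-staging' issuer and ingress-shim, but the guide stops at the production ClusterIssuer. The manifests below are an added example (not part of the original guide or of the cert-manager project's documentation) showing a staging issuer and an Ingress that requests its certificate from it. The names letsencrypt-staging and example-service, the namespace foo and the host www.example.com are assumptions.

```yaml
# Added example, not from the original guide. Assumed names: letsencrypt-staging,
# namespace foo, Service example-service, host www.example.com.
# Let's Encrypt's staging endpoint issues untrusted test certificates and has
# much looser rate limits than production, so prove the HTTP01 flow there first.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: your.email@domain.com
    privateKeySecretRef:
      # Keep the staging account key separate from the production one.
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress:
            class: nginx
---
# networking.k8s.io/v1beta1 is served by Kubernetes 1.14 through 1.21, which
# covers the v1.15+ clusters this guide targets.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example
  namespace: foo
  annotations:
    kubernetes.io/ingress.class: nginx
    # ingress-shim reads this annotation and creates a Certificate for the
    # hosts listed under spec.tls. Switch to letsencrypt-prod once staging works.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
    - hosts:
        - www.example.com
      # cert-manager creates and renews this Secret; do not create it by hand.
      secretName: example-tls
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: example-service
              servicePort: 80
```

After applying both documents, kubectl get certificate --namespace foo should list example-tls with READY True once the HTTP01 challenge completes.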
Listing All Installed Releases
helm list --all-namespaces
NAME                      NAMESPACE     REVISION  UPDATED                                STATUS    CHART                 APP VERSION
cert-manager              cert-manager  1         2020-03-28 10:40:54.2689133 +0700 +07  deployed  cert-manager-v0.14.0  v0.14.0
nginx-ingress-1585365422  kube-system   1         2020-03-28 10:17:06.6095955 +0700 +07  deployed  nginx-ingress-1.34.2  0.30.0