|
| 1 | +--- |
| 2 | +title: 'Expose an Application Securely Using TLS' |
| 3 | +--- |
| 4 | + |
| 5 | +In this guide, we'll walk through the standard process of deploying a simple HTTP server secured with TLS and exposed via Ingress. |
| 6 | + |
| 7 | +To securely deploy your applications on Ubicloud Kubernetes clusters using TLS, simply set up an Ingress controller along with Cert-Manager. This setup handles all your TLS needs. |
| 8 | + |
| 9 | +Follow this step-by-step guide to deploy and expose an HTTPS application on your Kubernetes cluster. Before you begin, ensure that Helm is installed on your system. |
| 10 | + |
| 11 | +### Prerequisites |
| 12 | +To complete this tutorial, Helm must be installed. You can follow the official installation guide available on the [Helm website](https://helm.sh/docs/intro/install/) |
| 13 | + |
| 14 | +You’ll also need an active domain and access to the control panel for managing DNS records in order to complete this guide. |
| 15 | + |
| 16 | +### Installing the required addons |
| 17 | +You'll need an email to register yourself with letsencrypt. |
| 18 | +```bash |
| 19 | +export KUBECONFIG=/path/to/your/kubeconfig |
| 20 | +export CLUSTER_ISSUER_EMAIL=email@yourcompany.com |
| 21 | +``` |
| 22 | + |
| 23 | +Next, we'll add the ingress-nginx and jetstack Helm repositories to install the Ingress NGINX Controller and Cert Manager. |
| 24 | + |
| 25 | +```bash |
| 26 | +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx |
| 27 | +helm repo add jetstack https://charts.jetstack.io |
| 28 | +helm repo update |
| 29 | + |
| 30 | +helm install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx --create-namespace |
| 31 | +helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set crds.enabled=true |
| 32 | +``` |
| 33 | + |
| 34 | +We'll also create a ClusterIssuer in order to get certificates from letsencrypt for our service |
| 35 | +```bash |
| 36 | +kubectl apply -f <(cat <<EOF |
| 37 | +apiVersion: cert-manager.io/v1 |
| 38 | +kind: ClusterIssuer |
| 39 | +metadata: |
| 40 | + name: letsencrypt |
| 41 | +spec: |
| 42 | + acme: |
| 43 | + server: https://acme-v02.api.letsencrypt.org/directory |
| 44 | + email: $CLUSTER_ISSUER_EMAIL |
| 45 | + privateKeySecretRef: |
| 46 | + name: letsencrypt |
| 47 | + solvers: |
| 48 | + - http01: |
| 49 | + ingress: |
| 50 | + class: nginx |
| 51 | +EOF |
| 52 | +) |
| 53 | +``` |
| 54 | +Once all the commands have been executed, you’ll notice a Service named `ingress-nginx-controller` created in the `ingress-nginx` namespace. This Service is of type LoadBalancer, and the `EXTERNAL-IP` column will display a domain that resolves to the IPs of your worker nodes. |
| 55 | + |
| 56 | +You can see this service using the command below |
| 57 | +```bash |
| 58 | +kubectl -n ingress-nginx get service ingress-nginx-controller |
| 59 | +``` |
| 60 | + |
| 61 | +Here's a sample output of the command: |
| 62 | +``` |
| 63 | +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE |
| 64 | +ingress-nginx-controller LoadBalancer 10.105.61.236 xgmdaw248d-services.k8s.ubicloud.com 80:32271/TCP,443:30363/TCP 8m15s |
| 65 | +``` |
| 66 | + |
| 67 | +### Add DNS record to route the traffic to the cluster |
| 68 | +Next, create a CNAME record with your DNS provider pointing *.ingress.yourdomain.com to the domain listed in the EXTERNAL-IP. Feel free to use any subdomain that best suits your setup. |
| 69 | + |
| 70 | +### Deploy your application |
| 71 | +```bash |
| 72 | +export DOMAIN_SUFFIX=ingress.yourdomain.com |
| 73 | + |
| 74 | +kubectl apply -f - <<EOF |
| 75 | +apiVersion: apps/v1 |
| 76 | +kind: Deployment |
| 77 | +metadata: |
| 78 | + name: hello-world-deployment |
| 79 | +spec: |
| 80 | + replicas: 1 |
| 81 | + selector: |
| 82 | + matchLabels: |
| 83 | + app: hello-world |
| 84 | + template: |
| 85 | + metadata: |
| 86 | + labels: |
| 87 | + app: hello-world |
| 88 | + spec: |
| 89 | + containers: |
| 90 | + - name: hello-world |
| 91 | + image: nginx |
| 92 | + ports: |
| 93 | + - containerPort: 80 |
| 94 | +--- |
| 95 | +apiVersion: v1 |
| 96 | +kind: Service |
| 97 | +metadata: |
| 98 | + name: hello-world-service |
| 99 | +spec: |
| 100 | + selector: |
| 101 | + app: hello-world |
| 102 | + ports: |
| 103 | + - port: 80 |
| 104 | +EOF |
| 105 | + |
| 106 | +kubectl apply -f - <<EOF |
| 107 | +apiVersion: networking.k8s.io/v1 |
| 108 | +kind: Ingress |
| 109 | +metadata: |
| 110 | + name: hello-world |
| 111 | + annotations: |
| 112 | + cert-manager.io/cluster-issuer: letsencrypt |
| 113 | +spec: |
| 114 | + ingressClassName: nginx |
| 115 | + tls: |
| 116 | + - hosts: |
| 117 | + - hello-world.$DOMAIN_SUFFIX |
| 118 | + secretName: hello-world-ingress-tls |
| 119 | + rules: |
| 120 | + - host: hello-world.$DOMAIN_SUFFIX |
| 121 | + http: |
| 122 | + paths: |
| 123 | + - path: / |
| 124 | + pathType: Prefix |
| 125 | + backend: |
| 126 | + service: |
| 127 | + name: hello-world-service |
| 128 | + port: |
| 129 | + number: 80 |
| 130 | +EOF |
| 131 | +``` |
| 132 | + |
| 133 | +Now you can visit https://hello-world.ingress.yourdomain.com! |
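Review bot: Nothing in this guide is version-pinned: the two `helm install` commands (file lines 30-31) carry no `--version`, and the Deployment uses `image: nginx` (file line 91) with no tag or digest, so a reader following these steps later gets whatever chart and image are current that day rather than what was tested. Pin the chart versions and the image tag so the walkthrough is reproducible. The ClusterIssuer is applied with `kubectl apply -f <(cat <<EOF` (file line 36), while the later manifests use `kubectl apply -f - <<EOF` (file lines 74 and 106); the stdin form should be used throughout, since the process substitution only works in bash-like shells and the `cat` is redundant. All three heredocs are unquoted and depend on `$CLUSTER_ISSUER_EMAIL` and `$DOMAIN_SUFFIX` being exported in the same shell, which deserves a sentence, because an unset variable silently produces an empty `email:` or a host of `hello-world.`. The guide also goes straight from applying the Ingress to "Now you can visit" (file line 133) without a step confirming that the certificate for `hello-world-ingress-tls` was issued; add a check for that before the final link. Smaller points: the Helm requirement is stated twice (file lines 9 and 12), and the sentences at file lines 12, 34 and 56 are missing their closing punctuation.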