Deploy web app with Let's Encrypt certificate using Kubernetes cert-manager

by Puzl Team
Last updated on May 01, 2021

This article shows how to deploy your web application (an HTTP server) and securely expose it to the Internet over HTTPS.

Requirements

  1. kubectl and Helm must be installed on your computer. If you’re using Puzl, you can find the personalised kubeconfig needed to set up kubectl in the API section of the Dashboard.
  2. The Kubernetes cluster must support Services of the load balancer type and have cert-manager installed. On Puzl, both load balancers and cert-manager are already available in your free Kubernetes namespace out of the box.
  3. Your application must be containerized (packed in a Docker image), pushed to a Docker registry, and speak plain HTTP. The application itself does not have to support SSL/TLS: it will run behind the NGINX ingress controller, which terminates TLS and connects to the application over HTTP, so you don’t need to change anything in your code.

Caution: performing the following steps will request computing resources from the Kubernetes cluster.

Setup ingress controller

The following code snippet deploys the NGINX Ingress Controller using Helm and creates a load balancer with a dedicated IP address, which is allocated automatically if you use Puzl.

  • — unique name for the controller.
  • — if you’re using Puzl, you’ll find it in the API section of your Puzl Dashboard.
  • — class name for the ingress object; it must be unique. On Puzl, the name ‘nginx’ is reserved and cannot be used.
  • — name of the account with the permissions to access the API; on Puzl, this is your service account name.

The following flags are relevant if you’re using Puzl:

  • — tell the controller to look for Ingress resources only in your namespace.
  • — do not grant excess permissions to create cluster-wide roles and role bindings.
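As an added example (not the article's own snippet), here is a Helm values file that expresses the options just listed for the upstream ingress-nginx chart: a custom ingress class, a controller scoped to one namespace, namespaced RBAC only, an existing service account, and a LoadBalancer Service. The release name, namespace, class name and service account name are placeholders; the values keys are assumed to match the ingress-nginx chart version you install.

```yaml
# values.yaml for the ingress-nginx Helm chart (added example; all names are placeholders).
# Install with:
#   helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
#   helm install my-ingress ingress-nginx/ingress-nginx -n my-namespace -f values.yaml
# Afterwards, the load balancer address appears in the EXTERNAL-IP column of:
#   kubectl get svc -n my-namespace
controller:
  # Custom ingress class: must be unique in the cluster ('nginx' is reserved on Puzl).
  ingressClass: my-app-nginx
  ingressClassResource:
    name: my-app-nginx
    controllerValue: k8s.io/my-app-nginx
  # Watch Ingress objects in this namespace only, not cluster-wide.
  scope:
    enabled: true
    namespace: my-namespace
  service:
    # A LoadBalancer Service gets a dedicated external IP (allocated automatically on Puzl).
    type: LoadBalancer
  # The admission webhook needs cluster-scoped webhook configuration permissions,
  # which a namespace-confined release does not have (assumption: disable it here).
  admissionWebhooks:
    enabled: false
rbac:
  # Create only a namespaced Role/RoleBinding, no ClusterRole/ClusterRoleBinding.
  scope: true
serviceAccount:
  # Reuse an existing service account instead of creating a new one.
  create: false
  name: my-service-account
```

Keeping the controller scoped to one namespace and its RBAC namespaced limits what a compromised controller Pod could read or change elsewhere in the cluster, which is why the two scope settings belong together.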

After this step, you can list the Pod and Service with kubectl; if you’re using Puzl, you should also see a Pod and a TCP/UDP Balancer in your dashboard.

If you run into trouble, see the NGINX Ingress Controller Troubleshooting guide.

Get external IP of load balancer

  1. To get the IP, run the following command and look at the external IP column.
  2. Check that the IP is reachable from outside:

Expected response:

  3. Assuming that you already own a custom domain, create a DNS ‘A’ record pointing your domain or one of its subdomains to that IP address.

Create cert issuer to request TLS certificate from Let’s Encrypt

Kubernetes can be extended with a native certificate management controller, cert-manager. It automates the issuance of TLS certificates from various sources such as Let’s Encrypt, a signing key pair you provide, or self-signed certificates. At the moment Puzl supports only Let’s Encrypt certificates.

This step requires cert-manager to be installed.

Signed certificates are requested through a special Kubernetes resource, the Issuer. We use an Issuer of the ACME type (Automated Certificate Management Environment). A website with a TLS certificate backed by an ACME Issuer is trusted by most clients’ web browsers by default.

  1. Describe the Issuer configuration in a file:

See the other solver options.

  2. To create the Issuer, run:

The signed certificate is stored as a Secret named .
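As an added example of the Issuer step (not the article's own manifest), the following is a namespaced ACME Issuer for Let's Encrypt with an HTTP-01 solver. The Issuer name, namespace, e-mail address and ingress class are placeholders; the API version assumes cert-manager 1.x. The ACME server URLs are the real Let's Encrypt production and staging endpoints.

```yaml
# issuer.yaml (added example; names and e-mail address are placeholders)
# Apply and check with:
#   kubectl apply -f issuer.yaml
#   kubectl get issuer letsencrypt-prod -n my-namespace   # READY should become True
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: my-namespace
spec:
  acme:
    # Production endpoint. While testing the setup, use the staging endpoint
    # instead: it has much higher rate limits but issues certificates that
    # browsers do not trust:
    #   https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    # Let's Encrypt sends expiry and policy notices to this address.
    email: admin@example.com
    # Secret that stores the ACME account private key, not the site certificate.
    # The Ingress tls.secretName must use a different name.
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            # The temporary challenge Ingress must be served by our controller,
            # so this matches the controller's ingress class.
            class: my-app-nginx
```

Starting with the staging endpoint is worth the extra step: a misconfigured solver retried against production can exhaust the per-domain rate limit and block issuance for a week.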

Run your web application in Kubernetes

In the code snippet below we deploy an example Sanic server by creating a Deployment with 1 replica and a Service for it.

However, you can use a Docker image with any web server (Apache, PHP’s built-in server, etc.) and adjust the configuration to your requirements.

Describe your app configuration in a file:

Apply the previously created file to deploy your app:
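As an added example of the application step (not the article's own manifest), here is a Deployment with one replica plus the ClusterIP Service that the Ingress will route to. The image reference, names, namespace and container port are placeholders; the security context settings are an addition that assumes your image runs as a non-root user and does not write to its own filesystem.

```yaml
# app.yaml (added example; image, names, namespace and port are placeholders)
# Apply and check with:
#   kubectl apply -f app.yaml
#   kubectl get deploy,svc -n my-namespace
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-namespace
  labels:
    app: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: web
          image: registry.example.com/my-app:1.0.0   # the image you pushed
          ports:
            - name: http
              containerPort: 8000    # port your HTTP server listens on
          # The app speaks plain HTTP; TLS is terminated by the ingress controller.
          readinessProbe:
            httpGet:
              path: /
              port: http
          # Explicit requests/limits keep the Pod's footprint predictable.
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits: { cpu: 500m, memory: 256Mi }
          # Least-privilege defaults; drop readOnlyRootFilesystem if the app
          # writes to its filesystem, and runAsNonRoot if the image runs as root.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
---
apiVersion: v1
kind: Service
metadata:
  name: my-app
  namespace: my-namespace
spec:
  type: ClusterIP      # reachable only inside the cluster; the Ingress exposes it
  selector:
    app: my-app
  ports:
    - name: http
      port: 80
      targetPort: http
```

The Service stays ClusterIP on purpose: the only path from the Internet to the application is through the ingress controller, which is where TLS and the redirect to HTTPS are enforced.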

Create ingress object

An Ingress is used to expose HTTPS routes from outside the cluster to Services within the cluster (by default, Kubernetes isolates Pods from the outside world).

  1. Describe:

— must differ from the Secret name used for the Issuer.

  2. Apply:

You should see a Pod launched to obtain a certificate. This process may take a few minutes. To check its status, run:

should be .
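As an added example of the Ingress step (not the article's own manifest), here is an Ingress that ties the pieces together: the cert-manager annotation names the Issuer, the TLS block names the Secret the certificate is written to, and the rule routes the host to the Service. The host name, names, namespace and ingress class are placeholders; the Ingress API version assumes Kubernetes 1.19 or later, and the redirect annotation is the ingress-nginx one.

```yaml
# ingress.yaml (added example; host, names, namespace and class are placeholders)
# Apply and check with:
#   kubectl apply -f ingress.yaml
#   kubectl get certificate -n my-namespace      # READY should become True
#   kubectl describe challenge -n my-namespace   # if issuance is stuck, shows why
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: my-namespace
  annotations:
    # Tell cert-manager which Issuer in this namespace signs the certificate.
    cert-manager.io/issuer: letsencrypt-prod
    # Redirect plain-HTTP requests to HTTPS.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  # Route only through our namespaced controller (custom class name).
  ingressClassName: my-app-nginx
  tls:
    - hosts:
        - app.example.com
      # cert-manager writes the signed certificate and its private key here.
      # This must differ from the Issuer's privateKeySecretRef name.
      secretName: my-app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app
                port:
                  number: 80
```

If the two Secret names collide, cert-manager overwrites the ACME account key with the certificate material (or the other way round) and issuance fails on the next renewal, which is the failure the caveat above guards against.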

To check that the web server is working, open it in your browser:

Check that the web server is working

Don’t forget to follow us on Twitter so you don’t miss important updates!