This article shows how to deploy your web application (HTTP server) and securely expose it to the Internet over HTTPS.
- kubectl and Helm must be installed on your computer. If you're using Puzl, you can find the personalised config needed to set up kubectl in the API section of the Dashboard.
- Kubernetes cluster must support Services with
type and have cert-manager installed. On Puzl, both load balancers and cert-manager are already available in your free Kubernetes namespace out of the box.
- Your application must be containerized (packed in a Docker image), pushed to a Docker registry, and serve HTTP. The application itself does not have to support SSL or TLS: it runs behind the NGINX ingress controller, which connects to it over HTTP, so you don't need to change anything in your code.
‼︎ Caution: Performing the following steps will result in requesting computing resources from the Kubernetes cluster.
Set up ingress controller
The following code snippet deploys NGINX Ingress Controller using Helm, and creates a load balancer with a dedicated IP address, which is allocated automatically if you use Puzl.
— unique name for the controller
— if you’re using Puzl, you’ll find it in the API section in your Puzl Dashboard
— class name for ingress object must be unique. On Puzl, the name ‘nginx’ is reserved and cannot be used.
— name of the account with the permissions to access API,
is your service account name on Puzl.
The following flags are relevant in case you’re using Puzl:
— tell the controller to look for ingress resources only in your namespace.
— do not give excess permissions to create roles and role bindings
After this step, you can list the Pod and the Service using kubectl. If you're using Puzl, you should also see a Pod and a TCP/UDP Balancer in your dashboard.
If you run into trouble, see NGINX Ingress Controller Troubleshooting.
Get external IP of load balancer
- To get IP, run the following code and find the
- Check that the IP is accessible from outside:
- Assuming that you already own a custom domain, create a DNS 'A' record that points your domain or one of its subdomains to the given IP address.
Create cert issuer to request TLS certificate from Let’s Encrypt
Kubernetes can be extended with a native certificate management controller, cert-manager. It helps with issuing TLS certificates from various sources, such as Let's Encrypt, a signing key pair, or self-signed certificates. At the moment Puzl supports only Let's Encrypt certificates.
For this step you need cert-manager installed.
Signed certificates are generated by a special Kubernetes resource, an Issuer. We use the ACME (Automated Certificate Management Environment) type of Issuer. A website with a TLS certificate backed by an ACME Issuer is trusted by most clients' web browsers by default.
- Describe the Issuer configuration in a
- To create an Issuer run:
The signed certificate is stored as a Secret named
Run your web application in Kubernetes
In the code snippet below we deploy an example Sanic server by creating a Deployment with 1 replica and a Service for it.
However, you can use a Docker image with any web server (Apache, built-in PHP, etc.) and tune the configuration to your requirements.
Describe your app configuration in a
Apply previously created
to deploy your app:
Create ingress object
An Ingress is used to expose HTTPS routes from outside the cluster to Services within the cluster (by default Kubernetes isolates Pods from the external world).
— must be different from a Secret name used for the Issuer.
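The Issuer and Ingress steps above fit together as in the following added example, which is not the article's original manifest. It assumes the cert-manager v1 API and an HTTP-01 solver; every name in it (letsencrypt-issuer, letsencrypt-account-key, my-nginx, my-app, my-app-tls, app.example.com, admin@example.com, Service port 80) is a placeholder.

```yaml
# Added example. All names, hosts and ports below are placeholders,
# not values taken from the article.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-issuer
spec:
  acme:
    # Let's Encrypt production endpoint. While testing, the staging endpoint
    # https://acme-staging-v02.api.letsencrypt.org/directory avoids rate limits
    # (its certificates are not trusted by browsers).
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    # Secret that holds the ACME *account* private key.
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      - http01:
          ingress:
            class: my-nginx        # the class your ingress controller watches
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    # Asks cert-manager to obtain the certificate from the namespaced Issuer.
    cert-manager.io/issuer: letsencrypt-issuer
spec:
  ingressClassName: my-nginx
  tls:
    - hosts:
        - app.example.com
      # Secret that will hold the *site* certificate and key.
      # It must not reuse the name letsencrypt-account-key from the Issuer.
      secretName: my-app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app       # Service in front of the application Pods
                port:
                  number: 80       # assumed Service port (plain HTTP)
```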
You should see a Pod launched to obtain a certificate. This process may take a few minutes. To check its status run:
To check that the web server is working, open in the browser: