

Installing an NGINX Ingress controller with a Let's Encrypt® certificate manager

Written by
Yandex Cloud
Updated at April 28, 2025
  • Required paid resources
  • Getting started
  • Install the NGINX Ingress controller
  • Configure a DNS record for the Ingress controller
  • Install the certificate manager
  • Create a ClusterIssuer
  • Create objects to test cert-manager
  • Test TLS
  • Delete the resources you created

To use Kubernetes to create an NGINX Ingress controller and protect it with a certificate, follow these steps:

  1. Install the NGINX Ingress controller.
  2. Configure a DNS record for the Ingress controller.
  3. Install the certificate manager.
  4. Create a ClusterIssuer.
  5. Create objects to test cert-manager.
  6. Test TLS.

If you no longer need the resources you created, delete them.

Required paid resources

The cost of this setup includes:

  • Fee for a DNS zone and DNS requests (see Cloud DNS pricing).
  • Fee for the Managed Service for Kubernetes cluster: using the master and outgoing traffic (see Managed Service for Kubernetes pricing).
  • Cluster nodes (VM) fee: using computing resources, operating system, and storage (see Compute Cloud pricing).
  • Fee for an NLB (see Network Load Balancer pricing).
  • Fee for public IP addresses, if assigned to cluster nodes, and a public IP address for an NLB (see Virtual Private Cloud pricing).

Getting started

  1. Create a service account with the k8s.clusters.agent, vpc.publicAdmin, container-registry.images.puller, and load-balancer.admin roles for the folder. The load-balancer.admin role is required to create a network load balancer.

  2. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  3. Create a Managed Service for Kubernetes cluster and a node group in any suitable configuration. In the cluster settings, specify the service account and the security groups created earlier.

  4. Install kubectl and configure it to work with the new cluster.

  5. Register a public domain zone and delegate your domain.

  6. Optionally, install ExternalDNS with a plugin for Yandex Cloud DNS to automatically create a DNS record in Yandex Cloud DNS when creating an Ingress controller.

Install the NGINX Ingress controller

Yandex Cloud Marketplace

Install the Ingress NGINX application from Cloud Marketplace using this guide.

Manually

  1. Install the Kubernetes Helm package manager.

  2. To install a Helm chart with the NGINX Ingress controller, run this command:

    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx && \
    helm repo update && \
    helm install ingress-nginx ingress-nginx/ingress-nginx
    

The created controller will be installed behind Yandex Network Load Balancer.

To set up the controller configuration yourself, follow the guidelines provided in the Helm documentation and edit the values.yaml file.

For specific port forwarding at NGINX Ingress controller installation, follow this guide.

Configure a DNS record for the Ingress controller

If you are using ExternalDNS with a plugin for Cloud DNS, you do not need to configure a DNS record: it is created automatically. Otherwise:

  1. Find out the IP address of the Ingress controller (the value in the EXTERNAL-IP column):

    kubectl get svc
    

    Result:

    NAME                      TYPE          CLUSTER-IP     EXTERNAL-IP     PORT(S)                     AGE
    ...
    ingress-nginx-controller  LoadBalancer  10.96.164.252  84.201.153.122  80:31248/TCP,443:31151/TCP  2m19s
    ...
    
  2. Add an A record pointing to the Ingress controller's public IP to your DNS provider or to your own DNS server:

    <your_domain> IN A <Ingress_controller_IP_address>
    

Install the certificate manager

You can install the certificate manager in one of the following ways:

  • Using Yandex Cloud Marketplace: To install cert-manager integrated with Cloud DNS.

    This will create in the cluster a ClusterIssuer object configured to pass the DNS-01 challenge using Cloud DNS.

    If required, you can manually create and configure other objects: Issuer or ClusterIssuer. For more information about these objects, see the cert-manager documentation.

  • Manually: To install cert-manager with no additional integrations.

    You will need to create and configure any Issuer and ClusterIssuer objects manually.

Yandex Cloud Marketplace

Install the cert-manager app with the Cloud DNS ACME webhook plugin by following this guide.

Manually

  1. Install the latest version of cert-manager. For example, run the following command for version 1.12.1 (the version in the URL below):

    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.1/cert-manager.yaml
    
  2. Make sure that the cert-manager namespace has three pods, all of them being 1/1 ready and with the Running status:

    kubectl get pods -n cert-manager --watch
    

    Result:

    NAME                                      READY  STATUS   RESTARTS  AGE
    cert-manager-69********-ghw6s             1/1    Running  0         54s
    cert-manager-cainjector-76********-gnrzz  1/1    Running  0         55s
    cert-manager-webhook-77********-wz9bh     1/1    Running  0         54s
    

Create a ClusterIssuer

Create a ClusterIssuer object you can use to issue Let's Encrypt® certificates.

Certificates will be issued after you pass the HTTP-01 challenge using the Ingress controller you installed earlier. During the challenge, Let's Encrypt® fetches http://<your_domain>/.well-known/acme-challenge/<token> over plain HTTP, so the domain must already resolve to the load balancer's public IP and the security groups must allow inbound traffic on port 80 from the internet. The challenge requests arrive from several Let's Encrypt® vantage points, so they cannot be restricted to a single source IP.

Create an object with the required parameters:

  1. Create the http01-clusterissuer.yaml file with the object manifest:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: http01-clusterissuer
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: <your_email>
        privateKeySecretRef:
          name: http01-clusterissuer-secret
        solvers:
        - http01:
            ingress:
              class: nginx
    
  2. Create an object in the Managed Service for Kubernetes cluster:

    kubectl apply -f http01-clusterissuer.yaml
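
What the HTTP-01 exchange behind this ClusterIssuer looks like, as an added example that is not part of the original page or of cert-manager's own code. It models both sides of the challenge from RFC 8555: the solver pod that cert-manager exposes through the nginx Ingress under /.well-known/acme-challenge/<token>, and the CA's check that the response body equals the key authorization (the token, a dot, and the RFC 7638 thumbprint of the ACME account key that cert-manager keeps in http01-clusterissuer-secret). The JWK values, the token and the domain below are constructed placeholders, not a real account key.

```python
import base64
import hashlib
import json
import string

ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialized in lexicographic order with no whitespace. Optional members
    such as "kid" or "alg" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the solver must serve for a token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def solver_response(path: str, pending: dict):
    """Model of the cert-manager solver pod behind the nginx Ingress.
    `pending` maps token -> key authorization for challenges in flight.
    Returns (HTTP status, body)."""
    if not path.startswith(ACME_CHALLENGE_PREFIX):
        return 404, ""
    token = path[len(ACME_CHALLENGE_PREFIX):]
    # Tokens are base64url; reject anything else before it reaches a lookup.
    if not token or any(c not in B64URL_ALPHABET for c in token):
        return 400, ""
    body = pending.get(token)
    return (200, body) if body is not None else (404, "")


def ca_validates(status: int, body: str, token: str, account_jwk: dict) -> bool:
    """Model of the CA side: a 200 whose body (trailing whitespace ignored)
    equals the key authorization for the account that requested the order."""
    return status == 200 and body.rstrip() == key_authorization(token, account_jwk)


def run_exchange(token: str, account_jwk: dict) -> bool:
    """Full round trip: the solver registers the key authorization, the CA
    fetches it over plain HTTP on port 80 (modeled here by a direct call)
    and validates it."""
    pending = {token: key_authorization(token, account_jwk)}
    status, body = solver_response(ACME_CHALLENGE_PREFIX + token, pending)
    return ca_validates(status, body, token, account_jwk)


# Constructed placeholder account key: "n" is NOT a real RSA modulus, only a
# string of the right shape so the thumbprint path can be exercised offline.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-not-a-real-key",
    "e": "AQAB",
    "kid": "acct-1",   # optional member, must not change the thumbprint
    "alg": "RS256",    # optional member, must not change the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token

if __name__ == "__main__":
    print("key authorization:", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("challenge validates:", run_exchange(SAMPLE_TOKEN, SAMPLE_JWK))
```

Two practical consequences follow from the model: the Ingress must route the challenge path to the solver on plain HTTP (Let's Encrypt® follows redirects to HTTPS, but the first request is to port 80), and a challenge served for the wrong account key fails even if the token matches, which is what you see when a ClusterIssuer is recreated with a new privateKeySecretRef while an old order is still pending. To test without consuming production rate limits, point a second ClusterIssuer at the staging directory https://acme-staging-v02.api.letsencrypt.org/directory first.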
    

Create objects to test cert-manager

To test the certificate manager, create the Ingress, Service, and Deployment objects:

  1. Create the app.yaml file with manifests for the Ingress, Service, and Deployment objects:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: minimal-ingress
      annotations:
        cert-manager.io/cluster-issuer: "http01-clusterissuer"
    spec:
      ingressClassName: nginx
      tls:
        - hosts:
          - <your_domain>
          secretName: domain-name-secret
      rules:
        - host: <your_domain>
          http:
            paths:
            - path: /
              pathType: Prefix
              backend:
                service:
                  name: app
                  port:
                    number: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: app
    spec:
      selector:
        app: app
      ports:
        - protocol: TCP
          port: 80
          targetPort: 80
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: app-deployment
      labels:
        app: app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: app
      template:
        metadata:
          labels:
            app: app
        spec:
          containers:
          - name: app
            image: nginx:latest
            ports:
            - containerPort: 80
    
  2. Create objects in a Managed Service for Kubernetes cluster:

    kubectl apply -f app.yaml
    

Test TLS

  1. Make sure the domain ownership challenge succeeded and the certificate has been issued (its Ready condition is True):

    kubectl describe certificate domain-name-secret
    

    The command output will contain similar events:

    Events:
      Type    Reason     Age   From                                       Message
      ----    ------     ----  ----                                       -------
      Normal  Issuing    ...   cert-manager-certificates-trigger          Issuing certificate as Secret does not exist
      Normal  Generated  ...   cert-manager-certificates-key-manager      Stored new private key in temporary Secret resource...
    

    A Certificate object is backed by a Kubernetes Secret that stores the key pair and issuance metadata. If that Secret does not exist, cert-manager issues the certificate automatically and creates the Secret, reporting this in the events. For more information on what can cause a certificate to be reissued, see the cert-manager documentation.

    Because the certificate is being issued for the first time, no such Secret exists yet, so the "Secret does not exist" event is expected and is not an error. While the HTTP-01 challenge is still pending, the kubectl get challenges --all-namespaces command shows its current state and reason.

    Note

    The verification of domain rights for a Let's Encrypt® certificate may take several hours.

  2. Run this command:

    curl https://<your_domain>
    

    Result:

    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
    html { color-scheme: light dark; }
    body { width: 35em; margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif; }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>
    
    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>
    
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    

    Note

    If the resource is unavailable at the specified URL, make sure that the security groups for the Managed Service for Kubernetes cluster and its node groups are configured correctly. If any rule is missing, add it.
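
A deeper version of the curl check, as an added example that is not part of the original page: it opens a TLS connection to the domain with chain and hostname verification enabled, then checks that the presented certificate's SAN covers the hostname, that the issuer organization is Let's Encrypt, and that the certificate is not expired or about to expire. The checks are pure functions over the dictionary returned by ssl.SSLSocket.getpeercert(), so they can be exercised offline on the constructed SAMPLE_CERT below; the default hostname example.com, the 7-day renewal threshold and the sample dates are assumptions.

```python
import socket
import ssl
import sys
import time


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension as getpeercert() reports them."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(cert, hostname):
    """RFC 6125-style match: exact name, or a wildcard covering exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            # "*.example.com" covers "www.example.com" but not "example.com"
            # and not "a.b.example.com".
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def issuer_attr(cert, attr):
    """Look up one attribute (e.g. organizationName) in the issuer DN."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def evaluate(cert, hostname, now=None, expected_issuer_org="Let's Encrypt", min_days=7):
    """Return a list of problems; an empty list means the certificate is acceptable."""
    problems = []
    if not san_matches(cert, hostname):
        problems.append(f"no SAN matches {hostname}: {san_dns_names(cert)}")
    org = issuer_attr(cert, "organizationName")
    if org != expected_issuer_org:
        problems.append(f"issuer organization is {org!r}, expected {expected_issuer_org!r}")
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append(f"certificate expired {-days:.1f} days ago")
    elif days < min_days:
        problems.append(f"certificate expires in {days:.1f} days (< {min_days}); "
                        "cert-manager should already have renewed it")
    return problems


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Connect with the default context: chain verification against the system trust
    store and the hostname check are ON, so a self-signed or wrong-name certificate
    raises ssl.SSLCertVerificationError here instead of being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.version()


# Constructed sample in getpeercert() layout; dates and names are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Mar 12 12:00:00 2030 GMT",
    "notAfter": "Jun 10 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
# A fixed "now" 30 days before SAMPLE_CERT expires, for offline checks.
SAMPLE_NOW = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"]) - 30 * 86400

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default
    cert, version = fetch_peer_cert(host)
    print(f"{host}: {version}, SANs={san_dns_names(cert)}, "
          f"expires in {days_until_expiry(cert):.1f} days")
    problems = evaluate(cert, host)
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it as python3 check_tls.py <your_domain> once the certificate is Ready. A verification error from fetch_peer_cert means the Ingress is still serving the controller's default self-signed certificate, which is what you get while the challenge is pending or when the tls.secretName in the Ingress does not match the Secret cert-manager created.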

Delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. Delete the Managed Service for Kubernetes cluster.
  2. Delete the public domain zone.
