Kubernetes, Part 2
In this post, I will show how I made the service publicly available and how to automatically obtain TLS certificates with Let’s Encrypt.
Since I wanted to expose the service publicly and did not want to have to update DNS records each time a node IP changes, based on Publishing Services documentation I wanted a
LoadBalancer, if I ran additional services on the same cluster, I would have needed an additional load balancer for each one. On DigitalOcean, load balancers are $10 per month, so this is cost prohibitive and unnecessary for serving a low traffic static site.
Ingress, I can have one load balancer and configure the ingress to specify traffic routing to services.
I followed the directions to user Nginx Ingress: https://kubernetes.github.io/ingress-nginx/deploy/#using-helm
The current best way I found to use Let’s Encrypt is to leverage cert-manager. I followed the directions from here https://cert-manager.io/docs/installation/kubernetes/#installing-with-helm
I then configured the ACME issuer to enable Let’s Encrypt certs: https://cert-manager.io/docs/configuration/acme/.
Although I did not configure it initially (see part 3), currently the Let’s Encrypt certificate has 2 DNS SANs for andrewtchin.com and www.andrewtchin.com. This is configured in the ingress (see above) and cert-manager obtains the certificate correctly.
The setup was fairly easy to get up and running, but I did run into a few issues, which I will discuss in the next part.