Introduction

In this post, I will show how I made the service publicly available and how to automatically obtain TLS certificates with Let’s Encrypt.

Ingress

Since I wanted to expose the service publicly without having to update DNS records each time a node IP changes, the Publishing Services documentation pointed me to a LoadBalancer type Service.

With a LoadBalancer Service, each additional service I ran on the same cluster would have needed its own load balancer. On DigitalOcean, load balancers are $10 per month, so this is cost prohibitive and unnecessary for serving a low traffic static site.

With an Ingress, I can have a single load balancer and configure the Ingress rules to route traffic to the services behind it.

I followed the directions to use Nginx Ingress: https://kubernetes.github.io/ingress-nginx/deploy/#using-helm

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # Route this Ingress through the Nginx Ingress controller
    kubernetes.io/ingress.class: nginx
    # cert-manager watches this annotation and requests a certificate from the named Issuer
    cert-manager.io/issuer: "letsencrypt-prd"
  name: andrewtchin-com-nginx-ingress
  namespace: default
spec:
  tls:
  # Both hosts become DNS SANs on one certificate, stored in the Secret named below
  - hosts:
    - andrewtchin.com
    - www.andrewtchin.com
    secretName: andrewtchin-com-tls
  rules:
  - host: andrewtchin.com
    http:
      paths:
      - path: /
        backend:
          serviceName: andrewtchin-com
          servicePort: 80
  - host: www.andrewtchin.com
    http:
      paths:
      - path: /
        backend:
          serviceName: andrewtchin-com
          servicePort: 80

Let’s Encrypt

The best way I found to use Let’s Encrypt is to leverage cert-manager. I followed the directions from https://cert-manager.io/docs/installation/kubernetes/#installing-with-helm

kubectl create namespace cert-manager
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
kubectl get pods --namespace cert-manager

I then configured the ACME issuer to enable Let’s Encrypt certs: https://cert-manager.io/docs/configuration/acme/.
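For reference, this is the kind of Issuer that the cert-manager.io/issuer: "letsencrypt-prd" annotation on the Ingress refers to. It is an added example, not the manifest from the original post: the contact email, the account key Secret name and the choice of the HTTP01 solver are assumptions, and the API version is the one used by the cert-manager v0.12.0 release installed above.

```yaml
---
# Added example: a namespaced ACME Issuer for Let's Encrypt production.
# The name must match the cert-manager.io/issuer annotation on the Ingress.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: letsencrypt-prd
  namespace: default
spec:
  acme:
    # Let's Encrypt production endpoint. While testing, point this at the
    # staging endpoint (https://acme-staging-v02.api.letsencrypt.org/directory)
    # so that failed attempts do not count against the production rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    # Assumed contact address; Let's Encrypt sends expiry warnings here.
    email: admin@example.com
    # cert-manager stores the ACME account private key in this Secret (assumed name).
    privateKeySecretRef:
      name: letsencrypt-prd-account-key
    solvers:
    # HTTP01 challenge answered through the same Nginx Ingress class, so no
    # DNS provider credentials need to be stored in the cluster.
    - http01:
        ingress:
          class: nginx
```

An Issuer is namespaced, so it must live in the same namespace as the Ingress (default here); a ClusterIssuer referenced through the cert-manager.io/cluster-issuer annotation would serve Ingresses in any namespace. After applying it, kubectl describe certificate andrewtchin-com-tls shows whether the order and the HTTP01 challenge succeeded.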

⇒  kubectl get certificate
NAME                    READY   SECRET                  AGE
andrewtchin-com-tls     True    andrewtchin-com-tls     1d

Although I did not configure it initially (see part 3), the Let’s Encrypt certificate currently has two DNS SANs, for andrewtchin.com and www.andrewtchin.com. These are configured in the ingress (see above), and cert-manager obtains the certificate correctly.

Conclusion

The setup was fairly easy to get up and running, but I did run into a few issues, which I will discuss in the next part.