Ingress with a wildcard SSL certificate from Let's Encrypt on AKS


Prerequisites

    1. Have an Azure DNS zone and delegate your domain name to it (please refer to Host your domain in Azure DNS).

    2. Have an AKS cluster and make sure it is Linux-based.

    3. Note down the name ($AKS_NAME) and the resource group ($AKS_RESOURCE_GROUP) of the AKS cluster.

    4. Make sure that no other instance of the ingress controller or of cert-manager is already installed in the cluster.

First thing on Azure

    1. Please refer to Quickstart for Bash in Azure Cloud Shell and open the Azure Cloud Shell (Bash).

    2. Show your account information by using "az account show" and note down your subscription id ($SUBSCRIPTION_ID) and tenant id ($TENANT_ID), which are shown as in the following picture.

        [Picture: Subscription Id and Tenant Id]

    3. Use "az aks get-credentials --resource-group $AKS_RESOURCE_GROUP --name $AKS_NAME" to configure kubectl access to the cluster.

    4. Make sure that you are able to install packages with helm. If not, please refer to Install applications with Helm in Azure Kubernetes Service (AKS).

Upload and Install

    1. Download File:AKSLE.zip.

    2. Unzip it and upload AKSLE.sh to the Cloud Shell as shown in the following picture.

        [Picture: Upload]

    3. Change the file mode by using "chmod 777 AKSLE.sh" (the script only needs to be executable, so "chmod +x AKSLE.sh" is sufficient and avoids making it world-writable).

    4. Run the script with 'AKSLE.sh   $DOMAIN_NAME   $ADMIN_EMAIL_ADDRESS   $SUBSCRIPTION_ID   $TENANT_ID'. It installs the components and generates a file "route.yaml".

   Example: 'AKSLE.sh "edgecenter.io" "fred.chang@advantech.com.tw" "12345679-1234-1234-1234-123456789012" "abcdefgh-abcd-abcd-abcd-abcdefghijkl"'

          P.S. If you already have an Azure public IP reserved for the ingress, you can pass it as a fifth argument: 'AKSLE.sh $DOMAIN_NAME $ADMIN_EMAIL_ADDRESS $SUBSCRIPTION_ID $TENANT_ID $PUBLIC_IP'

    5. Show the EXTERNAL-IP by using 'kubectl get service/nginx-ingress-controller' and update the corresponding record in the Azure DNS zone.

Configuration

  • You can modify the file "route.yaml" as shown in the following picture to fit your scenario, and apply it by using "kubectl apply -f route.yaml".

            [Picture: Route]

  • You also need to update the related records in the Azure DNS zone.

            [Picture: DNS Zone]

Production version

The above example is for testing only: the certificate it issues is a fake, untrusted test certificate, as shown below.

  [Picture: Fake]

If the test above worked and you are ready to deploy a real certificate, you can run the production procedure.

The production procedure is just:

  1. Use File:Delete.zip and run './delete.sh $DOMAIN_NAME'.
  2. Use File:AKSLE-prod.zip with the same flow as the test procedure.

You will then get a trusted certificate:

  [Picture: Production]
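As an added example (not the contents of route.yaml or anything produced by AKSLE.sh, whose exact output is not shown on this page), the following manifest shows the objects a wildcard Let's Encrypt setup on AKS with cert-manager needs and how the "Configuration" and "Production version" steps fit together: a ClusterIssuer that proves domain control through the DNS-01 challenge in the Azure DNS zone (a wildcard name cannot be validated with HTTP-01, which is why the script needs $SUBSCRIPTION_ID and $TENANT_ID), a Certificate for "*.edgecenter.io", and an Ingress that references the resulting secret. The untrusted "fake" certificate of the test run is what the Let's Encrypt staging endpoint issues; switching the issuer to the production endpoint is the only change needed for a trusted certificate. The secret name, resource group name, service name, service principal values and all object names are assumptions and placeholders; the domain, e-mail, subscription id and tenant id are the page's own example values.

```yaml
# Added example, not the project's route.yaml. Values marked ASSUMED or
# <placeholder> must be replaced with your own.
---
# Password of the service principal that cert-manager uses to write the
# DNS-01 TXT records into the Azure DNS zone (name and key are ASSUMED).
apiVersion: v1
kind: Secret
metadata:
  name: azuredns-config
  namespace: cert-manager
type: Opaque
stringData:
  client-secret: "<service-principal-password>"
---
# Test issuer: Let's Encrypt STAGING. Its certificates are untrusted,
# which is the "fake" result of the test procedure above. For the
# production procedure create the same object named letsencrypt-prod
# with server https://acme-v02.api.letsencrypt.org/directory.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: fred.chang@advantech.com.tw              # $ADMIN_EMAIL_ADDRESS
    privateKeySecretRef:
      name: letsencrypt-staging-account-key          # ACME account key (ASSUMED name)
    solvers:
    - dns01:
        azureDNS:
          clientID: "<service-principal-app-id>"
          clientSecretSecretRef:
            name: azuredns-config
            key: client-secret
          subscriptionID: "12345679-1234-1234-1234-123456789012"  # $SUBSCRIPTION_ID
          tenantID: "abcdefgh-abcd-abcd-abcd-abcdefghijkl"        # $TENANT_ID
          resourceGroupName: dns-rg                  # ASSUMED: resource group of the zone
          hostedZoneName: edgecenter.io              # $DOMAIN_NAME
          environment: AzurePublicCloud
---
# Wildcard certificate. Only DNS-01 can validate "*.edgecenter.io".
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-edgecenter-io
  namespace: default
spec:
  secretName: wildcard-edgecenter-io-tls            # consumed by the Ingress below
  dnsNames:
  - "edgecenter.io"
  - "*.edgecenter.io"
  issuerRef:
    name: letsencrypt-staging                       # letsencrypt-prod for production
    kind: ClusterIssuer
---
# Ingress route: every host under the wildcard shares the one TLS secret,
# so adding a new host needs no new certificate request.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: route
  namespace: default
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.edgecenter.io
    secretName: wildcard-edgecenter-io-tls
  rules:
  - host: app.edgecenter.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-svc                           # ASSUMED backend service
            port:
              number: 80
```

Because the service principal can modify the DNS zone, grant it only the DNS Zone Contributor role scoped to that single zone rather than a subscription-wide role; whoever obtains the secret in the cert-manager namespace then cannot alter anything beyond the zone's records. After `kubectl apply`, `kubectl describe certificate wildcard-edgecenter-io` shows whether the DNS-01 challenge succeeded, and the test run can be told apart from production by the certificate's issuer: staging issuers carry "STAGING" or "Fake" in their name.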