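# Nginx Ingress Automatic TLS
# https://docs.microsoft.com/en-us/azure/aks/ingress-tls

# AKS settings. These three values are not referenced by any other command in
# this listing.
rgName='aks-solution'
aksName='rkaks'
location='canadacentral'

# Create a namespace for your ingress resources
kubectl create namespace ingress-basic

# Add the stable chart repo. The former Google Cloud Storage location
# (kubernetes-charts.storage.googleapis.com) was retired and `helm repo add`
# now fails against it; the archived charts are served from charts.helm.sh.
helm repo add stable https://charts.helm.sh/stable
helm repo update

# Use Helm to deploy an NGINX ingress controller with two replicas, scheduled
# on Linux nodes only.
# NOTE(review): no --version is given, so whichever chart version the repo
# serves at install time is deployed. Pin one (--version <chart-version>) so
# the internet-facing controller is reproducible and reviewable.
helm install nginx stable/nginx-ingress \
  --namespace ingress-basic \
  --set controller.replicaCount=2 \
  --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
  --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux

# Show the controller services; EXTERNAL-IP is the public address that the DNS
# record must point to.
kubectl get service -l app=nginx-ingress --namespace ingress-basic
kubectl get service nginx-nginx-ingress-controller --namespace ingress-basic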
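# Public IP address of your ingress controller
# Look up in resource group in Azure Portal
publicIP='52.228.26.135'

## Add an A record to your DNS zone ##
# Set A record to GoDaddy DNS
# OR
# Name to associate with public IP address
DNSNAME="demo-aks-ingress"

# Get the resource-id of the public ip.
# The original query interpolated $IP, which is never set in this script. The
# filter then became contains(ipAddress, ''), which matches every public IP
# visible to the logged-in account, so the DNS label below could land on
# unrelated addresses. Use the variable that is actually defined and match the
# address exactly rather than by substring.
PUBLICIPID=$(az network public-ip list \
  --query "[?ipAddress=='$publicIP'].[id]" \
  --output tsv)

if [ -z "$PUBLICIPID" ]; then
  # Nothing matched: stop here instead of calling `update` with empty --ids.
  echo "No public IP resource found for $publicIP; DNS label not changed." >&2
else
  # Update public ip address with DNS name. The id is quoted so it is passed
  # as one argument.
  az network public-ip update --ids "$PUBLICIPID" --dns-name "$DNSNAME"

  # Display the FQDN
  az network public-ip show --ids "$PUBLICIPID" --query "[dnsSettings.fqdn]" --output tsv
fi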
## cert-manager installation ##

# CRDs go in first, on their own, straight from the upstream repository.
# NOTE(review): the URL points at the release-0.13 branch, which is a mutable
# ref, and --validate=false switches off client-side schema validation, so
# whatever that branch holds at run time is applied with cluster-wide effect.
# Consider fetching the file, reviewing it, and applying a local copy or a URL
# pinned to a commit (<commit-sha>).
kubectl apply \
  --validate=false \
  --filename https://raw.githubusercontent.com/jetstack/cert-manager/release-0.13/deploy/manifests/00-crds.yaml

# Turn off cert-manager resource validation for the ingress-basic namespace.
kubectl label namespace ingress-basic cert-manager.io/disable-validation=true

# Register the Jetstack chart repository, then refresh the local chart cache.
helm repo add jetstack https://charts.jetstack.io
helm repo update

# Deploy the cert-manager chart; the chart version is pinned to v0.13.0.
helm install cert-manager jetstack/cert-manager \
  --version v0.13.0 \
  --namespace ingress-basic
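# Create the Let's Encrypt ClusterIssuer that the Ingress annotation
# cert-manager.io/cluster-issuer refers to.
#
# The manifest is fed to kubectl through a quoted here-document so that the
# YAML nesting is kept exactly as written and nothing is expanded by the shell.
# With every key at column 0 the document is not a valid ClusterIssuer.
#
# NOTE(review): this script installs cert-manager v0.13.0, while the manifest
# uses apiVersion cert-manager.io/v1, which as far as I know only became
# available with cert-manager 1.0. Confirm which API versions the installed
# CRDs serve and align one side with the other.
# NOTE(review): `server` is the Let's Encrypt production endpoint, which is
# rate limited; use the staging directory while testing. `email` looks like a
# placeholder; set it to a monitored mailbox.
# NOTE(review): the ACME account private key is stored in the Secret named by
# privateKeySecretRef (letsencrypt). Restrict read access to Secrets in the
# namespace where cert-manager keeps it.
kubectl apply -f - <<'EOF'
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: abc@outlook.com
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
EOF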
## Demo application ##

# Chart repository that hosts the aks-helloworld sample.
helm repo add azure-samples https://azure-samples.github.io/helm-charts/

# Both demo releases share one dedicated namespace.
akshelloworldnamespace=aks-helloworld
kubectl create namespace "$akshelloworldnamespace"

# First release: chart defaults.
helm install aks-helloworld azure-samples/aks-helloworld \
  --namespace "$akshelloworldnamespace"

# Second release: same chart with its own title and service name, so the
# Ingress can route to it separately.
helm install aks-helloworld-two azure-samples/aks-helloworld \
  --set 'title=AKS Ingress Demo' \
  --set 'serviceName=aks-helloworld-two' \
  --namespace "$akshelloworldnamespace"
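# Host name served by the demo Ingress. Its DNS record has to resolve to the
# ingress controller's public IP before the HTTP-01 challenge can succeed.
AppDnsName=akshelloworld.rkim.ca

# TLS-enabled Ingress for the two demo services.
# - The cert-manager.io/cluster-issuer annotation asks cert-manager to obtain
#   a certificate from the letsencrypt issuer and store it in tls-secret.
# - "/" routes to aks-helloworld; "/hello-world-two..." routes to
#   aks-helloworld-two.
#
# The manifest is passed as a here-document with its YAML nesting restored;
# with every key at column 0 it is not a valid Ingress. $AppDnsName is expanded
# by the shell. The "$" inside the path pattern is escaped so that it always
# reaches kubectl literally.
#
# NOTE(review): the second path is a regular expression but is declared with
# pathType Prefix, and rewrite-target "/" discards the captured remainder.
# Confirm this routes as intended with the controller version in use.
kubectl apply --namespace "$akshelloworldnamespace" -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  tls:
  - hosts:
    - $AppDnsName
    secretName: tls-secret
  rules:
  - host: $AppDnsName
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: aks-helloworld
            port:
              number: 80
        path: /
      - pathType: Prefix
        backend:
          service:
            name: aks-helloworld-two
            port:
              number: 80
        path: /hello-world-two(/|\$)(.*)
EOF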
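# Disabled: Ingress for static content, kept for reference only.
#
# Every line of this manifest is commented out, so piping it to
# `kubectl apply` sends a document with no objects in it. Inside a
# double-quoted string the shell would also expand "$2" in the rewrite target
# as a positional parameter. The bare "---" that followed it is a YAML
# document separator, not a shell command. The manifest is therefore kept as an
# ordinary shell comment and nothing is executed here.
#
# To enable it, port it to networking.k8s.io/v1 first (extensions/v1beta1
# Ingress was removed in Kubernetes 1.22) and apply it through a here-document
# that keeps "$2" literal.
#
# apiVersion: extensions/v1beta1
# kind: Ingress
# metadata:
#   name: hello-world-ingress-static
#   annotations:
#     kubernetes.io/ingress.class: nginx
#     nginx.ingress.kubernetes.io/rewrite-target: /static/$2
#     cert-manager.io/cluster-issuer: letsencrypt
# spec:
#   tls:
#   - hosts:
#     - $AppDnsName
#     secretName: tls-secret
#   rules:
#   - host: $AppDnsName
#     http:
#       paths:
#       - backend:
#           serviceName: aks-helloworld
#           servicePort: 80
#         path: /static(/|$)(.*)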
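# Apply the HorizontalPodAutoscaler. It needs to be in the same namespace as
# the deployment it scales, or else its target shows as <unknown>.
kubectl apply -f akshelloworld-hpa.yaml -n "$akshelloworldnamespace"

# Verify certificate: list Certificate resources in both namespaces, then
# inspect the one backing the Ingress TLS secret (issuance status and events).
kubectl get certificate --namespace ingress-basic
kubectl get certificate --namespace "$akshelloworldnamespace"
kubectl describe certificate tls-secret --namespace "$akshelloworldnamespace"

# Inspect the Ingress objects (the duplicated `get ingress` call was dropped).
kubectl get ingress -n ingress-basic
kubectl get ingress -n "$akshelloworldnamespace"
kubectl describe ingress -n "$akshelloworldnamespace"
kubectl describe ingress hello-world-ingress -n "$akshelloworldnamespace"
# The static Ingress manifest in this script is commented out, so this reports
# NotFound unless hello-world-ingress-static was created some other way.
kubectl describe ingress hello-world-ingress-static -n "$akshelloworldnamespace"

# Controller pods and their logs. Pod names carry a generated suffix that
# changes on every rollout, so the logs are selected by the same label used to
# list the controller services instead of by hard-coded pod names.
kubectl get pods -n ingress-basic
kubectl logs -n ingress-basic -l app=nginx-ingress --tail=100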