Skip to content

Set up ingress

Introduction

In this section, you will install and configure the Kubernetes-maintained version of the Nginx Ingress Controller. Then, you're going to issue TLS certificates for your hosts (thus enabling TLS termination), and route traffic to your backend applications.

Prerequisites

To complete this section you will need:

  1. Helm installed as explained in the Installing required tools section.
  2. A Kubernetes cluster (DOKS) up and running as explained in the Set up DOKS section.
  3. The online boutique sample application deployed to your cluster as explained in the Deploying the app section.
  4. A valid domain available and configured to point to DigitalOcean name servers. More information is available in this article. Digital Ocean is not a domain registrar, so you will need to purchase the domain from a well known vendor, such as GoDaddy.

Installing the Nginx Ingress Controller

In this section you will install the community maintained version of the Nginx ingress controller. Please follow below steps to install Nginx using Helm:

  1. Add the Ingress Nginx Helm repository:

    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

helm repo update ingress-nginx

helm search repo ingress-nginx

  2. Install the Nginx Ingress Controller using Helm:

    helm install ingress-nginx ingress-nginx/ingress-nginx --version 4.1.3 \
    --namespace ingress-nginx \
    --create-namespace

    Note

    To check if the installation was successful, run the helm ls -n ingress-nginx command, and confirm the deployment status.

  3. Configure DNS for Nginx Ingress Controller:

    doctl compute domain create <YOUR_DOMAIN_NAME>

    Info

    Please note that this domain matches the domain you purchased in the Prerequisites section. You will use this domain to create additional sub-domains to use with the microservices app you will deploy in this section. You can also use the domain you already created in the Development ingress setup section.

  4. Create an A record for your host (make sure to replace the <> placeholders first):

    doctl compute domain records create <YOUR_DOMAIN_NAME> \
    --record-type "A" --record-name <YOUR_RECORD_NAME> \
    --record-data "<YOUR_STAGING_LB_IP_ADDRESS>" \
    --record-ttl "30"

  5. Add the Jetstack Helm repository:

    helm repo add jetstack https://charts.jetstack.io

helm repo update jetstack

  6. Install the jetstack/cert-manager chart using Helm:

    helm install cert-manager jetstack/cert-manager --version 1.8.0 \
    --namespace cert-manager \
    --create-namespace \
    --set installCRDs=true

    Note

    To check if the installation was succesfull you can run the helm ls -n cert-manager and confirm the deployment status.

  7. Create a Kubernetes Secret for the DigitalOcean Provider that cert-manager is going to use to perform the DNS-01 challenge using a DigitalOcean API token:

    DO_API_TOKEN="<YOUR_DO_API_TOKEN_HERE>"

kubectl create secret generic "digitalocean-dns" \
    --namespace microservices-demo-staging \
    --from-literal=access-token="$DO_API_TOKEN"

    Note

    The secret must be created in the same namespace where the Issuer CRD is located - in this case the microservides-demo-staging namespace.

  8. Create an issuer resource for cert-manager using kubectl (make sure to replace the <> placeholders first):

    The issuer manifest file looks like the following:

    Click to expand issuer manifest file 
    apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: letsencrypt-nginx-wcard
namespace: microservices-demo-staging
spec:
# ACME issuer configuration:
# `email` - the email address to be associated with the ACME account (make sure it's a valid one).
# `server` - the URL used to access the ACME server’s directory endpoint.
# `privateKeySecretRef` - Kubernetes Secret to store the automatically generated ACME account private key.
acme:
    email: <YOUR_EMAIL_ADDRESS>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
    name: letsencrypt-nginx-wcard-private
    # List of challenge solvers that will be used to solve ACME challenges for the matching domains.
    solvers:
    # Use the DigitalOcean DNS API to manage DNS01 challenge records.
    - dns01:
        digitalocean:
            # Kubernetes secret that contains the DO API token .
            # Must be in the same namespace as the Issuer CRD.
            tokenSecretRef:
            name: digitalocean-dns
            key: access-token

    Apply via kubectl:

    kubectl apply -f docs/03-staging/assets/manifests/cert-manager-wildcard-issuer.yaml

    Info

    Running kubectl get issuer letsencrypt-nginx-wcard -n microservices-demo-staging should result in the True value being displayed under the READY column.

    Note

    If the Issuer object displays a Not Ready state you can describe the object to get additional information using: kubectl describe issuer letsencrypt-nginx-wcard -n microservices-demo-staging to get more information.

  9. Create the wildcard certificates resource using kubectl and the provided manifest file (make sure to replace the <> placeholders first):

    The certificate manifest file looks like the following:

    Click to expland the certificate resource 
    apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: <YOUR_DOMAIN_NAME>
# Cert-Manager will put the resulting Secret in the same Kubernetes namespace as the Certificate.
namespace: microservices-demo-staging
spec:
# Secret name to create, where the private key and certificate should be stored.
secretName: <YOUR_DOMAIN_NAME>
# What Issuer to use for getting the certificate.
issuerRef:
    name: letsencrypt-nginx-wcard
    kind: Issuer
    group: cert-manager.io
# Common name to be used on the Certificate.
commonName: "*.<YOUR_DOMAIN_NAME>"
# List of DNS subjectAltNames to be set on the Certificate.
dnsNames:
    - "<YOUR_DOMAIN_NAME>"
    - "*.<YOUR_DOMAIN_NAME>"

    Apply via kubectl:

    kubectl apply -f docs/03-staging/assets/manifests/cert-manager-wildcard-certificate.yaml

    To verify the certificate status run:

    kubectl get certificate <YOUR_DOMAIN_NAME> -n microservices-demo-staging

    Info

    This may take a few minutes to complete. If the Certificate object displays a not ready state you can run: kubectl logs -l app=cert-manager,app.kubernetes.io/component=controller -n cert-manager

  10. Add the Ingress Nginx host using kubectl and the provided manifest file (make sure to replace the <> placeholders first):

    The ingress host manifest file looks like the following:

    Click to expand the ingress host resource 
    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-microservices-demo-staging
namespace: microservices-demo-staging
spec:
tls:
    - hosts:
        - "*.<YOUR_DOMAIN_NAME>"
    secretName: <YOUR_DOMAIN_NAME>
rules:
    - host: <YOUR_A_RECORD>.<YOUR_DOMAIN_NAME>
    http:
        paths:
        - path: /
            pathType: Prefix
            backend:
            service:
                name: frontend
                port:
                number: 80
ingressClassName: nginx

    Apply via kubectl:

    kubectl apply -f docs/03-staging/assets/manifests/ingress-host.yaml

  11. Open a web browser and point to <YOUR_A_RECORD>.<YOUR_DOMAIN>. You should see the online boutique welcome page. The connection is secure and the certificate is a valid one issued by Let's Encrypt.

    staging environment online boutique

Next you will install and configure the Prometheus stack for monitoring your DOKS cluster, Loki to fetch and aggregate logs from your cluster's resources and view them in Grafana and configure AlertManager to alert and notify when there is a critical issue in your cluster. You will also configure the events exporter tool to grab Kubernetes events and send and store them in Loki as they are a great way to monitor the health and activity of your K8s clusters.