Cert Manager Nginx Ingress Integration
External DNS has a crucial role to play in populating the DNS records when using nginx ingress. When an ingress rule is created, external DNS automatically creates the corresponding records in the configured DNS provider.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: httpbin
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: ca-issuer
spec:
  tls:
  - hosts:
    - in.logpoint.com.np
    secretName: logpoint-ingress
  rules:
  - host: in.logpoint.com.np
    http:
      paths:
      - backend:
          serviceName: httpbin
          servicePort: 8000
        path: /
The ingress host value in.logpoint.com.np will be automatically populated as a DNS record by external DNS. The annotation cert-manager.io/cluster-issuer: ca-issuer references the cluster issuer we have set up for issuing certificates. Issuers can also be scoped to a namespace to allow multi-tenancy. However, in our case we are the single tenant on the cluster, so we used the cluster issuer. For a namespace-scoped issuer the annotation would look like cert-manager.io/issuer: ca-ns-issuer. The issuer ca-ns-issuer must be present on the cluster before the Ingress is created.
The certificate will use the hosts listed under tls.hosts as subject alternative names (SAN) and store the resulting tls.key and tls.crt in the secret named logpoint-ingress. The ingress then makes use of the certificate generated by cert-manager automatically.
Some useful commands to debug certificate generation, and to see what happened at each stage of the process, are:
kubectl describe certificate <certname>
kubectl describe certificaterequest <certrequestname>
kubectl describe secret <secretname>
To access the service exposed via the ingress, use curl.
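The failures that the describe commands above usually reveal (a certificate whose SAN list does not match the served host, or no certificate issued at all) can be caught before the Ingress is applied. The following pre-flight lint is an added example, not part of the original page and not cert-manager's or nginx's own tooling; it works on a manifest shaped like the one above, the host in.example.test and the secret name httpbin-ingress are constructed sample values, and it uses only POSIX sh, awk, grep, sed and sort so it runs without a cluster.

```shell
#!/bin/sh
# Pre-flight lint for an nginx Ingress that relies on cert-manager
# (added example; not cert-manager's, nginx's or the page author's code).
# It checks the three mistakes that most often leave the certificate unusable:
#   1. spec.tls.hosts and spec.rules[].host must agree, or the SAN list on the
#      issued certificate will not match the name nginx actually serves;
#   2. a cert-manager.io/cluster-issuer or cert-manager.io/issuer annotation
#      must be present, or nothing is issued at all;
#   3. spec.tls.secretName must be set, so cert-manager has a Secret to write
#      tls.crt and tls.key into.

# Print the hosts listed under spec.tls.hosts, one per line, sorted.
# Lines under "tls:" that start with "- " and carry no ":" are host entries.
tls_hosts() {
  awk '
    /^ *tls:/   { in_tls = 1; next }
    /^ *rules:/ { in_tls = 0 }
    in_tls && /^ *- *[^ ]/ && !/:/ { sub(/^ *- */, ""); print }
  ' "$1" | sort -u
}

# Print the hosts referenced by spec.rules[].host, one per line, sorted.
rule_hosts() {
  grep -E '^ *- *host:' "$1" | sed 's/.*host: *//' | sort -u
}

# Return 0 when the manifest passes all three checks, 1 otherwise,
# printing one line per finding so the result is readable in CI logs.
check_ingress_tls() {
  manifest=$1
  status=0

  if ! grep -qE '^ *cert-manager\.io/(cluster-)?issuer:' "$manifest"; then
    echo "FAIL: no cert-manager issuer annotation, nothing will be issued"
    status=1
  fi

  if ! grep -qE '^ *secretName: *[^ ]' "$manifest"; then
    echo "FAIL: spec.tls.secretName missing, nowhere to store tls.crt/tls.key"
    status=1
  fi

  if [ "$(tls_hosts "$manifest")" != "$(rule_hosts "$manifest")" ]; then
    echo "FAIL: spec.tls.hosts and spec.rules[].host differ, SAN will not match"
    status=1
  fi

  if [ "$status" -eq 0 ]; then
    echo "OK: $manifest"
  fi
  return "$status"
}

# --- constructed sample manifests (in.example.test is a made-up host) ---
GOOD_MANIFEST=$(mktemp)
BAD_MANIFEST=$(mktemp)
trap 'rm -f "$GOOD_MANIFEST" "$BAD_MANIFEST"' EXIT

cat > "$GOOD_MANIFEST" <<'EOF'
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: httpbin
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: ca-issuer
spec:
  tls:
  - hosts:
    - in.example.test
    secretName: httpbin-ingress
  rules:
  - host: in.example.test
    http:
      paths:
      - backend:
          serviceName: httpbin
          servicePort: 8000
        path: /
EOF

# Same manifest with two classic mistakes: a typo in rules.host and no secretName.
sed -e 's/^  - host: in.example.test/  - host: in.exmaple.test/' \
    -e '/secretName:/d' "$GOOD_MANIFEST" > "$BAD_MANIFEST"

check_ingress_tls "$GOOD_MANIFEST"
check_ingress_tls "$BAD_MANIFEST" || echo "bad manifest rejected as expected"
```

Once the manifest passes and `kubectl describe certificate` reports it as ready, test the endpoint with curl against the issuing CA's certificate (`curl --cacert ca.crt https://<host>/`) rather than with `-k`, so that a SAN mismatch or a certificate from the wrong issuer shows up as a verification error instead of being silently ignored.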