Journey towards securely deploying websites on Kubernetes (Part 2)


In this post we walk through, end to end, how a real-world e-commerce application obtains a TLS certificate and is exposed through an Ingress controller on AWS, using cert-manager, Let's Encrypt and the AWS Load Balancer Controller (the successor to the AWS ALB Ingress Controller).


Step 1: Setting Up Your Kubernetes Cluster on AWS

First things first: you need a Kubernetes cluster running on AWS. If you haven't already set one up, Amazon EKS is a popular choice because of its integration with other AWS services.

  • Tip: Use eksctl or the AWS Management Console to create the cluster. Make sure the cluster's VPC and subnets are prepared for the load balancer: the controller discovers subnets by tag, so the public subnets that should host internet-facing ALBs need the `kubernetes.io/role/elb` tag (value `1`), and the nodes need outbound internet access so cert-manager can reach the Let's Encrypt API.

Step 2: Installing AWS Load Balancer Controller

The AWS Load Balancer Controller manages ALBs from inside Kubernetes: it provisions an ALB whenever an Ingress with the `alb` ingress class is created and keeps its listeners, rules and target groups in sync with the Ingress.

  1. Add the Helm repository:

helm repo add eks https://aws.github.io/eks-charts
helm repo update

  2. Install the CRDs and the AWS Load Balancer Controller:

kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=main"

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  --set clusterName=<your-cluster-name> \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller \
  --set region=<your-region> \
  --set vpcId=<your-vpc-id> \
  -n kube-system

Note that `serviceAccount.create=false` assumes the `aws-load-balancer-controller` service account already exists in `kube-system` and is bound, through IAM Roles for Service Accounts (IRSA), to an IAM role that carries the controller's IAM policy; `eksctl create iamserviceaccount` is the usual way to create both. Scope that role to the policy published with the controller (`iam_policy.json`) rather than broad EC2/ELB permissions: anyone who can run a pod under that service account can create internet-facing load balancers in your account.

Step 3: Installing Cert Manager

Cert Manager automates obtaining, storing and renewing TLS certificates in your Kubernetes cluster.

  • Add the Cert Manager Helm repository:

helm repo add jetstack https://charts.jetstack.io
helm repo update

  • Install Cert Manager:

kubectl create namespace cert-manager
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.12.0 \
  --set installCRDs=true

Step 4: Configure a Let's Encrypt Issuer

Cert Manager requests certificates through an Issuer (or a cluster-wide ClusterIssuer). Let's Encrypt issues free, publicly trusted TLS certificates over the ACME protocol and runs two environments, so set up an issuer for each:

  • Staging issuer: for testing. Certificates issued here chain to a test root and are not trusted by browsers, but the staging environment has far more generous rate limits, so you can iterate on solver, DNS and load balancer problems without being locked out.
  • Production issuer: for live environments. These certificates are trusted by all major browsers, but production rate limits (for example on duplicate certificates per week) are strict, so switch to it only once issuance works against staging.

Create ClusterIssuer resources:

  • Production Issuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
      name: letsencrypt-production   # ACME account key; restrict access to this Secret with RBAC
    solvers:
    - http01:
        ingress:
          class: alb
          # Cert Manager creates a temporary Ingress to serve the HTTP-01 challenge. With the
          # AWS Load Balancer Controller that Ingress must be served by the same ALB your DNS
          # record points at, so put it in the same IngressGroup as the application Ingress
          # ("ecommerce" is an example group name).
          ingressTemplate:
            metadata:
              annotations:
                alb.ingress.kubernetes.io/group.name: ecommerce
                alb.ingress.kubernetes.io/scheme: internet-facing
                alb.ingress.kubernetes.io/target-type: ip

Run a proof of concept against staging first, then switch the issuer name to production. A `letsencrypt-staging` ClusterIssuer is the same manifest with `metadata.name` and `privateKeySecretRef.name` set to `letsencrypt-staging` and `server` set to https://acme-staging-v02.api.letsencrypt.org/directory. Below is a sample Certificate that requests a certificate from the staging issuer. When you put the `cert-manager.io/cluster-issuer` annotation on the Ingress (as in Step 6), Cert Manager creates an equivalent Certificate for you, so an explicit Certificate like this is only needed when you want to request one independently of an Ingress.

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mycoolwebsite-cert
spec:
  secretName: mycoolwebsite-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: mycoolwebsite.com
  dnsNames:
  - mycoolwebsite.com        

Step 5: Deploying Your eCommerce Application

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ecommerce-app
  labels:
    app: ecommerce
spec:
  replicas: 3
  selector:
    matchLabels:
      app: ecommerce
  template:
    metadata:
      labels:
        app: ecommerce
    spec:
      containers:
      - name: ecommerce-container
        image: your-docker-image:latest
        ports:
        - containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: ecommerce-service
spec:
  selector:
    app: ecommerce
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: NodePort        

Keep the Service in its own manifest rather than in the Deployment file. Before this goes to production, also pin `image` to a digest (or at least an immutable tag) instead of `latest`, give the pod a `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem`, drop all capabilities), and set resource requests and limits. Note too that with `alb.ingress.kubernetes.io/target-type: ip` (used in Step 6) the ALB sends traffic to pod IPs directly, so a `ClusterIP` Service is enough; `NodePort` is only required for `target-type: instance`, and it opens a port on every node.
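The checks above are easy to forget in review, so here is a small pre-apply lint for the Deployment and Service of this step. This is an added example for this article, not code from the original post or from any project it describes; it works on manifests parsed into plain dicts (what `yaml.safe_load` or `kubectl get ... -o json` returns). The sample objects are constructed to mirror the article's manifests, and the hardened variant's registry name and digest are placeholders, not a real image.

```python
"""Pre-apply checks for the Deployment and Service in this step.

Added example for this article, not code from the original post or from
any project it describes. It takes manifests as plain dicts (what
yaml.safe_load or `kubectl get ... -o json` returns) and returns findings.
The sample objects are constructed to mirror the article's manifests; the
hardened variant shows what makes the checks pass (its registry and digest
are placeholders, not a real image).
"""
from __future__ import annotations


def lint_deployment(deploy: dict) -> list[str]:
    """Flag the pod-hardening gaps a reviewer would block a production deploy on."""
    findings: list[str] = []
    name = deploy.get("metadata", {}).get("name", "<unnamed>")
    pod = deploy.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext", {})
    if pod.get("automountServiceAccountToken", True):
        findings.append(f"{name}: API token is mounted into the pod; set automountServiceAccountToken: false")
    for c in pod.get("containers", []):
        cname = c.get("name", "<unnamed>")
        image = c.get("image", "")
        sc = c.get("securityContext", {})
        if "@sha256:" not in image:
            findings.append(f"{name}/{cname}: image {image!r} is not pinned by digest")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}/{cname}: runAsNonRoot is not set")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{cname}: Linux capabilities are not dropped")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}/{cname}: no resource limits; one pod can starve the node")
    return findings


def lint_service(svc: dict, alb_target_type: str = "ip") -> list[str]:
    """With target-type ip the ALB sends traffic to pod IPs, so a NodePort only adds exposure."""
    name = svc.get("metadata", {}).get("name", "<unnamed>")
    if svc.get("spec", {}).get("type") == "NodePort" and alb_target_type == "ip":
        return [f"{name}: NodePort opens a port on every node; ClusterIP is enough for target-type ip"]
    return []


ARTICLE_DEPLOYMENT = {  # constructed copy of the article's Deployment
    "metadata": {"name": "ecommerce-app"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "ecommerce-container", "image": "your-docker-image:latest",
         "ports": [{"containerPort": 80}]}]}}},
}
ARTICLE_SERVICE = {"metadata": {"name": "ecommerce-service"}, "spec": {"type": "NodePort"}}

HARDENED_DEPLOYMENT = {
    "metadata": {"name": "ecommerce-app"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "ecommerce-container",
            "image": "registry.example.com/ecommerce@sha256:" + "0" * 64,  # placeholder digest
            "ports": [{"containerPort": 8080}],  # unprivileged processes cannot bind port 80
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
        }]}}},
}
HARDENED_SERVICE = {"metadata": {"name": "ecommerce-service"}, "spec": {"type": "ClusterIP"}}

if __name__ == "__main__":
    for label, dep, svc in (("article", ARTICLE_DEPLOYMENT, ARTICLE_SERVICE),
                            ("hardened", HARDENED_DEPLOYMENT, HARDENED_SERVICE)):
        for finding in lint_deployment(dep) + lint_service(svc) or ["no findings"]:
            print(f"[{label}] {finding}")
```

Run against the article's manifests it reports seven Deployment findings and the NodePort; the hardened pair passes clean. The port change to 8080 is deliberate: once the container runs as non-root it can no longer bind port 80, so the Service's `targetPort` has to follow.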

Step 6: Create an Ingress Resource to expose the application

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ecommerce-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.name: ecommerce   # same IngressGroup as the Cert Manager solver Ingress
    cert-manager.io/cluster-issuer: letsencrypt-production  # Use 'letsencrypt-staging' for testing
spec:
  ingressClassName: alb   # replaces the deprecated kubernetes.io/ingress.class annotation
  rules:
  - host: your-ecommerce-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ecommerce-service
            port:
              number: 80
  tls:
  - hosts:
    - your-ecommerce-domain.com
    secretName: ecommerce-tls
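The Ingress and the ClusterIssuer only work as a pair: the solver Ingress Cert Manager creates must land on the same internet-facing ALB, every routed host needs a `tls` entry, and a staging issuer must not slip into production. The following lint encodes those rules. It is an added example for this article, not code from the original post, from cert-manager or from the AWS Load Balancer Controller; it takes the Ingress and a name-to-ClusterIssuer map as plain dicts (what `yaml.safe_load` or `kubectl get ... -o json` returns). The sample objects are constructed to mirror the article's manifests, and "ecommerce" is an example IngressGroup name.

```python
"""Pre-apply check that the Ingress and its ClusterIssuer fit together.

Added example for this article, not code from the original post or from
cert-manager or the AWS Load Balancer Controller. Input is the Ingress and
a name -> ClusterIssuer map as plain dicts (what yaml.safe_load or
`kubectl get ... -o json` returns). The sample objects are constructed to
mirror the article's manifests; "ecommerce" is an example IngressGroup name.
"""
from __future__ import annotations

STAGING_ACME = "https://acme-staging-v02.api.letsencrypt.org/directory"
ISSUER_ANN = "cert-manager.io/cluster-issuer"
SCHEME_ANN = "alb.ingress.kubernetes.io/scheme"
GROUP_ANN = "alb.ingress.kubernetes.io/group.name"
LEGACY_CLASS_ANN = "kubernetes.io/ingress.class"


def ingress_class(ingress: dict) -> str | None:
    """spec.ingressClassName wins; the legacy annotation is still honoured as a fallback."""
    spec_class = ingress.get("spec", {}).get("ingressClassName")
    return spec_class or ingress.get("metadata", {}).get("annotations", {}).get(LEGACY_CLASS_ANN)


def lint_ingress(ingress: dict, issuers: dict[str, dict], allow_staging: bool = False) -> list[str]:
    f: list[str] = []
    meta, spec = ingress.get("metadata", {}), ingress.get("spec", {})
    ann, name = meta.get("annotations", {}), meta.get("name", "<unnamed>")

    # TLS coverage: a routed host missing from spec.tls gets no certificate at all.
    rule_hosts = {r["host"] for r in spec.get("rules", []) if r.get("host")}
    tls_hosts: set[str] = set()
    for entry in spec.get("tls", []):
        tls_hosts.update(entry.get("hosts", []))
        if not entry.get("secretName"):
            f.append(f"{name}: tls entry without secretName; cert-manager has nowhere to store the certificate")
    f += [f"{name}: host {h} is routed but not in spec.tls" for h in sorted(rule_hosts - tls_hosts)]
    f += [f"{name}: wildcard {h} needs a DNS-01 solver, HTTP-01 cannot validate it"
          for h in sorted(tls_hosts) if h.startswith("*.")]

    # Let's Encrypt must be able to reach the ALB to fetch the HTTP-01 token.
    if ann.get(SCHEME_ANN) != "internet-facing":
        f.append(f"{name}: {SCHEME_ANN} is not internet-facing; HTTP-01 validation cannot reach it")
    cls = ingress_class(ingress)
    if cls != "alb":
        f.append(f"{name}: ingress class is {cls!r}, expected 'alb'")
    if LEGACY_CLASS_ANN in ann and not spec.get("ingressClassName"):
        f.append(f"{name}: {LEGACY_CLASS_ANN} is deprecated; set spec.ingressClassName")

    # The issuer must exist and its solver Ingress must land on the ALB that DNS points at.
    issuer_name = ann.get(ISSUER_ANN)
    if not issuer_name:
        return f + [f"{name}: missing {ISSUER_ANN} annotation; no certificate will be requested"]
    issuer = issuers.get(issuer_name)
    if issuer is None:
        return f + [f"{name}: ClusterIssuer {issuer_name!r} does not exist"]
    acme = issuer.get("spec", {}).get("acme", {})
    if acme.get("server") == STAGING_ACME and not allow_staging:
        f.append(f"{name}: {issuer_name} uses the Let's Encrypt staging environment; browsers will not trust it")
    group = ann.get(GROUP_ANN)
    for solver in acme.get("solvers", []):
        http01 = solver.get("http01", {}).get("ingress")
        if http01 is None:
            continue  # DNS-01 solvers do not go through the ALB
        solver_cls = http01.get("ingressClassName") or http01.get("class")
        if solver_cls != cls:
            f.append(f"{name}: solver ingress class {solver_cls!r} differs from {cls!r}")
        tmpl_ann = http01.get("ingressTemplate", {}).get("metadata", {}).get("annotations", {})
        if group is None:
            f.append(f"{name}: no {GROUP_ANN}; the solver Ingress will get its own ALB, not the one DNS points at")
        elif tmpl_ann.get(GROUP_ANN) != group:
            f.append(f"{name}: solver ingressTemplate must set {GROUP_ANN}={group}")
    return f


ARTICLE_INGRESS = {  # constructed copy of the article's Ingress before the group/class fixes
    "metadata": {"name": "ecommerce-ingress", "annotations": {
        SCHEME_ANN: "internet-facing", "alb.ingress.kubernetes.io/target-type": "ip",
        ISSUER_ANN: "letsencrypt-production", LEGACY_CLASS_ANN: "alb"}},
    "spec": {"rules": [{"host": "your-ecommerce-domain.com"}],
             "tls": [{"hosts": ["your-ecommerce-domain.com"], "secretName": "ecommerce-tls"}]},
}
ARTICLE_ISSUER = {"spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory",
                                    "solvers": [{"http01": {"ingress": {"class": "alb"}}}]}}}

FIXED_INGRESS = {
    "metadata": {"name": "ecommerce-ingress", "annotations": {
        SCHEME_ANN: "internet-facing", "alb.ingress.kubernetes.io/target-type": "ip",
        GROUP_ANN: "ecommerce", ISSUER_ANN: "letsencrypt-production"}},
    "spec": {"ingressClassName": "alb", "rules": [{"host": "your-ecommerce-domain.com"}],
             "tls": [{"hosts": ["your-ecommerce-domain.com"], "secretName": "ecommerce-tls"}]},
}
FIXED_ISSUER = {"spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory",
    "solvers": [{"http01": {"ingress": {"class": "alb", "ingressTemplate": {"metadata": {"annotations": {
        GROUP_ANN: "ecommerce", SCHEME_ANN: "internet-facing"}}}}}}]}}}

if __name__ == "__main__":
    print(lint_ingress(ARTICLE_INGRESS, {"letsencrypt-production": ARTICLE_ISSUER}))
    print(lint_ingress(FIXED_INGRESS, {"letsencrypt-production": FIXED_ISSUER}))  # []
```

On the unmodified manifests it reports the deprecated class annotation and the missing IngressGroup; with `spec.ingressClassName`, the `group.name` annotation, and the matching `ingressTemplate` on the issuer it is silent. Passing `allow_staging=True` is how you would run it in a test namespace.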

Step 7: Accessing Your Application Securely

Once the Ingress is applied, the AWS Load Balancer Controller provisions an internet-facing ALB and routes traffic to your pods. Cert Manager's ingress-shim sees the `cert-manager.io/cluster-issuer` annotation, creates a Certificate named after the `tls.secretName` (`ecommerce-tls`), completes the HTTP-01 challenge through a temporary solver Ingress on the same ALB, and stores the issued certificate and private key in the `ecommerce-tls` Secret, renewing it automatically before expiry.

  • Monitor certificate issuance: `kubectl describe certificate ecommerce-tls` shows the Ready condition; while it is still pending, `kubectl get orders,challenges -A` shows which ACME challenge is outstanding and why it has not passed.
  • Serve the certificate from the ALB: the ALB terminates client TLS only with certificates held in AWS Certificate Manager (ACM); the controller does not load Kubernetes TLS Secrets. Either reference an ACM certificate with `alb.ingress.kubernetes.io/certificate-arn` (or let the controller discover one whose name matches the `tls` hosts), or import `tls.crt` and `tls.key` from the `ecommerce-tls` Secret into ACM with `aws acm import-certificate` and repeat that after each renewal. Without one of these the HTTPS listener has no certificate and the Secret is only usable for TLS terminated inside the cluster.
  • Verify from outside: `curl -vI https://your-ecommerce-domain.com` should show a chain ending in an ISRG Root (a staging certificate shows a "(STAGING)" issuer and fails verification), and `openssl s_client -connect your-ecommerce-domain.com:443 -servername your-ecommerce-domain.com` prints the chain the ALB actually presents.
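Reading `kubectl describe certificate` by eye does not scale past one site, so here is the status check in code. It is an added example for this article, not code from the original post or from cert-manager: it summarises the Ready and Issuing conditions, days to expiry and the scheduled renewal from a Certificate object (pipe `kubectl get certificate ecommerce-tls -o json` into it). The two JSON objects are constructed samples of what Cert Manager reports while an order is pending and after issuance; the dates are invented, and the 21-day alert threshold is a chosen value.

```python
"""Post-apply check of the Certificate that ingress-shim creates.

Added example for this article, not code from the original post or from
cert-manager. Pipe `kubectl get certificate ecommerce-tls -o json` into it,
or call certificate_report() on the parsed object. The two JSON objects
below are constructed samples of what cert-manager reports while an order
is pending and after issuance; the dates are invented.
"""
from __future__ import annotations

import json
import sys
from datetime import datetime, timezone

RFC3339 = "%Y-%m-%dT%H:%M:%SZ"


def _ts(value: str | None) -> datetime | None:
    return datetime.strptime(value, RFC3339).replace(tzinfo=timezone.utc) if value else None


def certificate_report(cert: dict, now: datetime | str, alert_days: int = 21) -> dict:
    """Summarise readiness, expiry and renewal state of a cert-manager Certificate.

    cert-manager renews a 90-day Let's Encrypt certificate 30 days before expiry
    by default (renewBefore is two thirds of the lifetime), so fewer than
    alert_days days left means renewal is stuck and needs a human.
    """
    if isinstance(now, str):
        now = _ts(now)
    spec, status = cert.get("spec", {}), cert.get("status", {})
    conds = {c["type"]: c for c in status.get("conditions", [])}
    ready, issuing = conds.get("Ready", {}), conds.get("Issuing", {})
    is_ready = ready.get("status") == "True"
    not_after = _ts(status.get("notAfter"))
    days_left = (not_after - now).days if not_after else None
    return {
        "name": cert.get("metadata", {}).get("name"),
        "issuer": spec.get("issuerRef", {}).get("name"),
        "dns_names": spec.get("dnsNames", []),
        "ready": is_ready,
        "reason": ready.get("reason"),
        # While an order is in flight the Issuing condition carries the useful message.
        "message": issuing.get("message") or ready.get("message"),
        "days_left": days_left,
        "renewal_time": status.get("renewalTime"),
        "alert": (not is_ready) or (days_left is not None and days_left < alert_days),
    }


PENDING = json.loads("""{
  "metadata": {"name": "ecommerce-tls", "namespace": "default"},
  "spec": {"secretName": "ecommerce-tls", "dnsNames": ["your-ecommerce-domain.com"],
           "issuerRef": {"name": "letsencrypt-production", "kind": "ClusterIssuer"}},
  "status": {"conditions": [
    {"type": "Ready", "status": "False", "reason": "DoesNotExist",
     "message": "Issuing certificate as Secret does not exist"},
    {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
     "message": "Issuing certificate as Secret does not exist"}]}
}""")

ISSUED = json.loads("""{
  "metadata": {"name": "ecommerce-tls", "namespace": "default"},
  "spec": {"secretName": "ecommerce-tls", "dnsNames": ["your-ecommerce-domain.com"],
           "issuerRef": {"name": "letsencrypt-production", "kind": "ClusterIssuer"}},
  "status": {"conditions": [
    {"type": "Ready", "status": "True", "reason": "Ready",
     "message": "Certificate is up to date and has not expired"}],
    "notBefore": "2024-03-01T10:00:00Z", "notAfter": "2024-05-30T10:00:00Z",
    "renewalTime": "2024-04-30T10:00:00Z"}
}""")

if __name__ == "__main__":
    # Read a real object from a pipe, otherwise fall back to the constructed sample.
    cert = json.load(sys.stdin) if not sys.stdin.isatty() else ISSUED
    report = certificate_report(cert, datetime.now(timezone.utc))
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["alert"] else 0)
```

The non-zero exit on `alert` is what lets a cron job or CI step page you when issuance is stuck on a failing challenge, or when a certificate has crossed the point at which Cert Manager should already have renewed it.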


The advantage of Cert Manager with Let's Encrypt over the ACME protocol is not limited to issuance and renewal: because certificates are requested declaratively from the same Ingress objects that expose the application, the configuration is reviewable, repeatable across cloud providers, and leaves an auditable record of how each certificate was issued and renewed, which is what organizational audit and compliance reviews ask for.
