@haproxytechblog
Last active July 11, 2023 08:16
Enable TLS with Let's Encrypt and the HAProxy Kubernetes Ingress Controller
$ helm repo add haproxytech https://haproxytech.github.io/helm-charts
$ helm repo update
$ helm install haproxy haproxytech/kubernetes-ingress
$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
haproxy-kubernetes-ingress NodePort 10.101.232.155 <none> 80:32371/TCP,443:30110/TCP,1024:32052/TCP 21h
$ helm install haproxy haproxytech/kubernetes-ingress \
--set controller.service.nodePorts.http=30000 \
--set controller.service.nodePorts.https=30001 \
--set controller.service.nodePorts.stat=30002

$ helm install haproxy haproxytech/kubernetes-ingress \
--set controller.kind=DaemonSet \
--set controller.daemonset.useHostPort=true

$ helm install haproxy haproxytech/kubernetes-ingress \
--set controller.service.type=LoadBalancer
$ kubectl get secret
NAME TYPE DATA AGE
haproxy-kubernetes-ingress-default-cert kubernetes.io/tls 2 2m22s
$ kubectl get secret haproxy-kubernetes-ingress-default-cert -o yaml
apiVersion: v1
data:
  tls.crt: ABCDEFG123456...
  tls.key: ABCDEFG123456...
$ openssl req -x509 \
-newkey rsa:2048 \
-keyout test.local.key \
-out test.local.crt \
-days 365 \
-nodes \
-subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=test.local"
$ kubectl create secret tls test-cert \
--key="test.local.key" \
--cert="test.local.crt"

apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-kubernetes-ingress
  namespace: haproxy-controller
data:
  ssl-certificate: "default/test-cert"

$ openssl req -x509 \
-newkey rsa:2048 \
-keyout api.test.local.key \
-out api.test.local.crt \
-days 365 \
-nodes \
-subj "/C=US/ST=Ohio/L=Columbus/O=MyCompany/CN=api.test.local"
$ kubectl create secret tls api-test-cert \
--key="api.test.local.key" \
--cert="api.test.local.crt"

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: api-ingress
  namespace: default
spec:
  rules:
  - host: api.test.local
    http:
      paths:
      - path: /
        backend:
          serviceName: api-service
          servicePort: 80
  tls:
  - secretName: api-test-cert
    hosts:
    - api.test.local

$ kubectl apply \
-f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: myemail@company.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret used to store the account's private key.
      name: example-issuer-account-key
    # Add an ACME HTTP01 challenge solver
    solvers:
    - http01:
        ingress:
          ingressClassName: haproxy

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use
    cert-manager.io/cluster-issuer: letsencrypt-staging
  name: mysite-ingress
  namespace: default
spec:
  ingressClassName: haproxy
  rules:
  - host: mysite.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: mysite-service
            port:
              number: 80
  tls:
  - # cert-manager will store the certificate and key in this secret
    secretName: mysite-cert
    hosts:
    - mysite.com

$ kubectl logs -f <cert-manager-pod> -n cert-manager
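The gist shows the pieces (Secrets, the controller ConfigMap, Ingress TLS entries, a ClusterIssuer) but not how to confirm they fit together before the controller loads them: that every TLS host has a matching rule, that referenced Secrets exist and are of type kubernetes.io/tls with both tls.crt and tls.key, that the ConfigMap's ssl-certificate resolves, and that an Ingress whose Secret does not exist yet is at least annotated with a ClusterIssuer that does. The Python below is an added example (not the gist's or the HAProxy project's code) that runs those checks offline over objects expressed as plain dicts; the sample objects are constructed to mirror the manifests above, and the base64 payloads are placeholder assumptions, not key material.

```python
"""Offline consistency checks for the TLS wiring between the Ingress, Secret,
ConfigMap and cert-manager objects used in this gist.  Added example, not code
from the gist or the HAProxy project: objects are plain dicts in the shape of
`kubectl get ... -o json`, so the checks run without a cluster."""

LETSENCRYPT_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
CLUSTER_ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"

# Constructed sample objects mirroring the gist's manifests (the base64 values
# are placeholders, not real certificates or keys).
SAMPLE_OBJECTS = [
    {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
     "metadata": {"name": "test-cert", "namespace": "default"},
     "data": {"tls.crt": "UExBQ0VIT0xERVI=", "tls.key": "UExBQ0VIT0xERVI="}},
    {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
     "metadata": {"name": "api-test-cert", "namespace": "default"},
     "data": {"tls.crt": "UExBQ0VIT0xERVI=", "tls.key": "UExBQ0VIT0xERVI="}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "haproxy-kubernetes-ingress", "namespace": "haproxy-controller"},
     "data": {"ssl-certificate": "default/test-cert"}},
    {"apiVersion": "networking.k8s.io/v1beta1", "kind": "Ingress",
     "metadata": {"name": "api-ingress", "namespace": "default"},
     "spec": {"rules": [{"host": "api.test.local"}],
              "tls": [{"secretName": "api-test-cert", "hosts": ["api.test.local"]}]}},
    {"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
     "metadata": {"name": "letsencrypt-staging"},
     "spec": {"acme": {"server": LETSENCRYPT_STAGING}}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "mysite-ingress", "namespace": "default",
                  "annotations": {CLUSTER_ISSUER_ANNOTATION: "letsencrypt-staging"}},
     "spec": {"ingressClassName": "haproxy", "rules": [{"host": "mysite.com"}],
              "tls": [{"secretName": "mysite-cert", "hosts": ["mysite.com"]}]}},
]


def _index(objects, kind):
    """Map (namespace, name) -> object for every object of the given kind."""
    out = {}
    for obj in objects:
        if obj.get("kind") == kind:
            meta = obj["metadata"]
            out[(meta.get("namespace", ""), meta["name"])] = obj
    return out


def _is_usable_tls_secret(secret):
    """A Secret the controller can load: kubernetes.io/tls with both keys present."""
    data = secret.get("data") or {}
    return (secret.get("type") == "kubernetes.io/tls"
            and bool(data.get("tls.crt")) and bool(data.get("tls.key")))


def check_tls_wiring(objects):
    """Return a list of (severity, message) findings; an empty list means consistent."""
    findings = []
    secrets = _index(objects, "Secret")
    cluster_issuers = _index(objects, "ClusterIssuer")
    issuer_names = {name for _, name in cluster_issuers}

    # 1. Staging ACME servers issue certificates browsers will not trust.
    for (_, name), issuer in cluster_issuers.items():
        server = issuer.get("spec", {}).get("acme", {}).get("server", "")
        if server == LETSENCRYPT_STAGING:
            findings.append(("warn", f"ClusterIssuer {name}: staging ACME server, certificates will not be browser-trusted"))

    # 2. The controller's default certificate must resolve to a usable TLS Secret.
    for (_, name), cm in _index(objects, "ConfigMap").items():
        ref = (cm.get("data") or {}).get("ssl-certificate")
        if ref is None:
            continue
        ns, _, secret_name = ref.partition("/")
        if not secret_name:
            findings.append(("error", f"ConfigMap {name}: ssl-certificate must be 'namespace/name', got {ref!r}"))
        elif (ns, secret_name) not in secrets or not _is_usable_tls_secret(secrets[(ns, secret_name)]):
            findings.append(("error", f"ConfigMap {name}: default certificate {ref} is not a usable kubernetes.io/tls Secret"))

    # 3. Each Ingress: supported API version, TLS hosts match rule hosts, Secrets resolvable.
    for (ns, name), ing in _index(objects, "Ingress").items():
        if ing.get("apiVersion") != "networking.k8s.io/v1":
            findings.append(("warn", f"Ingress {ns}/{name}: {ing.get('apiVersion')} was removed in Kubernetes 1.22; use networking.k8s.io/v1"))
        spec = ing.get("spec", {})
        rule_hosts = {r["host"] for r in spec.get("rules", []) if "host" in r}
        issuer = (ing["metadata"].get("annotations") or {}).get(CLUSTER_ISSUER_ANNOTATION)
        if issuer is not None and issuer not in issuer_names:
            findings.append(("error", f"Ingress {ns}/{name}: annotation references missing ClusterIssuer {issuer}"))
        tls_hosts = set()
        for entry in spec.get("tls", []):
            secret_name = entry.get("secretName")
            hosts = set(entry.get("hosts", []))
            tls_hosts |= hosts
            for host in sorted(hosts - rule_hosts):
                findings.append(("error", f"Ingress {ns}/{name}: tls host {host} has no matching rule"))
            if not secret_name:
                findings.append(("error", f"Ingress {ns}/{name}: tls entry without secretName"))
                continue
            secret = secrets.get((ns, secret_name))
            if secret is None:
                if issuer is None:  # cert-manager would create it only when an issuer is set
                    findings.append(("error", f"Ingress {ns}/{name}: Secret {secret_name} missing and no cert-manager issuer to create it"))
            elif not _is_usable_tls_secret(secret):
                findings.append(("error", f"Ingress {ns}/{name}: Secret {secret_name} is not a usable kubernetes.io/tls Secret"))
        for host in sorted(rule_hosts - tls_hosts):
            findings.append(("warn", f"Ingress {ns}/{name}: host {host} has no tls entry, served over plaintext only"))
    return findings


if __name__ == "__main__":
    for severity, message in check_tls_wiring(SAMPLE_OBJECTS):
        print(f"[{severity}] {message}")
```

Against real objects, collect them with `kubectl get secret,configmap,ingress,clusterissuer -A -o json` and pass the `items` list to `check_tls_wiring`. Over the constructed sample it returns two warnings only: the staging issuer's certificates are not browser-trusted, and api-ingress uses networking.k8s.io/v1beta1, which Kubernetes 1.22 removed; mysite-ingress raises nothing because its missing Secret is expected to be created by the annotated, existing ClusterIssuer.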