NGINX Ingress Controller - with TLS termination
Using these instructions
These instructions are for reference purposes; as such, they should be used for development and testing purposes only! See the official instructions for Deploying and configuring the controller.
These instructions are composed of 3 high-level parts:
- Controller installation and configuration
- Certificate manager installation and configuration
- Ingress resource configuration
Controller installation and configuration
We recommend installing the controller using its official Helm Charts. You can also use the instructions below.
1. Add controller repository
Add the ingress-nginx Helm repository:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
2. Install controller
Create a new namespace for the Ingress controller:
kubectl create namespace ingress
helm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress
This will take a couple of minutes.
Confirm your ingress controller is installed:
kubectl get pods --namespace ingress
3. DNS setup
Once created, associate the DNS record with the auto-provisioned load balancer that was created in Step 2 above. To do this, first identify the name of the auto-provisioned LB by examining the deployed ingress services, i.e.:
kubectl get service -n ingress | grep ingress-nginx
ingress-nginx-controller             LoadBalancer   10.100.22.16   b834z142d8118406795a34df35e10b17-38927090.eu-west-1.elb.amazonaws.com   80:32615/TCP,443:31787/TCP   76m
ingress-nginx-controller-admission   ClusterIP      10.100.5.36    <none>                                                                  443/TCP                      76m
Take note of the LoadBalancer and, using it as a value, update the DNS record so that traffic is routed to it.
It can take a few minutes for the DNS to resolve these changes.
Certificate manager installation and configuration
Kubernetes certificate management is handled using cert-manager.
1. Install cert-manager
Add the cert-manager repository:
helm repo add jetstack https://charts.jetstack.io
helm repo update
Install the cert-manager using Helm:
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.3.1 \
  --set installCRDs=true
Confirm the cert-manager is appropriately installed:
kubectl get pods --namespace cert-manager
2. Create certificate issuer
Using the YAML specification below, create and apply the certificate issuer.
Ensure that the certificate issuer is installed in the same namespace that the Atlassian product will be deployed to.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: <product_deployment_namespace>
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <user_email>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
kubectl apply -f issuer.yaml
Ingress resource configuration
Now that the Ingress controller and certificate manager are set up, the Ingress resource can be configured accordingly by updating the
1. Ingress resource config
For TLS cert auto-provisioning and TLS termination update the ingress stanza within the products
ingress:
  create: true
  nginx: true
  maxBodySize: 250m
  host: <dns_record>
  path: "/"
  annotations:
    cert-manager.io/issuer: "letsencrypt-prod" # Using https://letsencrypt.org/
  https: true
  tlsSecretName: tls-certificate
In this case the <dns_record> would correspond to the record name that was created in 3. DNS setup above.
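Once the product is deployed with this ingress stanza, it is worth confirming which certificate the controller actually serves: ingress-nginx falls back to its self-signed "Kubernetes Ingress Controller Fake Certificate" while the tls-certificate secret is missing or still being issued. The script below is an added example, not part of the original instructions; the file name check-tls.sh and the function names are hypothetical, and it assumes openssl is available on the workstation.

```shell
#!/bin/sh
# Added example: report which certificate the ingress serves for a host.

# classify_cert SUBJECT ISSUER
# Prints one of: fake-default | staging | letsencrypt | other
classify_cert() {
  case "$1 $2" in
    # ingress-nginx serves this self-signed certificate when the secret
    # named by tlsSecretName is missing or has not been issued yet.
    *"Kubernetes Ingress Controller Fake Certificate"*)
      echo fake-default; return 0 ;;
  esac
  case "$2" in
    *"(STAGING)"*)     echo staging ;;      # Let's Encrypt staging CA, not browser-trusted
    *"Let's Encrypt"*) echo letsencrypt ;;
    *)                 echo other ;;
  esac
}

# served_cert_field HOST FIELD   (FIELD is "subject" or "issuer")
served_cert_field() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout "-$2" 2>/dev/null
}

# check_host HOST: returns 0 only for a production Let's Encrypt certificate
check_host() {
  subject=$(served_cert_field "$1" subject)
  issuer=$(served_cert_field "$1" issuer)
  verdict=$(classify_cert "$subject" "$issuer")
  echo "$1: $verdict ($issuer)"
  if [ "$verdict" != letsencrypt ]; then
    echo "hint: kubectl get certificate,certificaterequest,order,challenge -n <product_deployment_namespace>" >&2
    return 1
  fi
}

# Run only when a hostname is given, e.g. ./check-tls.sh <dns_record>
if [ -n "${1:-}" ]; then
  check_host "$1"
fi
```

A fake-default verdict shortly after deployment usually means the HTTP-01 challenge has not completed yet, which also depends on the DNS record from 3. DNS setup already resolving to the load balancer.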
Bitbucket SSH configuration
Bitbucket requires additional Ingress config to allow for SSH access. See NGINX Ingress controller config for SSH connections for details.
Next step - Database
Having created the Ingress controller, continue with provisioning the next piece of prerequisite infrastructure, the database.