
Ghost Blog with Automatic DNS and TLS Certificate Provisioning in Kubernetes

The goal of this guide is to install a web application in Kubernetes running in an Origo OS environment, with automatic provisioning of a DNS domain name and automatic provisioning of a TLS certificate, both provisioned by the infrastructure entirely from the Kubernetes configuration.

For provisioning DNS we will use the Kubernetes project External DNS in conjunction with the Origo DNS Services.
External DNS monitors your Kubernetes loadbalancers and ingresses for domain name annotations, and integrates with your DNS provider to create, update and delete domain names in DNS. For this example we will of course use the Origo DNS Services. You must either be using Origo Cloud or an on-prem Origo OS installation that is linked to Origo Registry to access the Origo DNS Services. You may import your own domain names into Origo DNS Services, but every user also has access to the default domain “uncloud.co”, so that’s what we’ll be using for this example. External DNS comes with baked-in support for a number of cloud vendors – they call these “providers”. We have built our own provider, and hope to have it included in the project sometime in the future. For now, we simply use our own custom External DNS Docker image with our provider included.

For provisioning TLS certificates we use the Kubernetes project cert-manager in conjunction with Let’s Encrypt, which of course is the leading provider of free TLS certificates. Cert-manager monitors the ingresses you configure for host names, and provisions TLS certificates from Let’s Encrypt.

The web application we will install and configure https access to is the excellent Ghost blog application.

For the rest of this guide you will be typing commands into an ssh terminal on the control plane of your Origo OS Kubernetes cluster. The procedure to install a Kubernetes cluster and ssh into the control plane server is the same as for the other guides. You should do this before continuing this guide.

Install Ghost to your Kubernetes cluster

First install Ghost using this yaml file. The yaml file creates a Kubernetes deployment and a Kubernetes service.
After typing in the command below, the yaml file will be opened in your default editor. Please change “your-domain-name” to whatever domain name you want to create in the uncloud.co zone (i.e. change “your-domain-name.uncloud.co” to “something-else.uncloud.co”), and save the file.

kubectl apply -f https://pub.origo.io/support/attachments/download/126/ghost4.yaml
kubectl edit -f https://pub.origo.io/support/attachments/download/126/ghost4.yaml

IMPORTANT: Next you must add an internal IP address to your Kubernetes cluster using the stack UI by clicking “add internal IP address”. This internal IP address is not really used for anything, but since the Kubernetes service is of type loadbalancer, it needs an IP address in order not to be stuck waiting for one.

Install External DNS

Install External DNS using the yaml file distributed with the Kubernetes stack.

kubectl apply -f external-dns-stabile-test.yaml

Install the Nginx ingress Controller

We need an ingress controller, and use the standard Nginx controller for this example.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.1/deploy/static/provider/cloud/deploy.yaml

IMPORTANT: You must now assign another IP address to your Kubernetes cluster using the stack UI by clicking “add IP address mapping”. If your Origo OS environment supports it, you may also click “add external IP address”.

Patch the ingress controller with the external IP address you were just assigned

External DNS has no idea that the IP address it is seeing is not actually an external one, so we have to help it a little. Replace “xx.xx.xx.xx” below with the IP address you were just assigned:

kubectl patch svc ingress-nginx-controller -p '{"spec":{"externalIPs":["xx.xx.xx.xx"]}}' -n ingress-nginx

NOTE: This only needs to be done if you are using an “ipmapping” in Origo OS.

Annotate the ingress controller with your domain name

The Nginx ingress controller will typically listen on a single IP address and route incoming requests based on host names. If we annotate the ingress controller service with our desired domain name, DNS registration should happen automatically. You can verify that the domain name is actually registered using the Origo DNS Service UI. To annotate the ingress controller service, replace “your-domain-name” with your actual domain name, and type this command:

kubectl -n ingress-nginx annotate service ingress-nginx-controller "external-dns.alpha.kubernetes.io/hostname=your-domain-name.uncloud.co"

Install cert-manager

Install cert-manager from the yaml file the developer has made available:

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.7.1/cert-manager.yaml

Configure cert-manager for Let’s Encrypt

Configure cert-manager by editing and applying this yaml file. Please replace “your-email@uncloud.co” with your email address:

kubectl apply -f https://pub.origo.io/support/attachments/download/129/certmanager-acme.yaml
kubectl edit -f https://pub.origo.io/support/attachments/download/129/certmanager-acme.yaml

Create the actual ingress

Finally create the ingress using this yaml file. You must replace the two occurrences of “your-domain-name.uncloud.co” with the domain name you have chosen.

kubectl apply -f https://pub.origo.io/support/attachments/download/130/nginx-ghost-ingress.yaml
kubectl edit -f https://pub.origo.io/support/attachments/download/130/nginx-ghost-ingress.yaml
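To make it clear how the controller annotation from the “Annotate the ingress controller” step and the cert-manager configuration fit together in a single ingress, here is an added example of a ClusterIssuer and an Ingress of the kind the linked yaml files create. It is not the guide’s own manifests (keep using those as written); the issuer name `letsencrypt-prod`, the account key secret name, the TLS secret name `ghost-tls`, the backend service name `ghost` and the Ghost port 2368 are assumptions, marked as such in the comments.

```yaml
# Added example, not the guide's manifests. Names marked "assumed" are
# placeholders; the yaml files linked in the guide define the real ones.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod                # assumed issuer name
spec:
  acme:
    # Let's Encrypt production endpoint. While testing, point this at the
    # staging endpoint (https://acme-staging-v02.api.letsencrypt.org/directory)
    # so failed attempts do not count against production rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@uncloud.co        # replace, as the guide asks
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # assumed; ACME account key, stored as a Secret
    solvers:
      - http01:
          ingress:
            class: nginx                # HTTP-01 challenge answered through the nginx ingress
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ghost
  namespace: default
  annotations:
    # cert-manager requests a certificate for every host in spec.tls from this issuer
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Send plain http to https once the certificate exists (the ingress-nginx
    # default for TLS-enabled ingresses, stated here for clarity).
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - your-domain-name.uncloud.co   # first occurrence to replace
      secretName: ghost-tls             # assumed; cert-manager writes the key pair here
  rules:
    - host: your-domain-name.uncloud.co # second occurrence to replace
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ghost             # assumed service name from ghost4.yaml
                port:
                  number: 2368          # Ghost's default listening port
```

Note that no External DNS annotation is needed on the Ingress itself in this setup: the domain name was registered when you annotated the ingress controller service earlier, and the Ingress only routes the host name to the Ghost service and asks cert-manager for its certificate. To watch the issuance, `kubectl get certificate -A` shows the Certificate resource becoming Ready, and `kubectl describe challenge -A` shows why an HTTP-01 challenge is stuck if it is (typically the DNS record not yet resolving to the controller’s IP).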

IMPORTANT: After a few minutes, your Ghost blog should be up and running on the domain name you have chosen and have a valid TLS certificate. You should then head straight to https://your-domain-name.uncloud.co/ghost and set up an account. This is because, after installing Ghost, the setup page is open to anyone who reaches it until the first account has been created, so you should either claim it promptly or delete the Ghost deployment.

Create more ingresses

Now that you have installed and configured External DNS and cert-manager, you can easily create ingresses like the one above, whenever you have a service you want external https access to. DNS registration of domain names and provisioning of TLS certificates will be done automatically.
