In this blog post, we are going to learn how to secure a WordPress deployment on Azure Kubernetes Service (AKS) using an SSL certificate from Let's Encrypt.
In the previous blog post about WordPress, we learned how to run WordPress on AKS without SSL. Getting SSL working involves deploying a reverse proxy in the form of an Nginx ingress controller, together with Let's Encrypt.
Create a Namespace and configure Cert Manager
The first step is to create a new namespace (ingress-ns) in our AKS cluster using the following command.
kubectl create namespace ingress-ns
Next we will add the Nginx helm repo.
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
Let’s install the Nginx controller.
helm install nginx-ingress ingress-nginx/ingress-nginx --namespace ingress-ns --set controller.replicaCount=2 --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
After deploying the controller, we need to get the external IP address that we will point our blog's hostname to, using the following command.
Note: Take a note of the external IP address.
kubectl --namespace ingress-ns get services -o wide -w nginx-ingress-ingress-nginx-controller
Run the command below to label the namespace for Cert Manager, which handles our Let's Encrypt certificates. The label disables resource validation in that namespace.
kubectl label namespace ingress-ns cert-manager.io/disable-validation=true
We also need to add the Jetstack Helm repo.
helm repo add jetstack https://charts.jetstack.io
Update the Helm repos using:
helm repo update
And now we can install the Cert Manager Helm chart.
helm install cert-manager --namespace ingress-ns --version v0.16.1 --set installCRDs=true --set nodeSelector."beta\.kubernetes\.io/os"=linux jetstack/cert-manager
Create a Cluster Issuer
Now we need to create a cluster issuer, which will handle all the certificate requests. Copy the YAML file below and run the deployment command.
IMPORTANT: You must enter a valid email address in the email field in the file below.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: EMAILADDRESS
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
          podTemplate:
            spec:
              nodeSelector:
                "kubernetes.io/os": linux
Save the file as cluster-issuer.yaml and apply it as shown below.
kubectl apply -f cluster-issuer.yaml
Deploy WordPress with SSL
The final part is to deploy WordPress with Helm and configure the SSL settings in the YAML values file shown below, saved as wp.yaml.
service:
  type: ClusterIP
ingress:
  enabled: true
  certManager: true
  hostname: www.deploycontainers.com
  tls: true
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    cert-manager.io/cluster-issuer: "letsencrypt"
To complete the deployment I will run the helm command as shown below:
helm install deploycontainers bitnami/wordpress --values=wp.yaml --namespace ingress-ns
If you visit https://www.deploycontainers.com, you will see the SSL certificate and the blog running on WordPress.
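The same check can be done from the command line. The script below is an added example, not part of the original post: it fetches the certificate the ingress serves for a hostname and reports whether it was issued by Let's Encrypt or is still the self-signed default that ingress-nginx serves when the TLS secret has not been issued. It assumes openssl is installed on your workstation; the function names and the 14-day expiry threshold are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): check which certificate the
# ingress is serving for a hostname.

# Classify the issuer line printed by `openssl x509 -noout -issuer`.
classify_issuer() {
  case "$1" in
    # Default certificate ingress-nginx serves when the TLS secret is missing.
    *"Kubernetes Ingress Controller Fake Certificate"*) echo fake ;;
    # Let's Encrypt staging CA, not trusted by browsers (match before production).
    *"(STAGING)"*) echo staging ;;
    *"Let's Encrypt"*) echo letsencrypt ;;
    *) echo other ;;
  esac
}

# Fetch the leaf certificate from host:443 using SNI and report on it.
check_host() {
  local host="$1" pem issuer verdict
  pem=$(openssl s_client -connect "$host:443" -servername "$host" \
          </dev/null 2>/dev/null | openssl x509 2>/dev/null) || {
    echo "$host: no certificate received"; return 2; }
  issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  verdict=$(classify_issuer "$issuer")
  echo "$host: $verdict ($issuer)"
  [ "$verdict" = letsencrypt ] || return 1
  # Assumed threshold: flag a certificate that expires within 14 days,
  # which suggests Cert Manager is not renewing it.
  printf '%s\n' "$pem" | openssl x509 -noout -checkend $((14 * 24 * 3600)) \
    >/dev/null || { echo "$host: expires within 14 days"; return 1; }
}

# Contacts a host only when one is given, e.g.: sh check-cert.sh www.deploycontainers.com
if [ $# -gt 0 ]; then check_host "$1"; fi
```

A result of fake means the ingress is up but the certificate has not been issued yet; kubectl get certificate --namespace ingress-ns shows whether Cert Manager has marked it ready.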