snormore · February 29, 2024 06:29 · Jul 20, 2018 · Jul 20, 2018 · Jul 9, 2018 · Jul 8, 2018
diff --git a/README.md b/README.md
@@ -42,6 +42,7 @@ helm init --service-account tiller --wait --upgrade
 
 ```bash
 export CERT_ISSUER="letsencrypt-staging"  # this can also be letsencrypt-prod
+# Don't `--set controller.hostNetwork=true` on minikube
 helm install stable/nginx-ingress --namespace kube-system --name ingress --set rbac.create=true --set controller.hostNetwork=true
 helm install stable/cert-manager --name cert --namespace kube-system --wait --set ingressShim.extraArgs=\{--default-issuer-name=${CERT_ISSUER},--default-issuer-kind=ClusterIssuer\}
 ```

diff --git a/app-deployment.yaml b/app-deployment.yaml
@@ -21,7 +21,7 @@ spec:
       - name: foobar
         image: gcr.io/google-samples/hello-app:1.0
         ports:
-        - containerPort: 80
+        - containerPort: 8080
 ---
 apiVersion: v1
 kind: Service
@@ -34,7 +34,7 @@ spec:
     - name: http
       protocol: 'TCP'
       port: 80
-      targetPort: 80
+      targetPort: 8080
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress

diff --git a/README.md b/README.md
@@ -69,7 +69,7 @@ kubectl get ingress
 
 ## Test it
 
-If your tests fail, keep trying for a few minutes until `cert-manager` has gone through the motions and provisioned your cert with Let's Encrypt.
+If your tests fail, keep trying for a few minutes until `cert-manager` has gone through the motions and provisioned your cert with Let's Encrypt. You can always check the `cert-manager` pod container logs with `kubectl logs` to see if there's a problem.
 
 First notice that a request to the HTTP endpoint will result in a redirect to the HTTPS version.
 

diff --git a/README.md b/README.md
@@ -124,4 +124,4 @@ gcloud projects delete foobar-app  # if you don't want it anymore
 
 ## Conclusion
 
-There's a bit too much manual work happening here, this is where https://github.com/ksonnet/ksonnet and https://github.com/ksonnet/kubecfg can play a role.
+There's a bit too much manual work happening here, this is where https://github.com/ksonnet/ksonnet and https://github.com/ksonnet/kubecfg can play a role, or even just a custom / local Helm package.
diff --git a/README.md b/README.md
@@ -61,14 +61,16 @@ kubectl apply -f app-deployment.yaml
 
 ## Update DNS with the ingress IP
 
-If you're using a real domain and not `ngrok`, at this point you need to grab the ingress IP using the following command and update your DNS with an A record pointing to it.
+If you're using a real domain and not `ngrok`, at this point you need to grab the ingress IP using the following command and update your DNS with an A record pointing to it. You might have to wait a few minutes for everything to be ready and the IP to show up.
 
 ```bash
 kubectl get ingress
 ```
 
 ## Test it
 
+If your tests fail, keep trying for a few minutes until `cert-manager` has gone through the motions and provisioned your cert with Let's Encrypt.
+
 First notice that a request to the HTTP endpoint will result in a redirect to the HTTPS version.
 
 ```bash

diff --git a/README.md b/README.md
@@ -61,7 +61,7 @@ kubectl apply -f app-deployment.yaml
 
 ## Update DNS with the ingress IP
 
-If you're using GKE, you should grab the ingress IP using the following command and update your DNS with an A record pointing to it.
+If you're using a real domain and not `ngrok`, at this point you need to grab the ingress IP using the following command and update your DNS with an A record pointing to it.
 
 ```bash
 kubectl get ingress

diff --git a/README.md b/README.md
@@ -59,6 +59,14 @@ kubectl apply -f cert-issuers.yaml
 kubectl apply -f app-deployment.yaml
 ```
 
+## Update DNS with the ingress IP
+
+If you're using GKE, you should grab the ingress IP using the following command and update your DNS with an A record pointing to it.
+
+```bash
+kubectl get ingress
+```
+
 ## Test it
 
 First notice that a request to the HTTP endpoint will result in a redirect to the HTTPS version.

diff --git a/README.md b/README.md
@@ -55,8 +55,8 @@ kubectl apply -f cert-issuers.yaml
 # Before running this you should replace instances of
 # 1. "foobar" with your own app name
 # 2. "foo.example.com" with your own hostname or the ngrok hostname if you're using that
-kubectl apply -f app-deployment.yaml
 # 3. "letsencrypt-staging" with "letsencrypt-prod" if that's the issuer you're using
+kubectl apply -f app-deployment.yaml
 ```
 
 ## Test it

diff --git a/README.md b/README.md
@@ -109,6 +109,7 @@ minikube delete
 
 ```bash
 gcloud container clusters delete foobar
+gcloud projects delete foobar-app  # if you don't want it anymore
 ```
 
 ## Conclusion

diff --git a/README.md b/README.md
@@ -42,7 +42,7 @@ helm init --service-account tiller --wait --upgrade
 
 ```bash
 export CERT_ISSUER="letsencrypt-staging"  # this can also be letsencrypt-prod
-helm install stable/nginx-ingress --namespace kube-system --name ingress --set rbac.create=true
+helm install stable/nginx-ingress --namespace kube-system --name ingress --set rbac.create=true --set controller.hostNetwork=true
 helm install stable/cert-manager --name cert --namespace kube-system --wait --set ingressShim.extraArgs=\{--default-issuer-name=${CERT_ISSUER},--default-issuer-kind=ClusterIssuer\}
 ```
 

diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@ ngrok http $(minikube ip):80
 # Head over to https://console.cloud.google.com/ and create a project
 gcloud config set project foobar-app
 gcloud services enable container.googleapis.com
-gcloud container clusters create foobar --num-nodes 3 --machine-type f1-micro
+gcloud container clusters create foobar --num-nodes 1 --machine-type g1-small
 gcloud container clusters get-credentials foobar
 ```
 
@@ -43,7 +43,7 @@ helm init --service-account tiller --wait --upgrade
 ```bash
 export CERT_ISSUER="letsencrypt-staging"  # this can also be letsencrypt-prod
 helm install stable/nginx-ingress --namespace kube-system --name ingress --set rbac.create=true
-helm install stable/cert-manager --name cert --wait --set ingressShim.extraArgs=\{--default-issuer-name=${CERT_ISSUER},--default-issuer-kind=ClusterIssuer\}
+helm install stable/cert-manager --name cert --namespace kube-system --wait --set ingressShim.extraArgs=\{--default-issuer-name=${CERT_ISSUER},--default-issuer-kind=ClusterIssuer\}
 ```
 
 ## Install the Let's Encrypt cert issuers

diff --git a/README.md b/README.md
@@ -56,6 +56,7 @@ kubectl apply -f cert-issuers.yaml
 # 1. "foobar" with your own app name
 # 2. "foo.example.com" with your own hostname or the ngrok hostname if you're using that
 kubectl apply -f app-deployment.yaml
+# 3. "letsencrypt-staging" with "letsencrypt-prod" if that's the issuer you're using
 ```
 
 ## Test it
@@ -108,4 +109,8 @@ minikube delete
 
 ```bash
 gcloud container clusters delete foobar
-```
+```
+
+## Conclusion
+
+There's a bit too much manual work happening here, this is where https://github.com/ksonnet/ksonnet and https://github.com/ksonnet/kubecfg can play a role.
diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ ngrok http $(minikube ip):80
 gcloud config set project foobar-app
 gcloud services enable container.googleapis.com
 gcloud container clusters create foobar --num-nodes 3 --machine-type f1-micro
+gcloud container clusters get-credentials foobar
 ```
 
 ## Install Helm and Tiller

diff --git a/README.md b/README.md
@@ -22,6 +22,13 @@ ngrok http $(minikube ip):80
 
 ### Google Kubernetes Engine
 
+```bash
+# Head over to https://console.cloud.google.com/ and create a project
+gcloud config set project foobar-app
+gcloud services enable container.googleapis.com
+gcloud container clusters create foobar --num-nodes 3 --machine-type f1-micro
+```
+
 ## Install Helm and Tiller
 
 ```bash
@@ -86,4 +93,18 @@ $ curl https://64c3c5b3.ngrok.io
 Hello, world!
 Version: 1.0.0
 Hostname: foobar-666c49cb6d-b7hdp
+```
+
+## Clean up
+
+### MiniKube
+
+```bash
+minikube delete
+```
+
+### GKE
+
+```bash
+gcloud container clusters delete foobar
 ```
diff --git a/README.md b/README.md
@@ -46,7 +46,7 @@ kubectl apply -f cert-issuers.yaml
 
 # Before running this you should replace instances of
 # 1. "foobar" with your own app name
-# 2. "foo.example.com" with your own hostname or the the ngrok hostname if you're using that
+# 2. "foo.example.com" with your own hostname or the ngrok hostname if you're using that
 kubectl apply -f app-deployment.yaml
 ```
 

diff --git a/README.md b/README.md
@@ -74,16 +74,16 @@ Then try the same thing but using `curl -L` so that we follow the redirect.
 
 ```bash
 $ curl -L 64c3c5b3.ngrok.io
-...
-<title>Hello World</title>
-...
+Hello, world!
+Version: 1.0.0
+Hostname: foobar-666c49cb6d-b7hdp
 ```
 
 And similarly if you hit the HTTPS endpoint directly.
 
 ```bash
 $ curl https://64c3c5b3.ngrok.io
-...
-<title>Hello World</title>
-...
+Hello, world!
+Version: 1.0.0
+Hostname: foobar-666c49cb6d-b7hdp
 ```
diff --git a/app-deployment.yaml b/app-deployment.yaml
@@ -19,7 +19,7 @@ spec:
     spec:
       containers:
       - name: foobar
-        image: nginxdemos/hello:latest
+        image: gcr.io/google-samples/hello-app:1.0
         ports:
         - containerPort: 80
 ---

diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ kubectl apply -f cert-issuers.yaml
 kubectl apply -f app-deployment.yaml
 ```
 
-## Test with curl
+## Test it
 
 First notice that a request to the HTTP endpoint will result in a redirect to the HTTPS version.
 

diff --git a/README.md b/README.md
@@ -16,6 +16,7 @@ brew cask reinstall minikube
 minikube start --memory=4096 --cpus=2
 
 # Grab a hostname from ngrok with forwarding to MiniKube
+brew cask install ngrok
 ngrok http $(minikube ip):80
 ```
 

diff --git a/README.md b/README.md
@@ -47,4 +47,42 @@ kubectl apply -f cert-issuers.yaml
 # 1. "foobar" with your own app name
 # 2. "foo.example.com" with your own hostname or the the ngrok hostname if you're using that
 kubectl apply -f app-deployment.yaml
+```
+
+## Test with curl
+
+First notice that a request to the HTTP endpoint will result in a redirect to the HTTPS version.
+
+```bash
+$ curl -v 64c3c5b3.ngrok.io
+* Rebuilt URL to: 64c3c5b3.ngrok.io/
+...
+< Location: https://64c3c5b3.ngrok.io/
+<
+<html>
+<head><title>308 Permanent Redirect</title></head>
+<body bgcolor="white">
+<center><h1>308 Permanent Redirect</h1></center>
+<hr><center>nginx/1.13.12</center>
+</body>
+</html>
+* Connection #0 to host 64c3c5b3.ngrok.io left intact
+```
+
+Then try the same thing but using `curl -L` so that we follow the redirect.
+
+```bash
+$ curl -L 64c3c5b3.ngrok.io
+...
+<title>Hello World</title>
+...
+```
+
+And similarly if you hit the HTTPS endpoint directly.
+
+```bash
+$ curl https://64c3c5b3.ngrok.io
+...
+<title>Hello World</title>
+...
 ```
diff --git a/README.md b/README.md
@@ -14,6 +14,9 @@ brew cask reinstall minikube
 
 # Start it up
 minikube start --memory=4096 --cpus=2
+
+# Grab a hostname from ngrok with forwarding to MiniKube
+ngrok http $(minikube ip):80
 ```
 
 ### Google Kubernetes Engine
@@ -37,9 +40,11 @@ helm install stable/cert-manager --name cert --wait --set ingressShim.extraArgs=
 ## Install the Let's Encrypt cert issuers
 
 ```bash
-# Before running this you should replace instances of [email protected] in cert-issuers.yaml with your own email
+# Before running this you should replace instances of "[email protected]" with your own email
 kubectl apply -f cert-issuers.yaml
 
-# Before running this you should replace instances of "foobar" in app-deployment.yaml with your own app name
+# Before running this you should replace instances of
+# 1. "foobar" with your own app name
+# 2. "foo.example.com" with your own hostname or the the ngrok hostname if you're using that
 kubectl apply -f app-deployment.yaml
 ```
diff --git a/app-deployment.yaml b/app-deployment.yaml
@@ -47,10 +47,10 @@ metadata:
 spec:
   tls:
   - hosts:
-    - 43a79216.ngrok.io
+    - foo.example.com
     secretName: foobar
   rules:
-  - host: 43a79216.ngrok.io
+  - host: foo.example.com
     http:
       paths:
       - path: "/"

diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ helm init --service-account tiller --wait --upgrade
 
 ```bash
 export CERT_ISSUER="letsencrypt-staging"  # this can also be letsencrypt-prod
-helm install stable/nginx-ingress --namespace kube-system --wait --name ingress --set rbac.create=true
+helm install stable/nginx-ingress --namespace kube-system --name ingress --set rbac.create=true
 helm install stable/cert-manager --name cert --wait --set ingressShim.extraArgs=\{--default-issuer-name=${CERT_ISSUER},--default-issuer-kind=ClusterIssuer\}
 ```
 

diff --git a/README.md b/README.md
@@ -30,13 +30,16 @@ helm init --service-account tiller --wait --upgrade
 
 ```bash
 export CERT_ISSUER="letsencrypt-staging"  # this can also be letsencrypt-prod
-helm install stable/nginx-ingress --namespace kube-system --name ingress --set rbac.create=true
-helm install stable/cert-manager --name cert --set ingressShim.extraArgs=\{--default-issuer-name=CERT_ISSUER,--default-issuer-kind=ClusterIssuer\}
+helm install stable/nginx-ingress --namespace kube-system --wait --name ingress --set rbac.create=true
+helm install stable/cert-manager --name cert --wait --set ingressShim.extraArgs=\{--default-issuer-name=${CERT_ISSUER},--default-issuer-kind=ClusterIssuer\}
 ```
 
 ## Install the Let's Encrypt cert issuers
 
 ```bash
+# Before running this you should replace instances of [email protected] in cert-issuers.yaml with your own email
 kubectl apply -f cert-issuers.yaml
+
+# Before running this you should replace instances of "foobar" in app-deployment.yaml with your own app name
 kubectl apply -f app-deployment.yaml
 ```
diff --git a/_README.md → README.md b/_README.md → README.md
diff --git a/README.md → _README.md b/README.md → _README.md
@@ -7,14 +7,18 @@ You can do this with MiniKube for development and testing, or Google Cloud's GKE
 ### MiniKube
 
 ```bash
-minikube delete  # optional
-minikube start --memory=4096 --cpus=2
+# Make sure you have MiniKube installed and it's the latest
+brew update
+minikube delete || echo "You don't have MiniKube installed yet."
+brew cask reinstall minikube
 
+# Start it up
+minikube start --memory=4096 --cpus=2
 ```
 
 ### Google Kubernetes Engine
 
-## Install and set up Helm
+## Install Helm and Tiller
 
 ```bash
 kubectl create serviceaccount --namespace kube-system tiller
@@ -25,35 +29,14 @@ helm init --service-account tiller --wait --upgrade
 ## Install nginx-ingress and cert-manager using Helm
 
 ```bash
+export CERT_ISSUER="letsencrypt-staging"  # this can also be letsencrypt-prod
 helm install stable/nginx-ingress --namespace kube-system --name ingress --set rbac.create=true
-helm install stable/cert-manager --name cert --set ingressShim.extraArgs=\{--default-issuer-name=letsencrypt-staging,--default-issuer-kind=ClusterIssuer\}
+helm install stable/cert-manager --name cert --set ingressShim.extraArgs=\{--default-issuer-name=CERT_ISSUER,--default-issuer-kind=ClusterIssuer\}
 ```
 
 ## Install the Let's Encrypt cert issuers
 
-```yaml
----
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-staging
-spec:
-  acme:
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: [email protected]
-    privateKeySecretRef:
-      name: letsencrypt-staging
-    http01: {}
----
-apiVersion: certmanager.k8s.io/v1alpha1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: [email protected]
-    privateKeySecretRef:
-      name: letsencrypt-prod
-    http01: {}
+```bash
+kubectl apply -f cert-issuers.yaml
+kubectl apply -f app-deployment.yaml
 ```
diff --git a/README.md b/README.md
@@ -0,0 +1,59 @@
+# Deploying a web app to Kubernetes with SSL using Let's Encrypt via cert-manager and nginx-ingress
+
+## Spin up a Kubernetes cluster
+
+You can do this with MiniKube for development and testing, or Google Cloud's GKE for the real thing.
+
+### MiniKube
+
+```bash
+minikube delete  # optional
+minikube start --memory=4096 --cpus=2
+
+```
+
+### Google Kubernetes Engine
+
+## Install and set up Helm
+
+```bash
+kubectl create serviceaccount --namespace kube-system tiller
+kubectl create clusterrolebinding tiller-binding --clusterrole=cluster-admin --serviceaccount kube-system:tiller
+helm init --service-account tiller --wait --upgrade
+```
+
+## Install nginx-ingress and cert-manager using Helm
+
+```bash
+helm install stable/nginx-ingress --namespace kube-system --name ingress --set rbac.create=true
+helm install stable/cert-manager --name cert --set ingressShim.extraArgs=\{--default-issuer-name=letsencrypt-staging,--default-issuer-kind=ClusterIssuer\}
+```
+
+## Install the Let's Encrypt cert issuers
+
+```yaml
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    http01: {}
+```
diff --git a/app-deployment.yaml b/app-deployment.yaml
@@ -0,0 +1,59 @@
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+  name: foobar
+  labels:
+    app: foobar
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: foobar
+  template:
+    metadata:
+      labels:
+        app: foobar
+    spec:
+      containers:
+      - name: foobar
+        image: nginxdemos/hello:latest
+        ports:
+        - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: foobar-service
+spec:
+  selector:
+    app: foobar
+  ports:
+    - name: http
+      protocol: 'TCP'
+      port: 80
+      targetPort: 80
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: foobar-ingress
+  annotations:
+    certmanager.k8s.io/cluster-issuer: letsencrypt-staging
+    ingress.kubernetes.io/rewrite-target: /
+    kubernetes.io/tls-acme: "true"
+spec:
+  tls:
+  - hosts:
+    - 43a79216.ngrok.io
+    secretName: foobar
+  rules:
+  - host: 43a79216.ngrok.io
+    http:
+      paths:
+      - path: "/"
+        backend:
+          serviceName: foobar-service
+          servicePort: http
diff --git a/cert-issuers.yaml b/cert-issuers.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    http01: {}