NGINX Ingress + cert-manager + Let's Encrypt Setup on AKS Cluster

Overview
This guide covers installing the NGINX Ingress Controller, cert-manager and a Let's Encrypt ClusterIssuer on Azure Kubernetes Service (AKS). It is specifically configured for AKS single-node clusters with the CriticalAddonsOnly=true taint.

Environment
  • Platform: Azure Kubernetes Service (AKS)
  • Ingress: NGINX Ingress Controller
  • TLS: cert-manager with Let's Encrypt
  • Node Taint: CriticalAddonsOnly=true
  • OS: Linux nodes

Prerequisites
  • kubectl installed and configured
  • Helm v3 installed
  • AKS cluster running and accessible
  • Domain names pointed to cluster external IP
  • Valid email address for Let's Encrypt notifications

Step 1 - Add Helm Repositories
Run on: Local machine or CI/CD pipeline

Add required Helm repos:
Code:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo add jetstack https://charts.jetstack.io
helm repo update

Verify repos added:
Code:
helm repo list

Step 2 - Install NGINX Ingress Controller
Run on: Local machine with kubectl access

Create namespace:
Code:
kubectl create namespace ingress-basic

Install NGINX Ingress with tolerations for CriticalAddonsOnly taint:
Code:
helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-basic \
  --set controller.nodeSelector."kubernetes\.io/os"=linux \
  --set "controller.tolerations[0].key=CriticalAddonsOnly" \
  --set "controller.tolerations[0].operator=Exists" \
  --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \
  --set "controller.admissionWebhooks.patch.tolerations[0].key=CriticalAddonsOnly" \
  --set "controller.admissionWebhooks.patch.tolerations[0].operator=Exists"

Check Ingress Controller status:
Code:
kubectl get svc -n ingress-basic
kubectl get pods -n ingress-basic

Expected output:
Code:
NAME                                TYPE          CLUSTER-IP    EXTERNAL-IP      PORT(S)
ingress-nginx-controller            LoadBalancer  10.0.x.x      YOUR_EXTERNAL_IP 80:xxx/TCP,443:xxx/TCP

Important: Copy the EXTERNAL-IP and point your domain DNS records to it.
Example: yourdomain.com -> YOUR_EXTERNAL_IP

Step 3 - Install cert-manager
Run on: Local machine with kubectl access

Create namespace:
Code:
kubectl create namespace cert-manager

Install cert-manager with CRDs and tolerations:
Code:
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --set installCRDs=true \
  --set nodeSelector."kubernetes\.io/os"=linux \
  --set "tolerations[0].key=CriticalAddonsOnly" \
  --set "tolerations[0].operator=Exists" \
  --set cainjector.nodeSelector."kubernetes\.io/os"=linux \
  --set "cainjector.tolerations[0].key=CriticalAddonsOnly" \
  --set "cainjector.tolerations[0].operator=Exists" \
  --set webhook.nodeSelector."kubernetes\.io/os"=linux \
  --set "webhook.tolerations[0].key=CriticalAddonsOnly" \
  --set "webhook.tolerations[0].operator=Exists" \
  --set "startupapicheck.tolerations[0].key=CriticalAddonsOnly" \
  --set "startupapicheck.tolerations[0].operator=Exists" \
  --set startupapicheck.nodeSelector."kubernetes\.io/os"=linux

Verify all cert-manager pods are running:
Code:
kubectl get pods -n cert-manager

Expected outpu
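
Step 2 asks you to point your domain DNS records at the controller's EXTERNAL-IP. The script below is an added example, not part of the original post, that checks this before any certificate is requested. The service name and namespace are the ones used in the guide; the function names and the sample hostname are assumptions, and getent is assumed to be available (Linux).

```shell
#!/usr/bin/env bash
# Added example: confirm each hostname resolves only to the ingress EXTERNAL-IP.

# Print the external IP of the controller Service from Step 2 (needs kubectl access).
ingress_external_ip() {
  kubectl get svc ingress-nginx-controller -n ingress-basic \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
}

# Print the IPv4 addresses a hostname resolves to, one per line.
resolve_ipv4() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# classify_host EXPECTED_IP RESOLVED_IPS -> prints ok | unresolved | mismatch
# Pure function (no network). Any address other than EXPECTED_IP is a mismatch,
# because a stale A record left beside the new one sends some traffic elsewhere.
classify_host() {
  local expected="$1"
  local resolved="$2"
  local ip
  if [ -z "$resolved" ]; then
    echo unresolved
    return 0
  fi
  for ip in $resolved; do
    if [ "$ip" != "$expected" ]; then
      echo mismatch
      return 0
    fi
  done
  echo ok
}

# check_hosts EXPECTED_IP HOST... -> one line per host; non-zero if any is not ok.
check_hosts() {
  local expected="$1"
  local rc=0
  local host state
  shift
  for host in "$@"; do
    state=$(classify_host "$expected" "$(resolve_ipv4 "$host")")
    printf '%-30s %s\n' "$host" "$state"
    [ "$state" = ok ] || rc=1
  done
  return "$rc"
}

# Usage (run manually): check_hosts "$(ingress_external_ip)" yourdomain.com
```

A non-zero exit from check_hosts can gate a CI/CD pipeline so that certificate requests are not made while DNS still points elsewhere.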