1

I've been doing the steps in this tutorial: Create an ingress controller with a static public IP address in Azure Kubernetes Service (AKS)

When I finish the tutorial, I can browse to the DNS name label for the static IP: https://demo-aks-ingress.eastus.cloudapp.azure.com

What I don't get is, let's say I have a sub-domain hello.john.com. How can I configure the DNS of the sub-domain to point to https://demo-aks-ingress.eastus.cloudapp.azure.com so it will work with https and letsencrypt that I set up in the AKS tutorial above?

gunnarst

1 Answer

3

Based on this issue comment on the k8s GitHub repo, it looks like it should work if you do the following:

  • create a CNAME record for hello.john.com domain and point it to demo-aks-ingress.eastus.cloudapp.azure.com
  • add second domain to ingress (so that ingress knows how to route it)
  • add second domain to certificate object (so that cert-manager can generate a valid certificate for this domain)

Ingress part:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-staging
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/server-alias: "hello.john.com"  # second domain, served as an alias of the host rule
spec:
  tls:
  - hosts:
    - demo-aks-ingress.eastus.cloudapp.azure.com
    - hello.john.com      # second domain added to the TLS hosts
    secretName: tls-secret
  rules:
  - host: demo-aks-ingress.eastus.cloudapp.azure.com
    http:
      paths:
      - backend:
          serviceName: aks-helloworld
          servicePort: 80
        path: /hello-world-one(/|$)(.*)
      - backend:
          serviceName: ingress-demo
          servicePort: 80
        path: /hello-world-two(/|$)(.*)
      - backend:
          serviceName: aks-helloworld
          servicePort: 80
        path: /(.*)

Certificate part:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: tls-secret
  namespace: ingress-basic
spec:
  secretName: tls-secret
  dnsNames:
  - demo-aks-ingress.eastus.cloudapp.azure.com
  - hello.john.com      # second domain added to the certificate names
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - demo-aks-ingress.eastus.cloudapp.azure.com
      - hello.john.com      # second domain validated through the same http01 solver
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer

Matt
  • Awesome, thanks! :-) "create a CNAME record for hello.john.com domain and point it to demo-aks-ingress.eastus.cloudapp.azure.com" Would it matter if the CNAME pointed to the IP of the cluster vs. the DNS name label (demo-aks-ingress.eastus.cloudapp.azure.com)? Which is recommended? – gunnarst Apr 28 '21 at 08:39
  • A CNAME can only point to another domain. If you want to use an IP, use an A record. Which is recommended? It's not like it's recommended - you use the one which best fits your use case. Just make sure they both point to the nginx ingress IP. – Matt Apr 28 '21 at 09:07
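
A consistency check for the three places the answer says the second domain must appear (server alias, `spec.tls` hosts, Certificate `dnsNames`), as an added example that is not part of the original answer or the AKS tutorial. The manifests are constructed Python dicts mirroring the YAML above; the helper names and the comma/space splitting of the alias annotation are assumptions, and names are compared exactly (no wildcard handling).

```python
import re

ALIAS = "nginx.ingress.kubernetes.io/server-alias"

def served_hosts(ingress):
    """Hostnames the Ingress answers for: rule hosts plus server-alias entries."""
    hosts = {r["host"] for r in ingress["spec"].get("rules", []) if r.get("host")}
    alias = ingress["metadata"].get("annotations", {}).get(ALIAS, "")
    # Assumption: multiple aliases are separated by commas and/or spaces.
    hosts.update(a for a in re.split(r"[,\s]+", alias) if a)
    return hosts

def coverage_gaps(ingress, certificate):
    """Return findings as strings; an empty list means all three places agree."""
    findings = []
    cert_names = set(certificate["spec"].get("dnsNames", []))
    cert_secret = certificate["spec"]["secretName"]
    tls_names = set()
    for block in ingress["spec"].get("tls", []):
        if block.get("secretName") != cert_secret:
            # The ingress would serve a secret this Certificate never writes.
            findings.append(f"tls secret {block.get('secretName')!r} != certificate secret {cert_secret!r}")
            continue
        tls_names.update(block.get("hosts", []))
    for host in sorted(served_hosts(ingress) - tls_names):
        findings.append(f"{host}: served by the ingress but missing from spec.tls hosts")
    for host in sorted(tls_names - cert_names):
        findings.append(f"{host}: in spec.tls hosts but missing from Certificate dnsNames")
    return findings

# Constructed sample input mirroring the manifests in the answer (paths omitted).
TUTORIAL = "demo-aks-ingress.eastus.cloudapp.azure.com"
CUSTOM = "hello.john.com"

def sample_ingress(alias=CUSTOM, tls=(TUTORIAL, CUSTOM)):
    return {"metadata": {"name": "hello-world-ingress", "annotations": {ALIAS: alias}},
            "spec": {"tls": [{"hosts": list(tls), "secretName": "tls-secret"}],
                     "rules": [{"host": TUTORIAL}]}}

def sample_certificate(names=(TUTORIAL, CUSTOM)):
    return {"metadata": {"name": "tls-secret"},
            "spec": {"secretName": "tls-secret", "dnsNames": list(names)}}

if __name__ == "__main__":
    # Certificate that forgot the second domain: prints one finding.
    for line in coverage_gaps(sample_ingress(), sample_certificate((TUTORIAL,))) or ["ok"]:
        print(line)
```

With real manifests, load each YAML document into a dict and pass it to `coverage_gaps` before applying it to the cluster.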