1. Install Helm and the add-on applications through Helm

Before we install our add-on tools, we need to take care of Helm and Tiller. Let's look at how the Helm docs describe them:

Helm is a tool that streamlines installing and managing Kubernetes applications. Think of it like apt/yum/homebrew for Kubernetes. Helm has two parts: a client (helm) and a server (tiller). Tiller runs inside of your Kubernetes cluster, and manages releases (installations) of your charts. (source)

Now make sure that you are on the correct Kubernetes context, because Tiller will be installed into whichever cluster kubectl currently points at. To check which context you are on, run:

$ kubectl config current-context

Now you can install Helm on your computer by running the following:

$ brew install kubernetes-helm

If you are not using MacOS, you can find other ways of installing Helm here.

Now that you have installed Helm (the client) you will need to install Tiller (the server) on your Kubernetes cluster. (This applies to Helm 2; Helm 3 removed Tiller entirely.)

In rbac-config.yaml insert the following:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Be aware of what this grants: the tiller service account is bound to the built-in cluster-admin ClusterRole, so anything that can talk to Tiller can do anything in the cluster. Tiller listens on a gRPC port (44134) inside the cluster and does not authenticate its clients unless you enable TLS (helm init --tiller-tls-verify with your own certificates), so on a shared or production cluster you should either turn TLS on or scope Tiller to a single namespace with a Role instead of cluster-admin, as the Helm RBAC docs describe. For a personal cluster the binding above is the quick path. Now run the following to install Tiller on your cluster along with its role:

$ kubectl apply -f rbac-config.yaml

$ helm init --service-account tiller
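To see what that binding actually grants, here is an added audit script (mine, not part of the original tutorial or of Helm) that runs over the JSON from kubectl get clusterrolebindings,rolebindings --all-namespaces -o json and reports every ServiceAccount bound to a high-privilege ClusterRole. The sample input embedded in it is constructed: it mirrors the tiller binding above, adds a hypothetical namespace-scoped Tiller binding for comparison, and includes the bootstrap system:masters binding every cluster has.

```python
import json
import sys

# Constructed sample of `kubectl get clusterrolebindings,rolebindings -A -o json`
# on a cluster where the rbac-config.yaml above was applied. The second item is a
# hypothetical namespace-scoped Tiller binding for comparison; the third is the
# bootstrap binding every cluster has.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "tiller"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "tiller",
                          "namespace": "kube-system"}],
        },
        {
            "kind": "RoleBinding",
            "metadata": {"name": "tiller-binding", "namespace": "tiller-world"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": "tiller-manager"},
            "subjects": [{"kind": "ServiceAccount", "name": "tiller",
                          "namespace": "tiller-world"}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters",
                          "apiGroup": "rbac.authorization.k8s.io"}],
        },
    ],
})

# Built-in ClusterRoles broad enough that a workload identity holding them
# deserves a second look.
HIGH_PRIVILEGE_ROLES = frozenset({"cluster-admin", "admin", "edit"})


def audit_service_account_bindings(bindings_json, roles=HIGH_PRIVILEGE_ROLES):
    """Return one finding per ServiceAccount bound to a ClusterRole in `roles`.

    A ClusterRoleBinding grants the ClusterRole in every namespace; a
    RoleBinding that references the same ClusterRole grants it only in the
    binding's own namespace, so the scope is recorded with each finding.
    """
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        if item.get("kind") == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace " + item.get("metadata", {}).get("namespace", "?")
        # `subjects` may be null in the API output, hence the `or []`.
        for subject in item.get("subjects", []) or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            findings.append({
                "binding": item["metadata"]["name"],
                "service_account": subject.get("namespace", "?") + "/" + subject["name"],
                "role": ref["name"],
                "scope": scope,
            })
    return findings


def main():
    # Read real kubectl output when piped in; fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BINDINGS
    for f in audit_service_account_bindings(data):
        print(f"{f['service_account']} holds {f['role']} ({f['scope']}) via {f['binding']}")


if __name__ == "__main__":
    main()
```

Pipe the real output in with kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit_bindings.py. On the cluster built in this tutorial the tiller service account is reported as cluster-admin, cluster-wide; it would only drop out of the report once re-bound through a namespace-scoped Role, which is the shape the Helm RBAC docs recommend for anything beyond a personal cluster.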

You can confirm the binding took effect with kubectl auth can-i '*' '*' --as=system:serviceaccount:kube-system:tiller, which should answer yes. You are now ready to install the add-ons (nginx-ingress, cert-manager and external-dns) using Helm. Note that each of these installations needs a few variables to be set.

nginx-ingress

With the NGINX Ingress Controller for Kubernetes, you get basic load balancing, SSL/TLS termination, support for URI rewrites, and upstream SSL/TLS encryption (source). It enables enterprise-level application delivery on Kubernetes. Using an ingress controller and ingress rules, a single IP address can be used to route traffic to multiple services in a Kubernetes cluster (source).

This is also why we do not expose our app as a LoadBalancer service: the ingress controller is the only component that needs a public address, and our services stay cluster-internal behind it. Later we will see how to use a static IP for the ingress controller.

You can install the NGINX Ingress Controller with the following command. I chose the default namespace for this run; you can install it in the kube-system namespace, or any other.

$ helm install \
    --name nginx-ingress \
    --namespace default \
    --set controller.service.loadBalancerIP=[YOUR_STATIC_IP] \
    --set controller.publishService.enabled=true \
    stable/nginx-ingress

If you do not already own a static IP, remove that --set from the command and the cloud provider will allocate a public IP for the controller's Service automatically (with the caveat that such an IP can change if the Service is ever recreated, which is why a reserved static IP is preferable once DNS points at it). This IP is the external IP address of your ingress controller, i.e. the address traffic reaches before it is routed on to your services.

cert-manager

Installing cert-manager is, in my experience, a bit harder than the rest of the add-ons, because this tool gets updated pretty frequently; you can always find the current installation method by following this link. For the sake of this tutorial, here is the installation method that currently works (cert-manager v0.7.2).

$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.7/deploy/manifests/00-crds.yaml

$ kubectl label namespace default certmanager.k8s.io/disable-validation=true

$ helm repo add jetstack https://charts.jetstack.io

$ helm repo update

$ helm install \
    --name cert-manager \
    --namespace default \
    --version v0.7.2 \
    --set ingressShim.defaultACMEChallengeType=dns01 \
    --set ingressShim.defaultACMEDNS01ChallengeProvider=route53 \
    --set ingressShim.defaultIssuerName=letsencrypt-prod \
    --set ingressShim.defaultIssuerKind=ClusterIssuer \
    jetstack/cert-manager

Note: the --set values above are specific to using Route53 with the DNS01 challenge in this example; they tell the ingress shim which issuer and challenge type to use for Ingresses that request a certificate. You can drop them if you do not need them. Also note that the disable-validation label switches cert-manager's validating webhook off for the labelled namespace; it is required in the namespace cert-manager runs in, which is why the upstream docs install cert-manager into its own namespace rather than default, so that your own Certificate and Issuer resources in default still get validated.

external-dns

The following command installs external-dns and gives the add-on the credentials it needs to make changes on the DNS provider side. We will be using this tool to automatically create sub-domain records on Route53.

You can set your own variables in case you are not using Route53. Check this link to find suitable auth variables. Be aware that credentials passed with --set end up in your shell history and in the release values Helm stores inside the cluster (in Helm 2, in ConfigMaps in kube-system that anyone who can read that namespace can decode). For anything beyond a test run, prefer reading them from a values file kept out of version control, or attach an IAM role to the worker nodes and omit the keys entirely, since external-dns uses the standard AWS credential chain.

Note that we are setting the policy to upsert-only, which lets external-dns create and update records but never delete them, so a deleted Ingress leaves its DNS record behind rather than risking the removal of a record you still need. Note also that I am setting the domainFilters variable. This restricts external-dns to my given hosted zone, which in turn lets me limit the AWS role permissions to that zone only and not my other domains.

$ helm install \
    --name external-dns \
    --set aws.accessKey=XX \
    --set aws.secretKey=XX \
    --set aws.region=us-east-1 \
    --set policy=upsert-only \
    --set domainFilters={example.com} \
    stable/external-dns
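To make the upsert-only and domainFilters settings concrete, here is an added model of external-dns's reconciliation step (my illustration, not external-dns's own code) that computes which Route53 changes each of its three policies, sync, upsert-only and create-only, would let through for a constructed set of desired and existing records. The suffix matching for the domain filter and the TXT-registry ownership rule are simplified assumptions about the real tool's behaviour.

```python
# Constructed sample input. DESIRED is what external-dns derives from the
# hostnames on Ingress/Service objects in the cluster; CURRENT is what it finds
# in the hosted zone, with the owner id read from the TXT registry record that
# external-dns writes next to each record it manages ("" = not managed by it).
DESIRED = {
    "app.example.com": "203.0.113.10",   # new host, no record yet
    "api.example.com": "203.0.113.10",   # target changed since last sync
    "www.other.org": "203.0.113.10",     # outside the domain filter
}
CURRENT = {
    "api.example.com": {"target": "198.51.100.7", "owner": "default"},
    "old.example.com": {"target": "198.51.100.7", "owner": "default"},  # Ingress gone
    "mail.example.com": {"target": "198.51.100.9", "owner": ""},        # hand-managed
}

POLICIES = ("sync", "upsert-only", "create-only")


def in_domain_filter(name, domain_filters):
    """True if name is one of the filtered domains or a subdomain of one.

    Simplified model of external-dns's suffix matching (assumption); an empty
    filter list means every record is in scope.
    """
    if not domain_filters:
        return True
    return any(name == d or name.endswith("." + d) for d in domain_filters)


def plan_changes(desired, current, domain_filters, policy, owner_id="default"):
    """Return the create/update/delete sets the given policy lets through.

    Records owned by another owner id (or by nobody) are never touched, which
    models the TXT registry; the policy then trims the change set.
    """
    if policy not in POLICIES:
        raise ValueError("unknown policy: " + policy)
    creates, updates, deletes = [], [], []
    for name, target in desired.items():
        if not in_domain_filter(name, domain_filters):
            continue
        rec = current.get(name)
        if rec is None:
            creates.append((name, target))
        elif rec["owner"] == owner_id and rec["target"] != target:
            updates.append((name, target))
        # a record owned by someone else is left alone even if the target differs
    for name, rec in current.items():
        if (in_domain_filter(name, domain_filters) and name not in desired
                and rec["owner"] == owner_id):
            deletes.append(name)
    if policy == "upsert-only":
        deletes = []            # create and update, never delete
    elif policy == "create-only":
        updates, deletes = [], []
    return {"create": sorted(creates), "update": sorted(updates), "delete": sorted(deletes)}


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, plan_changes(DESIRED, CURRENT, ["example.com"], policy))
```

Under upsert-only the stale old.example.com record survives while api.example.com is still updated to the new target, which is the distinction the policy name hides. Switching to sync is what lets external-dns delete records, so only do that once you trust the domainFilters value and the IAM policy to fence it into the zone you intend.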

The following shows the limited permissions needed for the installed tool to function properly: