Tweak the cert-manager ingress
In part #6 we rendered the manifest using helm and fixed the storage class and the service. In the previous post, we looked at what we need to do to get TLS ingress and a certificate for our site.
Delete the ingress part from manifest.yaml: starting one line before kind: Ingress, remove all lines associated with the ingress. Then create a new file called ingress-https-letsencrypt.yaml and paste in this content.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress-2
  namespace: "wordpress"
  labels:
    app.kubernetes.io/name: wordpress
    helm.sh/chart: wordpress-15.2.17
    app.kubernetes.io/instance: wordpress
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: "traefik"
  rules:
    - host: "blog.mydomain.tld"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wordpress
                port:
                  number: 5681
  tls:
    - hosts:
        - "blog.mydomain.tld"
      secretName: blog-tls
Change the blog.mydomain.tld hostname to your host.
Next, you need to make sure that the DNS resolution works and is pointing to your external WAN IP address. Port forwarding rules must of course also be in place, as discussed earlier.
Next, let us create another file, ingress-https.yaml, with the following content, replacing blog.mydomain.tld with your actual domain.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
  name: wordpress
  namespace: "wordpress"
  labels:
    app.kubernetes.io/name: wordpress
    helm.sh/chart: wordpress-15.2.17
    app.kubernetes.io/instance: wordpress
    app.kubernetes.io/managed-by: Helm
spec:
  tls:
    - hosts:
        - "blog.mydomain.tld"
      secretName: blog-tls
  rules:
    - host: "blog.mydomain.tld"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wordpress
                port:
                  number: 5681
Start the deployment and service
Next, start WordPress and MariaDB. Go to a terminal, change to the folder where your edited rendered manifest is, and run:
kubectl apply -f manifest.yaml
It will take a few minutes for both the database and WordPress pods to come up. Check with kubectl get pod -n wordpress.
Next, create the service:
kubectl apply -f service.yaml
That one should be quick.
Apply cert-manager ingress to get a TLS certificate
We are now going to get the certificate.
kubectl apply -f ingress-https-letsencrypt.yaml
Wait a minute or so, until you get
$ kubectl get secret (k3d-k3d-cluster/wordpress)
NAME                TYPE                DATA   AGE
wordpress-mariadb   Opaque              2      9d
wordpress           Opaque              1      9d
blog-tls            kubernetes.io/tls   2      9d
redirect-tls        kubernetes.io/tls   2      8d
The secret should be named exactly blog-tls, as shown, without a hex suffix. When the secret is ready, the fake ingress is no longer needed:
kubectl delete -f ingress-https-letsencrypt.yaml
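The manual "wait a minute or so" step above can be scripted so that the fake ingress is only deleted once the blog-tls secret really exists. This is an added example, not part of the original post; the function names and the KUBECTL and NAMESPACE variables are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: gate the "delete the fake ingress" step on the TLS secret.
# KUBECTL, NAMESPACE and the function names are assumptions of this sketch.
KUBECTL="${KUBECTL:-kubectl}"
NAMESPACE="${NAMESPACE:-wordpress}"

# Reads `kubectl get secret --no-headers` rows (NAME TYPE DATA AGE) on stdin.
# Succeeds only for an exact name match of type kubernetes.io/tls with two
# data keys (tls.crt and tls.key); a name with a suffix does not count.
tls_secret_ready() {
    awk -v want="$1" '
        $1 == want && $2 == "kubernetes.io/tls" && $3 == 2 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Polls until the secret is ready or the timeout (in seconds) expires.
wait_for_tls_secret() {
    name="$1"; timeout="${2:-300}"; interval="${3:-5}"; waited=0
    while [ "$waited" -le "$timeout" ]; do
        if $KUBECTL get secret -n "$NAMESPACE" --no-headers 2>/dev/null \
            | tls_secret_ready "$name"; then
            echo "secret $name is ready"
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "timed out waiting for secret $name" >&2
    return 1
}

# Typical use, replacing the manual wait:
#   kubectl apply -f ingress-https-letsencrypt.yaml
#   wait_for_tls_secret blog-tls 300 \
#     && kubectl delete -f ingress-https-letsencrypt.yaml
```

If the function times out, leave the fake ingress in place and check DNS resolution and port forwarding before retrying.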
Create the https ingress
kubectl apply -f ingress-https.yaml
This will create the ingress that is actually used.
Log in to your WordPress site
Now you can log in to your new site with your favorite browser, at https://blog.mydomain.tld/admin. Use the username and password that were in the shell script used to run helm. This should get you to the admin interface of WordPress.
Final thoughts
This brings this series to a close. I hope this was helpful. Why would you do all of this work? Running WordPress with Kubernetes has some advantages — Kubernetes will restart WordPress if it crashes. Rolling your own is a good way to learn how these systems work, how they are configured, and what configuration options exist.