ingress: cert-manager, letsencrypt, and travisloyd.xyz -> www.travisloyd.xyz

It seemed for a while that the popular web browsers would automatically redirect travisloyd.xyz to www.travisloyd.xyz if travisloyd.xyz didn’t work. But after a while that no longer seemed to happen. So, let’s do this right.

Here’s an ingress to perform the redirect from travisloyd.xyz to www.travisloyd.xyz:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    #nginx.ingress.kubernetes.io/proxy-body-size: 1000m
    nginx.ingress.kubernetes.io/server-snippet: |
      return 301 https://www.travisloyd.xyz$request_uri;
  name: ingress-redirect
spec:
  ingressClassName: nginx
  rules:
  - host: travisloyd.xyz
  tls:
  - hosts:
    - travisloyd.xyz
    secretName: travisloyd.xyz-tls

But what about an automatic certificate via letsencrypt? Do we need it? Yes, otherwise https://travisloyd.xyz displays an invalid certificate before performing the redirect. But we can’t just add the cert-manager annotations to this redirect ingress, because the callback from Let’s Encrypt will not verify correctly with the redirect in place. Instead, we need an ingress specifically for handling the Let’s Encrypt callback:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: cluster-letsencrypt-issuer
    cert-manager.io/issuer-kind: ClusterIssuer
    #nginx.ingress.kubernetes.io/proxy-body-size: 1000m
  name: ingress-redirect-letsencrypt
spec:
  ingressClassName: nginx
  rules:
  - host: travisloyd.xyz
    http:
      paths:
      - backend:
          service:
            name: exp-wordpress-xyz-travisloyd-www
            port:
              name: http
        path: /.well-known
        pathType: Prefix
  tls:
  - hosts:
    - travisloyd.xyz
    secretName: travisloyd.xyz-tls

Perfect, now when the certs expire they’ll be renewed automatically via letsencrypt.
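
To confirm the two ingresses behave as described, here is an added check (not part of the original post) that verifies the apex host presents a trusted certificate, answers with a 301 to www that preserves the request URI, and is not close to expiry. The sample path and the 14-day threshold are assumptions.

```python
import http.client
import ssl
import time

APEX = "travisloyd.xyz"                # host from the page
TARGET = "https://www.travisloyd.xyz"  # redirect target from the server-snippet


def evaluate(status, location, not_after, path, now=None, min_days=14):
    """Return a list of problems; an empty list means the setup looks right.

    min_days is an assumed alerting threshold, not a value from the page.
    """
    problems = []
    if status != 301:
        problems.append(f"expected 301, got {status}")
    # $request_uri carries path and query string, so both must survive.
    if location != TARGET + path:
        problems.append(f"Location {location!r} != {TARGET + path!r}")
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if days_left < min_days:
        problems.append(f"certificate expires in {days_left:.0f} days")
    return problems


def probe(path="/2020/01/example-post/?q=1"):  # constructed sample path
    """Connect to the apex host over TLS and collect what evaluate() needs."""
    # The default context verifies the chain and the hostname, so an invalid
    # or mismatched certificate raises ssl.SSLCertVerificationError here.
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(APEX, 443, context=ctx, timeout=10)
    try:
        conn.connect()
        not_after = conn.sock.getpeercert()["notAfter"]
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return evaluate(resp.status, resp.getheader("Location"), not_after, path)
    finally:
        conn.close()


if __name__ == "__main__":
    issues = probe()
    print("OK" if not issues else "\n".join(issues))
```

Run it from cron or a monitoring job; a failed renewal shows up as a shrinking expiry window well before browsers start rejecting the certificate.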

Posted in Infrastructure, Kubernetes.
