First, use helm to install the ingress controller:

$ helm install stable/nginx-ingress --name nginx-ingress --set controller.publishService.enabled=true
NAME: nginx-ingress
LAST DEPLOYED: ...
NAMESPACE: default
STATUS: DEPLOYED
 
RESOURCES:
==> v1/ConfigMap
NAME DATA AGE
nginx-ingress-controller 1 0s
 
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
nginx-ingress-controller-7658988787-npv28 0/1 ContainerCreating 0 0s
nginx-ingress-default-backend-7f5d59d759-26xq2 0/1 ContainerCreating 0 0s
 
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-ingress-controller LoadBalancer 10.245.9.107 <pending> 80:31305/TCP,443:30519/TCP 0s
nginx-ingress-default-backend ClusterIP 10.245.221.49 <none> 80/TCP 0s
 
==> v1/ServiceAccount
NAME SECRETS AGE
nginx-ingress 1 0s
 
==> v1beta1/ClusterRole
NAME AGE
nginx-ingress 0s
 
==> v1beta1/ClusterRoleBinding
NAME AGE
nginx-ingress 0s
 
==> v1beta1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
nginx-ingress-controller 0/1 1 0 0s
nginx-ingress-default-backend 0/1 1 0 0s
 
==> v1beta1/Role
NAME AGE
nginx-ingress 0s
 
==> v1beta1/RoleBinding
NAME AGE
nginx-ingress 0s
 
NOTES:
...

Then wait for it to become available:

$ kubectl get services -o wide -w nginx-ingress-controller

Then you need to add the jetstack helm repo:

$ helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories

Then, you can install cert-manager:

$ helm install --name cert-manager --namespace cert-manager jetstack/cert-manager --set installCRDs=true
NAME: cert-manager
LAST DEPLOYED: ...
NAMESPACE: cert-manager
STATUS: DEPLOYED
 
RESOURCES:
==> v1/ClusterRole
NAME AGE
cert-manager-edit 3s
cert-manager-view 3s
cert-manager-webhook:webhook-requester 3s
 
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
cert-manager-5d669ffbd8-rb6tr 0/1 ContainerCreating 0 2s
cert-manager-cainjector-79b7fc64f-gqbtz 0/1 ContainerCreating 0 2s
cert-manager-webhook-6484955794-v56lx 0/1 ContainerCreating 0 2s
 
...
 
NOTES:
cert-manager has been deployed successfully!
 
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
 
More information on the different types of issuers and how to configure them
can be found in our documentation:
 
https://docs.cert-manager.io/en/latest/reference/issuers.html
 
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
 
https://docs.cert-manager.io/en/latest/reference/ingress-shim.html

Lastly, set up an issuer which takes care of managing the certificates:

production-issuer.yaml

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: pieter@yellowduck.be
privateKeySecretRef:
name: letsencrypt-production
solvers:
- http01:
ingress:
class: nginx

Deploy it:

$ kubectl apply -f production-issuer.yaml
clusterissuer.certmanager.k8s.io/letsencrypt-production created

Before we can issue the certificates, we need to create A records on the DNS server pointing to the load balancer. First, get the external IP address of the load balancer:

$ kubectl get service nginx-ingress-controller
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx-ingress-controller LoadBalancer 10.0.254.55 52.136.238.205 80:30753/TCP,443:32721/TCP 17m

The external IP address is 52.136.238.205 in this case.

On the DNS server, add the following records:

mywebsite.webhost.com A 52.136.238.205

Once you did this, create the ingress defintion:

ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
annotations:
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencrypt-production
spec:
tls:
- hosts:
- mywebsite.webhost.com
secretName: letsencrypt-prod
rules:
- host: mywebsite.webhost.com
http:
paths:
- backend:
serviceName: <my-service>
servicePort: 80

Apply this as well and you're done.

$ kubectl apply -f ingress.yaml

If you now browse to https://mywebsite.webhost.com, the correct content should show up and you should see that it's using a Let's Encrypt certificate.