I installed Kubernetes on Hetzner based on the repository.
I am using GoDaddy for DNS management.
I have installed cert-manager in the cluster. I took it from here:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
Load balancer:
apiVersion: v1
kind: Service
metadata:
  name: example-lb
  annotations:
    load-balancer.hetzner.cloud/location: hel1
spec:
  selector:
    app: example
  ports:
    - port: 80
      targetPort: 5678
  type: LoadBalancer
Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
spec:
  selector:
    matchLabels:
      app: example
  replicas: 1
  template:
    metadata:
      labels:
        app: example
    spec:
      containers:
        - name: echo1
          image: hashicorp/http-echo
          args:
            - "-text=echo1"
          ports:
            - containerPort: 5678
The load balancer got port 32695.
I opened the firewall for ports 32695 and 80.
I made an A record to connect my load balancer with a subdomain.
I can connect to my pod through the HTTP URL.
ClusterIssuer manifest:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod   # ClusterIssuer is cluster-scoped: it takes no namespace
spec:
  acme:
    email: my@email.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    solvers:
      - http01:
          ingress:
            class: nginx   # the solver creates an Ingress; a controller for this class must be routing the host
Certificate manifest:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: secure-homekube-io
  namespace: default
spec:
  secretName: secure-homekube-io-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - my-org
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - my.sub.domain
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
The question is: why does the certificate have a False status?
Update
Describe Challenges:
Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "some.sensitive.data." but got: echo1
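What the solver is comparing in that message, as an added example (not code from the question or from cert-manager): the expected value is the ACME key authorization from RFC 8555 section 8.1, `<token>.<base64url(SHA-256 JWK thumbprint of the account key)>`. Before it asks Let's Encrypt to validate, cert-manager fetches `http://<host>/.well-known/acme-challenge/<token>` itself and fails the self-check when the body differs. The account JWK below is a constructed placeholder (not a real key), the token is the example token from RFC 8555, and `serve()` is a toy longest-prefix router standing in for either the load balancer or an ingress controller; the two route tables mirror the two topologies on this page.

```python
from __future__ import annotations

import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME encode binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered and serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the HTTP-01 endpoint must return."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def self_check(token: str, account_jwk: dict, body: str) -> tuple[bool, str]:
    """Compare what the endpoint actually served with the expected key
    authorization; the failure text follows the shape of cert-manager's error."""
    expected = key_authorization(token, account_jwk)
    got = body.strip()
    if got == expected:
        return True, "ok"
    return False, ('did not get expected response when querying endpoint, '
                   f'expected "{expected}" but got: {got}')


def serve(path: str, routes: list[tuple[str, str]]) -> str:
    """Toy longest-prefix router; routes are (path_prefix, response_body)."""
    matches = [r for r in routes if path.startswith(r[0])]
    if not matches:
        return "404 default backend"
    return max(matches, key=lambda r: len(r[0]))[1]


# Constructed placeholders: not a real account key, and the RFC 8555 example token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
CHALLENGE_PATH = f"/.well-known/acme-challenge/{TOKEN}"

# Topology from the question: the Hetzner LB forwards port 80 straight to the
# http-echo pod, so every path, the challenge path included, answers "echo1".
ROUTES_LB_TO_POD = [("/", "echo1")]

# Topology with an ingress controller: cert-manager's solver Ingress claims the
# exact challenge path for the host while everything else still reaches the app.
ROUTES_VIA_INGRESS = [
    ("/", "echo1"),
    (CHALLENGE_PATH, key_authorization(TOKEN, ACCOUNT_JWK)),
]


def validate(routes: list[tuple[str, str]]) -> tuple[bool, str]:
    """Run the self-check against whichever backend answers the challenge path."""
    return self_check(TOKEN, ACCOUNT_JWK, serve(CHALLENGE_PATH, routes))


if __name__ == "__main__":
    for name, routes in (("LB -> pod", ROUTES_LB_TO_POD),
                         ("via ingress", ROUTES_VIA_INGRESS)):
        ok, msg = validate(routes)
        print(f"{name}: {'passes' if ok else 'fails'}: {msg}")
```

With the load balancer pointed directly at the application, nothing in the path ever serves the key authorization, so the self-check can only ever see the application's own response; the solver Ingress is what makes the challenge path answer correctly, and it needs an ingress controller in front of the pod to have any effect.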
# hetzner-k3s cluster config
hetzner_token: # redacted
cluster_name: echo
kubeconfig_path: "./kubeconfig"
k3s_version: v1.26.4+k3s1
public_ssh_key_path: "~/.ssh/id_rsa.pub"
private_ssh_key_path: "~/.ssh/id_rsa"
use_ssh_agent: false # set to true if your key has a passphrase or if SSH connections don't work or seem to hang without agent. See https://github.com/vitobotta/hetzner-k3s#limitations
# ssh_port: 22
ssh_allowed_networks:
  - 0.0.0.0/0 # ensure your current IP is included in the range; 0.0.0.0/0 exposes SSH on every node to the whole internet, so narrow this to your own CIDR
api_allowed_networks:
  - 0.0.0.0/0 # ensure your current IP is included in the range; same caveat for the Kubernetes API
private_network_subnet: 10.0.0.0/16 # ensure this doesn't overlap with other networks in the same project
disable_flannel: false # set to true if you want to install a different CNI
schedule_workloads_on_masters: false
cloud_controller_manager_manifest_url: "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.18.0/ccm-networks.yaml"
csi_driver_manifest_url: "https://raw.githubusercontent.com/hetznercloud/csi-driver/v2.5.1/deploy/kubernetes/hcloud-csi.yml"
system_upgrade_controller_manifest_url: "https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml"
masters_pool:
  instance_type: cx11
  instance_count: 1
  location: hel1
worker_node_pools:
  - name: small-static
    instance_type: cx21
    instance_count: 1
    location: hel1
helm upgrade --install \
ingress-nginx ingress-nginx/ingress-nginx \
-f value.yaml \
--namespace ingress-nginx \
--create-namespace
value file:
controller:
  kind: DaemonSet
  metrics:
    enabled: true
  service:
    annotations:
      load-balancer.hetzner.cloud/location: hel1
      load-balancer.hetzner.cloud/name: lb
      load-balancer.hetzner.cloud/use-private-ip: "true"
      load-balancer.hetzner.cloud/uses-proxyprotocol: 'true'
      # with proxy protocol, publish a hostname instead of the LB IP so that
      # in-cluster clients (cert-manager's self-check included) go out through
      # the LB rather than being short-circuited to the node port
      load-balancer.hetzner.cloud/hostname: sub.domain.name
      load-balancer.hetzner.cloud/http-redirect-https: 'false'
  replicaCount: 2 # ignored when kind is DaemonSet
  config:
    use-proxy-protocol: "true" # must agree with the uses-proxyprotocol annotation above
helm upgrade --install \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true \
cert-manager jetstack/cert-manager
Connect the load balancer's public IP to your DNS.
Apply the ClusterIssuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod   # ClusterIssuer is cluster-scoped: it takes no namespace
spec:
  acme:
    email: some@email.me
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    solvers:
      - http01:
          ingress:
            class: nginx   # must be the class ingress-nginx serves
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: secure-homekube-io
  namespace: default   # the TLS Secret is written here; an Ingress can only use a Secret in its own namespace
spec:
  secretName: secure-homekube-io-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - some-org
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - sub.domain.name
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
7. Ingress, Service and Deployment for the test:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-test
  namespace: ingress-nginx
  annotations:
    kubernetes.io/ingress.class: "nginx"   # deprecated in favour of spec.ingressClassName, still honoured by ingress-nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod   # ingress-shim creates a Certificate for tls.secretName in this namespace
spec:
  rules:
    - host: sub.domain.name
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echo
                port:
                  number: 80
  tls:
    - hosts:
        - sub.domain.name
      secretName: secure-homekube-io-tls
---
apiVersion: v1
kind: Service
metadata:
  name: echo
  namespace: ingress-nginx
spec:
  selector:
    app: echo
  ports:
    - protocol: TCP
      port: 80
      targetPort: 5678
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  namespace: ingress-nginx
  labels:
    app: echo
spec:
  selector:
    matchLabels:
      app: echo
  replicas: 1
  template:
    metadata:
      labels:
        app: echo
    spec:
      containers:
        - name: echo1
          image: hashicorp/http-echo
          args:
            - "-text=echo1"
          ports:
            - containerPort: 5678
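A cross-check over the objects in that procedure, added here as an example and not code from the answer or from cert-manager: for the HTTP-01 flow to work end to end, the ClusterIssuer's solver class must match the Ingress class, the Certificate must reference that issuer and write its Secret into the Ingress's namespace (Secrets are namespaced), every TLS host must appear in dnsNames, and the load balancer's proxy-protocol annotation must agree with the controller's use-proxy-protocol setting. The dataclasses and the sample objects are constructed to mirror the manifests above; the checker is a hypothetical helper, not a cert-manager or ingress-nginx feature.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class IngressRef:
    namespace: str
    ingress_class: str
    hosts: list[str]
    tls_secret: str
    cluster_issuer: str | None = None  # cert-manager.io/cluster-issuer annotation


@dataclass
class CertificateRef:
    namespace: str
    secret_name: str
    dns_names: list[str]
    issuer_name: str
    issuer_kind: str


@dataclass
class ClusterIssuerRef:
    name: str
    http01_ingress_class: str | None


def check_http01_chain(ing: IngressRef, cert: CertificateRef,
                       issuer: ClusterIssuerRef) -> list[str]:
    """Return findings; an empty list means the chain is consistent."""
    findings: list[str] = []
    if issuer.http01_ingress_class != ing.ingress_class:
        findings.append(f"solver ingress class {issuer.http01_ingress_class!r} != "
                        f"Ingress class {ing.ingress_class!r}: the solver pod "
                        "will not be routed")
    if cert.issuer_kind != "ClusterIssuer" or cert.issuer_name != issuer.name:
        findings.append(f"Certificate issuerRef {cert.issuer_kind}/{cert.issuer_name} "
                        f"does not reference ClusterIssuer {issuer.name!r}")
    if ing.cluster_issuer and ing.cluster_issuer != issuer.name:
        findings.append(f"Ingress annotation names issuer {ing.cluster_issuer!r}, "
                        f"not {issuer.name!r}")
    if cert.secret_name != ing.tls_secret:
        findings.append(f"Certificate secretName {cert.secret_name!r} != "
                        f"Ingress tls.secretName {ing.tls_secret!r}")
    if cert.namespace != ing.namespace:
        findings.append(f"Certificate writes Secret {cert.secret_name!r} into "
                        f"namespace {cert.namespace!r} but the Ingress in "
                        f"{ing.namespace!r} reads the Secret from its own namespace")
    missing = [h for h in ing.hosts if h not in cert.dns_names]
    if missing:
        findings.append(f"TLS hosts not covered by dnsNames: {missing}")
    return findings


def check_proxy_protocol(lb_annotations: dict, controller_config: dict) -> list[str]:
    """The Hetzner LB prepends a PROXY header only when uses-proxyprotocol is
    true; nginx strips one only when use-proxy-protocol is true. They must agree."""
    lb = lb_annotations.get("load-balancer.hetzner.cloud/uses-proxyprotocol",
                            "false").lower() == "true"
    ctl = str(controller_config.get("use-proxy-protocol", "false")).lower() == "true"
    if lb == ctl:
        return []
    if lb:
        return ["LB sends PROXY protocol but the controller does not expect it: "
                "nginx reads the PROXY line as a malformed HTTP request"]
    return ["controller expects PROXY protocol but the LB does not send it: "
            "every connection fails with a broken header"]


# Constructed to mirror the answer: the Certificate sits in "default" while the
# Ingress and its Secret reference live in "ingress-nginx".
ISSUER = ClusterIssuerRef(name="letsencrypt-prod", http01_ingress_class="nginx")
CERT = CertificateRef(namespace="default", secret_name="secure-homekube-io-tls",
                      dns_names=["sub.domain.name"], issuer_name="letsencrypt-prod",
                      issuer_kind="ClusterIssuer")
INGRESS = IngressRef(namespace="ingress-nginx", ingress_class="nginx",
                     hosts=["sub.domain.name"], tls_secret="secure-homekube-io-tls",
                     cluster_issuer="letsencrypt-prod")
LB_ANNOTATIONS = {"load-balancer.hetzner.cloud/uses-proxyprotocol": "true"}
CONTROLLER_CONFIG = {"use-proxy-protocol": "true"}

if __name__ == "__main__":
    for finding in check_http01_chain(INGRESS, CERT, ISSUER):
        print("finding:", finding)
    for finding in check_proxy_protocol(LB_ANNOTATIONS, CONTROLLER_CONFIG):
        print("finding:", finding)
```

Run as is, the only finding is the namespace mismatch: the standalone Certificate produces a Secret in `default` that the Ingress in `ingress-nginx` never sees, while the `cert-manager.io/cluster-issuer` annotation separately makes ingress-shim issue the certificate the Ingress actually uses. Keep one of the two mechanisms and put the Certificate in the Ingress's namespace.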