
source link: https://techno-tim.github.io/posts/kube-traefik-cert-manager-le/

Wildcard Certificates with Traefik + cert-manager + Let's Encrypt in Kubernetes Tutorial


Traefik, cert-manager, Cloudflare, and Let’s Encrypt are a winning combination when it comes to securing your services with certificates in Kubernetes. Today, we’ll install and configure Traefik, the cloud native proxy and load balancer, as our Kubernetes Ingress Controller. We’ll then install and configure cert-manager to manage certificates for our cluster. We’ll set up Let’s Encrypt as our Cluster Issuer so that cert-manager can automatically provision TLS certificates and even wildcard certificates using Cloudflare DNS challenge absolutely free. We’ll walk through all of this, step by step, so you can help secure your cluster today.


A HUGE thanks to Datree for sponsoring this video!

Combat misconfigurations. Empower engineers.

https://www.datree.io

Getting Started

If you need to install a new Kubernetes cluster, you can use my Ansible Playbook to install one.

Resources

You can find all of the resources from this tutorial here

# install Helm 3 using the official installer script
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

Installing

Verify you can communicate with your cluster

kubectl get nodes
NAME     STATUS   ROLES                       AGE   VERSION
k3s-01   Ready    control-plane,etcd,master   10h   v1.23.4+k3s1
k3s-02   Ready    control-plane,etcd,master   10h   v1.23.4+k3s1
k3s-03   Ready    control-plane,etcd,master   10h   v1.23.4+k3s1
k3s-04   Ready    <none>                      10h   v1.23.4+k3s1
k3s-05   Ready    <none>                      10h   v1.23.4+k3s1

Verify helm is installed

helm version
version.BuildInfo{Version:"v3.8.0", GitCommit:"d14138609b01886f544b2025f5000351c9eb092e", GitTreeState:"clean", GoVersion:"go1.17.5"}

Traefik

helm repo add traefik https://helm.traefik.io/traefik
helm repo update
helm install --namespace=traefik traefik traefik/traefik --values=values.yaml

Check the status of the Traefik ingress controller service

kubectl get svc --all-namespaces -o wide

You should see the traefik service of type LoadBalancer with the external IP you specified in values.yaml

NAMESPACE        NAME              TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      AGE   SELECTOR
default          kubernetes        ClusterIP      10.43.0.1       <none>          443/TCP                      16h   <none>
kube-system      kube-dns          ClusterIP      10.43.0.10      <none>          53/UDP,53/TCP,9153/TCP       16h   k8s-app=kube-dns
kube-system      metrics-server    ClusterIP      10.43.182.24    <none>          443/TCP                      16h   k8s-app=metrics-server
metallb-system   webhook-service   ClusterIP      10.43.205.142   <none>          443/TCP                      16h   component=controller
traefik          traefik           LoadBalancer   10.43.156.161   192.168.30.80   80:30358/TCP,443:31265/TCP   22s   app.kubernetes.io/instance=traefik,app.kubernetes.io/name=traefik

Check that the Traefik pods are running

kubectl get pods --namespace traefik

should see

NAME                       READY   STATUS    RESTARTS   AGE
traefik-76474c4d47-l5z74   1/1     Running   0          11m
traefik-76474c4d47-xb282   1/1     Running   0          11m
traefik-76474c4d47-xx5lw   1/1     Running   0          11m

middleware

kubectl apply -f default-headers.yaml
kubectl get middleware

should see

NAME              AGE
default-headers   25s

dashboard

install htpasswd (part of apache2-utils)

sudo apt-get update
sudo apt-get install apache2-utils

generate the basic-auth user entry, base64-encoded so it can be pasted into the secret

htpasswd -nb techno password | openssl base64

apply secret

kubectl apply -f secret

get secret

kubectl get secrets --namespace traefik

apply dashboard

kubectl apply -f dashboard.yaml

visit

https://traefik.local.technotim.live/
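For reference, here is what the secret, middleware and dashboard route fit together like. This is an added example, not the dashboard.yaml from the post's repo; the resource names, the API group (traefik.containo.us/v1alpha1, the Traefik v2 CRD group at the time) and the TLS secret name are assumptions.

```yaml
# Added example (not from the original post): protect the Traefik dashboard
# with HTTP basic auth. Names, hostname and API group are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: traefik
type: Opaque
data:
  # Base64 of the whole htpasswd line ("techno:$apr1$..."), i.e. the output of
  #   htpasswd -nb techno password | openssl base64
  users: UkVQTEFDRV9NRQ==   # placeholder ("REPLACE_ME"); paste your own value
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-basicauth
  namespace: traefik
spec:
  basicAuth:
    secret: traefik-dashboard-auth
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure            # HTTPS only; keep api@internal off the plain web entrypoint
  routes:
    - match: Host(`traefik.local.technotim.live`)
      kind: Rule
      middlewares:
        - name: traefik-dashboard-basicauth   # auth is enforced before api@internal
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: local-technotim-live-tls   # assumed name of the cert-manager issued secret
```

Check the middleware was picked up with `kubectl get middleware -n traefik`; a route to api@internal without a middleware entry exposes the dashboard to anyone who can reach the load balancer IP.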

sample workload

kubectl apply -f deployment.yaml
kubectl apply -f service.yaml
kubectl apply -f ingress.yaml

or apply the whole folder at once

kubectl apply -f nginx

cert-manager

add repo

helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl create namespace cert-manager
kubectl get namespaces

should see

NAME              STATUS   AGE
cert-manager      Active   12s
default           Active   21h
kube-node-lease   Active   21h
kube-public       Active   21h
kube-system       Active   21h
metallb-system    Active   21h
traefik           Active   4h35m

apply crds (1.9.1)

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
helm install cert-manager jetstack/cert-manager --namespace cert-manager --values=values.yaml --version v1.9.1

secrets

kubectl apply -f secret-cf-token.yaml
kubectl apply -f secret-cf-email.yaml

issuers

kubectl apply -f letsencrypt-staging.yaml

create certs

staging

from staging folder

kubectl apply -f technotim-live-cert.yaml
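To show how the Cloudflare secret, the issuer and the wildcard certificate reference each other, here is an added example of a ClusterIssuer plus Certificate; it is not the letsencrypt-staging.yaml or technotim-live-cert.yaml from the post's repo, and the secret name and key, the email address and the domain are assumptions. It uses a scoped Cloudflare API token rather than a global API key.

```yaml
# Added example (not from the original post): Let's Encrypt staging issuer
# solving DNS-01 via Cloudflare, and a wildcard Certificate that uses it.
# Secret/key names, email and domain are assumptions.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging certs are NOT browser-trusted but have generous rate limits; once
    # the challenge succeeds, switch server to
    # https://acme-v02.api.letsencrypt.org/directory in a separate issuer.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: you@example.com
    privateKeySecretRef:
      name: letsencrypt-staging      # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            # Token needs only Zone:Read + DNS:Edit on this zone. For a
            # ClusterIssuer the Secret must live in the cert-manager namespace.
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: cloudflare-token
        selector:
          dnsZones:
            - technotim.live
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: local-technotim-live
  namespace: default                 # same namespace as the Ingress/IngressRoute using it
spec:
  secretName: local-technotim-live-tls   # referenced as tls.secretName by Traefik
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: "*.local.technotim.live"
  dnsNames:
    - local.technotim.live
    - "*.local.technotim.live"      # wildcard is only possible with DNS-01, not HTTP-01
```

Because the private key lands in the secret named by secretName, anyone with read access to secrets in that namespace can impersonate every host under the wildcard, so scope RBAC on that namespace accordingly.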

look at the logs

you can tail the cert-manager controller with (the pod name will differ in your cluster)

kubectl logs -n cert-manager -f cert-manager-877fd747c-fjwhp

get challenges

kubectl get challenges

or more details with

kubectl describe order local-technotim-live-frm2z-1836084675

Links

⚙️ See all the hardware I recommend at https://l.technotim.live/gear

🚀 Don’t forget to check out the 🚀Launchpad repo with all of the quick start source files
