kubernetesssllets-encryptcert-managerhetzner-cloud
Hetzler LB, cert-manager, nginx-ingress example
I installed kubernetes in Hetner based on the repository.
I am using godaddy as DNS management
I have install cert manager in the cluster. I took it from here.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
Load balancer:
apiVersion: v1
kind: Service
metadata:
name: example-lb
annotations:
load-balancer.hetzner.cloud/location: hel1
spec:
selector:
app: example
ports:
- port: 80
targetPort: 5678
type: LoadBalancer
Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: example
spec:
selector:
matchLabels:
app: example
replicas: 1
template:
metadata:
labels:
app: example
spec:
containers:
- name: echo1
image: hashicorp/http-echo
args:
- "-text=echo1"
ports:
- containerPort: 5678
Load balancer got 32695 port
I open firewall for 32695 and 80 ports.
I made an A record to connect my load balancer with subdomain.
I can connect to my pod through the http URL.
ClusterIssuer manifest:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
namespace: cert-manager
spec:
acme:
email: [email protected]
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-issuer-account-key
solvers:
- http01:
ingress:
class: nginx
Certificate manifest
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: secure-homekube-io
namespace: default
spec:
secretName: secure-homekube-io-tls
duration: 2160h # 90d
renewBefore: 360h # 15d
subject:
organizations:
- my-org
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
- client auth
dnsNames:
- my.sub.domain
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
group: cert-manager.io
The question is why certificate has false status?
Update
Describe Challenges:
Waiting for HTTP-01 challenge propagation: did not get expected response when querying endpoint, expected "some.sensitive.data." but got: echo1
Solution
- Create Hetzner project with next config:
hetzner_token:
cluster_name: echo
kubeconfig_path: "./kubeconfig"
k3s_version: v1.26.4+k3s1
public_ssh_key_path: "~/.ssh/id_rsa.pub"
private_ssh_key_path: "~/.ssh/id_rsa"
use_ssh_agent: false # set to true if your key has a passphrase or if SSH connections don't work or seem to hang without agent. See https://github.com/vitobotta/hetzner-k3s#limitations
# ssh_port: 22
ssh_allowed_networks:
- 0.0.0.0/0 # ensure your current IP is included in the range
api_allowed_networks:
- 0.0.0.0/0 # ensure your current IP is included in the range
private_network_subnet: 10.0.0.0/16 # ensure this doesn't overlap with other networks in the same project
disable_flannel: false # set to true if you want to install a different CNI
schedule_workloads_on_masters: false
cloud_controller_manager_manifest_url: "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.18.0/ccm-networks.yaml"
csi_driver_manifest_url: "https://raw.githubusercontent.com/hetznercloud/csi-driver/v2.5.1/deploy/kubernetes/hcloud-csi.yml"
system_upgrade_controller_manifest_url: "https://raw.githubusercontent.com/rancher/system-upgrade-controller/master/manifests/system-upgrade-controller.yaml"
masters_pool:
instance_type: cx11
instance_count: 1
location: hel1
worker_node_pools:
- name: small-static
instance_type: cx21
instance_count: 1
location: hel1
- Install ingress-nginx
helm upgrade --install \
ingress-nginx ingress-nginx/ingress-nginx \
-f value.yaml \
--namespace ingress-nginx \
--create-namespace
value file:
controller:
kind: DaemonSet
metrics:
enabled: true
service:
annotations:
load-balancer.hetzner.cloud/location: hel1
load-balancer.hetzner.cloud/name: lb
load-balancer.hetzner.cloud/use-private-ip: "true"
load-balancer.hetzner.cloud/uses-proxyprotocol: 'true'
load-balancer.hetzner.cloud/hostname: sub.domain.name
load-balancer.hetzner.cloud/http-redirect-https: 'false'
replicaCount: 2
config:
use-proxy-protocol: "true"
- install Cert-manager
helm upgrade --install \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true \
cert-manager jetstack/cert-manager
Connect load-balancer public IP to your DNS
apply Cluster issuer:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
namespace: cert-manager
spec:
acme:
email: [email protected]
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-issuer-account-key
solvers:
- http01:
ingress:
class: nginx
- Apply Certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: secure-homekube-io
namespace: default
spec:
secretName: secure-homekube-io-tls
duration: 2160h # 90d
renewBefore: 360h # 15d
subject:
organizations:
- some-org
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
- client auth
dnsNames:
- sub.domain.name
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
group: cert-manager.io
7 Ingress, service and deployment for test
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-test
namespace: ingress-nginx
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
rules:
- host: sub.domain.name
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: echo
port:
number: 80
tls:
- hosts:
- sub.domain.name
secretName: secure-homekube-io-tls
---
apiVersion: v1
kind: Service
metadata:
name: echo
namespace: ingress-nginx
spec:
selector:
app: echo
ports:
- protocol: TCP
port: 80
targetPort: 5678
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: echo
namespace: ingress-nginx
labels:
app: echo
spec:
selector:
matchLabels:
app: echo
replicas: 1
template:
metadata:
labels:
app: echo
spec:
containers:
- name: echo1
image: hashicorp/http-echo
args:
- "-text=echo1"
ports:
- containerPort: 5678
- The connection to the server localhost:8080 was refused
- How to use Kubernetes secret object stringData to store base64 encoded privateKey
- K8s cluster deployment error: nc: bad address 'xx'
- Ingress path redirection, helm chart
- fluentd with OpenSearch - where does the @timestamp field come from?
- How can I keep a container running on Kubernetes?
- kubectl logs displays only 'API server listening at: [::]:40000' when remote debugging with dlv is enabled - How do I get my logs back?
- failed calling webhook "vingress.elbv2.k8s.aws"
- Kubernetes - Frontend pod can't reach backend pod
- How to access Kubernetes API when using minkube?
- What is Difference between KubernetesManifest@0 and KubernetesManifest@1 in Yaml pipeline?
- kube-prometheus-stack issue scraping metrics
- No stdout/stderror output or delayed when running Haskell application in Kubernetes
- Is there an imperative command to create daemonsets in kubernetes?
- Mongo DB deployment not working in kubernetes because processor doesn't have AVX support
- Nginx Ingress Controller - Failed Calling Webhook
- Easily detect deprecated resources on Kubernetes
- How to configure a Kubernetes Multi-Pod Deployment
- Difference between targetPort and port in Kubernetes Service definition
- EKS Fargate workloads unable to resolve DNS names
- Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "text/html"
- Can't install Kubernetes on Vagrant
- How do I force Kubernetes to re-pull an image?
- no endpoints available for service \"kubernetes-dashboard\"
- Cannot install kubernetes helm chart Error: cannot re-use a name that is still in use
- helm error "Error: This command needs 2 arguments: release name, chart path"
- Helm --set with > as special Charcater at the end
- How can I deploy a helm packaged app to ArgoCD?
- k8s CRD definition: 4 mutually exclusive optional fields
- Minikube with ingress example not working