Notes on Building a Raspberry Pi Kubernetes Cluster (Part 4: TLS, Ingress, and the Dashboard)

ubuntu@fury:~$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’ to cancel):,,,,
Requesting a certificate for and 4 more domains
Performing the following challenges:
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Subscribe to the EFF mailing list (email:
- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your certificate will expire on 2021–05–28. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run “certbot renew”
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt:
Donating to EFF:
microk8s kubectl create secret tls home-tls \
--cert=fullchain.pem \
--key=privkey.pem \
microk8s kubectl describe secret --namespace kube-system home-tls
Name: home-tls
Namespace: kube-system
Labels: <none>
Annotations: <none>
tls.key: 1704 bytes
tls.crt: 3566 bytes
kind: Ingress
name: system-ingress
namespace: kube-system
annotations: HTTPS |
proxy_ssl_verify off;
- hosts:
secretName: home-tls
- host:
- path: /
pathType: Prefix
name: kubernetes-dashboard
number: 443
curl --resolve     
curl --resolve
curl --resolve
curl --resolve
curl --resolve
curl --resolve
curl --resolve
curl --resolve
curl --resolve
kubectl delete ingress/system-ingress --namespace kube-system
token=$(microk8s kubectl -n kube-system get secret \
| grep default-token \
| cut -d “ “ -f1)
microk8s kubectl -n kube-system describe secret $token
Name: default-token-4hvl9
Namespace: kube-system
Labels: <none>
Annotations: default 9ed370e4–9591–4b4c-bf8f-0ceb4c9218d9
ca.crt: 1123 bytes
namespace: 11 bytes

Update: What to do when your certificate expires

LetsEncrypt certificates expire after three months. If you search online, you can find ways to configure your cluster to automatically update its certs, but manual updates are easy if you don’t mind taking your cluster offline for a few minutes.

kubectl create secret tls home-tls \
--namespace=kube-system \
--cert=fullchain.pem --key=privkey.pem \
--dry-run=client \
-o yaml | kubectl apply -f -



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tim Burks

Tim Burks

Software developer in the SF Bay area. Electronic Design Automation, iOS apps, and now API tools for the world’s largest computer.