Notes on Building a Raspberry Pi Kubernetes Cluster (Part 4: TLS, Ingress, and the Dashboard)

ubuntu@fury:~$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): a.domain.me, b.domain.me, c.domain.me, d.domain.me, e.domain.me
Requesting a certificate for a.domain.me and 4 more domains
Performing the following challenges:
http-01 challenge for a.domain.me
http-01 challenge for b.domain.me
http-01 challenge for c.domain.me
http-01 challenge for d.domain.me
http-01 challenge for e.domain.me
Waiting for verification…
Cleaning up challenges
Subscribe to the EFF mailing list (email: me@domain.me).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/a.domain.me/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/a.domain.me/privkey.pem
Your certificate will expire on 2021-05-28. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

microk8s kubectl create secret tls home-tls \
  --cert=fullchain.pem \
  --key=privkey.pem \
  --namespace=kube-system

microk8s kubectl describe secret --namespace kube-system home-tls
Name: home-tls
Namespace: kube-system
Labels: <none>
Annotations: <none>

Type: kubernetes.io/tls

Data
====
tls.key: 1704 bytes
tls.crt: 3566 bytes

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: system-ingress
  namespace: kube-system
  annotations:
    # The dashboard service speaks HTTPS, so nginx must proxy to it over TLS.
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # With proxy_ssl_verify off, nginx does not verify the certificate
    # presented by the dashboard backend.
    nginx.ingress.kubernetes.io/server-snippet: |
      proxy_ssl_verify off;
spec:
  tls:
  - hosts:
    - d.domain.me
    secretName: home-tls
  rules:
  - host: d.domain.me
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443

curl https://d.domain.me --resolve d.domain.me:443:fury
curl https://d.domain.me --resolve d.domain.me:443:stark
curl https://d.domain.me --resolve d.domain.me:443:parker
curl https://d.domain.me --resolve d.domain.me:443:murdock
curl https://d.domain.me --resolve d.domain.me:443:strange
curl https://d.domain.me --resolve d.domain.me:443:banner
curl https://d.domain.me --resolve d.domain.me:443:romanova
curl https://d.domain.me --resolve d.domain.me:443:coulsen
curl https://d.domain.me --resolve d.domain.me:443:vers

kubectl delete ingress/system-ingress --namespace kube-system

token=$(microk8s kubectl -n kube-system get secret \
  | grep default-token \
  | cut -d " " -f1)
microk8s kubectl -n kube-system describe secret "$token"
Name: default-token-4hvl9
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: default
             kubernetes.io/service-account.uid: 9ed370e4-9591-4b4c-bf8f-0ceb4c9218d9

Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1123 bytes
namespace: 11 bytes
token: VERY-LONG-STRING

Update: What to do when your certificate expires

kubectl create secret tls home-tls \
--namespace=kube-system \
--cert=fullchain.pem --key=privkey.pem \
--dry-run=client \
-o yaml | kubectl apply -f -
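
Before re-applying the secret with the command above, it helps to confirm that the renewed fullchain.pem is actually fresh and that privkey.pem belongs to it. The following shell functions are an added example, not part of the original article; the function names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before replacing the home-tls secret.
# Function names and the 30-day default are assumptions, not from the article.

# Exit 0 if the first (leaf) certificate in $1 expires within $2 days,
# 1 if it does not, 2 if the file cannot be parsed as a certificate.
expires_within() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Exit 0 only if the private key in $2 matches the leaf certificate in $1.
# Compares the PEM public keys; an unreadable file counts as a mismatch.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run both checks, then replace the secret with the article's command.
# $1 = fullchain.pem, $2 = privkey.pem, $3 = minimum days of validity.
rotate_secret() {
    min_days=${3:-30}
    if ! key_matches_cert "$1" "$2"; then
        echo "private key does not match certificate; not applying" >&2
        return 1
    fi
    if expires_within "$1" "$min_days"; then
        echo "certificate expires within $min_days days; renew first" >&2
        return 1
    fi
    kubectl create secret tls home-tls \
        --namespace=kube-system \
        --cert="$1" --key="$2" \
        --dry-run=client \
        -o yaml | kubectl apply -f -
}

# Usage: sh rotate.sh fullchain.pem privkey.pem [min_days]
if [ "$#" -ge 2 ]; then
    rotate_secret "$@"
fi
```

A stale copy of the old certificate or a key from a different renewal is rejected before kubectl is ever invoked, so the existing secret stays untouched.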

Software developer in the SF Bay area. Electronic Design Automation, iOS apps, and now API tools for the world’s largest computer.

Tim Burks
