Notes on Building a Raspberry Pi Kubernetes Cluster (Part 4: TLS, Ingress, and the Dashboard)

ubuntu@fury:~$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): a.domain.me, b.domain.me, c.domain.me, d.domain.me, e.domain.me
Requesting a certificate for a.domain.me and 4 more domains
Performing the following challenges:
http-01 challenge for a.domain.me
http-01 challenge for b.domain.me
http-01 challenge for c.domain.me
http-01 challenge for d.domain.me
http-01 challenge for e.domain.me
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: me@domain.me).
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/a.domain.me/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/a.domain.me/privkey.pem
Your certificate will expire on 2021-05-28. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
microk8s kubectl create secret tls home-tls \
--cert=fullchain.pem \
--key=privkey.pem \
--namespace=kube-system
microk8s kubectl describe secret --namespace kube-system home-tls
Name: home-tls
Namespace: kube-system
Labels: <none>
Annotations: <none>
Type: kubernetes.io/tls

Data
====
tls.key: 1704 bytes
tls.crt: 3566 bytes
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: system-ingress
  namespace: kube-system
  annotations:
    # The dashboard only speaks HTTPS, so the ingress proxies to it over TLS.
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # proxy_ssl_verify off makes nginx skip verification of the dashboard's own
    # (upstream) certificate; the client-facing cert is still home-tls below.
    nginx.ingress.kubernetes.io/server-snippet: |
      proxy_ssl_verify off;
spec:
  tls:
  - hosts:
    - d.domain.me
    secretName: home-tls
  rules:
  - host: d.domain.me
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
curl https://d.domain.me --resolve d.domain.me:443:fury
curl https://d.domain.me --resolve d.domain.me:443:stark
curl https://d.domain.me --resolve d.domain.me:443:parker
curl https://d.domain.me --resolve d.domain.me:443:murdock
curl https://d.domain.me --resolve d.domain.me:443:strange
curl https://d.domain.me --resolve d.domain.me:443:banner
curl https://d.domain.me --resolve d.domain.me:443:romanova
curl https://d.domain.me --resolve d.domain.me:443:coulsen
curl https://d.domain.me --resolve d.domain.me:443:vers
kubectl delete ingress/system-ingress --namespace kube-system
# Pick the name of the default service-account token secret (first column of the listing).
token=$(microk8s kubectl -n kube-system get secret \
| grep default-token \
| cut -d " " -f1)
microk8s kubectl -n kube-system describe secret $token
Name: default-token-4hvl9
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: default
kubernetes.io/service-account.uid: 9ed370e4-9591-4b4c-bf8f-0ceb4c9218d9
Type: kubernetes.io/service-account-token

Data
====
ca.crt: 1123 bytes
namespace: 11 bytes
token: VERY-LONG-STRING

Update: What to do when your certificate expires

Let's Encrypt certificates expire after three months. If you search online, you can find ways to configure your cluster to automatically update its certs, but manual updates are easy if you don't mind taking your cluster offline for a few minutes.

kubectl create secret tls home-tls \
--namespace=kube-system \
--cert=fullchain.pem --key=privkey.pem \
--dry-run=client \
-o yaml | kubectl apply -f -
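As an added example (not code from the post), the same renewal step as a small Python module: it builds the Secret manifest that the kubectl dry-run/apply pipeline above produces, refuses swapped --cert/--key files, and compares the leaf fingerprint stored in the cluster with the renewed fullchain.pem so you can confirm the update actually landed. The PEM contents are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# One PEM block: captures the label (CERTIFICATE, PRIVATE KEY, ...) and the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(pem_text):
    """Return [(label, der_bytes), ...] for every block in a PEM file."""
    return [(m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2))))
            for m in PEM_BLOCK.finditer(pem_text)]

def leaf_fingerprint(cert_pem):
    """SHA-256 of the first certificate's DER, the value `openssl x509
    -fingerprint -sha256` prints for the leaf (minus the colons)."""
    certs = [der for label, der in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return hashlib.sha256(certs[0]).hexdigest()

def build_tls_secret(name, namespace, cert_pem, key_pem):
    """Manifest equivalent to `kubectl create secret tls ... --dry-run=client -o yaml`,
    after checking that --cert is a chain and --key a private key, so swapped
    arguments fail here instead of as a broken ingress later."""
    labels = [label for label, _ in pem_blocks(cert_pem)]
    if not labels or set(labels) != {"CERTIFICATE"}:
        raise ValueError("--cert must contain only CERTIFICATE blocks")
    key_labels = [label for label, _ in pem_blocks(key_pem)]
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError("--key must contain exactly one PRIVATE KEY block")
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"tls.crt": base64.b64encode(cert_pem.encode()).decode(),
                     "tls.key": base64.b64encode(key_pem.encode()).decode()}}

def secret_is_current(secret, cert_pem):
    """True when the leaf stored in the cluster (`kubectl get secret home-tls
    -n kube-system -o json`) matches the renewed fullchain.pem on disk."""
    stored = base64.b64decode(secret["data"]["tls.crt"]).decode()
    return leaf_fingerprint(stored) == leaf_fingerprint(cert_pem)

def pem(label, body):
    """Wrap bytes in a PEM block; used only to build the constructed samples below."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(body).decode()}\n-----END {label}-----\n"

# Constructed stand-ins for certbot's fullchain.pem and privkey.pem (not real DER).
SAMPLE_CHAIN = pem("CERTIFICATE", b"leaf-der") + pem("CERTIFICATE", b"issuer-der")
SAMPLE_KEY = pem("PRIVATE KEY", b"key-der")
```

To apply for real, read the two files from /etc/letsencrypt/live/a.domain.me/ and pipe `json.dumps(build_tls_secret(...))` into `kubectl apply -f -`.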

Tim Burks

Software developer in the SF Bay area. Electronic Design Automation, iOS apps, and now API tools for the world’s largest computer.