Notes on Building a Raspberry Pi Kubernetes Cluster (Part 4: TLS, Ingress, and the Dashboard)

ubuntu@fury:~$ sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): a.domain.me, b.domain.me, c.domain.me, d.domain.me, e.domain.me
Requesting a certificate for a.domain.me and 4 more domains
Performing the following challenges:
http-01 challenge for a.domain.me
http-01 challenge for b.domain.me
http-01 challenge for c.domain.me
http-01 challenge for d.domain.me
http-01 challenge for e.domain.me
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: me@domain.me).

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/a.domain.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/a.domain.me/privkey.pem
   Your certificate will expire on 2021-05-28. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

microk8s kubectl create secret tls home-tls \
  --cert=fullchain.pem \
  --key=privkey.pem \
  --namespace=kube-system

microk8s kubectl describe secret --namespace kube-system home-tls
Name:         home-tls
Namespace:    kube-system
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/tls

Data
====
tls.key:  1704 bytes
tls.crt:  3566 bytes

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: system-ingress
  namespace: kube-system
  annotations:
    # The dashboard only speaks TLS, so ingress-nginx must proxy with HTTPS.
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # Skips verification of the dashboard's own (self-signed) certificate on the
    # hop between ingress-nginx and the dashboard pod; the client-facing side
    # still presents the Let's Encrypt certificate from home-tls.
    nginx.ingress.kubernetes.io/server-snippet: |
      proxy_ssl_verify off;
spec:
  tls:
    - hosts:
        - d.domain.me
      secretName: home-tls
  rules:
    - host: d.domain.me
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443

curl https://d.domain.me --resolve d.domain.me:443:fury
curl https://d.domain.me --resolve d.domain.me:443:stark
curl https://d.domain.me --resolve d.domain.me:443:parker
curl https://d.domain.me --resolve d.domain.me:443:murdock
curl https://d.domain.me --resolve d.domain.me:443:strange
curl https://d.domain.me --resolve d.domain.me:443:banner
curl https://d.domain.me --resolve d.domain.me:443:romanova
curl https://d.domain.me --resolve d.domain.me:443:coulsen
curl https://d.domain.me --resolve d.domain.me:443:vers

kubectl delete ingress/system-ingress --namespace kube-system

token=$(microk8s kubectl -n kube-system get secret \
  | grep default-token \
  | cut -d " " -f1)
microk8s kubectl -n kube-system describe secret $token
Name:         default-token-4hvl9
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 9ed370e4-9591-4b4c-bf8f-0ceb4c9218d9

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1123 bytes
namespace:  11 bytes
token:      VERY-LONG-STRING

Update: What to do when your certificate expires

kubectl create secret tls home-tls \
  --namespace=kube-system \
  --cert=fullchain.pem --key=privkey.pem \
  --dry-run=client \
  -o yaml | kubectl apply -f -
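As an added check that is not part of the original post: after renewing with certbot and re-applying the secret, confirm that the certificate stored in home-tls is not close to expiry and that every node presents exactly that certificate for d.domain.me, the same per-node test the curl --resolve loop above does by hand. It assumes the names used on this page (secret home-tls in kube-system, host d.domain.me, the node hostnames from the curl loop) and a Linux host with openssl and microk8s.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumed names from the page: secret home-tls
# in kube-system, host d.domain.me, node hostnames from the curl loop. Needs openssl + microk8s.
set -euo pipefail

HOST="d.domain.me"
NODES=(fury stark parker murdock strange banner romanova coulsen vers)
WARN_DAYS=30   # warn when the stored certificate expires within this many days

# fingerprint: SHA-256 fingerprint of the PEM certificate read from stdin.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# expires_within DAYS: exit 0 when the PEM certificate on stdin expires within DAYS days.
# openssl -checkend exits 0 only while the certificate stays valid, so negate it.
expires_within() {
  ! openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# secret_cert: the tls.crt currently stored in the cluster (what the update step rotates).
secret_cert() {
  microk8s kubectl -n kube-system get secret home-tls \
    -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# served_cert NODE: the leaf certificate NODE presents for HOST (same idea as curl --resolve).
served_cert() {
  openssl s_client -servername "$HOST" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509
}

# check_cluster: warn on near expiry and fail if any node serves a cert other than the secret's.
check_cluster() {
  local want got node rc=0
  want=$(secret_cert | fingerprint)
  if secret_cert | expires_within "$WARN_DAYS"; then
    echo "WARN home-tls expires within $WARN_DAYS days: renew with certbot and re-apply the secret"
    rc=1
  fi
  for node in "${NODES[@]}"; do
    got=$(served_cert "$node" | fingerprint) || { echo "FAIL $node: no certificate"; rc=1; continue; }
    if [ "$got" = "$want" ]; then echo "ok   $node"; else echo "FAIL $node serves a different certificate"; rc=1; fi
  done
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then check_cluster; fi
```

Run it with --run after each rotation; a FAIL line for a node means that node's ingress controller is still serving the old certificate (or none), which is exactly the state the update step is meant to remove.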
