- Have a Kubernetes cluster
- kubectl (v1.28.2 client and server)
- Helm (v3.13.0, GoVersion:go1.21.1)
- Install Hetzner Cloud Manager (follow the linked guide if you haven't done this yet)
- Have your own domain
- Add Traefik with helm
helm repo add traefik https://traefik.github.io/charts
- Change actual-traefik.yaml (password and hostname for the dashboard)
ingressRoute:
  dashboard:
    enabled: true
    matchRule: Host(`dashboard.example.com`) <------ !!!
    entryPoints: ["websecure"]
    middlewares:
      - name: traefik-dashboard-auth
extraObjects:
  - apiVersion: v1
    kind: Secret
    metadata:
      name: traefik-dashboard-auth-secret
    type: kubernetes.io/basic-auth
    stringData:
      username: admin
      password: <change password> <------------ !!!
Consider changing other values in the annotations as well, depending on your server setup (for example region and datacenter).
- Install Traefik with values from actual-traefik.yml
helm install -f traefik-values.yaml traefik traefik/traefik --namespace traefik --create-namespace
If you have installed the hcloud manager correctly, this should have created a new LoadBalancer. Now set up A and AAAA records with the IP address of your LoadBalancer, which you can find in your Hetzner Cloud console. The dashboard will be exposed on the domain you provided (not https, but password protected).
- Install cert-manager CustomResourceDefinitions
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.crds.yaml
- Add Jetstack with helm
helm repo add jetstack https://charts.jetstack.io
- Install cert-manager with helm
helm install cert-manager --namespace cert-manager --version v1.13.1 jetstack/cert-manager --create-namespace
Whoami service example
- Create Whoami Namespace, Deployment and Service
kubectl apply -f whoami.yml
- Change email in
staging-cert-manager.yml
email: [email protected]
- Create the staging cert-manager issuer to test the issuing
kubectl apply -f staging-cert-manager.yml
- Change issuer in
ingress-whoami.yml
cert-manager.io/issuer: "letsencrypt-staging"
- Add the correct domain address in
ingress-whoami.yml
spec:
  tls:
    - hosts:
        - your.example.com
      secretName: tls-whoami-ingress-http
  rules:
    - host: your.example.com
- Start ingress for whoami
kubectl apply -f ingress-whoami.yml
- Now wait 30-60 seconds and run this to check whether the certificate was issued and is valid
kubectl get certificates,challenge,order,pods,services,issuer,deployments,ingress,certificaterequests,secrets,configmaps -n whoami
- If everything worked you can safely delete the ingress (this will delete all the associated cert-manager resources as well)
kubectl delete ingress -n whoami whoami-ingress
IMPORTANT!! This will not issue a certificate that you can use in the browser; it is only for testing purposes, to check that the validation works. Proceed to the production example!!
Skipping steps here that were done during staging
- Change email in
prod-cert-manager.yml
email: [email protected]
- Create the production cert-manager issuer
kubectl apply -f prod-cert-manager.yml
- Change issuer in
ingress-whoami.yml
cert-manager.io/issuer: "letsencrypt-prod"
- Start ingress for whoami
kubectl apply -f ingress-whoami.yml
- Now wait 30-60 seconds and run this to check whether the certificate was issued and is valid
kubectl get certificates,challenge,order,pods,services,issuer,deployments,ingress,certificaterequests,secrets,configmaps -n whoami
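The check steps above (after the staging ingress and after the production ingress) only list the resources. This added Python script, which is not part of the guide, inspects the Certificate object from `kubectl get certificate -n whoami -o json` and reports whether it is Ready, whether it came from the staging issuer (so a browser will not trust it), whether its dnsNames cover the expected host, and how many days remain before expiry. The issuer names, the secret name and the host are the ones used in this guide; the two sample objects are constructed.

```python
"""Verdict on a cert-manager Certificate object (JSON from `kubectl get certificate -n whoami -o json`).
Added example, not from the guide; sample objects below are constructed, not real kubectl output."""
from datetime import datetime

STAGING_ISSUERS = {"letsencrypt-staging"}  # browsers do not trust certs from these

def parse_rfc3339(ts):
    """cert-manager timestamps look like 2024-01-17T12:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_certificate(cert, now, expected_host, warn_days=14):
    """Return {"ready", "issuer", "staging", "days_left", "problems"}."""
    problems = []
    spec, status = cert.get("spec", {}), cert.get("status", {})
    # cert-manager reports readiness as a status condition of type "Ready"
    ready_cond = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
    ready = bool(ready_cond) and ready_cond.get("status") == "True"
    if not ready:
        problems.append("not Ready: " + (ready_cond or {}).get("message", "no Ready condition yet"))
    if expected_host not in spec.get("dnsNames", []):
        problems.append("dnsNames %r do not cover %s" % (spec.get("dnsNames", []), expected_host))
    issuer = spec.get("issuerRef", {}).get("name", "")
    staging = issuer in STAGING_ISSUERS
    if staging:
        problems.append("issued by %s: fine for testing, not trusted by browsers" % issuer)
    days_left = None
    if status.get("notAfter"):
        days_left = (parse_rfc3339(status["notAfter"]) - now).days
        if days_left < 0:
            problems.append("expired %d days ago" % -days_left)
        elif days_left < warn_days:
            problems.append("expires in %d days; check that renewal is working" % days_left)
    return {"ready": ready, "issuer": issuer, "staging": staging,
            "days_left": days_left, "problems": problems}

# Constructed samples: a Ready staging cert, and a prod cert still waiting on its challenge.
STAGING_CERT = {
    "spec": {"secretName": "tls-whoami-ingress-http", "dnsNames": ["your.example.com"],
             "issuerRef": {"name": "letsencrypt-staging", "kind": "Issuer"}},
    "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "Ready"}],
               "notAfter": "2024-01-17T12:00:00Z"},
}
PENDING_PROD_CERT = {
    "spec": {"secretName": "tls-whoami-ingress-http", "dnsNames": ["your.example.com"],
             "issuerRef": {"name": "letsencrypt-prod", "kind": "Issuer"}},
    "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Pending",
                               "message": "waiting for HTTP-01 challenge"}]},
}
```

Against a live cluster, `json.load` the kubectl output and pass `datetime.now(timezone.utc)` as `now`; a non-empty `problems` list means the certificate is not yet something you should put in front of users.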
- Delete cert-manager
helm delete cert-manager -n cert-manager
- Delete cert-manager CRD
kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.crds.yaml
- Delete Traefik
helm delete traefik -n traefik