Jafner.net/homelab/archives/jafner-dev/README.md

Exercise: jafner.dev on GKE

Cert-Manager - Deploy cert-manager on Google Kubernetes Engine

Setting Up Initial Services

  1. Create the cluster: `gcloud container clusters create jafner-dev --preemptible --num-nodes=3`. The nodes are preemptible VMs: GCP can reclaim them at any time and always terminates them within 24 hours (GKE replaces them), so this is a throwaway cluster for testing, not somewhere to keep a service running. The command takes a few minutes.
  2. Create the example hello and hello2 deployments: `kubectl apply -f ./hello/Deployment.yaml -f ./hello2/Deployment.yaml`
  3. Create the example hello and hello2 internal services: `kubectl apply -f ./hello/Service.yaml -f ./hello2/Service.yaml`
  4. Reserve a public global static IP for the Ingress to use: `gcloud compute addresses create web-ip --global`. The address belongs to the GCP project rather than the cluster, so it survives deleting and recreating the cluster and only has to be created once. A GKE Ingress binds to it by name through the `kubernetes.io/ingress.global-static-ip-name: web-ip` annotation; an Ingress without that annotation gets an ephemeral address, and the DNS records in the next step would then point at the wrong IP.
  5. Open Google Domains for jafner.dev and make sure the A records for `*.jafner.dev` and `jafner.dev` point at the address reserved in the previous step. Both the plain-HTTP checks in the next step and the Let's Encrypt HTTP-01 challenges later depend on these records resolving to the load balancer.
  6. Create the Ingress without TLS: `kubectl apply -f ./Ingress-noTLS.yaml`. The GCE load balancer takes a few minutes to come up; once it has, the services are reachable by name: try `curl http://hello.jafner.dev` and `curl http://hello2.jafner.dev`. Getting plain HTTP working first is more than a sanity check: Let's Encrypt validates HTTP-01 challenges by fetching a path under `/.well-known/acme-challenge/` on port 80 through this same load balancer.
  7. Install cert-manager: `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.yaml` (the generic merged manifest, pinned to a release rather than a moving tag). Wait until the cert-manager, cert-manager-cainjector and cert-manager-webhook pods in the `cert-manager` namespace are Running before continuing: the webhook validates the Issuer objects created in the next step, and applying them while it is still starting fails. After that, `kubectl explain` works for the new CustomResourceDefinitions Certificate, CertificateRequest and Issuer that cert-manager installs.
  8. Create staging and production Issuers for Let's Encrypt: `kubectl apply -f ./cert-manager/Issuer.yaml`. The two Issuers point at different ACME directories (`https://acme-staging-v02.api.letsencrypt.org/directory` and `https://acme-v02.api.letsencrypt.org/directory`). Staging has generous rate limits but issues certificates from a CA that browsers do not trust; production issues trusted certificates but enforces rate limits (for example five duplicate certificates per week), which is why the following steps debug against staging first. An Issuer is namespaced, so it must live in the same namespace as the Ingress (a ClusterIssuer would be cluster-wide).
  9. Create an empty Secret to hold the TLS certificate: `kubectl apply -f ./cert-manager/Secret.yaml`. This step is optional: cert-manager creates, and later overwrites, the Secret named in the Ingress's `spec.tls.secretName` on its own.
  10. Apply the Ingress with TLS configured for the staging issuer: `kubectl apply -f Ingress-staging.yaml`. The issuer annotation on the Ingress (`cert-manager.io/issuer`) makes cert-manager create a Certificate, solve the HTTP-01 challenge and write the key and certificate chain into the Secret, after which the load balancer needs several more minutes to load it. You can check on the process with `curl -v --insecure https://hello.jafner.dev` (`--insecure` because the staging CA is not in curl's trust store). While the load balancer has no certificate yet, curl exits with error code 35 (`SSL_ERROR_SYSCALL`). Once the process is complete, curl prints the certificate details, whose issuer contains "(STAGING)", followed by the "Hello, world!" message from the server. If it never completes, describe the Certificate and list the Order and Challenge resources cert-manager created: their events and status say where issuance is stuck.
  11. Apply the Ingress with TLS configured for the production issuer: `kubectl apply -f Ingress.yaml`. The changed issuer annotation makes cert-manager re-issue the certificate from production, which again takes several minutes. Once it is complete, https://hello.jafner.dev and https://hello2.jafner.dev load in a browser with a trusted certificate; check that the issuer no longer says "(STAGING)" before pointing anything real at it.
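The checks implied by steps 4 to 11, as an added shell script that is not part of the jafner-dev repo or the cert-manager tutorial: it confirms that DNS still points at the reserved `web-ip`, waits for cert-manager to mark the Certificate Ready instead of looping `curl`, and then inspects what the load balancer actually serves, classifying the issuer as staging or production and checking that the host is covered by the certificate's subject alternative names. It assumes `gcloud`, `kubectl`, `dig` and `openssl` are installed, that the Ingress lives in the `default` namespace (override with `NAMESPACE`), and that the Certificate is named after the Ingress's `spec.tls.secretName`, which is what cert-manager does when it creates a Certificate from an Ingress; that secret name is not given on this page, so it has to be supplied in `CERT_NAME`.

```shell
#!/usr/bin/env sh
# Added example (not from the jafner-dev repo): verify the cert-manager rollout.
# Assumes gcloud, kubectl, dig and openssl; NAMESPACE defaults to "default";
# CERT_NAME must be the Ingress's spec.tls.secretName (cert-manager names the
# Certificate it creates from an Ingress after that secret).

# Classify an issuer line as printed by `openssl x509 -noout -issuer`.
# Let's Encrypt's staging intermediates carry "(STAGING)" in their names.
classify_issuer() {
  case "$1" in
    *"(STAGING)"*)     echo staging ;;
    *"Let's Encrypt"*) echo production ;;
    *)                 echo unknown ;;
  esac
}

# Does the output of `openssl x509 -ext subjectAltName` ($1) cover host $2?
# Handles exact names and one-label wildcards: *.jafner.dev covers
# hello.jafner.dev but not jafner.dev or a.b.jafner.dev. Runs in a subshell
# so `set -f` (no globbing, a wildcard SAN must stay literal) is local.
san_covers_host() (
  set -f
  host=$2
  for name in $(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'); do
    case "$name" in
      "$host") return 0 ;;
      \*.*) [ "${host#*.}" = "${name#\*.}" ] && [ "${host#*.}" != "$host" ] && return 0 ;;
    esac
  done
  return 1
)

ns=${NAMESPACE:-default}

# 1. DNS for every host must resolve to the reserved global address, or the
#    HTTP-01 challenge is fetched from the wrong place and never succeeds.
check_dns() {
  want=$(gcloud compute addresses describe web-ip --global --format='value(address)')
  for h in "$@"; do
    got=$(dig +short "$h" | tail -n 1)
    if [ "$got" != "$want" ]; then
      echo "FAIL $h resolves to '$got', static IP is '$want'"; return 1
    fi
    echo "ok   $h -> $got"
  done
}

# 2. Wait for cert-manager to report the Certificate Ready; on timeout dump the
#    events and the ACME Order/Challenge objects, which say why it is stuck.
wait_ready() {
  kubectl wait --for=condition=Ready "certificate/$1" -n "$ns" --timeout="${2:-600s}" && return 0
  kubectl describe "certificate/$1" -n "$ns" | sed -n '/^Events:/,$p'
  kubectl get order,challenge -n "$ns"
  return 1
}

# 3. What the load balancer actually presents for a host (SNI matters here).
served_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer -ext subjectAltName
}

# $1 is the expected environment ("staging" or "production"); the rest are hosts.
check_served() {
  want_env=$1; shift
  for h in "$@"; do
    if ! out=$(served_cert "$h"); then
      echo "FAIL $h: no certificate served yet (load balancer still loading it)"; return 1
    fi
    have=$(classify_issuer "$(printf '%s\n' "$out" | sed -n 's/^issuer=//p')")
    if [ "$have" != "$want_env" ]; then
      echo "FAIL $h: certificate issued by $have, expected $want_env"; return 1
    fi
    if ! san_covers_host "$out" "$h"; then
      echo "FAIL $h: not covered by the certificate's SANs"; return 1
    fi
    echo "ok   $h ($have)"
  done
}

# usage: CERT_NAME=<spec.tls.secretName> sh check-tls.sh staging|production host...
# Without arguments the file only defines the functions above.
if [ $# -ge 2 ]; then
  want_env=$1; shift
  check_dns "$@" && wait_ready "${CERT_NAME:?set to the Ingress spec.tls.secretName}" && check_served "$want_env" "$@"
fi
```

Run it with `staging` after step 10 and with `production` after step 11; the issuer check is what catches an Ingress that was applied with the wrong issuer, and the SAN check catches a host that was routed but never added to `spec.tls.hosts`.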

Adding A New Service: dndtools

  1. Deploy the new service: `kubectl apply -f ./dndtools/Deployment.yaml -f ./dndtools/Service.yaml`
  2. Edit Ingress.yaml to route the new application.
    1. Add the new host to `spec.tls.hosts` (e.g. `5e.jafner.dev`). If this is skipped the host is still routed, but the certificate does not cover it and browsers reject the connection.
    2. Add a rule to `spec.rules` for the new host, pointing at the Service created in step 1. For example:

```yaml
spec:
  rules:
  - host: "5e.jafner.dev"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: dndtools
            port:
              number: 80
```

  3. Apply the edited Ingress.yaml: `kubectl apply -f Ingress.yaml` and wait for the change to roll out. cert-manager notices the extra host, re-issues the certificate with the new name, and the load balancer picks it up; after a few minutes the new service is reachable in the browser at https://5e.jafner.dev.
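The manual two-place edit in step 2 is where mistakes happen: a host added to `spec.rules` but not to `spec.tls.hosts` is routed with a certificate that does not cover it. The following is an added example, not a manifest from the jafner-dev repo: a shell function that renders the whole Ingress from one list of `host=service:port` arguments, so the TLS host list and the rules cannot drift apart, and refuses duplicate or malformed entries. The Ingress name `web-ingress`, the issuer names `letsencrypt-staging` and `letsencrypt-production`, and the secret name `web-ssl` used in the usage line are assumptions; the two annotations are the GKE static-IP binding (`kubernetes.io/ingress.global-static-ip-name`, using the `web-ip` reserved in step 4 above) and cert-manager's `cert-manager.io/issuer`, which is what makes cert-manager issue a certificate for the Ingress at all.

```shell
#!/usr/bin/env sh
# Added example (not from the jafner-dev repo): render the full Ingress from a
# single host list so spec.tls.hosts and spec.rules always agree.
# The Ingress, issuer and secret names are caller-supplied assumptions;
# "web-ip" is the static address reserved earlier in the procedure.
#
# render_ingress NAME ISSUER SECRET host=service:port [host=service:port ...]
render_ingress() {
  name=$1; issuer=$2; secret=$3; shift 3
  [ $# -gt 0 ] || { echo "render_ingress: no host=service:port arguments" >&2; return 2; }
  for spec in "$@"; do                       # validate before emitting anything
    case "$spec" in
      *.*=*:[0-9]*) ;;
      *) echo "render_ingress: bad argument '$spec' (want host=service:port)" >&2; return 2 ;;
    esac
  done
  dup=$(for spec in "$@"; do echo "${spec%%=*}"; done | sort | uniq -d)
  [ -z "$dup" ] || { echo "render_ingress: host listed twice: $dup" >&2; return 2; }

  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $name
  annotations:
    kubernetes.io/ingress.global-static-ip-name: web-ip
    cert-manager.io/issuer: $issuer
spec:
  tls:
  - secretName: $secret
    hosts:
EOF
  # every routed host is also a certificate host, from the same list
  for spec in "$@"; do
    echo "    - ${spec%%=*}"
  done
  echo "  rules:"
  for spec in "$@"; do
    host=${spec%%=*}; backend=${spec#*=}
    cat <<EOF
  - host: "$host"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: ${backend%%:*}
            port:
              number: ${backend##*:}
EOF
  done
}

# Usage: render, then apply to the current cluster context. Re-run with the
# extra host=service:port when a service such as dndtools is added, e.g.
#   sh render-ingress.sh web-ingress letsencrypt-production web-ssl \
#     hello.jafner.dev=hello:80 hello2.jafner.dev=hello2:80 5e.jafner.dev=dndtools:80 \
#     | kubectl apply -f -
[ $# -eq 0 ] || render_ingress "$@"
```

Rendering with `letsencrypt-staging` first and `letsencrypt-production` afterwards reproduces the staging/production sequence of steps 10 and 11 without maintaining two hand-edited copies of the manifest. On GKE the Issuer's HTTP-01 solver should reuse this Ingress by name (`solvers[].http01.ingress.name`) rather than create its own, so the challenge path is served through the same load balancer and address that the DNS records point at.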

Done!