Jafner.net/homelab/docs/Jafner-dev on GKE.md
Joey Hafner 5e95fb3a0c Working Jafner.dev with TLS
- TLS for hello, hello2, and dndtools
  - Documentation for adding services
2023-03-29 23:52:38 -07:00


# Exercise: jafner.dev on GKE
[Cert-Manager - Deploy cert-manager on Google Kubernetes Engine](https://cert-manager.io/docs/tutorials/getting-started-with-cert-manager-on-google-kubernetes-engine-using-lets-encrypt-for-ingress-ssl/)
## Setting Up Initial Services
1. Create cluster `gcloud container clusters create jafner-dev --preemptible --num-nodes=3`
This cluster is preemptible, which means it's basically for testing and will kill itself within 24 hours. This command will take a few minutes to create the cluster.
2. Create the example hello and hello2 deployments: `kubectl apply -f ./hello/Deployment.yaml -f ./hello2/Deployment.yaml`
3. Create the example hello and hello2 internal services: `kubectl apply -f ./hello/Service.yaml -f ./hello2/Service.yaml`
4. Create a public global static IP for the cluster to use: `gcloud compute addresses create web-ip --global`
This step is applied across the GCP project and is not necessary for a new cluster.
5. Open [Google Domains for jafner.dev](https://domains.google.com/registrar/jafner.dev/dns?hl=en) and ensure the A records for `*.jafner.dev` and `jafner.dev` are pointed at the correct IP address.
6. Create the Ingress without TLS: `kubectl apply -f ./Ingress-noTLS.yaml`
Once this ingress is created, the services should be internet accessible by domain name. Try `curl http://hello.jafner.dev` and `curl http://hello2.jafner.dev`.
7. Install cert-manager: `kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.yaml` (We use the generic merged manifest here).
After this is done, you can use `kubectl explain` on the new CustomResourceDefinitions `Certificate`, `CertificateRequest`, and `Issuer`, which are installed with cert-manager.
8. Create staging and production Issuers for LetsEncrypt: `kubectl apply -f ./cert-manager/Issuer.yaml`
9. Create empty secret for storing SSL certificate: `kubectl apply -f ./cert-manager/Secret.yaml`
10. Apply the Ingress with TLS configured with the staging issuer: `kubectl apply -f Ingress-staging.yaml`
It will take several minutes for the background process of acquiring and loading the certificate to complete. You can check on the process with `curl -v --insecure https://hello.jafner.dev`. While the process is running, you will get an error code 35 with `SSL_ERROR_SYSCALL`. Once the process is complete, curl will return verbose certificate information and the "Hello, world!" message from the server.
11. Apply the Ingress with TLS configured with the production issuer: `kubectl apply -f Ingress.yaml`
This process will take several minutes like the previous one. Once it is complete, you should be able to access `https://hello.jafner.dev` and `https://hello2.jafner.dev` by browser.
## Adding A New Service: `dndtools`
1. Deploy the new service: `kubectl apply -f ./dndtools/Deployment.yaml -f ./dndtools/Service.yaml`
2. Edit `Ingress.yaml` to configure the new application.
    1. Add the new host to `spec.tls.hosts` (e.g. `5e.jafner.dev`).
    2. Add a stanza to `spec.rules` for the new host. For example:
    ```yaml
    spec:
      rules:
      - host: "5e.jafner.dev"
        http:
          paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: dndtools
                port:
                  number: 80
    ```
3. Apply the edited `Ingress.yaml`: `kubectl apply -f Ingress.yaml` and wait for the changes to apply. Once changes are applied, the new service will be accessible in the browser at `https://5e.jafner.dev`.
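The easy mistake in the procedure above is editing `spec.rules` but forgetting step 2.1, so the new host is routed but the certificate cert-manager requests does not cover it. The script below is an added example, not part of this repo: it reads the live Ingress as JSON (`kubectl get ingress <name> -o json | python3 check_ingress.py`) and reports hosts with a rule but no TLS coverage, TLS hosts that nothing routes, and a missing issuer annotation. It goes slightly beyond the page by treating a single-label wildcard such as `*.jafner.dev` as covering `5e.jafner.dev`. The Ingress name `web-ingress`, the issuer name `letsencrypt-prod`, the secret name `web-ssl`, and the `cert-manager.io/issuer` annotation are assumptions for the constructed sample, not values taken from the repo's manifests.

```python
"""Consistency check for an Ingress whose TLS certificate comes from cert-manager.

Usage:
    kubectl get ingress web-ingress -o json | python3 check_ingress.py
With nothing on stdin, the constructed sample below is checked instead.
"""
import json
import sys

# Constructed sample (assumed names, not the repo's manifest): "5e.jafner.dev"
# has a routing rule but was never added to spec.tls.hosts, and
# "old.jafner.dev" is still under TLS although its rule is gone.
SAMPLE_INGRESS = json.dumps({
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "web-ingress",
        "annotations": {"cert-manager.io/issuer": "letsencrypt-prod"},
    },
    "spec": {
        "tls": [{"hosts": ["hello.jafner.dev", "hello2.jafner.dev",
                           "old.jafner.dev"],
                 "secretName": "web-ssl"}],
        "rules": [
            {"host": host,
             "http": {"paths": [{"pathType": "Prefix", "path": "/",
                                 "backend": {"service": {
                                     "name": svc,
                                     "port": {"number": 80}}}}]}}
            for host, svc in [("hello.jafner.dev", "hello"),
                              ("hello2.jafner.dev", "hello2"),
                              ("5e.jafner.dev", "dndtools")]
        ],
    },
})


def load_ingress(raw: str) -> dict:
    """Parse the JSON form of an Ingress object (as printed by kubectl -o json)."""
    return json.loads(raw)


def covered(host: str, tls_hosts: set) -> bool:
    """True if host is listed exactly or matched by a one-label wildcard:
    "*.jafner.dev" covers "5e.jafner.dev" but not "a.b.jafner.dev"."""
    if host in tls_hosts:
        return True
    labels = host.split(".")
    return len(labels) > 1 and "*." + ".".join(labels[1:]) in tls_hosts


def check_ingress(ingress: dict) -> dict:
    """Return the findings as data so callers (or tests) can act on them."""
    spec = ingress.get("spec", {})
    tls = {h for block in spec.get("tls", []) for h in block.get("hosts", [])}
    rules = {r["host"] for r in spec.get("rules", []) if "host" in r}
    annotations = ingress.get("metadata", {}).get("annotations", {})
    issuer = (annotations.get("cert-manager.io/issuer")
              or annotations.get("cert-manager.io/cluster-issuer"))
    return {
        # routed hosts the requested certificate will not cover
        "hosts_without_tls": sorted(h for h in rules if not covered(h, tls)),
        # names in the certificate request that nothing routes
        "tls_hosts_without_rule": sorted(
            h for h in tls if not h.startswith("*.") and h not in rules),
        "issuer": issuer,
    }


def report(ingress: dict) -> bool:
    """Print findings; return True only when the Ingress is consistent."""
    result = check_ingress(ingress)
    ok = True
    if result["issuer"] is None:
        print("WARN: no cert-manager issuer annotation; no certificate will be requested")
        ok = False
    for h in result["hosts_without_tls"]:
        print(f"WARN: {h} has a rule but is not in spec.tls.hosts")
        ok = False
    for h in result["tls_hosts_without_rule"]:
        print(f"WARN: {h} is in spec.tls.hosts but has no rule")
        ok = False
    if ok:
        print(f"OK: issuer={result['issuer']}, every rule host is covered by TLS")
    return ok


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INGRESS
    sys.exit(0 if report(load_ingress(raw)) else 1)
```

Run it after step 3 and before trusting the browser check; a non-zero exit means the certificate cert-manager is about to request will not match what the Ingress serves.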
Done!