kubernetes cluster 19 part 1

19th attempt to get a k8s setup working

Goals

• kubernetes cluster
• config in git
• tls certificates

tldr

config: seankhliao/kluster @ v0.19.0

use with:

• make create-cluster
• make decrypt // or create appropriate secret files
• kubectl apply -k . // maybe repeat a few times if things fail

cluster / config

• GKE
• kustomize

certificates

• cert-manager and lets encrypt

cluster

GKE, but cheaply, ok? 1 zonal E2 node

• disable http load balancing
• add DNS + wildcard CNAME to point to node

config

use kubectl's built in kustomize support

• helm 3 might be better than 2 without Tiller, but I want control
• helm is still useful to get a decent starting config helm install --dry-run --debug name repo/chart > bundle.yaml
• the only command you'll ever need is kubectl apply -k .
• careful with --prune --all especially with GKE managed resources(?)
• configMapGenerator and secretGenerator means config and secrets get their own files (and file types!)

tls

cert-manager is a royal pain to get running. DO NOT attempt to change anything from their default config

Lets Encrypt Cluster Issuer with Cloudflare DNS Challenge

• cloudflare API token needs Zone:Zone:Read, Zone:DNS:Edit on all zones(?)

 1apiVersion: cert-manager.io/v1alpha2
 2kind: ClusterIssuer
 3metadata:
 4  name: le-issuer
 5spec:
 6  acme:
 7    email: admin@example.com
 8    server: https://acme-v02.api.letsencrypt.org/directory
 9    privateKeySecretRef:
10      name: le-issuer-account
11    solvers:
12      - dns01:
13          cloudflare:
14            email: admin@example.com
15            apiTokenSecretRef:
16              name: cloudflare
17              key: token

certificate resource:

 1apiVersion: cert-manager.io/v1alpha2
 2kind: Certificate
 3metadata:
 4  name: api.seankhliao.com
 5spec:
 6  secretName: api-seankhliao-com-tls
 7  duration: 2160h
 8  renewBefore: 360h
 9  dnsNames:
10    - api.seankhliao.com
11    - "*.api.seankhliao.com"
12  issuerRef:
13    name: le-issuer
14    kind: ClusterIssuer