kubernetes cluster 19 part 1

19th attempt to get a k8s setup working

SEAN K.H. LIAO

kubernetes cluster 19 part 1

19th attempt to get a k8s setup working

Goals

kubernetes cluster
config in git
tls certificates

tldr

config: seankhliao/kluster @ v0.19.0

use with:

make create-cluster
make decrypt // or create appropriate secret files
kubectl apply -k . // maybe repeat a few times if things fail

cluster / config

GKE
kustomize

certificates

cert-manager and lets encrypt

cluster

GKE, but cheaply, ok? 1 zonal E2 node

disable http load balancing
add DNS + wildcard CNAME to point to node

config

use kubectl's built in kustomize support

helm 3 might be better than 2 without Tiller, but I want control
helm is still useful to get a decent starting config helm install --dry-run --debug name repo/chart > bundle.yaml
the only command you'll ever need is kubectl apply -k .
careful with --prune --all especially with GKE managed resources(?)
configMapGenerator and secretGenerator means config and secrets get their own files (and file types!)

tls

cert-manager is a royal pain to get running. DO NOT attempt to change anything from their default config

Lets Encrypt Cluster Issuer with Cloudflare DNS Challenge

cloudflare API token needs Zone:Zone:Read, Zone:DNS:Edit on all zones(?)

apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: le-issuer
spec:
  acme:
    email: admin@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: le-issuer-account
    solvers:
      - dns01:
          cloudflare:
            email: admin@example.com
            apiTokenSecretRef:
              name: cloudflare
              key: token

certificate resource:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: api.seankhliao.com
spec:
  secretName: api-seankhliao-com-tls
  duration: 2160h
  renewBefore: 360h
  dnsNames:
    - api.seankhliao.com
    - "*.api.seankhliao.com"
  issuerRef:
    name: le-issuer
    kind: ClusterIssuer