Albert Colom

Originally published at Medium

Easy steps to install K3s with SSL certificate by traefik, cert manager and Let’s Encrypt

How to install k3s + Traefik + CertManager + LetsEncrypt

Why use k3s?

k3s is a lightweight Kubernetes distribution designed to be minimal and efficient, making it well-suited for resource-constrained environments and use cases where simplicity and ease of deployment are important. It was created by Rancher Labs and is intended to simplify the installation and management of Kubernetes clusters.

This example uses k3s with the Traefik ingress controller, since it is the K3s default and a lightweight, easy, and fast solution. If you prefer another one, feel free to use it.

Why use cert manager?

Using cert-manager on Kubernetes simplifies SSL/TLS certificate management, automates the renewal process, integrates seamlessly with Kubernetes resources, and provides the flexibility to work with various certificate issuers. This results in enhanced security and reduced operational overhead for securing your Kubernetes applications.


1. Install k3s

curl -sfL https://get.k3s.io | sh - 

If you want to access the k3s cluster from outside the node, pass the --tls-san parameter when creating the cluster.

curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--tls-san <public ip address or hostname>" sh -

By default, your user does not have permission to access k3s.yaml. To resolve this, copy the file and give the copy the necessary permissions.

NOTE : It’s not recommended to give permissions to the original file.

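mkdir -p $HOME/.kube
sudo cp /etc/rancher/k3s/k3s.yaml $HOME/.kube/config
# the copy holds the cluster admin credentials: make it yours and readable by you only
sudo chown $(id -u):$(id -g) $HOME/.kube/config
chmod 600 $HOME/.kube/config

export KUBECONFIG=~/.kube/config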

You can add export KUBECONFIG=~/.kube/config to your ~/.profile or ~/.bashrc to make it persist across reboots.
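
The copy step above, written as a reusable function that also covers the --tls-san case. This is an added example, not code from the original post: the function names are hypothetical, and it assumes the generated k3s.yaml points at https://127.0.0.1:6443, which has to become the --tls-san host when the file is used from another machine.

```shell
#!/bin/sh
# Added example: write a per-user kubeconfig that is never readable by others.

# Succeeds only if file $1 grants nothing to group or others (e.g. mode 600).
kubeconfig_is_private() {
    # Characters 5-10 of `ls -l` output are the group and other permission bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Read a k3s kubeconfig on stdin and write it to $1 with owner-only access.
#   $1  destination, e.g. $HOME/.kube/config
#   $2  optional host or IP given to --tls-san; replaces the loopback address
write_user_kubeconfig() {
    dest=$1
    host=${2:-127.0.0.1}
    (
        umask 077                          # files and dirs are owner-only from creation
        mkdir -p "$(dirname "$dest")" &&
        # Assumption: the server line is https://127.0.0.1:<port> as generated by k3s.
        sed "s#server: https://127\.0\.0\.1:#server: https://${host}:#" > "$dest" &&
        chmod 600 "$dest"                  # also tightens a pre-existing, looser file
    ) && kubeconfig_is_private "$dest"
}

# Usage on the node (the redirect runs as your user, so no chown is needed):
#   sudo cat /etc/rancher/k3s/k3s.yaml | write_user_kubeconfig "$HOME/.kube/config"
# Usage for a workstation copy (placeholder host):
#   sudo cat /etc/rancher/k3s/k3s.yaml | write_user_kubeconfig ./k3s-remote.yaml <public ip address or hostname>
```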


2. Install helm (optional)

This step is completely optional for following the tutorial, but highly recommended.

Helm is a package manager for Kubernetes that simplifies the deployment and management of applications in Kubernetes clusters.

Installing Helm on K3s is really easy: just execute the script, and you don’t need to modify any config!

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
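
Both installers on this page (get.k3s.io and get_helm.sh) run code fetched at install time, the k3s one as root. The following added example, which is not from the original post, runs a downloaded installer only if it matches a digest you recorded after reviewing it; the function names and the install-k3s.sh file name are hypothetical.

```shell
#!/bin/sh
# Added example: gate a downloaded installer on a pinned SHA-256 digest.

# Print the SHA-256 hex digest of file $1 (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run installer $1 only if its digest equals the pinned value $2.
# Remaining arguments go to the installer. Returns 3 on a digest mismatch.
run_if_digest_matches() {
    script=$1
    pinned=$2
    shift 2
    case $script in */*) ;; *) script=./$script ;; esac   # never resolve via PATH
    actual=$(file_sha256 "$script") || return 1
    if [ "$actual" != "$pinned" ]; then
        echo "refusing to run $script: got $actual, expected $pinned" >&2
        return 3
    fi
    chmod 700 "$script" && "$script" "$@"
}

# Usage on the node (values in <> are placeholders you fill in):
#   curl -sfL -o install-k3s.sh https://get.k3s.io
#   less install-k3s.sh && file_sha256 install-k3s.sh    # review once, record the digest
#   export INSTALL_K3S_VERSION=<k3s release tag>         # pin the release as well
#   export INSTALL_K3S_EXEC="--tls-san <public ip address or hostname>"
#   run_if_digest_matches install-k3s.sh <recorded digest>
#   run_if_digest_matches get_helm.sh <recorded digest>
```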

3. Install cert manager

There are two main ways to install it: with Helm or with kubectl. Personally, I prefer to use the Helm package manager, with all the advantages that come with it.

Option 1: Install by Helm (recommended)

Add the official repository to Helm

helm repo add jetstack https://charts.jetstack.io

Update your local Helm chart repository

helm repo update

And install cert-manager in the cert-manager namespace

helm install \
 cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true

NOTE: You can find all the config parameters on the official chart page: https://artifacthub.io/packages/helm/cert-manager/cert-manager

Option 2: Install by kubectl

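# cert-manager.yaml is the full static manifest (CRDs plus the cert-manager components); cert-manager.crds.yaml alone installs only the CRDs
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.4/cert-manager.yaml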

3.1 Verify the cert manager installation

kubectl -n cert-manager get pod



4. Create the ClusterIssuer resource

Create ClusterIssuer for staging environment

# cluster-issuer-staging.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: default
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: <YOUR_EMAIL> # replace with your valid email address
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - selector: {}
      http01:
        ingress:
          class: traefik

kubectl apply -f cluster-issuer-staging.yaml

Create ClusterIssuer for production environment

# cluster-issuer-production.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
  namespace: default
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <YOUR_EMAIL> # replace with your valid email address
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
    - selector: {}
      http01:
        ingress:
          class: traefik

kubectl apply -f cluster-issuer-production.yaml

Verify that it has been properly applied

kubectl get ClusterIssuer -A


And check the status of ClusterIssuer

kubectl describe clusterissuer letsencrypt-staging
kubectl describe clusterissuer letsencrypt-production

5. Let’s play!

Finally we are going to create our certificate

5.1 Create a dummy application

In this step, we create a very basic dummy nginx application. If you already have an application, you can go to the next step.

Create a deployment using a default image from nginx:alpine

kubectl create deployment nginx --image nginx:alpine 

Show the deployments status

kubectl get deployments


kubectl describe deployment nginx

Expose the server at port 80

kubectl expose deployment nginx --port 80 --target-port 80

Check that the service is correct and running

kubectl get svc


5.2 Create a Traefik ingress

Define the Traefik ingress with the cert-manager annotations and the tls section so that cert-manager can manage our certificate.

# ingress-nginx.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/ingress.class: traefik
  labels:
    app: nginx
  name: nginx
  namespace: default
spec:
  rules:
  - host: example.com # change to your domain
    http:
      paths:
      - backend:
          service:
            name: nginx
            port: 
              number: 80
        path: /
        pathType: Prefix  
  tls:
  - hosts:
    - example.com # change to your domain
    secretName: example-com-tls

kubectl apply -f ingress-nginx.yaml

Verify that the certificate has actually been created

kubectl get cert -n default

NOTE: I changed the host example.com to letsencrypt-k3s.albertcolom.com and changed example-com-tls to letsencryptk3s-albertcolom-com-tls.


You can now see the valid certificate issued by Let’s Encrypt!



Conclusion

Once you have installed cert manager it is really easy to manage your certificates together with traefik. You just have to set a couple of parameters in the ingress and the system takes care of everything.

No more excuses for not using a valid certificate!

Originally published at: albertcolom.com
