Setting up a Microk8s cluster with a domain and SSL certificate
- Aniket Patel
- Kubernetes, Microk8s, Devops
- January 17, 2024
Microk8s is a lightweight Kubernetes distribution that’s perfect for development, testing, and small-scale deployments. It’s easy to install and configure, and it includes all the essential features of Kubernetes.
In this blog post, I’ll walk you through the process of setting up a Microk8s cluster with a domain name and SSL certificate. This will allow you to expose your Kubernetes services to the outside world securely.
Here are the steps involved:
- Install Microk8s
Using Homebrew:
brew install ubuntu/microk8s/microk8s
Run the installer:
microk8s install
Wait for it to be ready:
microk8s status --wait-ready
- Enable Add-ons
- Enable the dashboard and DNS:
microk8s enable dashboard dns
- Access the dashboard:
microk8s dashboard-proxy
- Enable Traefik (ingress controller):
microk8s enable traefik
- Enable MetalLB (for external IP addresses). Use an IP range from your local network; check with ifconfig and look for bridge100:
microk8s enable metallb:192.168.64.240-192.168.64.250 # Replace with your IP range
- Enable cert-manager (for SSL certificates):
microk8s enable cert-manager dns
- Configure Traefik
Disable Traefik's verification of backend TLS certificates (for testing purposes only) by adding this argument to the Traefik container:
- '--serverstransport.insecureskipverify=true'
- Deploy a Sample Application
Apply a sample deployment:
kubectl apply -f https://raw.githubusercontent.com/ct-Open-Source/k8s-examples/master/whoami.yaml
- Apply an IngressRoute for whoami, and one with similar values for Traefik.
- Change the IP address in the following manifests. You can check the IP address using the following command:
kubectl get svc -n traefik
# output
NAME      TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)                      AGE
traefik   LoadBalancer   10.152.183.144   192.168.64.240   80:31415/TCP,443:32139/TCP   9d
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: whoami-cert
spec:
  commonName: "*.nip.io"
  secretName: xip-io-cert
  issuerRef:
    name: selfsigned
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`whoami.192.168.64.240.nip.io`)
      services:
        - name: whoami-service
          port: 80
  tls:
    secretName: xip-io-cert

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: traefik
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: traefik-cert
  namespace: traefik
spec:
  commonName: "*.nip.io"
  secretName: xip-io-cert
  issuerRef:
    name: selfsigned
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-dashboard-transport
  namespace: traefik
spec:
  serverName: traefik-dashboard
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.192.168.64.240.nip.io`) && ( PathPrefix(`/api`) || PathPrefix(`/dashboard`) )
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
          serversTransport: traefik-dashboard-transport
  tls:
    secretName: xip-io-cert
- Access Your Services
Using nip.io domain:
https://whoami.192.168.64.240.nip.io
https://traefik.192.168.64.240.nip.io
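A pre-flight check for the manifests above, added here as an example and not part of the original post: it confirms that every Host() rule embeds the load balancer IP and is covered by the certificate name. TLS clients match a wildcard against exactly one leftmost label (RFC 6125), so `*.nip.io` does not cover `whoami.192.168.64.240.nip.io`, while `*.192.168.64.240.nip.io` would. The function names and the trimmed sample manifest are assumptions made for illustration, and only the dotted nip.io form is handled.

```python
import ipaddress
import re

# Constructed sample: the certificate name and Host() rules used in the post.
MANIFEST = """
commonName: "*.nip.io"
match: Host(`whoami.192.168.64.240.nip.io`)
match: Host(`traefik.192.168.64.240.nip.io`) && ( PathPrefix(`/api`) || PathPrefix(`/dashboard`) )
"""

def hosts(manifest):
    """Hostnames named in Traefik Host(`...`) matchers."""
    return re.findall(r"Host\(`([^`]+)`\)", manifest)

def nip_ip(host):
    """IPv4 address embedded in a dotted nip.io name, or None."""
    m = re.search(r"(?:^|\.)((?:\d{1,3}\.){3}\d{1,3})\.nip\.io$", host)
    try:
        return ipaddress.IPv4Address(m.group(1)) if m else None
    except ipaddress.AddressValueError:
        return None

def cert_covers(pattern, host):
    """RFC 6125 matching: '*' stands for exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def check(manifest, lb_ip, names=None):
    """Return {host: [problems]} for every Host() rule in the manifest."""
    if names is None:  # default to the commonName values in the manifest
        names = re.findall(r'commonName:\s*"([^"]+)"', manifest)
    report = {}
    for host in hosts(manifest):
        problems = []
        if nip_ip(host) != ipaddress.IPv4Address(lb_ip):
            problems.append("embedded IP is not the load balancer IP")
        if not any(cert_covers(n, host) for n in names):
            problems.append("no certificate name covers it")
        report[host] = problems
    return report

if __name__ == "__main__":
    for names in (None, ["*.192.168.64.240.nip.io"]):
        print(names, check(MANIFEST, "192.168.64.240", names))
```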