This guide shows how to configure an attached cluster with a custom-issued certificate for Traefik, so that the cluster is correctly recognized and configured by the management cluster.
```bash
# Path to the management cluster kubeconfig file
export KUBECONFIG=/path/to/the/management-cluster-kubeconfig
# Workspace name where the new cluster will be attached
export WORKSPACE_NAMESPACE=acme
# Name of the newly attached cluster
export ATTACHED_CLUSTER_NAME=acme-test
# DNS name that will be used for the attached cluster
export CLUSTER_DOMAIN_NAME="attached.mh.ksphere-platform.d2iq.cloud"
```
Applicable versions
- DKP 2.0.x
- DKP 2.1.x
- DKP 2.2.x
Attach a cluster without custom domain
CLUSTER: `management`
```bash
./kommander create workspace "$WORKSPACE_NAMESPACE" -n "$WORKSPACE_NAMESPACE"
./kommander attach cluster -n "$ATTACHED_CLUSTER_NAME" --attached-kubeconfig /path/to/kubeconfig -w "$WORKSPACE_NAMESPACE"
```
If DNS records for custom domains need to be managed automatically, see the per-cluster external-dns documentation.
Configure custom domain and certificate
CLUSTER: `attached`
Disable the certificate created by Kommander so that the secret where the certificate is stored can be updated.
NOTE: This is the same operation that `kommander-cli` performs on the `management` cluster when it is installed with a Let's Encrypt certificate configuration.
```bash
cat << EOF | kubectl -n "$WORKSPACE_NAMESPACE" patch certificate kommander-traefik --type='merge' --patch-file=/dev/stdin
---
spec:
  issuerRef:
    name: no-op
EOF
```
Replace the Traefik certificate values with the custom certificate:
```bash
export CERT_PATH=cert/attached.test.crt.pem
export CERT_KEY_PATH=cert/attached.test.key.pem
export CERT_CA_PATH=cert/ca.crt.pem
cat << EOF | kubectl -n "$WORKSPACE_NAMESPACE" apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: kommander-traefik-certificate
  namespace: ${WORKSPACE_NAMESPACE}
type: kubernetes.io/tls
data:
  ca.crt: $(cat "$CERT_CA_PATH" | base64 -w 0)
  tls.crt: $(cat "$CERT_PATH" | base64 -w 0)
  tls.key: $(cat "$CERT_KEY_PATH" | base64 -w 0)
EOF
```
Configure the new domain name and certificate in `konvoyconfig-kubeaddons` on the attached cluster.
```bash
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: konvoyconfig-kubeaddons
  namespace: ${WORKSPACE_NAMESPACE}
data:
  clusterHostname: "${CLUSTER_DOMAIN_NAME}"
  caSecretName: kommander-traefik-certificate
EOF
```
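A mismatched key, a certificate that does not chain to `ca.crt`, or a certificate that does not cover `clusterHostname` will only surface later as TLS errors, so it is worth checking the three files before they are loaded into `kommander-traefik-certificate`. The script below is an added example, not part of the original guide or of DKP tooling; it assumes the `openssl` CLI is installed, and the function names and the sample hostname `attached.example.test` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not DKP tooling. Function names are hypothetical.
# Usage: check_traefik_cert "$CERT_PATH" "$CERT_KEY_PATH" "$CERT_CA_PATH" "$CLUSTER_DOMAIN_NAME"
# Returns 0 only if every check passes.
check_traefik_cert() {
  local cert=$1 key=$2 ca=$3 host=$4 rc=0 cert_pub key_pub
  # tls.key must be the private key of tls.crt: compare the two public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key of $cert" >&2; rc=1
  fi
  # tls.crt must chain to ca.crt (intermediates bundled in tls.crt are used).
  if ! openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca" >&2; rc=1
  fi
  # The certificate must cover the clusterHostname set in konvoyconfig-kubeaddons.
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
       | grep -q 'does match'; then
    echo "FAIL: $cert is not valid for host $host" >&2; rc=1
  fi
  # Reject a certificate that is expired or expires within 24 hours.
  if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
    echo "FAIL: $cert expires within 24 hours" >&2; rc=1
  fi
  return "$rc"
}

# make_sample_pki DIR HOST: constructed throwaway CA and leaf, for the demo only.
make_sample_pki() {
  local d=$1 host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=sample CA" \
    -keyout "$d/ca.key.pem" -out "$d/ca.crt.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sample leaf" \
    -keyout "$d/leaf.key.pem" -out "$d/leaf.csr.pem" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
  openssl x509 -req -in "$d/leaf.csr.pem" -days 2 -extfile "$d/san.ext" \
    -CA "$d/ca.crt.pem" -CAkey "$d/ca.key.pem" -CAcreateserial \
    -out "$d/leaf.crt.pem" 2>/dev/null
}

# Run with --demo to exercise the checks on constructed sample certificates.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_sample_pki "$d" attached.example.test
  check_traefik_cert "$d/leaf.crt.pem" "$d/leaf.key.pem" "$d/ca.crt.pem" \
    attached.example.test && echo "OK: all checks passed"
  rm -rf "$d"
fi
```

All failing checks are reported in one pass, so a single run shows everything that needs fixing before the secret is applied.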
Trigger update on management cluster
CLUSTER: `management`
This manually triggers the updates on the management cluster, which reconfigure its components to use the newly configured domain on the attached cluster.
```bash
cat << EOF | kubectl -n "$WORKSPACE_NAMESPACE" patch kommandercluster "$ATTACHED_CLUSTER_NAME" --type='merge' --patch-file=/dev/stdin
---
metadata:
  annotations:
    d2iq-update: "$(date +%s)"
EOF
```