This is a guide on how to configure an attached cluster with a Let's Encrypt-issued certificate for Traefik, so that the cluster is correctly recognized and configured by the management cluster.
Basic configuration variables:
```sh
# Path to management cluster kubeconfig file
export KUBECONFIG=/path/to/the/management-cluster-kubeconfig
# Workspace name where the new cluster will be attached
export WORKSPACE_NAMESPACE=acme
# Name of the newly attached cluster
export ATTACHED_CLUSTER_NAME=acme-test
# DNS name that will be used for the attached cluster
export CLUSTER_DOMAIN_NAME="attached.ksphere-platform.d2iq.cloud"
```
Applicable versions
- DKP 2.0.x
- DKP 2.1.x
- DKP 2.2.x
Attach the cluster without the Let's Encrypt certificate
Create a new namespace and attach a cluster:
```sh
./kommander create workspace $WORKSPACE_NAMESPACE -n $WORKSPACE_NAMESPACE
./kommander attach cluster -n "$ATTACHED_CLUSTER_NAME" --attached-kubeconfig /path/to/kubeconfig -w $WORKSPACE_NAMESPACE
```
If it is necessary to automatically manage DNS records for custom domains, please see our cluster external-dns documentation:
https://docs.d2iq.com/dkp/kommander/2.2/networking/external-dns/
cert-manager ClusterIssuer
CLUSTER: `attached`
Create a new ACME `ClusterIssuer` for the Let's Encrypt certificate. This particular `ClusterIssuer` is configured to complete an ACME challenge of type `DNS01` (see https://letsencrypt.org/docs/challenge-types/):
```sh
export ACME_EMAIL=kommander-e2e-tests@d2iq.com
export AWS_REGION=us-west-2
export EXTERNAL_DNS_ROUTE53_ZONE_ID=Z36CN7WXPDV8VR
export EXTERNAL_DNS_AWS_ASSUME_ROLE=arn:aws:iam::999867407951:role/cert-manager-dns01

cat << EOF | kubectl apply -f -
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: kommander-acme-issuer
spec:
  acme:
    email: "${ACME_EMAIL}"
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: kommander-acme-issuer-account
    solvers:
    - dns01:
        route53:
          region: "${AWS_REGION}"
          hostedZoneID: "${EXTERNAL_DNS_ROUTE53_ZONE_ID}"
          role: "${EXTERNAL_DNS_AWS_ASSUME_ROLE}"
EOF
```
Disable the certificate created by Kommander in order to update the secret where the certificate is stored.
NOTE: This is the same operation that `kommander-cli` performs on the `management` cluster when it is installed with a Let's Encrypt certificate configuration.
```sh
cat << EOF | kubectl -n $WORKSPACE_NAMESPACE patch certificate kommander-traefik --type='merge' --patch-file=/dev/stdin
---
spec:
  issuerRef:
    name: no-op
EOF
```
Create a new Traefik `Certificate` issued by the newly created ACME issuer:
```sh
cat << EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kommander-traefik-acme
  namespace: ${WORKSPACE_NAMESPACE}
spec:
  secretName: kommander-traefik-certificate
  duration: 19200h # 800d
  commonName: "${CLUSTER_DOMAIN_NAME}"
  isCA: false
  usages:
  - server auth
  dnsNames:
  - "${CLUSTER_DOMAIN_NAME}"
  issuerRef:
    name: kommander-acme-issuer
    kind: ClusterIssuer
EOF
```
Configure the new domain name and certificate in `konvoyconfig-kubeaddons` on the attached cluster:
```sh
cat << EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: konvoyconfig-kubeaddons
  namespace: ${WORKSPACE_NAMESPACE}
data:
  clusterHostname: "${CLUSTER_DOMAIN_NAME}"
  caSecretName: kommander-traefik-certificate
EOF
```
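Before applying the manifests above it is worth validating the exported variables, since a malformed domain, zone ID or role ARN only shows up later as a stuck `Certificate` or a failed DNS01 challenge. The following POSIX shell script is an added example, not part of the DKP/Kommander documentation or tooling: it checks each variable the guide relies on and then renders the same `Certificate` manifest so it can be reviewed before being piped to `kubectl apply -f -`. The function names (`preflight`, `render_certificate`, and the `valid_*` helpers) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the DKP/Kommander docs): validate the variables the
# guide exports, then render the Certificate manifest for review.
# Function names are assumptions for illustration.

# Return 0 when $1 is a plausible DNS hostname: dot-separated labels of
# letters, digits and hyphens, each label 1-63 chars, at least one dot.
valid_dns_name() {
  printf '%s' "$1" | grep -Eqi '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Return 0 when $1 looks like an IAM role ARN: arn:aws:iam::<12 digits>:role/<name>.
valid_role_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Return 0 when $1 looks like a Route 53 hosted zone ID (Z followed by uppercase alphanumerics).
valid_zone_id() {
  printf '%s' "$1" | grep -Eq '^Z[A-Z0-9]{4,32}$'
}

# Return 0 when $1 is a minimally well-formed ACME contact e-mail address.
valid_email() {
  printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'
}

# Check every input the guide relies on; report each failure on stderr and
# return non-zero if any check failed.
preflight() {
  rc=0
  valid_dns_name "${CLUSTER_DOMAIN_NAME:-}"          || { echo "CLUSTER_DOMAIN_NAME is not a valid hostname" >&2; rc=1; }
  valid_email "${ACME_EMAIL:-}"                      || { echo "ACME_EMAIL is not a valid e-mail address" >&2; rc=1; }
  valid_zone_id "${EXTERNAL_DNS_ROUTE53_ZONE_ID:-}"  || { echo "EXTERNAL_DNS_ROUTE53_ZONE_ID does not look like a hosted zone ID" >&2; rc=1; }
  valid_role_arn "${EXTERNAL_DNS_AWS_ASSUME_ROLE:-}" || { echo "EXTERNAL_DNS_AWS_ASSUME_ROLE is not an IAM role ARN" >&2; rc=1; }
  [ -n "${WORKSPACE_NAMESPACE:-}" ]                  || { echo "WORKSPACE_NAMESPACE is empty" >&2; rc=1; }
  return $rc
}

# Render the Certificate from the guide (same resource names: kommander-traefik-acme,
# kommander-traefik-certificate, kommander-acme-issuer). Refuses to render
# unless preflight accepted every variable.
render_certificate() {
  preflight || return 1
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kommander-traefik-acme
  namespace: ${WORKSPACE_NAMESPACE}
spec:
  secretName: kommander-traefik-certificate
  duration: 19200h # 800d
  commonName: "${CLUSTER_DOMAIN_NAME}"
  isCA: false
  usages:
  - server auth
  dnsNames:
  - "${CLUSTER_DOMAIN_NAME}"
  issuerRef:
    name: kommander-acme-issuer
    kind: ClusterIssuer
EOF
}

# Usage, after exporting the variables from the guide:
#   render_certificate > certificate.yaml && kubectl apply -f certificate.yaml
```

The checks are deliberately syntactic: they catch the typo-class mistakes (a space in the hostname, a truncated account ID in the role ARN, an empty namespace) but do not prove the zone ID or role exist, which only the DNS01 solver running in cert-manager can confirm.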
Trigger update on management cluster
CLUSTER: `management`
This manually triggers the updates on the management cluster that reconfigure its components to use the newly configured domain on the attached cluster:
```sh
cat << EOF | kubectl -n $WORKSPACE_NAMESPACE patch kommandercluster $ATTACHED_CLUSTER_NAME --type='merge' --patch-file=/dev/stdin
---
metadata:
  annotations:
    d2iq-update: "`date +%s`"
EOF
```
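Once the update has been triggered, the practical check is whether Traefik on the attached cluster actually presents the certificate that cert-manager wrote into the `kommander-traefik-certificate` secret, rather than the previous self-managed one. The script below is an added example and not part of the DKP/Kommander documentation or tooling: it pulls `tls.crt` out of the secret, fetches the leaf certificate served for `$CLUSTER_DOMAIN_NAME` on port 443, and compares SHA-256 fingerprints. It needs `kubectl`, `openssl` and `base64`; the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the DKP/Kommander docs: confirm that Traefik serves
# the certificate stored in the kommander-traefik-certificate secret.
# Function names are assumptions for illustration.

# SHA-256 fingerprint of the first certificate in a PEM file: lowercase hex, no colons.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Return 0 when both fingerprints are non-empty and identical.
fingerprints_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Write tls.crt from a TLS secret to a file: secret_cert_to_file NAMESPACE SECRET OUTFILE
secret_cert_to_file() {
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$3"
}

# Write the leaf certificate a server presents for an SNI name to a file:
# served_cert_to_file HOST PORT OUTFILE
served_cert_to_file() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Compare the secret with what is served and print issuer and expiry of the served cert:
# verify_traefik_cert NAMESPACE HOST
verify_traefik_cert() {
  ns=$1; host=$2
  tmp=$(mktemp -d) || return 1
  secret_cert_to_file "$ns" kommander-traefik-certificate "$tmp/secret.pem" || { rm -rf "$tmp"; return 1; }
  served_cert_to_file "$host" 443 "$tmp/served.pem" || { rm -rf "$tmp"; return 1; }
  want=$(pem_fingerprint "$tmp/secret.pem")
  got=$(pem_fingerprint "$tmp/served.pem")
  echo "secret : $want"
  echo "served : $got"
  openssl x509 -in "$tmp/served.pem" -noout -issuer -enddate
  rm -rf "$tmp"
  if fingerprints_match "$want" "$got"; then
    echo "OK: Traefik serves the certificate from the secret"
  else
    echo "MISMATCH: Traefik is still serving a different certificate" >&2
    return 1
  fi
}

# Usage, with the variables from the guide exported:
#   verify_traefik_cert "$WORKSPACE_NAMESPACE" "$CLUSTER_DOMAIN_NAME"
```

A mismatch right after the patch is not necessarily an error: the `Certificate` may still be waiting on the DNS01 challenge, in which case `kubectl -n $WORKSPACE_NAMESPACE get certificate kommander-traefik-acme` shows it not yet `Ready`. The printed issuer line is the quick way to tell a Let's Encrypt certificate from the previous one.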