Skip to content

Instantly share code, notes, and snippets.

@Kelwing

Kelwing/k8sdo.md

Last active Oct 2, 2020
Embed
What would you like to do?
Deploying Kubernetes 1.11 on DigitalOcean with Rancher 2.0

Deploying Kubernetes 1.11 on DigitalOcean with Rancher 2.0

This guide will help you add support for DigitalOcean volumes and load balancers to a freshly deployed Kubernetes 1.11 cluster. It assumes you already have a cluster deployed through Rancher, have kubectl set up, and helm installed.

Set up helm

  • kubectl apply -f helm-rbac.yaml
  • helm init --service-account tiller

helm-rbac.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Deploy DigitalOcean secrets

Do not apply this part if you're using DigitalOcean Kubernetes

  • kubectl apply -f digitalocean-secret.yaml

Example secret yaml:

apiVersion: v1
kind: Secret
metadata:
  name: digitalocean
  namespace: kube-system
stringData:
  access-token: "MY-DO-TOKEN"

Set up DigitalOcean controller manager

Do not apply this part if you're using DigitalOcean Kubernetes

  • kubectl apply -f https://raw.githubusercontent.com/digitalocean/digitalocean-cloud-controller-manager/master/releases/v0.1.7.yml

Set up DigitalOcean CSI

Do not apply this part if you're using DigitalOcean Kubernetes

Be sure to edit the rancher cluster yaml to include the following:

services:
  kube-api:
    extra_args:
      feature-gates: MountPropagation=true

  kubelet:
    extra_args:
      feature-gates: MountPropagation=true

NOTE: the kube-api and kubelet stanza's will already exist, just add the extra_args section to each.

  • kubectl apply -f https://raw.githubusercontent.com/digitalocean/csi-digitalocean/master/deploy/kubernetes/releases/csi-digitalocean-v0.2.0.yaml

Install nginx controller

  • helm install stable/nginx-ingress --namespace kube-system

Install cert-manager

  • helm install --name cert-manager --namespace kube-system stable/cert-manager

We also need to configure an issuer, the HTTP validation issuer is the easiest to work with, and requires the least interaction.

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: default
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    http01: {}

Note: This will only install the issuer to the default namespace, and will only be available in that namespace

Example Certificate Request

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-prod
  commonName: example.com
  dnsNames:
  - www.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - example.com
    - http01:
        ingress: my-ingress
      domains:
      - www.example.com

This can then be referenced in your ingress like so:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-com-ingress
  namespace: default
spec:
  tls:
  - hosts:
    - example.com
    - www.example.com
    secretName: example-com-tls
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: echoheaders-x
          servicePort: 80
        path: /
  - host: www.example.com
    http:
      paths:
      - backend:
          serviceName: echoheaders-x
          servicePort: 80
        path: /

Enjoy your fresh new Kubernetes cluster, with full support for DigitalOcean volumes and Load Balancers!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment