@Kelwing
Last active June 11, 2021 05:30
Deploying Kubernetes 1.11 on DigitalOcean with Rancher 2.0

This guide will help you add support for DigitalOcean volumes and load balancers to a freshly deployed Kubernetes 1.11 cluster. It assumes you already have a cluster deployed through Rancher, have kubectl set up, and have helm installed.

Set up helm

  • kubectl apply -f helm-rbac.yaml
  • helm init --service-account tiller

helm-rbac.yaml:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Deploy DigitalOcean secrets

Do not apply this part if you're using DigitalOcean Kubernetes

  • kubectl apply -f digitalocean-secret.yaml

Example secret yaml:

apiVersion: v1
kind: Secret
metadata:
  name: digitalocean
  namespace: kube-system
stringData:
  access-token: "MY-DO-TOKEN"

Set up DigitalOcean controller manager

Do not apply this part if you're using DigitalOcean Kubernetes

  • kubectl apply -f https://raw.githubusercontent.com/digitalocean/digitalocean-cloud-controller-manager/master/releases/v0.1.7.yml

Set up DigitalOcean CSI

Do not apply this part if you're using DigitalOcean Kubernetes

Be sure to edit the rancher cluster yaml to include the following:

services:
  kube-api:
    extra_args:
      feature-gates: MountPropagation=true

  kubelet:
    extra_args:
      feature-gates: MountPropagation=true

NOTE: the kube-api and kubelet stanzas will already exist; just add the extra_args section to each.

  • kubectl apply -f https://raw.githubusercontent.com/digitalocean/csi-digitalocean/master/deploy/kubernetes/releases/csi-digitalocean-v0.2.0.yaml

Install nginx controller

  • helm install stable/nginx-ingress --namespace kube-system

Install cert-manager

  • helm install --name cert-manager --namespace kube-system stable/cert-manager

We also need to configure an issuer. The HTTP-01 validation issuer is the easiest to work with and requires the least interaction.

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: default
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: user@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    http01: {}

Note: This installs the issuer only in the default namespace, so it is available only to Certificates in that namespace.

Example Certificate Request

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-prod
  commonName: example.com
  dnsNames:
  - www.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - example.com
    - http01:
        ingress: my-ingress
      domains:
      - www.example.com

This can then be referenced in your ingress like so:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-com-ingress
  namespace: default
spec:
  tls:
  - hosts:
    - example.com
    - www.example.com
    secretName: example-com-tls
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: echoheaders-x
          servicePort: 80
        path: /
  - host: www.example.com
    http:
      paths:
      - backend:
          serviceName: echoheaders-x
          servicePort: 80
        path: /
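As an added check that is not part of the original gist, the script below takes the Certificate and Ingress above (embedded as Python dicts constructed from the page, so it runs offline) and flags the mismatches that silently break this setup: a tls host the Certificate does not cover, a name with no HTTP-01 solver in acme.config, a secretName mismatch, or a rule host with no tls entry at all.

```python
# Added example (not from the gist): the Certificate and Ingress above as
# Python dicts, constructed from the page so the check runs offline.
CERT = {
    "metadata": {"name": "example-com", "namespace": "default"},
    "spec": {
        "secretName": "example-com-tls",
        "commonName": "example.com",
        "dnsNames": ["www.example.com"],
        "acme": {"config": [{"http01": {"ingressClass": "nginx"}, "domains": ["example.com"]},
                            {"http01": {"ingress": "my-ingress"}, "domains": ["www.example.com"]}]},
    },
}
INGRESS = {
    "metadata": {"name": "example-com-ingress", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["example.com", "www.example.com"],
                 "secretName": "example-com-tls"}],
        "rules": [{"host": "example.com"}, {"host": "www.example.com"}],
    },
}

def cert_names(cert):
    """Names the issued certificate will carry: commonName plus dnsNames."""
    spec = cert["spec"]
    return {spec["commonName"], *spec.get("dnsNames", [])}

def acme_names(cert):
    """Names that have an HTTP-01 solver; cert-manager cannot validate the rest."""
    return {d for c in cert["spec"]["acme"]["config"] for d in c["domains"]}

def check(cert, ing):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    names, want = cert_names(cert), cert["spec"]["secretName"]
    if cert["metadata"]["namespace"] != ing["metadata"]["namespace"]:
        problems.append("certificate and ingress live in different namespaces")
    for n in sorted(names - acme_names(cert)):
        problems.append(f"{n}: no http01 solver configured, issuance will fail")
    tls_hosts = set()
    for tls in ing["spec"].get("tls", []):
        if tls["secretName"] != want:
            problems.append(f"tls secretName {tls['secretName']} is not {want}")
        for h in tls["hosts"]:
            tls_hosts.add(h)
            if h not in names:  # browser would see a name mismatch for this host
                problems.append(f"{h}: in ingress tls but not in certificate")
    for rule in ing["spec"].get("rules", []):  # rule hosts without tls are plain HTTP
        if rule["host"] not in tls_hosts:
            problems.append(f"{rule['host']}: no tls entry, served over plain HTTP")
    return problems
```

Run `check(CERT, INGRESS)` after editing either manifest; anything it returns is worth fixing before `kubectl apply`.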

Enjoy your fresh new Kubernetes cluster, with full support for DigitalOcean volumes and Load Balancers!
