@gjreasoner
Created December 25, 2022 17:55
k3 tls

Overview

There are lots of options around the web; this is what has worked best for me so far.

Based on results here: https://traefik.io/blog/https-on-kubernetes-using-traefik-proxy/

Steps

Run certbot with the manual DNS challenge to create the Let's Encrypt certificates:

docker run -v /tmp/cert:/etc/letsencrypt/archive -it certbot/certbot certonly --preferred-challenges dns --manual

mv /tmp/cert/[your-domain] .

Create the secret from the files generated by Let's Encrypt:

kubectl create secret generic [your-domain]-secret --from-file=tls.crt=[your-domain]/fullchain1.pem --from-file=tls.key=[your-domain]/privkey1.pem

Replace Traefik's default TLS certificate with your Let's Encrypt one (default-cert.yaml):

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: default
spec:
  defaultCertificate:
    secretName: [your-domain]-secret

Apply the file

kubectl apply -f default-cert.yaml

Make sure the Ingress for your service has a tls section like the one below (no secretName is needed under tls, because Traefik falls back to the TLSStore default certificate):

apiVersion: v1
items:
- apiVersion: networking.k8s.io/v1
  kind: Ingress
...
  spec:
    rules:
    - host: bitwarden.[your-domain]
      http:
        paths:
        - backend:
            service:
              name: bitwarden-bitwarden-k8s
              port:
                number: 80
          path: /
          pathType: Prefix
    tls:
    - hosts:
      - bitwarden.[your-domain]

Check connectivity

curl https://bitwarden.[your-domain]

# If something is incorrect, `curl` is sometimes a bit more helpful
# in determining what went wrong.