[KUBERNETES] Setup K3s Envoy Gateway HTTPS Let's Encrypt
fourslickz edited this page May 16, 2026
Internet
↓
HTTPS
↓
Envoy Gateway
↓
Gateway API
↓
HTTPRoute
↓
Service
↓
Pods
Install K3s without Traefik and without the built-in ServiceLB:

```bash
curl -sfL https://get.k3s.io | sh -s - \
  --disable traefik \
  --disable servicelb
```

Copy the kubeconfig for your user. `/etc/rancher/k3s/k3s.yaml` carries the cluster-admin client certificate, so the copy should stay readable only by you (mode 0600):

```bash
mkdir -p ~/.kube
sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sudo chown $USER:$USER ~/.kube/config
export KUBECONFIG=~/.kube/config
echo 'export KUBECONFIG=~/.kube/config' >> ~/.bashrc
source ~/.bashrc
kubectl get nodes
```

Install Helm. The installer is fetched unpinned from the `main` branch and piped straight into bash; read it first, or install a pinned release, if that matters on this machine:

```bash
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
helm version
```

Install the Gateway API CRDs (standard channel):

```bash
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
kubectl get crd | grep gateway
```

Install Envoy Gateway with Helm:

```bash
helm install eg oci://docker.io/envoyproxy/gateway-helm \
  --version v1.4.6 \
  -n envoy-gateway-system \
  --create-namespace
kubectl get pods -n envoy-gateway-system
```

Restart the controller, because the Gateway API CRDs were installed just before it. Note that the chart bundles its own copy of the Gateway API CRDs and Helm never overwrites CRDs that already exist, so the v1.1.0 CRDs applied above are the ones the cluster keeps; if a Gateway resource is rejected later, compare that version with the one the Envoy Gateway v1.4.6 release notes expect.

```bash
kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
```

Create the GatewayClass that binds Gateways to the Envoy Gateway controller:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
```

```bash
kubectl apply -f gatewayclass.yaml
kubectl get gatewayclass
```

Expected (ACCEPTED must be True):

```
envoy   gateway.envoyproxy.io/gatewayclass-controller   True
```
Create the Gateway. With no namespace in the manifest it lands in `default`, which the ClusterIssuer and Certificate further down rely on:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
spec:
  gatewayClassName: envoy
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
```

`allowedRoutes.namespaces.from: All` lets an HTTPRoute from any namespace attach to this listener and claim hostnames on it. That is acceptable on a single-tenant cluster; on a shared one prefer `Same` or a `Selector`.

```bash
kubectl apply -f gateway.yaml
kubectl get svc -A
```

Envoy Gateway creates a LoadBalancer Service for the Gateway, for example:

```
envoy-default-main-gateway-xxxxx   LoadBalancer   103.196.155.38
```

ServiceLB was disabled at install, so EXTERNAL-IP is only filled in when something else implements LoadBalancer Services (a cloud provider's controller or MetalLB). If it stays `<pending>`, nothing below is reachable from the Internet.
Deploy a test backend (the image tag is unpinned, so `nginx` resolves to `nginx:latest`):

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 80
```

```bash
kubectl apply -f nginx.yaml
```

Route every request on the Gateway to it:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx-route
spec:
  parentRefs:
    - name: main-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: nginx
          port: 80
```

```bash
kubectl apply -f route.yaml
curl http://103.196.155.38
```

Should print the nginx welcome page:

```
Welcome to nginx!
```
Install cert-manager, using a version compatible with K3s v1.28:

```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.5/cert-manager.yaml
kubectl get pods -n cert-manager
```

The Gateway API HTTP-01 solver is off by default; enable it by patching the controller deployment:

```bash
kubectl patch deployment cert-manager \
  -n cert-manager \
  --type='json' \
  -p='[
    {
      "op": "add",
      "path": "/spec/template/spec/containers/0/args/-",
      "value": "--enable-gateway-api"
    }
  ]'
kubectl describe deployment cert-manager -n cert-manager
```

The container args should now include:

```
--enable-gateway-api
```

The patch is not idempotent (running it twice appends the flag twice) and is dropped again when `cert-manager.yaml` is re-applied, for example on upgrade, because `kubectl apply` replaces the whole `args` list. Re-apply the patch afterwards and confirm the flag is back.
Create the ClusterIssuer. `email` is a placeholder for the address Let's Encrypt should notify about expiring certificates. The HTTP-01 solver answers challenges by creating a temporary HTTPRoute attached to `main-gateway`, so the port-80 listener must stay in place and must accept routes from the namespace the Certificate is created in. For experiments, point `server` at the staging directory (`https://acme-staging-v02.api.letsencrypt.org/directory`) first; failed attempts against the production endpoint count toward its rate limits.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: yourmail@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      - http01:
          gatewayHTTPRoute:
            parentRefs:
              - name: main-gateway
                namespace: default
```

```bash
kubectl apply -f clusterissuer.yaml
kubectl get clusterissuer
```

Expected: READY=True.

Point the domain aliensky.id at the IP 103.196.155.38 with a DNS A record, and confirm it resolves before requesting the certificate: Let's Encrypt fetches the HTTP-01 challenge over the public DNS name.
Request the certificate. Like the Gateway, it is created in `default`, so the Gateway can reference the resulting Secret without a ReferenceGrant:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-domain-cert
spec:
  secretName: my-domain-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - aliensky.id
```

```bash
kubectl apply -f certificate.yaml
kubectl get certificate
```

Expected: READY=True. If it stays False, `kubectl describe certificate my-domain-cert` and `kubectl describe challenge` show which step of the ACME order failed.
Add an HTTPS listener that terminates TLS with the Secret cert-manager wrote. Keep the HTTP listener: renewals still run HTTP-01 on port 80.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
spec:
  gatewayClassName: envoy
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS
      port: 443
      hostname: aliensky.id
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: my-domain-tls
      allowedRoutes:
        namespaces:
          from: All
```

```bash
kubectl apply -f gateway.yaml
```

Update the HTTPRoute so it matches the hostname:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx-route
spec:
  hostnames:
    - aliensky.id
  parentRefs:
    - name: main-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: nginx
          port: 80
```

```bash
kubectl apply -f route.yaml
curl https://aliensky.id
```

or open https://aliensky.id in a browser.
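As an added cross-check (an example written for this page, not code from the original wiki, from Envoy Gateway or from cert-manager), the script below reads the JSON that `kubectl get gateway,httproute,certificate,clusterissuer -A -o json` prints and reports the mismatches that otherwise only surface as a Certificate stuck at READY=False or a listener that never becomes Programmed: listener hostname vs. Certificate dnsNames, cross-namespace certificateRefs that need a ReferenceGrant, HTTPRoutes whose parentRef or hostname attaches to nothing, `from: All` listeners, and whether an HTTP listener on port 80 will accept cert-manager's solver route. The file name `check_gateway.py` and the embedded SAMPLE (a transcription of this page's manifests, constructed so the script runs offline) are assumptions. Its wildcard handling goes beyond the page's single hostname: a Gateway API `*.` hostname spans one or more labels, while an X.509 SAN wildcard covers exactly one.

```python
"""Cross-check the Gateway, HTTPRoute, Certificate and ClusterIssuer of the HTTPS setup.
Input: JSON from `kubectl get gateway,httproute,certificate,clusterissuer -A -o json`
(python check_gateway.py dump.json); with no argument the constructed SAMPLE is checked."""
import json
import sys

# Constructed sample: this page's manifests in kubectl's JSON shape, not real cluster output.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Gateway", "metadata": {"name": "main-gateway", "namespace": "default"},
     "spec": {"gatewayClassName": "envoy", "listeners": [
         {"name": "http", "protocol": "HTTP", "port": 80, "allowedRoutes": {"namespaces": {"from": "All"}}},
         {"name": "https", "protocol": "HTTPS", "port": 443, "hostname": "aliensky.id",
          "tls": {"mode": "Terminate", "certificateRefs": [{"kind": "Secret", "name": "my-domain-tls"}]},
          "allowedRoutes": {"namespaces": {"from": "All"}}}]}},
    {"kind": "HTTPRoute", "metadata": {"name": "nginx-route", "namespace": "default"},
     "spec": {"hostnames": ["aliensky.id"], "parentRefs": [{"name": "main-gateway"}],
              "rules": [{"backendRefs": [{"name": "nginx", "port": 80}]}]}},
    {"kind": "Certificate", "metadata": {"name": "my-domain-cert", "namespace": "default"},
     "spec": {"secretName": "my-domain-tls", "dnsNames": ["aliensky.id"],
              "issuerRef": {"name": "letsencrypt", "kind": "ClusterIssuer"}}},
    {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt"},
     "spec": {"acme": {"solvers": [{"http01": {"gatewayHTTPRoute": {
         "parentRefs": [{"name": "main-gateway", "namespace": "default"}]}}}]}}}]}


def host_matches(pattern, host, single_label):
    """Wildcard semantics differ: a Gateway API '*.x' hostname covers one or more
    labels, an X.509 SAN '*.x' covers exactly one (single_label=True)."""
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return not single_label or "." not in host[:-len(suffix)]


def ns_policy(lst):
    """allowedRoutes.namespaces.from of a listener: All, Same or Selector. Selector is
    treated as allowing, because namespace labels are not part of the input."""
    return lst.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same")


def check(data):
    """Return (level, message) findings for a kubectl List or a single object."""
    by_kind = {}
    for obj in data.get("items", [data]):
        by_kind.setdefault(obj["kind"], []).append(obj)
    gws = {(g["metadata"]["namespace"], g["metadata"]["name"]): g for g in by_kind.get("Gateway", [])}
    certs = by_kind.get("Certificate", [])
    out = []
    for (gns, gname), gw in gws.items():
        for lst in gw["spec"].get("listeners", []):
            tag = f"Gateway {gns}/{gname} listener {lst['name']}"
            if ns_policy(lst) == "All":
                out.append(("WARN", f"{tag}: from=All lets every namespace attach routes; prefer Same or a Selector"))
            if lst.get("protocol") != "HTTPS":
                continue
            for ref in lst.get("tls", {}).get("certificateRefs", []):
                rns = ref.get("namespace", gns)
                if rns != gns:
                    out.append(("WARN", f"{tag}: cross-namespace certificateRef {rns}/{ref['name']} needs a ReferenceGrant"))
                # dnsNames of every Certificate that writes the referenced Secret
                dns = [d for c in certs if c["metadata"]["namespace"] == rns and c["spec"]["secretName"] == ref["name"]
                       for d in c["spec"].get("dnsNames", [])]
                host = lst.get("hostname")
                if host and not any(host_matches(d, host, True) for d in dns):
                    out.append(("ERROR", f"{tag}: hostname {host} not covered by any Certificate for Secret {rns}/{ref['name']}"))
    for rt in by_kind.get("HTTPRoute", []):
        rns, rname = rt["metadata"]["namespace"], rt["metadata"]["name"]
        for ref in rt["spec"].get("parentRefs", []):
            key = (ref.get("namespace", rns), ref["name"])
            if key not in gws:
                out.append(("ERROR", f"HTTPRoute {rns}/{rname}: parentRef {key[0]}/{key[1]} is not a Gateway in the input"))
                continue
            ok = False
            for lst in gws[key]["spec"].get("listeners", []):
                if ref.get("sectionName", lst["name"]) != lst["name"] or (ns_policy(lst) == "Same" and key[0] != rns):
                    continue
                lh, rh = lst.get("hostname"), rt["spec"].get("hostnames", [])
                if not lh or not rh or any(host_matches(lh, h, False) or host_matches(h, lh, False) for h in rh):
                    ok = True
            if not ok:
                out.append(("ERROR", f"HTTPRoute {rns}/{rname}: no listener on {key[1]} accepts it (namespace or hostname)"))
    # HTTP-01: cert-manager creates the solver HTTPRoute in the Certificate's namespace and attaches
    # it to the issuer's parentRefs, so an HTTP listener on port 80 must accept that namespace.
    issuers = {(i["kind"], i["metadata"]["name"]): i for i in by_kind.get("ClusterIssuer", []) + by_kind.get("Issuer", [])}
    for cert in certs:
        cns, cname = cert["metadata"]["namespace"], cert["metadata"]["name"]
        iref = cert["spec"].get("issuerRef", {})
        iss = issuers.get((iref.get("kind", "Issuer"), iref.get("name")), {"spec": {}})
        for solver in iss["spec"].get("acme", {}).get("solvers", []):
            for ref in solver.get("http01", {}).get("gatewayHTTPRoute", {}).get("parentRefs", []):
                key = (ref.get("namespace", cns), ref["name"])
                http = [l for l in gws.get(key, {"spec": {}})["spec"].get("listeners", [])
                        if l.get("protocol") == "HTTP" and l.get("port") == 80]
                if not http:
                    out.append(("ERROR", f"Certificate {cns}/{cname}: Gateway {key[0]}/{key[1]} has no HTTP listener on port 80 for HTTP-01"))
                elif all(ns_policy(l) == "Same" and key[0] != cns for l in http):
                    out.append(("ERROR", f"Certificate {cns}/{cname}: HTTP listener on {key[1]} rejects solver routes from namespace {cns}"))
    return out


if __name__ == "__main__":  # python check_gateway.py dump.json
    for level, msg in check(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE):
        print(level, msg)
```

Run against this page's manifests it reports no errors and two warnings, one per `from: All` listener. Run against a real dump it is a quick way to see, before waiting on an ACME order, whether the Certificate, the listener hostname and the solver's attachment point actually agree.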
Check the whole stack:

```bash
kubectl get pods -A
kubectl get svc -A
kubectl get gateway
kubectl get gatewayclass
kubectl get httproute
kubectl get certificate
```

| Component | Role |
|---|---|
| K3s | Lightweight Kubernetes |
| Helm | Kubernetes package manager |
| Gateway API | Modern Kubernetes networking API |
| Envoy Gateway | Modern reverse proxy (Gateway API implementation) |
| GatewayClass | Binds Gateways to the Envoy controller |
| Gateway | Traffic entry point |
| HTTPRoute | Request routing |
| cert-manager | TLS certificate automation |
| ClusterIssuer | Let's Encrypt configuration |
| Certificate | Requests a TLS certificate |
| Service | Exposes the pods |
| Pod | Application container |
Internet
↓
HTTPS
↓
Envoy Gateway
↓
Gateway
↓
HTTPRoute
↓
Service
↓
Pod
Recommended next steps:
- Redirect HTTP → HTTPS
- Cloudflare
- Websocket
- gRPC
- Rate limiting
- WAF
- Grafana
- Loki
- Prometheus
- ArgoCD
- Longhorn
- Multi-node K3s