Setup Production K3s Envoy Gateway HTTPS Private Docker Hub
fourslickz edited this page May 16, 2026
·
1 revision
Internet
↓
HTTP → HTTPS Redirect
↓
Envoy Gateway
↓
Gateway API
↓
HTTPRoute
↓
Service
↓
Private Docker Hub Container
Install tanpa Traefik dan tanpa ServiceLB bawaan.
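```sh
# The installer is piped straight into a root shell. Pin the release with
# INSTALL_K3S_VERSION=<K3S_VERSION> rather than taking whatever the channel
# serves today (the guide targets K3s v1.28).
# NOTE(review): with ServiceLB disabled, a LoadBalancer Service gets no
# external address unless another implementation provides one - confirm.
curl -sfL https://get.k3s.io | sh -s - \
  --disable traefik \
  --disable servicelb
```

```sh
mkdir -p ~/.kube
sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sudo chown "$(id -un):$(id -gn)" ~/.kube/config
# This file carries cluster-admin credentials: owner read/write only.
chmod 600 ~/.kube/config
```

```sh
export KUBECONFIG=~/.kube/config
```

```sh
echo 'export KUBECONFIG=~/.kube/config' >> ~/.bashrc
source ~/.bashrc
```

```sh
# Download the Helm installer to a file so it can be read before it runs,
# instead of piping an unpinned script from the main branch into bash.
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
```

```sh
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
```

```sh
helm install eg oci://docker.io/envoyproxy/gateway-helm \
  --version v1.4.6 \
  -n envoy-gateway-system \
  --create-namespace
```

```sh
kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
```

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
```

```sh
kubectl apply -f gatewayclass.yaml
```

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
spec:
  gatewayClassName: envoy
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          # Least privilege: only routes in the Gateway's own namespace may
          # attach. Every route in this guide is created there. "All" would
          # let any namespace bind routes to this listener; to admit other
          # namespaces, use "Selector" with a namespace label instead.
          from: Same
    - name: https
      protocol: HTTPS
      port: 443
      hostname: aliensky.id
      tls:
        mode: Terminate
        certificateRefs:
          # Created later by cert-manager (Certificate.spec.secretName).
          - kind: Secret
            name: my-domain-tls
      allowedRoutes:
        namespaces:
          # Same restriction as above: a route attached here serves traffic
          # under the aliensky.id certificate.
          from: Same
```

```sh
kubectl apply -f gateway.yaml
```

Menggunakan versi compatible dengan K3s v1.28.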
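```sh
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.5/cert-manager.yaml
```

```sh
# Run this once: the JSON patch appends to the args list, so a second run
# adds the flag a second time.
kubectl patch deployment cert-manager \
  -n cert-manager \
  --type='json' \
  -p='[
    {
      "op": "add",
      "path": "/spec/template/spec/containers/0/args/-",
      "value": "--enable-gateway-api"
    }
  ]'

# Wait for the patched controller before creating the issuer.
kubectl rollout status deployment/cert-manager -n cert-manager
```

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: yourmail@gmail.com
    # Production endpoint, which is rate limited. A first run can be tested
    # against https://acme-staging-v02.api.letsencrypt.org/directory.
    server: https://acme-v02.api.letsencrypt.org/directory
    # Secret holding the ACME account private key; restrict who can read it.
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      - http01:
          gatewayHTTPRoute:
            # The HTTP-01 challenge route is attached to this Gateway.
            parentRefs:
              - name: main-gateway
                namespace: default
```

```sh
kubectl apply -f clusterissuer.yaml
```

Arahkan: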
aliensky.id
ke IP server:
103.196.155.38
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-domain-cert
spec:
  # Must match the Secret named in the https listener's certificateRefs.
  # That reference carries no namespace, so this Certificate has to be
  # created in the same namespace as the Gateway.
  secretName: my-domain-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - aliensky.id
```

```sh
kubectl apply -f certificate.yaml
```

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-redirect
spec:
  hostnames:
    - aliensky.id
  parentRefs:
    # Bound to the plain-HTTP listener only, so HTTPS requests are never
    # redirected back onto themselves.
    - name: main-gateway
      sectionName: http
  rules:
    # No "matches" entry: the rule applies to every path.
    # NOTE(review): the HTTP-01 solver route presumably wins over this
    # catch-all because its path match is more specific - confirm that
    # issuance and renewal still succeed with the redirect in place.
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
```

```sh
kubectl apply -f 4-http-redirect.yaml
```

Digunakan untuk pull private image Docker Hub.
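```sh
# Use a read-only Docker Hub access token rather than the account password,
# and read it from a prompt so it is not written to the shell history.
read -r -s -p 'Docker Hub access token: ' DOCKERHUB_TOKEN; echo
kubectl create secret docker-registry dockerhub-secret \
  --docker-server=https://index.docker.io/v1/ \
  --docker-username=DOCKERHUB_USERNAME \
  --docker-password="$DOCKERHUB_TOKEN" \
  --docker-email=EMAIL
unset DOCKERHUB_TOKEN
```

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aliensky-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aliensky-app
  template:
    metadata:
      labels:
        app: aliensky-app
    spec:
      # Must exist in the same namespace as this Deployment.
      imagePullSecrets:
        - name: dockerhub-secret
      containers:
        - name: aliensky-app
          # A tag can be re-pushed; pinning by digest (image@sha256:<DIGEST>)
          # guarantees the exact image that was reviewed.
          image: aliensky/private-app:v1.0.0
          imagePullPolicy: Always
          ports:
            - containerPort: 3000
          # NOTE(review): no securityContext or resource limits are set.
          # If the image supports it, consider runAsNonRoot,
          # allowPrivilegeEscalation: false, a read-only root filesystem,
          # and CPU/memory requests and limits.
---
apiVersion: v1
kind: Service
metadata:
  name: aliensky-app
spec:
  selector:
    app: aliensky-app
  ports:
    - port: 80
      targetPort: 3000
```

```sh
kubectl apply -f app.yaml
```

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: https-backend
spec:
  hostnames:
    - aliensky.id
  parentRefs:
    # Attached to the TLS-terminating listener only.
    - name: main-gateway
      sectionName: https
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: aliensky-app
          port: 80
```

```sh
kubectl apply -f 5-https-backend.yaml
```

```sh
# nginx is not created anywhere in this guide; presumably these remove an
# earlier test deployment. Skip them if it does not exist.
kubectl delete deployment nginx
kubectl delete service nginx
```

```sh
kubectl get pods -A
kubectl get svc -A
kubectl get gateway
kubectl get gatewayclass
kubectl get httproute
kubectl get certificate
```

```sh
curl -I http://aliensky.id
```

Harus:
301 Moved Permanently

```sh
curl -I https://aliensky.id
```

Harus:
200 OK

```sh
kubectl describe pod
kubectl logs deployment/aliensky-app
kubectl logs -n envoy-gateway-system deployment/envoy-gateway
```

Gunakan image version:

```yaml
image: aliensky/private-app:v1.0.0
```

Jangan gunakan:

```
latest
```

Sudah memiliki: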
- K3s
- Envoy Gateway
- Gateway API
- HTTPS
- Let's Encrypt
- cert-manager
- HTTP → HTTPS redirect
- Private Docker Hub deployment
- Kubernetes native routing
- Modern ingress architecture