Where to terminate TLS connections? #18
What I do personally is "outsource" SSL to Cloudflare. Will explain exactly how.
2- Save the certificates to two files: origin-ca.crt and origin-ca.pk
3- Add these certificates to Kube with:
4- In your ingress manifest, add the following spec:
7- (Optional) Couple that with external-dns, and you'll be deploying like a boss, without even touching Cloudflare ever again. To deploy it, use:
With this external-dns.values.yaml file:
Then you can have your ingresses in the following format, and it will create the DNS records automatically:
Basically, @MartiniMoe, when you have the above setup once, that's it, the rest just flows automatically, and you do not ever need to configure anything on Hetzner's side, it's all done in the ingress manifest like in the above example. Good luck!
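The manifests the comment above refers to are not reproduced in this thread, so here is an added example of the two pieces it describes, written by the editor and not the commenter's own files: a kubernetes.io/tls Secret holding the Cloudflare origin certificate and key, and an Ingress that references that Secret and carries the external-dns annotations. The hostname app.example.com, the Secret name origin-ca, the namespace default and the backend Service app on port 80 are placeholders.

```yaml
# Added example, not the commenter's manifest. Placeholders: app.example.com,
# origin-ca, namespace "default", backend Service "app" on port 80.
#
# 1. The origin certificate and key saved from Cloudflare, stored as a
#    kubernetes.io/tls Secret. The equivalent one-liner is:
#    kubectl create secret tls origin-ca --cert=origin-ca.crt --key=origin-ca.pk
apiVersion: v1
kind: Secret
metadata:
  name: origin-ca
  namespace: default
type: kubernetes.io/tls
stringData:
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    ...contents of origin-ca.crt (placeholder)...
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    ...contents of origin-ca.pk (placeholder, never commit the real key)...
    -----END PRIVATE KEY-----
---
# 2. The Ingress: Traefik serves the origin certificate on 443 for this host,
#    and external-dns creates the DNS record at Cloudflare. With
#    cloudflare-proxied set to "true" the record is proxied, so clients see
#    Cloudflare's edge certificate and Cloudflare talks TLS to the origin.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: default
  annotations:
    external-dns.alpha.kubernetes.io/hostname: app.example.com
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
spec:
  tls:
    - hosts:
        - app.example.com
      secretName: origin-ca
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
```

Two checks worth doing with this setup: a Cloudflare origin certificate is trusted only by Cloudflare's edge, so the zone's SSL mode should be "Full (strict)" so that the edge actually validates it, and clients must not be able to reach the origin directly, otherwise they get a certificate that no public browser trusts. The Secret must live in the same namespace as the Ingress that references it.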
Hi, thank you very much for your detailed explanation!
@MartiniMoe You never need to touch the load balancer manually. You let Traefik do its own thing. It configures the LB with the proxy protocol for maximum flexibility. The SSL is added in Kubernetes and shows up automatically on the LB when port 443 is hit. Again, everything just works out of the box, you just need to think about feeding the Ingress with a certificate of your choice, either from Let's Encrypt, Traefik can do that, or Cloudflare like I did above.
Closing this for now @MartiniMoe, do not hesitate to ask questions if you still have some about SSL, but it really is as simple as described above. No manual intervention is needed on the LB. The only LB boss in town is Traefik.
OK, now I understand!
Exactly @MartiniMoe, and don't forget Traefik on k3s can be configured via this HelmChartConfig, you can recreate this file, add the acme resolver info for instance like shown here and here, then apply it, and it should get you well on your way of making this work! Just make sure to keep the name of the HelmChartConfig the same so it overwrites the previous config that was applied during install:
Thanks! At first I wondered why I already got it to work with my main domain, but not with subdomains 🤔 But maybe that's a DNS issue on my side, I will have to look into it 😄
Great to hear, please don't hesitate to post your HelmChartConfig just to help others that would want to do the same in the future. About subdomains, you have to make sure you request them with wildcard SSL in the form of *.yourdomain.dev, if already done, then indeed, must be a DNS thing.
Sure, my HelmChartConfig with certificateresolver looks like this:
Note that this is using Let's Encrypt's staging certificates to not run into rate limiting while testing. For production one should remove the caserver line. For subdomains I was thinking about letting Traefik get a separate certificate for each subdomain. Why do you think this won't work and I would need a wildcard certificate? Or did you mention the wildcard certificate because it is easier?
Great, thanks for sharing @MartiniMoe! About the wildcard, I just thought it's easier, but maybe I'm mistaken (never used it on Kube) because I can read it needs a DNS challenge to work.
@mysticaltech I tried to replicate your setup with kubectl get ing
NAME CLASS HOSTS ADDRESS PORTS AGE
test-ingress <none> test.my-domain.dev 10.0.0.6,2a01:4f8:c011:501::1,49.12.16.189 80, 443 13m
I would expect it to only expose the public IPs. Is that the same for you? It could be that it works for you because you enable cloudflare proxying and I think that filters private IPs by default, but it might be buggy if one is using Cloudflare's DNS only? EDIT: That seems to be the case. With cloudflare-proxied set to true, it works fine. Without it, it's using both the public and the private IPv4 address and ignores the IPv6.
I've got it to work without cloudflare proxying & IPv4 only, by adding the following two annotations to
"load-balancer.hetzner.cloud/ipv6-disabled": "true"
"load-balancer.hetzner.cloud/disable-private-ingress": "true"
I disable IPv6 because hetzner-ccm recommends doing so while using external-dns, but there's an open issue in external-dns to solve that.
Thanks for sharing, great info @phaer!
@MartiniMoe FYI, not sure it's even relevant, but just wanted you to know that I had made a mistake at step 3/ of the tutorial above, I had pasted the wrong command with
Thanks for letting me know! I was wondering how your certificate ended up as a secret in kubernetes :D
This was super helpful! @mysticaltech Maybe link to this in the Readme under the Examples section
Hi,
I really appreciate your work and have successfully created my own k8s cluster on the Hetzner cloud :)
Now I wanted to add TLS / HTTPS support and wanted to let the TLS connection terminate on the load balancer. Automatically retrieved certificates from Let's Encrypt seem fine. However, the load balancer does not seem to work when I change its service
from
"[tcp] 443 -> 31028"
to
"[https] 443 -> 30468"
I have completely removed the tcp service for port 80, because I think I will not need it.
The load balancer shows 'unhealthy' for this service and I cannot access any ingress anymore.
Can someone please advise me on how to achieve TLS support with the hetzner loadbalancer and traefik ingress? :) Thanks!