Little help needed for my https deployment on own domain #30

Closed
1mfaasj opened this issue Oct 20, 2021 · 7 comments

@1mfaasj

1mfaasj commented Oct 20, 2021

Hi,
first of all:
sorry for the stupid questions, maybe not quite related to what you made, but I could really use a little help right now.

I have created the cluster (not via the Docker way) and am trying to use my own (sub)domains in my deployments. On http I get this to work but unfortunately not on https.
I also have to say that the documentation on Hetzner Cloud Controller Manager isn't very good either... I can't find any good instructions on the Internet.

You shared an example of your Service annotations:

  service:
    annotations:
      load-balancer.hetzner.cloud/hostname: <a valid fqdn>
      load-balancer.hetzner.cloud/http-redirect-https: 'false'
      load-balancer.hetzner.cloud/location: nbg1
      load-balancer.hetzner.cloud/name: <lb name>
      load-balancer.hetzner.cloud/uses-proxyprotocol: 'true'
      load-balancer.hetzner.cloud/use-private-ip: "true"

but shouldn't these 2 lines be added too?

load-balancer.hetzner.cloud/http-certificates
load-balancer.hetzner.cloud/protocol

But when I add the protocol line in the Service, the loadbalancer is crashing in the Hetzner cloud.

Anyway, this is what my whoami.yaml deployment file looks like:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: containous/whoami
  selector:
    matchLabels:
      app: whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  labels:
    app: whoami
  annotations:
    load-balancer.hetzner.cloud/hostname: 'whoami.mydomain.com'
    load-balancer.hetzner.cloud/http-redirect-https: 'false'
    load-balancer.hetzner.cloud/location: 'nbg1'
    load-balancer.hetzner.cloud/name: 'a0377f5249b9myidd34a497800858'
    load-balancer.hetzner.cloud/uses-proxyprotocol: 'false'
    load-balancer.hetzner.cloud/use-private-ip: 'true'
spec:
  type: LoadBalancer
  ports:
    - port: 443
      targetPort: 80
  selector:
    app: whoami

Then at Cloudflare, to manage the DNS, I've created an A-record pointing mydomain.com to the IP of the loadbalancer.
And a second A-record for whoami.mydomain to the same IP of the loadbalancer. Not sure if both are needed though.

When I apply the deployment a loadbalancer is created and the whoami service becomes available at:

http://whoami.dockerjourney.ovh:443/
and http://loadbalancerip:443

but NOT on the https port haha ... Is Let's encrypt not included in the Hetzner Cloud Controller Manager?

Maybe something needs to be set manually in Hetzner cloud? For example at Loadbalancer, Networking, PUBLIC NETWORK, you can fill in a Reserved DNS name here. But I am not sure...
Or do I need to create a certificate in the Hetzner cloud, and then use the Service annotations?

Thanks in advance for your help, I would really appreciate it

@vitobotta
Owner

Sorry for the delay, been very busy with my day job. Maybe you've sorted it out in the meantime, but I recommend you install an ingress controller instead. That way you can have multiple workloads share the same load balancer, so you save some bucks. So instead of creating a service of type LoadBalancer for your workloads, you 1) install an ingress controller like ingress-nginx, 2) create a service of type ClusterIP plus an ingress resource for each workload.

@vitobotta
Owner

Forgot to mention that for the certificates the easiest way is to use cert-manager, and configure the ingress resource accordingly. This will use certificates provisioned automatically with Let's Encrypt.
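
The setup recommended in the two replies above, sketched as manifests. This is an added example, not configuration posted by either participant; the issuer name, e-mail address, secret names and `whoami.example.com` are placeholders. TLS terminates at the ingress controller, so the workload's Service stays a plain-HTTP ClusterIP.

```yaml
# Added example: names, e-mail and hostname are placeholders, not values from the thread.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod            # hypothetical issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com        # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx            # HTTP-01 challenge is answered through ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  type: ClusterIP                   # no per-workload cloud load balancer
  selector:
    app: whoami
  ports:
    - port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx           # class created by the ingress-nginx chart by default
  tls:
    - hosts:
        - whoami.example.com
      secretName: whoami-tls        # cert-manager stores the issued certificate here
  rules:
    - host: whoami.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
```

The HTTP-01 solver only succeeds if the hostname's DNS record points at the ingress controller's load balancer and port 80 is reachable from the internet. While testing, the Let's Encrypt staging endpoint (`https://acme-staging-v02.api.letsencrypt.org/directory`) avoids the production rate limits.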

@1mfaasj
Author

1mfaasj commented Oct 28, 2021

Thank you for the reply.
I was confused because you also get an API loadbalancer if you create 3+ masters, but this is for load balancing between the masters, right?

@1mfaasj
Author

1mfaasj commented Oct 28, 2021

Ok, back to the basics because I can't even get it to work on http anymore. Pff
What I did: I created 1 master and 2 worker nodes (with the docker command).
Thereafter:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

helm repo update

helm upgrade --install --namespace ingress-nginx --create-namespace -f C:\kluster\ingress-nginx.yaml ingress-nginx ingress-nginx/ingress-nginx

the ingress-nginx.yaml:

controller:
  kind: DaemonSet
  service:
    annotations:
      load-balancer.hetzner.cloud/location: nbg1
      load-balancer.hetzner.cloud/name: cluster-name-ingress-nginx
      load-balancer.hetzner.cloud/use-private-ip: "true"

then:
kubectl -n ingress-nginx get svc

The result is looking OK, right? But I see 2 of them, I expected 1.

PS C:\kluster> kubectl -n ingress-nginx get svc
NAME                                 TYPE           CLUSTER-IP      EXTERNAL-IP                                   PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.43.185.246   10.0.0.5,myloadbalancerip,2a01:4f6:1c1d:d76::1   80:30592/TCP,443:32013/TCP   3h25m
ingress-nginx-controller-admission   ClusterIP      10.43.13.66     <none>                                        443/TCP                      3h25m

When I go to the Hetzner cloud, I see a loadbalancer with the same IP as shown in External IP.
And I've created an A-record in my DNS settings to point my hostname to this IP of the loadbalancer.
So far so good, right?

However, when I apply the following yaml, with a small change though:
https://gist.githubusercontent.com/vitobotta/6e73f724c5b94355ec21b9eee6f626f1/raw/3036d4c4283a08ab82b99fffea8df3dded1d1f78/deployment.yaml

default is:
- host: hello-world.<load balancer ip>.nip.io

and I changed the line to:
- host: <load balancer ip>.nip.io

The deployment is running but I can't see it on my domain. I get a:

404 Not Found
nginx

What am I missing?

PS C:\kluster> kubectl get services

NAME          TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
hello-world   ClusterIP   10.43.22.80   <none>        80/TCP    2m33s
kubernetes    ClusterIP   10.43.0.1     <none>        443/TCP   6h53m

PS C:\kluster> kubectl describe ingress
Name:             hello-world
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                  Path  Backends
  ----                  ----  --------
  loadbalancerip.nip.io  
                        /   hello-world:80 (10.244.1.10:80)
Annotations:            <none>
Events:                 <none>

Do I need some annotations or ?

@vitobotta
Owner

> Thank you for the reply.
> I was confused because you also get an API loadbalancer if you create 3+ masters, but this is for load balancing between the masters, right?

Correct, one load balancer is for the API server if you have multiple masters, and the other is for the ingress controller (or any other services that provision a load balancer).

It looks like you've made progress! Are you sure you've picked the IP of the correct load balancer of nginx and not the one for the API server?

Also, try port-forwarding the service locally to see if it's a problem with the ingress.

@vitobotta
Owner

Closing since there hasn't been an update in a while.

@1mfaasj
Author

1mfaasj commented Nov 21, 2021

I've created a new issue because this one is closed: #41
