In my previous post, I documented my installation of RKE2 on VMware. These are mostly my cliff notes for getting some essential services running on top of it.
At this point, we should have kubectl installed and connected to the cluster. We will also need to get helm installed.
sudo snap install helm --classic
Install Metallb
MetalLB provides a simple load balancer. It lets us expose Services of type LoadBalancer on the lab network, which some of my services require. The rest will be handled by ingresses (a reverse proxy). Thankfully, RKE2 comes with the nginx ingress controller already configured.
Install Metallb
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.4/config/manifests/metallb-native.yaml
We will configure MetalLB by creating the following file, config-metallb.yaml:
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: cheap # the name of the pool you want to use
  namespace: metallb-system
spec:
  addresses:
  - 10.0.1.91-10.0.1.110 # be sure to update this with the address range for your lab
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: example # the name of the advertisement
  namespace: metallb-system
Save and apply the file with:
kubectl apply -f config-metallb.yaml
That’s it, we have a functional load balancer.
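Before applying the pool, it is worth checking that it does not collide with anything else on the lab network: in L2 mode MetalLB answers ARP for every address in the pool, so an address that a node already uses, or that the router hands out via DHCP, ends up with two owners on the LAN. The following is an added example, not code from the post, that checks a pool definition with Python's standard ipaddress module; the subnet, node addresses and DHCP scope are constructed placeholders for a lab and must be replaced with your own.

```python
import ipaddress

# Constructed sample values for a lab network; they are assumptions, not the
# post's real topology. Replace them with your own before trusting the result.
LAB_SUBNET = "10.0.1.0/24"                          # assumed network the nodes sit on
NODE_IPS = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]  # assumed RKE2 node addresses
DHCP_RANGE = "10.0.1.100-10.0.1.200"                # assumed DHCP scope of the lab router
POOL_ADDRESSES = ["10.0.1.91-10.0.1.110"]           # the IPAddressPool from the post


def expand(entry):
    """Expand one MetalLB 'addresses' entry (CIDR or 'first-last' range) into a set of IPs."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if last < first:
            raise ValueError(f"range {entry!r} runs backwards")
        return {ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)}
    return set(ipaddress.ip_network(entry, strict=False))


def check_pool(pool_entries, lab_subnet, node_ips, dhcp_range):
    """Return a list of problems; an empty list means the pool is safe to apply."""
    subnet = ipaddress.ip_network(lab_subnet)
    pool = set().union(*(expand(e) for e in pool_entries))
    problems = []

    # Addresses outside the node subnet cannot be reached by L2 announcements.
    outside = sorted(ip for ip in pool if ip not in subnet)
    if outside:
        problems.append(f"{len(outside)} address(es) outside {subnet}, e.g. {outside[0]}")

    # A node address inside the pool would be announced by MetalLB as well as the node.
    for node in sorted(map(ipaddress.ip_address, node_ips)):
        if node in pool:
            problems.append(f"pool contains node address {node}")

    # Anything DHCP may hand out can be claimed by a random client later.
    clash = sorted(pool & expand(dhcp_range))
    if clash:
        problems.append(f"{len(clash)} address(es) overlap DHCP scope {dhcp_range}: "
                        f"{clash[0]}-{clash[-1]}")
    return problems


if __name__ == "__main__":
    found = check_pool(POOL_ADDRESSES, LAB_SUBNET, NODE_IPS, DHCP_RANGE)
    print("pool size:", len(set().union(*(expand(e) for e in POOL_ADDRESSES))))
    for p in found:
        print("PROBLEM:", p)
    raise SystemExit(1 if found else 0)
```

With the constructed values above the script exits non-zero, because 10.0.1.100 through 10.0.1.110 are inside the assumed DHCP scope; shrinking either the pool or the DHCP scope until the check passes avoids duplicate-address fights on the LAN.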
Install and configure Cert-Manager
We are going to use helm for this installation. Helm has a few terms that it is helpful to understand:
Repository (or repo): A URL with one or more helm charts
Chart: A specific bit of software that you want to install (cert-manager in this case)
Release: A chart that has been installed
values.yaml: a values file has all of the configuration options a chart will use.
In this instance, we will not be needing a values file.
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.8.2 \
  --set installCRDs=true
Remove the --version line to get the latest version.
That’s it! Let’s set up our certificate issuers in a file called cert-issuers.yaml:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: contact@ccrow.org
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
The cluster issuer allows certificate creation in any namespace. Be sure to update your email address. Apply the above with:
kubectl apply -f cert-issuers.yaml
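After applying, cert-manager sets a Ready condition on each ClusterIssuer; for the ACME issuer that means it managed to register the account at Let's Encrypt with the email above. The following added example (not code from the post) reads the JSON that kubectl get clusterissuer -o json prints and reports which issuers are not Ready and why. The embedded sample document is constructed for the example, not captured from a cluster, and the same check works for Issuer and Certificate objects, which carry the same kind of Ready condition.

```python
import json
import sys

# Constructed sample of what `kubectl get clusterissuer -o json` might return for the
# two issuers from the post, with the ACME one not yet registered. It is made up for
# this example, not captured from a real cluster.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "kind": "ClusterIssuer",
            "metadata": {"name": "letsencrypt-prod"},
            "status": {"conditions": [{
                "type": "Ready", "status": "False",
                "reason": "ErrRegisterACMEAccount",
                "message": "Failed to register ACME account (constructed sample)",
            }]},
        },
        {
            "kind": "ClusterIssuer",
            "metadata": {"name": "selfsigned-cluster-issuer"},
            "status": {"conditions": [{
                "type": "Ready", "status": "True", "reason": "IsReady", "message": "",
            }]},
        },
    ],
}


def readiness(obj):
    """Return (name, ready, detail) for one Issuer/ClusterIssuer/Certificate object."""
    name = obj["metadata"]["name"]
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            detail = cond.get("reason", "")
            if cond.get("message"):
                detail += ": " + cond["message"]
            return name, cond.get("status") == "True", detail
    # cert-manager has not reconciled the object yet, so there is nothing to trust.
    return name, False, "no Ready condition yet"


def unready(doc):
    """Names of the objects in a kubectl List (or a single object) that are not Ready."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return [name for name, ok, _ in map(readiness, items) if not ok]


if __name__ == "__main__":
    # Usage: kubectl get clusterissuer -o json | python check_issuers.py
    # With no piped input the constructed SAMPLE is used instead.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    for name, ok, detail in map(readiness, items):
        print(f"{'READY    ' if ok else 'NOT READY'} {name}: {detail}")
    raise SystemExit(1 if unready(doc) else 0)
```

A non-zero exit is handy in a post-install script: an ACME issuer that never becomes Ready usually means the registration email or the outbound path to Let's Encrypt is wrong, and an HTTP-01 challenge cannot succeed until the nginx ingress is reachable on port 80 from the internet.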
Namespaces are important: most resources cannot use objects outside their own namespace. We are working with a few exceptions here, as ClusterIssuers are cluster-wide resources.