This guide will help you add support for DigitalOcean volumes and load balancers to a freshly deployed Kubernetes 1.11 cluster. It assumes you already have a cluster deployed through Rancher, have kubectl set up, and helm installed.
kubectl apply -f helm-rbac.yaml
helm init --service-account tiller
helm-rbac.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Tiller gets cluster-admin here; every chart installed through it runs with that privilege
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
Do not apply this part if you're using DigitalOcean Kubernetes
kubectl apply -f digitalocean-secret.yaml
Example secret yaml:
apiVersion: v1
kind: Secret
metadata:
  name: digitalocean
  namespace: kube-system
stringData:
  # Replace with your DigitalOcean API token; keep this file out of version control
  access-token: "MY-DO-TOKEN"
Do not apply this part if you're using DigitalOcean Kubernetes
kubectl apply -f https://raw.githubusercontent.com/digitalocean/digitalocean-cloud-controller-manager/master/releases/v0.1.7.yml
Do not apply this part if you're using DigitalOcean Kubernetes
Be sure to edit the Rancher cluster yaml to include the following:
services:
  kube-api:
    extra_args:
      feature-gates: MountPropagation=true
  kubelet:
    extra_args:
      feature-gates: MountPropagation=true
NOTE: the kube-api and kubelet stanzas will already exist; just add the extra_args section to each.
kubectl apply -f https://raw.githubusercontent.com/digitalocean/csi-digitalocean/master/deploy/kubernetes/releases/csi-digitalocean-v0.2.0.yaml
helm install stable/nginx-ingress --namespace kube-system
helm install --name cert-manager --namespace kube-system stable/cert-manager
We also need to configure an issuer. The HTTP validation issuer is the easiest to work with and requires the least interaction.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
  namespace: default
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: [email protected]
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    http01: {}
Note: This installs the Issuer into the default namespace only, so it can only be referenced by Certificates in that namespace.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  issuerRef:
    name: letsencrypt-prod
  commonName: example.com
  dnsNames:
  - www.example.com
  acme:
    config:
    - http01:
        ingressClass: nginx
      domains:
      - example.com
    - http01:
        # must name the Ingress below that serves www.example.com
        ingress: example-com-ingress
      domains:
      - www.example.com
This can then be referenced in your ingress like so:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-com-ingress
  namespace: default
spec:
  tls:
  - hosts:
    - example.com
    - www.example.com
    secretName: example-com-tls
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: echoheaders-x
          servicePort: 80
        path: /
  - host: www.example.com
    http:
      paths:
      - backend:
          serviceName: echoheaders-x
          servicePort: 80
        path: /
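The Issuer, Certificate and Ingress above only work together if their names, namespaces and hostnames agree: a host listed under tls but missing from the certificate, a rule host with no tls entry (served over plain HTTP), or an http01 config pointing at an Ingress that does not exist all fail quietly. The following check is an added example, not part of the guide or of cert-manager; the three manifests are transcribed into Python dicts (constructed here so the script runs offline, without PyYAML or a cluster), and it assumes the www.example.com challenge config names the example-com-ingress Ingress.

```python
from copy import deepcopy
from typing import Any, Dict, List, Set

# The three manifests from the guide, transcribed into dicts for this example
# (constructed here so the check runs offline, without PyYAML or a cluster).
ISSUER: Dict[str, Any] = {
    "kind": "Issuer",
    "metadata": {"name": "letsencrypt-prod", "namespace": "default"},
    "spec": {"acme": {"http01": {}}},
}

CERTIFICATE: Dict[str, Any] = {
    "kind": "Certificate",
    "metadata": {"name": "example-com", "namespace": "default"},
    "spec": {
        "secretName": "example-com-tls",
        "issuerRef": {"name": "letsencrypt-prod"},
        "commonName": "example.com",
        "dnsNames": ["www.example.com"],
        "acme": {"config": [
            {"http01": {"ingressClass": "nginx"}, "domains": ["example.com"]},
            {"http01": {"ingress": "example-com-ingress"}, "domains": ["www.example.com"]},
        ]},
    },
}

INGRESS: Dict[str, Any] = {
    "kind": "Ingress",
    "metadata": {"name": "example-com-ingress", "namespace": "default"},
    "spec": {
        "tls": [{"hosts": ["example.com", "www.example.com"],
                 "secretName": "example-com-tls"}],
        "rules": [{"host": "example.com"}, {"host": "www.example.com"}],
    },
}


def check_tls_wiring(cert: Dict[str, Any], ingress: Dict[str, Any],
                     issuer: Dict[str, Any]) -> List[str]:
    """Return human-readable problems; an empty list means the three objects agree."""
    problems: List[str] = []
    spec = cert["spec"]
    cert_ns = cert["metadata"]["namespace"]

    # An Issuer (unlike a ClusterIssuer) is namespaced: the Certificate must
    # live in the same namespace and name it exactly.
    if issuer["kind"] == "Issuer" and issuer["metadata"]["namespace"] != cert_ns:
        problems.append("Certificate and Issuer are in different namespaces")
    if spec["issuerRef"]["name"] != issuer["metadata"]["name"]:
        problems.append("issuerRef does not name the Issuer")

    # Every name on the certificate needs an HTTP-01 challenge config, and a
    # config that names an Ingress must name the one that serves the host.
    covered: Set[str] = {spec["commonName"], *spec.get("dnsNames", [])}
    solvable: Set[str] = set()
    for entry in spec["acme"]["config"]:
        target = entry["http01"].get("ingress")
        if target is not None and target != ingress["metadata"]["name"]:
            problems.append(f"http01 config references unknown ingress {target}")
            continue
        solvable.update(entry["domains"])
    for name in sorted(covered - solvable):
        problems.append(f"{name} has no http01 challenge config")

    # The TLS secret is namespaced too, so the Ingress must share the namespace
    # and reference the same secretName; every TLS host must be on the cert.
    if ingress["metadata"]["namespace"] != cert_ns:
        problems.append("Ingress cannot read a TLS secret from another namespace")
    tls_hosts: Set[str] = set()
    for tls in ingress["spec"].get("tls", []):
        if tls["secretName"] != spec["secretName"]:
            problems.append(f"tls secretName {tls['secretName']} is not the certificate's")
        tls_hosts.update(tls["hosts"])
    for host in sorted(tls_hosts - covered):
        problems.append(f"{host} is in ingress tls but not on the certificate")

    # A rule host missing from tls is served over plain HTTP only.
    for rule in ingress["spec"].get("rules", []):
        if rule["host"] not in tls_hosts:
            problems.append(f"{rule['host']} has no TLS entry, served over plain HTTP")
    return problems


def broken_examples() -> Dict[str, List[str]]:
    """Two constructed misconfigurations, each returning the problem it should."""
    cert = deepcopy(CERTIFICATE)
    cert["spec"]["dnsNames"] = []  # www dropped from the certificate
    ing = deepcopy(INGRESS)
    ing["spec"]["rules"].append({"host": "api.example.com"})  # host without tls
    return {
        "missing-dnsname": check_tls_wiring(cert, INGRESS, ISSUER),
        "host-without-tls": check_tls_wiring(CERTIFICATE, ing, ISSUER),
    }


if __name__ == "__main__":
    print(check_tls_wiring(CERTIFICATE, INGRESS, ISSUER))  # [] for the manifests above
    for label, found in broken_examples().items():
        print(label, found)
```

Run it before applying the manifests, or point it at dicts loaded from your own YAML; an empty list means the Issuer, Certificate and Ingress reference each other consistently, and each reported line names the object that has to change.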
Enjoy your fresh new Kubernetes cluster, with full support for DigitalOcean volumes and Load Balancers!