The steps below require that you have followed the installation steps for installing K3s on Raspberry Pis.
Ensure that you have a DNS hostname that can be resolved on the Internet:
$ dig +short oh.domain.se
104.21.58.56
Ensure that ports 80 and 443 are forwarded to your k3s master in your local router configuration (the HTTP-01 challenge below needs port 80 reachable from the Internet).
Create namespace:
kubectl create namespace cert-manager
Create the cert-manager yaml-file (the sed rewrites the image names in the manifest to the ARM builds):
curl -sL \
https://github.com/jetstack/cert-manager/releases/download/v1.7.3/cert-manager.yaml |\
sed -r 's/(image:.*):(v.*)$/\1-arm:\2/g' > cert-manager-arm.yaml
Apply the yaml-file:
kubectl apply -f cert-manager-arm.yaml
Check that all pods are running:
kubectl --namespace cert-manager get pods
Create a file named letsencrypt-issuer-production.yaml with the following contents (NOTE: change the email to your own address):
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your_email>@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: traefik
Apply the file:
kubectl apply -f letsencrypt-issuer-production.yaml
This ClusterIssuer can now be reused for all certificates you request in the future.
Install the apache2-utils package to get the htpasswd utility:
sudo apt-get install apache2-utils
Create a storage folder for the authentication file:
sudo mkdir /etc/traefik/
Create the first admin user (replace username with your desired username); htpasswd prompts you for the password:
sudo htpasswd -c /etc/traefik/.htpasswd username
To add more users to your site, use the following command. Do not use the -c flag again, as it recreates the file and removes all previously created users:
sudo htpasswd /etc/traefik/.htpasswd username
and to delete an existing user:
sudo htpasswd -D /etc/traefik/.htpasswd username
Issue the following command to create a secret named authsecret:
kubectl create secret generic authsecret --from-file /etc/traefik/.htpasswd
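The htpasswd commands above only show how to maintain the file. The script below is an added example (not from the page) for auditing what actually ends up in the authsecret secret: it classifies the hash scheme of every line, flags the schemes htpasswd still accepts but that are too weak for an Internet-facing site (plaintext, crypt(3) and unsalted SHA-1), and re-implements APR1-MD5, the scheme htpasswd uses by default, with only the Python standard library so an entry can be verified without Apache installed. The sample lines are constructed; bcrypt entries (htpasswd -B) are recognised but not verified, since that needs a bcrypt library.

```python
"""Audit a Traefik/Apache .htpasswd file and verify APR1-MD5 entries.

Added example, not from the page.  apr1_md5() follows Apache's
apr_md5_encode(); SAMPLE_HTPASSWD is a constructed file.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Apache's to64(): `count` base-64 digits, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>' as htpasswd -m (the default) writes it."""
    pw = password.encode()
    sp = salt[:8].encode()  # APR uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(remaining, 16)])
        remaining -= 16
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds fixed by the scheme
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${sp.decode()}${encoded}"


def new_apr1_entry(user: str, password: str) -> str:
    """Build a 'user:hash' line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def verify_apr1(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a $apr1$ hash."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_md5(password, parts[2]), stored)


def classify(entry: str) -> str:
    """Name the scheme of one 'user:hash' line by its prefix, as htpasswd writes it."""
    _, _, h = entry.partition(":")
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"    # htpasswd -B; the one to use
    if h.startswith("$apr1$"):
        return "apr1-md5"  # htpasswd -m (default); salted, 1000 rounds
    if h.startswith("{SHA}"):
        return "sha1"      # htpasswd -s; unsalted, single round
    if len(h) == 13 and "$" not in h:
        return "crypt"     # htpasswd -d; DES-based, password truncated to 8 chars
    return "plain"         # htpasswd -p, or an unrecognised line


WEAK = {"sha1", "crypt", "plain"}


def audit(lines):
    """Return [(user, scheme, is_weak)] for every non-empty, non-comment line."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scheme = classify(line)
        report.append((line.split(":", 1)[0], scheme, scheme in WEAK))
    return report


# Constructed sample file: a bcrypt user, an apr1 user and a legacy crypt user.
SAMPLE_HTPASSWD = [
    "admin:$2y$05$" + "a" * 53,
    new_apr1_entry("operator", "correct horse battery staple"),
    "legacy:Ab1cd2ef3gh4i",
]

if __name__ == "__main__":
    for user, scheme, weak in audit(SAMPLE_HTPASSWD):
        print(f"{user:10s} {scheme:10s} {'WEAK: recreate with htpasswd -B' if weak else 'ok'}")
```

Run it against the real file with `audit(open('/etc/traefik/.htpasswd'))`; any user reported as weak should be recreated with `htpasswd -B`, and the secret recreated afterwards so Traefik picks up the new file.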
Update your traefik ingress yaml-file according to the following (this manifest uses the extensions/v1beta1 Ingress API, which was removed in Kubernetes 1.22; on newer clusters use networking.k8s.io/v1 with the equivalent fields):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: openhab-production
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/auth-type: basic
    traefik.ingress.kubernetes.io/auth-secret: authsecret
    ingress.kubernetes.io/custom-request-headers: "cookie: X-OPENHAB-AUTH-HEADER=true"
    ingress.kubernetes.io/custom-response-headers: "cookie: X-OPENHAB-AUTH-HEADER=true"
    ingress.kubernetes.io/auth-remove-header: "true"
spec:
  rules:
  - host: oh.domain.se
    http:
      paths:
      - path: /
        backend:
          serviceName: openhab-production
          servicePort: openhab-http
  tls:
  - hosts:
    - oh.domain.se
    secretName: oh-domain-se-tls
Time to apply the updated file:
kubectl apply -f openhab-traefik.yml
Check that the Let's Encrypt certificate has been issued:
pi@k3s-master-1:~/openhab-production-k3s $ kubectl get certificates
NAME READY SECRET AGE
oh-domain-se-tls True oh-domain-se-tls 39m
It can take up to a minute before READY changes to True.
Then try to access your site!
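The kubectl table above only shows READY as True or False. As an added example (not from the page), the script below reads the JSON that `kubectl get certificate oh-domain-se-tls -o json` prints, reports the Ready condition with its reason, the remaining lifetime and whether the Ingress host is among the certificate's dnsNames, and can poll until READY becomes True instead of re-running the command by hand. The two Certificate objects in it are constructed samples; only the field names (status.conditions, status.notAfter, status.renewalTime, spec.dnsNames, spec.secretName, spec.issuerRef) are taken from the cert-manager v1 API.

```python
"""Script the 'is my Let's Encrypt certificate ready?' check.

Added example, not from the page.  certificate_status() takes the object
printed by `kubectl get certificate <name> -o json`; wait_ready() polls a
fetcher until the Ready condition is True.  READY_CERT and PENDING_CERT
are constructed samples in the cert-manager v1 shape.
"""
import json
import subprocess
import time
from datetime import datetime, timezone


def _ts(value):
    """cert-manager writes RFC 3339 UTC timestamps, e.g. 2022-05-01T09:00:00Z."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def certificate_status(cert, now, expected_host=None, min_days=14):
    """Summarise one Certificate; 'findings' lists what the operator should act on."""
    status = cert.get("status", {})
    conds = {c["type"]: c for c in status.get("conditions", [])}
    ready = conds.get("Ready", {})
    is_ready = ready.get("status") == "True"
    not_after = _ts(status.get("notAfter"))
    days_left = (not_after - now).days if not_after else None
    dns_names = cert["spec"].get("dnsNames", [])
    findings = []
    if not is_ready:
        findings.append(f"not ready ({ready.get('reason')}): {ready.get('message')}")
    if days_left is not None and days_left < min_days:
        # Let's Encrypt certificates live 90 days and cert-manager renews them
        # early, so a short remaining lifetime means renewal is failing.
        findings.append(f"expires in {days_left} days; check renewal")
    if expected_host and expected_host not in dns_names:
        findings.append(f"Ingress host {expected_host} is not in spec.dnsNames {dns_names}")
    return {
        "name": cert["metadata"]["name"],
        "ready": is_ready,
        "secret": cert["spec"]["secretName"],
        "days_left": days_left,
        "renewal_time": status.get("renewalTime"),
        "findings": findings,
    }


def fetch_certificate(name, namespace="default"):
    """Live fetcher: shells out to kubectl.  Not used by the samples below."""
    out = subprocess.run(
        ["kubectl", "get", "certificate", name, "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def wait_ready(fetch, now, timeout=120, interval=5, sleep=time.sleep):
    """Poll fetch() every `interval` seconds until Ready is True or `timeout` passes."""
    attempts = max(1, timeout // interval)
    for n in range(attempts):
        summary = certificate_status(fetch(), now)
        if summary["ready"] or n == attempts - 1:
            return summary
        sleep(interval)


SAMPLE_NOW = datetime(2022, 5, 2, tzinfo=timezone.utc)    # constructed "current time"
SAMPLE_LATER = datetime(2022, 7, 20, tzinfo=timezone.utc)  # 10 days before expiry

# Constructed: what a healthy Certificate looks like after issuance.
READY_CERT = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "oh-domain-se-tls", "namespace": "default"},
    "spec": {"dnsNames": ["oh.domain.se"], "secretName": "oh-domain-se-tls",
             "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod"}},
    "status": {
        "conditions": [{"type": "Ready", "status": "True", "reason": "Ready",
                        "message": "Certificate is up to date and has not expired",
                        "lastTransitionTime": "2022-05-01T10:00:00Z"}],
        "notBefore": "2022-05-01T09:00:00Z",
        "notAfter": "2022-07-30T09:00:00Z",
        "renewalTime": "2022-06-30T09:00:00Z",
    },
}

# Constructed: the same Certificate while the HTTP-01 challenge is still pending.
PENDING_CERT = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "oh-domain-se-tls", "namespace": "default"},
    "spec": READY_CERT["spec"],
    "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist",
                               "message": "Issuing certificate as Secret does not exist",
                               "lastTransitionTime": "2022-05-01T09:30:00Z"}]},
}


def wait_ready_sample():
    """Demonstrate wait_ready() with a fetcher that is pending once, then ready."""
    responses = iter([PENDING_CERT, READY_CERT])
    return wait_ready(lambda: next(responses), SAMPLE_NOW, sleep=lambda s: None)


if __name__ == "__main__":
    for cert in (READY_CERT, PENDING_CERT):
        print(certificate_status(cert, SAMPLE_NOW, expected_host="oh.domain.se"))
    print(wait_ready_sample())
```

Against a real cluster, replace the sample fetcher with `lambda: fetch_certificate("oh-domain-se-tls")` and pass `datetime.now(timezone.utc)` as `now`; a non-empty `findings` list is the signal to look at the Order and Challenge objects rather than waiting longer.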