[KUBERNETES] Setup K3s Envoy Gateway HTTPS Let's Encrypt - fourslickz/notes GitHub Wiki
Setup K3s + Envoy Gateway + HTTPS + Let's Encrypt
Architecture
```
Internet
  ↓
HTTPS
  ↓
Envoy Gateway
  ↓
Gateway API
  ↓
HTTPRoute
  ↓
Service
  ↓
Pods
```
1. Install K3s
Install without Traefik and without the built-in ServiceLB (Envoy Gateway will take over the LoadBalancer role).
```bash
curl -sfL https://get.k3s.io | sh -s - \
  --disable traefik \
  --disable servicelb
```
2. Setup kubectl
Copy the kubeconfig
```bash
mkdir -p ~/.kube
sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sudo chown $USER:$USER ~/.kube/config
```
Export the kubeconfig
```bash
export KUBECONFIG=~/.kube/config
```
Optional: make it permanent
```bash
echo 'export KUBECONFIG=~/.kube/config' >> ~/.bashrc
source ~/.bashrc
```
Verify
```bash
kubectl get nodes
```
3. Install Helm
```bash
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
```
Verify
```bash
helm version
```
4. Install Gateway API CRD
```bash
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
```
Verify
```bash
kubectl get crd | grep gateway
```
5. Install Envoy Gateway
```bash
helm install eg oci://docker.io/envoyproxy/gateway-helm \
  --version v1.4.6 \
  -n envoy-gateway-system \
  --create-namespace
```
Verify
```bash
kubectl get pods -n envoy-gateway-system
```
6. Restart Envoy Gateway
Needed because the Gateway API CRDs were only just installed; the restart lets the controller pick them up.
```bash
kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
```
7. Create the GatewayClass
gatewayclass.yaml
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
```
Apply
```bash
kubectl apply -f gatewayclass.yaml
```
Verify
```bash
kubectl get gatewayclass
```
Expected:
```
envoy   gateway.envoyproxy.io/gatewayclass-controller   True
```
8. Create the Gateway
gateway.yaml
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
spec:
  gatewayClassName: envoy
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
```
Apply
```bash
kubectl apply -f gateway.yaml
```
9. Check the Envoy Service
```bash
kubectl get svc -A
```
Example:
```
envoy-default-main-gateway-xxxxx   LoadBalancer   103.196.155.38
```
10. Deploy Sample App
nginx.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  selector:
    app: nginx
  ports:
    - port: 80
      targetPort: 80
```
Apply
```bash
kubectl apply -f nginx.yaml
```
11. Create the HTTPRoute
route.yaml
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx-route
spec:
  parentRefs:
    - name: main-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: nginx
          port: 80
```
Apply
```bash
kubectl apply -f route.yaml
```
12. Test HTTP
```bash
curl http://103.196.155.38
```
The response should contain:
```
Welcome to nginx!
```
13. Install cert-manager
Use a version compatible with K3s v1.28.
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.5/cert-manager.yaml
```
Verify
```bash
kubectl get pods -n cert-manager
```
14. Enable Gateway API in cert-manager
Patch the deployment to add the `--enable-gateway-api` flag to the controller container:
```bash
kubectl patch deployment cert-manager \
  -n cert-manager \
  --type='json' \
  -p='[
    {
      "op": "add",
      "path": "/spec/template/spec/containers/0/args/-",
      "value": "--enable-gateway-api"
    }
  ]'
```
Verify
```bash
kubectl describe deployment cert-manager -n cert-manager
```
The output should contain:
```
--enable-gateway-api
```
15. Create the ClusterIssuer
clusterissuer.yaml
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      - http01:
          gatewayHTTPRoute:
            parentRefs:
              - name: main-gateway
                namespace: default
```
Apply
```bash
kubectl apply -f clusterissuer.yaml
```
Verify
```bash
kubectl get clusterissuer
```
Expected:
```
READY=True
```
16. Point the Domain
Point the domain:
```
aliensky.id
```
to the IP:
```
103.196.155.38
```
17. Create the Certificate
certificate.yaml
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-domain-cert
spec:
  secretName: my-domain-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - aliensky.id
```
Apply
```bash
kubectl apply -f certificate.yaml
```
Verify
```bash
kubectl get certificate
```
Expected:
```
READY=True
```
18. Update the Gateway for HTTPS
gateway.yaml
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
spec:
  gatewayClassName: envoy
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS
      port: 443
      hostname: aliensky.id
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: my-domain-tls
      allowedRoutes:
        namespaces:
          from: All
```
Apply
```bash
kubectl apply -f gateway.yaml
```
19. Update the HTTPRoute for HTTPS
route.yaml
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx-route
spec:
  hostnames:
    - aliensky.id
  parentRefs:
    - name: main-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: nginx
          port: 80
```
Apply
```bash
kubectl apply -f route.yaml
```
20. Test HTTPS
```bash
curl https://aliensky.id
```
or open in a browser:
```
https://aliensky.id
```
Verify Resources
Pods
```bash
kubectl get pods -A
```
Services
```bash
kubectl get svc -A
```
Gateway
```bash
kubectl get gateway
```
GatewayClass
```bash
kubectl get gatewayclass
```
HTTPRoute
```bash
kubectl get httproute
```
Certificate
```bash
kubectl get certificate
```
Component Overview
| Component | Function |
|---|---|
| K3s | Lightweight Kubernetes |
| Helm | Kubernetes package manager |
| Gateway API | Modern Kubernetes networking API |
| Envoy Gateway | Modern reverse proxy |
| GatewayClass | Binds the Gateway to the Envoy controller |
| Gateway | Traffic entry point |
| HTTPRoute | Request routing |
| cert-manager | TLS certificate automation |
| ClusterIssuer | Let's Encrypt configuration |
| Certificate | Requests a TLS certificate |
| Service | Exposes the pods |
| Pod | Application container |
Request Flow
```
Internet
  ↓
HTTPS
  ↓
Envoy Gateway
  ↓
Gateway
  ↓
HTTPRoute
  ↓
Service
  ↓
Pod
```
Next Steps for Production
Recommended next steps:
- Redirect HTTP → HTTPS
- Cloudflare
- Websocket
- gRPC
- Rate limiting
- WAF
- Grafana
- Loki
- Prometheus
- ArgoCD
- Longhorn
- Multi-node K3s
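The first item above, the HTTP to HTTPS redirect, worked out for this page's `main-gateway` as an added example that is not from the original wiki. It pins `nginx-route` to the `https` listener with `sectionName` and adds a second HTTPRoute on the `http` listener (named `http-to-https` here, an assumed name) that answers every plain-HTTP request with a 301 to the HTTPS URL.

```yaml
# Added example (not from the original wiki): HTTP -> HTTPS redirect.
# 1) nginx-route now attaches only to the https listener, so it no longer
#    competes with the redirect route on port 80.
# 2) http-to-https attaches only to the http listener; a rule with no
#    "matches" defaults to PathPrefix "/", so it catches everything.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx-route
spec:
  hostnames:
    - aliensky.id
  parentRefs:
    - name: main-gateway
      sectionName: https      # only the HTTPS listener (port 443)
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: nginx
          port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-to-https         # assumed name for this example
spec:
  hostnames:
    - aliensky.id
  parentRefs:
    - name: main-gateway
      sectionName: http       # only the plain HTTP listener (port 80)
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https     # keep host and path, switch to https://
            statusCode: 301
```

Keep port 80 open: cert-manager's HTTP-01 challenge HTTPRoute uses an Exact path match on `/.well-known/acme-challenge/...`, which takes precedence over this PathPrefix `/` redirect under Gateway API rules, so renewals keep working.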