Setup Production K3s Envoy Gateway HTTPS Private Docker Hub - fourslickz/notes GitHub Wiki
# Setup Production K3s + Envoy Gateway + HTTPS + Private Docker Hub

## Architecture

```text
Internet
    ↓
HTTP → HTTPS redirect
    ↓
Envoy Gateway
    ↓
Gateway API
    ↓
HTTPRoute
    ↓
Service
    ↓
Private Docker Hub container
```
## 1. Install K3s

Install without the bundled Traefik and ServiceLB.

```sh
curl -sfL https://get.k3s.io | sh -s - \
  --disable traefik \
  --disable servicelb
```
## 2. Set up kubectl

Copy the kubeconfig:

```sh
mkdir -p ~/.kube
sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sudo chown $USER:$USER ~/.kube/config
```

Export the kubeconfig:

```sh
export KUBECONFIG=~/.kube/config
```

Make it permanent:

```sh
echo 'export KUBECONFIG=~/.kube/config' >> ~/.bashrc
source ~/.bashrc
```
## 3. Install Helm

```sh
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
```

## 4. Install the Gateway API CRDs

```sh
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
```

## 5. Install Envoy Gateway

```sh
helm install eg oci://docker.io/envoyproxy/gateway-helm \
  --version v1.4.6 \
  -n envoy-gateway-system \
  --create-namespace
```

## 6. Restart Envoy Gateway

```sh
kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
```
## 7. Create the GatewayClass

`gatewayclass.yaml`:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
```

Apply:

```sh
kubectl apply -f gatewayclass.yaml
```
## 8. Create the Gateway

`gateway.yaml`:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main-gateway
spec:
  gatewayClassName: envoy
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS
      port: 443
      hostname: aliensky.id
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: my-domain-tls
      allowedRoutes:
        namespaces:
          from: All
```

Apply:

```sh
kubectl apply -f gateway.yaml
```
## 9. Install cert-manager

Use a version compatible with K3s v1.28.

```sh
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.5/cert-manager.yaml
```

## 10. Enable Gateway API support in cert-manager

```sh
kubectl patch deployment cert-manager \
  -n cert-manager \
  --type='json' \
  -p='[
    {
      "op": "add",
      "path": "/spec/template/spec/containers/0/args/-",
      "value": "--enable-gateway-api"
    }
  ]'
```
## 11. Create the ClusterIssuer

`clusterissuer.yaml`:

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      - http01:
          gatewayHTTPRoute:
            parentRefs:
              - name: main-gateway
                namespace: default
```

Apply:

```sh
kubectl apply -f clusterissuer.yaml
```
## 12. Point the domain

Point `aliensky.id` to the server IP `103.196.155.38`.
## 13. Create the Certificate

`certificate.yaml`:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-domain-cert
spec:
  secretName: my-domain-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  dnsNames:
    - aliensky.id
```

Apply:

```sh
kubectl apply -f certificate.yaml
```
## 14. Create the HTTP redirect route

`4-http-redirect.yaml`:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-redirect
spec:
  hostnames:
    - aliensky.id
  parentRefs:
    - name: main-gateway
      sectionName: http
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
```

Apply:

```sh
kubectl apply -f 4-http-redirect.yaml
```
## 15. Create the Docker registry secret

Used to pull the private image from Docker Hub. Prefer a Docker Hub access token over the account password here, and keep in mind that the value passed on the command line ends up in shell history.

```sh
kubectl create secret docker-registry dockerhub-secret \
  --docker-server=https://index.docker.io/v1/ \
  --docker-username=DOCKERHUB_USERNAME \
  --docker-password=DOCKERHUB_PASSWORD \
  --docker-email=EMAIL
```
## 16. Deploy the private Docker Hub app

`app.yaml`:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aliensky-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aliensky-app
  template:
    metadata:
      labels:
        app: aliensky-app
    spec:
      imagePullSecrets:
        - name: dockerhub-secret
      containers:
        - name: aliensky-app
          image: aliensky/private-app:v1.0.0
          imagePullPolicy: Always
          ports:
            - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: aliensky-app
spec:
  selector:
    app: aliensky-app
  ports:
    - port: 80
      targetPort: 3000
```

Apply:

```sh
kubectl apply -f app.yaml
```
## 17. Create the HTTPS backend route

`5-https-backend.yaml`:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: https-backend
spec:
  hostnames:
    - aliensky.id
  parentRefs:
    - name: main-gateway
      sectionName: https
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: aliensky-app
          port: 80
```

Apply:

```sh
kubectl apply -f 5-https-backend.yaml
```
## 18. Remove the old nginx sample

```sh
kubectl delete deployment nginx
kubectl delete service nginx
```

## 19. Verify the resources

Pods:

```sh
kubectl get pods -A
```

Services:

```sh
kubectl get svc -A
```

Gateway:

```sh
kubectl get gateway
```

GatewayClass:

```sh
kubectl get gatewayclass
```

HTTPRoute:

```sh
kubectl get httproute
```

Certificate:

```sh
kubectl get certificate
```
## 20. Testing

HTTP redirect:

```sh
curl -I http://aliensky.id
```

Expected:

```text
301 Moved Permanently
```

HTTPS:

```sh
curl -I https://aliensky.id
```

Expected:

```text
200 OK
```
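The two curl checks above, as an added verification script that is not part of the original wiki: it parses the response headers, requires a 301 whose Location points at `https://aliensky.id`, and requires a 200 over HTTPS with curl's default certificate validation (no `-k`), so a pass also proves the Let's Encrypt chain is trusted. `HOST` defaults to the page's domain; the function names and the `run_checks` wrapper are this example's own.

```shell
#!/bin/sh
# Added verification helpers, not from the wiki. Assumes the domain from the page (override with HOST=...).
HOST="${HOST:-aliensky.id}"

# status_code HEADERS: print the numeric status from the first response line
status_code() {
  printf '%s\n' "$1" | head -n 1 | awk '{ print $2 }'
}

# header_value HEADERS NAME: print the value of NAME (case-insensitive; Envoy emits lowercase names over HTTP/2)
header_value() {
  n=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  printf '%s\n' "$1" | tr -d '\r' |
    awk -v n="$n" 'tolower($1) == (n ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_redirect HEADERS: plain HTTP must answer 301 with a Location on https://$HOST
check_redirect() {
  code=$(status_code "$1")
  loc=$(header_value "$1" Location)
  [ "$code" = 301 ] || { echo "expected 301 on http://$HOST, got ${code:-no response}" >&2; return 1; }
  case "$loc" in
    "https://$HOST"|"https://$HOST/"*) return 0 ;;
    *) echo "redirect must target https://$HOST, got '$loc'" >&2; return 1 ;;
  esac
}

# check_https HEADERS: HTTPS must answer 200 (curl in run_checks validates the cert, so 200 means a trusted chain)
check_https() {
  code=$(status_code "$1")
  [ "$code" = 200 ] || { echo "expected 200 on https://$HOST, got ${code:-no response}" >&2; return 1; }
}

# run_checks: fetch both endpoints and apply the checks; call this from a shell that can reach the domain
run_checks() {
  check_redirect "$(curl -sI --max-time 10 "http://$HOST")" &&
    check_https "$(curl -sI --max-time 10 "https://$HOST")" &&
    echo "OK: http://$HOST redirects to HTTPS and https://$HOST serves with a trusted certificate"
}
```

Source the file and call `run_checks` once DNS points at the server; a failed check prints the mismatch on stderr and returns non-zero, so it can gate a deploy pipeline.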
## Troubleshooting

ImagePullBackOff:

```sh
kubectl describe pod
```

App logs:

```sh
kubectl logs deployment/aliensky-app
```

Envoy Gateway logs:

```sh
kubectl logs -n envoy-gateway-system deployment/envoy-gateway
```

## Production best practice

Pin the image version:

```yaml
image: aliensky/private-app:v1.0.0
```

Do not use `latest`.
## Current production infrastructure

It now has:
- K3s
- Envoy Gateway
- Gateway API
- HTTPS
- Let's Encrypt
- cert-manager
- HTTP → HTTPS redirect
- Private Docker Hub deployment
- Kubernetes native routing
- Modern ingress architecture