On the Management cluster, create a TunnelProxy object for your proxied cluster and assign it a unique domain. This domain forwards all user authentication requests through the Management cluster, and is used to generate the URL that exposes the cluster's dashboards (clusterProxyDomain).
You require both a certificate and a DNS record to back the domain. If you choose the default configuration, DKP will handle the certificate creation (self-signed certificate), but you must create a DNS record manually.
Alternatively, you can set up a different Certificate Authority to handle certificate creation and rotation for your domain. You can also set up the external-dns service to create the DNS record automatically.
Here are some examples of possible configuration combinations:
Domain with default certificate and automatic DNS record creation (requires External DNS)
In this example, the following configuration applies:
Certificate - The domain uses a self-signed certificate created by DKP.
DNS record - external-dns creates the DNS record automatically. For this to work, ensure you have enabled External DNS in your Management cluster.
CODE
cat <<EOF | tee tunnelproxy.yaml | kubectl apply -f -
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelProxy
metadata:
  name: ${TUNNEL_PROXY_NAME}
  namespace: ${WORKSPACE_NAMESPACE}
spec:
  clusterProxyDomain: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
  tunnelConnectorRef:
    name: ${TUNNEL_CONNECTOR_NAME}
  ingress:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
EOF
Domain with default certificate and default DNS setup (requires manually-created DNS record)
In this example, the following configuration applies:
Certificate - The domain uses a self-signed certificate created by DKP.
DNS record - For the domain to be recognized by the cluster, create a DNS record manually. The record's A value (IP address) or CNAME value (hostname) must point to the Management cluster's Traefik IP address, URL or domain. Create one record per proxied cluster.
CODE
cat <<EOF | tee tunnelproxy.yaml | kubectl apply -f -
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelProxy
metadata:
  name: ${TUNNEL_PROXY_NAME}
  namespace: ${WORKSPACE_NAMESPACE}
spec:
  clusterProxyDomain: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
  tunnelConnectorRef:
    name: ${TUNNEL_CONNECTOR_NAME}
EOF
Domain with automatically-generated ACME certificate and automatic DNS record creation (requires External DNS)
In this example, the following configuration applies:
Certificate - The domain uses cert-manager with an ACME-based Certificate Authority, which automatically issues and rotates your certificates. By default, DKP uses Let's Encrypt.
DNS record - external-dns creates the DNS record automatically. For this to work, ensure you have enabled External DNS in your Management cluster.
Set the environment variable for your issuing object. This can be a ClusterIssuer or an Issuer. See Advanced Configuration: ClusterIssuer for more information.
CODE
ISSUER_KIND=ClusterIssuer
Set the environment variable for your CA. Replace letsEncrypt if you are using another ACME-based certificate authority.
CODE
ISSUER_NAME=letsEncrypt
Create the TunnelProxy:
CODE
cat <<EOF | tee tunnelproxy.yaml | kubectl apply -f -
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelProxy
metadata:
  name: ${TUNNEL_PROXY_NAME}
  namespace: ${WORKSPACE_NAMESPACE}
spec:
  clusterProxyDomain: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
  tunnelConnectorRef:
    name: ${TUNNEL_CONNECTOR_NAME}
  ingress:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
  certificate:
    issuerRef:
      kind: ${ISSUER_KIND}
      name: ${ISSUER_NAME}
EOF
Domain with a custom certificate (requires certificate secret) and automatic DNS record creation (requires External DNS)
In this example, the following configuration applies:
Certificate - The domain uses a custom certificate that you created manually. Ensure you reference the <certificate_secret_name>.
DNS record - external-dns creates the DNS record automatically. For this to work, ensure you have enabled External DNS in your Management cluster.
Set an environment variable for the name of your custom certificate secret. See Manually-generated certificate for more information.
CODE
CERTIFICATE_SECRET_NAME=<custom_certificate_secret_name>
Optional: If you do not have a secret yet and wish to create one pointing at the certificate, execute the following command:
CODE
kubectl create secret tls ${CERTIFICATE_SECRET_NAME} -n ${WORKSPACE_NAMESPACE} --key="tls.key" --cert="tls.crt"
Create the TunnelProxy:
CODE
cat <<EOF | tee tunnelproxy.yaml | kubectl apply -f -
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelProxy
metadata:
  name: ${TUNNEL_PROXY_NAME}
  namespace: ${WORKSPACE_NAMESPACE}
spec:
  clusterProxyDomain: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
  tunnelConnectorRef:
    name: ${TUNNEL_CONNECTOR_NAME}
  ingress:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
  certificate:
    certificateSecretRef:
      name: ${CERTIFICATE_SECRET_NAME}
EOF
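As an added example (not from the DKP documentation), the following bash function renders any of the four variants above from the same environment variables, refusing a malformed domain and the invalid combination of an ACME issuer plus a custom secret. USE_EXTERNAL_DNS is a variable name chosen for this example; the manifest fields are the ones shown in the examples above.

```shell
#!/usr/bin/env bash
# Added example, not part of the DKP docs: one generator for the four
# TunnelProxy variants. Required: TUNNEL_PROXY_NAME, WORKSPACE_NAMESPACE,
# TUNNEL_PROXY_EXTERNAL_DOMAIN, TUNNEL_CONNECTOR_NAME. Optional:
# USE_EXTERNAL_DNS=true (name chosen here), ISSUER_NAME (+ ISSUER_KIND), or CERTIFICATE_SECRET_NAME.

# Accept only a plain lowercase DNS name: the value is copied verbatim into
# the external-dns annotation and into the generated dashboard URL.
valid_domain() {
  printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Print the manifest on stdout; return 1 (message on stderr) if inputs are
# missing, the domain is malformed, or both certificate sources are set.
render_tunnelproxy() {
  local v val
  for v in TUNNEL_PROXY_NAME WORKSPACE_NAMESPACE TUNNEL_PROXY_EXTERNAL_DOMAIN TUNNEL_CONNECTOR_NAME; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing $v" >&2; return 1; }
  done
  valid_domain "$TUNNEL_PROXY_EXTERNAL_DOMAIN" || { echo "malformed domain" >&2; return 1; }
  if [ -n "${ISSUER_NAME:-}" ] && [ -n "${CERTIFICATE_SECRET_NAME:-}" ]; then
    echo "set ISSUER_NAME or CERTIFICATE_SECRET_NAME, not both" >&2; return 1
  fi
  cat <<EOF
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelProxy
metadata:
  name: ${TUNNEL_PROXY_NAME}
  namespace: ${WORKSPACE_NAMESPACE}
spec:
  clusterProxyDomain: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
  tunnelConnectorRef:
    name: ${TUNNEL_CONNECTOR_NAME}
EOF
  # Only request a record from external-dns when it is enabled on the Management cluster.
  [ "${USE_EXTERNAL_DNS:-false}" = true ] && cat <<EOF
  ingress:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
EOF
  if [ -n "${ISSUER_NAME:-}" ]; then                 # ACME-issued, rotated by cert-manager
    printf '  certificate:\n    issuerRef:\n      kind: %s\n      name: %s\n' \
      "${ISSUER_KIND:-ClusterIssuer}" "$ISSUER_NAME"
  elif [ -n "${CERTIFICATE_SECRET_NAME:-}" ]; then   # manually created TLS secret
    printf '  certificate:\n    certificateSecretRef:\n      name: %s\n' "$CERTIFICATE_SECRET_NAME"
  fi
}
```

Run it as `render_tunnelproxy | tee tunnelproxy.yaml | kubectl apply -f -` once the variables are exported.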
Next Step:
4. Enable the TunnelProxy Object in the KommanderCluster: CLI Proxied Access