3. Create a TunnelProxy Object: CLI Proxied Access

On the Management cluster, create a TunnelProxy object for your proxied cluster and assign it a unique domain (clusterProxyDomain). All user authentication requests for the proxied cluster are routed through the Management cluster at this domain, and the domain is also used to build the URL that exposes the cluster's dashboards.

The domain must be backed by both a certificate and a DNS record. With the default configuration, DKP creates the certificate for you (a self-signed certificate), but you must create the DNS record manually.

Alternatively, you can set up a different Certificate Authority to handle the certificate creation and rotation for your domain. You can also set up the external-dns service to automatically create a DNS record.

Here are some examples of possible configuration combinations:

Domain with default certificate and automatic DNS record creation (requires External DNS)

In this example, the following configuration applies:

  • Certificate - The domain uses a self-signed certificate created by DKP.

  • DNS record - The external-dns manages the creation of a DNS record automatically. For it to work, ensure you have enabled External DNS in your Management cluster.

CODE
cat <<EOF | tee tunnelproxy.yaml | kubectl apply -f -
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelProxy
metadata:
  name: ${TUNNEL_PROXY_NAME}
  namespace: ${WORKSPACE_NAMESPACE}
spec:
  clusterProxyDomain: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
  tunnelConnectorRef:
    name: ${TUNNEL_CONNECTOR_NAME}
  ingress:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
EOF

The spec.ingress.annotations field contains the annotation required for DNS record management. For more information, see DNS Record Creation with External DNS.

Domain with default certificate and default DNS setup (requires manually-created DNS record)

In this example, the following configuration applies:

  • Certificate - The domain uses a self-signed certificate created by DKP.

  • DNS record - For the domain to be recognized by the cluster, you must create a DNS record manually. The record must point to the Management cluster's Traefik endpoint: its IP address (A record) or its hostname (CNAME record). Create one record per proxied cluster.

CODE
cat <<EOF | tee tunnelproxy.yaml | kubectl apply -f -
apiVersion: kubetunnel.d2iq.io/v1alpha1
kind: TunnelProxy
metadata:
  name: ${TUNNEL_PROXY_NAME}
  namespace: ${WORKSPACE_NAMESPACE}
spec:
  clusterProxyDomain: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
  tunnelConnectorRef:
    name: ${TUNNEL_CONNECTOR_NAME}
EOF

Domain with automatically-generated ACME certificate and automatic DNS record creation (requires External DNS)

In this example, the following configuration applies:

  • Certificate - The domain uses cert-manager to enable an ACME-based Certificate Authority. This CA automatically issues and rotates your certificates. By default, DKP uses Let's Encrypt.

  • DNS record - The external-dns manages the creation of a DNS record automatically. For it to work, ensure you have enabled External DNS in your Management cluster.

  1. Set the environment variable for your issuing object:
    Note: This can be a ClusterIssuer or an Issuer. See Advanced Configuration: ClusterIssuer for more information.

    CODE
    ISSUER_KIND=ClusterIssuer
  2. Set the environment variable for your CA:
    Note: Replace letsEncrypt if you are using another ACME-based certificate authority.

    CODE
    ISSUER_NAME=letsEncrypt
  3. Create the TunnelProxy:

    CODE
    cat <<EOF | tee tunnelproxy.yaml | kubectl apply -f -
    apiVersion: kubetunnel.d2iq.io/v1alpha1
    kind: TunnelProxy
    metadata:
      name: ${TUNNEL_PROXY_NAME}
      namespace: ${WORKSPACE_NAMESPACE}
    spec:
      clusterProxyDomain: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
      tunnelConnectorRef:
        name: ${TUNNEL_CONNECTOR_NAME}
      ingress:
        annotations:
          external-dns.alpha.kubernetes.io/hostname: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
        certificate:
          issuerRef:
            kind: ${ISSUER_KIND}
            name: ${ISSUER_NAME}
    EOF

Domain with a custom certificate (requires certificate secret) and automatic DNS record creation (requires External DNS)

In this example, the following configuration applies:

  • Certificate - The domain uses a custom certificate that you created manually and stored in a TLS secret. Reference that secret by name (<certificate_secret_name>).

  • DNS record - The external-dns manages the creation of a DNS record automatically. For it to work, ensure you have enabled External DNS in your Management cluster.

  1. Set an environment variable for the name of your custom certificate secret:
    Note: See Manually-generated certificate for more information.

    CODE
    CERTIFICATE_SECRET_NAME=<custom_certificate_secret_name>
  2. Optional: If you do not have a secret yet, create a TLS secret from your certificate and key files with the following command:

    CODE
    kubectl create secret tls ${CERTIFICATE_SECRET_NAME} -n ${WORKSPACE_NAMESPACE} --key="tls.key" --cert="tls.crt"
  3. Create the TunnelProxy:

    CODE
    cat <<EOF | tee tunnelproxy.yaml | kubectl apply -f -
    apiVersion: kubetunnel.d2iq.io/v1alpha1
    kind: TunnelProxy
    metadata:
      name: ${TUNNEL_PROXY_NAME}
      namespace: ${WORKSPACE_NAMESPACE}
    spec:
      clusterProxyDomain: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
      tunnelConnectorRef:
        name: ${TUNNEL_CONNECTOR_NAME}
      ingress:
        annotations:
          external-dns.alpha.kubernetes.io/hostname: ${TUNNEL_PROXY_EXTERNAL_DOMAIN}
        certificate:
          certificateSecretRef:
            name: ${CERTIFICATE_SECRET_NAME}
    EOF
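
The four configurations above differ only in the spec.ingress block. The following script is an added example, not DKP's own tooling: it builds a TunnelProxy manifest for any of the four combinations, rejects invalid input before it reaches kubectl (a domain that is not a valid DNS name, an unsupported issuer kind, or both an issuerRef and a certificateSecretRef at once, which this example treats as mutually exclusive by assumption), and includes a check that a secret returned by kubectl get secret -o json is really a kubernetes.io/tls secret before you reference it. All sample names and domains are constructed.

```python
import json
import re

# Added example, not DKP tooling; field names follow the manifests on this page.
EXTERNAL_DNS_ANNOTATION = "external-dns.alpha.kubernetes.io/hostname"
# One DNS label: lowercase alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def valid_domain(domain: str) -> bool:
    """True if domain is a lowercase, dotted hostname of at most 253 characters."""
    if not domain or len(domain) > 253 or "." not in domain:
        return False
    return all(_LABEL.match(label) for label in domain.split("."))


def build_tunnel_proxy(name, namespace, domain, connector,
                       external_dns=False, issuer=None, secret_name=None):
    """Return the TunnelProxy object as a dict; issuer is a (kind, name) tuple."""
    if not valid_domain(domain):
        raise ValueError(f"clusterProxyDomain {domain!r} is not a valid DNS name")
    if issuer and secret_name:  # assumption: the two certificate sources are exclusive
        raise ValueError("use either an ACME issuer or a custom certificate secret")
    if issuer and issuer[0] not in ("ClusterIssuer", "Issuer"):
        raise ValueError("issuer kind must be ClusterIssuer or Issuer")
    spec = {"clusterProxyDomain": domain, "tunnelConnectorRef": {"name": connector}}
    ingress = {}
    if external_dns:  # only useful when External DNS is enabled on the Management cluster
        ingress["annotations"] = {EXTERNAL_DNS_ANNOTATION: domain}
    if issuer:
        ingress["certificate"] = {"issuerRef": {"kind": issuer[0], "name": issuer[1]}}
    elif secret_name:
        ingress["certificate"] = {"certificateSecretRef": {"name": secret_name}}
    if ingress:
        spec["ingress"] = ingress
    return {"apiVersion": "kubetunnel.d2iq.io/v1alpha1", "kind": "TunnelProxy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def tls_secret_ok(secret: dict) -> bool:
    """Sanity-check a `kubectl get secret -o json` document before referencing it."""
    data = secret.get("data") or {}
    return secret.get("type") == "kubernetes.io/tls" and {"tls.crt", "tls.key"} <= set(data)


if __name__ == "__main__":  # constructed sample values; pipe the output into kubectl apply -f -
    obj = build_tunnel_proxy("dev-cluster", "kommander-dev", "dev.proxy.example.com",
                             "dev-connector", external_dns=True, issuer=("ClusterIssuer", "letsEncrypt"))
    print(json.dumps(obj, indent=2))
```

kubectl apply accepts JSON as well as YAML, so the printed object can be applied directly.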

Next Step:

4. Enable the TunnelProxy Object in the KommanderCluster: CLI Proxied Access
