Objective:
To perform a minimal installation of k0s on a VPS, set up Traefik as a reverse proxy, and enable HTTPS.
Prerequisites:
- A VPS (4GB RAM, 2 vCPUs)
- A domain
- k0s (v1.31.2+k0s.0)
- Helm (v3.16.3)
- MetalLB (v0.14.8)
- Traefik (v3.2.0)
- Traefik Helm Chart (v33.0.0)
Steps:
1. k0s Setup:
A single-node k0s installation is ideal for this minimal VPS setup to minimize resource usage. Below are the installation commands:
- Download k0s
curl --proto '=https' --tlsv1.2 -sSf https://get.k0s.sh | sudo sh
- Install a single node k0s
# output k0s.yaml
sudo k0s config create > k0s.yaml
- Modify k0s.yaml to install MetalLB
extensions:
helm:
concurrencyLevel: 5
repositories:
- name: metallb
url: https://metallb.github.io/metallb
charts:
- name: metallb
chartname: metallb/metallb
version: "0.14.8"
namespace: default
- Start k0s
sudo k0s install controller --single --force --config k0s.yaml
sudo k0s start
- Create ConfigMap for MetalLB
Remember to add your vps public ip
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: metallb-ip-pool
namespace: default
spec:
addresses:
- [your_vps_public_ip]/32
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: metallb-l2-advertisment
namespace: default
spec:
ipAddressPools:
- metallb-ip-pool
After adding metallb-l2-pool.yaml, then
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io metallb-webhook-configuration
kubectl apply -f metallb-l2-pool.yaml
2. Enabling HTTPS and Redirect HTTP to HTTPS:
Generate a Cloudflare Origin CA certificate for secure HTTPS
How to generate your Origin certificate on Cloudflare-
Create TLS secret
your-tls-secret- your_origin_ca.pem (Origin Certificate)
- your_origin_ca.key (Private Key)
kubectl create secret tls your-tls-secret --cert=your_origin_ca.pem --key=your_origin_ca.key --namespace=default
3. Installing Traefik:
Install Traefik using the Helm chart.
-
Add your traefik_values.yaml
- my-tls-secret is generated from the previous step.
- redirectTo is used for redirecting HTTP to HTTPS.
- nodeAffinity is because we need to schedule traefik pod in the controller node.
# traefik_values.yaml
ports:
web:
redirectTo:
port: websecure
tlsStore:
default:
defaultCertificate:
secretName: my-tls-secret
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
Then
helm repo add traefik https://traefik.github.io/charts
helm install -f traefik_values.yaml traefik traefik/traefik
4. Test Deployment:
Deploy a simple whoami application to test if the setup is successful.
-
Add your whoami.yaml
- port = 8001 (or whatever you want)
- WHOAMI_PORT_NUMBER is necessary
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
namespace: default
labels:
app: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
env:
- name: WHOAMI_PORT_NUMBER
value: "8001"
---
apiVersion: v1
kind: Service
metadata:
name: whoami-service
namespace: default
labels:
app: whoami
spec:
ports:
- port: 8001
targetPort: 8001
selector:
app: whoami
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: whoami-ingress
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`your_domain`) && PathPrefix(`/whoami`)
kind: Rule
services:
- name: whoami-service
port: 8001
Then
kubectl apply -f whoami.yaml
So, you would see the whoami app from the url your_domain/whoami
Top comments (0)