HashiCorp Waypoint deployment to DigitalOcean Kubernetes with Traefik, Let's Encrypt and Helm.

In this tutorial we will:

Before going further you must have:

  • Created a Kubernetes cluster on DigitalOcean and followed the procedure to set it up on your local machine.
  • Created a private repo on Docker Hub

Once done, let’s get started:

kubectl create ns traefik
helm install traefik stable/traefik --namespace traefik --set rbac.enabled=true --set ssl.enabled=true --version 1.87.2
helm install cert-manager --namespace traefik --version v1.0.3 jetstack/cert-manager --set installCRDs=true

Traefik has now created a load balancer on DigitalOcean. Copy its IP address and create an A record for app1.domain.com that points to it.

Log in to Docker:

docker login

Then copy the credential into Kubernetes:

kubectl create secret generic regcred \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
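
The command above stores the whole config.json in the cluster, including the credentials for every registry you have logged in to. As an added example (not part of the original tutorial), this Python script builds a regcred Secret manifest that holds only the Docker Hub entry. The function names and the sample config are constructed for illustration.

```python
import base64
import json

DOCKER_HUB = "https://index.docker.io/v1/"  # key `docker login` uses for Docker Hub


def minimal_dockerconfig(config, registry=DOCKER_HUB):
    """Return a docker config holding only the credential for `registry`."""
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        raise ValueError(f"no entry for {registry} in auths")
    if not entry.get("auth"):
        # With a credsStore/credHelpers setup, config.json holds an empty entry
        # and the real credential lives in the OS keychain, so a Secret built
        # from the file cannot pull images.
        raise ValueError(f"{registry} has no inline credential (credential helper in use?)")
    return {"auths": {registry: {"auth": entry["auth"]}}}


def regcred_manifest(config, name="regcred", namespace="default"):
    """Build a kubernetes.io/dockerconfigjson Secret manifest for `kubectl apply -f`."""
    payload = json.dumps(minimal_dockerconfig(config)).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(payload).decode()},
    }


# Constructed sample config.json: two registries plus unrelated client settings.
SAMPLE = {
    "auths": {
        DOCKER_HUB: {"auth": base64.b64encode(b"exampleuser:example-token").decode()},
        "registry.example.internal": {"auth": base64.b64encode(b"ci:other-secret").decode()},
    },
    "HttpHeaders": {"User-Agent": "Docker-Client"},
}

if __name__ == "__main__":
    # kubectl accepts JSON manifests: python3 script.py | kubectl apply -f -
    print(json.dumps(regcred_manifest(SAMPLE), indent=2))
```

To use it with a real file, load `~/.docker/config.json` with `json.load` in place of `SAMPLE`. A Docker Hub access token in place of the account password limits the damage further if the Secret is read.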

Let’s create the cluster roles in clusterRoles.yml:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system

and apply:

kubectl apply -f clusterRoles.yml

Let’s now create letsencrypt-issuer.yml:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
  namespace: traefik
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: youremail@address.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: traefik

then apply it:

kubectl apply -f letsencrypt-issuer.yml

Now create letsencrypt-cert.yml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app1.domain.com
  namespace: traefik
spec:
  secretName: app1.domain.com-tls
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
  commonName: app1.domain.com
  dnsNames:
    - app1.domain.com

then apply:

kubectl apply -f letsencrypt-cert.yml

You can check the created certificate and secrets with these commands:

kubectl get certificates app1.domain.com -n traefik
kubectl get secrets app1.domain.com-tls -n traefik

Create a file named traefik-ingress.yml.
The namespace has to be the one where Waypoint deploys your app, in this case default.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  rules:
    - host: app1.domain.com
      http:
        paths:
          - backend:
              serviceName: example-nodejs
              servicePort: 80
  tls:
    - hosts:
        - app1.domain.com
      secretName: app1.domain.com-tls

and apply:

kubectl apply -f traefik-ingress.yml

Let’s now modify the Kubernetes example from Waypoint:

cd waypoint-examples/kubernetes/nodejs
vim waypoint.hcl

Modify the content:

project = "example-nodejs"

app "example-nodejs" {
  labels = {
    "service" = "example-nodejs",
    "env" = "dev"
  }
  build {
    use "pack" {}
    registry {
      use "docker" {
        image = "yourprivaterepo/test"
        tag = "1"
        local = false
      }
    }
  }
  deploy {
    use "kubernetes" {
      probe_path = "/"
      replicas = 2
      image_secret = "regcred"
    }
  }
  release {
    use "kubernetes" {
      node_port = 30000
    }
  }
}

Then deploy your Waypoint app:

waypoint init
waypoint up

Once deployed, you will be able to access http://app1.domain.com and https://app1.domain.com

Before any redeployment, change the tag in your waypoint.hcl, otherwise the image won’t be pulled again.
