Migrating an existing cluster to Cloudflare
This runbook outlines the steps for migrating an existing cluster to Cloudflare. Note that this procedure applies only to clusters hosted in AWS.
Before you start, verify that the cluster has been assigned the "k3s-dev-qa-prod-cloudflare--sg" security group.
In Route 53, change the DNS records as follows. Note that you must use the address from the hosted zone that matches your cluster; the example below is for gvdevelopment.
Remove the existing record if one exists, but save the cluster's public IP address first.
Add a new record with the following details:
Record Name: _acme-challenge.CLUSTER_NAME.gvdevelopment.k3s.getvisibility.com
Type: CNAME
Value: CLUSTER_NAME.gvdevelopment.k3s.getvisibility.com.c5848cf1067e2717.dcv.cloudflare.com
TTL (seconds): 60
Make sure to replace "CLUSTER_NAME" with the actual name of your cluster when setting up the record. This creates a CNAME record that points to the specified Cloudflare address.
You also need to add a second CNAME record in Route 53, set up as follows:
Record Name: CLUSTER_NAME.gvdevelopment.k3s.getvisibility.com
Type: CNAME
Value: CLUSTER_NAME.gvdevelopment.k3s.getvisibility.com.cdn.cloudflare.net
Log in to Cloudflare and add a DNS record for the cluster; the name depends on the hosted zone, for example:
CLUSTER_NAME.gvdevelopment.k3s
Under SSL/TLS, order an advanced certificate as shown in the image below, and make sure its status is Active (this takes 5-10 minutes; wait and refresh the page).
Save the Terraform code below, and in the same directory create a subfolder named 'files' containing two files, 'ca.pem' and 'key.pem', obtained from the following location: GitHub Repository. Make sure that dns_names matches the record you created in Cloudflare.
resource "tls_private_key" "this" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_cert_request" "this" {
  private_key_pem = tls_private_key.this.private_key_pem
  dns_names       = ["boriscluster.gvdevelopment.k3s.getvisibility.com"]

  subject {
    organization = "Getvisibility"
    common_name  = "Getvisibility"
  }
}

# Origin certificate, signed by the CA whose key and certificate live in files/.
resource "tls_locally_signed_cert" "this" {
  cert_request_pem   = tls_cert_request.this.cert_request_pem
  ca_private_key_pem = file("${path.module}/files/key.pem")
  ca_cert_pem        = file("${path.module}/files/ca.pem")

  validity_period_hours = 262800 # 30 years

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

locals {
  ca_cert_content = file("${path.module}/files/ca.pem")
  ca_cert_base64  = base64encode(local.ca_cert_content)
}

# Surfaces the base64-encoded certificate, key and CA in the tfstate so they
# can be copied into the Kubernetes secrets created in the next step.
data "null_data_source" "cloudflare" {
  inputs = {
    tls_crt        = base64encode(tls_locally_signed_cert.this.cert_pem)
    tls_key        = base64encode(tls_private_key.this.private_key_pem)
    ca_cert_base64 = local.ca_cert_base64
  }
}
After running Terraform locally on your machine, log in to the EC2 instance (using SSM, SSH or the Rancher shell) and create the secrets below. The values can be retrieved from the Terraform tfstate; note that the state file holds the origin private key in plaintext, so handle it as secret material. Finally, apply the manifest with 'kubectl apply -f'.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-origin-pull
  namespace: kube-system
type: kubernetes.io/tls
data:
  tls.crt: <value of tls_crt>  # retrieve from the Terraform tfstate
  tls.key: <value of tls_key>  # retrieve from the Terraform tfstate
---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-origin-ca
  namespace: kube-system
type: Opaque
data:
  tls.ca: <value of ca_cert_base64>  # retrieve from the Terraform tfstate
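To avoid copying the three base64 values by hand, the following added helper (not part of this runbook) reads terraform.tfstate, checks that each value of data.null_data_source.cloudflare decodes to the expected PEM type, and renders both Secret manifests above. The embedded sample state is constructed for illustration and its PEM bodies are stubs, not real keys or certificates.

```python
import base64
import json
import sys

# PEM header each base64 value must decode to; catches a value pasted under the wrong key.
EXPECTED_PEM = {
    "tls_crt": ("-----BEGIN CERTIFICATE-----",),
    "tls_key": ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----"),
    "ca_cert_base64": ("-----BEGIN CERTIFICATE-----",),
}

def extract_cloudflare_values(tfstate_json: str) -> dict:
    """Return the three base64 values held by data.null_data_source.cloudflare."""
    for res in json.loads(tfstate_json).get("resources", []):
        if (res["mode"], res["type"], res["name"]) == ("data", "null_data_source", "cloudflare"):
            attrs = res["instances"][0]["attributes"]
            found = attrs.get("outputs") or attrs["inputs"]  # null_data_source mirrors inputs as outputs
            break
    else:
        raise KeyError("data.null_data_source.cloudflare not found in state")
    for key, headers in EXPECTED_PEM.items():
        if not base64.b64decode(found[key], validate=True).decode().startswith(headers):
            raise ValueError(f"{key} does not decode to {' or '.join(headers)}")
    return {key: found[key] for key in EXPECTED_PEM}

def secret_yaml(name: str, secret_type: str, data: dict) -> str:
    """One kube-system Secret manifest; data values are already base64."""
    head = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}",
            "  namespace: kube-system", f"type: {secret_type}", "data:"]
    return "\n".join(head + [f"  {k}: {v}" for k, v in data.items()]) + "\n"

def render_secrets(tfstate_json: str) -> str:
    """Both Secrets from the runbook, ready for 'kubectl apply -f -'."""
    v = extract_cloudflare_values(tfstate_json)
    return (secret_yaml("cloudflare-origin-pull", "kubernetes.io/tls",
                        {"tls.crt": v["tls_crt"], "tls.key": v["tls_key"]})
            + "---\n" + secret_yaml("cloudflare-origin-ca", "Opaque", {"tls.ca": v["ca_cert_base64"]}))

# Constructed sample state (not a real tfstate); the PEM bodies are stubs, not real keys or certs.
_STUBS = {"tls_crt": "CERTIFICATE", "tls_key": "RSA PRIVATE KEY", "ca_cert_base64": "CERTIFICATE"}
SAMPLE_TFSTATE = json.dumps({"version": 4, "resources": [{
    "mode": "data", "type": "null_data_source", "name": "cloudflare",
    "instances": [{"attributes": {"inputs": {
        k: base64.b64encode(f"-----BEGIN {t}-----\nSTUB\n-----END {t}-----\n".encode()).decode()
        for k, t in _STUBS.items()}}}]}]})

if __name__ == "__main__":  # python build_secrets.py terraform.tfstate > secrets.yaml (sample if no path)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TFSTATE
    sys.stdout.write(render_secrets(src))
```

The rendered YAML contains the origin private key, so pipe it straight into kubectl rather than leaving it on disk.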
As the last step, create the Traefik TLSStore and TLSOption below so that Traefik serves the certificate from the cloudflare-origin-pull secret and, because of RequireAndVerifyClientCert, accepts only connections that present a client certificate signed by the CA in cloudflare-origin-ca.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: kube-system
spec:
  defaultCertificate:
    secretName: cloudflare-origin-pull
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: kube-system
spec:
  clientAuth:
    secretNames:
      - cloudflare-origin-ca
    clientAuthType: RequireAndVerifyClientCert
Finally, restart the Traefik pod and test access to the website.
Classified as Getvisibility - Partner/Customer Confidential