
LetsEncrypt Setup with Kubernetes

This tutorial explains how to deploy OneDev into a Kubernetes cluster to get a full-blown CI/CD farm, and protect it with LetsEncrypt.

We will demonstrate with Google Kubernetes Engine, which in my experience is the most convenient to set up and maintain.

  1. Create a standard GKE cluster with all default options

  2. After the cluster is created, configure kubectl to connect to it

  3. Make sure helm is installed, then run the commands below to install the ingress Nginx controller and cert-manager:

    $ helm install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace
    $ kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yaml

  4. Run the command below to get the external IP address of the Nginx controller:

    $ kubectl get service ingress-nginx-controller -n ingress-nginx

  5. Configure your DNS provider to add an A record associating the OneDev DNS name with the external IP address above. Wait some time for the DNS entry to propagate (you may ping the DNS name to check that it returns the correct IP address)

  6. Now deploy OneDev into the cluster with the command below (replacing <OneDev DNS name> with the DNS name above, and <your email address> with an email address used to receive LetsEncrypt certificate notifications):

    $ helm install onedev onedev --repo https://dl.cloudsmith.io/public/onedev/onedev/helm/charts --namespace onedev --create-namespace --set ingress.enabled=true --set ingress.className=nginx --set ingress.host=<OneDev DNS name> --set ingress.tls.enabled=true --set ingress.tls.acme.enabled=true --set ingress.tls.acme.email=<your email address> --set ingress.tls.acme.production=true

    For a complete list of configurable values of the OneDev chart, please check the values.yaml file.

  7. Wait a while for OneDev to get deployed. If things work fine, you should be able to visit OneDev at https://<OneDev DNS name>. In case it does not work, follow this guide to troubleshoot certificate onedev-tls in namespace onedev

  8. If you also want to enable SSH access to OneDev repositories, run the command below to configure the TCP port of the Nginx controller:

    $ helm upgrade ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx -n ingress-nginx --set tcp.22=onedev/onedev:ssh --reuse-values

    Then update the SSH Root URL on the OneDev side (via menu Administration / System Setting) to ssh://<OneDev DNS name>
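The checks in steps 5 and 7 can be scripted. The following is an added example, not part of the OneDev documentation: it compares the A record with the ingress controller's external IP before the production ACME request is made (repeated failed validations against the production endpoint are rate limited), and afterwards reports both cert-manager's view of onedev-tls and which certificate clients are actually served. The function names are hypothetical, and it assumes a Linux host with kubectl, getent and openssl available.

```shell
# Added example, not from the OneDev docs. Function names are hypothetical;
# resource names (ingress-nginx-controller, onedev-tls) come from the steps above.

# Succeeds if IP $1 is one of the newline-separated addresses in $2.
# -F -x: fixed-string, whole-line match, so 1.2.3.4 does not match 11.2.3.45.
ip_in_list() {
    [ -n "$1" ] && printf '%s\n' "$2" | grep -Fqx -- "$1"
}

# Classify the issuer line of the certificate that clients are served.
issuer_kind() {
    case "$1" in
        *"Kubernetes Ingress Controller Fake Certificate"*) echo ingress-default ;;
        *STAGING*) echo letsencrypt-staging ;;
        *"Let's Encrypt"*) echo letsencrypt-production ;;
        *) echo other ;;
    esac
}

# Step 5: run before step 6, so the ACME challenge is not attempted against
# a name that does not yet point at the ingress controller.
check_dns() {
    lb_ip=$(kubectl get service ingress-nginx-controller -n ingress-nginx \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    resolved=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u)
    if ip_in_list "$lb_ip" "$resolved"; then
        echo "OK: $1 resolves to ingress IP $lb_ip"
    else
        echo "FAIL: $1 resolves to [$resolved], ingress IP is [$lb_ip]" >&2
        return 1
    fi
}

# Step 7: cert-manager's view of onedev-tls, then what is served on port 443.
check_cert() {
    ready=$(kubectl get certificate onedev-tls -n onedev \
        -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
    issuer=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null \
        2>/dev/null | openssl x509 -noout -issuer 2>/dev/null)
    kind=$(issuer_kind "$issuer")
    echo "onedev-tls Ready=${ready:-unknown}, served certificate: $kind"
    [ "$ready" = "True" ] && [ "$kind" = letsencrypt-production ]
}

# Usage: sh check.sh dns <OneDev DNS name>   |   sh check.sh cert <OneDev DNS name>
case "${1:-}" in
    dns) check_dns "$2" ;;
    cert) check_cert "$2" ;;
esac
```

A result of ingress-default means Nginx is still serving its self-signed fallback because the onedev-tls secret has not been issued; `kubectl describe certificate onedev-tls -n onedev` shows the events explaining why.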

Thanks for reading!