K8s - DigitalOcean

Page content

Deploy Sampleapp on Kuberentes …

Prerequisite

  • Domain “kubbi.xyz”, ns1.digitalocean.com, ns2, ns3 …
  • Digital Ocean Login

Doku

https://docs.digitalocean.com/products/kubernetes/getting-started/operational-readiness/

Build Kubbi Cluster

Build Cluster with WebGUI or CLI

via CLI

time doctl kubernetes cluster create prod001 --region fra1 --node-pool "size=s-2vcpu-2gb;auto-scale=true;min-nodes=3;max-nodes=5"
  • FRA1
  • 3 Nodes
  • 2 CPU
  • 2 GB RAM
  • 60 GB Disk
  • Costs: 54 USD/Mt!

Connecting and managing this cluster

doctl kubernetes cluster kubeconfig save 4375b470-ebe8-4ccb-925a-345df364dfbd
user@mac % doctl kubernetes cluster kubeconfig save 4375b470-ebe8-4ccb-925a-345df364dfbd


Notice: Adding cluster credentials to kubeconfig file found in "/Users/user/.kube/config"
Notice: Setting current-context to do-fra1-k8s-1-28-2-do-0-fra1-1702031438694

kubectl config get-contexts

kubectl config get-contexts
user@mac % kubectl config get-contexts

CURRENT   NAME                                         CLUSTER                                      AUTHINFO                                           NAMESPACE
*         do-fra1-prod-cluster-01                      do-fra1-prod-cluster-01                      do-fra1-prod-cluster-01-admin

kubectl cluster-info

kubectl cluster-info
user@mac % kubectl cluster-info

Kubernetes control plane is running at https://f179692f-aeac-4f9c-af3b-2422897ea578.k8s.ondigitalocean.com
CoreDNS is running at https://f179692f-aeac-4f9c-af3b-2422897ea578.k8s.ondigitalocean.com/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

kubectl version

kubectl version
user@mac % kubectl version

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.2

kubectl get nodes

kubectl get nodes
user@mac % kubectl get nodes

NAME                    STATUS   ROLES    AGE     VERSION
prod-cluster-01-xa856   Ready    <none>   3m59s   v1.28.2
prod-cluster-01-xa85a   Ready    <none>   4m7s    v1.28.2

Install Nginx Ingress Controller

  • via GUI / Marketplace / NGINX Ingress Controller

show lbl status

doctl compute load-balancer list --format IP,ID,Name,Status
user@mac % doctl compute load-balancer list --format IP,ID,Name,Status

IP    ID                                      Name                                Status
      55d7381d-9bcd-4f8f-905e-e90efd09f03e    a6554a9aff1a340e986d48431e19cca9    new

no ip yet … wait …

while true; do doctl compute load-balancer list --format IP,ID,Name,Status; sleep 10; done

after a few seconds …

user@mac % while true; do doctl compute load-balancer list --format IP,ID,Name,Status; sleep 10; done

IP    ID                                      Name                                Status
      55d7381d-9bcd-4f8f-905e-e90efd09f03e    a6554a9aff1a340e986d48431e19cca9    new
IP    ID                                      Name                                Status
      55d7381d-9bcd-4f8f-905e-e90efd09f03e    a6554a9aff1a340e986d48431e19cca9    new
IP    ID                                      Name                                Status
      55d7381d-9bcd-4f8f-905e-e90efd09f03e    a6554a9aff1a340e986d48431e19cca9    new
IP    ID                                      Name                                Status
      55d7381d-9bcd-4f8f-905e-e90efd09f03e    a6554a9aff1a340e986d48431e19cca9    new
IP             ID                                      Name                                Status
64.225.93.9    55d7381d-9bcd-4f8f-905e-e90efd09f03e    a6554a9aff1a340e986d48431e19cca9    active
IP             ID                                      Name                                Status
64.225.93.9    55d7381d-9bcd-4f8f-905e-e90efd09f03e    a6554a9aff1a340e986d48431e19cca9    active

Create Backend Application

kubectl create ns backend
user@mac % kubectl create ns backend

namespace/backend created

Create the Deployment and apply

cat << 'EOF' > echo_deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echo
  namespace: backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echo
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: echo
    spec:
      containers:
        - name: echo
          image: jmalloc/echo-server
          ports:
            - name: http
              containerPort: 8080
          resources:
            requests:
              cpu: 100m
              memory: 50Mi
            limits:
              cpu: 200m
              memory: 100Mi
EOF
kubectl apply -f echo_deployment.yaml
deployment.apps/echo created

Create the Service and Apply

cat << 'EOF' > echo_service.yaml
apiVersion: v1
kind: Service
metadata:
  name: echo
  namespace: backend
spec:
  ports:
    - name: http
      port: 80
      targetPort: 8080
  selector:
    app: echo
EOF
kubectl apply -f echo_Service.yaml
service/echo created

Verify Deployment

kubectl get deployments -n backend
user@mac % kubectl get deployments -n backend

NAME   READY   UP-TO-DATE   AVAILABLE   AGE
echo   1/1     1            1           81s

Verify Services

kubectl get services -n backend
user@mac % kubectl get services -n backend

NAME   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
echo   ClusterIP   10.245.228.215   <none>        80/TCP    43s

Configure DNS

doctl compute domain records list kubbi.xyz
user@mac % doctl compute domain records list kubbi.xyz

ID            Type    Name    Data                    Priority    Port    TTL     Weight
1715497047    SOA     @       1800                    0           0       1800    0
1715497048    NS      @       ns1.digitalocean.com    0           0       1800    0
1715497049    NS      @       ns2.digitalocean.com    0           0       1800    0
1715497050    NS      @       ns3.digitalocean.com    0           0       1800    0

add Wildcard Pointing to the Cluster

lbip="64.225.93.9"
doctl compute domain records create "kubbi.xyz" --record-type A --record-data ${lbip} --record-ttl 60 --record-name "*"

confirm Wildcard Record

user@mac % doctl compute domain records list kubbi.xyz

ID            Type    Name    Data                    Priority    Port    TTL     Weight
1715497047    SOA     @       1800                    0           0       1800    0
1715497048    NS      @       ns1.digitalocean.com    0           0       1800    0
1715497049    NS      @       ns2.digitalocean.com    0           0       1800    0
1715497050    NS      @       ns3.digitalocean.com    0           0       1800    0
1715597396    A       *       64.225.93.9             0           0       60      0

Install Cert Manager

via GUI / Marketplace / Cert-Manager

Check Cert Manager

kubectl get all -n cert-manager
user@mac % kubectl get all -n cert-manager

NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-7b9cbf5b8d-p2bwm              1/1     Running   0          13s
pod/cert-manager-cainjector-6d5f558c69-m79p9   1/1     Running   0          13s
pod/cert-manager-webhook-bd76f6cf9-48bwv       1/1     Running   0          13s

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
service/cert-manager-webhook   ClusterIP   10.245.93.140   <none>        443/TCP   13s

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           13s
deployment.apps/cert-manager-cainjector   1/1     1            1           13s
deployment.apps/cert-manager-webhook      1/1     1            1           13s

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-7b9cbf5b8d              1         1         1       13s
replicaset.apps/cert-manager-cainjector-6d5f558c69   1         1         1       13s
replicaset.apps/cert-manager-webhook-bd76f6cf9       1         1         1       13s

Inspect the Cert Manager

kubectl get crd -l app.kubernetes.io/name=cert-manager
user@mac % kubectl get crd -l app.kubernetes.io/name=cert-manager

NAME                                  CREATED AT
certificaterequests.cert-manager.io   2023-12-08T06:18:47Z
certificates.cert-manager.io          2023-12-08T06:18:47Z
challenges.acme.cert-manager.io       2023-12-08T06:18:47Z
clusterissuers.cert-manager.io        2023-12-08T06:18:48Z
issuers.cert-manager.io               2023-12-08T06:18:47Z
orders.acme.cert-manager.io           2023-12-08T06:18:47Z

Create Kubernetes Secret

via GUI / API: https://cloud.digitalocean.com/account/api/tokens

  • mytoken
  • 90 days
  • read/write
dop_v1_60f1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DO_API_TOKEN="dop_v1_60f1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

kubectl create secret generic "digitalocean-dns" \
  --namespace backend \
  --from-literal=access-token="$DO_API_TOKEN"
user@mac % DO_API_TOKEN="dop_v1_60f1exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

kubectl create secret generic "digitalocean-dns" \
  --namespace backend \
  --from-literal=access-token="$DO_API_TOKEN"
secret/digitalocean-dns created

Configure Issuer CRD and apply

  • adapt email
cat << 'EOF' > cert-manager-wcard-issuer.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-dev-wcard
  namespace: backend
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-dev-wcard-private
    # List of challenge solvers that will be used to solve ACME challenges for the matching domains.
    solvers:
    # Use the DigitalOcean DNS API to manage DNS-01 challenge records.
      - dns01:
          digitalocean:
            # Kubernetes secret that contains the DO API token.
            # Must be in the same namespace as the Issuer CRD.
            tokenSecretRef:
              name: digitalocean-dns
              key: access-token
EOF
kubectl apply -f cert-manager-wcard-issuer.yaml
issuer.cert-manager.io/letsencrypt-dev-wcard created

verify issuer

kubectl get issuer letsencrypt-dev-wcard -n backend
user@mac % kubectl get issuer letsencrypt-dev-wcard -n backend

NAME                    READY   AGE
letsencrypt-dev-wcard   True    25s

Configure Certificate CRD and apply

cat << 'EOF' > cert-manager-wcard-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kubbi.xyz
  namespace: backend
spec:
  secretName: kubbi.xyz
  issuerRef:
    name: letsencrypt-dev-wcard
    kind: Issuer
    group: cert-manager.io
  commonName: "*.kubbi.xyz"
  dnsNames:
    - "kubbi.xyz"
    - "*.kubbi.xyz"
EOF
kubectl apply -f cert-manager-wcard-certificate.yaml
certificate.cert-manager.io/kubbi.xyz created

verify status

kubectl get certificate kubbi.xyz -n backend
user@mac % kubectl get certificate kubbi.xyz -n backend

NAME        READY   SECRET      AGE
kubbi.xyz   False   kubbi.xyz   24s

wait 2:30min

user@mac % kubectl get certificate kubbi.xyz -n backend

NAME        READY   SECRET      AGE
kubbi.xyz   True    kubbi.xyz   3m39s

Describe Secret

kubectl describe secret kubbi.xyz -n backend
user@mac % kubectl describe secret kubbi.xyz -n backend

Name:         kubbi.xyz
Namespace:    backend
Labels:       controller.cert-manager.io/fao=true
Annotations:  cert-manager.io/alt-names: *.kubbi.xyz,kubbi.xyz
              cert-manager.io/certificate-name: kubbi.xyz
              cert-manager.io/common-name: *.kubbi.xyz
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-group: cert-manager.io
              cert-manager.io/issuer-kind: Issuer
              cert-manager.io/issuer-name: letsencrypt-dev-wcard
              cert-manager.io/uri-sans:

Type:  kubernetes.io/tls

Data
====
tls.crt:  5518 bytes
tls.key:  1675 bytes

create Host and apply

cat << 'EOF' > wildcard-host.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-backend
  namespace: backend
spec:
  tls:
    - hosts:
        - "*.kubbi.xyz"
      secretName: kubbi.xyz
  rules:
    - host: echo.kubbi.xyz
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echo
                port:
                  number: 80
  ingressClassName: nginx
EOF
kubectl apply -f wildcard-host.yaml
ingress.networking.k8s.io/ingress-backend created

show ingress

kubectl get ingress -n backend
user@mac % kubectl get ingress -n backend

NAME              CLASS   HOSTS            ADDRESS       PORTS     AGE
ingress-backend   nginx   echo.kubbi.xyz   64.225.93.9   80, 443   58s

and here we are …

curl -Li http://echo.kubbi.xyz/
user@puffy202 $ curl -Li http://echo.kubbi.xyz/
HTTP/1.1 308 Permanent Redirect
Date: Fri, 08 Dec 2023 11:16:00 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://echo.kubbi.xyz

HTTP/2 200
date: Fri, 08 Dec 2023 11:16:00 GMT
content-type: text/plain
content-length: 334
strict-transport-security: max-age=15724800; includeSubDomains

Request served by echo-67dbbdb49d-dt9f9

GET / HTTP/1.1

Host: echo.kubbi.xyz
Accept: */*
User-Agent: curl/8.4.0
X-Forwarded-For: 10.244.0.87
X-Forwarded-Host: echo.kubbi.xyz
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Scheme: https
X-Real-Ip: 10.244.0.87
X-Request-Id: 1480dae4d90eab8df39db4683c52404b
X-Scheme: https

Any Comments ?

sha256: 2c4814af7931dcb4ff1080d8d406e8ffe603a213d0ed3b34d00defdcdcebb428