dda-k8s-crate

chat over e-mail | team@social.meissa-gmbh.de | Website & Blog

This crate is part of dda-pallet.

This is a asciinema recording of the features of this crate:

Kubernetes setup

This crate sets up a K8s as SingleNode-Instance. This cheap setup is intended for production grade low traffic applications.

Compatibility

dda-k8s is compatible with the following versions

• pallet 0.9
• clojure 1.10.1
• ubuntu 18.04 / 20.04

Features

The Kubernetes cluster installed by this crate provides the following features:

• a single node all-in-one k8s system for serving one application in a cheap manner
• includes Ingress for the app to be installed (replacement of traditional reverse-proxy httpd)
• supports letsencrypt (dynamic created by https) for a defined fqdn or alternatively injected static https certs
• provides a dashboard for defined users with anonymous access disabled
• secure enough for serving applications to the internet.

dda-k8s in detail

We use the following components:

• Flannel networking: [Flannel], [Kubernetes Cluster Networking]
• metallb: [MetalLB]
• nginx-ingress: [Ingress]
• cert-manager: [cert-manager]
• dashboard 2.0: [dashboard]
• apple-echo for debugging: [http-echo]
• nexus as example application: [docker-nexus]

k8s api and dashboard is eposed to localhost only and can be accesed through a ssh-tunnel, all k8s operations can be executed by a k8s user. Generated yml manifests can be found at '/home/k8s/k8s-resources'

Ingress and MetalLB

dda-k8s exposes its ingress to the outside by using metallb. The most important config for ingress and metallb options are:

• host-ip, where the ingress is exposed
• the fqdn for the Ingress instance (dns should point to the host-ip above)
• the (cluster-)issuer to be used with the Ingress instance

Cert-manager and handling of https and certificates

We use cert-manager to issue certificates for us. There following issuers are available:

• a secret representing the CA-key pairs needs to be created
• a config file for the actual certificate needs to be created
• an issuer of either self-signed, CA-issuer or letsencrypt issuer

The self-signed issuer does not require a secret or certificate config file. For the letsencrypt issuer we distinguish between an issuer for staging and for production.

Dashboard

The dashboard allows for debugging and to get an overview of the Kubernetes cluster and should later also provide networking. To secure the dashboard, an ssh proxy is required and the dashboard can then be accessed via a http://localhost:8002/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy in the browser.

 ssh k8s@k8s-server-name -L 8002:localhost:8002
 kubectl proxy &
 # you need to authorize as k8s or have your public_key under k8s authorized_keys
 # you can get the authorize token with this command
 kubectl -n kube-system describe secret admin-user| awk '$1=="token:"{print $2}'

You can use the dashboard for monitoring, debugging or checking the state of pods like we do in this screenshot:

Apple application for debugging

Nexus repository manager

The nexus repository manager uses certmanager for certificates. The storage is relized as PersistentVolume.

Compatibility

dda-pallet is compatible with the following versions

• jvm11 or later
• clojure 1.9 or later
• pallet 0.8.x
• (x)ubunutu 18.04

Watch log for debug reasons

In case of problems you may want to have a look at the log-file: less logs/pallet.log

Targets

You can define provisioning targets using the targets-schema

Convention API

You can use our conventions as a starting point: see convention reference

Infra API

Or you can build your own conventions using our low level infra API. We will keep this API backward compatible whenever possible: see infra reference

License

Copyright © 2018, 2019, 2020, 2021 meissa GmbH Licensed under the Apache License, Version 2.0 (the "License") Pls. find licenses of our subcomponents here