Kubernetes
!!! tip Minikube initial start
```powershell
# Single-node local cluster on containerd; the commented-out flags are the optional VM sizing.
minikube start --container-runtime=containerd; #--memory 8192 --cpus 2;
# minikube node add;
# Gives the service.type=LoadBalancer installs further down a reachable address. Runs in the
# foreground (keep the window open); --cleanup first removes stale tunnel routes from earlier runs.
minikube tunnel --cleanup;
```
Use https://artifacthub.io/ to find the packages.
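# Chart repositories used by the installs on this page. stable/ and incubator/ are the archived
# legacy Helm repos (charts there no longer receive updates); everything else is the vendor repo.
helm repo add stable https://charts.helm.sh/stable;
helm repo add incubator https://charts.helm.sh/incubator;
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard;
helm repo add hashicorp https://helm.releases.hashicorp.com;
helm repo add jetstack https://charts.jetstack.io;
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts;
helm repo add minio https://operator.min.io/;
helm repo add grafana https://grafana.github.io/helm-charts;
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx;
helm repo add dapr https://dapr.github.io/helm-charts;
helm repo add bitnami https://charts.bitnami.com/bitnami;
helm repo add kubevious https://helm.kubevious.io;
helm repo add elastic https://helm.elastic.co;
helm repo add argo https://argoproj.github.io/argo-helm;
# Refresh the index after adding repos; the search is just a sanity check that bitnami resolves.
helm repo update;
helm search repo bitnami;
# Dashboard with --enable-skip-login: anyone who can reach the UI gets in without a token, with
# whatever rights the dashboard's own service account has. Only acceptable on a private, local
# cluster such as the minikube VM above; drop the flag (and use a short-lived token) anywhere else.
helm install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --namespace=kube-system --set extraArgs="{--enable-skip-login}";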
!!! tip Link http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:https/proxy/
!!! info Port Forwarding
```powershell
kubectl -n kube-system port-forward $(kubectl get pods -n kube-system -l "app.kubernetes.io/name=kubernetes-dashboard,app.kubernetes.io/instance=kubernetes-dashboard" -o jsonpath="{.items[0].metadata.name}") 8443:8443
```
helm upgrade --atomic -i kubevious kubevious/kubevious -n kubevious --create-namespace --version 0.7.22
# https://phoenixnap.com/kb/kubernetes-ssl-certificates
# cert-manager plus a self-signed issuer/certificate. The three selfsigned-*.yaml files are not
# reproduced on this page; --wait blocks until the webhook is up so the CRs below are admitted.
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true --wait;
kubectl apply --filename .\selfsigned-cert.yaml;
kubectl apply --filename .\selfsigned-issuer.yaml;
# trust distributes the CA cert as a ConfigMap bundle (checked under "verification bundle" below).
helm install cert-manager-trust jetstack/cert-manager-trust --namespace cert-manager --wait;
kubectl apply --filename .\selfsigned-trust.yaml;
# Decodes the key and cert out of the secret into the working directory. tls.key is the private key
# of the cert that is used as a CA further down (minio operator / tenant) and is now clear text on
# disk: keep it out of version control and remove it once those steps are done.
# NOTE(review): in Windows PowerShell 5.x `>` writes UTF-16; if `openssl x509 -in .\tls.crt` below
# cannot parse the file, write it with `Set-Content -Encoding ascii` instead -- confirm which
# PowerShell this runs under.
$(kubectl get secret selfsigned-tls --namespace=cert-manager -o jsonpath="{.data.tls\.key}" | ForEach-Object {[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_))}) > tls.key;
$(kubectl get secret selfsigned-tls --namespace=cert-manager -o jsonpath="{.data.tls\.crt}" | ForEach-Object {[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_))}) > tls.crt;
## verification
# Certificate/CertificateRequest should be Ready; the describe output shows the issuer's events
# if issuance is stuck. Note `get secret -o yaml` prints the base64 private key to the terminal.
kubectl get certificate;
kubectl get certificaterequest
kubectl describe certificate -n default;
kubectl get secret selfsigned-tls -o yaml;
kubectl describe clusterissuer selfsigned-issuer;
kubectl describe issuer selfsigned-issuer;
# Inspect subject, SANs and validity of the exported cert.
openssl x509 -in .\tls.crt -text -noout;
## verification bundle
# The trust Bundle should have produced a selfsigned-bundle ConfigMap in every namespace.
kubectl get bundle;
kubectl get cm -A --field-selector=metadata.name=selfsigned-bundle;
kubectl get cm -n kube-system selfsigned-bundle -o jsonpath="{.data.ca\.crt}"
# Single Vault pod in the default namespace. The agent injector is off; the cert-manager Issuer
# further down talks to Vault directly instead.
helm install vault hashicorp/vault --set "injector.enabled=false" --namespace default;
# Manual init/unseal variant, kept for reference (paste the keys printed by `operator init`).
# kubectl exec -ti vault-0 -- vault operator init;
# kubectl exec -ti vault-0 -- vault operator unseal <KEY_1>;
# kubectl exec -ti vault-0 -- vault operator unseal <KEY_2>;
# kubectl exec -ti vault-0 -- vault operator unseal <KEY_3>;
# kubectl exec -ti vault-0 -- vault login <ROOT_TOKEN>;
# One key share with threshold 1: no Shamir split, so init-keys.json holds the only unseal key
# AND the root token in clear text. Treat the file as a root credential (delete it / keep it out
# of version control); this shortcut is only defensible on a throwaway local cluster.
kubectl exec -ti vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > init-keys.json;
kubectl exec -ti vault-0 -- vault operator unseal $(cat init-keys.json | jq -r ".unseal_keys_b64[]");
# Logs in as root inside the pod. NOTE(review): `vault login` persists the token in the pod's
# token helper file (~/.vault-token by default), so it outlives this command -- confirm/revoke.
kubectl exec -ti vault-0 -- vault login $(cat init-keys.json | jq -r ".root_token");
# PKI mount with a 1-year max lease; the root CA is generated with type "internal", so its private
# key stays inside Vault and is never returned by the API.
kubectl exec -ti vault-0 -- vault secrets enable pki;
kubectl exec -ti vault-0 -- vault secrets tune -max-lease-ttl=8760h pki;
kubectl exec -ti vault-0 -- vault write pki/root/generate/internal common_name=example.com ttl=8760h;
# AIA/CRL URLs are plain http. Nothing on this page enables TLS on the Vault listener, so the
# Issuer's auth token and issued certs also travel in clear text inside the cluster.
kubectl exec -ti vault-0 -- vault write pki/config/urls issuing_certificates="http://vault.default:8200/v1/pki/ca" crl_distribution_points="http://vault.default:8200/v1/pki/crl";
# Role the Issuer signs against: example.com and subdomains only, leaf certs capped at 72h.
kubectl exec -ti vault-0 -- vault write pki/roles/example-dot-com allowed_domains=example.com allow_subdomains=true max_ttl=72h;
# Opens an interactive shell in the pod; the policy below is typed into that shell (sh heredoc),
# then `exit` to get back to the host.
kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh;
# Policy bound to the issuer role: read/list across the pki mount, and sign/issue only through
# the example-dot-com role -- no write access to roots, config or other roles.
vault policy write pki - <<EOF
path "pki*" { capabilities = ["read", "list"] }
path "pki/sign/example-dot-com" { capabilities = ["create", "update"] }
path "pki/issue/example-dot-com" { capabilities = ["create"] }
EOF
kubectl exec -ti vault-0 -- vault auth enable kubernetes;
# Again inside the pod shell: $KUBERNETES_PORT_443_TCP_ADDR is the pod's own env var. Run from the
# host it would expand to nothing and register kubernetes_host="https://:443".
# NOTE(review): no token_reviewer_jwt / kubernetes_ca_cert is given; recent Vault versions fall
# back to the pod's own service-account token and CA for the TokenReview call -- confirm against
# the deployed version.
kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh;
vault write auth/kubernetes/config kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443";
## issuer-secret.yaml
# apiVersion: v1
# kind: Secret
# metadata:
# name: issuer-token-lmzpj
# annotations:
# kubernetes.io/service-account.name: issuer
# type: kubernetes.io/service-account-token
## vault-issuer.yaml
# apiVersion: cert-manager.io/v1
# kind: Issuer
# metadata:
# name: vault-issuer
# namespace: default
# spec:
# vault:
# server: http://vault.default:8200
# path: pki/sign/example-dot-com
# auth:
# kubernetes:
# mountPath: /v1/auth/kubernetes
# role: issuer
# secretRef:
# name: issuer-token-lmzpj
# key: token
## example-com-cert.yaml
# apiVersion: cert-manager.io/v1
# kind: Certificate
# metadata:
# name: example-com
# namespace: default
# spec:
# secretName: example-com-tls
# issuerRef:
# name: vault-issuer
# commonName: www.example.com
# dnsNames:
# - www.example.com
# Maps the "issuer" service account in the default namespace to the pki policy; Vault tokens it
# gets are valid 20 minutes.
kubectl exec -ti vault-0 -- vault write auth/kubernetes/role/issuer bound_service_account_names=issuer bound_service_account_namespaces=default policies=pki ttl=20m;
# No -n given: this lands in the kubeconfig's current namespace, which must be "default" to match
# bound_service_account_namespaces above.
kubectl create serviceaccount issuer;
# issuer-secret.yaml (shown commented above) is a long-lived kubernetes.io/service-account-token
# secret; the Issuer reads it via secretRef. It does not expire on its own -- delete the secret
# when the Issuer is removed.
kubectl apply -f issuer-secret.yaml;
kubectl apply --filename vault-issuer.yaml;
kubectl apply --filename example-com-cert.yaml;
# Verification: certificate events and issuer readiness.
kubectl describe certificate.cert-manager example-com;
kubectl get issuers vault-issuer -n default -o wide;
helm install prometheus prometheus-community/prometheus --namespace observability --create-namespace;
!!! info Port Forwarding
```powershell
kubectl --namespace observability port-forward $(kubectl get pods --namespace observability -l "app=prometheus,component=server" -o jsonpath="{.items[0].metadata.name}") 9090
```
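# Promtail pushes to the loki-distributed gateway, which is only created by the loki install
# further down this page.
helm install promtail grafana/promtail --set config.clients[0].url="http://loki-loki-distributed-gateway/loki/api/v1/push" --namespace observability --create-namespace
# MinIO operator, told to trust the self-signed CA exported earlier (tls.crt only -- no key).
helm install minio-operator minio/operator --namespace minio-operator --create-namespace;
kubectl create secret generic -n minio-operator operator-ca-tls --from-file=ca.crt=.\tls.crt;
kubectl rollout restart deployment.apps/minio-operator -n minio-operator;
# The namespace already exists by this point (prometheus/promtail above used --create-namespace);
# the dry-run + apply form is idempotent instead of erroring with AlreadyExists.
kubectl create namespace observability --dry-run=client -o yaml | kubectl apply -f -;
# Copies the whole selfsigned-tls secret -- including the private key -- into observability, with
# the namespace-bound metadata stripped so apply accepts it.
kubectl get secret selfsigned-tls -n cert-manager -o json | jq 'del(.metadata[\"creationTimestamp\",\"managedFields\",\"namespace\",\"resourceVersion\",\"selfLink\",\"uid\"])' | kubectl apply -n observability -f -;
# Tenant with auto-cert off and the copied secret as its CA. image.tag=latest is unpinned: pin a
# release tag so the deployment is reproducible and what runs can be audited.
helm install minio-observability minio/tenant --namespace observability --create-namespace --set image.tag=latest,certificate.requestAutoCert=false,certificate.externalCaCertSecret="{name=selfsigned-tls,type=kubernetes.io/tls}";
# helm install minio-observability minio/tenant --namespace observability --create-namespace --set certificate.requestAutoCert=false,certificate.externalCertSecret[0].name=selfsigned-tls,certificate.externalCertSecret[0].type=kubernetes.io/tls;
# kubectl create secret generic -n observability minio1-tls --from-file=public.crt=.\tls.crt --from-file=private.key=.\tls.key;
# helm uninstall minio-observability -n observability
# kubectl delete secret -n minio-operator operator-tls;
# kubectl create secret generic -n minio-operator operator-tls --from-file=public.crt=.\tls.crt --from-file=private.key=.\tls.key;
#https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
# Prints the console service-account token (a login credential) to the terminal; it stays in the
# console scrollback/history, so clear that afterwards.
kubectl --namespace minio-operator get secret console-sa-secret -o jsonpath="{.data.token}" | ForEach-Object {[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_))};
kubectl --namespace observability port-forward svc/minio1-console 9443:9443;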
!!! help default credentials
```text
user `minio`
pass `minio123`
```
# Loki from a values file (loki.yml is not reproduced on this page).
helm install loki grafana/loki-distributed --namespace observability --create-namespace -f .\loki.yml;
# Tempo traces into the MinIO tenant. The S3 credentials are the default minio/minio123 from the
# help box above, passed on the command line: they end up in shell history and in the release
# values (`helm get values`); a values file or an existing secret keeps them out of both.
# insecure=false means tempo verifies MinIO's TLS cert, so it has to trust the self-signed CA --
# nothing on this page wires that trust into tempo; confirm it works before relying on it.
helm install tempo grafana/tempo-distributed --namespace observability --create-namespace --set storage.trace.backend="s3",storage.trace.s3.bucket="tempo",storage.trace.s3.endpoint="minio1-hl.observability.svc.cluster.local:9000",storage.trace.s3.access_key="minio",storage.trace.s3.secret_key="minio123",storage.trace.s3.insecure=false
helm install mimir grafana/mimir-distributed --namespace observability --create-namespace
# Grafana exposed via service.type=LoadBalancer (reachable through `minikube tunnel`) on :3000;
# the admin password is generated by the chart (see the command below).
helm install grafana grafana/grafana --namespace observability --set plugins="{raintank-worldping-app,grafana-azure-data-explorer-datasource,marcusolsson-json-datasource}",persistence.enabled=true,service.port=3000,service.type=LoadBalancer;
kubectl --namespace observability port-forward $(kubectl get pods --namespace observability -l "app.kubernetes.io/name=grafana,app.kubernetes.io/instance=grafana" -o jsonpath="{.items[0].metadata.name}") 3000
!!! help default credentials
```text
user `admin`
pass <run the command below>
```
```powershell
kubectl get secret --namespace observability grafana -o jsonpath="{.data.admin-password}" | ForEach-Object {[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_))};
```
helm install rabbitmq bitnami/rabbitmq --namespace default --set image.tag=3.8.9-debian-10-r20,auth.user=user,auth.password=user,service.port=5672,service.metricsPort=9419,metrics.enabled=true,rabbitmq.plugins="rabbitmq_management rabbitmq_peer_discovery_k8s rabbitmq_shovel rabbitmq_shovel_management rabbitmq_management_themes"
```yaml
- name: rabbitmq
  chart: bitnami/rabbitmq
  namespace: default
  values:
    - image:
        tag: 3.8.9-debian-10-r20
      service:
        port: 5672
        metricsPort: 9419
      metrics:
        enabled: true
      auth:
        username: "user"
        password: "user"
      rabbitmq:
        plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s rabbitmq_shovel rabbitmq_shovel_management rabbitmq_management_themes"
```
helm install redis bitnami/redis --namespace default --set image.tag=6.0.9-debian-10-r0,master.service.port=6379,metrics.enabled=true,metrics.port=9121,usePassword=false;
```yaml
- name: redis
  chart: bitnami/redis
  namespace: default
  values:
    - image:
        tag: 6.0.9-debian-10-r0
      master:
        service:
          port: 6379
      metrics:
        enabled: true
        port: 9121
      usePassword: false
```
helm install dapr dapr/dapr --namespace dapr-system --wait --create-namespace
!!! tip Link
http://localhost:8001/api/v1/namespaces/dapr-system/services/dapr-dashboard:8080/proxy/
# SQL Server from the archived stable/ repo, exposed via LoadBalancer on :1433. The first install
# pulls a personal image (cilerler/mssql-server-linux); the upgrade two lines down switches to the
# official mcr.microsoft.com image -- prefer the official one from the start for a database.
helm install mssql-linux stable/mssql-linux --namespace default --set image.repository=cilerler/mssql-server-linux,image.tag=2017-CU16,service.port=1433,service.type=LoadBalancer,persistence.enabled=true,acceptEula.value=Y,edition.value=Developer,agent.enabled=true;
# Prints the generated sa password to the terminal; with the LoadBalancer above this is a remotely
# usable credential, so clear the scrollback and rotate it if the tunnel is shared.
kubectl get secret --namespace default mssql-linux-secret -o jsonpath="{.data.sapassword}" | ForEach-Object {[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_))};
helm upgrade mssql-linux stable/mssql-linux --namespace default --reuse-values --recreate-pods --wait --set image.repository=mcr.microsoft.com/mssql/server,image.tag=2017-CU16-ubuntu;
# Ad-hoc client pod for testing the connection (removed on exit).
# kubectl run mssqlcli --image=mcr.microsoft.com/mssql-tools -it --restart=Never --rm=true -- /bin/bash
# sqlcmd -S mssql-linux.default,1433 -U sa
##cilerler/prometheus-sql-exporter
# Annotations tell prometheus to scrape the exporter on :9399; --set-string keeps "true"/"9399"
# as strings, which annotations require.
helm install prometheus-sql-exporter cilerler/prometheus-sql-exporter --namespace default --set-string podAnnotations."prometheus\.io/scrape"=true,podAnnotations."prometheus\.io/port"=9399;
```yaml
- name: prometheus-sql-exporter
  chart: cilerler/prometheus-sql-exporter
  namespace: default
  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "9399"
```
# MongoDB with the chart's placeholder release name and no --namespace; unlike the other installs
# on this page it takes every default (credentials included -- check `helm get values`).
helm install my-release bitnami/mongodb
# Cerebro (ES admin UI) on a LoadBalancer with image.tag=latest -- unpinned, and it carries
# cluster-admin-level access to Elasticsearch; keep it behind the local tunnel.
helm install cerebro stable/cerebro --namespace default --set image.tag=latest,service.port=9000,service.type=LoadBalancer;
# Elasticsearch/Kibana chart 6.5.0 with both an Ingress and a LoadBalancer. Nothing here enables
# authentication on the cluster, so treat it as reachable without credentials from wherever the
# LoadBalancer/ingress is exposed -- confirm what the chart version enables by default.
helm install elasticsearch elastic/elasticsearch --namespace default --set ingress.enabled=true,service.type=LoadBalancer,antiAffinity=soft,resources.requests.cpu=100m,resources.requests.memory=512M,resources.limits.cpu=300m,resources.limits.memory=1024M,volumeClaimTemplate.storageClassName=hostpath,volumeClaimTemplate.resources.requests.storage=100M,esJavaOpts="-Xmx128m -Xms128m" --version 6.5.0;
helm install kibana elastic/kibana --namespace default --set ingress.enabled=true,service.port=5601,service.type=LoadBalancer,resources.requests.cpu=100m,resources.requests.memory=512M,resources.limits.cpu=1000m,resources.limits.memory=512M --version 6.5.0;
# Ingress controller with metrics; ingress.yaml is not reproduced on this page.
helm install ingress-nginx ingress-nginx/ingress-nginx --namespace default --set controller.metrics.enabled=true;
kubectl apply --filename .\ingress.yaml;