dda-k8s-crate is no longer maintained.
At https://gitlab.com/domaindrivenarchitecture/provs you will find our improved way for provisioning small systems.
Chat over e-mail: team@social.meissa-gmbh.de | Website & Blog
This crate is part of dda-pallet.
Kubernetes setup
This crate sets up Kubernetes (k8s) as a single-node instance. This cheap setup is intended for production-grade, low-traffic applications.
Compatibility
dda-k8s is compatible with the following versions
- pallet 0.9
- clojure 1.10.1
- ubuntu 18.04 / 20.04
Features
The Kubernetes cluster installed by this crate provides the following features:
- a single-node, all-in-one k8s system for serving one application in a cheap manner
- includes an Ingress for the app to be installed (replacing a traditional reverse-proxy httpd)
- supports letsencrypt (https certificates issued dynamically for a defined fqdn) or, alternatively, injected static https certs
- provides a dashboard for defined users, with anonymous access disabled
- secure enough for serving applications to the internet
dda-k8s in detail
We use the following components:
- Flannel networking: [Flannel], [Kubernetes Cluster Networking]
- metallb: [MetalLB]
- nginx-ingress: [Ingress]
- cert-manager: [cert-manager]
- dashboard 2.0: [dashboard]
- apple-echo for debugging: [http-echo]
- nexus as example application: [docker-nexus]
The k8s API and the dashboard are exposed to localhost only and can be accessed through an ssh tunnel; all k8s operations are executed as the k8s user. The generated yml manifests can be found at '/home/k8s/k8s-resources'.
Ingress and MetalLB
dda-k8s exposes its ingress to the outside by using metallb. The most important configuration options for ingress and metallb are:
- the host-ip on which the ingress is exposed
- the fqdn for the Ingress instance (DNS for this name should point to the host-ip above)
- the (cluster-)issuer to be used with the Ingress instance
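As an added illustration of how these three options map onto plain Kubernetes resources (these are example manifests, not the ones dda-k8s generates): the host-ip 192.0.2.10, the fqdn app.example.org, the cluster-issuer name letsencrypt-prod and the backend Service example-app on port 8080 are placeholders. The MetalLB ConfigMap form assumes MetalLB 0.9 to 0.12 (the ConfigMap-based configuration of that era); the Ingress form assumes Kubernetes 1.19 or later and the nginx ingress controller.

```yaml
# Example manifests (not dda-k8s code). Placeholders: 192.0.2.10, app.example.org,
# letsencrypt-prod, example-app.
#
# 1. host-ip: MetalLB hands this address to LoadBalancer Services.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 192.0.2.10/32
---
# The ingress controller's Service pins that address, so ports 80/443 of the
# host-ip land on nginx-ingress.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  loadBalancerIP: 192.0.2.10
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
  - name: http
    port: 80
    targetPort: http
  - name: https
    port: 443
    targetPort: https
---
# 2. fqdn and 3. cluster-issuer: the Ingress routes the fqdn to the app, and the
# cert-manager annotation makes cert-manager request a certificate for the tls
# hosts from the named ClusterIssuer and store it in secretName.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # never serve the app over plain http once a certificate exists
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - app.example.org
    secretName: app-example-org-tls
  rules:
  - host: app.example.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-app
            port:
              number: 8080
```

The DNS record for the fqdn has to resolve to the host-ip before the certificate is requested: the letsencrypt HTTP-01 challenge is answered through this very Ingress on port 80, so a wrong record leaves the app without a valid certificate. Until then the tls secret does not exist and nginx serves its own self-signed fake certificate.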
Cert-manager and handling of https and certificates
We use cert-manager to issue certificates for us. Depending on the issuer, the following resources are needed:
- a secret containing the CA key pair (for the CA issuer)
- a config file for the actual certificate (a Certificate resource)
- an issuer, which is either a self-signed issuer, a CA issuer or a letsencrypt issuer
The self-signed issuer requires neither a secret nor a certificate config file. For the letsencrypt issuer we distinguish between an issuer for staging and one for production.
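The following manifests are an added example of the three issuer kinds listed above, written against the cert-manager.io/v1 API (cert-manager 1.0 and later); they are not the manifests dda-k8s generates. The names ca-key-pair, ca-issuer, letsencrypt-staging, letsencrypt-prod, the fqdn app.example.org and the contact address admin@example.org are placeholders.

```yaml
# Example cert-manager manifests (not dda-k8s code).
#
# 1. Self-signed issuer: no secret, no certificate config needed. Good for a
#    first smoke test; browsers will of course not trust the result.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
# 2. CA issuer: signs with a CA key pair that you supply as a TLS secret.
#    A ClusterIssuer reads its secret from the cert-manager namespace, e.g.:
#      kubectl -n cert-manager create secret tls ca-key-pair \
#        --cert=ca.crt --key=ca.key
#    Treat ca.key as a long-lived signing key: keep it off the node once the
#    secret exists and restrict who can read secrets in cert-manager's namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: ca-key-pair
---
# The "config file for the actual certificate": a Certificate resource that
# asks the issuer for a cert and stores it in secretName for the Ingress.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-example-org
  namespace: default
spec:
  secretName: app-example-org-tls
  dnsNames:
  - app.example.org
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
---
# 3a. letsencrypt staging: same flow as production but against the staging
#     CA, which has generous rate limits and issues untrusted certificates.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.org
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
    - http01:
        ingress:
          class: nginx
---
# 3b. letsencrypt production: switch to this only after staging succeeds.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.org
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
```

Debug the setup with the staging issuer first: failed production requests count against letsencrypt's rate limits, and a handful of retries with a wrong DNS record can lock the fqdn out for a week. Once the Ingress works with letsencrypt-staging, change its cert-manager.io/cluster-issuer annotation to letsencrypt-prod and delete the staging tls secret so cert-manager re-issues.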
Dashboard
The dashboard allows for debugging and for getting an overview of the Kubernetes cluster; it is planned to cover networking later as well. To keep the dashboard off the internet it is only reachable through an ssh tunnel, after which it can be opened in the browser at http://localhost:8002/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy
# on your workstation: forward local port 8002 to localhost:8002 on the server
# (you need to log in as k8s, or have your public key in the k8s user's authorized_keys)
ssh k8s@k8s-server-name -L 8002:localhost:8002
# on the server: kubectl proxy binds to 127.0.0.1 only; its default port is 8001,
# so set 8002 to match the tunnel and the dashboard URL above
kubectl proxy --port=8002 &
# you can get the bearer token for the dashboard login with this command
kubectl -n kube-system describe secret admin-user | awk '$1=="token:"{print $2}'
You can use the dashboard for monitoring, debugging or checking the state of pods like we do in this screenshot:
Apple application for debugging
Nexus repository manager
The nexus repository manager uses cert-manager for its certificates. Its storage is realized as a PersistentVolume.
Compatibility
The underlying dda-pallet framework is compatible with the following versions:
- jvm11 or later
- clojure 1.9 or later
- pallet 0.8.x
- (x)ubuntu 18.04
Watch log for debug reasons
In case of problems you may want to have a look at the log-file:
less logs/pallet.log
Targets
You can define provisioning targets using the targets-schema
Convention API
You can use our conventions as a starting point: see convention reference
Infra API
Or you can build your own conventions using our low level infra API. We will keep this API backward compatible whenever possible: see infra reference
License
Copyright © 2018, 2019, 2020, 2021 meissa GmbH. Licensed under the Apache License, Version 2.0 (the "License"). Please find the licenses of our subcomponents there.