Difference between revisions of "Kubernetes LXD"
Jump to navigation
Jump to search
(Created page with "``` lxc launch ubuntu:focal adc lxc launch ubuntu:focal k0 --vm lxc config set m8s limits.cpu=8 limits.memory=16GB device override m8s root size=50GB lxc config device overri...") |
|||
| (13 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | # Simple Install of LXD ADC via NGINX for Fronting Kubernetes | ||
| + | |||
| + | Start 1 VM for Kubernetes and one LXD container for NGINX | ||
``` | ``` | ||
lxc launch ubuntu:focal adc | lxc launch ubuntu:focal adc | ||
| − | lxc | + | lxc init ubuntu:focal k0 --vm |
| − | lxc config set m8s limits.cpu=8 limits.memory=16GB | + | lxc config set m8s limits.cpu=8 limits.memory=16GB |
lxc config device override m8s root size=50GB | lxc config device override m8s root size=50GB | ||
| + | lxc start microk8s | ||
| + | lxc list microk8s | ||
lxc exec k0 -- snap install microk8s | lxc exec k0 -- snap install microk8s | ||
| + | ``` | ||
| + | |||
| + | k0:~/demo.yml | ||
| + | ``` | ||
| + | apiVersion: networking.k8s.io/v1 | ||
| + | kind: Ingress | ||
| + | metadata: | ||
| + | name: demo-ingress | ||
| + | annotations: | ||
| + | nginx.ingress.kubernetes.io/rewrite-target: /$1 | ||
| + | spec: | ||
| + | rules: | ||
| + | - host: demo.uvoo.io | ||
| + | http: | ||
| + | paths: | ||
| + | - path: / | ||
| + | pathType: Prefix | ||
| + | backend: | ||
| + | service: | ||
| + | name: demo | ||
| + | port: | ||
| + | number: 8080 | ||
| + | ``` | ||
| + | |||
| + | |||
| + | k0 | ||
| + | ``` | ||
| + | #!/usr/bin/env bash | ||
| + | set -e | ||
| + | alias kubectl='microk8s kubectl' | ||
| + | shopt -s expand_aliases | ||
| + | |||
| + | microk8s enable ingress | ||
| + | microk8s kubectl delete deployment demo | true | ||
| + | microk8s kubectl delete service demo | true | ||
| + | microk8s kubectl delete -f demo.yml | true | ||
| + | |||
| + | |||
| + | microk8s kubectl create deployment demo --image=gcr.io/google-samples/hello-app:1.0 | ||
| + | microk8s kubectl expose deployment demo --type=NodePort --port=8080 | ||
| + | microk8s kubectl apply -f demo.yml | ||
| + | curl -H "Host: demo.uvoo.io" 127.0.0.1 | ||
``` | ``` | ||
| Line 29: | Line 76: | ||
adcip=$(lxc list adc -c 4 | awk '!/IPV4/{ if ( $2 != "" ) print $2}') | adcip=$(lxc list adc -c 4 | awk '!/IPV4/{ if ( $2 != "" ) print $2}') | ||
ip=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p') | ip=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p') | ||
| − | sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -d $ip -j DNAT --to-destination $adcip:80 | + | # sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -d $ip -j DNAT --to-destination $adcip:80 |
| − | sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -d $ip -j DNAT --to-destination $adcip:443 | + | # sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -d $ip -j DNAT --to-destination $adcip:443 |
| − | sudo | + | before_file="/etc/ufw/before.rules" |
| + | sudo sed -i "1 i\*nat" $before_file | ||
| + | sudo sed -i "2 i\-I PREROUTING -p tcp --dport 443 -d $ip -j DNAT --to-destination $adcip" $before_file | ||
| + | sudo sed -i "3 i\-I PREROUTING -p tcp --dport 80 -d $ip -j DNAT --to-destination $adcip" $before_file | ||
| + | sudo sed -i "4 i\COMMIT" $before_file | ||
| + | sudo systemctl restart ufw | ||
} | } | ||
| − | clear | + | # clear |
adc_nat | adc_nat | ||
| + | sudo restart snap # Will cause downtime but refreshes lxd iptables | ||
| + | ``` | ||
| + | |||
| + | # Gen self signed cert | ||
| + | ``` | ||
| + | lxc exec adc -- sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/C=US/ST=Utah/L=SLC/O=Example Corp/OU=Testing/CN=example.io" | ||
``` | ``` | ||
| + | |||
| + | adc:/etc/nginx/conf.d/demo.conf | ||
| + | ``` | ||
| + | upstream kub-ingress { | ||
| + | least_conn; | ||
| + | server k0; | ||
| + | } | ||
| + | |||
| + | server { | ||
| + | server_name demo.uvoo.io; | ||
| + | listen 80; | ||
| + | listen [::]:80; | ||
| + | listen 443 ssl; | ||
| + | listen [::]:443 ssl; | ||
| + | ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; | ||
| + | ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; | ||
| + | |||
| + | location /hi { | ||
| + | default_type text/html; | ||
| + | return 200 "<!DOCTYPE html><h3>Hi!</h3>\n"; | ||
| + | } | ||
| + | |||
| + | location / { | ||
| + | proxy_pass http://kub-ingress; | ||
| + | proxy_set_header Host $http_host; | ||
| + | proxy_set_header X-Real-IP $remote_addr; | ||
| + | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| + | proxy_set_header X-Forwarded-Proto $scheme; | ||
| + | } | ||
| + | if ($scheme != "https") { | ||
| + | return 301 https://$host$request_uri; | ||
| + | } | ||
| + | } | ||
| + | ``` | ||
| + | |||
| + | Use letsencrypt | ||
| + | ``` | ||
| + | curl -k -H "Host: demo.uvoo.io" https://$adcip # Make sure site is up (this can take several minutes on reboot | ||
| + | sudo apt install -y certbot python3-certbot-nginx | ||
| + | sudo certbot --no-redirect --nginx -d demo.uvoo.io | ||
| + | ``` | ||
| + | |||
| + | Hopefully you see something like | ||
| + | ``` | ||
| + | Hello, world! | ||
| + | Version: 1.0.0 | ||
| + | Hostname: demo-6fcfc5f6f4-llh4c | ||
| + | ``` | ||
| + | |||
| + | # Useful Commands | ||
| + | `` | ||
| + | docker exec -it 4aaf0e832b3f /bin/bash | ||
| + | lxc shell k0 | ||
| + | ``` | ||
| + | |||
| + | # References | ||
| + | - https://kubernetes.io/docs/tutorials/hello-minikube/ | ||
| + | - https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ | ||
| + | - https://gist.github.com/davydany/0ad377f6de3c70056d2bd0f1549e1017 | ||
| + | - https://linuxcontainers.org/lxd/getting-started-cli/ | ||
| + | - https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/ | ||
| + | - https://bobcares.com/blog/ufw-port-forwarding/#:~:text=DNAT%20and%20PREROUTING,is%20mostly%20used%20in%20DNAT. | ||
Latest revision as of 20:54, 3 February 2021
Simple Install of LXD ADC via NGINX for Fronting Kubernetes
Start 1 VM for Kubernetes and one LXD container for NGINX
lxc launch ubuntu:focal adc lxc init ubuntu:focal k0 --vm lxc config set m8s limits.cpu=8 limits.memory=16GB lxc config device override m8s root size=50GB lxc start microk8s lxc list microk8s lxc exec k0 -- snap install microk8s
k0:~/demo.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: demo-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
rules:
- host: demo.uvoo.io
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: demo
port:
number: 8080
k0
#!/usr/bin/env bash set -e alias kubectl='microk8s kubectl' shopt -s expand_aliases microk8s enable ingress microk8s kubectl delete deployment demo | true microk8s kubectl delete service demo | true microk8s kubectl delete -f demo.yml | true microk8s kubectl create deployment demo --image=gcr.io/google-samples/hello-app:1.0 microk8s kubectl expose deployment demo --type=NodePort --port=8080 microk8s kubectl apply -f demo.yml curl -H "Host: demo.uvoo.io" 127.0.0.1
#!/usr/bin/env bash
set -e
ts=`date +%Y-%m-%d_%H-%M-%S`
clear(){
sudo iptables-save > /tmp/iptables-save.$ts.ipt
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
# sudo iptables -x
sudo iptables -X -t nat
}
adc_nat(){
adcip=$(lxc list adc -c 4 | awk '!/IPV4/{ if ( $2 != "" ) print $2}')
ip=$(ip -o route get to 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
# sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -d $ip -j DNAT --to-destination $adcip:80
# sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -d $ip -j DNAT --to-destination $adcip:443
before_file="/etc/ufw/before.rules"
sudo sed -i "1 i\*nat" $before_file
sudo sed -i "2 i\-I PREROUTING -p tcp --dport 443 -d $ip -j DNAT --to-destination $adcip" $before_file
sudo sed -i "3 i\-I PREROUTING -p tcp --dport 80 -d $ip -j DNAT --to-destination $adcip" $before_file
sudo sed -i "4 i\COMMIT" $before_file
sudo systemctl restart ufw
}
# clear
adc_nat
sudo restart snap # Will cause downtime but refreshes lxd iptables
Gen self signed cert
lxc exec adc -- sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt -subj "/C=US/ST=Utah/L=SLC/O=Example Corp/OU=Testing/CN=example.io"
adc:/etc/nginx/conf.d/demo.conf
upstream kub-ingress {
least_conn;
server k0;
}
server {
server_name demo.uvoo.io;
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
location /hi {
default_type text/html;
return 200 "<!DOCTYPE html><h3>Hi!</h3>\n";
}
location / {
proxy_pass http://kub-ingress;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
}
Use letsencrypt
curl -k -H "Host: demo.uvoo.io" https://$adcip # Make sure site is up (this can take several minutes on reboot sudo apt install -y certbot python3-certbot-nginx sudo certbot --no-redirect --nginx -d demo.uvoo.io
Hopefully you see something like
Hello, world! Version: 1.0.0 Hostname: demo-6fcfc5f6f4-llh4c
Useful Commands
`` docker exec -it 4aaf0e832b3f /bin/bash lxc shell k0 ```
References
- https://kubernetes.io/docs/tutorials/hello-minikube/
- https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
- https://gist.github.com/davydany/0ad377f6de3c70056d2bd0f1549e1017
- https://linuxcontainers.org/lxd/getting-started-cli/
- https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/
- https://bobcares.com/blog/ufw-port-forwarding/#:~:text=DNAT%20and%20PREROUTING,is%20mostly%20used%20in%20DNAT.