Links
Microk8s
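# Update the server
sudo apt update -y && sudo apt upgrade -y
sudo apt install snapd -y
# Install microk8s, kubectl, helm and kubeseal
sudo snap install microk8s --classic
sudo snap install kubectl --classic
sudo snap install helm --classic
# kubeseal is not a snap: fetch the release tarball and check its digest before
# installing anything from it. <EXPECTED_SHA256> is a placeholder for the digest
# published with the v0.17.3 release; the check fails (and stops here) until it
# is filled in.
wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.17.3/kubeseal-0.17.3-linux-amd64.tar.gz
echo "<EXPECTED_SHA256>  kubeseal-0.17.3-linux-amd64.tar.gz" | sha256sum -c -
# Extract only the kubeseal member instead of everything in the archive.
tar -xvf kubeseal-0.17.3-linux-amd64.tar.gz kubeseal
# install(1) sets owner, group and mode in one step (replaces chmod + mv).
sudo install -m 0755 -o root -g root kubeseal /usr/local/bin/kubeseal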
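# Give permissions to microk8s
# Absolute path: the original "mkdir .kube" only worked when the cwd was $HOME,
# while the chown and the redirect below already target ~/.kube.
mkdir -p ~/.kube
sudo usermod -a -G microk8s "$USER"
sudo chown -f -R "$USER" ~/.kube
# Logout and login from the machine: a fresh login shell picks up the microk8s
# group; the commands that follow run inside that shell. (newgrp microk8s is
# an alternative that avoids the new login.)
sudo su - "$USER"
# Get k8s config file
microk8s kubectl config view --raw > ~/.kube/config
# --raw embeds the cluster credentials in the file; make it private
# regardless of the current umask.
chmod 600 ~/.kube/config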
# Enable useful add-ons: dns, storage and ingress.
# "microk8s enable" is the subcommand form of the microk8s.enable alias.
microk8s enable dns storage ingress
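# Install argocd
helm repo add argo https://argoproj.github.io/argo-helm
helm install argocd argo/argo-cd --namespace argocd --create-namespace --wait
# Initial admin password (change it after the first login):
# kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
# UI access: --address 0.0.0.0 exposes the forward on every interface of the
# host. The default loopback bind plus the "ssh -L" tunnel further down this
# page reaches the same port without exposing it.
# kubectl port-forward svc/argocd-server -n argocd 8080:443 --address 0.0.0.0
# Root Application: Argo CD syncs the argocd/ directory of the repo's
# "infrastructure" branch into the "apps" namespace. prune deletes cluster
# resources that disappear from git and selfHeal reverts manual drift, so
# every change must go through the branch. The heredoc delimiter is quoted so
# the manifest is passed literally; the YAML is indented as kubectl expects.
kubectl apply -f - <<'YAML'
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: apps
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: apps
    server: https://kubernetes.default.svc
  project: default
  source:
    path: argocd
    repoURL: https://salsa.debian.org/cloud-team/image-finder.git
    targetRevision: infrastructure
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
YAML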
ssh VM
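# Interactive shell on the VM. The page logs in as root directly; an
# unprivileged account with sudo would limit what a leaked key can do.
ssh root@image-finder.debian.net
# Forward local 8080 to the listener on the VM (presumably the kubectl
# port-forward above). Targeting localhost on the remote side works whether
# the forward is bound to loopback or to 0.0.0.0, so the port-forward no
# longer needs --address 0.0.0.0.
ssh -L 8080:localhost:8080 root@image-finder.debian.net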
GitLab link config variables from microk8s
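# Get certificate authority
microk8s kubectl config view --raw -o=jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode
# Name of the gitlab-admin token secret. The original only printed it, so
# $SECRET on the next line was never set; capture it and fail loudly if the
# lookup is empty. (NOTE(review): newer Kubernetes releases no longer create
# service-account token secrets automatically — confirm one exists.)
SECRET=$(microk8s kubectl -n kube-system get secret | awk '/gitlab-admin/{print $1}')
: "${SECRET:?no gitlab-admin token secret found in kube-system}"
# Bearer token for that service account — presumably a cluster-admin binding
# given the name. Paste it into GitLab directly; do not leave it in shell
# history, logs or a file.
microk8s kubectl -n kube-system get secret "$SECRET" -o jsonpath='{.data.token}' | base64 --decode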
Promote user to admin
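# Production
# Picks the pod on the 3rd line of the listing (header + one pod = the second
# pod listed). This depends on listing order — TODO(review): switch to a label
# selector (-l <app-label>=image-finder -o name) once the label is confirmed.
# The :? guard stops here instead of running "kubectl exec" with an empty name.
pod=$(kubectl get pods -n image-finder-production | awk 'FNR==3{print $1}')
: "${pod:?no pod on line 3 of the image-finder-production listing}"
kubectl exec -it "$pod" -n image-finder-production -- flask promote-user
# Staging
pod=$(kubectl get pods -n image-finder-staging | awk 'FNR==3{print $1}')
: "${pod:?no pod on line 3 of the image-finder-staging listing}"
kubectl exec -it "$pod" -n image-finder-staging -- flask promote-user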
Initial seed
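# Production
# Same pod selection as in the other sections: 3rd line of the listing, i.e.
# the second pod shown, which relies on listing order — TODO(review): prefer a
# label selector once the app label is confirmed. The :? guard prevents an
# "exec" with an empty pod name.
pod=$(kubectl get pods -n image-finder-production | awk 'FNR==3{print $1}')
: "${pod:?no pod on line 3 of the image-finder-production listing}"
kubectl exec -it "$pod" -n image-finder-production -- flask seed run
# Staging
pod=$(kubectl get pods -n image-finder-staging | awk 'FNR==3{print $1}')
: "${pod:?no pod on line 3 of the image-finder-staging listing}"
kubectl exec -it "$pod" -n image-finder-staging -- flask seed run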
Bash to image-finder pod
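# Production
# Interactive shell in the pod found on the 3rd line of the listing (second
# pod shown). Order-dependent — TODO(review): use a label selector once the
# app label is confirmed. The :? guard stops on an empty selection.
pod=$(kubectl get pods -n image-finder-production | awk 'FNR==3{print $1}')
: "${pod:?no pod on line 3 of the image-finder-production listing}"
kubectl exec -it "$pod" -n image-finder-production -- bash
# Staging
pod=$(kubectl get pods -n image-finder-staging | awk 'FNR==3{print $1}')
: "${pod:?no pod on line 3 of the image-finder-staging listing}"
kubectl exec -it "$pod" -n image-finder-staging -- bash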
Kubeseal
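# Unsealed Secret manifest: the data values are base64, i.e. readable by anyone
# who can read this file or this page. Keep it out of version control, delete
# it once the sealed version has been produced, and rotate the values if they
# were ever live. Quoted delimiter: the body is written literally, so a '$'
# inside a value cannot be expanded. The YAML is indented as kubectl expects.
cat > image-finder-secrets.yaml <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: null
  name: image-finder-production
  namespace: image-finder-production
data:
  gitlabClientId: "MTQ2OTc4NTllNmE5NjEzOWU0NGIyZDI4NTMwMDc4YTEyYzZmZGRhNzhlZTZiYWRhOWY5ZWYxZTVkMTczNjJhYw=="
  gitlabClientSecret: "YzY5MGE3NTlhZjMyNDM0MWNhMDkxYWEyMThiMWU0ODczYTg0Y2QyZDE4ODM4ZmI1YTgyZGJlY2RlZTdlYTMxMA=="
  secretKey: "YjkyMjUwMDRkNWE3NDE2Y2JlNmEyY2U0NTIwZDk0M2E="
EOF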
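# Unsealed PostgreSQL Secret manifest: base64 is encoding, not encryption, so
# this file is equivalent to the plaintext password. Keep it out of version
# control and delete it after sealing; rotate the password if it was ever
# live. Quoted delimiter so the value is written literally; YAML indented as
# kubectl expects.
cat > image-finder-postgresql-secrets.yaml <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: null
  name: image-finder-production-postgresql
  namespace: image-finder-production
data:
  postgresql-password: "N012azQ4aHVUOXFnZlNtaw=="
EOF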
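# Unsealed GitLab runner Secret. No metadata.namespace, so "kubectl apply"
# would land it in the current-context namespace — set it explicitly if that
# is not intended. Unlike the two manifests above this file is not sealed
# anywhere on this page; treat it like the others (no version control, delete
# after use, rotate the token if it was ever live). Quoted delimiter; YAML
# indented as kubectl expects.
cat > runner-registration-token.yaml <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-runner-secret
type: Opaque
data:
  runner-registration-token: "OC1HdHRRS0FvQkFZRnVDUUR6eF8=" #base64 encoded registration token
  runner-token: ""
EOF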
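# s3access is created directly (not sealed) in the current-context namespace.
# --from-literal places the values in shell history and in the process list;
# with real credentials use --from-file=accesskey=<path> (and likewise for
# secretkey) so they never appear on a command line.
kubectl create secret generic s3access \
  --from-literal=accesskey="YourAccessKey" \
  --from-literal=secretkey="YourSecretKey"
# Seal the manifests with the controller's public key. Only the sealed output
# is safe to commit; delete the plaintext inputs afterwards. kubeseal reads
# stdin, so the file is redirected in instead of piped through cat.
kubeseal \
  --controller-namespace kube-system \
  --controller-name sealed-secrets \
  --format yaml \
  < image-finder-secrets.yaml \
  > image-finder-sealed-secret.yaml
cat image-finder-sealed-secret.yaml
kubeseal \
  --controller-namespace kube-system \
  --controller-name sealed-secrets \
  --format yaml \
  < image-finder-postgresql-secrets.yaml \
  > image-finder-postgresql-secrets-sealed-secret.yaml
cat image-finder-postgresql-secrets-sealed-secret.yaml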
Updating microk8s certificates DNS
By default the certificates only allow kubectl to reach the API server locally; to reach it over the internet through a real domain name, you must add that name to the file /var/snap/microk8s/current/certs/csr.conf.template, for example:
After changing, refresh the certificates with:
# Regenerate the cluster certificates from the edited csr.conf.template.
# NOTE(review): kubeconfigs exported earlier (~/.kube/config) were taken from
# the previous certificates — re-export if they stop validating.
sudo microk8s refresh-certs
Delete token
# Open the application's interactive shell; presumably run inside the
# image-finder pod shell opened in "Bash to image-finder pod" above.
flask shell
# Typed into `flask shell`: the REPL echoes each expression's value, which is
# why the .all() result is neither assigned nor printed.
from debian_image_finder.models.service_token import ServiceToken
from debian_image_finder.extensions.database import db
ServiceToken.query.all()      # list the existing tokens before removing them
ServiceToken.query.delete()   # bulk delete of EVERY ServiceToken row, not a single token
db.session.commit()           # nothing is removed until this commit