DEV Community: Jello The latest articles on DEV Community by Jello (@angjelo). https://dev.to/angjelo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1008130%2Fbbcf0227-705f-4bad-87d8-536dae68a26b.jpeg DEV Community: Jello https://dev.to/angjelo en Using external-dns on Kubernetes - Cloudflare Jello Wed, 23 Aug 2023 10:43:50 +0000 https://dev.to/angjelo/using-external-dns-with-on-kubernetes-cloudflare-3ld8 https://dev.to/angjelo/using-external-dns-with-on-kubernetes-cloudflare-3ld8 <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ipmCRMho--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yqybmkim9lxm9ost1twc.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ipmCRMho--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yqybmkim9lxm9ost1twc.png" alt="Image description" width="467" height="238"></a></p> <p>When the load balancer's IP address changes, our goal is to avoid the need for manual updates on Cloudflare. Instead, we aim to employ a monitoring service that will automatically ensure the continuity of our DNS records despite these IP changes.</p> <p>Initially, let's set up external DNS. To do this, you will need the following information from Cloudflare:</p> <ul> <li>API KEY</li> <li>ZONE ID</li> </ul> <p>We need to create a secret that external-dns can use to access the Cloudflare API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflare-api-token-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">api-token</span><span class="pi">:</span> <span class="s">${CLOUDFLARE_API_TOKEN}</span> </code></pre> </div> <h3> RBAC Configuration </h3> <p>This RBAC configuration grants the external-dns ServiceAccount permissions to interact with namespaces and specific resources in the <code>gateway.networking.k8s.io API group</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">namespaces"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span><span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span><span class="s2">"</span><span class="s">list"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">gateway.networking.k8s.io"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">gateways"</span><span class="pi">,</span><span class="s2">"</span><span class="s">httproutes"</span><span class="pi">,</span><span class="s2">"</span><span class="s">grpcroutes"</span><span class="pi">,</span><span class="s2">"</span><span class="s">tlsroutes"</span><span class="pi">,</span><span class="s2">"</span><span class="s">tcproutes"</span><span class="pi">,</span><span class="s2">"</span><span class="s">udproutes"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span><span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span><span class="s2">"</span><span class="s">list"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> </code></pre> </div> <h3> Deploying external-dns </h3> <ul> <li>In the deployment replace the $ZONE_ID with the zone ID from cloudflare</li> <li> <code>secretKeyRef</code> refers to the <code>cloudflare-api-token-secret</code> that we created earlier</li> <li>Pay attention to <code>--source=gateway-httproute</code> as this flag defines what resource will be monitored for DNS changes </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Recreate</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-dns</span> <span class="na">image</span><span class="pi">:</span> <span class="s">registry.k8s.io/external-dns/external-dns:v0.13.5</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">--source=gateway-httproute</span> <span class="pi">-</span> <span class="s">--zone-id-filter=$ZONE_ID</span> <span class="pi">-</span> <span class="s">--provider=cloudflare</span> <span class="pi">-</span> <span class="s">--cloudflare-proxied</span> <span class="pi">-</span> <span class="s">--policy=upsert-only</span> <span class="pi">-</span> <span class="s">--log-level=debug</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CF_API_TOKEN</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflare-api-token-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">api-token</span> </code></pre> </div> <p>Verify that the deployment is ready and now we can annotate the services that we want to update the dns records for.</p> <ul> <li>The HTTPRoute resource defines a routing configuration for incoming HTTP requests with a specific host and path. When a request matches the defined conditions, it will be directed to the test-app1 backend service running on port 80. This allows for fine-grained control over how incoming traffic is directed within a Kubernetes cluster.</li> <li> <strong>⚠️ Important Note:</strong> Make sure that the CNAME/A name is not already created so external dns can create the record and take ownership from the start. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">gateway.networking.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HTTPRoute</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-app-1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">parentRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fine-ops-gateway</span> <span class="na">sectionName</span><span class="pi">:</span> <span class="s">https</span> <span class="na">hostnames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">fe-1.fine-ops.com"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">PathPrefix</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/</span> <span class="na">method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">backendRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-app1</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <p>Verify that the route was created be executing <code>kubectl get httproutes</code></p> <p>After we have applied the HTTP resource lets see if external-dns has created a new DNS record for us.Looking at the logs of the pod <code>kubectl logs external-dns-548f86c768-82szq</code> we can see that </p> <ul> <li>external-dns dected the HTTP Resource and created a new A record: <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--FX3kJXVf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/an8v9hkr3555tszwvsv4.png" alt="Image description" width="800" height="208"> </li> <li>Double-checking also from the DNS cloudflare dashboard : <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--iZHFm5Qk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ae20v6hobd541urcc974.png" alt="Image description" width="800" height="61"> </li> </ul> Issuing wildcard certificates on Kubernetes Gateway API (Part 1/2) Jello Wed, 23 Aug 2023 10:42:39 +0000 https://dev.to/angjelo/issuing-wildcard-certificates-on-kubernetes-gateway-api-part-12-3ijg https://dev.to/angjelo/issuing-wildcard-certificates-on-kubernetes-gateway-api-part-12-3ijg <p>What you will need to follow along:</p> <ol> <li>A domain name and a cloudflare api token with the following permissions: <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--brfiodec--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/myupv8z7u11s8x3z977l.png" alt="Image description" width="800" height="253"> </li> <li>Helm</li> </ol> <h3> First install cert-manager </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#Add the helm repo</span> helm repo add jetstack https://charts.jetstack.io <span class="c"># You can remove the experimental support if you don't need it </span> helm <span class="nb">install </span>cert-manager jetstack/cert-manager <span class="nt">--version</span> v1.12.3 <span class="se">\</span> <span class="nt">--namespace</span> cert-manager <span class="se">\</span> <span class="nt">--set</span> <span class="nv">installCRDs</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--create-namespace</span> <span class="se">\</span> <span class="nt">--set</span> <span class="s2">"extraArgs={--feature-gates=ExperimentalGatewayAPISupport=true}"</span> </code></pre> </div> <p>Validating the deployment by executing<br> <br> <code>kubectl get pods -n cert-manager</code><br> <br> should produce the following output</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Ubsj5AFI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n36q8bk2hjog4hh41vxk.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Ubsj5AFI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n36q8bk2hjog4hh41vxk.png" alt="Image description" width="792" height="86"></a></p> <p>We need cluster issuer to be able to create certificates in our cluster</p> <p>First we need to create scecret with the cloudflare token in the cert manager space<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflare-api-token-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cert-manager</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">api-token</span><span class="pi">:</span> <span class="s">${CLOUDFLARE_API_TOKEN}</span> </code></pre> </div> <p>Then we can create the cluster issuer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflare-domain-issuer</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="na">email</span><span class="pi">:</span> <span class="s">email-to-register-domain</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://acme-v02.api.letsencrypt.org/directory</span> <span class="na">privateKeySecretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt-prod</span> <span class="na">solvers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">dns01</span><span class="pi">:</span> <span class="na">cloudflare</span><span class="pi">:</span> <span class="na">email</span><span class="pi">:</span> <span class="s">cloudflare-email</span> <span class="na">apiTokenSecretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflare-api-token-secret</span> <span class="na">key</span><span class="pi">:</span> <span class="s">api-token</span> </code></pre> </div> <p><code>kubectl get cluster issuer</code><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Zehbes8g--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9k0y84ri3tlw4r4ui45m.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Zehbes8g--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9k0y84ri3tlw4r4ui45m.png" alt="Image description" width="468" height="48"></a></p> <p>if the cluster issuer is ready then we can issue our wildcard certificate<br> secretName: fine-ops: Specifies the name of the Kubernetes Secret where the generated certificate and private key will be stored.</p> <p><strong>Note:</strong> <code>secretName</code> specifies the name of the Kubernetes Secret where the generated certificate and private key will be stored.</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Certificate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">certificate-fine-ops</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">dnsNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">*.fine-ops.com"</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">fine-ops</span> <span class="na">issuerRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cloudflare-domain-issuer</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> </code></pre> </div> <p><code>kubectl get cr</code></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Fddh1HVw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n8plsi8fq8t1l1c1qma3.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Fddh1HVw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/n8plsi8fq8t1l1c1qma3.png" alt="Image description" width="800" height="33"></a></p> <p>Here you have it :) </p> <p>Using the certificate in the kubernetes Gateway API </p> kubernetes cloudflare devops cloud Issuing wildcard certificates on Kubernetes Gateway API (Part 2/2) Jello Wed, 23 Aug 2023 10:37:43 +0000 https://dev.to/angjelo/issuing-wildcard-certificates-on-kubernetes-gateway-api-part-22-2peo https://dev.to/angjelo/issuing-wildcard-certificates-on-kubernetes-gateway-api-part-22-2peo <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--sHGJNAz8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dlkugb5v7s83myibzgov.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--sHGJNAz8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dlkugb5v7s83myibzgov.png" alt="Image description" width="800" height="418"></a></p> <p>If you have followed part1 you should should have cert-manager already running.</p> <p>All the files are available on github: <a href="https://github.com/angjelo/cloud-infra">https://github.com/angjelo/cloud-infra</a></p> <p>Let's see how we can build the following infrustrcture by using cilium and the gateway api.</p> <p>Initially we need to create a gateway class and specify the controller that our gateway will be using, I am using cilium on my cluster that's why I have set <code>controllerName: io.cilium/gateway-controller</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">gateway.networking.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">GatewayClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cillium-gateway-class</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">controllerName</span><span class="pi">:</span> <span class="s">io.cilium/gateway-controller</span> </code></pre> </div> <p>After you have successfully created the gateway controller lets define the gateway which will be our entrypoint.<br> Few things:</p> <ul> <li> The <code>annotations</code> field allows you to attach additional metadata to the resource. In this case, an annotation is used to specify the cluster issuer for certificates issued by Cert-Manager (a Kubernetes add-on for certificate management)</li> <li> <code>cert-manager.io/cluster-issuer:cloudflare-domain-issuer</code> refers to the cluster-issuer that we created in part1</li> <li>The secret used in the field <code>certificateRefs</code> is defined in the certificate.yml </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">gateway.networking.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Gateway</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fine-ops-gateway</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">cert-manager.io/cluster-issuer</span><span class="pi">:</span> <span class="s">cloudflare-domain-issuer</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">gatewayClassName</span><span class="pi">:</span> <span class="s">cillium-gateway-class</span> <span class="na">listeners</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*.fine-ops.com"</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">HTTPS</span> <span class="na">tls</span><span class="pi">:</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">Terminate</span> <span class="na">certificateRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fine-ops</span> </code></pre> </div> <p>if we execute <code>kubectl get svc</code> then we shoulld see a public IP assigned to our gateway, if you are on aws usually you will get an ELB address that you can use to point to point your <code>CNAME</code> cloudflare</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1NP1xRUH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ig1k2sxjjnkn3v3iyy5i.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1NP1xRUH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ig1k2sxjjnkn3v3iyy5i.png" alt="Image description" width="800" height="56"></a></p> <strong>⚠️ Important Note:</strong> if you delete and recreate the gateway the load balancer will populate a new ip which you need to update manually on cloudflare <p><br><br> Now that we have defined our main entry point lets create our</p> <ul> <li><code>tls-route</code></li> <li> <code>service</code> </li> <li>deployment for <code>test-app1</code> </li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--oaKOJ7t2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/urwdlmbqmw095ndzsr1v.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--oaKOJ7t2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/urwdlmbqmw095ndzsr1v.png" alt="Image description" width="695" height="184"></a></p> <p>This will be the nginx app deployment<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-app1</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app1</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> </code></pre> </div> <p><code>kubectl apply -f test-app1-deployment.yml</code></p> <p>To view if the pods are deployed successfully <code>kubectl get pods</code></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--tGuGz2E9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i8q0701g0oits14h7yaq.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--tGuGz2E9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i8q0701g0oits14h7yaq.png" alt="Image description" width="752" height="104"></a></p> <p>Now is time to create a service to expose the port internally in kubernetes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-app1</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app1</span> </code></pre> </div> <p><code>kubectl get svc</code> to see if the service was created</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--nEkxtQ4m--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ypq5or47pkmg3lfffxk8.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--nEkxtQ4m--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ypq5or47pkmg3lfffxk8.png" alt="Image description" width="800" height="68"></a></p> <p>Se we can see that test-app1 has been exposed to an internal IP. Now it's time create the <code>tls-route</code> and attach it to the service that we exposed earlier<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">gateway.networking.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HTTPRoute</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-app-1</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">parentRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fine-ops-gateway</span> <span class="na">sectionName</span><span class="pi">:</span> <span class="s">https</span> <span class="na">hostnames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">fe-1.fine-ops.com"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">PathPrefix</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/</span> <span class="na">method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">backendRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-app1</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <p>Lets break down some keypoints in the yaml:</p> <ul> <li> <code>parentRefs</code> refers to the gateway name that we created earlier (fine-ops-gateway)</li> <li> <code>We are referencing the service created earlier for test-app1</code> validate that the route was created: <code>kubectl get httproutes</code> </li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9NIA-yAf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vzhhy2bx1xg2pytiep78.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9NIA-yAf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vzhhy2bx1xg2pytiep78.png" alt="Image description" width="800" height="41"></a></p> <p>Now that we have have created our http route, we can try to access the service on <code>https://fe-1.fine-ops.com</code> (make sure you have created an A record that points the Loadbalancer IP of the cilium gateway)</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--LPD4eVej--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yqe6touk7la22arfuu8z.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LPD4eVej--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yqe6touk7la22arfuu8z.png" alt="Image description" width="800" height="302"></a></p> <p>Now that we have deployed <code>fe-1.fine-ops.com</code> it time to deploy <code>fe-2.fine-ops.com</code></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--fbSSY_S0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bspt97cg7g9j9uxdlke2.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--fbSSY_S0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bspt97cg7g9j9uxdlke2.png" alt="Image description" width="800" height="221"></a></p> <p>Let's start again by creating the second deployment, similar to the previous nginx deployment but the app name is different this time<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-app2</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app2</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app2</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app2</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> </code></pre> </div> <p>After verifying that the pods are running it is time to create the service to internally expose the port to kubernetes<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-app2</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app2</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">90</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">test-app2</span> </code></pre> </div> <p>Not it is time to create the TLS route for fe-2.fine-ops.com<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">gateway.networking.k8s.io/v1beta1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HTTPRoute</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http-app-2</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">parentRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">fine-ops-gateway</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">hostnames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">fe-2.fine-ops.com"</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matches</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">PathPrefix</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/</span> <span class="na">method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">backendRefs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-app2</span> <span class="na">port</span><span class="pi">:</span> <span class="m">90</span> </code></pre> </div> <p><code>kubectl get httproutes</code> should display these routes<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--eQ8iNxFP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pwrxcp11k1c63q2qewps.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--eQ8iNxFP--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pwrxcp11k1c63q2qewps.png" alt="Image description" width="750" height="112"></a></p> <p>Lastly we need to add a new A for fe-2.fine-ops.com record to point to the load balancer IP,this is how the records should look like in cloudflare</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9Uhv3TB---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9d1v0p4fz7ehr00hjyx5.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9Uhv3TB---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9d1v0p4fz7ehr00hjyx5.png" alt="Image description" width="800" height="86"></a></p> <p>Now you can visit fe-2.yourdomain.com</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--BIR9UgOH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/m5tyntqy3if3flt8yh9g.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--BIR9UgOH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/m5tyntqy3if3flt8yh9g.png" alt="Image description" width="800" height="270"></a></p> kubernetes externaldns cloudflare Secure builds on Kubernetes with Kaniko (AWS ECR) Jello Wed, 23 Aug 2023 10:27:52 +0000 https://dev.to/angjelo/secure-builds-on-kubernetes-with-kaniko-aws-ecr-425f https://dev.to/angjelo/secure-builds-on-kubernetes-with-kaniko-aws-ecr-425f <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9CvjzjoD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sjt899tfmjkbcjq7psvl.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9CvjzjoD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sjt899tfmjkbcjq7psvl.png" alt="Image description" width="693" height="337"></a></p> <p>Kaniko is a suitable choice for scenarios where security, isolation, compatibility with container orchestration platforms, and efficient resource utilization are important factors. It provides an alternative to traditional Docker builds, particularly in environments where running Docker daemons might not be optimal or secure.</p> <p>All the files are included in <a href="https://gitlab.com/angjelo/ecr-kaniko-builds">gitlab</a></p> <p>Prerequisites:</p> <ul> <li>Kubernetes Cluster</li> <li>Helm Installed</li> <li>gitlab-registration token</li> <li>IAM User from AWS with full ECR ACCESS</li> </ul> <p>Lets start by adding the AWS credentials as variables into our repository</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--8JAP_Xqr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tt5fibd3d19afsjr0ou9.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--8JAP_Xqr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tt5fibd3d19afsjr0ou9.png" alt="Image description" width="800" height="207"></a></p> <p>The helm repository will enable us to use the gitlab-runner chart<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add gitlab https://charts.gitlab.io </code></pre> </div> <h3> Gitlab runner config yaml </h3> <p>A deeper overview of the gitlab configuration is located in the official repo ["<a href="https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/values.yaml%22">https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/main/values.yaml"</a>]<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">gitlabUrl</span><span class="pi">:</span> <span class="s">https://gitlab.com</span> <span class="na">runnerRegistrationToken</span><span class="pi">:</span> <span class="s">$REGISTRATION_TOKEN</span> <span class="na">concurrent</span><span class="pi">:</span> <span class="m">2</span> <span class="na">rbac</span><span class="pi">:</span> <span class="na">create</span><span class="pi">:</span> <span class="no">true</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitlab-runner</span> <span class="na">runners</span><span class="pi">:</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">kube,aws</span> <span class="na">runUntagged</span><span class="pi">:</span> <span class="no">true</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">if-not-present</span> </code></pre> </div> <ul> <li> <code>gitalb-runner/values.yml</code> contains the values to overwrite in the helm repostiry</li> <li> <code>tags: kube,aws</code> can be anything that makes sense to you</li> <li> <code>runnerRegistrationToken</code> should be obtained from the CI/CD section.</li> </ul> <p>Create a namespace for gitlab: <code>kubectl create ns gitlab</code></p> <h3> Using helm to instal gitlab-runner </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install</span> <span class="nt">--namespace</span> gitlab gitlab-runner <span class="nt">-f</span> values.yml gitlab/gitlab-runner </code></pre> </div> <p><code>kubectl get pods -n gitlab</code> should have active gitlab pods</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--D14qcUUb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ouxriq04axja9vzr9vfr.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--D14qcUUb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ouxriq04axja9vzr9vfr.png" alt="Image description" width="800" height="78"></a></p> <p>Now if you navigate to the runners section in your gitlab, there should be a new runner registered:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--nxNmghym--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0nny75i0l9pk08fpwi7v.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--nxNmghym--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0nny75i0l9pk08fpwi7v.png" alt="Image description" width="599" height="200"></a></p> <p>For the project build you can use the <code>Dockerfile</code> &amp; <code>index.html</code> from my gitlab-repoisitory</p> <h3> .gitlab-ci.yml </h3> <p>To further understand kaniko please reference to the documentation <a href="https://docs.gitlab.com/ee/ci/docker/using_kaniko.html">kaniko Gitlab</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">stages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">build</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">AWS_REGION</span><span class="pi">:</span> <span class="s">eu-north-1</span> <span class="na">REGISTRY</span><span class="pi">:</span> <span class="s2">"</span><span class="s">${AWS_ACCOUNT_ID}.dkr.ecr.eu-north-1.amazonaws.com"</span> <span class="na">build</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">build</span> <span class="na">image</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gcr.io/kaniko-project/executor:debug</span> <span class="na">entrypoint</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">mkdir -p /kaniko/.docker</span> <span class="pi">-</span> <span class="s">echo "{\"credsStore\":\"ecr-login\",\"credHelpers\":{\"$REGISTRY/contoso\":\"ecr-login\"}}" &gt; /kaniko/.docker/config.json</span> <span class="pi">-</span> <span class="pi">&gt;-</span> <span class="s">/kaniko/executor</span> <span class="s">--context "${CI_PROJECT_DIR}" </span> <span class="s">--dockerfile "${CI_PROJECT_DIR}/Dockerfile" </span> <span class="s">--build-arg AWS_REGION=$AWS_REGION </span> <span class="s">--build-arg AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID </span> <span class="s">--build-arg AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY </span> <span class="s">--destination "${REGISTRY}/contoso:${CI_COMMIT_TAG:-$CI_COMMIT_REF_SLUG}"</span> <span class="na">tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">aws,kube</span> </code></pre> </div> <p><code>"{\"credsStore\":\"ecr-login\",\"credHelpers\":{\"$REGISTRY/contoso\":\"ecr-login\"}}"</code>:</p> <ul> <li><p><code>credsStore</code>: This specifies the Docker credentials store to be used for authentication. In this case, it's set to "ecr-login", in which the Amazon Elastic Container Registry (ECR) authentication mechanism is being used.</p></li> <li><p><code>credHelpers</code>: Is an object that defines custom credential helpers for specific Docker registries. In this case, a custom helper is being set up for the $REGISTRY/contoso registry.</p></li> </ul> <p>Once we push gitlab-ci.yml and trigger the pipeline we see the build is running, it Could take up to 30 secs for the runner to pick up the job</p> <p>You can see the full pipeline<a href="https://gitlab.com/angjelo/ecr-kaniko-builds/-/jobs/4929396368">pipeline log</a>:<br><br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--MPHvgimL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z9b7zn3tqrsqjqh5zh1c.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--MPHvgimL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z9b7zn3tqrsqjqh5zh1c.png" alt="Image description" width="800" height="211"></a></p> <p>Navigate to the ECR repository to confirm the image build</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--o2ZOQ5ru--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yvtd6lm2th29sd36jr97.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--o2ZOQ5ru--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yvtd6lm2th29sd36jr97.png" alt="Image description" width="800" height="49"></a></p> <p>Now that you have the pipeline all working start experimenting and see what you can do :) </p> aws kaniko kubernetes gitlab Cilium with Kubernetes Gateway API on Azure Cloud (BYOCNI) Jello Wed, 16 Aug 2023 19:20:18 +0000 https://dev.to/angjelo/cilium-with-kubernetes-on-azure-cloud-byocni-55jn https://dev.to/angjelo/cilium-with-kubernetes-on-azure-cloud-byocni-55jn <h2> Spinning up the AKS Cluster </h2> <p>I selected the cheapest VM type that I found to keep the costs to minimum for this project</p> <p>You will need AKS Preview enabled for the commands to work properly</p> <p>We are planning to use cilium without kube-proxy, the flag <code>--kube-proxy-config kube-proxy.json</code> wil disable it upon creation.</p> <p>kube-proxy json config<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"IPVS"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ipvsConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"scheduler"</span><span class="p">:</span><span class="w"> </span><span class="s2">"LeastConnection"</span><span class="p">,</span><span class="w"> </span><span class="nl">"TCPTimeoutSeconds"</span><span class="p">:</span><span class="w"> </span><span class="mi">900</span><span class="p">,</span><span class="w"> </span><span class="nl">"TCPFINTimeoutSeconds"</span><span class="p">:</span><span class="w"> </span><span class="mi">120</span><span class="p">,</span><span class="w"> </span><span class="nl">"UDPTimeoutSeconds"</span><span class="p">:</span><span class="w"> </span><span class="mi">300</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>In azure-cli or terminal execute the following command (make sure you are using an already authenticated user):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">NAME</span><span class="o">=</span><span class="s2">"cilium-sw"</span> <span class="nb">export </span><span class="nv">AZ_RESOURCEGROUP</span><span class="o">=</span><span class="s2">"resource group"</span> <span class="nb">export </span><span class="nv">AZ_LOCATION</span><span class="o">=</span><span class="s2">"ylocation"</span> az aks create <span class="se">\</span> <span class="nt">-n</span> <span class="s2">"</span><span class="k">${</span><span class="nv">NAME</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--network-plugin</span><span class="o">=</span>none <span class="se">\</span> <span class="nt">-l</span> <span class="s2">"</span><span class="k">${</span><span class="nv">AZ_LOCATION</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-g</span> <span class="s2">"</span><span class="k">${</span><span class="nv">AZ_RESOURCEGROUP</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--kube-proxy-config</span><span class="o">=</span><span class="s2">"kube-proxy.json"</span> <span class="se">\</span> <span class="nt">--enable-cluster-autoscaler</span> <span class="se">\</span> <span class="nt">--min-count</span><span class="o">=</span>1 <span class="se">\</span> <span class="nt">--max-count</span><span class="o">=</span>2 <span class="se">\</span> <span class="nt">--no-wait</span> <span class="se">\</span> <span class="nt">--node-count</span><span class="o">=</span>1 <span class="se">\</span> <span class="nt">--node-vm-size</span><span class="o">=</span><span class="s2">"Standard_B2s"</span> <span class="se">\</span> <span class="nt">--load-balancer-sku</span><span class="o">=</span><span class="s2">"basic"</span> <span class="se">\</span> <span class="nt">--generate-ssh-keys</span> </code></pre> </div> <h3> Connecting to the AKS Cluster </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>az aks get-credentials <span class="nt">--resource-group</span> cilium-eu-1_group <span class="nt">--name</span> cilium-eu </code></pre> </div> <p>Coredns &amp; metrics services will be stuck because there is no CNI plugin installed in your cluster, you can verify that by running:<br> </p> <p><code>kubectl get pods -n kube-system</code><br> </p> <h3> Installing resources that are need for Gateway API support </h3> <p>Before we install cilium as we are planning to use the Kubernetes Gateway API we need to isntall following compoents to kubernetes (also you can reference the officials docs: <a href="https://docs.cilium.io/en/latest/network/servicemesh/gateway-api/gateway-api/#prerequisites">Gateway API Cilium</a>)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.7.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.7.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.7.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.7.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml kubectl apply <span class="nt">-f</span> https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v0.7.0/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml </code></pre> </div> <h3> Installing Cilium </h3> <p>There are different ways to install cilium according to this articles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>git clone https://github.com/cilium/cilium <span class="nv">$ </span><span class="nb">cd </span>cilium <span class="c"># Then we will use helm to install cilium with the latest changes #from the main branch</span> <span class="nv">$ </span>cilium <span class="nb">install</span> <span class="nt">--chart-directory</span> ./install/kubernetes/cilium <span class="se">\</span> <span class="nt">--set</span> <span class="nv">kubeProxyReplacement</span><span class="o">=</span><span class="nb">true</span> <span class="se">\</span> <span class="nt">--set</span> gatewayAPI.enabled<span class="o">=</span><span class="nb">true</span> <span class="nt">--set</span> azure.resourceGroup<span class="o">=</span><span class="k">${</span><span class="nv">AZ_RESOURCEGROUP</span><span class="k">}</span> </code></pre> </div> <p>Upon successful installation you should see the following:<br> <a href="https://res.cloudinary.com/practicaldev/image/fetch/s--giJvKEKY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ickv97l7nndx7f654ocj.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--giJvKEKY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ickv97l7nndx7f654ocj.png" alt="Image description" width="800" height="138"></a><br> </p> <p><code>kubectl get pods -n kube-system</code><br> </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--LaVe2Rqo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/90njepzpvqg4nwjnkok4.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LaVe2Rqo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/90njepzpvqg4nwjnkok4.png" alt="Image description" width="723" height="266"></a></p> <p>Now your cilium cluster is ready :)</p> azure cilium kubernetes