DEV Community: farhanaliali

Step-by-Step Guide: Installing cert-manager and Configuring Production Certificates

farhanaliali — Wed, 04 Sep 2024 10:17:10 +0000

Introduction

In this tutorial, we'll walk through the process of installing cert-manager on your Kubernetes cluster and configuring it to manage production-ready SSL/TLS certificates. cert-manager automates the issuance and renewal of certificates, making it a vital tool for ensuring your services are secure and up to date.

Prerequisites

Before we begin, ensure you have the following:

A Kubernetes cluster up and running
kubectl configured to interact with your cluster
A domain name for which you want to issue certificates

Step 1: Install cert-manager

The first step is to add the Jetstack repository:

helm repo add jetstack https://charts.jetstack.io
helm repo update

Install Cert-Manager with CRDs into your cluster

helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true

Configure The Let's Encrypt Certificate Issuer

Create a YAML file named letsencrypt-production.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
    name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: example@domain.com
    privateKeySecretRef:
      name: letsencrypt-production
    solvers:
      - http01:
          ingress:
            class: nginx

Apply the letsencrypt-production.yaml:

    kubectl apply -f letsencrypt-production.yaml

Obtain an HTTPS Certificate

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wordpress
annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
spec:
  rules:
    - http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
                name: wordpress
                port:
                number: 80
tls:
 - hosts:
   - example.com

Apply the updated Ingress resource:

    kubectl apply -f ingress.yaml

Conclusion

Congratulations! You've successfully installed cert-manager and configured it to issue production-ready SSL/TLS certificates. This setup will automatically manage the renewal of your certificates, ensuring your services remain secure. Remember to monitor your cert-manager logs and resources to ensure smooth operation.

Building a Scalable Minio Distributed Setup: A Step-by-Step Guide

farhanaliali — Wed, 04 Sep 2024 09:58:58 +0000

Minio distributed setup

Author: Farhan ali

Introduction

In this guide, I'll walk you through setting up a distributed Minio cluster across five servers. Four of these servers will be equipped with additional storage, providing a robust and scalable solution for your object storage needs. By the end of this tutorial, you'll have a fully configured Minio setup, ready to handle distributed storage tasks efficiently.

You'll need to set up your 5 base servers. Four of them will require an additional 4 disks each
I'm assuming all servers are listed in DNS as follows:

minio1.domain.com
minio2.domain.com
minio3.domain.com
minio4.domain.com
minio.domain.com (This is the load balance)

All 4 servers should have /dev/sdb,sdc,sdd,sde as the 4 empty disks.
Obviously, you can change as you see fit but will have to adapt this guide.

Step 1: Initial Set Up

On each Minio server set up the mount locations on each server:

sudo mkdir /mnt/minio1
sudo mkdir /mnt/minio2
sudo mkdir /mnt/minio3
sudo mkdir /mnt/minio4

Create a partition on each disk:

sudo fdisk /dev/sdb
sudo fdisk /dev/sdc
sudo fdisk /dev/sdd
sudo fdisk /dev/sde

It will prompt for the following sequence. You can accept the defaults mostly. It's n for the new partition, enter for the default partition number, enter for the first sector, enter for the last sector, and w to write the partition to disk.

Repeat that for all disks.

Add a file system. Specifically xfs!

mkfs.xfs /dev/sdb1
mkfs.xfs /dev/sdc1
mkfs.xfs /dev/sdd1
mkfs.xfs /dev/sde1

Repeat that for all disks.

Now mount the disks on all servers accordingly

sudo vi /etc/fstab

/dev/sdb    /mnt/minio1 xfs defaults 0 1 
/dev/sdc    /mnt/minio2 xfs defaults 0 1
/dev/sdd    /mnt/minio3 xfs defaults 0 1
/dev/sde    /mnt/minio4 xfs defaults 0 1

save and mount the disks

sudo mount -a

Install minio

Use the following commands to download the latest stable MinIO DEB and install it:

wget https://dl.min.io/server/minio/release/linux-amd64/archive/minio_20230904195737.0.0_amd64.deb -O minio.deb
sudo dpkg -i minio.deb

We need to create a default config file:

sudo vi /etc/default/minio

This is the file contents for me:

#Set the hosts and volumes MinIO uses at startup
# The command uses MinIO expansion notation {x...y} to denote a
# sequential series.
#
# The following example covers four MinIO hosts
# with 4 drives each at the specified hostname and drive locations.
# The command includes the port that each MinIO server listens on
# (default 9000)

MINIO_VOLUMES="https://minio{1...4}.domain.com:9000/mnt/minio{1...4}"

# Set all MinIO server options
#
# The following explicitly sets the MinIO Console listen address to
# port 9001 on all network interfaces. The default behavior is dynamic
# port selection.

MINIO_OPTS="--console-address :9001"

# Set the root username. This user has unrestricted permissions to
# perform S3 and administrative API operations on any resource in the
# deployment.
#
# Defer to your organizations requirements for superadmin user name.

MINIO_ROOT_USER=minioadmin

# Set the root password
#
# Use a long, random, unique string that meets your organizations
# requirements for passwords.

MINIO_ROOT_PASSWORD=SuperSecretPassword

# Set to the URL of the load balancer for the MinIO deployment
# This value *must* match across all MinIO servers. If you do
# not have a load balancer, set this value to to any *one* of the
# MinIO hosts in the deployment as a temporary measure.
MINIO_SERVER_URL="https://minio.domain.com:9000"

The key things to ensure are the volume names are correct, your admin username and password are as desired and your load balancer URL is set.

We need a mini user too and to give permissions to that user:

sudo groupadd -r minio-user
sudo useradd -M -r -g minio-user minio-user
sudo chown minio-user:minio-user /mnt/minio1/ /mnt/minio2/ /mnt/minio3/ /mnt/minio4/

SSL setup

We want to use SSL for all of the communication so let's use LetsEncrypt for free certs! Again edit the domain to reflect the node you are doing this on.

Now on mini1

sudo apt install certbot
sudo certbot certonly --standalone -d minio1.domain.com
sudo mkdir -p /home/minio-user/.minio/certs
cp /etc/letsencrypt/live/minio1.domain.com/fullchain.pem /home/minio-user/.minio/certs/public.crt
cp /etc/letsencrypt/live/minio1.domain.com/privkey.pem /home/minio-user/.minio/certs/private.key
chown -R minio-user:minio-user /home/minio-user/

We need Minio to bind to ports below 1024:

setcap 'cap_net_bind_service=+ep' /usr/local/bin/minio

And we are finally ready to start Minio!

sudo systemctl restart minio

Make sure it’s all healthy.

Now repeart the same configuration remining servers

On loadbalancer server

Install nginx and certbot.

sudo apt install nginx certbot

Create a config for Minio:

sudo vi /etc/nginx/sites-available/minio

This is the file contents for me:

upstream minio_servers {
        server minio1.domain.com:9000;
        server minio2.domain.com:9000;
        server minio3.domain.com:9000;
        server minio4.domain.com:9000;
        }
upstream minio_console {
        ip_hash;
        server minio1.domain.com:9001;
        server minio2.domain.com:9001;
        server minio3.domain.com:9001;
        server minio4.domain.com:9001;
        }
map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
        }
server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name minio.domain.com;
        client_max_body_size 0;
        ssl_certificate "/etc/letsencrypt/live/minio.domain.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/minio.domain.com/privkey.pem";

     location / {
          proxy_http_version 1.1;
          proxy_set_header Host $http_host;
          proxy_pass https://minio_console;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
           }
        }

server {
          listen       9000 ssl;
          listen  [::]:9000;
          server_name minio.domain.com;
          ignore_invalid_headers off;
          client_max_body_size 0;
          proxy_buffering off;
          proxy_request_buffering off;
          ssl_certificate "/etc/letsencrypt/live/minio.domain.com/fullchain.pem";
          ssl_certificate_key "/etc/letsencrypt/live/minio.domain.com/privkey.pem";

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 300;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        chunked_transfer_encoding off;
        proxy_pass https://minio_servers;
    }
}

Create the SSL cert from LetsEncrypt again:

sudo systemctl stop nginx
sudo certbot certonly --standalone --preferred-challenges http -d minio.domain.com

Verify the nginx config is all correct and no mistakes or missed characters!

Link the config to the sites-enabled:

sudo ln -s /etc/nginx/sites-available/minio /etc/nginx/sites-enabled/minio

test the config

sudo nginx -t

Lastly, start nginx.

sudo service nginx start

Assuming all of that went fine you now have a working Minio cluster. 4 nodes, 16 disks in total and all load balanced.

access the webui

https://minio.domain.com

Datashim: Streamlined S3 and NFS Dataset Management for Kubernetes

farhanaliali — Thu, 29 Aug 2024 12:12:42 +0000

Overview

Datashim is a Kubernetes Framework to provide easy access to S3 and NFS Datasets within pods. It orchestrates the provisioning of Persistent Volume Claims and ConfigMaps needed for each Dataset.

Using manifests

If you prefer, you can install Datashim using the manifests provided. Start by creating the dlf namespace with:
Start by creating the dlf namespace with:

create ns

kubectl create ns dlf

In order to quickly deploy Datashim

kubectl apply -f https://raw.githubusercontent.com/datashim-io/datashim/master/release-tools/manifests/dlf.yaml

kubectl label namespace default monitor-pods-datasets=enabl

Post-install steps

Ensure that Datashim has been deployed correctly and ready by using the following command:

kubectl wait --for=condition=ready pods -l app.kubernetes.io/name=datashim -n dlf

To use Datashim, we need to create a Dataset: we can do so by editing and running the following:

apiVersion: datashim.io/v1alpha1
kind: Dataset
metadata:
    name: example-dataset
spec:
   local:
     type: COS
     accessKeyID:  test@1234
     secretAccessKey: test@1234
     endpoint: https://minio.demo.com
     bucket: demo
     region: us-east-1

If everything worked, you should now see a PVC named example-dataset which you can mount in your pods. Assuming you have labeled your namespace with monitor-pods-datasets=enabled as mentioned in the post-install steps, you will now be able to mount the PVC in a pod as simply as this:

apiVersion: v1
kind: Pod
metadata:
    name: nginx
spec:
    volumes:
    - name: "example-dataset"
      persistentVolumeClaim:
        claimName: "example-dataset"
    containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - mountPath: "/mount/dataset1" 
          name: "example-dataset"