Ingress TCP/UDP

22 Mar, 2019

Source: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/exposing-tcp-udp-services.md

Install ingress nginx with helm

helm install stable/nginx-ingress \
	--name nginx-ingress-tcp-udp \
	--namespace nginx-ingress-tcp-udp \
	--set controller.ingressClass=nginx-ingress-tcp-udp

Create configmap with format: namespace/service:port

kubectl apply -f - -o yaml << EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: nginx-ingress-tcp-udp
data:
  2000: "demo-test/mysql-demo-test:3306"
  2001: "demo-test/sftp-server:22"
  2002: "demo-test/postgres-server:5432"
EOF

Edit the nginx-ingress service:

kubectl edit svc nginx-ingress-tcp-udp-controller -n nginx-ingress-tcp-udp

  - name: proxied-tcp-2000
    port: 2000
    targetPort: 2000
    protocol: TCP
  - name: proxied-tcp-2001
    port: 2001
    targetPort: 2001
    protocol: TCP
  - name: proxied-tcp-2002
    port: 2002
    targetPort: 2002
    protocol: TCP

Edit the nginx-ingress deployment:

kubectl edit deploy nginx-ingress-tcp-udp-controller --namespace nginx-ingress-tcp-udp

Edit:

    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --tcp-services-configmap=nginx-ingress-tcp-udp/tcp-services

Access through the port previously assigned to the services configured in the configmap.
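
A consistency check for the two edits above, as an added example that is not part of the original post or of ingress-nginx: it parses the tcp-services entries and compares them with the ports published on the controller Service, so that every externally reachable backend is listed and nothing is open without a route behind it. The names parse_tcp_services and audit, the sample data, and the 80/443 built-in ports are assumptions of this example.

```python
import re

# Constructed from the ConfigMap and Service edits shown above; 80/443 are the
# controller's usual HTTP(S) ports and are an assumption of this example.
CONFIGMAP_DATA = {
    "2000": "demo-test/mysql-demo-test:3306",
    "2001": "demo-test/sftp-server:22",
    "2002": "demo-test/postgres-server:5432",
}
SERVICE_PORTS = [
    {"name": "http", "port": 80, "targetPort": 80, "protocol": "TCP"},
    {"name": "https", "port": 443, "targetPort": 443, "protocol": "TCP"},
    {"name": "proxied-tcp-2000", "port": 2000, "targetPort": 2000, "protocol": "TCP"},
    {"name": "proxied-tcp-2001", "port": 2001, "targetPort": 2001, "protocol": "TCP"},
    {"name": "proxied-tcp-2002", "port": 2002, "targetPort": 2002, "protocol": "TCP"},
]
# Only the namespace/service:port form used on this page is accepted.
ENTRY = re.compile(r"^([a-z0-9][a-z0-9-]*)/([a-z0-9][a-z0-9-]*):(\d+)$")


def parse_tcp_services(data):
    """Return {listen_port: (namespace, service, backend_port)} or raise ValueError."""
    routes = {}
    for key, value in data.items():
        match = ENTRY.match(value)
        if not str(key).isdigit() or match is None:
            raise ValueError(f"malformed entry {key!r}: {value!r}")
        listen, backend = int(key), int(match.group(3))
        if not (1 <= listen <= 65535 and 1 <= backend <= 65535):
            raise ValueError(f"port out of range in entry {key!r}: {value!r}")
        routes[listen] = (match.group(1), match.group(2), backend)
    return routes


def audit(data, service_ports, builtin=(80, 443)):
    """Compare ConfigMap routes with the TCP ports the Service publishes."""
    routes = parse_tcp_services(data)
    tcp = [p for p in service_ports if p.get("protocol", "TCP") == "TCP"]
    published = {p["port"] for p in tcp}
    return {
        "backends": routes,  # everything reachable from outside the cluster
        "not_published": sorted(set(routes) - published),
        "no_backend": sorted(published - set(routes) - set(builtin)),
        "target_mismatch": sorted(
            p["port"] for p in tcp
            if p["port"] in routes and p.get("targetPort", p["port"]) != p["port"]
        ),
    }
```

The "backends" entry of the result is the list to review before publishing the Service, since each item is a database or SSH endpoint reachable through the load balancer.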

Delete namespace in perpetual Terminating state

21 Mar, 2019

Error, perpetual Terminating state:

NAME             STATUS        AGE
cert-manager     Terminating   3h
default          Active        1y
kube-public      Active        1y
kube-system      Active        1y

Clean namespace:

kubectl delete all -n cert-manager --all --force --grace-period=0
kubectl delete ns cert-manager --force --grace-period=0

Variables for configuration:

export NAMESPACE_TO_DELETE="cert-manager"
export CLUSTER_NAME="gke_PRO-ID_ZONE-GCP_NAME-CLUSTER"

Create service account with permissions:

kubectl create -f - -o yaml << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tmpadmin
EOF

Save the namespace to edit it:

kubectl get namespace $NAMESPACE_TO_DELETE -o json > tmp.json

Edit:

    "spec": {
        "finalizers": [
            "kubernetes"
        ]
    },

To:

    "spec": {
        "finalizers": []
    },

Create the following variables

APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='tmpadmin')].data.token}"|base64 -d)

Test token:

curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure

Update namespace:

curl -X PUT $APISERVER/api/v1/namespaces/$NAMESPACE_TO_DELETE/finalize -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" --data-binary @tmp.json  --insecure

After this the namespace is erased.

Clean the service account:

kubectl delete sa tmpadmin
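
The manual edit of tmp.json and the PUT to /finalize described above, as an added example that is not part of the original post: it empties spec.finalizers only after confirming that the saved object is the intended namespace and is actually Terminating, then builds the request without sending it. The function names, the sample JSON and the API server URL in the usage are constructed for illustration.

```python
import json
import urllib.request

# Constructed sample of what `kubectl get namespace cert-manager -o json` saves.
SAMPLE_TMP_JSON = """{
  "apiVersion": "v1",
  "kind": "Namespace",
  "metadata": {"name": "cert-manager", "deletionTimestamp": "2019-03-21T10:00:00Z"},
  "spec": {"finalizers": ["kubernetes"]},
  "status": {"phase": "Terminating"}
}"""


def clear_finalizers(raw, expected_name):
    """Return (namespace document with spec.finalizers emptied, removed finalizers)."""
    doc = json.loads(raw)
    if doc.get("kind") != "Namespace":
        raise ValueError("saved object is not a Namespace")
    name = doc.get("metadata", {}).get("name")
    if name != expected_name:
        raise ValueError(f"saved namespace is {name!r}, expected {expected_name!r}")
    if doc.get("status", {}).get("phase") != "Terminating":
        raise ValueError("namespace is not Terminating; refusing to strip finalizers")
    spec = doc.setdefault("spec", {})
    removed = list(spec.get("finalizers") or [])
    spec["finalizers"] = []
    return doc, removed


def build_finalize_request(apiserver, token, doc):
    """Build (but do not send) the PUT that the curl command above issues."""
    name = doc["metadata"]["name"]
    url = f"{apiserver.rstrip('/')}/api/v1/namespaces/{name}/finalize"
    return urllib.request.Request(
        url,
        data=json.dumps(doc).encode("utf-8"),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",
        },
    )


if __name__ == "__main__":
    document, removed = clear_finalizers(SAMPLE_TMP_JSON, "cert-manager")
    request = build_finalize_request("https://apiserver.example.invalid", "TOKEN", document)
    print(request.get_method(), request.full_url, "removed:", removed)
```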

External Load Balancer for Kubernetes - HAProxy

10 Jun, 2017

You need:

  • A Kubernetes cluster
  • A new node for HAProxy

Sources:

Installation on the HAProxy node

Install basic software

yum install epel-release
yum install haproxy git socat python-pip
pip install jinja2
pip install deepdiff

Clone the repository into / (or another path) for dynamic configuration of HAProxy

git clone https://github.com/Tedezed/Celtic-Kubernetes.git

Create the HTML error pages for the HAProxy service

mkdir /etc/haproxy/errors/
cp /Celtic-Kubernetes/external_loadbalancer_hap/errors/* /etc/haproxy/errors/
cp /Celtic-Kubernetes/external_loadbalancer_hap/system/haproxy.cfg /etc/haproxy/

Create the global state file

mkdir -p /var/state/haproxy/
touch  /var/state/haproxy/global

Enable HAProxy

systemctl enable haproxy

Test

python hap_manager_daemon.py start
python hap_manager_daemon.py stop
sh haproxy_reload

 

HAP Manager

You need the repository https://github.com/Tedezed/Celtic-Kubernetes.git

Modify configuration.json for hap_manager

{
"kube_api": "morrigan:8080",
"version": "v1",
"file_conf": "template.cfg",
"stats": true,
"sleep": 3
}
  • Kube API master

      "kube_api": "ip_kube_api_server:port_http"
    

Unit for systemd of hap_manager

Copy file hap_manager.service

cp /Celtic-Kubernetes/external_loadbalancer_hap/system/hap_manager.service /lib/systemd/system/hap_manager.service

Modify permissions for hap_manager

chmod 644 /lib/systemd/system/hap_manager.service

Reload the systemd daemon so it picks up the new unit configuration

systemctl daemon-reload

Start and enable hap_manager.service

systemctl start hap_manager.service

systemctl enable hap_manager.service

See settings

cat /etc/haproxy/haproxy.cfg | grep acl

 

Define services

Example rc

apiVersion: v1
kind: ReplicationController
metadata:
 name: nginx-controller
spec:
 replicas: 2
 selector:
   name: nginx
 template:
   metadata:
     labels:
       name: nginx
   spec:
     containers:
       - name: nginx
         image: nginx
         ports:
           - containerPort: 80

Example svc, you need NodePort

apiVersion: v1
kind: Service
metadata:
  name: nginx-service-domain
  labels:
    app: nginx
spec:
  type: NodePort
  ports:
  - port: 80
    protocol: TCP
    name: http
  selector:
    name: nginx

Access the service at http://IP-SERVER-HAP/NAME-SERVICE/

If you need a domain for the service, you can use the label “domain”

Example svc with domain

apiVersion: v1
kind: Service
metadata:
  name: nginx-service-domain
  labels:
    app: nginx
    domain: www.test-domain.com
spec:
  type: NodePort
  ports:
  - port: 80
    protocol: TCP
    name: http
  selector:
    name: nginx

 

Avoid repeating the domain name

You can use manager_tools.py (function constraint_domain) to avoid repeating a domain name. If it returns True, the domain name is in use.

Example

constraint_domain("morrigan:8080","v1","www.test-domain.com")
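
A sketch of the kind of check described above, run against a constructed service list shaped like the response of the API's service listing. It is an added example, not the code of manager_tools.py; domain_claims, domain_in_use and conflicting_domains are hypothetical names. It goes one step further than a True/False answer and reports which services, in which namespaces, claim the same “domain” label.

```python
from collections import defaultdict

# Constructed sample: two services in different namespaces claim one domain.
SERVICES = {"items": [
    {"metadata": {"name": "nginx-service-domain", "namespace": "default",
                  "labels": {"app": "nginx", "domain": "www.test-domain.com"}}},
    {"metadata": {"name": "shop", "namespace": "team-b",
                  "labels": {"domain": "WWW.Test-Domain.com"}}},
    {"metadata": {"name": "nginx-service", "namespace": "default",
                  "labels": {"app": "nginx"}}},
]}


def normalize(domain):
    """Host names are case-insensitive, so compare them lower-cased."""
    return domain.strip().lower()


def domain_claims(service_list):
    """Map each normalized domain label to the namespace/name of its services."""
    claims = defaultdict(list)
    for item in service_list.get("items", []):
        meta = item.get("metadata", {})
        domain = (meta.get("labels") or {}).get("domain")
        if domain:
            owner = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
            claims[normalize(domain)].append(owner)
    return dict(claims)


def domain_in_use(service_list, domain):
    """True when some service already carries this domain label."""
    return normalize(domain) in domain_claims(service_list)


def conflicting_domains(service_list):
    """Domains claimed by more than one service, with the claimants sorted."""
    return {
        domain: sorted(owners)
        for domain, owners in domain_claims(service_list).items()
        if len(owners) > 1
    }
```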