- Configure the Network Protocol Profile on the vCenter according to: https://www.virtualthoughts.co.uk/2020/03/29/rancher-vsphere-network-protocol-profiles-and-static-ip-addresses-for-k8s-nodes/
- Make sure to create a service user with the corresponding global and folder-specific permissions: https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/creating-credentials/
- Besides the vCenter role permissions from the official Rancher documentation, the following ones need to be granted in order to configure the nodes via vApp options:
  - Content Library: Read storage
  - Extension: Register extension
  - vSphere Tagging: Assign or Unassign vSphere Tag on Object
# https://github.com/bloomberg/goldpinger
---
apiVersion: v1
kind: Namespace
metadata:
  name: goldpinger
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
kubectl run -it --rm tshoot --overrides='
{
  "spec": {
    "containers": [
      {
        "name": "tshoot",
        "image": "nicolaka/netshoot:latest",
        "command": ["/bin/bash"],
        "stdin": true,
        "stdinOnce": true,
apiVersion: apps/v1
kind: Deployment
metadata:
  name: iperf3
spec:
  replicas: 2
  selector:
    matchLabels:
      app: iperf3
  template:
Docker-Compose single-host Minio S3 setup using Traefik (Let's Encrypt with DNS-01 challenge via Cloudflare) for TLS offloading.
Tested on Ubuntu 20.04.
Run all commands shown here as root, or prepend sudo to the commands that require higher privileges.
Rancher's official documentation on how to configure the Rancher <> KeyCloak setup is fine but definitely not sufficient to successfully configure it (https://rancher.com/docs/rancher/v2.x/en/admin-settings/authentication/keycloak/). That's why every single required step is documented here.
I simply use the default master realm for the Rancher client. Nevertheless, it can absolutely make sense to use a custom KeyCloak realm instead.
- Log in as admin on https://keycloak.example.com/. Important: it's crucial that the same username exists in KeyCloak as the one you use as admin user on Rancher. Since I just use the admin account in this guide, this prerequisite is already met.
- Create a new client under https://keycloak.example.com/auth/admin/master/console/#/realms/master/clients
  - Client ID: https://rancher.example.com/v1-saml/keycloak/saml/metadata
Optional: Disable PSA (Pod Security Admission) enforcement on the default namespace:
k label ns default pod-security.kubernetes.io/enforce=privileged
k label ns default pod-security.kubernetes.io/audit=privileged # optional
k label ns default pod-security.kubernetes.io/warn=privileged # optional
Start the tshoot pod:
echo '
- name: custom_certmanager_monitoring
  rules:
  - alert: CertManagerAbsent
    expr: absent(up{job="cert-manager"})
    for: 1h
    annotations:
      message: "Cert Manager has disappeared from Prometheus service discovery."
    labels:
      severity: critical
  - alert: CertManagerACMEProxyReachability