Kubernetes and Rancher Adventures...on the cheap
TL, DR: a guide to setup k8s clusters quickly and cheaply, optionally with Rancher for easy GUI-based admin and role management.
I wanted to learn more about k8s but didn't particularly want to commit to paying substantial $ for hosting a 'normal' Kubernetes cluster somewhere. I wanted to stick to the lowest possible budget, but still have real k8s running on a server somewhere.
This doc explains how I did that. It happens to go into Rancher but it could be any cloud native app. Intended for my own learning purposes and edification. If things go well, I might stand up some real apps with external users, but for now no anticipated prod purpose.
Cheap Kubernetes option
I learned Digital Ocean offers a single node Kubernetes clusters for $10/month, and this seems like it could meet my needs quite well. So, I created a single node cluster there, configured
kubectl and got the public IP address of the node (DO "droplet") using
$ kubectl get nodes -o wide
Quick DNS change
I created a new A record on a domain (one I happen to already own) pointing to that public IP. Now I will be able to pull up whatever deployments using a human friendly domain name. Yay for convenience.
How to avoid a Load Balancer
Like other providers, DO provides a load balancer which is fine, however I don't think the $10/month extra is worth it for my case.
No problem, b/c accessing my apps by port number is good enough. So long as I e.g. expose my
Services of type NodePort we're gonna be fine from here on out.
Now onto the Rancher piece. Following the official docs I first tried adding Rancher via Helm, but I saw lots of
CrashLoopBackOffs and things were glacial. I also saw there's a default of 3 Rancher instances, even on a single node cluster, which seems not necessary for a tiny cluster like mine.
In the end I followed their Docker-oriented docs but wrote my own Kubernetes manifest implementing their tips. But before you copapasta
rancher-single-node-manifest.yaml below, do check the next step first.
Since Rancher is an 'admin' category tool and requires higher privs, you may need to configure the Rancher user accordingly. sauce
kubectl create clusterrolebinding permissive-binding --clusterrole=cluster-admin --user=admin --user=kubelet --user=kube-system --user=default --user=rancher --group=system:serviceaccounts
I suggest you use a dedicated namespace, e.g.
kubectl create ns rancher
Finally, go ahead and startup Rancher.
kubectl apply -f rancher-single-node-manifest.yaml -n rancher
Rancher is now running at
Now you're cooking with gas!
...or are we?
I noticed a "convenience issue" that bothered me enough to want to fix. Turns out, Google Chrome no longer offers to save passwords on sites you visit, unless the origin is served over TLS.
- it's more convenient when Chrome saves credentials for me
- I'm not interested in paying for a real certificate since the server is a throwaway (also DO might change the IP on me)
- normally I'd consider a Let's Encrypt cert for free, but this time I don't want to waste limited RAM/mental cycles having to deal with a webserver for the usual ACME automation dance
...I ended up creating my own Certificate Authority using macOS Keychain Access.
Your own Certificate Authority
It might sound like a huge job, but really it's just some applied crypto and once you grok the concepts it's not bad.
CAs are the root of trust for TLS. If you make one on your own, e.g. using macOS, the CA is automatically added to your local macOS trust store, which you can see using Keychain Access. You can optionally add the CA to other devices e.g. using AirDrop which I did. (Colleagues could also get your CA which might be useful e.g. if you wanted to prove the server's identity)
So after making the CA, I then generated a certificate for my node (aka Rancher) using my new CA. I next exported that certificate, the private key for the cert, and the CA authority certificate aka the "fullchain" cert. Because Rancher's Docker image expects .pem formatted files, I converted from .cer.
How to convert Keychain Access exports (.cer) to .pem files:
openssl x509 -inform der -in cert.cer -out cert.pem openssl x509 -inform der -in fullchain.cer -out fullchain.pem openssl pkcs12 -in key.p12 -nodes -out key.pem -nocerts
Paste these values into the relevant bits of the manifest, and you're off to the races. Convoluted? You could say that, yeah, but I do think having your own CA is a useful trick to have up your sleeve, and depending on your needs is likely to be useful in the future also. I've used it twice this year and counting :)
Finally, when you logon Chrome will happily save your creds as per usual. Yay for convenience!