EXTERNAL AUTH

In both directories, 'user-regular1' and 'user-regular2' are members of the 'k8s-users' group, and 'user-admin' is a member of the 'k8s-admins' group.

For Active Directory, 'user-bind' is a plain user that is a member of the default 'Domain Users' group in Active Directory. It can therefore be used as the bind account, because it has read-only access to Active Directory.

The mail attribute is used to create the RBAC rules.

1. LDAP ACTIVE DIRECTORY

These commands must be run on all the masters.

  • override kube-controller-manager ExecStart in systemd service
# mkdir /etc/systemd/system/kube-controller-manager.service.d
# cat > /etc/systemd/system/kube-controller-manager.service.d/override.conf<<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/hyperkube controller-manager \\
@spiarh
spiarh / prometheus-additional-scrapes.md
Last active November 5, 2019 14:36
prometheus-additional-scrapes

Add additional scrape configs to Prometheus on Kubernetes

This procedure assumes that Prometheus Operator has been installed using the manifests provided in prometheus-operator/contrib/kube-prometheus/manifests/ from https://github.com/coreos/prometheus-operator.git

This procedure is based on this documentation

Nginx TCP Load Balancer with passive checks

We can use the ngx_stream_module module (available since version 1.9.0) for TCP load balancing. In this mode, nginx simply forwards the TCP packets to the masters.

/!\ The Open Source version of Nginx only supports passive health checks, so this configuration should only be considered for a PoC. The main issue with passive health checks is that nginx only marks a node as unresponsive and stops sending it traffic after a request to it has already failed.

Deploy a cluster from scratch

The process for bootstrapping a new cluster from GM is performed in this order:

  1. Accept the nodes in salt
  2. Register the nodes
  3. Update the packages
  4. Reboot the nodes simultaneously
  5. Deploy cluster

HAProxy on SLE-HA from scratch

In this guide we will deploy HAProxy in failover mode, leveraging SUSE Linux Enterprise High Availability Extension 15 SP1.

This HAProxy instance will be used as a highly available load balancer for a CaaSP cluster with 3 masters.

The HA cluster will have two members:

@spiarh
spiarh / systemd-pod-kubernetes.md
Last active February 24, 2020 09:21
Run systemd inside a pod on Kubernetes
---
apiVersion: apps/v1
kind: Deployment
metadata:
  generation: 1
  labels:
    app: source-ip-app
  name: source-ip-app
  namespace: default
spec:
@spiarh
spiarh / README.md
Created June 19, 2020 15:04 — forked from detiber/README.md
Using CFSSL as an external CA for kubeadm

CFSSL as an external CA for non-HA kubeadm-initialized clusters

Using cfssl to Create an External CA Infrastructure

Install cfssl

# This requires an existing Go environment with GOPATH set
go get -u github.com/cloudflare/cfssl/cmd/...

1 to 3 masters

Cluster state:

1 master: master01.fqdn
2 workers: worker01.fqdn, worker01.fqdn

A couple of nginx pods are running.

Goal: