Kubernetes - dev ops
Digital Ocean Commands
# List available clusters
doctl kubernetes cluster list
# Save the cluster's credentials to your local kubeconfig; doctl then automatically renews your cluster's certificate.
doctl kubernetes cluster kubeconfig save <cluster_id or name>
Common Commands
Check out the verbose kubernetes.io cheat sheet here
This is a reminder of the commands that I use most frequently.
*Some of the commands here may not be accurately described
| Command | Description |
| --- | --- |
| kubectl config current-context | Output the ID of the currently used cluster |
| kubectl config view | Show all configurations, past or present |
| kubectl get nodes | Get nodes running on selected cluster |
| kubectl get pods | Get the pods currently running |
| kubectl get services | Get the services currently running |
| kubectl get deployments -o wide | Display deployments (wide format) |
| kubectl apply -f manifest.yml or directory --recursive | Create pods using the .yaml file or files (if directory) defined |
| kubectl delete -f manifest.yml or directory --recursive | Deletes deployments |
| kubectl scale --replicas=4 deployment/deployment_name | Scale the named deployment's number of pods |
| kubectl diff -f manifest.yml or directory --recursive | Show the difference between what a pod is running live vs what is in your .yaml file |
| kubectl rollout status deployments/deployment_name | Check the status of a deployment's rollout |
| kubectl rollout undo deployments/deployment_name | Undo the changes last made to a deployment |
| kubectl rollout history deployments/deployment_name | Check the history of rollouts |
Common Terms
Check out the verbose kubernetes.io glossary here
*Some of the terms here may not be accurately defined
| Term | Definition |
| --- | --- |
| node | An actual machine running in the cluster |
| pod | Containerized application running on a node |
| deployment | A resource that automatically manages pods; is defined by a configuration file |
| service | A resource that handles network activity |
Set up NGINX Ingress With Cert Manager (Digital Ocean)
SOURCE: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes
# Optional: This is an example service and deployment file
File
# Apply with:
kubectl apply -f echo1.yaml
# 1. Apply the deployment file for the ingress
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/do/deploy.yaml
# get latest here
# WARNING: When I used the latest v1.0.0 in the apply command this entire process broke and I got 404's when visiting sites
# Only grab the latest command if you know exactly what causes this issue.
# 2. Confirm Controller Pods Started
kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --watch
# 3. Confirm Load Balancer successfully created
kubectl get svc --namespace=ingress-nginx
# 4. Use External IP generated from this command in step 5
kubectl get svc --namespace=ingress-nginx | awk '$1 == "ingress-nginx-controller" {print $4}'
# 5. Update your domain manager's A records to point to your load balancer's external IP
Type Name Value TTL
A echo1 <external_ip> 1 Hour
A echo2 <external_ip> 1 Hour
# 6. Download this file and replace the relevant variables (host, etc..)
File
# 7. Apply said file to your cluster
kubectl apply -f echo_ingress.yaml
# Should now be able to $ curl echo1.example.com
# 8. Install cert manager
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.16.1/cert-manager.yaml
# Verify correct installation with $ kubectl get pods --namespace cert-manager
# 9. Download staging_issuer.yaml and edit email field
File
# Make sure to edit email field
# 10. Roll out the cluster issuer
kubectl create -f staging_issuer.yaml
# 11. Do the same thing for prod_issuer.yaml; don't forget the email field
File
kubectl create -f prod_issuer.yaml
# 12. Create A record for workaround.example.com in your DNS management
# to point to the same external ip as before
# 13. Download ingress_nginx_svc.yaml and edit the hostname field
# Also possibly edit the version field under labels and chart
File
# 14. Apply that file to the cluster
kubectl apply -f ingress_nginx_svc.yaml
# 15. Update echo_ingress.yaml with this file; update hosts vars
File
# 16. Apply the changes
kubectl apply -f echo_ingress.yaml
# To verify: describe ingress with $ kubectl describe ingress
# Then describe the certificate with $ kubectl describe certificate
# 17. Update echo_ingress.yaml with this file; update hosts vars
File
# 18. Apply changes
kubectl apply -f echo_ingress.yaml
# 19. Track the certificate's progress
kubectl describe certificate echo-tls
# 20. Confirm the successful completion of this by curl'ing your site
curl echo1.example.com
# Should show a 308 redirect
# 21. Now confirm the secured site
curl https://echo1.example.com
Use websockets with NGINX Ingress
This is untested, but figured I'd jot it down cause I know I'll need it
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tornado-socket
  annotations:
    kubernetes.io/ingress.class: nginx
    # Long read/send timeouts keep idle WebSocket connections from being closed by the proxy
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/server-snippets: |
      location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $http_upgrade;
      }
spec:
  rules:
  - host: tornado-ws.example.com
    http:
      paths:
      - backend:
          serviceName: tornado-socket
          servicePort: 8000
Pull from private registry
# Log in; docker then writes the login token to .docker/config.json, unencrypted
docker login
# Create the secret from that newly created file
kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=/path/to/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson
# Usage in pod description
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: regcred
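The login file can hold credentials for more registries than the cluster needs, and holds nothing usable when Docker keeps logins in a credential helper. This added example (not part of the original notes) trims a config.json to one registry before it is passed to `--from-file=.dockerconfigjson=`; the registry names and credentials are constructed, and `minimal_pull_secret` and `other_registries` are hypothetical helper names.

```python
import base64
import json

# Constructed sample of .docker/config.json after logging in to two registries.
# Every credential here is made up.
SAMPLE_CONFIG = {
    "auths": {
        "registry.example.com": {"auth": base64.b64encode(b"ci-bot:not-a-real-token").decode()},
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"alice:also-not-real").decode()},
    }
}


def minimal_pull_secret(config, registry):
    """Return (username, dockerconfigjson text) holding only `registry`.

    Raises ValueError when the login lives in a credential helper, because
    config.json then carries no `auth` value the cluster could use.
    """
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        raise ValueError(f"no login recorded for {registry}")
    if "auth" not in entry:
        helper = config.get("credsStore") or config.get("credHelpers", {}).get(registry)
        raise ValueError(f"{registry}: credentials are in helper {helper!r}, not in config.json")
    # The auth field is base64("user:password"): encoded, not encrypted.
    username, _, _password = base64.b64decode(entry["auth"]).decode().partition(":")
    trimmed = {"auths": {registry: {"auth": entry["auth"]}}}
    return username, json.dumps(trimmed)


def other_registries(config, registry):
    """Registries whose credentials the untrimmed config.json would also upload."""
    return sorted(r for r in config.get("auths", {}) if r != registry)


if __name__ == "__main__":
    user, doc = minimal_pull_secret(SAMPLE_CONFIG, "registry.example.com")
    print("login user:", user)
    print("left out of the secret:", other_registries(SAMPLE_CONFIG, "registry.example.com"))
    print(doc)  # write this to a file and point --from-file=.dockerconfigjson= at it
```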
Secrets
# Create Secret
kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
kubectl create secret generic my-generic-secret --from-literal='key1=value1' --from-literal='key2=value2'
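# not tested
# A tls secret is built from a certificate/key pair, not from literals, and
# secret names cannot contain underscores (paths below are placeholders)
kubectl create secret tls tls-secret --cert=<path/to/tls.crt> --key=<path/to/tls.key>
# Get Secret
kubectl get secret regcred --output=yaml
kubectl get secret my-generic-secret --output=yaml
kubectl get secret tls-secret --output=yaml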
# Delete Secret
kubectl delete secret my-generic-secret
# Usage in pod description
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: regcred