This snippet shows how to run TP-Link Tapo cameras fully locally, without access to internet.

Environment

• TP-Link Tapo C110 hw 2.0 fw 1.4.7
• TP-Link Tapo C225 hw 2.0 fw 1.1.1
• NTP server running locally that doesn’t use time.windows.com as a source of time

Rationale

By default, TP-Link Tapo cameras are connected to cloud for multiple purposes:

• share video streams
• perform firmware updates
• sync time

Unfortunately, these cameras ignore NTP servers specified via DHCP config, and seem to rely on a list of hardcoded NTP servers. One of them is time.windows.com. You can find others in your firewall log once internet connectivity is blocked.

Configuration

• Setup cameras via Tapo app with internet connected
  • Update firmware if necessary
  • Create RTSP account (otherwise what’s the point of running it fully locally?)
  • Use DHCP or specify local DNS
• Block internet connection from cameras via network firewall (most likely on router)
• Create DNS A record (on DNS used by Tapo) pointing time.windows.com to local NTP server

This snippet installs Let’s Encrypt TLS certificate, ensures it is renewed, and makes sure that UniFi is resolved to LAN IP when accessed via FQDN in TLS certificate.

Environment

• UniFi OS 4.4.6
• UniFi Network 10.0.162
• kchristensen/udm-le commit 316a8509063ce5161436c49a844da18de2681d27

Configuration

• Follow installation instructions in udm-le Readme
• Add A DNS record pointing to UniFi device LAN IP in Policy Engine

• x86_64:
  • CoreOS (now Flatcar Container Linux) as a Linux distro
  • Kubespray as a Kubernetes installer
  • Metallb and NGINX Ingress Controller for incoming traffic
• arm (Raspberry PI 3B)
  • HypriotOS as a lightweight container-oriented Debian-based Linux
  • k3s as a lightweight Kubernetes distribution with sqlite instead of etcd
  • Metallb and Traefik v1 for incoming traffic

Configuration

• Pulumi for everything except Helm charts
• Helmsman for Helm charts
• kubie for using multiple Kubernetes contexts simultaneously in different terminals

My tool of choice is Helmsman

I appreciate the fact that building abstraction on top of the tool such as helm is not ideal. That’s why there are no major players in this field.

And there are even less of these which were not abandoned by their authors, and support changes introduced in helm 3.

Alternatives

• Pulumi - didn’t like it for use of helm template.
• Ship - concentrated on a single application lifecycle.
• helmfile - quite popular, but I didn’t like the fact that the configuration file (helmfile.yaml) was treated as a Go template file.
• Landscaper - deprecated in favour of helmfile just couple days ago.
• Reckoner - Python-based, quite slow in my experience, very brief documentation, lack of secrets or environment variables management.

Installation (on macOS)

brew install helm helmsman sops
helm plugin install https://github.com/databus23/helm-diff --version master
helm plugin install https://github.com/fabmation-gmbh/helm-whatup
helm plugin install https://github.com/futuresimple/helm-secrets

Usage

• Create Desired State Specification file (helmsman.yaml in this example)
• helmsman --apply -p 3 -f helmsman.yaml, where -p is parallelism level. I set it to 1 on my Raspberry PI k3s cluster, otherwise it can’t cope with the load; my intel-based cluster works better, and -p 3 speeds things up.
• …
• Profit!

Secrets Management

Use helm-secrets and sops (installed in my example) for secret management.

With GPG key it’s as easy as:

export SOPS_PGP_FP="<KEY_ID>"
sops /path/to/new/or/existing/secrets-file.yaml

• Each value is encoded separately, which makes it perfect for GitOps and change management.
• Cloud KMS services are supported.

Extracting common variables into dotenv

.env files are supported, and they are ideal for reusable values like URLs, hostnames, IP addresses, versions.

ohmyzsh has even a dotenv plugin to load them up automatically into your shell.

Simple .env looks like:

IP_ETCD=192.168.0.100
# Some comment
VERSION_KIBANA=7.6.2

Desired State Definition (DSD) tips

Both environment variables can secrets can then be referenced in the Desired State Specification file.

You can (and should) also extract value files for individual charts into separate files.

I use the following folder structure:

.
├── charts
│   ├── kibana
│   └── prometheus-operator
├── helmsman.yaml
├── secrets
│   ├── kibana.yaml
│   └── prometheus-operator.yaml
└── values
    ├── kibana-default.yaml
    ├── kibana.yaml
    ├── prometheus-operator-default.yaml
    └── prometheus-operator.yaml

• charts/ hold unpacked chart archives (.gitignore‘d) - I use it for updating to latest versions, more on that later.
• secrets/ hold files with sensitive information, encrypted by sops
• values/ hold value files used to configure charts, as well as default value files extracted from charts/. Default value files are stored in git, that’s how I find out what changed between currently installed and latest chart release. Then I upgrade values used by installed apps accordingly.

Helmsman DSD file looks like this:

settings:
  # I use that to control chart removal order - use it rarely :)
  reverseDelete: true

# Namespaces observed by helmsman. It will remove any charts from these namespaces that are not managed by helmsman.
namespaces:
  kibana: {}
  prometheus-operator: {}

# All your helm repos go here
helmRepos:
  stable: 'https://kubernetes-charts.storage.googleapis.com'

apps:
  # That's pretty self-descriptive IMHO :)
  kibana:
    namespace: kibana
    chart: stable/kibana
    version: 3.2.6 # Chart version
    enabled: true # Set to false, and release will be removed
    secretsFile: secrets/kibana.yaml # Path to yaml file with secrets managed by sops. It will be decrypted, and later used as a regular values file (helm -f)
    valuesFile: values/kibana.yaml # Yaml file with unencrypted configuration values  (helm -f)
    set:
      image.tag: '${VERSION_KIBANA}' # Here you can use variables defined in .env (helm --set key=value)
      'ingress.hosts[0]': '${DNS_NAME_KIBANA}' # And even address array indices

  prometheus-operator:
    namespace: prometheus-operator
    chart: stable/prometheus-operator
    version: 8.13.0
    enabled: true
    valuesFiles: # You can use multiple values files if necessary
      - values/prometheus-operator.yaml
      - values/prometheus-operator-rules.yaml
    secretsFile: secrets/prometheus-operator.yaml
    priority: -50 # And also set priority. The lower, the sooner it will be executed when installing. And the later during deletion (due to reverseDelete)
    wait: true # You can also wait...
    timeout: 600 #... for a specific timeout until chart is fully deployed
    noHooks: true # You can disable Helm hooks
    helmFlags: ['--skip-crds'] # Or pass additional flags to helm command line, if necessary

Upgrading charts

I use helm-whatup plugin to find updates for the charts:

helm whatup --all-namespaces -a

And I wrote a script that supplements the helmsman upgrade process:

• Run helm whatup
• For each outdated chart run helm fetch <chart_name> --version=<chart_new_version> --untar --destination charts/
• Then I copy charts/<chart_name>/values.yaml to values/<chart_name>-default.yaml

I am too ashamed of the script to share it though :smile:.

Once updated charts are fetched, I update chart versions in helmsman.yaml, make necessary updates to my overridden values, and run helmsman apply... again.

Of course, one can just combine them all into a single uber-YAML :smile:. But the harsh reality is, despite the fact that Kubernetes by design can and will apply this configuration asynchronously, and eventually cluster state will achieve the desired state, this “eventually” might be equal to infinity.

There are certain cases when order matters, for instance when new CRD definitions are added, and then new objects with that kind are declared.

Another aspect is complexity, which can be encapsulated by tools such as Helm. While Helm is a good solution for the problem of installing third-party apps, it’s not necessary a right choice for your own services, or for lightweight overall cluster configuration.

And one more thing. I enjoy the kubernetes architecture, even (and especially!) the fact that numerous abstractions are needed to “canonically” expose a single container to the rest of the world. But it doesn’t mean that I enjoy to break a DRY principle, and copy-paste-modify same YAMLs over and over.

So… Pulumi to the rescue!

Disclaimer: I like declarative configuration. I really do. There’s no need to think what can go wrong, or what needs to be done to the infrastructure to change it from the current to the desired state. You just declare the target state, and the system decides on it’s own the effective diff between the two. It’s not the case with Ansible, for instance. You have to explicitly describe all the changes. But the Ansible is so simple, so good and so predictive, that I keep using it for simple infrastructure configuration.

Bearing that in mind, I was looking for a tool that could be used to automate cluster configuration after provisioning:

• Apply numerous YAMLs or pseudo-YAMLs (good old kubernetes configs), and ideally refactor them by extracting common parts.
• Apply Helm charts.
• Extract configuration parameters (DNS names, IP addresses, secrets) and store them separately.

Alternatives

I’ve looked at different tools, and here’s what I disliked about them:

• Plain YAMLs. These are just unmanageable. And not DRY enough for me (Plus all the issues mentioned above). Even with kustomize. Even with kpt.
• Ansible. Uh… Thanks, but no, thanks. Not declarative enough for me :)
• Terraform. Now, here’s the thing about Terraform. I tried to like it, but I simply don’t. At this point in my life I don’t understand why yet-another-DSL should be used in a situation, where general-purpose programming language can be used. Especially taking into consideration, that some of these languages already have features that enable programmers to build DSL on top of them (think of Groovy or Kotlin). Real languages, with loops and conditions. With debuggers, code styles, test frameworks and all other features that mature development technologies provide. HCL is what I don’t like in Terraform. Sorry, it’s just my opinion. And yes, I super-enjoyed when Hashicorp folks made breaking changes to the syntax between 0.11 and 0.12 :disappointed:. It’s possible to migrate Kubernetes descriptors from YAML to HCL. I don’t think it’ll make them more DRY though. Probably more vendor-locked.
• Pulumi. I’ve heard about it on an episode of Kubernetes Podcast, and was happy to find same-minded developers :smiley:. Pulumi supports Python, Javascript, Typescript, and as of version 2 (released just days ago) also Go and .NET. Pulumi supports numerous cloud providers, and even have a Terraform bridge. In regards to Kubernetes, Pulumi claims to support declarative configuration via these programming languages, but also existing YAML descriptors and Helm charts.

Pulumi 101

Detailed explanation of how Pulumi works can be found on their website, but in a nutshell it’s simple:

1. Run a program written in general-purpose language using their SDK that will declare a desired state.
2. Compare it to the actual state stored by Pulumi (that state might actually be different from the actual state of the cluster, in which case you might need to pulumi refresh it).
3. Perform necessary operations (using K8s API Server) to ensure that actual state matches the desired state.
4. Store the new actual state.

Unfortunately, I am not coding day-to-day anymore, so I don’t have hands-on experience with either of languages supported by Pulumi, but Python and Go are on my todo list. When I’ve started looking at Pulumi, Go support was not in GA, hence choice was obvious: Python.

I was able to cover majority of my use cases at the end (all except Helm), and now I have 95% confidence (and already verified it) that I can configure a new cluster after spinning it up with a simple plan:

• Run Pulumi (configuration: skip CRDs)
• Deploy Helm charts (containing CRD definitions) with Helmsman
• Run Pulumi (configuration: enable CRDs)
• Do one small kubectl create / kubectl replace - more on that below

Pros & cons

Pulumi has the following pros to me (in regards to K8s handling):

• Real programming language support. Possibility to extract common parts to functions, and then reuse them.
• Open source. Free. Not vendor-locked to their backend. It is possible to use their SaaS backend, but it’s also possible to store the state locally or on self-managed backends (AWS S3, GCP GCS, Azure Blob). Same applies to secrets management: Pulumi SaaS, encrypted locally with AES-256-GCM, using cloud KMS (AWS, GCP, Azure) or Hashicorp Vault.
• YAML generation instead of applying changes to server. That’s a continuation of their awesomeness in fight with vendor lock-in! Not happy with Pulumi? Generate YAMLs and move on. Kudos to Pulumi team for the wise decision :bow:!
• YAML provisioning support (and even customization via transformations) - super-useful to provision existing external apps that don’t have Helm charts, or where Helm charts add unnecessary complexity (Fluent Bit, for instance).
• Automatic SDK generation from k8s OpenAPI. Very wise decision, allowing Pulumi to quickly become up-to-date with latest changes in spec.
• They provide a toolkit for automated infrastructure testing, but I haven’t tried it.
• Detailed documentation. Lots of examples for all supported languages, as well as API docs. Amazing.

And in my opinion these are the drawbacks (again, for K8s only):

• Auto-naming approach. That’s a design decision. I don’t like it, IMHO it’s a leaky abstraction (Resources from existing YAMLs or Helm charts are not auto-named), but it’s an easy fix: explicitly provide a name in metadata.name. And take responsiblity for potential clashes. But you should be doing that already :smiley:

• Helm support via local template rendering. Helm v2 was a painful experience (tiller and friends), but v3 made it a lot easier. And while kubernetes itself is moving apply to the server, helm moved it to the client. Wise decision for Helm IMHO, and now they can leverage native server-side k8s apply. In my opinion, Pulumi should’ve delegated underlying resource management to helm, but they made a decision to manage granular resources within Pulumi. In fact, Helm v3 support is identical to v2 (at least in Python), implemented with a single line:

    from ..v2.helm import *  # v3 support is identical to v2
  

  I don’t like the decision that Pulumi made, it’s not suitable to me:

  • There are problems with charts rendered via helm template, for instance lifecycle hooks are not supported (#555, #666), CRDs are not installed (#1023) etc.
  • It’s impossible to leverage the existing helm tooling for the installed releases, as helm won’t see them. What’s crucial to me is finding out updates to the installed charts, as helm whatup won’t work.
• Lack of first-class Namespace support. That one really makes me sad, but it’s also an easy fix: specify namespace name explicitly in metadata.namespace. However, in my opinion that should be handled in a different way by Pulumi, providing better abstraction, as that’s a crucial object within Kubernetes.
• No type hinting for Kubernetes objects in Python. It looks like they’ve implemented it for Go, but in Python it’s all lists and dicts in metadata, spec and everywhere else. Pulumi converts canonical Python snake_case to Kubernetes camelCase and vice versa, but that’s about it. Other than that - you’re on your own. And as far as I can tell, Pulumi does not (or at least did not, as of v1) perform validation against an OpenAPI spec. I remember seeing errors while objects with misspelled properties were applied.

My Pulumi Infrastructure as Code

• Separate stacks for k8s clusters
• Python
• GCP GCS for state storage (recently replaced with local due to #4258)
• Locally encrypted secrets with passphrase provided via PULUMI_CONFIG_PASSPHRASE
• Helm managed outside of Pulumi. Flag in Pulumi Config that enables provisioning of CRDs that depends on definitions from Helm charts.
• YAML files for third-party services (Fluent Bit, K8s dashboard) stored as resources and applied via pulumi_kubernetes.ConfigFile with transformations
• Grafana dashboards ConfigMaps generated as YAML files by a separate provider and applied manually (workaround for #1048)

Issues

Pulumi is a relatively new tool, and probably not as popular as Terraform. It has certain issues, but none are critical for me. Trying to be a good citizen, I’ve at least documented them on Github.

1. Lack of native Helm 3 support. As I’ve mentioned before, that’s a design decision. As a result I am just using another tool for helm charts management.

2. Resources with long manifests cannot be created due to too long last-applied-configuration annotation. That’s not an issue of Pulumi per se, rather the one of kubectl apply. However, due to that issue I am currently unable to provision ConfigMaps with Grafana Dashboards.

   Workaround (also described in the Github issue):

   • separate provider generating YAML
   • Python script removing kubectl.kubernetes.io/last-applied-configuration annotation
   • kubectl create or kubectl replace
3. “Released” PersistentVolumes with Reclaim Policy “Retain” are not recreated. They have to be manually removed and re-created by pulumi (after pulumi refresh)
4. Resource getter function does not work for CustomResourceDefinition. Again, workaround in the issue.
5. Allow conditional resource creation depending on existence of external resources. Not Kubernetes-specific, hence marked as a duplicate to #3364

GCP GCS state storage issue

One more issue I’ve suffered from recently - rate limit errors for GCS bucket (#4258).

Symptoms in logs:

kubernetes:core:Secret (kubernetes-dashboard/kubernetes-dashboard-csrf):
error: pre-step event returned an error: failed to save snapshot: An IO error occurred during the current operation: blob (key ".pulumi/stacks/dev.json") (code=Unknown): googleapi: Error 429: The rate of change requests to the object /path/to/code/.pulumi/stacks/dev.json exceeds the rate limit. Please reduce the rate of create, update, and delete requests., rateLimitExceeded

kubernetes:core:Endpoints (XXX):
error: pre-step event returned an error: failed to save snapshot: An IO error occurred during the current operation: blob (key ".pulumi/stacks/dev.json") (code=Unknown): googleapi: Error 429: The rate of change requests to the object /path/to/code/.pulumi/stacks/dev.json exceeds the rate limit. Please reduce the rate of create, update, and delete requests., rateLimitExceeded

pulumi:pulumi:Stack (YYY-dev):
error: update failed

Current workaround: migrated to local storage.

Conclusion

All in all, I am extremely happy with Pulumi. I use it for all provisioning except Helm charts.

And I know for sure, if for some reason I’d want to move off from it, it would be as simple as configuring K8s provider to generate YAML descriptors. And that’s one of the best design decisions for such tool.

10000ft Overview

From the high level perspective it looks like this:

• External DNS configuration to point to the ISP-owned IP of my router (either using static IP or via DynDNS).
• Router configuration, one of the following:
  • OpenWRT router has HAProxy 2, which is configured to route clients supporting SNI either to K8s or to other targets (this is my case).
  • Simple port forwarding to route TCP traffic on port 443 to proper destination.
• K8s LoadBalancer (MetalLB) that would propagate custom IP address to the router. This allows scheduling LB on different nodes and failover.
• External and Internal Ingress Controller (Nginx) that would take care of k8s Ingress objects and create LoadBalancer services via MetalLB.
• OAuth2 Proxy configured in Nginx Ingress as external auth (for externally exposed services)
• K8s CoreDNS pointing to router DNS instead of Google DNS to allow inter-service communication via LAN (useful for Nginx <-> OAuth2 Proxy, for example)
• Cert Manager requesting SSL certificates that are used by Ingress Controller

User request (assuming HTTPS traffic to K8s service using client supporting SNI) originating from the Internet is routed via:

• External DNS pointing to the router IP
• HAProxy 2
• LAN IP address associated with external MetalLB LoadBalancer associated with MAC address of one of the nodes network card
• kube-proxy spreading traffic between one of metallb-speakers
• Nginx with proper SSL certificates performs SSL termination
• Nginx performs authentication via OAuth2 Proxy (K8s CoreDNS uses OpenWRT DNS to lookup the IP address, and then request is forwarded (again) via MetalLB and nginx)
• Service and Pod networking do their magic
• HTTP traffic finally reaches the pod

OpenWRT

HAProxy

OpenWRT router is configured with HAProxy 2 listening on port 443 with SNI configuration allowing to proxy certain domain names to Kubernetes, while other to another target.

If Kubernetes (on a single IP) is the only destination, simple port forwarding can be used instead.

Here’s snippet of HAProxy config, including web UI and prometheus metrics:

global
    daemon

defaults
    timeout client 30s
    timeout server 30s
    timeout connect 5s

frontend ft_ssl
  bind :443
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  acl k8s_app_1 req_ssl_sni -i app1.k8s.example.com
  acl k8s_app_2 req_ssl_sni -i app2.k8s.example.com

  use_backend bk_ssl_k8s_x64 if k8s_app_1
  use_backend bk_ssl_k8s_x64 if k8s_app_2

  default_backend bk_ssl_non_k8s

  # K8s x64
backend bk_ssl_k8s_x64
  mode tcp
  balance roundrobin
  stick-table type binary len 32 size 30k expire 30m
  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello
  tcp-response content accept if serverhello
  stick on payload_lv(43,1) if clienthello
  stick store-response payload_lv(43,1) if serverhello
  option ssl-hello-chk
  server k8s-x64-node1 192.168.0.3:443 check
  #server k8s-x64-node2 192.168.0.4:443 check

backend bk_ssl_non_k8s
  mode tcp
  balance roundrobin
  stick-table type binary len 32 size 30k expire 30m
  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello
  tcp-response content accept if serverhello
  stick on payload_lv(43,1) if clienthello
  stick store-response payload_lv(43,1) if serverhello
  option ssl-hello-chk
  server non_k8s 192.168.0.2:443

listen stats
    bind *:1936
    http-request use-service prometheus-exporter if { path /metrics }
    mode http
    stats enable
    stats uri /
    stats refresh 10s

Internal DNS

Router’s DNS is used to avoid routing traffic with both source and destination within the LAN. It maps hostnames to the IP addresses of Kubernetes ingress services (type: LoadBalancer).

uci add dhcp domain
uci set dhcp.@domain[-1].name='app1.k8s.example.com'
uci set dhcp.@domain[-1].ip='192.168.0.3'

uci add dhcp domain
uci set dhcp.@domain[-1].name='app2.k8s.example.com'
uci set dhcp.@domain[-1].ip='192.168.0.3'

uci commit
luci-reload
service dnsmasq restart

Kubernetes

I was not a huge fan of Helm 2, especially due to the Tiller component. But also due to many charts using outdated apiVersion in their templates, but now as K8s API became much more mature, I am enjoying Helm 3 instead. That’s why most of the services in this post are deployed via Helm.

Kubespray config

Several Kubespray configuration options have to be adjusted to make this setup working.

One is related to configure Kubernetes DNS to use OpenWRT DNS as an upstream instead of Google DNS.

Another one is about enabling scheduling on a master node of my two-node cluster.

Also, I used this as a chance to convert inventory to YAML, which allows me to configure node labels :)

Additionally, I’ve configured several components to expose their metrics in Prometheus format.

Inventory:

all:
  hosts:
    nuc:
      ansible_host: 192.168.0.10
      ansible_user: core
      etcd_member_name: nuc5ppyh
      node_labels: {'disktype': 'hdd', 'cputype': 'pentium'}

    udoo:
      ansible_host: 192.168.0.11
      ansible_user: core
      node_labels: {'disktype': 'ssd', 'cputype': 'celeron'}

  children:
    etcd: {hosts: {nuc: {}}}
    k8s-cluster:
      children:
        kube-master: {hosts: {nuc: {}}}
        # Master node must be included into kube-node to avoid NoSchedule taint
        kube-node: {hosts: {nuc: {}, udoo: {}}}

Configuration:

## Upstream dns servers
upstream_dns_servers:
 - 192.168.0.1
# - 8.8.8.8
# - 8.8.4.4

## Prometheus metrics
# The IP address and port for the metrics server to serve on
# (set to 0.0.0.0 for all IPv4 interfaces and `::` for all IPv6 interfaces)
kube_proxy_metrics_bind_address: 0.0.0.0:10249

calico_felix_prometheusmetricsenabled: true
calico_felix_prometheusmetricsport: 9091
calico_felix_prometheusgometricsenabled: true
calico_felix_prometheusprocessmetricsenabled: true

Here’s quick way to verify that changes were correctly applied:

# Checking labels
kubectl get node --show-labels

# Checking that NoSchedule was removed from master
kubectl get nodes -o json | jq '.items[].spec.taints'

# Checking that K8s DNS uses local DNS as an upstream
kubectl -nkube-system get cm coredns -oyaml | grep upstream
kubectl -nkube-system get cm nodelocaldns -oyaml | grep forward

# Checking that Prometheus metrics are accessible
kubectl -n kube-system get cm kube-proxy -oyaml | grep metricsBindAddress
curl 192.168.0.10:9091/metrics
curl 192.168.0.11:9091/metrics

MetalLB

MetalLB is an awesome little load balancer implementation for both enthusiasts (like myself) and serious production deployments running on bare metal.

I neither have fancy hardware to support BGP, nor actually need it.

Layer 2 (ARP) mode and proxying all the traffic using single node (with an automatic failover, thanks to ARP!) works for me!

Without further ado, here’s my Helm 3 configuration for MetalLB. It matches IP addresses that I use for OpenWRT internal DNS, as well as for HAProxy configuration. That’s the key :smile:

configInline:
  address-pools:
  # Used in HAProxy and internal DNS, for services accessible from Internet
  - name: external
    protocol: layer2
    addresses:
    - 192.168.0.3/32

  # Used only in internal DNS, for services accessible from LAN only
  - name: internal
    protocol: layer2
    addresses:
    - 192.168.0.5/32

# Of course, Prometheus!
prometheus:
  serviceMonitor:
    enabled: true
  prometheusRule:
    enabled: true

Nginx Ingress Controller

Nginx Ingress Controller have to be configured to create proper LoadBalancer service, and Ingress objects must map to proper ingress controller and include Authn configuration.

Here’s Helm configuration for external Nginx Ingress (keep an eye on MetalLB annotation!):

controller:
  name: controller-external
  electionID: ingress-controller-external-leader
  ingressClass: nginx-external
  kind: DaemonSet
  service:
    omitClusterIP: true
    annotations:
      metallb.universe.tf/address-pool: external
  metrics:
    enabled: true
    service:
      omitClusterIP: true

defaultBackend:
  service:
    omitClusterIP: true

Here’s sample Ingress object leveraging Nginx Ingress external OAuth support and SSL certificates managed via Cert Manager:

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: app1
  namespace: app1
  annotations:
    kubernetes.io/ingress.class: "nginx-external"
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
spec:
  tls:
    - hosts:
        - app1.k8s.example.com
      secretName: tls-app1
  rules:
    - host: app1.k8s.example.com
      http:
        paths:
          - backend:
              serviceName: app1
              servicePort: 80
            path: /

OAuth2 Proxy

OAuth2 Proxy is another wonderful service transparently enabling OAuth2 for applications that don’t support it natively. It works great with Nginx Ingress too.

Helm configuration:

config:
  clientID: "app1-cid"
  clientSecret: "app1-csec"
  # openssl rand -base64 32 | head -c 32
  cookieSecret: "cookieMonsterAteTheSecret"
  configFile: |-
    provider = "foooo"
    upstream = "file:///dev/null"
    footer = "-"

ingress:
  enabled: true
  path: /oauth2
  hosts:
  - app1.k8s.example.com
  annotations:
    kubernetes.io/ingress.class: "nginx-external"
  tls:
  - secretName: tls-app1
    hosts:
    - app1.k8s.example.com

Conclusion

That’s about it, folks. Now I can easily and (more or less) securely access my k8s services from both LAN and Internet using the same host names, proper SSL certificates and OAuth 2 support.

Aside this sad fact, that small PC have decent specs, including 4 gigs of RAM, which makes it a good candidate for a single-node ElasticSearch cluster. I have to collect logs from my Kubernetes cluster somewhere, right?

Unfortunately, Elastic dropped an official i586 support long time ago, which totally makes sense from commercial perspective.

Well, thanks to Debian and Java we still can run ElasticSearch on top of 32-bit Linux!

This tutorial is written for ElasticSearch OSS v7.5.1, and might not work for newer versions, as source code might change!

I’ve chosen official deb OSS distribution w/o JVM over tar.gz and commercial because:

• Deb has convenient integration with systemd and follows Debian conventions for files and directories.
• I don’t plan on using any additional components from the commercial distribution, and don’t want to unintentionally break any license for modifications required to run ES on 32-bit OS.
• Bundled JVM is 64-bit, thus it’s of no use to me.

First things first, we need to prepare our OS:

# I know, it's bad practice
sudo -i
export ES_VERSION=7.5.1

apt install -y openjdk-11-jdk seccomp
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-${ES_VERSION}-no-jdk-amd64.deb
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-i386
dpkg --force-all -i elasticsearch-oss-${ES_VERSION}-no-jdk-amd64.deb

After this installation you’ll get the similar message once you try using apt again:

[...]
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
elasticsearch : Depends: libc6 but it is not installable
[...]

In order to fix it you need to modify /var/lib/dpkg/status: search for elasticsearch and remove depends: libc6.

Now the next (and most important) trick: enable 32-bit support in ElasticSearch itself. Even though it’s written in Java (which is cross-platform), it uses certain native bindings.

Minor change should be applied to a single class, SystemCallFilter:

diff --git a/server/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java b/server/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java
index 59f8bd5daf7..6a6b360726e 100644
--- a/server/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java
+++ b/server/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java
@@ -243,6 +243,7 @@ final class SystemCallFilter {
         Map<String,Arch> m = new HashMap<>();
         m.put("amd64", new Arch(0xC000003E, 0x3FFFFFFF, 57, 58, 59, 322, 317));
         m.put("aarch64",  new Arch(0xC00000B7, 0xFFFFFFFF, 1079, 1071, 221, 281, 277));
+        m.put("i386",  new Arch(0x40000003, 0xFFFFFFFF, 2, 190, 11, 358, 354));
         ARCHITECTURES = Collections.unmodifiableMap(m);
     }

I am doing it on my macOS, which compiles Java much faster. Save systemcallfilter-i386.patch and navigate shell to the same directory (replace <elasticsearch-host> with your ES hostname):

export ES_VERSION=7.5.1

# Prepare build environment
curl -s "https://get.sdkman.io" | bash
sdk list java
sdk install java 12.0.2-open
sdk use java 12.0.2-open

# Clone the repo, apply the patch
git clone https://github.com/elastic/elasticsearch.git
cd elasticsearch
git checkout v${ES_VERSION}
git apply ../systemcallfilter-i386.patch

# Download the whole internet to compile a single class
./gradlew clean compileJava

# Copy compiled class and replace it in the existing JAR
mkdir -p ../org/elasticsearch/bootstrap
cp server/build/classes/java/main/org/elasticsearch/bootstrap/SystemCallFilter.class ../org/elasticsearch/bootstrap
cd ..
scp <elasticsearch-host>:/usr/share/elasticsearch/lib/elasticsearch-${ES_VERSION}.jar .
cp elasticsearch-${ES_VERSION}.jar elasticsearch-${ES_VERSION}.jar.bak
# https://stackoverflow.com/questions/1667153/updating-class-file-in-jar
jar -uf elasticsearch-${ES_VERSION}.jar org/elasticsearch/bootstrap/SystemCallFilter.class

# Copy modified JAR back to the i586 host
scp elasticsearch-${ES_VERSION}.jar <elasticsearch-host>:/tmp

Now we can continue (in the same shell with sudo and ES_VERSION):

# Replacing the ElasticSearch jar with the patched one
mv /tmp/elasticsearch-${ES_VERSION}.jar /usr/share/elasticsearch/lib/

# Replacing stripped JNA bindings (w/o i586 support) with the full, original version
wget -O /usr/share/elasticsearch/lib/jna-4.5.1.jar https://github.com/java-native-access/jna/raw/4.5.1/dist/jna.jar

# Using system JVM
echo "JAVA_HOME=/usr/lib/jvm/java-11-openjdk-i386" >> /etc/default/elasticsearch

# Configuring ElasticSearch single node to act as production-ready cluster
echo "network.host: 0.0.0.0" >> /etc/elasticsearch/elasticsearch.yml
echo "discovery.type: single-node" >> /etc/elasticsearch/elasticsearch.yml
echo "-Des.enforce.bootstrap.checks=true" >> /etc/elasticsearch/jvm.options

# Using half of memory for JVM heap, per official recommendation. Another part would be used for file system cache
sed -Ei 's/^-Xms.*/-Xms2g/g' /etc/elasticsearch/jvm.options
sed -Ei 's/^-Xmx.*/-Xmx2g/g' /etc/elasticsearch/jvm.options

systemctl enable elasticsearch.service
systemctl start elasticsearch.service

cat /var/log/elasticsearch/elasticsearch.log

# Checking file descriptors: https://www.elastic.co/guide/en/elasticsearch/reference/current/file-descriptors.html
curl localhost:9200/_nodes/stats/process?filter_path=**.max_file_descriptors

# And finally:
curl localhost:9200

Bingo! It’s up and running in no time.

Just remember, in order to upgrade to the new ES version you have to:

1. Download fresh deb file & install it.
2. Modify /var/lib/dpkg/status to get rid of unmet apt dependency
3. Check if SystemCallFilter in your particular release (v7.5.1 in this case) has changed. master branch is already different, so it’s just a matter of time.
4. Re-compile SystemCallFilter.java if necessary (after applying patch)
5. Re-package elasticsearch-*.jar with the patched SystemCallFilter.class
6. Check if /usr/share/elasticsearch/lib/jna-*.jar has changed (maybe version was bumped), and replace it with the proper full version

Now it’s time to finally install Kubernetes on them!

Kubespray is an official tool for deploying a Production-Ready Kubernetes cluster on wide variety of infrastructure, including bare metal. It is based on Ansible, and uses kubeadm under the hood (if I’m not mistaken).

I’ve used v2.10.4, which was latest as of time I’ve written this post. Personally, I configured it as a submodule to my git repo with custom configs, but it could be just downloaded from a tag, and used independently of git.

Quickstart usage commands are available on it’s website, and I won’t repeat them. However, I’d like to emphasize that you should use an Ansible from kubespray’s requirements.txt instead of latest & greatest from your package manager. It turns out, that Ansible sometimes breaks backward compatibility or introduces bugs, which break kubespray. It happend to me twice (in 2018 and in 2019), and both times Ansible pinned to Kubespray worked like a charm.

CoreOS is supported, and main cluster.yml playbook even auto-detects CoreOS and sets proper defaults, however other playbooks (such as reset.yml) don’t support them. Following changes worked for me, when I’ve configured, and then tore down the cluster multiple times.

Configuration

diff --git a/k8s/inventory-x64/group_vars/all/all.yml b/k8s/inventory-x64/group_vars/all/all.yml
index 4b45b66..d16c4c2 100644
--- a/k8s/inventory-x64/group_vars/all/all.yml
+++ b/k8s/inventory-x64/group_vars/all/all.yml
@@ -3,7 +3,9 @@
 etcd_data_dir: /var/lib/etcd

 ## Directory where the binaries will be installed
-bin_dir: /usr/local/bin
+bin_dir: /opt/bin
+
+ansible_python_interpreter: /opt/bin/python

 ## The access_ip variable is used to define how other nodes should access
 ## the node.  This is used in flannel to allow other flannel nodes to see
@@ -39,9 +41,9 @@ loadbalancer_apiserver_healthcheck_port: 8081
 # kubelet_load_modules: false

 ## Upstream dns servers
-# upstream_dns_servers:
-#   - 8.8.8.8
-#   - 8.8.4.4
+upstream_dns_servers:
+ - 8.8.8.8
+ - 8.8.4.4

 ## There are some changes specific to the cloud providers
 ## for instance we need to encapsulate packets with some network plugins
diff --git a/k8s/inventory-x64/group_vars/k8s-cluster/k8s-cluster.yml b/k8s/inventory-x64/group_vars/k8s-cluster/k8s-cluster.yml
index b2bfdf0..dcd9fcc 100644
--- a/k8s/inventory-x64/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/k8s/inventory-x64/group_vars/k8s-cluster/k8s-cluster.yml
@@ -124,7 +124,7 @@ kube_encrypt_secret_data: false

 # DNS configuration.
 # Kubernetes cluster name, also will be used as DNS domain
-cluster_name: cluster.local
+cluster_name: your_cluster_name.local
 # Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods
 ndots: 2
 # Can be coredns, coredns_dual, manual or none
@@ -136,7 +136,7 @@ enable_nodelocaldns: true
 nodelocaldns_ip: 169.254.25.10

 # Can be docker_dns, host_resolvconf or none
-resolvconf_mode: docker_dns
+resolvconf_mode: host_resolvconf
 # Deploy netchecker app to verify DNS resolve as an HTTP service
 deploy_netchecker: false
 # Ip address of the kubernetes skydns service
@@ -175,9 +175,9 @@ dynamic_kubelet_configuration_dir: "{{ kubelet_config_dir | default(default_kube
 podsecuritypolicy_enabled: false

 # Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts
-# kubeconfig_localhost: false
+kubeconfig_localhost: true
 # Download kubectl onto the host that runs Ansible in {{ bin_dir }}
 # kubectl_localhost: false

Couple notes about those changes:

• You need to specify upstream_dns_servers, otherwise DNS resolution won’t work, and Kubespray will even fail to download containers to bootstrap the cluster. The issue #2831 was reported in kubespray about that (but closed unresolved due to inactivity).
• I prefer changing cluster_name to something meaningful. Pick your own name for a pet cluster :pig:

My inventory file is pretty straightforward. My cluster doesn’t have HA for K8s master and etcd, as it has just 2 nodes.

nuc ansible_host=192.168.0.10 ansible_user=core etcd_member_name=nuc5ppyh
udoo ansible_host=192.168.0.11 ansible_user=core

[kube-master]
nuc

[etcd]
nuc

[kube-node]
udoo

[k8s-cluster:children]
kube-master
kube-node

Cluster provisioning

Provisioning requires just a single command, but prepare for a long process :clock1:

ansible-playbook -i inventory-x64/inventory.ini kubespray-x64/cluster.yml -b -v > install.log

-b stands for become, which means sudo to CoreOS nodes in our case, while -v produces a verbose output to the install.log file. If cluster provisioning fails, look at the last lines of this log file.

Once provisioning is completed, copy artifacts/admin.conf to ~/.kube/config file and install kubectl on your machine.

Now (hopefully) you have a running cluster, and you can verify it by invoking some kubectl commands:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T14:25:20Z", GoVersion:"go1.12.7", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3", GitCommit:"5e53fd6bc17c0dec8434817e69b04a25d8ae0ff0", GitTreeState:"clean", BuildDate:"2019-06-06T01:36:19Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

$ kubectl cluster-info
Kubernetes master is running at https://192.168.0.10:6443
coredns is running at https://192.168.0.10:6443/api/v1/namespaces/kube-system/services/coredns:dns/proxy
kubernetes-dashboard is running at https://192.168.0.10:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

$ kubectl get nodes
NAME   STATUS   ROLES    AGE   VERSION
nuc    Ready    master   28d   v1.14.3
udoo   Ready    <none>   28d   v1.14.3

$ kubectl get all --all-namespaces
NAMESPACE     NAME                                           READY   STATUS    RESTARTS   AGE
kube-system   pod/calico-kube-controllers-79c7fd7f68-cshvb   1/1     Running   3          28d
kube-system   pod/calico-node-bzc7t                          1/1     Running   3          28d
kube-system   pod/calico-node-sr6x8                          1/1     Running   3          28d
kube-system   pod/coredns-56bc6b976d-2zslx                   1/1     Running   3          28d
kube-system   pod/coredns-56bc6b976d-p9jql                   1/1     Running   3          28d
kube-system   pod/dns-autoscaler-5fc5fdbf6-f4zq7             1/1     Running   3          28d
kube-system   pod/kube-apiserver-nuc                         1/1     Running   4          28d
kube-system   pod/kube-controller-manager-nuc                1/1     Running   4          28d
kube-system   pod/kube-proxy-6xnwn                           1/1     Running   3          28d
kube-system   pod/kube-proxy-pqfcw                           1/1     Running   3          28d
kube-system   pod/kube-scheduler-nuc                         1/1     Running   4          28d
kube-system   pod/kubernetes-dashboard-6c7466966c-lmh72      1/1     Running   4          28d
kube-system   pod/nginx-proxy-udoo                           1/1     Running   3          28d
kube-system   pod/nodelocaldns-7pfm2                         1/1     Running   3          28d
kube-system   pod/nodelocaldns-k8kll                         1/1     Running   3          28d


NAMESPACE     NAME                           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGE
default       service/kubernetes             ClusterIP   10.233.0.1     <none>        443/TCP                  28d
kube-system   service/coredns                ClusterIP   10.233.0.3     <none>        53/UDP,53/TCP,9153/TCP   28d
kube-system   service/kubernetes-dashboard   ClusterIP   10.233.5.252   <none>        443/TCP                  28d

NAMESPACE     NAME                          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
kube-system   daemonset.apps/calico-node    2         2         2       2            2           <none>                        28d
kube-system   daemonset.apps/kube-proxy     2         2         2       2            2           beta.kubernetes.io/os=linux   28d
kube-system   daemonset.apps/nodelocaldns   2         2         2       2            2           <none>                        28d

NAMESPACE     NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
kube-system   deployment.apps/calico-kube-controllers   1/1     1            1           28d
kube-system   deployment.apps/coredns                   2/2     2            2           28d
kube-system   deployment.apps/dns-autoscaler            1/1     1            1           28d
kube-system   deployment.apps/kubernetes-dashboard      1/1     1            1           28d

NAMESPACE     NAME                                                 DESIRED   CURRENT   READY   AGE
kube-system   replicaset.apps/calico-kube-controllers-79c7fd7f68   1         1         1       28d
kube-system   replicaset.apps/coredns-56bc6b976d                   2         2         2       28d
kube-system   replicaset.apps/dns-autoscaler-5fc5fdbf6             1         1         1       28d
kube-system   replicaset.apps/kubernetes-dashboard-6c7466966c      1         1         1       28d

Long story short, it’s Kubernetes v1.14.3 with the following components:

• Calico for pod networking
• CoreDNS as Kubernetes DNS server
• Nginx as proxy to API Server for worker nodes (makes it available on localhost:6443), and is called a localhost loadbalancing in Kubespray docs.
• Kubernetes web-based dashboard

One important thing we’re missing is an Ingress for an external acces to cluster, but we’ll configure it next time.

Why not in cloud? Kubernetes in cloud is still expensive if it’s just for fun. And I have a couple mini computers at home, as well as desire to look how Kubernetes works on the network layer.

I was never satisfied with “fat” Linux distributions for running containers, and didn’t want to configure OS auto upgrades. Trying out CoreOS Container Linux sounded like a natural fit for my little pets.

Upd 2020-04-23: I have migrated to Flatcar Container Linux, which is more or less a drop-in replacement for CoreOS Container Linux

Anyway, I’ve decided to start with this:

• Hardware
  • Intel NUC5PPYH
  • UDOO x86 (I have the first version)
• Software
  • CoreOS Container Linux
  • Kubespray v2.10.4

Hardware

I have two x64 mini computers, which are good candidates for Kubernetes nodes. They are not equal, but powerful enough. And they are unique to me, not only because they’re so different :cat:

That’s why I still treat them as pets, not cattle.

Image from StackExchange

One of them is called Nuc, and it’s breed is Intel NUC5PPYH.

Image from Amazon

According to spec, it has 4-core Pentium N3700 and supports up to 8Gb RAM. Mine has 8Gb RAM and 1Tb HDD.

Another one responds to Udoo, and it’s breed is Udoo x86 (first version from Kickstarter).

Image from Kickstarter

My edition is called UDOO X86 Advanced, and it has 4-core Celeron N3160, as well as 4Gb of RAM, but rather small 8Gb eMMC.

Both processors are quite similar in their performance, but Nuc has twice the memory and larger (but slower) HDD.

CoreOS installation

Both pets have Ethernet port, and I prefer stable wired connection with DHCP address reservation configured to their MAC addresses. But here’s the thing, it’s either Ethernet or monitor in my apartment :smile:. I had to choose either to plug the physical screen or the network. This somewhat drove the approach I’ve used for OS installation.

I’ve used two USB drives:

• One with the latest stable CoreOS ISO flashed by Balena Etcher. This ISO would be used to boot the CoreOS and run coreos-install.
• Another with couple of goodies:
  • Latest stable coreos_production_image.bin.bz2 (not to be confused with the ISO). That would be actually an image that is installed on the machine.
  • ignition.json, a CoreOS config file consumable by coreos-install.

Here’s the process I’ve followed to install the OS:

• Generate a hash from the password:
  • mkpasswd --method=SHA-512 --rounds=4096 should be used, as shown in an example
  • I’m using the password for authentication as an alternative to SSH pubkey to log into the machine interactively, while it’s still connected to the screen, not network.
• Write ignition.yaml, a human-readable version of CoreOS config file that contains:
  • Password hash
  • SSH pubkeys
  • CoreOS autoupdate strategy
• I store my ignition.yaml in the repo (without password hash and pubkey) as a reference, but CoreOS installer uses another config format, which is a less-readable json. Latest Config Transpiler should be downloaded to create the JSON config: ct < ignition.yaml > ignition.json. There’s even a validation service to check that config is well-formed.
• Resulting config is written to a USB drive (different from the one where bootable ISO is flashed), alongside with the bin.bz2 image.
• After computer is booted from the CoreOS ISO run the installation command: coreos-install -d /dev/target-disk -i /path/to/ignition.json -f /path/to/image.bin.bz2, where:
  • target-disk is the disk where CoreOS should be installed (disk, not a partition). CoreOS will erase the entire disk and create a new partition table.
  • /path/to is path to the second USB drive (previously needs to be mount‘ed), containing both the image & ignition config.

Here’s my ignition.yaml config:

# Replace <PWD_HASH> with the password hash (or remove line if it's not necessary)
# Replace <SSH_PUBKEY> with the SSH public key. Add as many as you wish
# Download Config Transpiler: https://github.com/coreos/container-linux-config-transpiler/releases/latest
# Run ct < ignition.yaml > ignition.json to generate the resulting config
passwd:
  users:
    - name: core
      # https://coreos.com/os/docs/latest/clc-examples.html#generating-a-password-hash
      # mkpasswd --method=SHA-512 --rounds=4096
      password_hash: "<PWD_HASH>"
      ssh_authorized_keys:
        - <SSH_PUBKEY>
update:
  group: stable
locksmith:
  reboot_strategy: reboot

If you’re lucky, then CoreOS would be installed on your machine. You can login either with the password, or an SSH key. It doesn’t have much services installed, and there isn’t any package manager to install more. The idea is to spin up containers to do the work.

And the next step would be Kubernetes installation to run containers at scale.