k8s cluster updated to 1.13.5 with RBAC activated. Docs and some conf…

…ig files updated
PyAr · Jun 4, 2019 · a762ca4 · a762ca4
1 parent a78a2d8
commit a762ca4
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 38 deletions.
diff --git a/docs/k8s.md b/docs/k8s.md
@@ -10,11 +10,11 @@
 ## Crear el cluster de k8s
 
 ```bash 
-az aks create -g pyar-infra -n flying-circus \
+az aks create -g pyar-infra -n flying-circus-v2 \
                 --node-count 3 \
                 --node-vm-size Standard_B2s \
-                -k 1.11.1 --disable-rbac \
-                --dns-name-prefix flying-circus \
+                -k 1.13.5 \
+                --dns-name-prefix flying-circus-v2 \
                 -l eastus \
                 --ssh-key-value .ssh/[email protected] 
 ```
@@ -25,7 +25,7 @@ El tamaño de las VMs y la zona las seleccioné buscando la combinación más ec
 Una vez creado el cluster hay que configurar `kubectl` para que se conecte: 
 
 ```bash 
-az aks get-credentials --resource-group pyar-infra --name flying-circus
+az aks get-credentials --resource-group pyar-infra --name flying-circus-v2
 ```
 
 Testear ejecutando 
@@ -38,6 +38,22 @@ kubectl get nodes
 
 `helm init`
 
+### Configurar permisos (RBAC) para Tiller (helm server side)
+
+
+More at: https://helm.sh/docs/using_helm/#role-based-access-control
+
+```bash 
+# create service account
+kubectl create serviceaccount tiller --namespace kube-system
+# create ClusterRoleBinding 
+kubectl create -f k8s/tiller-clusterrolebinding.yaml
+# upgrade helm 
+helm init --service-account tiller --upgrade
+# test it 
+helm ls
+```
+
 ## crear secretos 
 
 >  (:warning: no están en el repo)
@@ -63,38 +79,54 @@ kubectl apply -f /path/to/secrets/files/
 
 Detalles en: https://docs.microsoft.com/en-us/azure/aks/ingress
 
+
+- crear namespace 
+`kubectl create namespace ingress-basic`
+
 - instalar nginx-ingress 
 
 ```bash 
-helm install stable/nginx-ingress --namespace kube-system\
-                                  --set rbac.create=false\
-                                  -f values/production/nginx-ingress.yaml\
-                                  --name production-nginx-ingress
+helm install stable/nginx-ingress \
+    --name production-nginx-ingress \
+    --namespace ingress-basic \
+    --set controller.replicaCount=2 \
+    -f values/production/nginx-ingress.yaml\
 ```
 
+- opcional, ejecutar este paso: https://docs.microsoft.com/en-us/azure/aks/ingress-tls#configure-a-dns-name
+
+
 - instalar cert-manager 
 
 ```bash
-helm install --name prod-cert-manager stable/cert-manager \
-             --set ingressShim.defaultIssuerName=letsencrypt-prod \
-             --set ingressShim.defaultIssuerKind=ClusterIssuer \
-             --set rbac.create=false \
-             --set serviceAccount.create=false
-```
+# Install the CustomResourceDefinition resources separately
+kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml
 
-- Cear CA cluster issuer 
+# Create the namespace for cert-manager
+kubectl create namespace cert-manager
 
-```bash 
-kubectl create -f letsencrypt/cluster-issuer.yaml
-```
+# Label the cert-manager namespace to disable resource validation
+kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
 
-- Crear certificados 
+# Add the Jetstack Helm repository
+helm repo add jetstack https://charts.jetstack.io
 
-```bash 
-kubectl create -f letsencrypt/certificates.yaml
+# Update your local Helm chart repository cache
+helm repo update
+
+# Install the cert-manager Helm chart
+helm install \
+  --name cert-manager \
+  --namespace cert-manager \
+  --version v0.8.0 \
+  jetstack/cert-manager
 ```
 
+- Cear CA cluster issuer 
 
+```bash 
+kubectl create -f k8s/letsencrypt/cluster-issuer.yaml
+```
 ## Hints:
 
 - Una vez que k8s esta funcionando se puede continuar con los pasos detallados en README.md para cada proyecto. 

diff --git a/k8s/configure_ingress_https.sh b/k8s/configure_ingress_https.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+alias az='fades -p python3.6 -d azure-cli -x az'
+# Public IP address of your ingress controller
+IP="52.168.19.255"  # WARNING!!! UPDATE WITH THE CLUSTER IP
+
+# Name to associate with public IP address
+DNSNAME="redirecter.python.org.ar"
+
+# Get the resource-id of the public ip
+PUBLICIPID=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$IP')].[id]" --output tsv)
+
+# Update public ip address with DNS name
+az network public-ip update --ids $PUBLICIPID --dns-name $DNSNAME
diff --git a/letsencrypt/cluster-issuer.yaml → k8s/letsencrypt/cluster-issuer.yaml b/letsencrypt/cluster-issuer.yaml → k8s/letsencrypt/cluster-issuer.yaml
@@ -2,6 +2,7 @@ apiVersion: certmanager.k8s.io/v1alpha1
 kind: ClusterIssuer
 metadata:
   name: letsencrypt-prod
+  namespace: ingress-basic
 spec:
   acme:
     server: https://acme-v02.api.letsencrypt.org/directory

diff --git a/k8s/tiller-clusterrolebinding.yaml b/k8s/tiller-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: tiller-clusterrolebinding
+subjects:
+- kind: ServiceAccount
+  name: tiller
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: ""
diff --git a/letsencrypt/certificates.yaml b/letsencrypt/certificates.yaml
diff --git a/values/production/eventol.yaml b/values/production/eventol.yaml
@@ -51,6 +51,7 @@ env:
   EMAIL_FROM: [email protected]
   DEFAULT_FROM_EMAIL: [email protected]
   EMAIL_BACKEND: 'django.core.mail.backends.smtp.EmailBackend'
+  PSQL_OPTIONS_SSL: 'require'
 
 mediafiles:
   path: /usr/src/app/eventol/media