
Create and use ConfigMap in Kubernetes With Diagram

Create ConfigMap from YAML file

Create and use configmap from single values

kubectl create configmap cm1 --from-literal=myval1=10000

That creates a ConfigMap named cm1 holding one key, myval1, whose value is 10000. ConfigMap values are always strings, so the consuming container sees the text "10000", not a number.

You can pass several --from-literal flags in one command to add more keys.

Use a single value from configmap in pod yaml
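As an added example that is not part of the original post (the pod and container names are assumptions), here is a pod that reads the single key myval1 from cm1 into one environment variable. Environment variables are resolved once, when the container starts: editing cm1 later does not change MYVAL1 until the pod is recreated, unlike the volume mount shown further down.

```yaml
# Added example: consume one ConfigMap key as an env var (names are assumptions)
apiVersion: v1
kind: Pod
metadata:
  name: pod1-player
spec:
  containers:
  - name: pod1-player
    image: nginx
    env:
    - name: MYVAL1                 # variable name seen inside the container
      valueFrom:
        configMapKeyRef:
          name: cm1                # the ConfigMap created above
          key: myval1              # the key whose value becomes MYVAL1
          optional: false          # default: pod fails to start if cm1 or the key is missing
```

Check it with kubectl exec pod1-player -- printenv MYVAL1, which should print 10000.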

Create and use multiple environment variables from file

If you plan to use multiple environment values, prepare a file my-env-vars.whatever like this:

infantry=10000
bowman=2000
generals=100

Then create the ConfigMap from that file. Each line becomes one key; blank lines and lines starting with # are ignored:

kubectl create configmap cm3 --from-env-file=./my-env-vars.whatever

You can then expose all of its keys as environment variables in a pod with a YAML definition like this
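The following pod definition is an added example, not from the original post; the pod name and the ARMY_ prefix are assumptions. envFrom imports every key of cm3 at once, so infantry, bowman and generals become ARMY_infantry, ARMY_bowman and ARMY_generals. Keys that are not valid environment variable names are skipped and reported as an event on the pod rather than failing it.

```yaml
# Added example: import every key of a ConfigMap as env vars (names are assumptions)
apiVersion: v1
kind: Pod
metadata:
  name: pod2-player
spec:
  containers:
  - name: pod2-player
    image: nginx
    envFrom:
    - prefix: ARMY_          # optional; drop it to get infantry, bowman, generals verbatim
      configMapRef:
        name: cm3            # the ConfigMap created from my-env-vars.whatever
        optional: false      # default: pod fails to start if cm3 does not exist
```

One caveat before copying this pattern for credentials: ConfigMaps are stored unencrypted in etcd and are readable by anyone allowed to get configmaps in the namespace. Anything sensitive belongs in a Secret, which is consumed with exactly the same shape (secretKeyRef and secretRef instead of configMapKeyRef and configMapRef).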

Import configmap values as volume

For example, I have a configmap named cm3 like this:

In the pod definition below, the ConfigMap is mounted as a volume with mountPath /etc/config2:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: pod3-player
spec:
  volumes:
  - name: local-config
    configMap:
      name: cm3
  containers:
  - image: nginx
    name: pod3-player
    volumeMounts:
    - name: local-config
      mountPath: /etc/config2

Now, listing /etc/config2 inside the container shows one file per key in the ConfigMap (each entry is a symlink into a timestamped ..data directory, which is how the kubelet swaps in updated values atomically):

kubectl exec -it pod3-player -- ls /etc/config2

Reading one of those files, for example health, returns that key's value:

kubectl exec -it pod3-player -- cat /etc/config2/health

Creating Kubernetes Replication Controller in 5 Minutes

Let’s look at the following diagram to create Kubernetes Replication Controller:

What to remember when creating a ReplicationController

  • apiVersion: v1
  • Under spec you define the number of replicas, the selector and the pod template
  • spec.template has its own spec section alongside its metadata
  • Container-related attributes go under the template's spec
  • The template's labels must satisfy the selector, otherwise the API server rejects the object
  • ReplicationController is the original controller and still lives in apiVersion v1, but ReplicaSet and Deployment (apps/v1) are the recommended replacements for new workloads

Create ReplicationController YAML file example

apiVersion: v1
kind: ReplicationController
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    app: nginx
  template:
    metadata:
      name: nginx
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
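For comparison, the same workload as a Deployment, added here as an example and not part of the original post. The only structural differences are the apps/v1 apiVersion and the selector, which is a matchLabels block instead of a flat label map; Deployments also give you rolling updates and rollback, which a ReplicationController lacks. The image tag is an assumption.

```yaml
# Added example: Deployment equivalent of the ReplicationController above
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:          # must match template.metadata.labels below
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21   # assumption: pin a tag, the bare "nginx" tag floats between builds
        ports:
        - containerPort: 80
```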

Configure SSO Server With Keycloak, HAProxy & Docker

Keycloak is a solid tool for handling user authentication and authorization. Both Keycloak and HAProxy are free, so you can set up an authentication and authorization server quickly at no software cost (hosting is not free, though :)).

With the help of Docker, it takes a few minutes (less than 10) to bring up a single sign-on (SSO) server.

Setting up Keycloak

Keycloak ships with an embedded H2 database for storing users, which is meant for development. It also lets you point it at an external database, and I prefer that option since it is easier to back up. Let's first set up a MariaDB server. Here is the docker-compose part for MariaDB:

  keycloak_db:
    container_name: keycloak_db
    image: mariadb:10.3.26
    restart: always
    volumes:
      - keycloak_db_volume:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: YOUR_ROOT_PASSWORD

Notice that I'm using MYSQL_ROOT_PASSWORD here for demo purposes. You should create a non-root user (the mariadb image does this for you from MYSQL_USER, MYSQL_PASSWORD and MYSQL_DATABASE) and use Docker secrets to manage the passwords instead; docker-compose supports file-backed secrets without Swarm and mounts them under /run/secrets/ inside the container.

You will also notice that this service (keycloak_db) uses a named volume, keycloak_db_volume. We will declare it at the end of the docker-compose.yml file.

Now, let’s write the YAML content for Keycloak itself:

  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:12.0.4
    restart: always
    env_file: ./kc.env

As you can see, instead of an environment block, we now use an *.env file. Here is the content (these are the variables understood by the WildFly-based Keycloak images; the Quarkus-based images that became the default in version 17 use KC_DB, KC_DB_URL, KC_PROXY, KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD instead):

DB_VENDOR=mariadb
DB_ADDR=keycloak_db:3306
DB_DATABASE=keycloak_1
DB_USER=root
DB_PASSWORD=MYSQL_PASSWORD
KEYCLOAK_USER=kc_user
KEYCLOAK_PASSWORD=keycloak_password
PROXY_ADDRESS_FORWARDING=true

A few things to check here. DB_USER=root repeats the shortcut from the database service; in a real deployment use the dedicated user. The database keycloak_1 must already exist, since Keycloak will not create it: add MYSQL_DATABASE=keycloak_1 to the MariaDB service so the image creates it on first start. KEYCLOAK_USER and KEYCLOAK_PASSWORD bootstrap the admin account; change that password after the first login. PROXY_ADDRESS_FORWARDING=true makes Keycloak trust the X-Forwarded-For and X-Forwarded-Proto headers it receives, so the keycloak container must only be reachable through HAProxy (which is why it has no ports: mapping of its own). Finally, kc.env holds credentials in plain text: chmod 600 it and keep it out of version control.

That's all we need to do with Keycloak. Let's create and configure HAProxy.

Setting up HAproxy

If you want SSL enabled, install certbot to obtain a free Let's Encrypt certificate. Certbot is convenient because you can set it up to renew the certificate automatically.

There is a good tutorial here on generating a standalone certificate for your domain:

https://www.digitalocean.com/community/tutorials/how-to-use-certbot-standalone-mode-to-retrieve-let-s-encrypt-ssl-certificates-on-ubuntu-16-04

After generating the certificate, combine fullchain.pem and privkey.pem into a single .pem file; HAProxy expects the certificate chain and the private key in one file, chain first. Because the result contains the private key, keep it in a root-owned directory and make sure it is not world-readable:

DOMAIN='your_domain_name' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'
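The one-liner above works once; renewals need the same step repeated and HAProxy told to reload. The script below is an added example, not code from the original post: it builds the bundle with a private-key-safe file mode, checks that both inputs actually made it into the output, and can run as a certbot deploy hook. All paths, the container name haproxy and the hook wiring are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): bundle a certbot lineage into the
# single PEM HAProxy loads, keep the private key unreadable to others, verify
# the result, and optionally run as a certbot deploy hook. Paths are assumptions.
set -eu

# bundle_cert DOMAIN LE_LIVE OUT_DIR
# Writes OUT_DIR/DOMAIN.pem as fullchain.pem followed by privkey.pem (HAProxy
# wants the chain first). The file is created 0600 under a temporary name and
# renamed into place, so a half-written or world-readable bundle is never visible.
bundle_cert() {
    domain=$1; le_live=$2; out_dir=$3
    out="$out_dir/$domain.pem"
    mkdir -p "$out_dir"
    chmod 700 "$out_dir"                 # only the owner may list the cert directory
    umask 077                            # files created from here on are 0600
    tmp=$(mktemp "$out_dir/.$domain.XXXXXX")
    cat "$le_live/$domain/fullchain.pem" "$le_live/$domain/privkey.pem" > "$tmp"
    mv "$tmp" "$out"
    printf '%s\n' "$out"
}

# check_bundle FILE
# Succeeds only if FILE holds at least one certificate and exactly one private
# key, i.e. both inputs were present and nothing was concatenated twice.
check_bundle() {
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# Deploy-hook mode (assumed wiring: certbot renew --deploy-hook /path/to/this.sh).
# certbot exports RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/your_domain_name,
# so the hook rebuilds the bundle and asks the haproxy container to reload.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem=$(bundle_cert "$(basename "$RENEWED_LINEAGE")" "$(dirname "$RENEWED_LINEAGE")" /etc/haproxy/certs)
    check_bundle "$pem"
    docker kill -s HUP haproxy           # graceful reload, as documented for the official image
fi
```

Two things to be aware of when wiring this into the compose file below. First, the compose service bind-mounts the single file your_domain_name.pem; a bind mount of one file pins the inode it had at container start, so a bundle replaced by rename (as here, and as certbot itself does with its symlinked lineages) is not seen inside the container until it is recreated. Mount the directory instead (/etc/haproxy/certs:/usr/local/etc/haproxy/certs:ro) and the HUP reload picks up the new file. Second, the official haproxy image from 2.4 on starts the process as an unprivileged user, so the 0600 bundle must be owned by that uid (or readable by a group it is in); what matters is that it is not world-readable.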

Now, let’s create a service for HAproxy in our docker-compose.yml file:

  haproxy:
    container_name: haproxy
    image: haproxy:2.4.0
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/haproxy/certs/your_domain_name.pem:/usr/local/etc/haproxy/certs/your_domain_name.pem
      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg

As you can see, we’ve mounted the SSL certificate to /usr/local/etc/haproxy/certs/. We also create and mount a haproxy.cfg file. Let’s see its content:

global
        stats timeout 30s

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        option  forwardfor
        option  http-server-close

frontend sso
        bind :80
        bind :443 ssl crt /usr/local/etc/haproxy/certs/your_domain_name.pem
        http-request redirect scheme https unless { ssl_fc }
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
        default_backend keycloak_backend

backend keycloak_backend
        http-request redirect scheme https unless { ssl_fc }
        server www-1 keycloak:8080 check

Keycloak listens on port 8080 by default. In this HAProxy configuration the sso frontend owns ports 80 and 443: plain HTTP is redirected to HTTPS, TLS is terminated with the mounted certificate, and the request is proxied to keycloak_backend over plain HTTP inside the Docker network. Because the redirect fires first, the X-Forwarded-Proto http rule and the second redirect in the backend are never reached; they are harmless, but the backend only ever sees HTTPS traffic. option forwardfor appends the client address to X-Forwarded-For, which Keycloak honours because of PROXY_ADDRESS_FORWARDING=true.
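The configuration above works, but it appends to X-Forwarded-For rather than replacing it, so a client can send its own X-Forwarded-For and it reaches a Keycloak that trusts the header. The hardened variant below is an added example, not the original post's file: it sets a TLS floor, sends HSTS, and overwrites the X-Forwarded-* headers with values HAProxy computed itself. The TLS floor, the HSTS max-age and the log target are assumptions to adjust for your environment.

```haproxy
global
        # Added example: hardened variant of the haproxy.cfg above (values are assumptions)
        log stdout format raw local0
        stats timeout 30s
        # Refuse TLS 1.0/1.1 on every ssl bind; raise to TLSv1.3 if all clients allow it
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5s
        timeout client  50s
        timeout server  50s
        option  http-server-close

frontend sso
        bind :80
        bind :443 ssl crt /usr/local/etc/haproxy/certs/your_domain_name.pem
        # Permanent redirect to HTTPS; only TLS requests reach the rules below
        http-request redirect scheme https code 301 unless { ssl_fc }
        # set-header replaces any client-supplied copy, so Keycloak
        # (PROXY_ADDRESS_FORWARDING=true) only ever sees values HAProxy chose
        http-request set-header X-Forwarded-Proto https
        http-request set-header X-Forwarded-For %[src]
        # Tell browsers to stop trying plain HTTP for this host (one year)
        http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
        default_backend keycloak_backend

backend keycloak_backend
        server www-1 keycloak:8080 check
```

option forwardfor is dropped on purpose: the explicit set-header of X-Forwarded-For to %[src] does the same job without keeping whatever the client sent. Validate the file before reloading with docker run --rm -v $PWD/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg haproxy:2.4.0 haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg.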

Here is the whole docker-compose file:

version: '3'

services:
  haproxy:
    container_name: haproxy
    image: haproxy:2.4.0
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/haproxy/certs/your_domain_name.pem:/usr/local/etc/haproxy/certs/your_domain_name.pem
      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg

  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:12.0.4
    restart: always
    env_file: ./kc.env
    
  keycloak_db:
    container_name: keycloak_db
    image: mariadb:10.3.26
    restart: always
    volumes:
      - keycloak_db_volume:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: mysql_root_password



volumes:
  keycloak_db_volume:
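Following the advice given above about a non-root database user and Docker secrets, here is the same stack with the passwords moved out of environment variables and kc.env. This is an added example, not the original post's file; the haproxy service is unchanged and omitted. The mariadb image reads any MYSQL_*_FILE variable from the named file, and the WildFly-era Keycloak image does the same for DB_PASSWORD_FILE and KEYCLOAK_PASSWORD_FILE through the file_env helper in its entrypoint; the secret file names and the keycloak user name are assumptions.

```yaml
version: '3.1'            # file-backed secrets need at least compose format 3.1

services:
  keycloak_db:
    container_name: keycloak_db
    image: mariadb:10.3.26
    restart: always
    volumes:
      - keycloak_db_volume:/var/lib/mysql
    environment:
      # *_FILE variants make the entrypoint read the value from the mounted secret
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
      MYSQL_DATABASE: keycloak_1          # created on first start, so Keycloak finds it
      MYSQL_USER: keycloak                # gets privileges on keycloak_1 only, not root
      MYSQL_PASSWORD_FILE: /run/secrets/db_keycloak_password
    secrets:
      - db_root_password
      - db_keycloak_password

  keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:12.0.4
    restart: always
    depends_on:
      - keycloak_db
    environment:
      DB_VENDOR: mariadb
      DB_ADDR: keycloak_db:3306
      DB_DATABASE: keycloak_1
      DB_USER: keycloak
      DB_PASSWORD_FILE: /run/secrets/db_keycloak_password
      KEYCLOAK_USER: kc_admin
      KEYCLOAK_PASSWORD_FILE: /run/secrets/kc_admin_password
      PROXY_ADDRESS_FORWARDING: "true"    # trust X-Forwarded-*; only HAProxy may reach this container
    secrets:
      - db_keycloak_password
      - kc_admin_password

secrets:                   # assumed file names; chmod 600 each and keep them out of git
  db_root_password:
    file: ./secrets/db_root_password
  db_keycloak_password:
    file: ./secrets/db_keycloak_password
  kc_admin_password:
    file: ./secrets/kc_admin_password

volumes:
  keycloak_db_volume:
```

Generate each secret with something like openssl rand -base64 32 > secrets/db_root_password before the first docker-compose up; the root password is only needed by the mariadb entrypoint on initialisation, and Keycloak never sees it.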

If the certificate is in place, run docker-compose up -d; the site becomes reachable after a minute or two, once Keycloak has finished booting (docker-compose logs -f keycloak shows WildFly reporting the server started).

Some caveats:

I’ve tried this setup on a DigitalOcean droplet with just 1GB of RAM and a single CPU ($5/month) and Keycloak crashed every single time. The reason is that at start-up, Keycloak uses a lot of resources. After upgrading to the next tier, I could start it without any problem.