INT 21h

Hi, I am Vladimir Smagin, SysAdmin, DevOps and barely good guy. Telegram Email / GIT / Микроблог / Thingiverse / GPG

cert-manager can’t resolve new domain to perform HTTP01 challenge

№ 10443 В разделе "Sysadmin" от December 14th, 2019,
В подшивках: , ,

In ingress resource you created new domain to perform HTTP01 challenge and obtain new LE certificate but something goes wrong in log file:

E1214 14:35:06.644315 1 sync.go:183] cert-manager/controller/challenges "msg"="propagation check failed" "error"="failed to perform self check GET request 'http://test.k8s.blindage.org/.well-known/acme-challenge/nmxxZh0K7iXuOnqGRm52PqymHj8YFVpN2MryLfRdVoU': Get http://test.k8s.blindage.org/.well-known/acme-challenge/nmxxZh0K7iXuOnqGRm52PqymHj8YFVpN2MryLfRdVoU: dial tcp: lookup test.k8s.blindage.org on 10.245.0.10:53: no such host" "dnsName"="test.k8s.blindage.org" "resource_kind"="Challenge" "resource_name"="tls-test-k8s-blindage-org-749846670-0" "resource_namespace"="testing" "type"="http-01"

… and this error repeats multiple times without any progress. Its managed Kubernetes in DigitalOcean.

To solve this problem just uncomment these lines in Helm chart of cert-manager to provide your own nameservers:

podDnsPolicy: "None"
podDnsConfig:
  nameservers:
    - "1.1.1.1"
    - "8.8.8.8"

Voila! You got new certificate.

Нет комментариев »

cert-manager пытается выдать сертификат в родительской зоне

№ 10436 В разделе "Sysadmin" от December 13th, 2019,
В подшивках: ,

Предыстория такая, была в DNS A запись code.semantiqo.ru и указывала она на IP балансера kubernetes. Захотел сделать нормально и создать на серверах digitalocean зону code.semantiqo.ru целиком и уже оттуда ей управлять. Захотел – сделал! Добавил в ingress ресурс выдачу сертификата от letsencrypt и затем добавил в панельке хостингера 3 NS записи указывающие на сервера digitalocean и стал ждать когда все само подтащится и заработает.

Время шло и в логах я продолжал видеть обращение к родительскому домену с целью создать челендж записи.

I1212 19:07:55.716799 1 controller.go:129] cert-manager/controller/challenges "level"=0 "msg"="syncing item" "key"="production/tls-code-semantiqo-ru-2352965144-0"
I1212 19:07:55.717716 1 dns.go:104] cert-manager/controller/challenges/Present "level"=0 "msg"="presenting DNS01 challenge for domain" "dnsName"="code.semantiqo.ru" "domain"="code.semantiqo.ru" "resource_kind"="Challenge" "resource_name"="tls-code-semantiqo-ru-2352965144-0" "resource_namespace"="production" "type"="dns-01"
E1212 19:07:56.164072 1 controller.go:131] cert-manager/controller/challenges "msg"="re-queuing item due to error processing" "error"="POST https://api.digitalocean.com/v2/domains/semantiqo.ru/records: 404 The resource you were accessing could not be found." "key"="production/tls-code-semantiqo-ru-2352965144-0

Проверил все ресурсы, даже полностью удалял все секреты и ресурсы и т.д., ничего не помогало, будто cert-manager просто не видит новую зону. И тут меня осенило просто прибить нахер этот гнусный под с гнусным днс кешем. И таки что бы вы могли подумать? Оно заработало! cert manager наконец правильно увидел зону и получил сертификат.

Чтобы окончательно решить эту проблему можно сходить по ссылке и настроиться.

Нет комментариев »

bash: wait database for connection

№ 10430 В разделе "Sysadmin" от December 6th, 2019,
В подшивках: , ,

You can easily use it to check MySQL or Postgresql connection.

#!/bin/bash

for i in `seq 1 ${CONNECT_TIMEOUT}`;
do
  mysql -h "${DB_HOST}" -u${DB_USERNAME} -p${DB_PASSWORD} ${DB_DATABASE} -e 'select 1'
  if [ $? -eq 0 ]; then
    echo "Connected to MySQL"
    exit 0
  fi
  if [ $i -eq ${CONNECT_TIMEOUT} ]; then
    echo "MySQL timeout"
    exit 1
  fi
  sleep 1
done

Нет комментариев »

Private Docker Registry in DigitalOcean Kubernetes with s3 storage in Spaces

№ 10420 В разделе "Sysadmin" от December 4th, 2019,
В подшивках: , ,

Prepare Configmap with auth information. Use command htpasswd -Bbn vlad 123 to create login and password for users. No need to restart all pods of registry to apply changes. May be you want to store it in Secret resource, at your choice.

Example:

---
apiVersion: v1
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: registry-auth
data:
  htpasswd: |
    vlad:$2y$05$anFCx3pAPG/BNxPsEKcau.LPKjWFN7hHkoXbvIMp7Jie97uYafuSq

Now create bucket my-own-registry in Spaces with access key id and secret key. Do not forget to set http_secret and nodeSelector. http_secret required if you want multiple pods.

Example:

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: registry
spec:
  replicas: 2
  template:
    metadata:
      labels:
        name: registry
    spec:
      containers:
      - name: registry
        image: registry:2
        ports:
        - name: registry
          containerPort: 5000
        volumeMounts:
        - mountPath: /auth
          name: auth
        env:
        - name: REGISTRY_STORAGE_DELETE_ENABLED
          value: "true"
        - name: REGISTRY_HEALTH_STORAGEDRIVER_ENABLED
          value: "false"
        - name: REGISTRY_AUTH
          value: "htpasswd"
        - name: REGISTRY_AUTH_HTPASSWD_REALM
          value: "Registry Realm"
        - name: REGISTRY_AUTH_HTPASSWD_PATH
          value: /auth/htpasswd
        - name: REGISTRY_STORAGE
          value: "s3"
        - name: REGISTRY_STORAGE_S3_ACCESSKEY
          value: "TVV3WXZ233MEPEBXFP7X"
        - name: REGISTRY_STORAGE_S3_SECRETKEY
          value: "ERlofd+hb9Ps1oBR5jUJuPa9NIMRSLxvUyulKJnt8S0"
        - name: REGISTRY_STORAGE_S3_BUCKET
          value: "my-own-registry"
        - name: REGISTRY_STORAGE_S3_REGION
          value: "fra1"
        - name: REGISTRY_STORAGE_S3_REGIONENDPOINT
          value: "https://fra1.digitaloceanspaces.com"
        - name: REGISTRY_LOG_LEVEL
          value: "info"
        - name: REGISTRY_HTTP_ADDR
          value: "0.0.0.0:5000"
        - name: REGISTRY_HTTP_SECRET
          value: sexy_pony
        resources:
          limits:
            cpu: 100m
            memory: 200Mi
          requests:
            cpu: 50m
            memory: 50Mi
      volumes:
      - name: auth
        configMap:
          name: registry-auth
      nodeSelector:
        doks.digitalocean.com/node-pool: infra

Last step easily shares registry. Set limit for image size in proxy-body-size, value 0 means no limits.

Example:

---
apiVersion: v1
kind: Service
metadata:
  name: registry
  labels:
    name: registry
spec:
  ports:
  - port: 80
    targetPort: registry
    protocol: TCP
    name: registry
  selector:
    name: registry
  type: ClusterIP

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  name: registry
spec:
  rules:
  - host: registry.k8s.blindage.org
    http:
      paths:
      - backend:
          serviceName: registry
          servicePort: registry
        path: /
  tls:
  - hosts:
    - k8s.blindage.org
    - '*.k8s.blindage.org'
    secretName: k8s-blindage-tls

Problems:

time="2019-12-14T22:03:19.448702167Z" level=info msg="PurgeUploads starting: olderThan=2019-12-07 22:03:19.439373039 +0000 UTC m=-601559.638413974, actuallyDelete=true"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xc4e6bd]

Its a bug.

Нет комментариев »

Import DNS resources from DigitalOcean to Terraform

№ 10401 В разделе "Sysadmin" от November 19th, 2019,
В подшивках: ,

At first, create digitalocean.tf with auth token if you do not have one.

Carefully read documentation:

  • https://www.terraform.io/docs/providers/do/r/domain.html
  • https://www.terraform.io/docs/providers/do/r/record.html
  • Now prepare domains.tf with resources declaration:

    resource "digitalocean_domain" "k8s_blindage_org" {
      name = "k8s.blindage.org"
    }
    
    resource "digitalocean_record" "k8s_blindage_org_ns1" {
      domain = digitalocean_domain.k8s_blindage_org.name
      type   = "NS"
      name   = "@"
      value  = "ns1.digitalocean.com."
    }
    
    resource "digitalocean_record" "k8s_blindage_org_ns2" {
      domain = digitalocean_domain.k8s_blindage_org.name
      type   = "NS"
      name   = "@"
      value  = "ns2.digitalocean.com."
    }
    
    resource "digitalocean_record" "k8s_blindage_org_ns3" {
      domain = digitalocean_domain.k8s_blindage_org.name
      type   = "NS"
      name   = "@"
      value  = "ns3.digitalocean.com."
    }
    

    Authorize and receive list of records with IDs:

    export DO_TOKEN=fed82d66020b4ccfa67d53d45a519fuck6d3you0c946a9cd196f1062195a7993
    curl -X GET https://api.digitalocean.com/v2/domains/k8s.blindage.org/records -H "Authorization:Bearer ${DO_TOKEN}"

    Now you are ready to import current state with record IDs from previous step:

    terraform import digitalocean_domain.k8s_blindage_org k8s.blindage.org
    terraform import digitalocean_record.k8s_blindage_org_ns1 k8s.blindage.org,80019903
    terraform import digitalocean_record.k8s_blindage_org_ns2 k8s.blindage.org,80019904
    terraform import digitalocean_record.k8s_blindage_org_ns3 k8s.blindage.org,80019905
    

    Нет комментариев »

    Микроблог перейти

    # 2019-12-23 09:14:01

    Очень интересная концепция, docker-compose для kubernetes kompose.io/ #devops #kubernetes #docker

    # 2019-12-16 17:21:18

    Надо будет почитать для общего развития как оживить кластер в случае проеба сертов habr.com/ru/company/southbridg #kubernetes #devops

    # 2019-12-12 17:33:46

    js bootstrap с интерфейсом как в DOS github.com/kristopolous/BOOTST


    © Vladimir Smagin, 2005-2019. Копирование материалов без разрешения запрещено. GPG DA4CD0F5E222EA727D6A40C413BCE12E5618F071 *
    Яндекс.Метрика

    Fortune cookie: "I never spared heretics and have always done my utmost so that the enemies of the Church should also be my enemies." [St. Jerome, 420 AD]