INT 21h

Hi, I am Vladimir Smagin, SysAdmin and Kaptain. Telegram Email / GIT / RSS / GPG

Проксирование DNS запросов в DNS-over-HTTPS

№ 11416. В разделе " Sysadmin " от November 14th, 2021

В подшивках: ,

Vaultwarden fast start in Kubernetes

№ 11409. В разделе " Sysadmin " от November 2nd, 2021

В подшивках: ,

HashiCorp Vault fast start in Kubernetes

№ 11404. В разделе " Sysadmin " от November 2nd, 2021

В подшивках: , ,

Secure container registry in microk8s

№ 11332 В разделе "Sysadmin" от August 27th, 2021,
В подшивках: ,

Microk8s includes docker registry feature but absolutely not secure, just for local developers use.

So remove old service “registry” (NodePort) and create new one:

apiVersion: v1
kind: Service
metadata:
  name: registry-external
  namespace: container-registry
  labels:
    app: registry
spec:
  ports:
  - port: 5000
    name: registry
    protocol: TCP
    targetPort: registry
  selector:
    app: registry
  type: ClusterIP

New service points to the same place but not opens port 32000.

Now create secret, do not change filename, its important:

htpasswd -bc auth kubernetes PruedAtshyohuciabIdcav
kubectl create secret generic basic-auth --from-file=auth --dry-run -o yaml

Good! Add new secret to your kube.

apiVersion: v1
data:
  auth: a3ViZXJuZXRlczokYXByMSRHQXNKamVGbiRzWFNDSVNxOGwuYVlwTkhTajlpQ2EuCg==
kind: Secret
metadata:
  creationTimestamp: null
  name: basic-auth

And now create ingress resource with basic auth pointed to new secret

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-http01
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
  name: registry
  namespace: container-registry
spec:
  rules:
  - host: registry.k8s.huy.net
    http:
      paths:
      - backend:
          serviceName: registry-external
          servicePort: registry
        path: /
  tls:
  - hosts:
    - registry.k8s.huy.net
    secretName: tls-registry-k8s-huy-net

You did it!

Нет комментариев »

Add additional cluster domain for microk8s

№ 11327 В разделе "Sysadmin" от August 19th, 2021,
В подшивках:

Open /var/snap/microk8s/current/certs/csr.conf.template and add:

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = blindage.org
DNS.7 = k8s.blindage.org
IP.1 = 127.0.0.1
IP.2 = 10.152.183.1
#MOREIPS
IP.3 = 192.168.1.9
IP.4 = 109.227.241.137

Now refresh certificates with command microk8s.refresh-certs

Нет комментариев »

Яндекс.Метрика

Fortune cookie: Impiety. Your irreverence toward my deity. [Ambrose Bierce, The Devil's Dictionary, 1911]