INT 21h

Hi, I am Vladimir Smagin, SysAdmin and Kaptain.

Secure container registry in microk8s

No. 11332, in section "Sysadmin", August 27th, 2021

Microk8s includes a Docker registry add-on, but it is not secure at all: it is meant only for local developer use.

So remove the old “registry” service (NodePort) and create a new one:

apiVersion: v1
kind: Service
metadata:
  name: registry-external
  namespace: container-registry
  labels:
    app: registry
spec:
  ports:
  - port: 5000
    name: registry
    protocol: TCP
    targetPort: registry
  selector:
    app: registry
  type: ClusterIP

The new service points to the same pods but does not expose port 32000.

Now create the secret. Do not change the file name: ingress-nginx looks for the htpasswd data under the key "auth", which is exactly what --from-file=auth produces. The secret must live in the same namespace as the Ingress that will reference it:

htpasswd -bc auth kubernetes PruedAtshyohuciabIdcav
kubectl create secret generic basic-auth -n container-registry --from-file=auth --dry-run=client -o yaml

Good! Add the new secret to your cluster.

apiVersion: v1
data:
  auth: a3ViZXJuZXRlczokYXByMSRHQXNKamVGbiRzWFNDSVNxOGwuYVlwTkhTajlpQ2EuCg==
kind: Secret
metadata:
  creationTimestamp: null
  name: basic-auth
  # same namespace as the Ingress; a bare "basic-auth" in the auth-secret annotation is looked up there
  namespace: container-registry

And now create an Ingress resource with basic auth pointing at the new secret (the extensions/v1beta1 Ingress API used here was removed in Kubernetes 1.22; newer clusters need networking.k8s.io/v1 with the same annotations):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-http01
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
  name: registry
  namespace: container-registry
spec:
  rules:
  - host: registry.k8s.huy.net
    http:
      paths:
      - backend:
          serviceName: registry-external
          servicePort: registry
        path: /
  tls:
  - hosts:
    - registry.k8s.huy.net
    secretName: tls-registry-k8s-huy-net

You did it!
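An added sanity check, not part of the original post: with the Secret and Ingress above loaded as Python dicts, it confirms that the ingress-nginx auth-secret annotation resolves to the Secret's namespace and name, that the htpasswd data sits under the key "auth", and that every entry carries a real digest rather than a plaintext password.

```python
import base64
import re

# Constructed sample: the Secret and Ingress from this post as Python dicts, shaped
# the way yaml.safe_load() would return them (PyYAML itself is not needed here).
SECRET = {
    "kind": "Secret",
    "metadata": {"name": "basic-auth", "namespace": "container-registry"},
    "data": {"auth": "a3ViZXJuZXRlczokYXByMSRHQXNKamVGbiRzWFNDSVNxOGwuYVlwTkhTajlpQ2EuCg=="},
}
INGRESS = {
    "kind": "Ingress",
    "metadata": {
        "name": "registry",
        "namespace": "container-registry",
        "annotations": {"nginx.ingress.kubernetes.io/auth-type": "basic",
                        "nginx.ingress.kubernetes.io/auth-secret": "basic-auth"},
    },
}

# htpasswd digest formats nginx's auth_basic understands: apr1 (the htpasswd default),
# {SHA}, and crypt()-style hashes such as bcrypt $2y$ or sha-crypt $5$/$6$.
HASH_RE = re.compile(r"^(\$apr1\$|\{SHA\}|\$2[aby]\$|\$[56]\$)")

def check_basic_auth(secret, ingress):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    ann = ingress["metadata"].get("annotations", {})
    # auth-secret is "name" (looked up in the Ingress's own namespace) or
    # "namespace/name"; a Secret manifest without a namespace lands in "default"
    ref = ann.get("nginx.ingress.kubernetes.io/auth-secret", "")
    ref_ns, _, ref_name = ref.rpartition("/")
    want = (ref_ns or ingress["metadata"]["namespace"], ref_name)
    have = (secret["metadata"].get("namespace", "default"), secret["metadata"]["name"])
    if want != have:
        problems.append(f"auth-secret {ref!r} does not match secret {have[0]}/{have[1]}")
    data = secret.get("data", {})
    if "auth" not in data:  # the file given to --from-file must be called "auth"
        return problems + ["secret has no 'auth' key (htpasswd file must be named auth)"]
    try:
        text = base64.b64decode(data["auth"], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return problems + ["secret 'auth' is not valid base64 text"]
    for line in filter(None, text.splitlines()):
        user, sep, digest = line.partition(":")
        if not sep or not HASH_RE.match(digest):
            problems.append(f"user {user!r}: plaintext or unsupported htpasswd entry")
    return problems
```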


Placeholder page for Kubernetes “service unavailable”

No. 11256, in section "Sysadmin", March 28th, 2021

I named it monkey502. It embeds 4 pictures that change depending on how many times the page has been refreshed. The page also reloads itself once a minute, so the user can continue working from the URL where everything stopped. The image is based on a minimal nginx unit image with just one static page.

Instructions for installing the helm chart and configuring the nginx ingress controller are here: https://hub.docker.com/r/iam21h/monkey502. The link describes the global configuration; for individual ingresses use annotations.


Credentials and other secrets from Vault to your containers at startup

No. 11183, in sections: Programming, Sysadmin, January 2nd, 2021

What if you store your database credentials in Vault and want them available as ENV variables for your application at container startup? You can do it for Kubernetes deployments or plain Docker containers with my small program vault-envs.

Two additions are needed in your image:

  • install my vault-envs program, which “converts” a secret into ENV variables
  • create or modify the entrypoint script that calls vault-envs and runs any other pre-startup actions

Add these steps to your Dockerfile:

...
...
# add the Ubuntu/Debian repo and install vault-envs with fresh CA certificates
# (the signing key is fetched over plain HTTP here: verify its fingerprint, or fetch it over HTTPS if the repo offers it)
RUN curl -fsSL http://deb.blindage.org/gpg-key.asc | apt-key add - && \
    echo "deb http://deb.blindage.org bionic main" > /etc/apt/sources.list.d/21h.list && \
    apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates vault-envs && \
    rm -rf /var/lib/apt/lists/*

# copy the entrypoint script that runs vault-envs before the application starts
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]

Your entrypoint script will look like this:

#!/bin/bash
# abort on any failure, including an unset VAULT_TOKEN
set -euo pipefail

...
...

# vault-envs prints KEY=value pairs; export them into this shell.
# The prefix keeps the DB_* keys of the two database secrets from overwriting each other.
export $(vault-envs -token "$VAULT_TOKEN" \
        -vault-url https://vault.blindage.org \
        -vault-path /prod/crm/connection_postgres -envs-prefix "PG_")

export $(vault-envs -token "$VAULT_TOKEN" \
        -vault-url https://vault.blindage.org \
        -vault-path /prod/crm/connection_mysql -envs-prefix "MYSQL_")

export $(vault-envs -token "$VAULT_TOKEN" \
        -vault-url https://vault.blindage.org \
        -vault-path /prod/crm/connection_api)

...
...

# hand over to the container command (as PID 1) with the secrets in its environment
exec "$@"

If variable names are identical, they are overwritten by the next vault-envs call, so I used a prefix.
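As an added, illustrative re-implementation of the pattern (not the author's vault-envs program, whose source is not on the page): read a KV secret over Vault's HTTP API, render it as shell-quoted export lines under a prefix, and refuse the name collisions the post warns about instead of silently overwriting. The Vault mount name "secret/" and KV version 2 are assumptions.

```python
import json
import shlex
import urllib.request

# Constructed sample: the two KV secrets read by the entrypoint above, shaped like the
# "data" object Vault's KV API returns (values mirror the printenv output in the post).
POSTGRES = {"DB_HOST": "db-postgres", "DB_PORT": "5432", "DB_USER": "postgres",
            "DB_PASS": "postgres", "DB_NAME": "crm"}
MYSQL = {"DB_HOST": "mysql.wordpress", "DB_PORT": "3306", "DB_USER": "root",
         "DB_PASS": "", "DB_NAME": "wordpress"}

def fetch_kv(vault_url, token, path):
    """Read one secret over Vault's HTTP API (assumes a KV version-2 mount 'secret/')."""
    req = urllib.request.Request(f"{vault_url}/v1/secret/data/{path.strip('/')}",
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]["data"]

def secret_to_env(data, prefix=""):
    """Render a secret as `export KEY=value` lines: keys upper-cased and prefixed,
    values shell-quoted so a password with spaces, quotes or `$` cannot break
    (or inject into) the eval in the entrypoint."""
    lines = []
    for key, value in sorted(data.items()):
        name = (prefix + key).upper()
        if not name.isidentifier():
            raise ValueError(f"{name!r} is not a valid environment variable name")
        lines.append(f"export {name}={shlex.quote(str(value))}")
    return lines

def merge_envs(*prefixed_secrets):
    """Combine (prefix, data) pairs, refusing collisions instead of overwriting.
    Without distinct prefixes the two DB_* sets above collide and the later
    call silently wins, which is why the post uses PG_ and MYSQL_."""
    env = {}
    for prefix, data in prefixed_secrets:
        for line in secret_to_env(data, prefix):
            name = line[len("export "):].split("=", 1)[0]
            if name in env:
                raise ValueError(f"collision: {name} is set by more than one secret")
            env[name] = line
    return list(env.values())

if __name__ == "__main__":
    # emit a script fragment that an entrypoint can eval "$(...)"
    print("\n".join(merge_envs(("PG_", POSTGRES), ("MYSQL_", MYSQL))))
```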

Now build the image and run:

docker run --rm -e VAULT_TOKEN=s.QQmLlqnHnRAEO9eUeoggeK1n crm printenv

and see the result on the container console (printenv dumps every secret to stdout, and so to any log collector, so use it only for this check):

...
VAULT_RETRIEVER=vault-envs
PG_DB_PASS=postgres
PG_DB_PORT=5432
PG_DB_USER=postgres
PG_DB_HOST=db-postgres
PG_DB_NAME=crm
MYSQL_DB_HOST=mysql.wordpress
MYSQL_DB_PASS=
MYSQL_DB_PORT=3306
MYSQL_DB_USER=root
MYSQL_DB_NAME=wordpress
API_HOST=http://crm/api
API_TOKEN=giWroufpepfexHyentOnWebBydHojGhokEpAnyibnipNirryesaccasayls4
...

Wooh! You did it.


How to create docker volume from directory

No. 11114, in section "Sysadmin", October 6th, 2020

Typically this is not useful, because you can mount a directory directly into containers, but… who knows? Maybe you just want it.

For example, you have a directory on your hard drive and want to move its files into a Docker volume:

root@boroda:/tmp/future-volume# find .
.
./somedir
./somedir/config.yaml
./file1
./test.txt
./myfile2

Just run the move (or copy) command in a busybox container:

docker run --rm -it \
    -v my-docker-volume:/destination \
    -v /tmp/future-volume:/source \
    busybox \
    /bin/sh -c "mv /source/* /destination/ && find /destination"

This command mounts the volume (creating it if it does not exist yet), mounts the directory from disk, and moves the files from the disk into the volume. Note that the shell glob /source/* skips dot-files; to include them, copy with cp -a /source/. /destination/ instead.

After the move completes you’ll see the tree of moved files:

/destination
/destination/somedir
/destination/somedir/config.yaml
/destination/file1
/destination/test.txt
/destination/myfile2

That’s all, easy.


docker-compose for Elasticsearch, Kibana and oauth2 protection

No. 10908, in section "Sysadmin", January 17th, 2020

version: '3.7'
services:
  kibana:
    image: kibana:7.3.0
    depends_on:
      - elasticsearch
    networks:
      - elk

  elasticsearch:
    image: elasticsearch:7.3.0
    volumes:
      - esdata:/usr/share/elasticsearch/data
    networks:
      - elk
    ports:
      # Elasticsearch itself has no authentication here; bind it to loopback only,
      # oauth2_proxy protects Kibana but not this API port
      - 127.0.0.1:39200:9200
    environment:
      - "discovery.type=single-node"
      - "cluster.name=docker-cluster"
      - "bootstrap.memory_lock=true"
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1

  oauth:
    # cloned git repo with enabled bitbucket support
    build: ./oauth2_proxy
    image: oauth2proxy
    entrypoint:
      - oauth2_proxy
      - --upstream=http://kibana:5601
      - --email-domain=*
      - --http-address=0.0.0.0:4180
      - --bitbucket-team=my_organization
      - --client-id=zZYjbsBVMBDyaXvk5v
      - --client-secret=wxz3uFvKVBXR2EaQPJAcQyPY44XbyNKT
      - --provider=bitbucket
      - --cookie-secret=cy-BbEK5MgHg5NcQe8FcdQ==
      - --cookie-secure=true
    depends_on:
      - elasticsearch
      - kibana
    ports:
      - 127.0.0.1:4180:4180
    networks:
      - elk

networks:
  elk:

volumes:
  esdata:
    driver: local
