Merge pull request #5 from DevOpsPlayground/dry_run
Dry run
robertpountney92 authored Jan 26, 2021
2 parents 32532a5 + 9752aad commit 3e8a790
Showing 3 changed files with 18 additions and 17 deletions.
24 changes: 10 additions & 14 deletions README.md
Expand Up @@ -29,15 +29,11 @@ Ingress exposes HTTP and HTTPS routes from outside the cluster to services withi

![alt text](assets/simple_ingress_k8s.png "Simple Ingress Example Kubernetes")

For the built in Ingress resource to work, the cluster must have an **Ingress Controller** running.
For the built in Ingress resource to work, the cluster must have an **Ingress Controller** running. The Ingress Controller watches for new Ingress rules, that we may define in Kubernetes manifests, and fulfills the mapping from Domain Names outside of the cluster to services running within the cluster.

We can declaratively define Ingress resources using Kubernetes manifests, however it is the Ingress Controller that determines how this will be fulfilled. The Ingress Controller watches for new Ingress rules and fulfills the mapping from services within the cluster to public URLs/domain names outside the cluster.
Unlike other types of controllers which run as part of the kube-controller-manager binary, Ingress controllers are not started automatically with a cluster. The most popular controller is provided by NGINX, we can add this to our cluster using **Helm**.

Unlike other types of controllers which run as part of the kube-controller-manager binary, Ingress Controllers are not started automatically with a cluster. The most popular controller is provided by NGINX, we can add this to our cluster using **Helm**.

Helm is a package manager purpose built for Kubernetes. Helm has been pre-installed on your workstations.

Add the ingress-nginx repository
Add the ingress-nginx Helm chart repository

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
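
Review bot: The two sentences introducing Helm ("Helm is a package manager purpose built for Kubernetes. Helm has been pre-installed on your workstations.") have no replacement in this hunk, so the `helm repo add` step now follows a bare mention of Helm with nothing telling attendees it is already installed. Suggest keeping one short sentence to that effect before "Add the ingress-nginx Helm chart repository". Separately, "The most popular controller is provided by NGINX, we can add this to our cluster" is a comma splice; split it into two sentences or use a semicolon.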

Expand All @@ -48,15 +44,15 @@ Use Helm to deploy an NGINX Ingress Controller
--set rbac.scope=true \
--set controller.admissionWebhooks.enabled=false

Once this is deployed, we can view the created service and assocaited EXTERNAL_IP (Note: may take a few seconds to generate the IP)
Once this is deployed, we can view the created service and assocaited EXTERNAL_IP (Note: It may take a few seconds to generate the IP)

kubectl get services ingress-nginx-controller

Set the EXTERNAL_IP as a variable for later use

EXTERNAL_IP=$(kubectl get services ingress-nginx-controller | awk 'NR==2 {print $4}')

The EXTERNAL_IP of this service acts as an entry point from the outside world.
The EXTERNAL_IP of this service acts as an entry point for the outside world.

## Self-Signed Certificates
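
Review bot: The replacement line for the EXTERNAL_IP note still carries the typo "assocaited", so the rewrite touched the sentence without fixing it; change it to "associated". Since the note itself says the IP may take a few seconds to appear, the following `awk 'NR==2 {print $4}'` step can capture `<pending>` if it is run too early; consider `kubectl get service ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`, which returns an empty string until the address is assigned and does not depend on column position.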

Expand All @@ -83,9 +79,9 @@ Create the Ingress resource

Test the Ingress configuration

curl -v -k --resolve dpg.com:443:$EXTERNAL_IP https://dpg.com # Trusts any certificates
curl -v --cacert /tmp/tls.crt --resolve dpg.com:443:$EXTERNAL_IP https://dpg.com

curl -v --cacert /tmp/tls.crt --resolve dpg.com:443:$EXTERNAL_IP https://dpg.com # Trusts on certificate specified in command
In the above curl command we indicate that we trust the self-signed certificate. `/tmp/tls.crt` contains the public key needed to verify the certificate was signed by us.

Alternatively on your own machine (not your workstation) modify hosts file and view in browser. (Note: this will require sudo access)
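
Review bot: The sentence added under the `--cacert` command describes `/tmp/tls.crt` as "the public key", but the file handed to `--cacert` is the self-signed certificate itself, which curl uses as its trust anchor for this request. Suggest wording such as "`/tmp/tls.crt` is our self-signed certificate, which curl uses as the only trusted CA for this request". Dropping the `-k` variant is a good call, because that command skipped certificate verification entirely.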

Expand All @@ -96,7 +92,7 @@ Hosts file locations:
`Mac & Linux /etc/hosts`


(Note: If the browser prevents you from proceeding type "thisisunsafe" into the browser window. This should bypass the browsers built in security checks.)
(Note: If the browser prevents you from proceeding, type "thisisunsafe" into the browser window. This should bypass the browsers built in security checks)


## Automated Certificates signed by LetsEncypt
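
Review bot: The reworded "thisisunsafe" note still reads "the browsers built in security checks"; it should be "the browser's built-in security checks", and the sentence has lost its closing full stop inside the parenthesis. Since the note tells attendees to bypass a certificate warning, it would help to say in the same sentence that the warning is expected here only because the certificate is self-signed. The context heading below also has "LetsEncypt", which should be "LetsEncrypt".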
Expand Down Expand Up @@ -135,7 +131,7 @@ Deploy the demo application using `kubectl apply`
kubectl apply -f LetsEncrypt/prod-app.yaml

### Issue Certificates and configure Ingress
Prior to this interactive session, the kubernetes **cert-manager** controller has been pre-installed onto the Kubernetes cluster. See `aks-cluster` directory for details.
Prior to this interactive session, the Kubernetes **cert-manager** controller has been pre-installed onto the Kubernetes cluster. See `aks-cluster` directory for details.

Cert-manager is a Kubernetes add-on that automates the management and issuance of TLS certificates from various issuing sources, including external CAs.

Expand All @@ -155,7 +151,7 @@ Verify that the certificate was created successfully by checking READY is True,

kubectl get certificate

### View HTTPS applicaiton in browser
### View HTTPS application in browser
Finally navigate to the the Fully Qualified Domain Name, copy the result of the echo command to your browser

echo $FQDN
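
Review bot: The line directly under the corrected heading still reads "navigate to the the Fully Qualified Domain Name"; drop the duplicated "the" while this section is being tidied, and consider splitting the sentence: "Finally, navigate to the Fully Qualified Domain Name. Copy the result of the echo command into your browser."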
2 changes: 1 addition & 1 deletion workstations/README.md
@@ -1,4 +1,4 @@
# Provision atendee workstations and
# Provision attendee workstations and

## Prerequisites
Must have built aks-cluster and resource group from other directory.
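
Review bot: The corrected title "# Provision attendee workstations and" still ends on a dangling "and", so the heading is incomplete after the spelling fix. Either finish the phrase or trim it to "# Provision attendee workstations".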
9 changes: 7 additions & 2 deletions workstations/workstations.tf
Expand Up @@ -56,7 +56,12 @@ resource "kubernetes_role" "role" {
}
rule {
api_groups = ["cert-manager.io"]
resources = ["issuers", "certificates", "certificaterequests", "orders", "challenges"]
resources = ["issuers", "certificates", "certificaterequests"]
verbs = ["*"]
}
rule {
api_groups = ["acme.cert-manager.io"]
resources = ["orders", "challenges"]
verbs = ["*"]
}
rule {
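
Review bot: The new `acme.cert-manager.io` rule copies `verbs = ["*"]` from the `cert-manager.io` rule, so whoever is bound to this role can create, modify and delete `orders` and `challenges` as well as read them. Moving those two resources to their own API group is correct, but if the workshop only needs to watch ACME progress, `verbs = ["get", "list", "watch"]` on that rule is enough. Enumerating the verbs on the `cert-manager.io` rule as well would avoid granting the wildcard on `issuers`, `certificates` and `certificaterequests`.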
Expand Down Expand Up @@ -105,7 +110,7 @@ resource "azurerm_subnet" "internal" {
name = "internal"
resource_group_name = azurerm_resource_group.main.name
virtual_network_name = azurerm_virtual_network.main.name
address_prefixes = ["10.0.2.0/24"]
address_prefixes = ["10.0.1.0/24"]
}

resource "azurerm_public_ip" "public" {
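
Review bot: The `address_prefixes` change from `10.0.2.0/24` to `10.0.1.0/24` on `azurerm_subnet.internal` has no explanation in the commit message or in a comment, and the address space of `azurerm_virtual_network.main` is not visible in this hunk. Please state why the range moved, and confirm the new prefix lies inside the virtual network's address space and does not overlap a subnet already in use.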
