K8s pt.5 / Deploy replicaset & DNS Setting

Liebertar, published in Dev-ops, Feb 12, 2024 (6 min read)

Cover image by https://www.deployhq.com/

Try it yourself first.

This post explains what kind of YAML file a deployment needs and which basic pieces that file is composed of. Change the configuration yourself and test in as many environments as you can: debugging and refactoring your own setup is the best way to get used to a new stack.

(0) Label the Node

If you don't label your nodes and deploy without a nodeSelector, your application pod is scheduled on whichever node has room. Pinning an application to a specific node is not essential: if that node dies, the ReplicaSet recreates the pod on another eligible node. Labels do make it easier to see which tier runs where and to query nodes by role. Keep in mind that a nodeSelector is only a scheduling constraint on your own pod, not isolation; other workloads can still land on the same node. If a node must be reserved for one tier, taint it and give that tier a matching toleration.

`kubectl get nodes`

`kubectl label node <node-name> role=front` (or `role=back` for the backend node)

Remember these two commands. List the node names, then label each node with the key=value pair you want. (The `-A` flag that is sometimes added to `kubectl get nodes` does nothing here: it selects all namespaces, and nodes are not namespaced.)

(1) Deploy your Application with a Service (SVC) file

Create the YAML file for the deployment in whatever directory you want to keep it in. For example, I saved my deployment.yaml in the root directory of the application repository; the location does not matter. What does matter is that deployment.yaml contains the registry path of your image, how many replicas you want, and which node(s) they should run on.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextjs-app              # or nestjs-app, whatever you named your app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextjs-app           # must be a subset of the pod template labels below
  template:
    metadata:
      labels:
        app: nextjs-app
    spec:
      nodeSelector:
        role: front             # key: value exactly as you labeled the node in step (0)
      containers:
        - name: nextjs-container
          # prefer a fixed tag or an @sha256 digest over :latest, so a restart cannot pull a different image
          image: yourregistry.azurecr.io/yourapplication-front:latest
          ports:
            - containerPort: 3002

---
apiVersion: v1
kind: Service
metadata:
  name: nextjs-app-service
spec:
  selector:
    app: nextjs-app             # must match the pod labels, or the Service has no endpoints
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3002          # must match the containerPort above
  # LoadBalancer gives the app its own public IP. Once traffic enters through the Istio
  # ingress gateway in step (2), ClusterIP is enough and avoids a second, unprotected entry point.
  type: LoadBalancer
```

You can keep deployment.yaml and service.yaml as separate files if you prefer; I put them in one file, separated by `---`.

Go to the directory where your deployment.yaml file lives and run `kubectl apply -f deployment.yaml`.

You will see output like the following (the names reflect whichever app you deployed). Then check that the container reaches the Running state.

```
deployment.apps/nestjs-app created
service/nestjs-app-service created
```
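The three places where this file has to agree with itself (Deployment selector, pod labels, Service selector, and the Service targetPort against the containerPort) are where most "it applied fine but nothing answers" failures come from, and two more settings decide what the cluster exposes and pulls. The script below is an added example, not code from the original post: it runs those checks over dict equivalents of the manifest above and over a hardened variant (image pinned by a placeholder digest, Service kept internal). The dicts are constructed inline so the script runs offline; with PyYAML installed, `yaml.safe_load_all()` over the real file gives the same structures.

```python
"""Consistency and hardening check for the Deployment/Service pair.

Added example, not code from the original post. DEPLOYMENT and SERVICE are
dict equivalents of the page's deployment.yaml, constructed inline so this
runs offline. The digest in HARDENED_DEPLOYMENT is a placeholder.
"""
import copy


def _get(obj, *keys, default=None):
    """Walk nested dicts; return default as soon as a key is missing."""
    for k in keys:
        if not isinstance(obj, dict) or k not in obj:
            return default
        obj = obj[k]
    return obj


def check_pair(deployment, service):
    """Return a list of findings; an empty list means consistent and hardened."""
    findings = []
    selector = _get(deployment, "spec", "selector", "matchLabels", default={})
    pod_labels = _get(deployment, "spec", "template", "metadata", "labels", default={})
    containers = _get(deployment, "spec", "template", "spec", "containers", default=[])

    # Deployment.spec.selector must be a subset of the pod template labels;
    # the API server rejects the Deployment otherwise.
    for k, v in selector.items():
        if pod_labels.get(k) != v:
            findings.append(f"deployment selector {k}={v} is not in the pod template labels")

    # Service.spec.selector must match the pod labels too, or the Service
    # gets no endpoints and every request fails with a connection error.
    for k, v in _get(service, "spec", "selector", default={}).items():
        if pod_labels.get(k) != v:
            findings.append(f"service selector {k}={v} matches no pod label in {pod_labels}")

    # Every numeric targetPort must be a declared containerPort.
    container_ports = {p.get("containerPort") for c in containers for p in c.get("ports", [])}
    for p in _get(service, "spec", "ports", default=[]):
        target = p.get("targetPort", p.get("port"))
        if isinstance(target, int) and target not in container_ports:
            findings.append(f"targetPort {target} is not a containerPort {sorted(container_ports)}")

    # Supply chain: a floating tag (or no tag, which means :latest) lets a
    # rollout or node restart silently pull an image you never tested.
    for c in containers:
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
            findings.append(f"container {c.get('name')} image {image!r} is not pinned; use a fixed tag or @sha256 digest")

    # Exposure: type LoadBalancer gives the pod its own public IP, bypassing
    # whatever the Istio gateway later enforces (TLS, redirects, routing).
    if _get(service, "spec", "type") == "LoadBalancer":
        findings.append("service type LoadBalancer exposes the app outside the mesh; use ClusterIP behind the gateway")
    return findings


DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "nextjs-app"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "nextjs-app"}},
        "template": {
            "metadata": {"labels": {"app": "nextjs-app"}},
            "spec": {
                "nodeSelector": {"role": "front"},
                "containers": [{"name": "nextjs-container",
                                "image": "yourregistry.azurecr.io/yourapplication-front:latest",
                                "ports": [{"containerPort": 3002}]}],
            },
        },
    },
}
SERVICE = {
    "apiVersion": "v1", "kind": "Service", "metadata": {"name": "nextjs-app-service"},
    "spec": {"selector": {"app": "nextjs-app"},
             "ports": [{"protocol": "TCP", "port": 80, "targetPort": 3002}],
             "type": "LoadBalancer"},
}

# Hardened variants: image pinned by a (placeholder) digest, Service kept internal.
HARDENED_DEPLOYMENT = copy.deepcopy(DEPLOYMENT)
HARDENED_DEPLOYMENT["spec"]["template"]["spec"]["containers"][0]["image"] = (
    "yourregistry.azurecr.io/yourapplication-front@sha256:" + "0" * 64)
HARDENED_SERVICE = copy.deepcopy(SERVICE)
HARDENED_SERVICE["spec"]["type"] = "ClusterIP"

if __name__ == "__main__":
    for label, d, s in (("page", DEPLOYMENT, SERVICE), ("hardened", HARDENED_DEPLOYMENT, HARDENED_SERVICE)):
        print(f"{label}: {check_pair(d, s) or 'ok'}")
```

Run against the page's manifest it reports only the two hardening points (the `:latest` tag and the public LoadBalancer); a typo in either selector or in `targetPort` shows up as a finding before you apply anything.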

(2) Installing ISTIO in your Cluster

Because we use Istio to manage traffic from outside and inside the cluster, Istio has to be installed and its pods running first. You do not need the parts of the guide that deploy the demo application, since your own application is already ready.

https://istio.io/latest/docs/setup/getting-started/

(Screenshot of the page above; check the bottom three lines. — Liebertar)

When the installation has succeeded, you will see the ingress gateway (and, if you installed it, the egress gateway) pods running in the istio-system namespace.

The Gateway.yaml and VirtualService.yaml files look like this:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dynamic-dev-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway        # binds this Gateway to the istio-ingressgateway pods
  servers:
    - port:
        name: http
        number: 80
        protocol: HTTP
      hosts:
        - '*'                    # accepts any Host header; narrow this to your domain once you have one
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: dynamic-frontend-dev
  namespace: default             # same namespace as the Gateway it references
spec:
  hosts:
    - '*'
  gateways:
    - dynamic-dev-gateway        # must match the Gateway name above
  http:
    - route:
        - destination:
            host: nextjs-app-service   # the Service from step (1), resolved in this namespace
            port:
              number: 80
```

Run `kubectl get svc -A` to check that the services are working. You will find an EXTERNAL-IP allocated to istio-ingressgateway in the istio-system namespace (the blue line in the screenshot).

Copy that external IP and check that you can reach your application through it over plain HTTP.

(3) DNS Settings

This part differs depending on where you got your domain: a third party such as Cloudflare, or the cloud provider that hosts your cluster (Azure, AWS, Google).

What steps are we going through? Before the gateway can serve HTTPS on 443 we need a certificate from Let's Encrypt, and Let's Encrypt only issues one after we prove that the domain is ours. For a wildcard name that proof is a DNS TXT record (the DNS-01 challenge), which is what `certbot --manual` walks you through below. Port 80 is not used for the validation itself; it is only redirected to 443 once the certificate is in place.

Follow the steps below command by command. Be careful with the part where certbot prints the random challenge value. Note also that a wildcard `*.your-domain.com` does not cover the bare `your-domain.com`; if you want both, enter `your-domain.com,*.your-domain.com` at the domain prompt.

<Creating the secret / binding the domain>

(1) sudo certbot certonly --manual

```
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): youremail@youremail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel):*.your-domain.com
Requesting a certificate for *.your-domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.your-domain.com
with the following value:

# copy this value; it is the TXT record content you need in the next step
lXEBPgqa4OF1ZcSvAve3CgsaJM7Ox03jpRBBLZV3qYk

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.your-domain.com.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```

(2) DNS settings at the domain provider
# To serve the bare domain, www, and any other subdomain we need two A records at the domain provider, plus the TXT record certbot asked for.
# The TXT record can be removed after the certificate is issued; it only exists so Let's Encrypt can confirm you control the DNS zone.

Type | Host            | Value / location                             | TTL
-----|-----------------|----------------------------------------------|-----
A    | @               | istio-ingressgateway EXTERNAL-IP             |
A    | *               | istio-ingressgateway EXTERNAL-IP             |
TXT  | _acme-challenge | lXEBPgqa4OF1ZcSvAve3CgsaJM7Ox03jpRBBLZV3qYk |


(3) Copy the paths certbot prints when issuance succeeds
Certificate is saved at: /etc/letsencrypt/live/your-domain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/your-domain.com/privkey.pem

(4) Use those paths to create the TLS secret in the cluster (sudo only because the files under /etc/letsencrypt are readable by root alone)
`sudo kubectl create -n istio-system secret tls your-application-tls --cert /etc/letsencrypt/live/your-domain.com/fullchain.pem --key /etc/letsencrypt/live/your-domain.com/privkey.pem`



<Revise your Gateway YAML file>
# Finishing the process above means you have proven ownership of the domain and the private key now lives in a Secret in istio-system; treat read access to Secrets in that namespace as access to the key. Certificates issued with `certbot --manual` are valid for 90 days and are not renewed automatically without hooks, so plan to repeat the issuance and replace the Secret. Now revise the Gateway YAML to redirect port 80 to 443 and terminate TLS. If you rename the Gateway, point the `gateways` entry of the VirtualService at the new name.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: your-application-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        name: http
        number: 80
        protocol: HTTP
      hosts:
        - "*"
      tls:
        httpsRedirect: true          # answer plain HTTP with a 301 to https://
    - port:
        name: https
        number: 443
        protocol: HTTPS
      hosts:
        - "*"                        # matches any SNI, which makes the explicit entry below redundant;
        - "your-domain.com"          # in production drop "*" and list only the names the certificate covers
      tls:
        mode: SIMPLE                 # the gateway terminates TLS with the server certificate (no client certs)
        credentialName: your-application-tls   # the Secret created in istio-system in step (4)
```
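Once TLS is on, a few Gateway settings decide how much of it actually holds: plain HTTP must redirect, the HTTPS server must terminate with a Secret-backed certificate and an explicit minimum TLS version, and `"*"` in hosts should give way to the names the certificate covers. The script below is an added example, not from the original post or from Istio's documentation: PAGE_GATEWAY is a dict equivalent of the revised Gateway above (the first Gateway from step (2) would fail the same checks), and HARDENED_GATEWAY is a stricter variant in which `your-domain.com` and `*.your-domain.com` are assumed to be the served names. Both are constructed inline so the script runs offline; `yaml.safe_load()` over the real file gives the same structure.

```python
"""Hardening check for an Istio Gateway. Added example, not from the original
post or from Istio. PAGE_GATEWAY mirrors the revised Gateway on the page;
HARDENED_GATEWAY is a stricter variant whose served names are assumptions.
"""


def check_gateway(gw):
    """Return findings for one Gateway; an empty list means it passes."""
    findings = []
    spec = gw.get("spec", {})
    if spec.get("selector", {}).get("istio") != "ingressgateway":
        findings.append("selector does not target the istio ingressgateway pods")
    servers = spec.get("servers", [])
    for srv in servers:
        port = srv.get("port", {})
        proto = str(port.get("protocol", "")).upper()
        tls = srv.get("tls") or {}
        hosts = srv.get("hosts", [])
        where = f"{proto}/{port.get('number')}"
        if "*" in hosts:
            findings.append(f"{where}: hosts contains '*', so any SNI/Host is accepted; list the names the cert covers")
            if len(hosts) > 1:
                findings.append(f"{where}: explicit hosts {[h for h in hosts if h != '*']} are redundant next to '*'")
        if proto == "HTTP" and not tls.get("httpsRedirect"):
            findings.append(f"{where}: plaintext server without tls.httpsRedirect")
        if proto == "HTTPS":
            if tls.get("mode") not in ("SIMPLE", "MUTUAL"):
                findings.append(f"{where}: tls.mode must be SIMPLE or MUTUAL for a terminating gateway")
            if not tls.get("credentialName"):
                findings.append(f"{where}: no credentialName; use a Secret in istio-system instead of serverCertificate/privateKey file paths")
            if tls.get("minProtocolVersion") not in ("TLSV1_2", "TLSV1_3"):
                findings.append(f"{where}: minProtocolVersion not pinned to TLSV1_2 or TLSV1_3")
    if not any(str(s.get("port", {}).get("protocol", "")).upper() == "HTTPS" for s in servers):
        findings.append("no HTTPS server: everything stays in plaintext")
    return findings


def _gateway(name, http_hosts, https_hosts, min_tls=None):
    """Build a Gateway dict in the shape of the page's YAML."""
    https_tls = {"mode": "SIMPLE", "credentialName": "your-application-tls"}
    if min_tls:
        https_tls["minProtocolVersion"] = min_tls
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "Gateway",
        "metadata": {"name": name, "namespace": "default"},
        "spec": {
            "selector": {"istio": "ingressgateway"},
            "servers": [
                {"port": {"name": "http", "number": 80, "protocol": "HTTP"},
                 "hosts": http_hosts, "tls": {"httpsRedirect": True}},
                {"port": {"name": "https", "number": 443, "protocol": "HTTPS"},
                 "hosts": https_hosts, "tls": https_tls},
            ],
        },
    }


# The page's revised Gateway, and a stricter one (served names are assumptions).
PAGE_GATEWAY = _gateway("your-application-gateway", ["*"], ["*", "your-domain.com"])
HARDENED_GATEWAY = _gateway("your-application-gateway",
                            ["your-domain.com", "*.your-domain.com"],
                            ["your-domain.com", "*.your-domain.com"], min_tls="TLSV1_2")

if __name__ == "__main__":
    for label, gw in (("page", PAGE_GATEWAY), ("hardened", HARDENED_GATEWAY)):
        print(f"{label}: {check_gateway(gw) or 'ok'}")
```

Against the page's Gateway it flags the wildcard on both servers, the redundant explicit host, and the unpinned minimum TLS version; the hardened variant passes clean. The `minProtocolVersion` field belongs to Istio's `ServerTLSSettings` and accepts `TLSV1_2` or `TLSV1_3`.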

<Check HTTPS + URL>
Open https://www.your-domain.com or https://your-domain.com and check that your site is served over HTTPS with a valid certificate (the bare domain only validates if you included it at the certbot prompt).

Had you used the HTTP-01 challenge instead, certbot would need the `/.well-known/acme-challenge/<token>` path served on port 80 through your Gateway and VirtualService, and the routing rules there are a common reason that validation fails. The DNS-01 flow above sidesteps the gateway entirely; either way, it helps to know your way around your YAML and how your HTTP routes are set up.
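The wildcard requested at the certbot prompt covers `www.your-domain.com` but not the bare `your-domain.com`, because browsers match a hostname against the certificate's subjectAltName entries with strict rules: a wildcard is honoured only as the whole left-most label and it stands for exactly one label. The following script is added here and is not part of the original post; it implements those rules and reports which of the names you plan to serve a given SAN list leaves uncovered. The SAN lists are constructed from the page's placeholders; for a real certificate take the names from `openssl x509 -in fullchain.pem -noout -ext subjectAltName`.

```python
"""Which hostnames does a certificate's SAN list actually cover?

Added example, not from the original post. PAGE_SANS and FIXED_SANS are
constructed from the page's placeholder domain.
"""


def san_matches(san: str, host: str) -> bool:
    """True if the SAN entry covers host (case-insensitive, trailing dot ignored)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    if not san.startswith("*.") or "*" in san[1:]:
        return False  # partial or multiple wildcards: neither issued by public CAs nor trusted by browsers
    san_labels, host_labels = san.split("."), host.split(".")
    # The wildcard stands for exactly one label, so the label counts must agree;
    # this is why '*.your-domain.com' covers neither 'your-domain.com' nor 'a.b.your-domain.com'.
    if len(san_labels) != len(host_labels) or len(san_labels) < 3:
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_hosts(sans, hosts):
    """Hostnames that no SAN entry covers; these fail TLS verification in a browser."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


PAGE_SANS = ["*.your-domain.com"]                       # what the post requested
FIXED_SANS = ["your-domain.com", "*.your-domain.com"]   # what to request for apex + subdomains
WANTED = ["your-domain.com", "www.your-domain.com", "api.your-domain.com", "a.b.your-domain.com"]

if __name__ == "__main__":
    print("page cert leaves uncovered: ", uncovered_hosts(PAGE_SANS, WANTED))
    print("fixed cert leaves uncovered:", uncovered_hosts(FIXED_SANS, WANTED))
```

If the bare domain shows up as uncovered, re-run certbot with `your-domain.com,*.your-domain.com` at the domain prompt; certbot will then ask for two TXT values under the same `_acme-challenge.your-domain.com` name, and both must be present at once. Recreate the Secret afterwards.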

02.12.2024 — Fin.
