Skip to content

Latest commit

 

History

History
287 lines (228 loc) · 7.4 KB

02.manage-aks.md

File metadata and controls

287 lines (228 loc) · 7.4 KB
Raw

Hands-on Lab - Day 2

Tools for this Lab

  • Azure Command-Line Interface (Az CLI) on Bash.

Exercise 4 - Deploy a Kubernetes ingress controller running NGINX

A Kubernetes ingress controller is software that provides layer 7 load balancer features, including: reverse proxy, configurable traffic routing and TLS termination for Kubernetes services.

The ingress controllers are exposed to the internet by using a Kubernetes service of type LoadBalancer.

Task 4 - Reconfigure the ratings web service to use ClusterIP

The ingress controller will be the entry point for all application traffic. There is no need to expose services as LoadBalancer services.

Go to the directory where you have the ratings-web-service.yaml file and change ratings-web service definition from LoadBalancer to ClusterIP

sed -i 's/LoadBalancer/ClusterIP/g' ratings-web-service.yaml

Redefine the service as ClusterIP

kubectl apply -n ratingsapp -f ratings-web-service.yaml

Check that all services are now ClusterIP

kubectl get services -n ratingsapp

Task 2 - Create a namespace for the ingress controller

kubectl create namespace ingress

Task 3 - Configure the Helm client to use the stable repository

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

Task 3 - Install the NGINX ingress controller with two replicas

helm install ingress-nginx ingress-nginx/ingress-nginx \
    --namespace ingress \
    --set controller.replicaCount=2 \
    --set controller.nodeSelector."kubernetes\.io/os"=linux \
    --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux

Task 6 - Set up an Ingress resource with a route to the ratings-web-service

Create a new yaml file

vi ratings-web-ingress.yaml

Paste the following definitions

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ratings-web-ingress
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ratings-web
            port:
              number: 80

Task 7 - Create the Ingress controller

Execute the following command

kubectl apply -n ratingsapp -f ratings-web-ingress.yaml

Task 8 - Check the public IP of the ingress service and navigate to that address with your browser

kubectl get services --namespace ingress -w

Exercise 5 - Enable SSL/TLS on the front-end ingress

The online security and privacy of user data is a primary concern for everybody. It's important the ratings website allows HTTPS connections to all customers.

This exercise demonstrate how to use cert-manager, which provides automatic Let's Encrypt certificate generation and management.

Task 1 - Deploy cert-manager

kubectl create namespace cert-manager

Task 2 - Install the Jetstack Helm repository to find and install cert-manager

helm repo add jetstack https://charts.jetstack.io
helm repo update

Task 3 - Deploy the cert-manager CRD (Custom Resource Definition)

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml

Task 4 - Install the cert-manager Helm chart

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.8.2

Task 5 - Verify the running pods on the cert-manager namespace

kubectl get pods --namespace cert-manager

Task 6 - Deploy a ClusterIssuer resource

Create a new yaml file

vi cluster-issuer.yaml

Paste the following text in the file and replace the email key with a valid email

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <your email> # IMPORTANT: Replace with a valid email from your organization
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx

Task 7 - Deploy the cluster-issuer configuration

kubectl apply \
    --namespace ratingsapp \
    -f cluster-issuer.yaml

Task 8 - Enable SSL/TLS for the ratings web service on the Ingress

Create a new yaml file

vi ratings-web-ingress.yaml

Add the following lines after line 6 (kubernetes.io/ingress.class: nginx) and before the rules key

cert-manager.io/cluster-issuer: letsencrypt
spec:
  tls:
    - hosts:
      - frontend.<ingress ip>.nip.io # IMPORTANT: update <ingress ip> with the dashed public IP of your ingress, for example frontend.13-68-177-68.nip.io
      secretName: ratings-web-cert

The yaml files should look like the following one but with your own dashed IP address

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ratings-web-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  tls:
    - hosts:
      - frontend.<ingress ip>.nip.io
      secretName: ratings-web-cert
  rules:
  - host: frontend.<ingress ip>.nip.io # IMPORTANT: update <ingress ip> with the dashed public IP of your ingress, for example frontend.40-78-121-234.nip.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ratings-web
            port:
              number: 80

Task 9 - Deploy the updated Kubernetes ingress file

kubectl apply \
    --namespace ratingsapp \
    -f ratings-web-ingress.yaml

Task 10 - Verify that the certificate was issued

kubectl describe cert ratings-web-cert --namespace ratingsapp

Task 11 - Test the application

Navigate to the host name configured on the ingress. For example, https://frontend.40-78-121-234.nip.io

Exercise 6 - Configure monitor for your application

The performance of a website depends on your cluster's performance. You can monitor the different components in your application, view logs and get alerts whenever you application goes down or some parts of it fail.

Task 1 - Define environment variables for this exercise

Identify the random number you used previously. It whould be the numeric characters at the end of your AKS cluster.

az aks list -o table

Assign the random number you used to the NUMBER variable. For example if your cluster's name is k8s-cluster7293 your should assign the variable as follows:

NUMBER="7293"

Define the rest of the variables

AKS_NAME="k8s-cluster"$NUMBER
LOCATION="westus"
REGISTRY="containerRegistry"$NUMBER
RESOURCE_GROUP="aksworkshop-RG"
WORKSPACE="aksworkshop-workspace-"$NUMBER

Verify variables

echo $AKS_NAME
echo $LOCATION
echo $REGISTRY
echo $RESOURCE_GROUP
echo $WORKSPACE

Task 2 - Create a Log Analytics workspace

az resource create --resource-type Microsoft.OperationalInsights/workspaces \
        --name $WORKSPACE \
        --resource-group $RESOURCE_GROUP \
        --location $LOCATION \
        --properties '{}' -o table

Task 3 - Get the workspace ID

WORKSPACE_ID=$(az resource show --resource-type Microsoft.OperationalInsights/workspaces \
    --resource-group $RESOURCE_GROUP \
    --name $WORKSPACE \
    --query "id" -o tsv)
echo $WORKSPACE_ID

Task 4 - Enable the AKS monitoring add-on

az aks enable-addons \
    --resource-group $RESOURCE_GROUP \
    --name $AKS_NAME \
    --addons monitoring \
    --workspace-resource-id $WORKSPACE_ID