In this tutorial we are going to set up a Kubernetes minion server that combines a basic guestbook app with oauth2_proxy.
Kubernetes is an open-source container orchestration and management system.
This tutorial assumes you have a functioning Kubernetes cluster. I did this in AWS.
This tutorial is based on the Kubernetes guestbook example. I have added a few adjustments to this in a git repository, but for most of it, you can follow along with their documentation.
1. Set up the Redis Master Deployment .yaml file.
2. Set up the Redis Master Service .yaml file.
   - Create the Redis Master Service and the Redis Master Deployment.
   - Using kubectl, check your services, pods, and deployments. You can also check the logs of a single pod. The instructions on how to do this are in the Kubernetes guestbook readme.
3. Repeat Steps 1 & 2 for the Redis Slave Service and Deployment, as well as the Front end Service and Deployment.
4. Allow external traffic into the cluster.
   - This allows external traffic into our minion.
   - I'll let you figure this one out.
   - There is an appendix in the guestbook docs on this.
5. Set up oauth2_proxy.
   - I assume you know something about oauth2_proxy. If not, read the documentation.
   - The .yaml files for oauth2_proxy can be found in my git repository.
   - Set up an oauth2proxy_service.yaml file as follows:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  labels:
    app: oauth2-proxy
    tier: backend
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 4180
  selector:
    app: oauth2-proxy
    tier: backend
```
   - Set up an oauth2proxy_deployment.yaml file as follows:
```yaml
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1 needs
# an explicit selector that matches the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
      tier: backend
  template:
    metadata:
      labels:
        app: oauth2-proxy
        tier: backend
    spec:
      containers:
      - name: oauth2-proxy
        image: estelora/oauth2_proxy
        # oauth2_proxy listens on 4180 (see --http-address below).
        ports:
        - containerPort: 4180
        # oauth2_proxy is configured entirely from its command line here, so no
        # volumes are mounted (an nginx conf.d mount with no matching volume
        # would be rejected by the API server).
        command:
        - oauth2_proxy
        # Kubernetes service discovery: "frontend" is the name of the guestbook
        # front end Service, resolved by cluster DNS.
        - --upstream=http://frontend
        # Please set the following values for your project.
        - --email-domain=example.com
        - --client-id=client-id.apps.googleusercontent.com
        # No quotes around the values: there is no shell here, so quote
        # characters would become part of the secret oauth2_proxy receives.
        - --client-secret=google-client-secret
        - --cookie-domain=.internal.example.com
        - --redirect-url=https://auth.internal.example.com/oauth2/callback
        - --cookie-secret=secret-chocolate-chip-cookie
        # Bind on all pod interfaces; this pod-internal address is what the
        # Service's targetPort points at.
        - --http-address=0.0.0.0:4180
```
- The port is set to 4180 in the container (containerPort and --http-address), in the Service targetPort, and in the Deployment.
- The command: list supplies oauth2_proxy's command-line arguments.
- The upstream shows Kubernetes service discovery: http://frontend is the cluster-internal DNS name of the guestbook front end Service (in the same namespace), so the proxy never needs a pod IP.
- For the proxy to be the only way in, the frontend Service must stay cluster-internal (type ClusterIP). If it is also exposed through its own LoadBalancer, anyone can reach the guestbook directly and skip authentication.
- The redirect URL is https and oauth2_proxy sets its session cookie with the Secure flag by default, so point auth.internal.example.com at the load balancer and terminate TLS there (or at the proxy). Over plain http the browser will not send the cookie back and the login loops.
- You can adjust your network with .yaml on the Kubernetes side.
- You can use kubectl logs to read a pod's output and kubectl exec to get a shell inside the container itself.
- Adjust firewalls (in AWS, security groups) for both your services and external load balancers.
- The client secret and cookie secret are plain text in the manifest and visible in kubectl describe. For anything beyond a demo, store them in a Kubernetes Secret and pass them through the OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET environment variables, which oauth2_proxy accepts in place of the flags.
- Deployment: a declaration of the desired state of a set of pods (image, replica count, labels); Kubernetes creates and replaces pods to match it.
- Minion: the older name for a node, a server that performs work, configures networking for containers, and runs the pods assigned to it.
- Service: a stable internal IP address and DNS name that load-balances across the pods matching its selector; with type LoadBalancer it is also exposed outside the cluster.
- Node: provisioned hardware (in this case, a VM in the cloud).
- Pod: a container or group of containers that share a network namespace and support each other to run tasks.
- Service Discovery: lets your code refer to other components by Service name (for example http://frontend) instead of a pod IP; cluster DNS resolves the name to the Service.
- Containers: a Docker (or other OCI-compatible) container running inside a pod.