Kube-Platform
Create production ready Development Platform for Kubernetes. It contains tools for:
- Monitoring, Alerting, Logging
- Ingress based adding of DNS entries and TLS Certificates
- Oauth based authentication
- CI/CD tool
In detail - installed tools are:
- Ingress Controller
- Prometheus mit node-exporter, Grafana, Alert Manager, kube-state-metrics etc.
- EFK Stack
- External DNS
- cert-manager
- oauth2-proxy
- keycloak
- argo Workflow, argo-events
Precondition
- Installed kustomize 2.0.1
- Running GKE Kubernetes Cluster with at least
n1-standard-2machines
Configuration
What you need to know now:
- An Email Adress for HTTPS-Certificate issues
- Your new DNS zone name (e.g.
kubeplatform.my.domain.io) - A GCP project ID (e.g.
my-google-project-223304)
Own OAUTH provider
KubePlatform comes with a preconfigured KeyCloak used for user management and oauth2 authentication. If you plan to use your own oauth provider, collect these parameters:
- An Issuer URL for OpenID Connect
- Client ID and its client secret
- Cookie Secret
Add these paramteres to:
- oauth2-proxy.properties
- patches/oauth2-proxy-patch.yaml
Installation
The installation consists basically of these parts
- GCE configuration
- Overlay Configuration
- Installing yamls on Kubernetes
GCE configuration
GCE Preparation and DNS Configuration
- Create a new DNS Zone and a ServiceAccount to be used by
external-dnsto add hosts to:
export PROJECT_ID=my-google-project-223304
export DOMAIN=kubeplatform.my.domain.io
gcloud dns managed-zones create "${DOMAIN//./-}" \
--dns-name "$DOMAIN." \
--description "Automatically managed zone by kubernetes.io/external-dns"
gcloud iam service-accounts create ${DOMAIN//./-} \
--display-name "${DOMAIN//./-} service account for external-dns"
gcloud iam service-accounts keys create ./google-credentials.json \
--iam-account ${DOMAIN//./-}@$PROJECT_ID.iam.gserviceaccount.com
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:${DOMAIN//./-}@$PROJECT_ID.iam.gserviceaccount.com --role roles/dns.admin- Ensure that the downloaded credential file
google-credentails.jsonis thegoogle-overlayfolder - Make a note of the nameservers that were assigned to your new DNS zone (and enter them as NS entries in your providers DNS):
gcloud dns record-sets list \
--zone "${DOMAIN//./-}" \
--name "$DOMAIN." \
--type NSOverlay Configuration
Configuration is made in these three files:
- kubeplatform.properties
- Enter the desired domain (e.g.
DOMAIN=kubeplatform.my.domain.io) - Enter the GCE project (e.g.
PROJECT=my-google-project-223304)
- Enter the desired domain (e.g.
- cluster-issuer-patch.yaml
- Enter two email adresses for Letsencrypt certificate. One for staging and one (or the same) for prod.
- kustomization.yaml
- Choose
namePrefix,nameSuffixandnamespace - If you plan to use letencrypt
prodenvironment instead ofstaging, change varCLUSTER_ISSUER_NAMEaccordingly
- Choose
Installing yamls
- create Kubernetes cluster and retrieve kubectl credentials
kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=my@google.account.com- create namespace you have chosen above
- execute
kustomize build google-overlay | kubectl apply -f -
Finalize
Wait until your PODs are running
Setup a User in Keycloak:
- A call to https://keycloak.$(DOMAIN)/auth/admin/ should point you to your Keycloak instance (usename is
keycloakpassword refer to your kustomization.yaml) - Add a user of your choice in Manage/Users (must have an email adress). Please refer to the respective keycloak documentation
You should then be able to use this user to go to:
- https://prometheus.$(DOMAIN)
- https://kibana.$(DOMAIN)
- https://grafana.$(DOMAIN)
- https://argo.$(DOMAIN)
using ARGO
For running basic workflows refer to the demos page.
For using it for CI refer to this example