Changes


Kubernetes

2,381 bytes added, 21:07, 8 August 2021
/* Add your own Service */
== Kubernetes cluster available at @ FIXME:==
Endpoint: https://62.220.135.205:6443

=== Information ===

* Endpoint: k8s.fixme.ch
* Credentials are available in file metafook8s:/etc/kubernetes/admin.conf.
* Currently running on [[Bellatrix]]
* Backup: https://git.fixme.ch/Comite/fixme-kube-backup (restricted for secret access)
Currently running

=== Services ===

* Some services that are deployed on our instance
** [[MetaFooChat]]
** [[Etherpad]]
** [[Power|Power monitoring]]
** Fablab wiki
** [[LED_Lighting|Led API endpoint]]
** [[Trigger]]
** [[MQTT|MQTT gateway]]
** gitlab: ongoing

=== Add your own Service ===

A service is composed of:
* A deployment
* A service
* An ingress controller at minimum

==== SSL ====

* We use cert-manager to manage Let's Encrypt certs; you only need to add this annotation to your Ingress Controller for it to manage your cert:
<pre>
ubuntu@k8s:~$ k edit -n mattermost ingress/mattermost-ingress
[...]
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
[...]
</pre>

=== Debug ===

==== Access impossible ====

Sometimes the eth interface gets into a bad state (cause still to be investigated) and you have to reconfigure it:

<pre>
ubuntu@k8s:~$ sudo ip addr add 62.220.135.219/32 dev ens6
</pre>

It should look like this:
<pre>
ubuntu@k8s:~$ ip -4 a show ens6
2: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 62.220.135.205/26 brd 62.220.135.255 scope global ens6
       valid_lft forever preferred_lft forever
    inet 62.220.135.219/32 scope global ens6
       valid_lft forever preferred_lft forever
</pre>

==== Certificate expiration ====

Sometimes K8S gets into a bad state; something like this might help regenerate the certs:

<pre>
# Service state
systemctl stop kubelet.service
systemctl restart docker.service

# Backup (these copies contain the cluster's private keys and etcd data)
rsync -av /etc/kubernetes/ /root/kubernetes-$(date +%s)/
rsync -av /var/lib/etcd/ /root/etcd-$(date +%s)/

# Remove the kubeconfig files that embed the old client certificates
cd /etc/kubernetes
rm {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf}

# Remove the certificates and keys to be regenerated
cd /etc/kubernetes/pki
rm {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt}

# Regen certificates
cd
kubeadm init phase certs all --apiserver-advertise-address 62.220.135.205 --ignore-preflight-errors=all
kubeadm init phase kubeconfig all
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

# Check states
kubeadm join 62.220.135.205:6443 --token XXX --discovery-token-ca-cert-hash YYY --ignore-preflight-errors=all
kubectl get nodes
kubectl get all
</pre>
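
A read-only check to run before the destructive steps above, as an added example that is not part of the wiki page: it lists which certificates under the PKI directory, and which client certificates embedded in the kubeconfig files, expire within a given number of days. The function names are hypothetical, and it assumes <code>openssl</code> and <code>base64</code> are installed and that kubeconfigs embed the certificate as <code>client-certificate-data</code>.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.
# Lists kubeadm certificates that expire within DAYS, without changing anything.

# cert_expires_within DAYS: reads one PEM certificate on stdin.
# Returns 0 if it expires within DAYS days (or cannot be parsed).
cert_expires_within() {
    ! openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# kubeconfig_client_cert FILE: prints the first embedded client certificate
# (base64 in client-certificate-data) as PEM; prints nothing if there is none.
kubeconfig_client_cert() {
    sed -n 's/^ *client-certificate-data: *//p' "$1" | head -n 1 | base64 -d 2>/dev/null
}

# expiring_certs PKI_DIR KUBECONFIG_DIR DAYS: prints one path per line.
expiring_certs() {
    ec_pki=$1; ec_conf=$2; ec_days=$3
    for ec_crt in "$ec_pki"/*.crt "$ec_pki"/etcd/*.crt; do
        [ -f "$ec_crt" ] || continue
        if cert_expires_within "$ec_days" < "$ec_crt"; then echo "$ec_crt"; fi
    done
    for ec_kc in "$ec_conf"/*.conf; do
        [ -f "$ec_kc" ] || continue
        ec_pem=$(kubeconfig_client_cert "$ec_kc") || ec_pem=""
        # A kubeconfig may reference a certificate file instead of embedding it.
        [ -n "$ec_pem" ] || continue
        if printf '%s\n' "$ec_pem" | cert_expires_within "$ec_days"; then echo "$ec_kc"; fi
    done
    return 0
}

# Usage on the control-plane node, with the paths used on this page:
#   expiring_certs /etc/kubernetes/pki /etc/kubernetes 30
```

Files it prints are the ones the regeneration procedure needs to replace; an empty result means expiry is not the cause of the outage.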
ControlGroup, administrator