Category Archives: Kubernetes

Create Certificates


title: “Create Certificates”
date: 2019-07-30T14:47:45
slug: create-certificates


Create CA Key

openssl genrsa -out ca.key 2048

Create CA CSR

openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr

Create CA Certificate (openssl x509 -req defaults to 30 days of validity, which is far too short for a cluster CA, so set -days explicitly; the CA key signs every other credential in the cluster, so keep ca.key off the nodes or at least mode 0600):

openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -out ca.crt

Create Admin Key

openssl genrsa -out admin.key 2048

Create Admin CSR (the CN becomes the Kubernetes user name and the O field, not OU, becomes the group: the apiserver's x509 authenticator reads groups from Organization only, so system:masters must be placed in O or the certificate authenticates as a user with no groups. Members of system:masters get unrestricted access that no RBAC rule can narrow, and because the apiserver checks no CRL or OCSP the only way to take it back is to replace the CA, so treat admin.key as a root credential):

openssl req -new -key admin.key -subj \
"/CN=kube-admin/O=system:masters" -out admin.csr

Create the Certificate

openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -days 365 -out admin.crt

Or in the case of a "ca.srl: No such file or directory" error (openssl keeps the CA's serial counter in a file that does not exist yet; let it create one):

openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.seq -days 365 -out admin.crt

Test the Admin Certificate (a JSON PodList back means the certificate was accepted and the group in O was honoured; a 403 Forbidden means the certificate was accepted but the user has no RBAC permission, typically because the group was put in OU; a TLS handshake error means the certificate was not issued by the CA the apiserver trusts):

curl https://kube-apiserver:6443/api/v1/pods \
--key admin.key --cert admin.crt --cacert ca.crt

Create Scheduler Key

openssl genrsa -out scheduler.key 2048

Create Scheduler CSR (the CN system:kube-scheduler is the user name the default RBAC bindings for the scheduler expect)

openssl req -new -key scheduler.key -subj \
"/CN=system:kube-scheduler" -out scheduler.csr

Create the Certificate

openssl x509 -req -in scheduler.csr -CA ca.crt -CAkey ca.key -days 365 -out scheduler.crt

Or in the case of a "ca.srl: No such file or directory" error:

openssl x509 -req -in scheduler.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.seq -days 365 -out scheduler.crt

Create API Server Key

openssl genrsa -out apiserver.key 2048

Create openssl.cnf

The [ dn ] section is only used when -subj is omitted (the -subj below overrides it). What matters are the SANs: every name or address a client may dial, i.e. the in-cluster service names, the cluster service IP (10.96.0.1 here) and the master's node or load balancer IP (172.17.0.87 here). keyUsage gets digitalSignature, which every ECDHE cipher suite needs; keyEncipherment alone only covers legacy RSA key exchange.

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = <country>
ST = <state>
L = <city>
O = <organization>
OU = <organization unit>
CN = <MASTER_IP>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 172.17.0.87

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

Create API Server csr

openssl req -new -key apiserver.key -subj \
"/CN=kube-apiserver" -out apiserver.csr -config openssl.cnf

Create Apiserver Certificate

openssl x509 -req does not copy the extensions from the CSR into the certificate, so the SANs above only reach apiserver.crt if the v3_ext section is passed at signing time. Without -extensions v3_ext -extfile openssl.cnf the certificate carries no subjectAltName at all and every client that dials kubernetes.default.svc or 10.96.0.1 fails host name verification (OpenSSL 3 can also copy them with -copy_extensions copy, but naming the section works on every version). -CAcreateserial avoids the "unable to load number from ca.srl" error on the first signing and is harmless once the serial file exists:

openssl x509 -req -in apiserver.csr \
-CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
-extensions v3_ext -extfile openssl.cnf -out apiserver.crt

Check that the SANs made it into the certificate before installing it:

openssl x509 -in apiserver.crt -noout -text | grep -A1 "Subject Alternative Name"

Gitlab external ingress


title: “Gitlab external ingress”
date: 2019-07-03T14:58:19
slug: gitlab-external-ingress


Edit the Ingress object the chart created (kubectl edit ingress gitlab-gitlab-ce); the generated one may be missing the backend, in which case add it as below. extensions/v1beta1 Ingress was removed in Kubernetes 1.22; on current clusters the same object is networking.k8s.io/v1 with backend.service.name and backend.service.port.

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  creationTimestamp: "2019-07-03T14:45:20Z"
  generation: 2
  labels:
    app: gitlab-gitlab-ce
    chart: gitlab-ce-0.2.2
    heritage: Tiller
    release: gitlab
  name: gitlab-gitlab-ce
  namespace: default
spec:
  rules:
    - host: gitlab.asanger.eu
      http:
        paths:
          - backend:
              serviceName: gitlab-gitlab-ce
              servicePort: 80
  tls:
    - hosts:
        - gitlab.asanger.eu
      secretName: gitlab-asanger-eu

values.yaml (the root, Postgres and Redis passwords below are plaintext placeholders: change them, keep the file out of version control, or pass them with --set or from a Secret):

Keep externalUrl on http. If it is set to https, the nginx bundled inside the GitLab container expects a certificate it does not have and crashes on start; TLS is terminated at the ingress instead, using the gitlab-asanger-eu secret.

image: gitlab/gitlab-ce:9.4.1-ce.0
externalUrl: http://gitlab.asanger.eu/
gitlabRootPassword: "changeme"
serviceType: LoadBalancer
ingress:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  enabled: true
  tls:
    - secretName: gitlab-asanger-eu
      hosts:
        - gitlab.asanger.eu
  url: gitlab.asanger.eu
sshPort: 22
httpPort: 80
httpsPort: 443
livenessPort: http
readinessPort: http
resources:
  ## GitLab requires a good deal of resources. We have split out Postgres and
  ## redis, which helps some. Refer to the guidelines for larger installs.
  ## ref: https://docs.gitlab.com/ce/install/requirements.html#hardware-requirements
  requests:
    memory: 1Gi
    cpu: 500m
  limits:
    memory: 2Gi
    cpu: 1
persistence:
  ## This volume persists generated configuration files, keys, and certs.
  ##
  gitlabEtc:
    enabled: true
    size: 1Gi
    ## If defined, volume.beta.kubernetes.io/storage-class: <storageClass>
    ## Default: volume.alpha.kubernetes.io/storage-class: default
    ##
    storageClass: local-disks
    accessMode: ReadWriteOnce
  ## This volume is used to store git data and other project files.
  ## ref: https://docs.gitlab.com/omnibus/settings/configuration.html#storing-git-data-in-an-alternative-directory
  ##
  gitlabData:
    enabled: true
    size: 10Gi
    ## If defined, volume.beta.kubernetes.io/storage-class: <storageClass>
    ## Default: volume.alpha.kubernetes.io/storage-class: default
    ##
    storageClass: local-disks
    accessMode: ReadWriteOnce
postgresql:
  # 9.6 is the newest supported version for the GitLab container
  imageTag: "9.6"
  cpu: 1000m
  memory: 1Gi
  postgresUser: gitlab
  postgresPassword: gitlab
  postgresDatabase: gitlab
  persistence:
    size: 10Gi
redis:
  redisPassword: "gitlab"
  resources:
    requests:
      memory: 1Gi
  persistence:
    size: 10Gi

error parsing HTTP 413 response body: invalid character '<' looking for beginning of value:


title: “error parsing HTTP 413 response body: invalid character '<' looking for beginning of value:”
date: 2018-11-21T12:51:41
slug: error-parsing-http-413-response-body-invalid-character


This is docker push against a registry behind ingress-nginx: the controller's default request body limit is 1m, so uploading an image layer gets a 413 with nginx's HTML error page, which the docker client then fails to parse as the JSON it expects. Raise the limit with the nginx.ingress.kubernetes.io/proxy-body-size annotation in the registry chart's values.yaml (100m here; choose a value above your largest layer, or 0 to disable the limit):

ingress:
  enabled: true
  path: /
  # Used to create an Ingress record.
  hosts:
    - registry.k8s
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
    # kubernetes.io/tls-acme: "true"
  tls:

docker with gui


title: “docker with gui”
date: 2018-10-29T09:59:48
slug: docker-with-gui


Run a container that can open X11 windows on the host display by passing DISPLAY, the X socket and the Xauthority cookie into it:

docker run -ti --rm -e DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v $HOME/.Xauthority:/root/.Xauthority --net=host debian

This hands the container the same X server access as your own session (any X client on a display can read keystrokes and grab the screen of the other clients), and --net=host removes network isolation, so use it only for images you trust.

kubelet config


title: “kubelet config”
date: 2018-10-21T16:26:21
slug: kubelet-config


Drop-in for the kubelet systemd unit (on kubeadm nodes /etc/systemd/system/kubelet.service.d/10-kubeadm.conf, followed by systemctl daemon-reload and systemctl restart kubelet). The --eviction-hard thresholds make the kubelet evict pods before the node itself runs out of memory or disk. Note that setting the flag replaces the kubelet's whole default set of hard thresholds rather than adding to it, so nodefs.inodesFree is no longer monitored with the value below:

Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --eviction-hard=memory.available<500Mi,nodefs.available<1Gi,imagefs.available<1Gi"

Ingress with TLS


title: “Ingress with TLS”
date: 2018-08-29T15:43:12
slug: ingress-with-tls


Install kube-lego, which watches Ingresses annotated kubernetes.io/tls-acme: 'true' and obtains Let's Encrypt certificates for their hosts. The first form is the minimal install; the second names the release and creates the RBAC objects, which is required on RBAC-enabled clusters:

helm install stable/kube-lego --namespace kube-system --set config.LEGO_EMAIL=YOUR_EMAIL,config.LEGO_URL=https://acme-v01.api.letsencrypt.org/directory
helm install stable/kube-lego --name kube-lego --namespace kube-system --set config.LEGO_EMAIL=ta@ta.vg,config.LEGO_URL=https://acme-v01.api.letsencrypt.org/directory,rbac.create=true

kube-lego is retired and the acme-v01 endpoint it talks to has since been shut down by Let's Encrypt; cert-manager is its replacement.

Then the Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: joomla-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: 'true'
spec:
  rules:
    - host: YOUR_DOMAIN
      http:
        paths:
          - path: /
            backend:
              serviceName: ingress-example-joomla
              servicePort: 80
  tls:
    - secretName: joomla-tls-cert
      hosts:
        - YOUR_DOMAIN