Microk8s Install Cert-manager

Install

First, install microk8s and enable helm3 and ingress using microk8s enable helm3 ingress.

Then install cert-manager with helm using the following command by [Envekus](https://www.reddit.com/r/kubernetes/comments/g3z5sp/microk8s_with_certmanager_and_letsecncrypt/).

microk8s kubectl create namespace cert-manager
microk8s helm3 repo add jetstack https://charts.jetstack.io
microk8s helm3 repo update
microk8s helm3 install cert-manager jetstack/cert-manager \
  --namespace cert-manager --version v0.15.2 \
  --set installCRDs=true \
  --set ingressShim.defaultIssuerName=letsencrypt-production \
  --set ingressShim.defaultIssuerKind=ClusterIssuer \
  --set ingressShim.defaultIssuerGroup=cert-manager.io

Then set up the cluster issuer with the following command.

microk8s kubectl apply -f - <<YAML
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    email: user@example.com # placeholder: replace with your own contact address
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-production-issuer-account-key
    solvers:
    - selector: {}
      http01:
        ingress:
          class: public
YAML

Then you will be able to generate the certificate. The ingress class in microk8s is public for me. With any other class, the endpoint for ACME validation is not generated.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: example
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "public"
    cert-manager.io/cluster-issuer: "letsencrypt-production"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls-acme
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: example
              servicePort: 8080

Alipay Sdk Learn

Istio Upstream Connection Overflow

Background

I found some failed requests with 503 errors for the microservice deployment in OpenShift 4.5 with Service Mesh v1. The error shown is "upstream connect error or disconnect/reset before headers. reset reason: overflow".

Problem

I found the solution while searching and referring to the documentation. It is because Service Mesh v1 is using [Istio 1.3](https://istio.io/v1.3/docs/reference/config/networking/v1alpha3/destination-rule/#ConnectionPoolSettings-HTTPSettings), and the connection pool is set to 1024 for http1MaxPendingRequests, http2MaxRequests, etc. This is different from version 1.8, where the default is 2^32-1. Therefore, these values need to be set differently.

Solution

I believe this is not really a good solution, and it requires some time to investigate, but you can increase those settings with destination rules.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sample-destinationrule
spec:
  host: sample
  trafficPolicy:
    loadBalancer:
      simple: RANDOM
    connectionPool:
      http:
        http1MaxPendingRequests: 10240
        http2MaxRequests: 10240
  subsets:
  - name: v1
    labels:
      version: "v1"
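
Before raising the limits, it is worth confirming that the 503s really come from the sidecar's connection-pool circuit breaker. The following is an added example, not part of the original post: it filters Envoy stats for non-zero overflow counters. The sample stats are constructed, and the function names and the pod placeholder are assumptions.

```shell
#!/bin/sh
# Constructed sample of Envoy "/stats" output (not captured from a real cluster).
sample_stats() {
cat <<'EOF'
cluster.outbound|8080||sample.default.svc.cluster.local.upstream_rq_pending_overflow: 37
cluster.outbound|8080||sample.default.svc.cluster.local.upstream_rq_503: 37
cluster.outbound|8080||sample.default.svc.cluster.local.upstream_cx_overflow: 0
cluster.outbound|9090||other.default.svc.cluster.local.upstream_rq_pending_overflow: 0
cluster.outbound|9090||other.default.svc.cluster.local.upstream_rq_total: 5120
EOF
}

# Reads Envoy stats on stdin and prints "<cluster> <counter> <value>" for each
# circuit-breaker overflow counter that is greater than zero.
#   upstream_rq_pending_overflow: requests rejected by the pending/max-requests limit
#   upstream_cx_overflow:         connections rejected by the max-connections limit
overflow_report() {
  awk -F': ' '
    /\.upstream_(rq_pending|cx)_overflow: / && ($2 + 0 > 0) {
      cluster = $1
      counter = $1
      sub(/^cluster\./, "", cluster)
      sub(/\.upstream_[a-z_]+$/, "", cluster)
      sub(/^.*\.upstream_/, "upstream_", counter)
      print cluster, counter, $2
    }'
}

# Live input (assumption: curl is available in the sidecar image; <pod> is a placeholder):
#   kubectl exec <pod> -c istio-proxy -- curl -s localhost:15000/stats | overflow_report
sample_stats | overflow_report
```

A non-zero upstream_rq_pending_overflow for the destination cluster matches the "reset reason: overflow" error; if every overflow counter is zero, the 503s have another cause and raising the DestinationRule limits will not help.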

Kubernetes Debugging Network

When you try to debug the network inside Kubernetes, not many tools are available, since most images remove unused commands. The easy way is to use busybox by deploying a pod with the following command line:

kubectl run -i --tty --rm debug --image=busybox --restart=Never -- sh

Then you have access to telnet, nc, etc.

Kube Rolling Update

https://stackoverflow.com/questions/53591417/kubernetes-kubectl-apply-does-not-update-pods-when-using-latest-tag