I was playing around with OpenFaaS and needed a local environment for it.
Install Ubuntu 20.04 Server in a virtual machine.
Install docker:
sudo apt-get remove docker docker-engine docker.io containerd runc
sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
    $(lsb_release -cs) \
    stable"
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
# the group change takes effect after logging out and back in (or after running: newgrp docker)
sudo usermod -a -G docker "$USER"
Install arkade and kubectl:
curl -sLS https://dl.get-arkade.dev | sudo sh
arkade get kubectl
echo "export PATH=\$PATH:\$HOME/.arkade/bin" >> ~/.bashrc
. ~/.bashrc
Download the latest version of minikube and start a new kubernetes cluster with docker as “backend”:
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube_latest_amd64.deb
sudo dpkg -i minikube_latest_amd64.deb
minikube start --driver=docker
Deploy a private Docker registry (domain docker-registry) that is accessible from the host (Ubuntu server), from minikube (Docker) and from the namespace where the OpenFaaS functions are deployed:
arkade install docker-registry
The output shows the password for the admin user; save it, because we need it later on. We also need to be able to access the registry "externally" (from outside the Kubernetes cluster) with a self-signed certificate:
export REGISTRY_PASSWORD='<password from output above>'
kubectl expose deploy/docker-registry --type=NodePort --name=docker-registry-external --port=5000
minikube addons enable ingress
# subjectAltName is included because current Docker releases reject certificates that only carry a CN
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -out docker-registry-ingress-tls.crt \
    -keyout docker-registry-ingress-tls.key \
    -subj "/CN=docker-registry/O=docker-registry-ingress-tls" \
    -addext "subjectAltName=DNS:docker-registry"
kubectl create secret tls docker-registry-ingress-tls \
    --key docker-registry-ingress-tls.key \
    --cert docker-registry-ingress-tls.crt
# quoted 'EOF' keeps the shell from expanding $1 in the rewrite-target annotation
cat <<'EOF' | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: 2048m
    nginx.ingress.kubernetes.io/rewrite-target: /$1
  name: docker-registry-ingress
  namespace: default
spec:
  rules:
  - host: docker-registry
    http:
      paths:
      - path: /(.*)
        pathType: Prefix
        backend:
          service:
            name: docker-registry-external
            port:
              number: 5000
  tls:
  - hosts:
    - docker-registry
    secretName: docker-registry-ingress-tls
EOF
sudo mkdir /usr/local/share/ca-certificates/docker-registry
sudo chmod 755 /usr/local/share/ca-certificates/docker-registry
sudo cp docker-registry-ingress-tls.crt /usr/local/share/ca-certificates/docker-registry
sudo chmod 644 /usr/local/share/ca-certificates/docker-registry/*
sudo update-ca-certificates
sudo mkdir -p /etc/docker/certs.d/docker-registry:443
sudo cp docker-registry-ingress-tls.crt /etc/docker/certs.d/docker-registry:443/ca.crt
scp -i "$(minikube ssh-key)" docker-registry-ingress-tls.crt docker@"$(minikube ip)":/home/docker
minikube ssh
# the commands below, up to "exit", run inside the minikube node
sudo mkdir /usr/local/share/ca-certificates/docker-registry
sudo chmod 755 /usr/local/share/ca-certificates/docker-registry
sudo cp docker-registry-ingress-tls.crt /usr/local/share/ca-certificates/docker-registry
sudo chmod 644 /usr/local/share/ca-certificates/docker-registry/*
sudo update-ca-certificates
sudo mkdir -p /etc/docker/certs.d/docker-registry:443
sudo cp docker-registry-ingress-tls.crt /etc/docker/certs.d/docker-registry:443/ca.crt
sudo kill -SIGHUP $(pidof dockerd)
sudo apt update && sudo apt install -y vim-tiny
sudo vim.tiny /etc/hosts # add docker-registry after minikube
exit
Install and deploy OpenFaaS and the command line tool, and log in to the OpenFaaS gateway:
arkade install faas-cli
arkade install openfaas
kubectl port-forward -n openfaas svc/gateway 8080:8080 &
PASSWORD=$(kubectl get secret -n openfaas basic-auth -o jsonpath="{.data.basic-auth-password}" | base64 --decode; echo)
echo -n "$PASSWORD" | faas-cli login --username admin --password-stdin
The deployed functions need authentication for the private docker registry:
kubectl create secret -n openfaas-fn docker-registry docker-registry-credentials \
    --docker-server=docker-registry:443 \
    --docker-username=admin \
    --docker-password="$REGISTRY_PASSWORD" \
    --docker-email=docker@example.com
kubectl edit serviceaccount default -n openfaas-fn
In the editor, add the following lines:
imagePullSecrets:
- name: docker-registry-credentials
Create a Docker client configuration file with the basic authentication for the private Docker registry:
mkdir -p ~/.docker/
cat > ~/.docker/config.json <<EOF
{
  "auths": {
    "docker-registry:443": {
      "auth": "$(echo -n "admin:$REGISTRY_PASSWORD" | base64)"
    }
  }
}
EOF
That should be it.
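An added check, not part of the original post: the auth value written to ~/.docker/config.json is only base64-encoded, so this Python sketch audits such a file for readable-by-others permissions and for an entry that does not decode to user:password. The function names and the sample password are constructed for illustration.

```python
import base64
import json
import os
import stat
import tempfile


def audit_docker_config(path, registry="docker-registry:443"):
    """Return a list of findings for one registry entry in a Docker client config."""
    findings = []
    # The auth value is only base64-encoded, so read access to the file is
    # read access to the registry password.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file mode {mode:04o} lets other users read the credentials")
    try:
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)
    except json.JSONDecodeError:
        # A base64 value wrapped over several lines breaks the JSON string.
        findings.append("config is not valid JSON")
        return findings
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        findings.append(f"no auths entry for {registry}")
        return findings
    try:
        decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        findings.append("auth is not valid base64")
        return findings
    user, sep, password = decoded.partition(":")
    if not (sep and user and password):
        findings.append("auth does not decode to user:password")
    return findings


def write_sample_config(path, user, password, registry="docker-registry:443"):
    """Write a config.json shaped like the one created above (constructed values)."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"auths": {registry: {"auth": auth}}}, fh)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "config.json")
        write_sample_config(sample, "admin", "constructed-password")
        os.chmod(sample, 0o644)
        print(audit_docker_config(sample))
        os.chmod(sample, 0o600)
        print(audit_docker_config(sample))
```

To audit the real file, call audit_docker_config(os.path.expanduser("~/.docker/config.json")).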