e1e0.net

manage-k8s-from-openbsd.md (7291B)

---

 Title: Manage Kubernetes clusters from OpenBSD
 Author: paco
 Date: 2020-05-08
 Type: article
 
 _This should work with OpenBSD `6.7`.  I write this while the source tree is
 locked for release, so even if I use `-current` this is as close as `-current`
 gets to `-release`_
 
 _Update 2020-06-05: we now have [a port for kubectl][6].  So, at least in
 `-current` things get a bit easier._
 
 ## Intro
 
 Some of us have to suffer the pain of the trendy tech and the buzzwords even
 when it does not provide much benefit.  But hey ! we have to be cool kids
 playing with cool tech, right ?
 
 Nowadays, its containers _all the way down_.  As I like to say, this solves
 some problems and brings others, but I digress and this can become a rant
 quicker than you think.
 
 In this article I want to talk about how I do for manage work infrastructure
 (all cloudy and containery) from the comfort of my OpenBSD-current workstation.
 
 ## Objective
 
 Before I tried all this I had a Linux VM running on `vmd(8)` so I could have
 all the command line tools to work with Google Cloud Platform (from now on
 `gcp`) and Google Kubernetes Engine (from now on `gke`), which are the cloudy
 and containery providers we use at work.
 
 My goal was to have all the needed tools working on OpenBSD so I do not have to
 fire up the VM, and avoid the hassle of moving YAML files around.
 
 In my case I need those cli tools:
 
 * `gcloud`: Google Cloud SDK, for managing Compute Engine VMs, Cloud Storage
     buckets, etc.
 * `kubectl`: to manage Kubernetes stuff directly.
 * `kustomize`: [This one][1] allows to have a base configuration for the
     Kubernetes YAML definitions and overlays that can modify that base.  In our
     case for different environments.
 * `fluxctl`: We have all those YAMLs on a git repository, and [flux][2] makes
     it be the _source of truth_.  Before this, there was always sync problems
     between what was on the repo and what was actually deployed on the
     Kubernetes cluster.
 * `kubeseal`: We use [sealed secrets][3] to store sensible data on the
     repository.
 
 Luckily, there's a port for Google Cloud SDK, and the others are written in Go,
 and can be compiled for OpenBSD (with some tweaks).
 
 ## Google Cloud SDK
 
 This is not the most used tool for me, but is essential as it provides
 authentication for all the others.
 As I said, there's a port for it, so install it is as simple as:
 
     $ doas pkg_add google-cloud-sdk
 
 After that one needs to log in.  Execute this command and follow the
 instructions:
 
     $ gcloud init
 
 More info [here][4]
 
 If you manage more than one Google Cloud Project (as I do), the configuration
 files are placed on `~/.config/gcloud/configurations/`.
 
 You'll see there's a `config_default` file.  You can copy that to
 `config_whatever` and edit the file (it's in _ini_ format) to fit your needs.
 Later on you can change projects with:
 
     $ gcloud config configurations activate whatever
 
 ## kubectl
 
 There's no port for `kubectl` ~~(yet, if you want to step in, I promise to test
 it, give feedback and maybe even commit it !),~~ on `6.7` but it can be compiled and
 installed manually.  We have [a port now on -current][6] thanks to
 Karlis Mikelsons and _@kn_.
 
 I assume that you have a Go environment working.
 
 At first I tried to go the easy route, as some devs (_abieber@ and kn@_) told
 me that that it was working, maybe this does the trick for you:
 
     $ go get -u github.com/kubernetes/kubernetes/cmd/kubectl
 
 Unfortunately it did not for me.  I had to delete some old stuff on
 `$GOPATH/src` that I think it was outdated and the `-u` did not handle
 correctly for some reason.  After that it compiled and installed perfectly on
 `$GOPATH/bin`. If you do not use `gke` as a provider you're all set here, but
 (there's always a but) after get the credentials (more on that later) I got
 this error:
 
     error: no Auth Provider found for name "gcp"
 
 For some reason it seems the auth provider I need fails to compile and gives no
 error at all.
 
 So, to solve this I took a peak at the FreeBSD port to see how they do things.
 Long story short, I downloaded the stable version they use in the port and used
 the same parameters they use to compile.  Basically get the source tarball for
 `1.18.2` (at the time of writing), then go to `kubernetes-1.18.2/cmd/kubectl`
 and compile with those options:
 
 
 ```
 go build -ldflags="-X k8s.io/component-base/version.gitMajor=1 -X k8s.io/component-base/version.gitMinor=18 -X k8s.io/component-base/version.buildDate=$(date +'%Y-%m-%dT%H:%M:%SZ') -X k8s.io/component-base/version.gitCommit=\"\" -X k8s.io/component-base/version.gitVersion=v1.18.2 -X k8s.io/client-go/pkg/version.gitVersion=v1.18.2"
 ```
 
 I have the impression that the only one needed is the last `-X`, but I couldn't
 be bothered of cheking further.  So one can get the configuration for the auth
 provider as usual right ?
 
     gcloud container clusters get-credentials my-cluster-name
 
 Wrong.  For some reason this does not work.  The error message urges you to use
 _"application default credentials"_, so a couple more steps are needed:
 
     gcloud config set container/use_application_default_credentials true
     gcloud auth application-default login
 
 And now finally `kubectl` is working.  You'll have to repeat this 3 last steps
 if you have more than one project or cluster to manage.
 
 ## kustomize
 
 If you have to suffer Kubernetes and don't know about [kustomize][5].  Take
 a look, you'll thank me later.
 
 It's out of the scope of this article to explain what it is and how to use it
 (which is a fancy way of saying RTFM).
 
 There's no port for this one either but, it's really easy, just "go get it":
 
     GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v3
 
 ## fluxctl
 
 Again, no port for this one either.  I had to use the same technique as with
 `kubectl` because the "go get" was failing with a type mismatch on one of the
 dependencies `k8s.io/client-go/transport/round_trippers.go`.
 
 I took a quick look at the code, but the offending lines were there since 2016,
 so I avoided the potential rabbit hole and went for the easy ride.
 
 Download the last tarball (`1.19.0` at the time of writing), go to
 `flux-1.19.0/cmd/fluxctl` and then `go build`.
 
 That went flawlessly.
 
 ## kubeseal
 
 This one is quite nice to manage sensible data.  It keeps the data on the
 source repo encrypted and it can only be decrypted by the controller installed
 on the Kubernetes cluster.  Again, it's out of the scope ... blah blah ...
 
 Really easy one.  Just "go get" it and be happy:
 
     go get -u github.com/bitnami-labs/sealed-secrets/cmd/kubeseal
 
 ## Conclusion
 
 And finally, I can use all those _wonderful_ commands to manage that
 _fantastic_ infrastructure from OpenBSD.
 
 To be honest, at least they do a good job to work with each other and with
 other classic tools, which means they play quite nice with the
 pipeline/redirection composition ways of the shell.
 
 I really doubt that there's much OpenBSD users managing Kubernetes clusters out
 there, but maybe this could be useful to somebody.
 
 [1]: https://kustomize.io/
 [2]: https://fluxcd.io/
 [3]: https://github.com/bitnami-labs/sealed-secrets
 [4]: https://cloud.google.com/sdk/docs/quickstart-linux#initialize_the_sdk
 [5]: https://kustomize.io
 [6]: https://marc.info/?l=openbsd-ports-cvs&m=159136413409093&w=2