jason/socktop-webterm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6e48c095ab
socktop-webterm/kubernetes/INDEX.md

307 lines
9.1 KiB
Markdown
Raw Normal View History

Initial commit: Socktop WebTerm with k3s deployment - Multi-architecture Docker image (ARM64 + AMD64) - Kubernetes manifests for 3-replica deployment - Traefik ingress configuration - NGINX Proxy Manager integration - ConfigMap-based configuration - Automated build and deployment scripts - Session monitoring tools
2025-11-28 09:31:33 +00:00
# Socktop WebTerm - Kubernetes Deployment Guide
Complete Kubernetes deployment manifests and tools for running Socktop WebTerm on your k3s cluster.
## 📁 Files Overview
### Core Manifests (Deploy in Order)
1. **`01-configmap.yaml`** - Configuration files (profiles.json, alacritty.toml, theme)
2. **`02-secret.yaml`** - TLS certificates for Raspberry Pi nodes (placeholder)
3. **`03-deployment.yaml`** - Main deployment with 3 replicas, host networking
4. **`04-service.yaml`** - Service with session affinity for terminal connections
5. **`05-ingress.yaml`** - Ingress with TLS, WebSocket support, and multiple domains
### Deployment Tools
- **`deploy.sh`** - Automated deployment script (recommended)
- **`kustomization.yaml`** - Kustomize configuration for advanced deployments
### Documentation
- **`INDEX.md`** - This file - overview and quick navigation
- **`QUICKSTART.md`** - Get running in 5 minutes
- **`README.md`** - Comprehensive deployment guide
- **`CHECKLIST.md`** - Pre-deployment checklist
## 🚀 Quick Start
### Fastest Way to Deploy
```bash
cd kubernetes
./deploy.sh
```
The script handles everything automatically!
### Manual Deployment
```bash
kubectl apply -f 01-configmap.yaml
kubectl apply -f 02-secret.yaml
kubectl apply -f 03-deployment.yaml
kubectl apply -f 04-service.yaml
kubectl apply -f 05-ingress.yaml
```
Or all at once:
```bash
kubectl apply -f .
```
## 📋 Prerequisites
Before deploying, ensure you have:
- ✅ k3s cluster running (3+ nodes recommended)
- ✅ kubectl configured
- ✅ Traefik Ingress Controller (default with k3s)
- ✅ External NGINX Proxy Manager for SSL termination
- ✅ DNS records pointing to external IP (socktop.io, www.socktop.io, origin.socktop.io)
- ✅ Insecure registry configured for `192.168.1.208:3002`
- ✅ Proxy hosts configured in NGINX Proxy Manager to forward to k3s on port 8080
**See `CHECKLIST.md` for complete pre-deployment verification.**
## 🔧 Configuration Overview
### Deployment Specs
- **Replicas**: 3 (adjust in `03-deployment.yaml`)
- **Image**: `192.168.1.208:3002/jason/socktop-webterm:0.2.0`
- **Networking**: Host network mode (for accessing Pi nodes on port 8443)
- **Resources**: 500m-2000m CPU, 256Mi-1Gi RAM per pod
- **Health Checks**: HTTP liveness and readiness probes
### Exposed Services
- **Port 8082**: WebTerm HTTP interface
- **Port 3001**: Containerized socktop-agent
### Ingress Configuration
- **Ingress Controller**: Traefik (default with k3s)
- **Domains**: socktop.io, www.socktop.io, origin.socktop.io
- **TLS**: Terminated at external NGINX Proxy Manager (not in cluster)
- **WebSocket**: Supported by default in Traefik
- **Session Affinity**: Configured in Service (ClientIP)
### ConfigMap Contents
- `profiles.json` - Connection profiles for local and 4 Pi nodes
- `alacritty.toml` - Terminal emulator configuration
- `catppuccin-frappe.toml` - Color scheme
## 📚 Documentation Guide
### Start Here
1. **`CHECKLIST.md`** - Verify all prerequisites are met
2. **`QUICKSTART.md`** - Deploy in 5 minutes
3. **`README.md`** - Deep dive into configuration and troubleshooting
### Common Tasks
**First Time Deployment**
→ Read `CHECKLIST.md` then run `./deploy.sh`
**Quick Deploy**
→ See `QUICKSTART.md`
**Troubleshooting**
→ See `QUICKSTART.md` (common issues) or `README.md` (comprehensive guide)
**Update Configuration**
→ Edit ConfigMap: `kubectl edit configmap socktop-webterm-config`
→ Restart: `kubectl rollout restart deployment socktop-webterm`
**Update Image Version**
`kubectl set image deployment/socktop-webterm webterm=192.168.1.208:3002/jason/socktop-webterm:NEW_VERSION`
**Scale Replicas**
`kubectl scale deployment socktop-webterm --replicas=5`
## 🛠️ Common Commands
```bash
# Check deployment status
kubectl get pods -l app=socktop-webterm
# View logs
kubectl logs -l app=socktop-webterm -f
# Check ingress
kubectl get ingress socktop-webterm
# Check certificate status
kubectl get certificate socktop-webterm-tls
# Describe deployment
kubectl describe deployment socktop-webterm
# Scale up
kubectl scale deployment socktop-webterm --replicas=5
# Update image
kubectl set image deployment/socktop-webterm webterm=192.168.1.208:3002/jason/socktop-webterm:0.3.0
# Restart deployment
kubectl rollout restart deployment socktop-webterm
# Delete everything
kubectl delete -f .
```
## 🌐 Access URLs
After deployment and configuring NGINX Proxy Manager, access your terminal at:
- https://socktop.io (SSL terminated at NGINX Proxy Manager)
- https://www.socktop.io
- https://origin.socktop.io
Traffic flow: **Internet → NGINX Proxy Manager (port 8080) → k3s Traefik (HTTP) → Service → Pods**
## ⚙️ Architecture Highlights
### Host Networking
- Uses `hostNetwork: true` to directly access Pi nodes on port 8443
- Each pod binds to host network interface
- Containerized agent runs on port 3001 (not 3000) to avoid conflicts
### High Availability
- 3 replicas for redundancy
- k3s spreads pods across available nodes
- Session affinity keeps users on same pod
- If a pod fails, traffic routes to healthy pods
### WebSocket Support
- Ingress configured for WebSocket upgrades
- Long connection timeouts (3600s)
- Proper headers for terminal connections
### Security
- Non-root user inside container
- Read-only certificate mounts
- Security context with dropped capabilities
- TLS for external access
- Rate limiting enabled
## 🔍 Monitoring & Debugging
### Check Resource Usage
```bash
kubectl top pods -l app=socktop-webterm
```
### View Pod Distribution
```bash
kubectl get pods -l app=socktop-webterm -o wide
```
### Check Events
```bash
kubectl get events --sort-by='.lastTimestamp' | grep socktop
```
### Test Pi Connectivity
```bash
kubectl exec -it deployment/socktop-webterm -- curl -k https://192.168.1.101:8443/health
```
## 📦 What's Included
```
kubernetes/
├── 01-configmap.yaml # Configuration files
├── 02-secret.yaml # TLS certificates (placeholder)
├── 03-deployment.yaml # Main deployment (3 replicas)
├── 04-service.yaml # Service with session affinity
├── 05-ingress.yaml # Ingress with TLS and WebSocket
├── deploy.sh # Automated deployment script
├── kustomization.yaml # Kustomize configuration
├── CHECKLIST.md # Pre-deployment checklist
├── QUICKSTART.md # 5-minute quick start
├── README.md # Comprehensive guide
└── INDEX.md # This file
```
## 🚨 Important Notes
1. **Insecure Registry**: You MUST configure `/etc/rancher/k3s/registries.yaml` on all k3s nodes to allow pulling from `192.168.1.208:3002`
2. **DNS Configuration**: Ensure socktop.io domains point to your external NGINX Proxy Manager IP, not cluster IP
3. **External Proxy**: Configure NGINX Proxy Manager to forward traffic to k3s nodes on port 8080 with WebSocket support enabled
4. **SSL Termination**: SSL/TLS is handled by NGINX Proxy Manager, not in the k8s cluster
5. **TLS Certificates**: The `02-secret.yaml` is a placeholder for Pi node certificates. Use `deploy.sh` or manually create the secret
6. **Host Network**: Using `hostNetwork: true` reduces isolation but is required to reach Pi nodes
7. **Session Affinity**: Crucial for maintaining terminal connections - don't disable!
## 🆘 Need Help?
### Quick Fixes
See **`QUICKSTART.md`** for common issues and solutions
### Detailed Troubleshooting
See **`README.md`** for comprehensive troubleshooting guide
### Verify Prerequisites
Run through **`CHECKLIST.md`** to ensure everything is configured
### Check Logs
```bash
kubectl logs -l app=socktop-webterm --tail=100
```
### Describe Resources
```bash
kubectl describe deployment socktop-webterm
kubectl describe pods -l app=socktop-webterm
```
## 📈 Performance & Scaling
### Default Configuration
- 3 replicas
- 500m CPU request, 2000m limit per pod
- 256Mi RAM request, 1Gi limit per pod
### Scaling Up
```bash
kubectl scale deployment socktop-webterm --replicas=5
```
### Resource Adjustment
Edit `03-deployment.yaml` resources section, then:
```bash
kubectl apply -f 03-deployment.yaml
```
## 🔐 Security Considerations
- Run as non-root user inside container
- Drop unnecessary capabilities
- Use secrets for sensitive data (certificates)
- Enable TLS for external access
- Implement rate limiting
- Consider adding authentication layer (OAuth2 Proxy)
- Use network policies to restrict pod-to-pod traffic
## ✅ Success Indicators
Deployment is successful when:
- All 3 pods show `Running` status
- Service has endpoints: `kubectl get endpoints socktop-webterm`
- Ingress has an address: `kubectl get ingress socktop-webterm`
- Certificate shows `Ready=True`: `kubectl get certificate socktop-webterm-tls`
- Can access https://socktop.io in browser
- Terminal sessions work correctly
## 📝 Version Information
- **Application Version**: 0.2.0
- **Container Image**: 192.168.1.208:3002/jason/socktop-webterm:0.2.0
- **Kubernetes API Version**: apps/v1, networking.k8s.io/v1
- **Ingress Controller**: Traefik (default with k3s)
- **SSL Termination**: External NGINX Proxy Manager
---
**Ready to deploy?** Start with `CHECKLIST.md``./deploy.sh` → Profit! 🎉
Reference in New Issue Copy Permalink