jason/socktop-webterm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6e48c095ab
socktop-webterm/kubernetes/CHECKLIST.md
jasonwitty 6e48c095ab Initial commit: Socktop WebTerm with k3s deployment 
- Multi-architecture Docker image (ARM64 + AMD64)
- Kubernetes manifests for 3-replica deployment
- Traefik ingress configuration
- NGINX Proxy Manager integration
- ConfigMap-based configuration
- Automated build and deployment scripts
- Session monitoring tools
2025-11-28 01:31:33 -08:00

217 lines
6.1 KiB
Markdown
Raw Blame History

# Pre-Deployment Checklist for Socktop WebTerm on k3s
Use this checklist to ensure your k3s cluster is properly configured before deploying Socktop WebTerm.
## Infrastructure Requirements
### k3s Cluster
- [ ] k3s cluster is installed and running
- [ ] At least 3 nodes available (for spreading 3 replicas)
- [ ] `kubectl` is installed and configured
- [ ] Can run `kubectl get nodes` successfully
- [ ] Traefik ingress controller is running (default with k3s)
- [ ] Nodes have sufficient resources:
- [ ] 1.5+ CPU cores available per node
- [ ] 768+ MB RAM available per node
### Network Access
- [ ] k3s nodes can reach Raspberry Pi nodes on port 8443
- [ ] 192.168.1.101:8443 (rpi-master)
- [ ] 192.168.1.102:8443 (rpi-worker-1)
- [ ] 192.168.1.103:8443 (rpi-worker-2)
- [ ] 192.168.1.104:8443 (rpi-worker-3)
- [ ] Test with: `curl -k https://192.168.1.101:8443/health`
### DNS Configuration
- [ ] DNS records point to your external NGINX Proxy Manager IP:
- [ ] socktop.io → external IP
- [ ] www.socktop.io → external IP
- [ ] origin.socktop.io → external IP
- [ ] DNS propagation is complete (test with `nslookup socktop.io`)
## Required k3s Components
### Traefik Ingress Controller
- [ ] Traefik is running (comes default with k3s)
- [ ] Check with: `kubectl get pods -n kube-system | grep traefik`
- [ ] Traefik is accessible on port 80 (HTTP)
### External NGINX Proxy Manager
- [ ] External NGINX Proxy Manager is configured
- [ ] SSL certificates are set up in Proxy Manager
- [ ] Proxy hosts configured for:
- [ ] socktop.io → k3s-node-ip:8080
- [ ] www.socktop.io → k3s-node-ip:8080
- [ ] origin.socktop.io → k3s-node-ip:8080
- [ ] WebSocket support enabled in proxy hosts
- [ ] SSL termination happens at NGINX Proxy Manager
## Docker Registry Access
### Gitea Registry Configuration
- [ ] Gitea registry is accessible at 192.168.1.208:3002
- [ ] Test with: `curl http://192.168.1.208:3002/v2/`
- [ ] Image exists: `192.168.1.208:3002/jason/socktop-webterm:0.2.0`
### Insecure Registry Configuration (REQUIRED)
Since Gitea uses HTTP, you MUST configure k3s to allow insecure registries.
**On EACH k3s node** (both server and agents):
- [ ] Created `/etc/rancher/k3s/registries.yaml` with:
```yaml
mirrors:
"192.168.1.208:3002":
endpoint:
- "http://192.168.1.208:3002"
configs:
"192.168.1.208:3002":
tls:
insecure_skip_verify: true
```
- [ ] Restarted k3s services:
- [ ] Server: `sudo systemctl restart k3s`
- [ ] Agents: `sudo systemctl restart k3s-agent`
- [ ] Test image pull: `docker pull 192.168.1.208:3002/jason/socktop-webterm:0.2.0`
## TLS Certificates (Optional but Recommended)
### Raspberry Pi TLS Certificates
If you want to connect to Pi nodes via TLS:
- [ ] Have TLS CA certificates for each Pi node:
- [ ] rpi-master.pem
- [ ] rpi-worker-1.pem
- [ ] rpi-worker-2.pem
- [ ] rpi-worker-3.pem
- [ ] Certificate files are accessible on your local machine
- [ ] Know the full path to each certificate file
**Note:** If you don't have these yet, the deployment will still work, but you won't be able to connect to Pi nodes via TLS WebSocket.
## Configuration Files
### profiles.json
- [ ] Reviewed `kubernetes/01-configmap.yaml`
- [ ] Updated Raspberry Pi IP addresses if different
- [ ] Updated port numbers if different
- [ ] Updated certificate paths if different
### alacritty.toml
- [ ] Reviewed terminal configuration in `kubernetes/01-configmap.yaml`
- [ ] Adjusted font size/family if desired
- [ ] Adjusted transparency/blur settings if desired
## Deployment Files Ready
- [ ] All manifest files are present:
- [ ] `01-configmap.yaml`
- [ ] `02-secret.yaml`
- [ ] `03-deployment.yaml`
- [ ] `04-service.yaml`
- [ ] `05-ingress.yaml`
- [ ] `deploy.sh` script is executable: `chmod +x deploy.sh`
## Security Considerations
- [ ] Understand that `hostNetwork: true` reduces pod isolation
- [ ] Cluster network is trusted (not exposed to public internet directly)
- [ ] TLS certificates will be stored as Kubernetes secrets
- [ ] Consider implementing authentication (OAuth2 Proxy, etc.)
- [ ] Rate limiting is configured in ingress (100 rps by default)
## Resource Planning
With 3 replicas, total resource requirements:
- **CPU**: 1.5 cores requested, 6 cores limit
- **Memory**: 768 MB requested, 3 GB limit
- [ ] Your cluster has sufficient resources
- [ ] Check with: `kubectl describe nodes`
## Backup Plan
- [ ] Know how to view logs: `kubectl logs -l app=socktop-webterm`
- [ ] Know how to delete deployment: `kubectl delete -f kubernetes/`
- [ ] Have access to Docker logs on k3s nodes if needed
## Pre-Deployment Test Commands
Run these commands to verify everything is ready:
```bash
# Check cluster access
kubectl cluster-info
# Check nodes
kubectl get nodes
# Check Traefik ingress controller
kubectl get pods -n kube-system | grep traefik
# Check Traefik service
kubectl get svc -n kube-system traefik
# Test registry access from a node
ssh <your-k3s-node>
docker pull 192.168.1.208:3002/jason/socktop-webterm:0.2.0
# Test network access to Pi nodes
curl -k https://192.168.1.101:8443/health
```
## Ready to Deploy?
If all items above are checked ✓, you're ready to deploy!
### Choose your deployment method:
**Option 1: Automated (Recommended)**
```bash
cd kubernetes
./deploy.sh
```
**Option 2: Manual**
```bash
cd kubernetes
kubectl apply -f .
```
**Option 3: Kustomize**
```bash
cd kubernetes
kubectl apply -k .
```
## Post-Deployment Verification
After deployment, verify:
```bash
# Check pods are running
kubectl get pods -l app=socktop-webterm
# Check service is created
kubectl get svc socktop-webterm
# Check ingress is configured
kubectl get ingress socktop-webterm
# View logs
kubectl logs -l app=socktop-webterm -f
```
Configure your external NGINX Proxy Manager to forward traffic, then access:
- https://socktop.io (SSL terminated at NGINX Proxy Manager)
- https://www.socktop.io
- https://origin.socktop.io
## Troubleshooting
If something goes wrong, see:
- `QUICKSTART.md` - Common issues and quick fixes
- `README.md` - Detailed troubleshooting guide
- Pod logs: `kubectl logs -l app=socktop-webterm`
- Pod events: `kubectl describe pods -l app=socktop-webterm`
Reference in New Issue View Git Blame Copy Permalink