Kubeflow on OCI

Super proud to have participated in the Kubeflow community.

First to have tested Kubeflow installation on OKE, Oracle Container Engine for Kubernetes

Mainly tested the new release v1.6 on OKE and updated Kubeflow documentation to include Oracle and OCI.

It was a great experience and motivated me to keep participating.

The instruction describes how to install Kubeflow on OCI and OKE. 

We will keep improving the guide.

https://github.com/oracle-devrel/kubeflow-oke

The official documentation

https://www.kubeflow.org/docs/started/installing-kubeflow/

Free Gitlab ARM on OCI

With Oracle Cloud Infrastructure article, you can deploy for free 2 VM ARM, for example your GitLab instance.

The article guides you through deploying your GitLab instance.

https://docs.oracle.com/en/solutions/deploy-GitLab-ci-cd-oci/index.html#GUID-02762BBC-6B22-4547-B542-2C021CDEA870

Here I provide you with the steps to update GitLab to the latest version and configure your instance to use a custom domain for free using DuckDNS, send emails and enable free SSL certificate with Let's Encrypt.

Upgrade GitLab

Upgrade following the GitLab upgrade path

https://docs.GitLab.com/ee/update/index.html#upgrade-paths

sudo yum -y update Gitlab-ee-13.12.15-ee.0.el8
sudo yum -y update Gitlab-ee-14.0.12-ee.0.el8

Finally, one last update

sudo yum -y update

Register your custom domain with DuckDNS

Create an account on www.duckdons.org.

Create your subdomain

Create your subdomain myinstance.duckdns.org using your OCI instance public IP.

Follow DuckDNS steps. Create /etc/duckdns/duck.sh

mkdir duckdns
cd duckdns
vi duck.sh

In the file add your custom DuckDNS configuration.

echo url="https://www.duckdns.org/update?domains=myinstance&token=a7c4b0ad-114e-40ef-ba1d-d218904a50f2&ip=" | curl -k -o ~/duckdns/duck.log -K -

Create your cron entry

*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1

Update GitLab to use your custom domain

Update GitLab configuration file to update your external_url

sudo vim /etc/gitlab/gitlab.rb
external_url 'http://GitLab.example.com'

Set your hostname

sudo hostnamectl set-hostname myinstance.duckdns.org

Reload configuration sudo GitLab-ctl reconfigure
Review configuration
sudo GitLab-ctl show-config

Configure GitLab to send email

Create OCI SMTP credentials

Follow the OCI steps to generate a username and password
https://docs.oracle.com/en-us/iaas/Content/Email/Reference/gettingstarted.htm https://docs.oracle.com/en-us/iaas/Content/Email/Tasks/generatesmtpcredentials.htm#Generate_SMTP_Credentials_for_a_User

Configuration GitLab to use Postfix
https://docs.oracle.com/en-us/iaas/Content/Email/Reference/postfix.htm

SMTP credentials to send emails

Edit GitLab configuration to use the credentials generated

sudo vim /etc/GitLab/GitLab.rb
  GitLab_rails['smtp_user_name'] = "ocid1.user.oc1..aaaaaaaaaxxxxx.ii@ocid1.tenancy.oc1...kd.com" 
  GitLab_rails['smtp_password'] = "3e4rtyhu6yt_W"    

Test to send email from GitLab

sudo GitLab-rails console
Notify.test_email('my.email@domain.com', 'Message Subject', 'Message Body').deliver_now

https://docs.GitLab.com/omnibus/settings/smtp.html#testing-the-smtp-configuration

Tips and tricks

Send email in bash

sudo yum install mailx

The sender needs to be approved
https://docs.oracle.com/en-us/iaas/Content/Email/Reference/gettingstarted.htm#start__config

echo "This is a test message" | mail -s "Test" -r my.email@domain.com my.email@domain.com
Check maillog sudo tail -f /var/log/maillog

SSL configuration

https://docs.GitLab.com/omnibus/settings/ssl.html#install-custom-public-certificates

In the following article, how to deploy your code

Install Istio on OKE Oracle Linux 8.5

Tips, when installing Istio and the sample application Bookinfo on an OKE cluster running Oracle Linux 8.5 you may face the error

error   Command error output: xtables parameter problem: iptables-restore: unable to initialize table 'nat'

You need to enable CNI support at the installation

istioctl manifest apply --set components.cni.enabled=true

On working nodes, you can apply the following commands as root and apply the configuration for restart.

modprobe br_netfilter ; modprobe nf_nat ; modprobe xt_REDIRECT ; modprobe xt_owner; modprobe iptable_nat; modprobe iptable_mangle; modprobe iptable_filter

cat  <<EOF | sudo tee /etc/modules-load.d/99-istio-modules.conf
# These modules need to be loaded on boot so that Istio (as required by
# Kubeflow) runs properly.
#
# See also: https://github.com/istio/istio/issues/23009

br_netfilter
nf_nat
xt_REDIRECT
xt_owner
iptable_nat
iptable_mangle
iptable_filter
EOF

You will be able to deploy the application without troubles

$ kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-79f774bdb9-87x6d       2/2     Running   0          35m
productpage-v1-6b746f74dc-zg4tb   2/2     Running   0          35m
ratings-v1-b6994bb9-vtcqz         2/2     Running   0          35m
reviews-v1-545db77b95-fldn4       2/2     Running   0          35m
reviews-v2-7bf8c9648f-mj26p       2/2     Running   0          35m
reviews-v3-84779c7bbc-2jvjt       2/2     Running   0          35m

Documentation
https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengistio-intro-topic.htm
https://istio.io/latest/docs/setup/getting-started/
https://istio.io/latest/docs/examples/bookinfo/

Issue
https://github.com/istio/istio/issues/23009

Sync secret management systems into Kubernetes secret

Working with a customer who needed to manage external Kubernetes secret, we came over External Secrets.
External Secret is a Kubernetes operator that integrates external secret management systems.
It's an excellent project. You can use it with almost every Cloud provider, AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault.
https://github.com/external-secrets/external-secrets
Using External Secret, you can manage from a single point of truth your Kubernetes secret. You can easily rotate them and delegate the management without providing access to your Kubernetes clusters.
We used it on Oracle Cloud Infrastructure to sync with OCI Vault.
To succeed, few steps:
Create an OCI Vault
Create a secret
Install External Secret
Create a SecretStore (2 methods):
Configure Instance Principal
Configure Auth
Create an ExternalSecret
Create an OCI Vault
If it's your first vault, create a master key, then create your secret.
 Name of the secret
 Description, optional
 Encryption key (your master encryption key)
 Secret key template: Plain-Text
 Secret Content: Your secret content.
Create ocisecret
Install External Secret Operator
Follow the step to install with Helm https://external-secrets.io/v0.4.4/guides-getting-started/
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets \
external-secrets/external-secrets \
-n external-secrets \
--create-namespace
Create your SecretStore
External Secret offers two ways to authenticate, using Instance principal or service account authentication.
Instance Principal
To use Instance principal, you need to create a dynamic group and IAM policy.
Configure Instance Principal
Create Dynamic Group
Instances that meet the criteria defined by any of these rules will be included in the dynamic group.
Dynamic group name: oke-kms-dyn-grp
Any {instance.compartment.id = 'ocid1.compartment.oc1..xxxxxx'}	
Any {resource.type = 'cluster',resource.compartment.id = 'ocid1.compartment.oc1..xxxxxx'}	

Use your compartment OCID.
IAM Policy
IAM policy will allow the defined dynamic group to manage secrets in your compartment.
Allow dynamic-group oke-kms-dyn-grp to manage vaults in compartment JULSILVE_ES
Allow dynamic-group oke-kms-dyn-grp to manage keys in compartment JULSILVE_ES
Allow dynamic-group oke-kms-dyn-grp to manage secret-family in compartment JULSILVE_ES

Use your compartment name.
Tips
You can SSH into your worker node to validate your instance principal configuration.
oci --auth instance_principal --region us-ashburn-1 secrets secret-bundle get --secret-id "${SECRET_OCID}"
Instance principal Secret Store
Specify the OCID of the OCI Vault and your region.
  apiVersion: external-secrets.io/v1alpha1
  kind: SecretStore
  metadata:
    name: example-instance-principal
  spec:
    provider:
      oracle:
        vault: # The vault OCID
        region: # The vault region eq: us-ashburn-1
Create your secret store
  kubectl create -f secretstore.yaml
Account Authentifcation
You must create a Kubernetes secret with the API key and the related fingerprint to use the service account method.
Create Kubernetes Secret
Generate a new API Key and fingerprint from OCI Console.
Create a Kubernetes secret with the API Key (Pem certificate) and the fingerprint.
Create Kubernetes Secret
apiVersion: v1
kind: Secret
metadata:
  name: oracle-secret
  labels:
    type: oracle
type: Opaque
stringData:
  privateKey: |-
        -----BEGIN PRIVATE KEY-----
        insert you PEM certificate
        -----END PRIVATE KEY-----
  fingerprint: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Create Auth Secret Store
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: secretstore-auth
spec:
  provider:
    oracle:
      vault: # The vault OCID
      region: # The vault region eq: us-ashburn-1
      auth:
        user: # The user OCID to use
        tenancy: # The tenancy OCID
        secretRef:
          privatekey:
            name: oracle-secret
            key: privateKey
          fingerprint:
            name: oracle-secret
            key: fingerprint
Once your Secret Store is created, you can confirm its validity.
$ kubectl get ss
NAME           AGE    STATUS
example-auth   5d5h   Valid
julienvault    13d    Valid
Create External Secret
Then create the external secret to sync your OCI Vault secret to your Kubernetes secret using your secret store.
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: ocisecret
  namespace: default
spec:
  refreshInterval: 0.03m
  secretStoreRef:
    kind: SecretStore
    name: julienvault
  target:
    name: k8s-secret
    creationPolicy: Owner
  data:
    - secretKey: oci-secret
      remoteRef:
        key: ocisecret
Tips
DataFrom can be used to get a secret as a JSON string and attempt to parse it.
dataFrom:
  - key: username
Data can use used to get a string, like in my example.
Secret sync as K8s secret
As result your external secret (es) is synchronized with OCI Vault.
kubectl get es ocisecret
NAME        STORE         REFRESH INTERVAL   STATUS
ocisecret   julienvault   0.03m              SecretSynced
Wrap-up


To confirm, you can query and decode the data content of the secret.
kubectl get secret k8s-secret -o jsonpath='{.data.oci-secret}'| base64 -d
tadaaa

GCP GKE VPN to on premises

Once we needed to consult an on-prem MS SQL from our PHP Lumen microservices.

Following the steps described in the following articles.

https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent

Then change to false to not mask links and publish them to the firewall.

  masqLinkLocal: false