Skip to main content

Extending KubeStrap

KubeStrap was designed with extensibility in mind. That's why the KubeStrap platform is a repository, not a module. This means, it can ultimately be yours, and you can do with it as you please. See the sections below on how to extend the KubeStrap platform.

Cloud

All Cloud resources are created and managed through/by Terraform. Terraform is a full-featured, general purpose Infrastructure as Code (IaC) tool/dsl/platform. KubeStrap uses Terraform to provision its cloud resources. Feel free to extend the existing Terraform by modifying existing resources and modules or adding new ones all together.

DNS

DNS records are created in Route53 or CloudDNS in public domains by the External DNS controller. However, until you register your Route53 or CloudDNS domain with your domain name's registrar, the zones will not be publicly routable.

Here's an example of 4 records that were added on the kubestrap.it domain to enable a successful podinfo.kubestrap.it DNS resolution in GCP's Cloud DNS.

podinfo NS ns-cloud-e1.googledomains.com
podinfo NS ns-cloud-e2.googledomains.com
podinfo NS ns-cloud-e3.googledomains.com
podinfo NS ns-cloud-e4.googledomains.com

Note: for existing domains e.g. mysite.com, it is recommended to use KubeStrap to create a sub-domain/zone that will be managed by External DNS..

TLS Certificates

TLS certs are provisioned by cert-manager and the Let's Encrypt provider. The verification system used before certs are issued is DNS01.

This means that Let's Encrypt must be able to resolve your DNS records from the internet. This also means that cert-manager needs to be able to place a domain verification record there. If Let's Encrypt can see it, your cert will be issued and recognized by all major browsers. KubeStrap handles the permissions and IAM policies to make this possible.

Kustomize

Tips on using FluxCD and Kustomize

  • If you're deploying a new app or non-core infrastructure, drop the yaml in cluster/manifest-<provider>/apps and update kustomization.yaml. Then push your commits to the branch you're syncing with FluxCD i.e. github_repo_branch parameter in .tfvars. You should see the resource syncing in < 60 seconds.
    cluster/manifest-aws/apps/kustomization.yaml
    apiVersion: kustomize.config.k8s.io/v1beta1
    kind: Kustomization
    resources:
    - pod-info.yaml
    - my-new-kube-resources.yaml
  • Similar steps can be taken for core infra in core/. See FluxCD for more info about flux resource types: docs
  • Use template variables to pipe terraform outputs to your yaml templates and make them DRY
    • Templates must be named with .tmpl extension
    • Template vars must begin with TF_SUBST_ e.g. ${TF_SUBST_dns_zone}
    • In the ex. above, the terraform output would be called dns_zone
    • see cluster/manifest-<provider>/init.sh

Secrets

If you enabled SOPS in .tfvars you can create secrets using SOPS+KMS

  • Your Flux Kustomization controller knows how to decrypt them
  • You can commit them straight to GitHub (woah!)

Follow these steps

  1. Ensure that .sops.yaml symlink in cluster/manifest-<provider>/apps is not broken. If it is, enable sops in .tfvars with sops_kms_enabled=true and terraform apply the change
  2. From the same dir execute sops hello.enc.yaml, paste the following text and save 
    apiVersion: v1
    kind: Secret
    metadata:
      name: secret-basic-auth
    type: kubernetes.io/basic-auth
    stringData:
      username: admin
      password: t0p-Secret
  3. Now open the file with your default editor, does it look different? Then open it with sops like sops hello.enc.yaml. Cool right? Note: making modifications to SOPS encrypted files without using the SOPS CLI will corrupt the file

Pre-commit

Pre-commit is a great tool for keeping code quality high

  • View the pre-commit config and plugins: .pre-commit-config.yaml
  • Install hooks: pre-commit install
  • For dev commits, optionally skip pre-commit hooks with the -n flag