K3s on Docker Quickstart
Create your Terraform root module
Camptocamp’s DevOps Stack is instantiated using a Terraform composition module.
Here is a minimal working example:
# terraform/main.tf
module "cluster" {
  source = "git::https://github.com/camptocamp/devops-stack.git//modules/k3s/docker?ref=master"

  cluster_name = "my-cluster"
}
If your Docker setup doesn't support bridge0, as on Mac OS X, you cannot reach the container IP, so the computed base domain isn't reachable. In that case, you can specify the published ports of the K3s master and set the base domain to use your computer's IP.
# terraform/main.tf
module "cluster" {
  source = "git::https://github.com/camptocamp/devops-stack.git//modules/k3s/docker?ref=master"

  cluster_name     = "my-cluster"
  cluster_endpoint = "192-168-1-118.nip.io"
  base_domain      = "192-168-1-118.nip.io"

  server_ports = [
    {
      internal = 6443
      external = 6443
    },
    {
      internal = 80
      external = 80
    },
    {
      internal = 443
      external = 443
    },
  ]
}
Terraform Outputs
Define outputs:
# terraform/outputs.tf
output "argocd_auth_token" {
  sensitive = true
  value     = module.cluster.argocd_auth_token
}

output "kubeconfig" {
  sensitive = true
  value     = module.cluster.kubeconfig
}

output "argocd_server" {
  value = module.cluster.argocd_server
}

output "grafana_admin_password" {
  sensitive = true
  value     = module.cluster.grafana_admin_password
}
Deploy the cluster
$ terraform init
$ terraform apply
You should see the service URLs as Terraform outputs.
Get kubeconfig and admin password
Retrieve the Kubeconfig file:
$ terraform output -json kubeconfig | jq -r .
Retrieve the Keycloak password for the admin user of the kubernetes realm:
$ terraform output admin_password
You will use this user and password to log in to applications.
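The kubeconfig output is marked sensitive, and redirecting the retrieval command to a file under a typical umask of 022 leaves that file readable by other local users. The following is an added example, not part of the original page or the DevOps Stack project: save_kubeconfig is a hypothetical helper, and the destination path in the usage comment is an assumption.

```shell
# save_kubeconfig (hypothetical helper): read a kubeconfig on stdin and store
# it at the given path with owner-only permissions, replacing it atomically.
#
# Usage (destination path is an assumption):
#   terraform output -json kubeconfig | jq -r . | save_kubeconfig "$HOME/.kube/my-cluster.config"
#   export KUBECONFIG="$HOME/.kube/my-cluster.config"
save_kubeconfig() {
  dest=$1
  if [ -z "$dest" ]; then
    echo "usage: save_kubeconfig <path>" >&2
    return 2
  fi
  # Do not replace a symlink someone else may have planted at the destination.
  if [ -L "$dest" ]; then
    echo "refusing to write to symlink: $dest" >&2
    return 1
  fi
  dir=$(dirname -- "$dest")
  (
    # Subshell: the restrictive umask does not leak into the calling shell.
    umask 077
    mkdir -p -- "$dir" || exit 1
    # Temporary file in the same directory so the final mv is an atomic rename.
    tmp=$(mktemp "$dir/.kubeconfig.XXXXXX") || exit 1
    cat > "$tmp" || { rm -f -- "$tmp"; exit 1; }
    # A failed "terraform output" earlier in the pipeline yields empty input;
    # never replace a working kubeconfig with an empty file.
    if [ ! -s "$tmp" ]; then
      echo "empty input, kubeconfig not written" >&2
      rm -f -- "$tmp"
      exit 1
    fi
    chmod 600 -- "$tmp" && mv -f -- "$tmp" "$dest"
  )
}
```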
Wait for Keycloak to be ready
$ kubectl -n keycloak get sts
NAME       READY   AGE
keycloak   1/1     8m58s
Wait until the READY column says 1/1.
Inspect the DevOps Stack Applications
You can view the ingress routes for the various DevOps Stack Applications with:
$ kubectl get ingress --all-namespaces
Access the URLs over HTTPS and log in via OIDC/OAuth2, using the admin account with the password retrieved previously.
Access the Keycloak dashboard
The Keycloak dashboard uses the kubernetes realm. You can log in to it using the /auth/realms/kubernetes/account/ path with the Keycloak ingress.
There is currently an issue when accessing applications and login details in Keycloak.
Reference
See the K3s Docker reference page.