Access services deployed in the cluster

Access Kubernetes API

K3s’ installation create a kubeconfig.yaml file that contains the Kubernetes context that allows you to access the cluster.

$ export CLUSTER_NAME=master
$ export KUBECONFIG=distributions/k3s/_/docker/terraform/terraform.tfstate.d/$CLUSTER_NAME/kubeconfig.yaml
$ export BASE_DOMAIN=`docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' k3s-server-$CLUSTER_NAME|tr '.' '-'`.nip.io
$ kubectl get nodes
$ kubectl get namespaces
$ kubectl get pods --all-namespaces

Access ArgoCD web UI

ArgoCD Web UI is accessible via https://argocd.apps.$BASE_DOMAIN. The default account is admin/argocd.

Access Traefik dashboard

For security reasons, Traefik dashboard is not exposed, hence you have to use port-forwarding to access it:

$ kubectl -n traefik port-forward $(kubectl -n traefik get pods --selector "app.kubernetes.io/name=traefik" --output=name | head -n1) 9000:9000

Then point your web browser to http://localhost:9000/dashboard/

Access Vault UI

Vault UI is accessible via https://vault.apps.$BASE_DOMAIN.

In this stack, Vault is deploy in dev mode, which means that the root token is root.

Create a secret in Vault and allow access to a ServiceAccount using Terraform

Inject a secret from Vault using agent injector

This stack installs Vault injector that allows secrets injection to a pod.

$ kubectl -n demo-app exec -ti $(kubectl -n demo-app get pods --selector 'app.kubernetes.io/name=demo-app' --output=name|head -n1) -- cat /vault/secrets/demo-app
Defaulting container name to demo-app.
Use 'kubectl describe pod/demo-app-6f7cf8ddbf-vq7vg -n demo-app' to see all of the containers in this pod.
data: map[foo:bar pizza:cheese]
metadata: map[created_time:2020-10-05T15:04:47.061885873Z deletion_time: destroyed:false version:1]

Inject a secret from Vault using secrets store CSI driver

$ kubectl -n demo-app exec -ti $(kubectl -n demo-app get pods --selector 'app.kubernetes.io/name=demo-app' --output=name|head -n1) -- cat /mnt/secrets-store/demo-app

Access Grafana dashboard

Granafa is accessible via https://grafana.apps.$BASE_DOMAIN. As there is currently no proper secret management in this stack, we let the default Grafana credentials: admin/prom-operator.

Access Prometheus dashboard

Prometheus is accessible via https://prometheus.apps.$BASE_DOMAIN. As there is currently no proper secret management in this stack, the Prometheus URL is not protected.

Access Alertmanager dashboard

Alertmanager is accessible via https://alertmanager.apps.$BASE_DOMAIN. As there is currently no proper secret management in this stack, the Alertmanager URL is not protected.