Manifest to run Harmony Connect Remote Access (former ODO) in K8S
Converted original instructions to run adanite/odo_connecter:GEO_v3 in Kubernetes
- as a Pod
- as a Deployment
Original command:
docker run -d \
--cap-add=NET_ADMIN \
--sysctl net.ipv4.ip_forward=1 \
--device /dev/net/tun --restart=always \
--log-opt max-size=1g \
-e Secret=<CONNECTOR-SECRET> \
adanite/odo_connector:eu_v3
Several interesting requirements had to be solved:
- using sysctl
- mapping device
- using linux capabilities
- DNS (quick hack change
core-dns
config to forward to external servers) - logging, solved with run-time option
--log-file-max-size=1024
<CONNECTOR_SECRET>
provided via ConfigMap in Pod, not Secret, since there is no decryption function inside the container and secrets are only base64 encoded.
In Deployment, <CONNECTOR_SECRET> is provided as a Secret.
For offline install, with docker runtime, one may pull the image on a different machine, save it, transfer the archive to K8S master node and docker load it.
Since the manifest includes both ConfigMap and Pod, if Secret must be changed simply run kubectl replace --force --grace-period=0 -f
to have both reinitialized (yes, I know that updating CM will update the env var of container, but it was easier and more consistent during testing).
Tested with minikube, which requires --extra-config
minikube start --driver=docker --network-plugin=cni --cni=calico --extra-config="kubelet.allowed-unsafe-sysctls=kernel.msg*,net.*" --kubernetes-version=v1.22.2