Deploying High Availability SafeLine WAF on K3s (Part 3)

carrie_luo1

Carrie

Posted on October 11, 2024

Refer to my last two posts for the deployment of the k3s cluster and nginx-ingress services.

In this article, we install the nfs-provisioner component and SafeLine WAF via Helm charts.


Installing the nfs-provisioner Component via HelmChart

The nfs-subdir-external-provisioner service is a third-party component for K8S or K3S clusters that automatically mounts NFS directories as persistent data storage for the cluster. This document demonstrates how to deploy it with a Helm chart and create a storage class for the cluster.

Adding the Helm Public Repository and Deploying

  1. Check Helm Version:
   helm version
  2. List All Added Helm Repositories:
   helm repo list
  3. Add nfs-subdir Helm Repository:
   helm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
  4. Verify Added Helm Repositories:
   helm repo list

   NAME                                  URL
   nfs-subdir-external-provisioner       https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
  5. Update Helm Repositories:
   helm repo update

Checking NFS-related HelmChart Versions

  1. Search for nfs-subdir-external-provisioner Chart:
   helm search repo nfs-subdir-external-provisioner | grep nfs-subdir-external-provisioner

   nfs-subdir-external-provisioner/nfs-subdir-exte...      4.0.10          4.0.2           nfs-subdir-external-provisioner is an automatic...

Install NFS Client

  1. Install NFS Client:
   apt install -y nfs-common

Note: All cluster nodes must install the NFS client to use NFS as backend storage.

Install nfs-client-provisioner

  1. Install using Helm:
   helm install --namespace kube-system nfs-subdir-external-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner \
   --set nfs.server=192.168.1.103 \
   --set nfs.path=/nfs_data/waf-lan-k3s-data \
   --set image.repository=registry.cn-hangzhou.aliyuncs.com/k8s_sys/nfs-subdir-external-provisioner \
   --set image.tag=v4.0.2 \
   --set storageClass.name=cfs-client \
   --set storageClass.defaultClass=true \
   --set 'tolerations[0].operator=Exists' \
   --set 'tolerations[0].effect=NoSchedule'

Note: This deploys the nfs-client-provisioner Helm chart into the kube-system namespace of the cluster, under the release name nfs-subdir-external-provisioner used in the command above. The storage class name for the cluster will be: cfs-client.

Parameter options:

  • nfs.server: The IP address of the NFS server.
  • nfs.path: The directory path shared by the NFS server.
  • storageClass.name: The name of the storage class to be set for the cluster.
  • storageClass.defaultClass: Whether to set this as the default storage class for the cluster.
  • tolerations: Allows the provisioner to be scheduled on nodes with scheduling restrictions (NoSchedule taints), such as master nodes.
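
The install above pulls the provisioner image from a mirror registry and selects it by tag. As an added example (not part of the original post or of the chart), the function below reads rendered manifests, such as the output of helm template run with the same --set flags, and reports each image as digest-pinned, tag-only, or from outside an expected registry prefix. The sample manifest is constructed, and its sidecar and busybox entries are hypothetical.

```shell
#!/bin/sh
# Added example: audit the image references a chart would deploy.

# Constructed sample of rendered manifest lines (the kind of text `helm template`
# prints). The first image is the one selected by the --set flags above; the
# other two are hypothetical and exist only to exercise the checks.
sample_manifest() {
cat <<'EOF'
      containers:
        - name: nfs-subdir-external-provisioner
          image: "registry.cn-hangzhou.aliyuncs.com/k8s_sys/nfs-subdir-external-provisioner:v4.0.2"
        - name: sidecar
          image: registry.example.internal/tools/sidecar@sha256:0000000000000000000000000000000000000000000000000000000000000000
      initContainers:
        - name: init
          image: busybox
EOF
}

# Usage: audit_images ALLOWED_PREFIX < manifest
# Prints one line per distinct image: "<verdict> <image>", where verdict is
#   OK          prefix matches and the reference is pinned by sha256 digest
#   TAG-ONLY    prefix matches but only a mutable tag (or no tag) is given
#   UNEXPECTED  image comes from outside ALLOWED_PREFIX
audit_images() {
    allowed=$1
    sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' | tr -d "\"'" | sort -u |
    while IFS= read -r img; do
        case $img in
            "$allowed"/*@sha256:*) echo "OK $img" ;;
            "$allowed"/*)          echo "TAG-ONLY $img" ;;
            *)                     echo "UNEXPECTED $img" ;;
        esac
    done
}

# Demo on the constructed sample, using the registry path from the install command.
sample_manifest | audit_images registry.cn-hangzhou.aliyuncs.com/k8s_sys
```

The same pipe works on the rendered output of any chart, so it can be run before each helm install or helm upgrade.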

Verify Deployment

  1. Check Deployed Pods:
   kubectl get pod -n kube-system

   NAME                                               READY   STATUS      RESTARTS        AGE
   nfs-subdir-external-provisioner-6f5f6d764b-2z2ns   1/1     Running     3 (6d22h ago)   17d
  2. Check Storage Classes:
   kubectl get sc

   NAME                   PROVISIONER                                     RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
   cfs-client (default)   cluster.local/nfs-subdir-external-provisioner   Delete          Immediate              true                   17d

Deployment of SafeLine WAF via Helm

SafeLine WAF officially supports only Docker standalone container deployment. However, the community provides a Helm chart deployment solution, which this document follows. The third-party repository link is mentioned at the top of the document.

  1. Pull HelmChart tgz Package on Master Node:
   cd /root/
   helm repo add safeline "https://g-otkk6267-helm.pkg.coding.net/Charts/safeline"
   helm repo update
   helm fetch --version 5.2.0 safeline/safeline
  2. Create values.yaml File:
   detector:
     image:
       registry: 'swr.cn-east-3.myhuaweicloud.com/chaitin-safeline'
       repository: safeline-detector
   tengine:
     image:
       registry: 'swr.cn-east-3.myhuaweicloud.com/chaitin-safeline'
       repository: safeline-tengine
  3. Install SafeLine WAF in K3S Cluster:
   cd /root/
   helm install safeline --namespace safeline safeline-5.2.0.tgz --values values.yaml --create-namespace
  4. Upgrade SafeLine WAF:
   cd /root/
   helm upgrade -n safeline safeline safeline-5.2.0.tgz --values values.yaml
  5. Verify Pod Status:
   kubectl get pod -n safeline

   NAME                                 READY   STATUS      RESTARTS      AGE
   safeline-database-0                  1/1     Running     0             21h
   safeline-bridge-688c56547c-stdnd     1/1     Running     0             20h
   safeline-fvm-54fbf6967c-ns8rg        1/1     Running     0             20h
   safeline-luigi-787946d84f-bmzkf      1/1     Running     0             20h
   safeline-detector-77fbb59575-btwpl   1/1     Running     0             20h
   safeline-mario-f85cf4488-xs2kp       1/1     Running     1 (20h ago)   20h
   safeline-tengine-8446745b7f-wlknr    1/1     Running     0             20h
   safeline-mgt-667f9477fd-mtlpj        1/1     Running     0             20h
  6. Check Service Exposure:
   kubectl get svc -n safeline

   NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
   safeline-tengine            ClusterIP   10.43.1.38      <none>        65443/TCP,80/TCP                             15d
   safeline-luigi              ClusterIP   10.43.119.40    <none>        80/TCP                                       15d
   safeline-fvm                ClusterIP   10.43.162.1     <none>        9004/TCP,80/TCP                              15d
   safeline-detector           ClusterIP   10.43.248.81    <none>        8000/TCP,8001/TCP                            15d
   safeline-mario              ClusterIP   10.43.156.13    <none>        3335/TCP                                     15d
   safeline-pg                 ClusterIP   10.43.176.51    <none>        5432/TCP                                     15d
   safeline-tengine-nodeport   NodePort    10.43.219.148   <none>        80:30080/TCP,443:30443/TCP                   15d
   safeline-mgt                NodePort    10.43.243.181   <none>        1443:31443/TCP,80:32009/TCP,8000:30544/TCP   15d

SafeLine WAF has been successfully deployed via Helm! The SafeLine WAF console can be accessed through the K3S node IP plus the NodePort exposed by safeline-mgt, e.g., https://192.168.1.9:31443.
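
The service listing above shows safeline-mgt publishing three node ports (31443, 32009 and 30544), not only the console port. As an added example (not from the original post), this function extracts every node-level port from kubectl get svc output so the result can be compared against the host firewall rules; the sample rows are copied from the listing above.

```shell
#!/bin/sh
# Added example: list every port that a Service publishes on the nodes' own
# interfaces, from the plain-text table printed by `kubectl get svc`.

# Sample input: header, one ClusterIP row and the two NodePort rows copied
# from the listing in this post.
sample_svc_table() {
cat <<'EOF'
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
safeline-pg                 ClusterIP   10.43.176.51    <none>        5432/TCP                                     15d
safeline-tengine-nodeport   NodePort    10.43.219.148   <none>        80:30080/TCP,443:30443/TCP                   15d
safeline-mgt                NodePort    10.43.243.181   <none>        1443:31443/TCP,80:32009/TCP,8000:30544/TCP   15d
EOF
}

# Reads the table on stdin and prints "service service-port node-port protocol"
# for each port mapping of a NodePort or LoadBalancer service.
node_exposed_ports() {
    awk 'NR > 1 && ($2 == "NodePort" || $2 == "LoadBalancer") {
        n = split($5, maps, ",")
        for (i = 1; i <= n; i++) {
            # A mapping looks like 1443:31443/TCP; entries without ":" have
            # no node port and are skipped.
            if (split(maps[i], pp, "[:/]") == 3)
                print $1, pp[1], pp[2], pp[3]
        }
    }'
}

# Demo on the sample; on a live cluster: kubectl get svc -n safeline | node_exposed_ports
sample_svc_table | node_exposed_ports
```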
