Autoscaling in Kubernetes

March 27, 2026March 27, 2026 techhadoop ai, cloud, devops, kubernetes, technology

Autoscaling in Kubernetes is the process of automatically adjusting your resources to match the current demand. Instead of guessing how many servers or how much memory you need, Kubernetes monitors your traffic and “flexes” the infrastructure in real-time.

There are three main “layers” of autoscaling. Think of them as a chain: if one layer can’t handle the load, the next one kicks in.

1. Horizontal Pod Autoscaler (HPA)

The Concept: Adding more “lanes” to the highway.

HPA is the most common form of scaling. It increases or decreases the number of pod replicas based on metrics like CPU usage, memory, or custom traffic data.

How it works: It checks your pods every 15 seconds. If the average CPU across all pods is above your target (e.g., 70%), it tells the Deployment to spin up more pods.
Best for: Stateless services like web APIs or microservices that can handle traffic by simply having more copies running.

2. Vertical Pod Autoscaler (VPA)

The Concept: Making the “cars” bigger.

VPA doesn’t add more pods; instead, it looks at a single pod and decides if it needs more CPU or Memory. It “right-sizes” your containers.

How it works: It observes your app’s actual usage over time. If a pod is constantly hitting its memory limit, VPA will recommend (or automatically apply) a higher limit.
The Catch: Currently, in most versions of Kubernetes, changing a pod’s size requires restarting the pod.
Best for: Stateful apps (like databases) that can’t easily be “split” into multiple copies, or apps where you aren’t sure what the resource limits should be.

3. Cluster Autoscaler (CA)

The Concept: Adding more “pavement” to the highway.

HPA and VPA scale Pods, but eventually, you will run out of physical space on your worker nodes (VMs). This is where the Cluster Autoscaler comes in.

How it works: It watches for “Pending” pods—pods that want to run but can’t because no node has enough free CPU/RAM. When it sees this, it calls your cloud provider (AWS, Azure, GCP) and asks for a new VM to be added to the cluster.
Downscaling: It also watches for underutilized nodes. If a node is mostly empty, it will move those pods elsewhere and delete the node to save money.

The “Scaling Chain” in Action

Imagine a sudden surge of users hits your website:

HPA sees high CPU usage and creates 10 new Pods.
The cluster is full, so those 10 Pods stay in Pending status.
Cluster Autoscaler sees the Pending pods and provisions 2 new Worker Nodes.
The Pods finally land on the new nodes, and your website stays online.

Comparison Summary

Feature	HPA	VPA	Cluster Autoscaler
What it scales	Number of Pods	Size of Pods (CPU/RAM)	Number of Nodes (VMs)
Primary Goal	Handle traffic spikes	Optimize resource efficiency	Provide hardware capacity
Impact	Fast, no downtime	Usually requires pod restart	Slower (minutes to boot VM)

Pro-Tip: Never run HPA and VPA on the same metric (like CPU) for the same app. They will “fight” each other—HPA will try to add pods while VPA tries to make them bigger, leading to a “flapping” state where your app is constantly restarting.

To set up a Horizontal Pod Autoscaler (HPA), you need two things: a Deployment (your app) and an HPA resource that watches it.

Here is a breakdown of how to configure this in a way that actually works.

1. The Deployment

First, your pods must have resources.requests defined. If the HPA doesn’t know how much CPU a pod should use, it can’t calculate the percentage.

YAML

			
apiVersion: apps/v1
kind: Deployment
metadata:
  name: php-apache
spec:
  selector:
    matchLabels:
      run: php-apache
  replicas: 1
  template:
    metadata:
      labels:
        run: php-apache
    spec:
      containers:
      - name: php-apache
        image: registry.k8s.io/hpa-example
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 500m
          requests:
            cpu: 200m # HPA uses this as the baseline

		

2. The HPA Resource

This YAML tells Kubernetes: “Keep the average CPU usage of these pods at 50%. If it goes higher, spin up more pods (up to 10). If it goes lower, scale back down to 1.”

YAML

			
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 50

		

3. How to Apply and Test

You can apply these using oc apply -f <filename>.yaml (in OpenShift) or kubectl apply.

Once applied, you can watch the autoscaler in real-time:

View status: oc get hpa
Watch it live: oc get hpa php-apache-hpa --watch

The Calculation Logic:

The HPA uses a specific formula to decide how many replicas to run:

$$\text{Desired Replicas} = \lceil \text{Current Replicas} \times \frac{\text{Current Metric Value}}{\text{Desired Metric Value}} \rceil$$

Quick Tip: If you are using OpenShift, you can also do this instantly via the CLI without a YAML file:

oc autoscale deployment/php-apache --cpu-percent=50 --min=1 --max=10

To make your autoscaling more robust, you can combine CPU and Memory metrics in a single HPA. Kubernetes will look at both and scale based on whichever one hits the limit first.

Here is the updated YAML including both resource types and a “Scale Down” stabilization period to prevent your cluster from “flapping” (rapidly adding and removing pods).

1. Advanced HPA YAML (CPU + Memory)

YAML

			
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: advanced-app-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: advanced-app
  minReplicas: 2
  maxReplicas: 15
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 60
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300 # Wait 5 mins before scaling down to ensure traffic is actually gone
      policies:
      - type: Percent
        value: 10
        periodSeconds: 60

		

2. Scaling on Custom Metrics (e.g., HTTP Requests)

Sometimes CPU doesn’t tell the whole story. If your app is waiting on a database, CPU might stay low while users experience lag. In these cases, you can scale based on Requests Per Second (RPS).

To use this, you must have the Prometheus Adapter installed (which comes standard in OpenShift’s monitoring stack).

YAML

  - type: Pods
    pods:
      metric:
        name: http_requests_per_second
      target:
        type: AverageValue
        averageValue: 500 # Scale up if pods average more than 500 requests/sec

Pro-Tips for Memory Scaling

Memory is “Sticky”: Unlike CPU, which drops the moment a process finishes, many runtimes (like Java/JVM or Node.js) do not immediately release memory back to the OS.
The Danger: If your app doesn’t have a good Garbage Collector configuration, the HPA might see high memory usage, spin up 10 pods, and never scale back down because the memory stays “reserved” by the app.
The Fix: Always ensure your memory.requests in the Deployment are set to what the app actually needs to start, not its peak limit.

Summary Table: Which metric to use?

Scenario	Recommended Metric	Why?
Calculation heavy	CPU	Directly maps to processing power.
Caching/Large Data	Memory	Prevents OOM (Out of Memory) kills.
Web APIs	Requests Per Second	Scaled based on actual user load.
Message Queue	Queue Depth	Scales based on “work to be done.”

When an HPA isn’t behaving as expected—maybe it’s not scaling up during a spike, or it’s “stuck” at the minimum replicas—you need to look at the Controller Manager’s internal logic.

Here is how you can perform a “health check” on your HPA’s decision-making process.

1. The “Describe” Command (Most Useful)

The describe command provides a chronological log of every scaling action and, more importantly, why a request failed.

Bash

oc describe hpa advanced-app-hpa

What to look for in the “Events” section:

SuccessfulRescale: The HPA successfully changed the replica count.
FailedComputeMetricsReplicas: Usually means the HPA can’t talk to the Metrics Server (check if your pods have resources.requests defined!).
FailedGetResourceMetric: The pods might be crashing or “Unready,” so the HPA can’t pull their CPU/Memory usage.

2. Checking the “Conditions”

In the output of the describe command, look for the Conditions section. It tells you the current “brain state” of the autoscaler:

Condition	Status	Meaning
AbleToScale	`True`	The HPA is healthy and can talk to the Deployment.
ScalingActive	`True`	Metrics are being received and scaling logic is running.
ScalingLimited	`True`	Warning: You’ve hit your `maxReplicas` or `minReplicas`. It wants to scale further but you’ve capped it.

3. Real-time Metric Monitoring

If you want to see exactly what numbers the HPA is seeing right now compared to your target, use:

Bash

oc get hpa advanced-app-hpa -w

Example Output:

Plaintext

			
NAME               REFERENCE                    TARGETS           MINPODS   MAXPODS   REPLICAS   AGE
advanced-app-hpa   Deployment/advanced-app      75%/60%, 40%/80%  2         15        5          10m

In this example, CPU is at 75% (above the 60% target), so it has already scaled to 5 replicas.

4. Debugging Common “Stuck” Scenarios

Scenario A: “Target: “

If the TARGETS column shows <unknown>, it almost always means:

Missing Requests: You forgot to set resources.requests in your Deployment YAML.
Metrics Server Down: The cluster-wide metrics service is having issues.
Labels Mismatch: The HPA selector doesn’t match the Deployment labels.

Scenario B: High CPU but No Scaling

Check if the pods are in a Ready state. HPA ignores “Unready” pods to prevent scaling up based on the high CPU usage often seen during a container’s startup/boot phase.

Pro-Tip: The “Cooldown” Period

If you just stopped a load test and the pods are still running, don’t panic! By default, Kubernetes has a 5-minute stabilization window for scaling down. This prevents the “Flapping” effect where pods are deleted and then immediately recreated because of a small traffic blip.

Kong – proxy issue

August 27, 2025September 2, 2025 techhadoop cloud, devops, kubernetes, security, technology

Got it—your client runs in AWS and must use a corporate proxy. With mTLS, a client-side proxy can absolutely be the culprit. Here’s the playbook.

What’s happening

If the proxy does TLS inspection (MITM), it terminates TLS and re-signs with its own CA. Your server asks the proxy (not the real client) for a cert → it has none → server logs “trying to obtain a certificate from the client.”
The client may also see “unable to get local issuer certificate” because it’s validating the proxy’s substituted cert but doesn’t trust the proxy’s Root CA.

Decide the path (pick one)

A) Allow end-to-end mTLS (best):
Ask the proxy admins to bypass SSL inspection for your domain (add it to the proxy’s TLS bypass list) or ensure it does pure CONNECT tunneling. Then the real client cert reaches your server.

B) Two-hop mTLS (enterprise pattern):

Client ↔ Proxy: mTLS using Client-Cert-#1 (issued by proxy’s CA).
Proxy ↔ Your Server: mTLS using Client-Cert-#2 (issued by a CA your server trusts).
Your server will authenticate the proxy’s identity, not the original client. If you need end-user identity, have the proxy forward vetted identity (headers/JWT) and verify it.

C) Temporary test bypass:
On that AWS instance, set NO_PROXY for your hostname if policy allows, and open egress 443 to your server to confirm the issue is the proxy.

Quick diagnostics (run both)

1) See if proxy is intercepting

# Behind the proxy
openssl s_client -proxy PROXY_HOST:PROXY_PORT \
  -connect YOUR_HOST:443 -servername YOUR_HOST -showcerts </dev/null | \
  openssl x509 -noout -issuer -subject -enddate

Compare issuer/subject to the same command from a machine without the proxy.
If issuers differ (e.g., “Zscaler/BlueCoat/Corp Root CA”), it’s inspecting.

2) Prove mTLS works through a tunnel

# If proxy supports pure CONNECT (no inspection)
curl -v https://YOUR_HOST/ \
  --proxy http://PROXY_HOST:PROXY_PORT \
  --cert client.crt --key client.key \
  --cacert server_ca_chain.pem

If your proxy itself is HTTPS, add: --proxy-cacert PROXY_ROOT_CA.pem.

Java client notes (common in AWS)

# Client cert for mTLS to your server
-Djavax.net.ssl.keyStore=/path/client.p12 -Djavax.net.ssl.keyStorePassword=***** -Djavax.net.ssl.keyStoreType=PKCS12
# Trust your server (or proxy if inspecting)
-Djavax.net.ssl.trustStore=/path/truststore.jks -Djavax.net.ssl.trustStorePassword=*****
# Proxy settings (CONNECT)
-Dhttps.proxyHost=PROXY_HOST -Dhttps.proxyPort=PROXY_PORT
# Bypass (if allowed)
-Dhttp.nonProxyHosts="|YOUR_HOST|*.yourdomain.com"

If inspection can’t be bypassed, you must import the proxy’s Root CA into the truststore, and if mTLS is required by your server, implement the two-hop mTLS model above.

What to send to the proxy team

“Please bypass TLS inspection (or allow pure CONNECT) for YOUR_HOST:443.”
If not possible: “We’ll run two-hop mTLS. We’ll trust your proxy’s client CA for the proxy→server leg; you’ll trust ours for client→proxy.”

If you share the outputs of the two openssl/curl tests (redact hostnames as needed), I’ll tell you exactly whether it’s inspection vs tunneling and the minimal change to make it work.

Short answer: tcpdump can capture payload, but only if the traffic is plaintext.
If it’s HTTPS/TLS (which most APIs are), tcpdump will not show the body unless you decrypt it. It also won’t write into your “app logs”—it just captures packets.

Here are your practical options:

Kong troubleshooting

June 4, 2025June 6, 2025 techhadoop api, cloud, devops, k8s, kubernetes

A 502 Bad Gateway error in your setup:

Client → LB → KONG → LB → Server

means that Kong Gateway cannot successfully connect to the upstream server behind the second load balancer. Here’s how to troubleshoot and resolve it step by step:

🔁 Understanding the Flow

Client hits the first LB (e.g., AWS ELB, NGINX).
That LB forwards traffic to Kong Gateway.
Kong receives the request and proxies it to a second LB.
That LB routes to your actual upstream service.

🛠️ Troubleshooting Checklist

✅ 1. Check Upstream URL in Kong

Run: curl -s http://<KONG_ADMIN>:8001/services/<service-name>
Ensure the upstream URL (url or host) points to a valid, resolvable address (DNS or IP) and correct port.

Example:

{
  "host": "internal-lb.yourdomain.local",
  "port": 8080,
  "protocol": "http"
}

✅ 2. Test Kong’s Network Reachability

From the Kong container or host:

curl -v http://internal-lb.yourdomain.local:8080/

If this fails:

DNS resolution might be broken
Port might be blocked
LB might not route correctly

✅ 3. Enable Debug Logs in Kong

In kong.conf or via environment variable:

log_level = debug

Then check:

tail -f /usr/local/kong/logs/error.log

Look for messages like:

upstream timed out
could not resolve host
connection refused

✅ 4. Check Health of Second LB and Backend

Ensure second LB is up
Verify backend servers are healthy and accepting connections
Check if Kong’s IP is allowed (firewall or security group)

✅ 5. Check Kong Route & Service Configuration

Validate route is defined correctly:

curl -s http://<KONG_ADMIN>:8001/routes

Make sure paths, hosts, or methods match the request.

🧪 Example Kong Service & Route Setup

# Service pointing to internal load balancer
curl -i -X POST http://localhost:8001/services \
  --data name=upstream-service \
  --data url=http://internal-lb.yourdomain.local:8080

# Route for the service
curl -i -X POST http://localhost:8001/services/upstream-service/routes \
  --data paths[]=/api

🚫 Common Causes of 502 with LB Behind Kong

Problem	Solution
DNS resolution failure	Use IP or fix `/etc/resolv.conf` or CoreDNS
Port not exposed or wrong	Confirm port with `nc` or `curl`
Second LB not forwarding correctly	Check LB target groups and health checks
Kong plugins (e.g., OIDC, rate-limit) error	Disable plugins temporarily to isolate
HTTP vs HTTPS mismatch	Ensure protocol matches (`http` vs `https`)
Timeout too short	Increase `proxy_read_timeout` or similar

✅ Final Tips

Try curl directly from Kong to the backend server.
Use Kong’s health check endpoint if you’re using upstream targets: curl http://localhost:8001/upstreams/<name>/health

If you share:

the exact curl call to Kong
the relevant Kong service/route config
error.log content from Kong

The error message “upstream prematurely closed connection while reading response header from upstream” in Kong Gateway indicates that Kong attempted to read the response headers from the upstream service, but the connection was closed unexpectedly before the headers were fully received. This typically results in a 502 Bad Gateway error.

Common Causes

Upstream Service Crashes or Terminates Connection Early:
- The upstream application may crash, encounter an error, or intentionally close the connection before sending a complete response.
Timeouts:
- The upstream service takes too long to respond, exceeding Kong’s configured timeouts.
Keepalive Connection Issues:
- Persistent connections (keepalive) between Kong and the upstream service may be closed unexpectedly by the upstream, leading to this error.
Protocol Mismatch:
- Kong expects a certain protocol (e.g., HTTP/1.1), but the upstream service responds differently or uses an incompatible protocol.
Large Response Headers:
- The upstream service sends headers that exceed Kong’s buffer sizes, causing the connection to be closed prematurely.

es, a mismatch between the protocol specified in Kong’s service configuration and the actual protocol used by the upstream service can lead to the error:

“upstream prematurely closed connection while reading response header from upstream”

This typically occurs when Kong attempts to communicate with an upstream service over HTTP, but the upstream expects HTTPS, or vice versa.

🔍 Understanding the Issue

When Kong is configured to connect to an upstream service, it uses the protocol specified in the service’s configuration. If the upstream service expects HTTPS connections and Kong is configured to use HTTP, the SSL/TLS handshake will fail, leading to the connection being closed prematurely.

Yes, a mismatch between the protocol specified in Kong’s service configuration and the actual protocol used by the upstream service can lead to the error:

“upstream prematurely closed connection while reading response header from upstream”

This typically occurs when Kong attempts to communicate with an upstream service over HTTP, but the upstream expects HTTPS, or vice versa.

🔍 Understanding the Issue

For example, if your upstream service is accessible at https://api.example.com, but Kong is configured with:

bashCopyEditcurl -i -X POST http://localhost:8001/services \
  --data name=example-service \
  --data url=http://api.example.com

Kong will attempt to connect over HTTP, resulting in a failed connection.

✅ Solution

Ensure that the protocol in Kong’s service configuration matches the protocol expected by the upstream service.

If the upstream service requires HTTPS, configure the service in Kong accordingly:

bashCopyEditcurl -i -X POST http://localhost:8001/services \
  --data name=example-service \
  --data url=https://api.example.com

This ensures that Kong establishes a secure connection using HTTPS, aligning with the upstream service’s expectations.

Deploy AWX (Rancher )

April 28, 2025April 29, 2025 techhadoop cloud-native, interesting, kubernetes, python, technology

If you turn on (start/deploy) cattle-system pods (especially cattle-cluster-agent) and it crashes your cluster,
it means the Rancher agents are broken or misconfigured and are overloading, blocking, or breaking Kubernetes internally.

In detail, here’s why this can happen:

Cause	What Happens	Why It Crushes the Cluster
❌ Rancher agents fail to connect and keep retrying	They flood the Kubernetes API server with reconnect attempts	API server gets overloaded, becomes unresponsive
❌ Wrong Rancher URL or network broken	Agents enter infinite loops trying to reach Rancher	Node CPU/memory gets exhausted
❌ Authentication errors (cert expired, token invalid)	Agents spam auth failures on kube-apiserver	API server becomes slow or hangs
❌ Agent version mismatch	Older agents send bad requests to newer servers	API server rejects them violently
❌ Cluster registration issues (wrong cluster state in Rancher DB)	Rancher tries to sync invalid resources	etcd or kube-apiserver crash
❌ cattle-node-agent overload	Each node spawns bad agents, DaemonSet restarts infinitely	kubelet, container runtime get overloaded

🚨 Important:

Rancher’s cattle-cluster-agent talks both to your Kubernetes API server and to Rancher’s API.
If it is broken (wrong URL, invalid token, expired cert, bad Rancher setup), it spams the cluster.
Symptoms you usually see:
- kubectl get nodes hangs
- kubectl get pods -A freezes
- CPU of kube-apiserver jumps high
- Cluster nodes become NotReady
- etcd warnings appear if etcd is running locally

✅ Proof: If you kill (scale to 0) the cattle-cluster-agent, the cluster usually becomes healthy again.
Example:

kubectl scale deployment cattle-cluster-agent -n cattle-system --replicas=0

→ Cluster becomes stable.

💬 Summary in simple words:

Rancher agents are deeply tied into your Kubernetes cluster.
If they are broken, they spam your Kubernetes system like crazy, and that overloads and crashes your cluster.

🔎 Next step: To solve it properly:

Collect logs: kubectl logs -n cattle-system cattle-cluster-agent-xxxx kubectl logs -n cattle-system cattle-node-agent-xxxx
Fix whatever is wrong (wrong URL, expired cert, wrong Rancher token, network broken).
Then redeploy cattle-system carefully.

👉 Question for you to proceed:

Did you recently upgrade Rancher or move Rancher server (IP change, domain change)?
Did you renew SSL/TLS certificates on Rancher?
Or is this a new cluster registration you are trying?

Depending on your answer, I will tell you exactly how to fix it.
Would you like me to guide you step-by-step? 🚀
(If yes, tell me Rancher version too — 2.6.x, 2.7.x, 2.8.x, etc.)

This is a serious architecture conflict:

Rancher’s cattle-node-agent is destabilizing your AWX deployment.

And the reason is resource exhaustion or cluster network/messaging overload.

🔥 Why does this happen?

Cause	Description	Why it breaks AWX
Resource exhaustion	Rancher’s cattle-node-agent is heavy (especially when reconnecting or retrying). It uses a lot of CPU, memory, and bandwidth.	AWX Postgres and Web pods starve for CPU/memory or lose network
Node pressure	When 2 cattle-node-agents come alive, node CPU/mem pressure increases.	Kubernetes starts evicting pods (including AWX pods)
Pod preemption	If no resource limits are properly set, kube-scheduler kills “low-priority” pods to save critical pods.	Your AWX web or postgres pod might get evicted
Flapping networking	Rancher’s agents may try to reach Rancher server and overload K8s networking.	AWX needs stable DNS, API server access; it breaks
PersistentVolume interruptions	If Rancher agents cause node instability, your Postgres PVCs (storage) might get stuck or remount improperly.	AWX relies heavily on Postgres; database disruptions kill it

🧠 Let’s go deep technical quickly:

If you run:

kubectl get events -n awx --sort-by='.metadata.creationTimestamp'

kubectl describe pod <awx-pod-name> -n awx

you will likely see:

Evicted messages
NodeAffinity errors
OutOfcpu
OutOfmemory
Pod sandbox changed
Volume mount errors
Postgres connection refused or file corruption

🛠 How to properly fix this

✅ Step 1: Check Node Resources

Look at:

kubectl describe node <node-name>

Check for:

Allocatable CPU/memory
Current Usage
Conditions like MemoryPressure, DiskPressure

✅ Step 2: Set Strong Resource Requests & Limits for AWX

In your AWX YAML (awx.yaml), add hard limits like this:

yamlCopyEditspec:
  web_resource_requirements:
    requests:
      memory: 1Gi
      cpu: 500m
    limits:
      memory: 2Gi
      cpu: 1000m
  task_resource_requirements:
    requests:
      memory: 1Gi
      cpu: 500m
    limits:
      memory: 2Gi
      cpu: 1000m
  postgres_resource_requirements:
    requests:
      memory: 1Gi
      cpu: 500m
    limits:
      memory: 2Gi
      cpu: 1000m

✅ Step 3: Pin AWX pods to 1 specific node (optional)

If your nodes are unstable, you can force AWX to run only on the “good” node:

spec:
  node_selector:
    node-role.kubernetes.io/awx: "true"

Or use taints and tolerations.

✅ Step 4: Fix Rancher agents

If your Rancher agents (cattle-node-agent) are going crazy (e.g., retrying, error loops):

Make sure nodes can reach Rancher server stably
Update the registration URL if needed
Fix certificate errors

You can check the cattle-node-agent logs:

kubectl logs -n cattle-system cattle-node-agent-xxxxx

✅ Step 5: Stabilize PVCs

If AWX Postgres uses PVC (Persistent Volume Claim), ensure that:

Storage class is fast and resilient
Volumes aren’t remounting during node pressure

If you use Longhorn or local-path, make sure your storage is attached and healthy.

⚡ Quick Summary

Symptom	Root Cause	Fix
AWX web and Postgres pods crash when Rancher agent wakes up	Node pressure, network overload, volume flapping	Set AWX hard resource requests/limits, stabilize Rancher agent, pin critical pods to best nodes, ensure fast storage

✍️ What I Recommend for You Right Now

Look at AWX pods: kubectl get pods -n awx kubectl describe pod <awx-pod> -n awx kubectl get events -n awx --sort-by='.metadata.creationTimestamp'
Look at Node status: bashCopyEditkubectl describe node <node-name>
Look at Rancher cattle-node-agent logs: bashCopyEditkubectl logs -n cattle-system cattle-node-agent-xxxx

Paste me (if you want) the errors and I can tell you exactly what’s killing AWX.
You’re very close to solving it. 🚀

❓ Quick Questions

create a better AWX deployment YAML that sets:

Node Affinity
Hard CPU/memory limits
Stable PVC
Tolerations (if needed)

Troubleshooting

kubectl get secret awx-admin-password -n awx -o jsonpath=”{.data.password}” | base64 –decode

EKS – subnet size

December 17, 2024 techhadoop aws, azure, cloud, kubernetes, networking

To determine the appropriate subnet class for an Amazon EKS (Elastic Kubernetes Service) cluster with 5 nodes, it’s important to account for both the nodes and the additional IP addresses needed for pods and other resources. Here’s a recommended approach:

Calculation and Considerations:

EKS Node IP Addresses:
- Each node will need its own IP address.
- For 5 nodes, that’s 5 IP addresses.
Pod IP Addresses:
- By default, the Amazon VPC CNI plugin assigns one IP address per pod from the node’s subnet.
- The number of pods per node depends on your instance type and the configuration of your Kubernetes cluster.
- For example, if you expect each node to host around 20 pods, you’ll need approximately 100 IP addresses for pods.
Additional Resources:
- Include IP addresses for other resources like load balancers, services, etc.

Subnet Size Recommendation:

A /24 subnet provides 254 usable IP addresses, which is typically sufficient for a small EKS cluster with 5 nodes.

Example Calculation:

Nodes: 5 IP addresses
Pods: 100 IP addresses (assuming 20 pods per node)
Additional Resources: 10 IP addresses (for services, load balancers, etc.)

Total IP Addresses Needed: 5 (nodes) + 100 (pods) + 10 (resources) = 115 IP addresses.

Recommended Subnet Size:

A /24 subnet should be sufficient for this setup:

CIDR Notation: 192.168.0.0/24
Total IP Addresses: 256
Usable IP Addresses: 254

Example Configuration:

Subnet 1: 192.168.0.0/24

Reasons to Choose a Bigger Subnet (e.g., /22 or /20):

Future Scalability: If you anticipate significant growth in the number of nodes or pods, a larger subnet will provide ample IP addresses for future expansion without the need to reconfigure your network.
Flexibility: More IP addresses give you flexibility to add additional resources such as load balancers, services, or new applications.
Avoiding Exhaustion: Ensuring you have a large pool of IP addresses can prevent issues related to IP address exhaustion, which can disrupt your cluster’s operations.

Example Subnet Sizes:

/22 Subnet:
- Total IP Addresses: 1,024
- Usable IP Addresses: 1,022
/20 Subnet:
- Total IP Addresses: 4,096
- Usable IP Addresses: 4,094

When to Consider Smaller Subnets (e.g., /24):

Small Deployments: If your EKS cluster is small and you do not expect significant growth, a /24 subnet might be sufficient.
Cost Efficiency: Smaller subnets can sometimes be more cost-effective in environments where IP address scarcity is not a concern.

For an EKS cluster with 5 nodes, I would recommend going with a /22 subnet. This gives you a healthy margin of IP addresses for your nodes, pods, and additional resources while providing room for future growth.

Steps to install HPE Ezmeral 7.x on Linux cluster

December 6, 2024 techhadoop devops, docker, kubernetes, linux, technology

Installing HPE Ezmeral Data Fabric (formerly MapR) version 7.x on a 12-node Linux cluster requires planning and configuration. Here are the detailed steps to install and configure the cluster:

Step 1: Prerequisites

System Requirements:
- 64-bit Linux (RHEL/CentOS 7 or 8, or equivalent).
- Minimum hardware for each node:
  - Memory: At least 16GB RAM.
  - CPU: Quad-core or higher.
  - Disk: Minimum of 500GB of storage.
Network Configuration:
- Assign static IP addresses or hostnames to all 12 nodes.
- Configure DNS or update /etc/hosts with the IP and hostname mappings.
- Ensure nodes can communicate with each other via SSH.
Users and Permissions:
- Create a dedicated user for HPE Ezmeral (e.g., mapr).
- Grant the user passwordless SSH access across all nodes.
Firewall and SELinux:
- Disable or configure the firewall to allow required ports.
- Set SELinux to permissive mode:

sudo setenforce 0

sudo sed -i ‘s/^SELINUX=.*/SELINUX=permissive/’ /etc/selinux/config

Java Installation:
- Install Java (OpenJDK 11 recommended):

sudo yum install java-11-openjdk -y

Step 2: Download HPE Ezmeral Data Fabric Software

Obtain Software:
- Download the HPE Ezmeral 7.x installation packages from the official HPE Ezmeral website.
Distribute Packages:
- Copy the packages to all 12 nodes using scp or a similar tool.

Step 3: Install Core Services

Install the Core Packages:
- On each node, install the required packages:

sudo yum install mapr-core mapr-fileserver mapr-cldb mapr-webserver -y

Install Additional Services:
- Based on your use case, install additional packages (e.g., mapr-zookeeper, mapr-nodemanager, etc.).

Step 4: Configure ZooKeeper

Select ZooKeeper Nodes:
Choose three nodes to run the ZooKeeper service (e.g., node1, node2, node3).
Edit the ZooKeeper Configuration:
Update the ZooKeeper configuration file (/opt/mapr/zookeeper/zookeeper-<version>/conf/zoo.cfg) on the ZooKeeper nodes:

tickTime=2000

dataDir=/var/mapr/zookeeper

clientPort=2181

initLimit=5

syncLimit=2

server.1=node1:2888:3888

server.2=node2:2888:3888

server.3=node3:2888:3888

Initialize ZooKeeper:
- On each ZooKeeper node, create a myid file:

echo “1” > /var/mapr/zookeeper/myid # Replace with 2 or 3 for other nodes

Start ZooKeeper:

sudo systemctl start mapr-zookeeper

Step 5: Configure the Cluster

Initialize the Cluster:
- Run the cluster initialization command from one node:

/opt/mapr/server/configure.sh -C node1,node2,node3 -Z node1,node2,node3

Replace node1,node2,node3 with the actual hostnames of the CLDB and ZooKeeper nodes.

Verify Installation:
- Check the cluster status:

maprcli cluster info

Add Nodes to the Cluster:
- On each additional node, configure it to join the cluster:

/opt/mapr/server/configure.sh -N <cluster_name> -C node1,node2,node3 -Z node1,node2,node3

Step 6: Start Core Services

Start CLDB:
- Start the CLDB service on the designated nodes:

sudo systemctl start mapr-cldb

Start FileServer and WebServer:
- Start the file server and web server services on all nodes:

sudo systemctl start mapr-fileserver

sudo systemctl start mapr-webserver

Start Node Manager:
If using YARN, start the Node Manager service on all nodes:

sudo systemctl start mapr-nodemanager

Step 7: Post-Installation Steps

Access the Web Interface:
- Open a browser and go to the web interface of your cluster:

http://<CLDB-node-IP>:8443

Add Storage:
- Add storage disks to the cluster using the web interface or CLI:

maprcli disk list

maprcli disk add -all

Secure the Cluster:
- Enable Kerberos or LDAP integration for authentication.
- Configure SSL/TLS for secure communication.

Step 8: Verify the Cluster

Check Services:
- Verify that all services are running:

maprcli node list -columns svc

Run a Test:
Create a directory in the file system and test file creation:

hadoop fs -mkdir /test

hadoop fs -put /path/to/local/file /test

High Availability (HA) for two Kong API Gateway instances

November 24, 2024 techhadoop aws, cloud, database, devops, kubernetes

To set up High Availability (HA) for two Kong API Gateway instances, you need to configure them to work seamlessly, ensuring reliability and fault tolerance. Below are the steps in detail:

1. HA Architecture Overview

In an HA setup, two Kong Gateway instances are deployed behind a load balancer. Both instances share the same configuration data, stored in a database (e.g., PostgreSQL or Cassandra), or operate in DB-less mode if configuration is managed via automation.

Components of the Architecture

Kong API Gateway Instances: Two or more Kong nodes deployed on separate servers.
Load Balancer: Distributes traffic to Kong nodes.
Database (Optional): A shared PostgreSQL or Cassandra instance for storing configuration if not using DB-less mode.
Health Monitoring: Ensures requests are routed only to healthy Kong nodes.

2. Setup Steps

Step 1: Install Kong on Two Nodes

Follow the Kong installation guide for your operating system.
- Kong Installation Guide
Ensure both nodes are installed with the same version of Kong.

Step 2: Configure a Shared Database (If Not Using DB-less Mode)

Database Setup:

Install PostgreSQL or Cassandra on a separate server (or cluster for HA).
Create a Kong database user and database.
- Example for PostgreSQL:

CREATE USER kong WITH PASSWORD ‘kong’;

CREATE DATABASE kong OWNER kong;

Update the kong.conf file on both nodes to point to the shared database:

database = postgres

pg_host = <DATABASE_IP>

pg_port = 5432

pg_user = kong

pg_password = kong

pg_database = kong

Run the Kong migrations (only on one node):

kong migrations bootstrap

Step 3: DB-less Mode (Optional)

If you prefer DB-less mode for better scalability and faster failover:

Use declarative configuration with a YAML file (kong.yml).
Place the configuration file on both Kong nodes.
Set the kong.conf file to use DB-less mode:

database = off

declarative_config = /path/to/kong.yml

Step 4: Configure Load Balancer

Set up a load balancer to distribute traffic between the two Kong instances.

Options:

F5, HAProxy, or NGINX for on-premises environments.
AWS Elastic Load Balancer (ELB) for cloud-based setups.

Configuration Example:

Backend pool: Add both Kong instances (Node1_IP and Node2_IP).
Health checks: Use HTTP health checks to monitor the /status endpoint of Kong.

curl -X GET http://<KONG_INSTANCE>:8001/status

Step 5: Synchronize Configuration Across Nodes

For consistency, ensure both Kong nodes share the same configuration.

DB-Mode Synchronization:

Configurations are automatically synchronized via the shared database.

DB-less Mode Synchronization:

Use configuration management tools like Ansible, Terraform, or CI/CD pipelines to deploy the kong.yml file to all nodes.

Step 6: Enable Kong Clustering (Optional)

If using Cassandra as the database, configure Kong clustering for HA.

Enable clustering in the kong.conf file:

cluster_listen = 0.0.0.0:7946

cluster_listen_rpc = 127.0.0.1:7373

Ensure that ports 7946 (for gossip communication) and 7373 (for RPC communication) are open between Kong nodes.

Step 7: Configure SSL (TLS)

Generate SSL certificates for your domain.
Configure Kong to use these certificates for the gateway.

curl -X POST http://<KONG_ADMIN_API>/certificates \

–data “cert=@/path/to/cert.pem” \

–data “key=@/path/to/key.pem” \

–data “snis[]=example.com”

Step 8: Test the Setup

Health Check:

Verify the /status endpoint on both nodes:

curl -X GET http://<KONG_NODE_IP>:8001/status

Request Routing:

Send a test request through the load balancer:

curl -X GET http://<LOAD_BALANCER_IP>:8000/your-api

Verify logs on both Kong instances to ensure traffic is distributed.

Example HA Diagram

plaintext

Copy code

+———————–+

| Load Balancer |

| (F5, ELB, HAProxy) |

+———-+————+

+—————–+—————–+

| |

+———–+———–+ +———–+———–+

| Kong Instance 1 | | Kong Instance 2 |

| (Node1_IP) | | (Node2_IP) |

+———–+————+ +———–+————+

| |

+———–+————+ +———–+————+

| Shared Database (DB-Mode) OR Shared Config File (DB-less Mode)|

+———————–+—————————————-+

Best Practices for Kong HA

Load Balancer Health Checks:
- Ensure your load balancer only forwards requests to healthy Kong instances.
Database High Availability:
- Use a clustered database for the shared configuration.
Monitoring:
- Integrate Kong with monitoring tools (e.g., Prometheus, Grafana) to track performance.
Rate Limiting:
- Configure plugins for rate limiting to prevent node overload.
Session Persistence:
- Use sticky sessions if required by your application.

By following these steps, you’ll achieve a robust, highly available Kong Gateway setup. Let me know if you need help with specific configurations!

Deploy monitoring solution with Prometheus and Grafana on premise in HA mode

November 5, 2024 techhadoop devops, grafana, kubernetes, prometheus, technology

Deploy monitoring solution with Prometheus and Grafana on premise in HA mode

Deploying Prometheus and Grafana in High Availability (HA) mode on-premises ensures monitoring continuity and data resilience. In this setup, Prometheus will run in HA mode with redundancy and Grafana will connect to the Prometheus instances, also configured for HA.

Below are the steps to deploy Prometheus and Grafana on-premises with HA:

1. Plan the Architecture

Prometheus Instances:
- Set up at least two Prometheus instances in HA mode for redundancy.
- Each Prometheus instance will scrape the same set of targets independently and store its own local data.
Grafana Instances:
- Deploy at least two Grafana instances in HA mode, load balanced to ensure availability.
- Grafana will connect to both Prometheus instances and aggregate the metrics.
Storage:
- Use a distributed storage system like Thanos, VictoriaMetrics, or Prometheus remote storage (like Cortex or Mimir) for long-term data storage.
- Configure a shared storage for Grafana, or use a SQL database (e.g., MySQL, PostgreSQL) to keep dashboards and configuration in sync.

2. Set Up Prometheus in HA Mode

Step 2.1: Install Prometheus

Download and extract Prometheus on each node:

wget https://github.com/prometheus/prometheus/releases/download/v2.37.0/prometheus-2.37.0.linux-amd64.tar.gz

tar -xvf prometheus-2.37.0.linux-amd64.tar.gz

cd prometheus-2.37.0.linux-amd64

Copy the Prometheus binary to /usr/local/bin and set up the configuration directory (/etc/prometheus).

Step 2.2: Configure Prometheus

Create a prometheus.yml configuration file in /etc/prometheus for each instance:

global:

scrape_interval: 15s

scrape_configs:

– job_name: ‘your_targets’

static_configs:

– targets: [‘<target_ip1>:<port>’, ‘<target_ip2>:<port>’]

For HA, each Prometheus instance must be configured identically with the same scrape targets and rules.
High Availability Labeling:
- To distinguish between HA Prometheus instances, add a –cluster.peer=<other_instance_ip>:<port> flag in each instance’s configuration.
- This will allow the instances to work as separate, yet synchronized, peers.

Step 2.3: Start Prometheus

Create a systemd service file for each Prometheus instance at /etc/systemd/system/prometheus.service:

[Unit]

Description=Prometheus

After=network.target

[Service]

User=prometheus

ExecStart=/usr/local/bin/prometheus –config.file=/etc/prometheus/prometheus.yml –storage.tsdb.path=/var/lib/prometheus –web.enable-lifecycle

[Install]

WantedBy=multi-user.target

Enable and start each Prometheus instance:

sudo systemctl enable prometheus

sudo systemctl start prometheus

3. Install and Configure Thanos (Optional for Long-Term Storage)

Deploy Thanos Sidecar alongside each Prometheus instance for storing data in a distributed store and enabling HA Prometheus queries.
Thanos Sidecar:
- Set up a sidecar container or service to work with each Prometheus instance.
- It will upload data to an object storage (e.g., S3, MinIO) and enable querying of both Prometheus instances as a unified source.

4. Deploy Grafana in HA Mode

Step 4.1: Install Grafana

Download and install Grafana on each node:

wget https://dl.grafana.com/oss/release/grafana-8.0.0.linux-amd64.tar.gz

tar -zxvf grafana-8.0.0.linux-amd64.tar.gz

Copy the Grafana binaries and set up the configuration directory (/etc/grafana).

Step 4.2: Configure Grafana

In the Grafana configuration file (/etc/grafana/grafana.ini), set up the database to store Grafana data centrally:

[database]

type = postgres

host = <database_host>:5432

name = grafana

user = grafana_user

password = grafana_password

Add both Prometheus instances as data sources in Grafana. Grafana will automatically handle HA and load balancing between them.

Step 4.3: Start Grafana

Set up a systemd service for Grafana:

[Unit]

Description=Grafana

After=network.target

[Service]

User=grafana

ExecStart=/usr/local/bin/grafana-server -config /etc/grafana/grafana.ini

[Install]

WantedBy=multi-user.target

Enable and start Grafana:

sudo systemctl enable grafana-server

sudo systemctl start grafana-server

5. Set Up Load Balancers for HA

Prometheus Load Balancer:
- Set up a load balancer in front of the Prometheus instances to ensure that requests are evenly distributed across instances.
Grafana Load Balancer:
- Set up another load balancer for the Grafana instances to distribute user access and enable failover.

6. Verify and Test the HA Setup

Prometheus:
- Test that both Prometheus instances are running independently by accessing them via <node_ip>:9090.
- Use Thanos Querier (if configured) to query both Prometheus instances as a single source.
Grafana:
- Log in to Grafana via the load balancer IP, add Prometheus as a data source, and create a sample dashboard.
- Simulate a failure on one Grafana instance and ensure that the other instance handles the load transparently.

7. Enable Monitoring and Alerting

Configure Alertmanager for Prometheus:
- Set up Alertmanager to handle alerts in case of any issues.
- Use HA by deploying multiple Alertmanager instances with clustering.
Set up alerts in Grafana for visualization and notifications based on key metrics and alert rules.

Summary of Key Points

HA Prometheus: Multiple Prometheus instances scraping the same targets, optionally with Thanos for long-term storage and aggregation.
HA Grafana: Multiple Grafana instances with a centralized database for dashboards, load-balanced to ensure redundancy.
Alerting: Use Alertmanager in HA mode to handle alerts from Prometheus.

This HA setup for Prometheus and Grafana provides a robust monitoring solution that is resilient, scalable, and fault-tolerant.

How to integrate mTLS Kong certificate with secrets management infrastructure

September 29, 2024 techhadoop azure, certificates, kubernetes, security, technology

To integrate mTLS (Mutual TLS) certificates used in Kong API Gateway with a secrets management infrastructure (such as HashiCorp Vault, AWS Secrets Manager, or other secret management tools), you can follow a systematic approach to store, retrieve, and rotate the certificates securely.

Key Steps:

Generate mTLS certificates.
Store certificates securely in the secrets management infrastructure.
Configure Kong to retrieve and use certificates for mTLS.
Automate certificate rotation for secure management.

Step 1: Generate mTLS Certificates

You need to generate the client and server certificates that Kong will use for mTLS.

Generate a Certificate Authority (CA): First, generate a CA to sign the certificates.

openssl genrsa -out ca.key 2048

openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt \

-subj “/CN=Kong-CA”

Generate the Server Certificate: Generate a private key and a certificate signing request (CSR) for Kong, and sign it with your CA.

openssl genrsa -out kong-server.key 2048

openssl req -new -key kong-server.key -out kong-server.csr -subj “/CN=kong-server”

openssl x509 -req -in kong-server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \

-out kong-server.crt -days 365 -sha256

Generate the Client Certificate: You also need a client certificate to authenticate incoming requests.

openssl genrsa -out kong-client.key 2048

openssl req -new -key kong-client.key -out kong-client.csr -subj “/CN=kong-client”

openssl x509 -req -in kong-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \

-out kong-client.crt -days 365 -sha256

Step 2: Store Certificates Securely in a Secrets Management Infrastructure

Use a secrets management service like HashiCorp Vault, AWS Secrets Manager, or another system to store the mTLS certificates securely.

Example: Store Certificates in HashiCorp Vault

Start by enabling the secrets engine in Vault:

vault secrets enable -path=pki pki

vault secrets tune -max-lease-ttl=87600h pki

Store the CA certificate in Vault:

vault write pki/config/ca pem_bundle=@ca.crt

Store the server certificate and key in Vault:

vault kv put secret/kong/server cert=@kong-server.crt key=@kong-server.key

Store the client certificate and key:

vault kv put secret/kong/client cert=@kong-client.crt key=@kong-client.key

Example: Store Certificates in AWS Secrets Manager

Use AWS CLI to store the server certificate:

aws secretsmanager create-secret –name kong/server \

–secret-string file://kong-server.json

The kong-server.json file contains:

{

“certificate”: “—–BEGIN CERTIFICATE—– …”,

“private_key”: “—–BEGIN PRIVATE KEY—– …”

}

Store the client certificate similarly in AWS Secrets Manager:

aws secretsmanager create-secret –name kong/client \

–secret-string file://kong-client.json

Step 3: Configure Kong to Retrieve and Use Certificates for mTLS

Once the certificates are securely stored, you need to configure Kong to retrieve and use these certificates from your secrets management infrastructure.

Option 1: Use HashiCorp Vault with Kong

Install the Vault Plugin for Kong (or use an external script to retrieve certificates from Vault).
Write a Lua script or custom plugin to dynamically retrieve the certificates from Vault.
- Use the vault kv get API to retrieve certificates from Vault.
- Load the certificates into Kong’s SSL configuration dynamically.
Configure Kong to use the certificates:
- Add the mTLS plugin to your service or route to enable mutual authentication using the retrieved certificates.

Example to configure the mTLS plugin:

curl -i -X POST http://localhost:8001/services/my-service/plugins \

–data “name=mtls-auth” \

–data “config.trusted_ca_ids=ca_id” \

–data “config.client_verify=true”

Option 2: Use AWS Secrets Manager with Kong

Install the AWS SDK (or a script) on your Kong instances to fetch the certificates from Secrets Manager.
Create a script or custom plugin to:
- Retrieve the server and client certificates from AWS Secrets Manager using the AWS CLI or SDK:

aws secretsmanager get-secret-value –secret-id kong/server

aws secretsmanager get-secret-value –secret-id kong/client

Dynamically load the certificates into Kong’s SSL configuration using Lua or custom logic.
Configure mTLS in Kong:
- Set up the mTLS plugin in Kong to verify client certificates:

curl -i -X POST http://localhost:8001/services/my-service/plugins \

–data “name=mtls-auth” \

–data “config.trusted_ca_ids=<ca-id>”

Step 4: Automate Certificate Rotation

To ensure secure and automated certificate management, integrate certificate rotation.

Automated Certificate Renewal in Vault:
- Configure Vault’s PKI secrets engine to automate certificate issuance and rotation.

Example:

vault write pki/roles/kong \

allowed_domains=example.com \

allow_subdomains=true \

max_ttl=72h

Use Vault’s pki/issue endpoint to automatically rotate certificates and replace them in Kong.

Automate AWS Secrets Manager Rotation:
- Set up AWS Secrets Manager’s built-in rotation feature for SSL certificates.
Trigger Updates in Kong:
- Use a periodic task (e.g., a cron job or Ansible playbook) to update the certificates in Kong without restarting the gateway:

kong reload

This ensures Kong always uses the latest mTLS certificates from the secrets manager.

Conclusion

To integrate Kong API Gateway’s mTLS certificates with a secrets management infrastructure, follow these steps:

Generate the mTLS certificates and store them securely in a secrets management tool (e.g., HashiCorp Vault, AWS Secrets Manager).
Configure Kong to retrieve the certificates dynamically from the secret manager.
Implement automation for certificate renewal and rotation to ensure that Kong always uses up-to-date certificates without manual intervention.

This approach enhances security by managing sensitive SSL certificates in a centralized and automated manner.