
Setup Kubernetes (k3s)

Verify k3s is running correctly and prepare Kubernetes namespace for ORISO Platform.

1. Verify k3s is Running

Check that k3s service is active and Kubernetes cluster is operational.
# Check k3s status
sudo systemctl status k3s

# Check nodes
kubectl get nodes

# Check all pods
kubectl get pods --all-namespaces

# Check storage class
kubectl get storageclass
Expected output should show:
  • k3s service: active (running)
  • Node status: Ready
  • Storage class: local-path (default) with provisioner rancher.io/local-path

2. Create Namespace

Create the caritas namespace for ORISO Platform resources.
# Create caritas namespace
kubectl create namespace caritas

# Verify
kubectl get namespaces

# Set default namespace (optional)
kubectl config set-context --current --namespace=caritas
The caritas namespace should appear in the namespaces list.
Setting the default namespace is optional but convenient, as it allows you to omit -n caritas from subsequent kubectl commands.

3. Create ClusterIssuer for Let's Encrypt

Create a ClusterIssuer for automatic TLS certificate management with Let’s Encrypt.
# Create ClusterIssuer
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com  # CHANGE THIS!
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

# Verify ClusterIssuer
kubectl get clusterissuer
The ClusterIssuer should report Ready: running kubectl get clusterissuer letsencrypt-prod should show READY=True.
Replace your-email@example.com with your actual email address. This email is used by Let’s Encrypt for certificate expiration notifications.

4. Create Required Secrets

Create Kubernetes secrets for database credentials and other sensitive information.
# MariaDB secrets
kubectl create secret generic mariadb-secrets -n caritas \
  --from-literal=MYSQL_ROOT_PASSWORD=your-secure-password \
  --from-literal=MYSQL_DATABASE=caritas \
  --from-literal=MYSQL_USER=caritas_user \
  --from-literal=MYSQL_PASSWORD=your-secure-password

# Redis secrets
kubectl create secret generic redis-secret -n caritas \
  --from-literal=password=your-secure-password

# RabbitMQ secrets
kubectl create secret generic rabbitmq-secrets -n caritas \
  --from-literal=RABBITMQ_DEFAULT_USER=admin \
  --from-literal=RABBITMQ_DEFAULT_PASS=your-secure-password

# Verify secrets
kubectl get secrets -n caritas
All secrets should be listed: mariadb-secrets, redis-secret, rabbitmq-secrets.
Use strong, unique passwords for production. Store these passwords securely (password manager, encrypted file, etc.).
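
As an added example (not part of the ORISO documentation), the script below creates the same three secrets with a separately generated random value for each password and hands them to kubectl through owner-only env files, so no password lands in shell history or the process list as it would with --from-literal. The function names are illustrative, and the script only contacts the cluster when run with --apply.

```shell
#!/bin/sh
# Added example (not ORISO project code). Secret names and keys are the ones
# used in the step above; the function names here are illustrative.
set -eu

NAMESPACE="caritas"

# gen_password <bytes>: hex string (2 chars per byte) from the kernel CSPRNG.
gen_password() {
  head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# write_env_file <path> <KEY=VALUE>...: write lines to a file only the owner
# can read. printf is a shell builtin, so values never appear in `ps` output.
write_env_file() {
  (
    umask 077
    path="$1"; shift
    rm -f "$path"
    printf '%s\n' "$@" >"$path"
  )
}

# apply_secret <name> <env-file>: create or update the secret idempotently.
apply_secret() {
  kubectl create secret generic "$1" -n "$NAMESPACE" \
    --from-env-file="$2" --dry-run=client -o yaml | kubectl apply -f -
}

create_oriso_secrets() {
  SECRET_TMPDIR=$(mktemp -d)              # created with mode 0700
  trap 'rm -rf "$SECRET_TMPDIR"' EXIT     # remove plaintext copies on exit
  write_env_file "$SECRET_TMPDIR/mariadb.env" \
    "MYSQL_ROOT_PASSWORD=$(gen_password 24)" \
    "MYSQL_DATABASE=caritas" \
    "MYSQL_USER=caritas_user" \
    "MYSQL_PASSWORD=$(gen_password 24)"
  write_env_file "$SECRET_TMPDIR/redis.env" "password=$(gen_password 24)"
  write_env_file "$SECRET_TMPDIR/rabbitmq.env" \
    "RABBITMQ_DEFAULT_USER=admin" \
    "RABBITMQ_DEFAULT_PASS=$(gen_password 24)"
  apply_secret mariadb-secrets  "$SECRET_TMPDIR/mariadb.env"
  apply_secret redis-secret     "$SECRET_TMPDIR/redis.env"
  apply_secret rabbitmq-secrets "$SECRET_TMPDIR/rabbitmq.env"
}

# Only touch the cluster when asked to: sh create-secrets.sh --apply
if [ "${1:-}" = "--apply" ]; then create_oriso_secrets; fi
```

Afterwards the generated values exist only inside the cluster; read them back with kubectl get secret when you record them in your password manager.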

5. Configure k3s for Production

Configure k3s for production use with custom settings.
This step is optional but recommended for production deployments.
# Edit k3s service
sudo systemctl edit k3s
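Add the following environment overrides to the drop-in file. K3S_KUBECONFIG_MODE=644 makes the k3s admin kubeconfig (/etc/rancher/k3s/k3s.yaml) readable by every local user on the node, so use it only on hosts where all local accounts are trusted: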
[Service]
Environment="K3S_KUBECONFIG_MODE=644"
Environment="K3S_NODE_NAME=oriso-platform"
Apply changes:
# Restart k3s
sudo systemctl daemon-reload
sudo systemctl restart k3s

# Verify
sudo systemctl status k3s
k3s should restart successfully and show active (running) status.

Verification

After completing all steps, verify Kubernetes is ready:
# Check node is ready
kubectl get nodes

# Check namespace exists
kubectl get namespaces | grep caritas

# Check storage class
kubectl get storageclass

Troubleshooting

k3s Not Running

Check k3s logs:
sudo journalctl -u k3s -f
Verify swap is disabled (required for k3s):
free -h

Cannot Access Cluster

Check kubeconfig:
cat ~/.kube/config
Verify file permissions:
ls -la ~/.kube/config
# Should be readable by your user

Storage Class Missing

If local-path storage class is missing:
# Check if local-path-provisioner is running
kubectl get pods -n local-path-storage

Verification

After completing all steps, verify everything is configured:
# Check node is ready
kubectl get nodes

# Check namespace exists
kubectl get namespaces | grep caritas

# Check ClusterIssuer
kubectl get clusterissuer letsencrypt-prod

# Check secrets
kubectl get secrets -n caritas

# Check Ingress Controller
kubectl get pods -n ingress-nginx

# Check cert-manager
kubectl get pods -n cert-manager