Harbor and wireguard updates.

.gitignore

@@ -1,2 +1 @@
-secrets/
-.*secret.*
+/secrets/

cluster-v2-design.md

@@ -271,7 +271,8 @@ Install nginx with:
 ```
 helm upgrade --install ingress-nginx ingress-nginx \
   --repo https://kubernetes.github.io/ingress-nginx \
-  --namespace ingress-nginx --create-namespace
+  --namespace ingress-nginx --create-namespace \
+  --set controller.ingressClassResource.default=true
 ```
 
 ### k3s with nginx on fedora server
@@ -333,6 +334,34 @@ cat secret.yaml | kubeseal --format yaml > sealedsecret.yaml
 
 # Actual Install Notes
 
+## To Do List
+
+Infra Cluster:
+- On Host:
+    1. CoreDNS [x]
+    2. Wireguard [x]
+- On Cluster:
+    1. Keycloak
+    2. Kanboard
+    3. OneDev
+    4. Harbor [x]
+
+Main Cluster:
+- On Host:
+    1. Wireguard [x]
+- On Cluster:
+    1. Tekton
+    2. MQTT Broker
+    3. Squid
+    4. j7s-os-deployment
+    5. Flux
+
+[x] Give accounts on Harbor to clusters.
+[ ] Push images to Harbor.
+[ ] Hubble.
+
+## Regularly Scheduled Programming
+
 Fedora Server 37 keep defaults.
 
 Infra:
@@ -424,5 +453,136 @@ export KUBECONFIG=~/.kube/config:~/.kube/infra.yaml:~/.kube/j7s-cluster.yaml
 kubectl config view --flatten > new-config
 mv new-confg config
 export KUBECONFIG=~/.kube/config
+chmod 600 ~/.kube/config
+```
+
+Use kubeseal to encrypt secrets for harbor.
+
+Install harbor.
+```
+cd infra-cluster/harbor
+kubectl apply -f namespace
+kubectl apply -f secrets
+cd helm
+./install.bash
+```
+
+Build coredns rpm following instructions in coredns folder.
+scp to infra:
+```
+scp redhat/RPMS/x86_64/coredns-1.8.4-1.fc37.x86_64.rpm jimmy@192.168.1.112:~/.
+ssh jimmy@192.168.1.112
+sudo dnf install ./coredns-1.8.4-1.fc37.x86_64.rpm
+exit
+```
+Copy over corefile from coredns folder.
+```
+scp Corefile jimmy@192.168.1.112:~/.
+ssh jimmy@192.168.1.112
+sudo cp Corefile /etc/coredns/Corefile
+sudo systemctl start coredns
+sudo systemctl enable coredns
+
+sudo dnf install policycoreutils-devel rpm-build
+sepolicy generate --application /bin/coredns
+./coredns.sh
+# Until it works....
+sudo su
+ausearch -c '(coredns)' --raw | audit2allow -M my-coredns
+semodule -i my-coredns.pp
+# Also:
+sudo setsebool -P domain_can_mmap_files 1
+# Turn of resolver.
+sudo vim /etc/systemd/resolved.conf
+DNSStubListener=no
+```
+
+Wound up turning off SELinux...
+```
+sudo vi /etc/selinux/config
+# SELINUX=permissive
+sudo grubby --update-kernel ALL --args selinux=0
+```
+
+Wound up reverting back.
+
+Add:
+```
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+```
+
+under `[Service]` in
+```
+sudo vim /usr/lib/systemd/system/coredns.service
+```
+
+Wireguard:
+
+```
+sudo dnf install wireguard-tools
+wg genkey | tee wg.key | wg pubkey > wg.pub
+vim wg0.conf
+<<<
+[Interface]
+Address = 10.100.100.?/24
+PrivateKey = <Contents from file.>
+
+[Peer]
+PublicKey = zgcRWY3MAwKGokyRs9dR4E5smoeFy1Hh4MfDcDM3iSc=
+AllowedIPs = 10.100.100.0/24
+Endpoint = vpn.jpace121.net:51902
+PersistentKeepAlive = 25
+<<<<
+```
+Add to server:
+```
+# Infra k3s node
+[Peer]
+PublicKey = <>
+AllowedIPs = 10.100.100.7/32
+
+# j7s k3s node
+[Peer]
+PublicKey = <>
+AllowedIPs = 10.100.100.8/32
+
+sudo systemctl restart wg-quick@wg0
+```
+
+Tried using nm below, moved to wg-quick for consistency.
+```
+nmcli con import type wireguard file /etc/wireguard/wg0.conf
+```
+
+ Better:
+ ```
+sudo cp wg0.conf /etc/wireguard/wg0.conf
+sudo chown root:root /etc/wireguard/wg0.conf
+wg-quick up wg0
+
+# Add to systemd 
+sudo systemctl enable wg-quick@wg0.service 
+sudo systemctl daemon-reload 
+sudo systemctl start wg-quick@wg0 
+ ```
+
+Harbor Login:
+
+```
+scp harbor_tls.crt jimmy@10.100.100.7:.
+ssh jimmy@10.100.100.7
+sudo cp harbor_tls.crt /etc/rancher/k3s/.
+```
+
+`/etc/rancher/k3s/registries.yaml`
+```
+configs:
+  "harbor.internal.jpace121.net":
+    auth:
+      username: robot$k8s+infra-cluster
+      password: <from harbor>
+    tls:
+      ca_file: /etc/rancher/k3s/harbor_tls.crt
 ```
 

infra-cluster/harbor/secrets/harbor-tls-sealed.yaml

@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: harbor-tls-secret
+  namespace: harbor
+spec:
+  encryptedData:
+    tls.crt: AgBEpaISgzD53Qg6EcZiYBQjyiglHMVpiK+QF2HRHQ+0ooWCFL8BzC3kI65Y6Es9CCENK8XAFbJwO0fCNXNcZnKoSKnpMwcR0PSPiaKRgv8PaQtqKy8dSqdbphL3OeEbqbFt8a+EEry+rFXIpzF+UTaLKnqsZnwRb/2Px7uMVLyMbYzEZnhMPyTRjAYmYfoGceBvN8JHZV6tbuyJBtG6wRvX/otWYlDs02OtLX+ll54rSaK+l1BAV/OTURA/7k/agaD8C9wmggCibyGpakzYL2DcnpUZiNqmubjqtQCJ5u+A3qPQacF0OcjDMTjxsoxEkG5w+SeJBDW7EowPqp6jYMeS1auw1GCXjLIwU/4V/CyRAcboqNz3v+z4Iu8SIyMhPRjdOGQ93A52DukEHYZ6ediQDgBWDvIM+iIM7zyDewNVoUxmqDx5pqkCfk1DerDIQFCS6yxgTEWtg2E+qNVtxMT+Oeq1KTnFh64KKqzYdD/d9sFwkRGbrjfPju8n5ZBb+pHQHzkAQQFB079OsLyTIIC7rYAKmH+yylBi2ObZRCVwXqMXDKJKlT5dsC1yR03FaUCDfwyJ08XafdkyqJzARBsy+zxuQ/wlJduMduKGbKuthhPo91e/tX49jd934LmcveKJrlTTegdVS20+lXy/jubhoT48d6UunhM+5Idou4IkltrfZYzBI+y9kCKhLsHAgN4jix4+8jvdAD56r5ibwfI1RaKeiNFslFdHNWCWpY1XRHmNGKBuDQiDGPLHcgogT1hP0C0wcihmfD7k843OjZDvTbnENnM7+RaYhmf8hx/MJh/2JCPpKnzDB35VuICoFjHIabquqBmT6lLzcDWrrsiymomg1YFys/UBbJWQ2iarI9L0nhQGnP+8NIrr3MA+iAm0M85Ih+SIWgYr0wHmW3SK+dTsUoADNvfDyabEl5bhvZvnBf8yAXfK3mBVryMHko0djNVBxR+REseWgwSJFgDVk0Hywh0uQiGt8hUvyvrhjJvrOx6/39ZRnuG6Cly6v+hYXkiOl+rDlCh/vAsfbw1L+kb1lnHUQ7fOiwa0+63px+c1Kh91eKCfc8hGBPbWovxSxkb4CSRlJX30XAbni+Oqt6b/KE8Rab06PlrJM4oUAqTPgmzzhbaScfCsxQLY5ig/Mub0wVBByKT+ffQy/EZ25SGlJO+Poi2cn02Oiab8Ftwksbn1uBJ+UPpnKxJmPoP47wD7Z6pi2wCGzZNizREUKEoALbYxyNPUQkpoQL8+TEvdvPipOTQa9+uFm045o2GhrCWkm0T303bIXmwzHuscB5Eg5qx1KNzCtIIaSkoUdetEt1Ulk1WKlEUNiC1Jd8jImHT/1xLyjTyIbWKV1vAbW5EybU0xMFO7ySu7hK5d9GBcfoN/KbRlaW9Bcw3am5aKOGRIKeGxlvSNBeUfvzLtylbLW48Pk2mvslKTNJbGP3+d4MLX5gVRGsmxT+1ngQKwkDrobYvCsVm2EC1scpGDszaUb2xETm4vGSfkztByCkDPwofXFAJ9PdIxIC6lsz+eRhdj59uWufhYVbTN4kl/5inhlu03baGRNGNd0tX9Y79v4wI25yepYiCl/3nLgiSzNDQswYQcWCHFX20QQo5RPl3oU5RAbMpT5u9Ta9hD76vfOIjo+tzmPR4o58IKoyYsiUqupkrShLFlplaFp6o8TyrIOybsNH8/rjTzY+PVwiocK5br0qFdKeffePPo/h3Z
+    tls.key: AgA6k4GUBe6ZOWPTuI8nEblV/Gt2DzWuvZRUGLpBhzioi+C1m7Pged/LkhE7eIka1+utyI3GogzF5L00e9jpwnTYV3I6X3u4DIJ2+EAhI0RkrP+xAbVibY+dN+ye6lwdcpiMGNkTakQ2ab/hMXUhqLA9klzED2/hmMbsMJ09CkbFGU3vRX9ejG2xP7rq5pRqgTdZOPydnMRLoTxq5DyeEdXF/lxkyzKMDlo54hSX7I4JLQprGgbjzsaCd7SNHNJaLUEFMVCwkI4Ns2VxG6AaqZ2gc5iQaUhxDOgu5sSSHSZ3XQUfwopeDO/xJCNuDJ20HwbpvaklrR/VQ7wpiWTbyIdYzQCfe7aph7WgG0yfdsi9REsmg+xW9JfE6QdB3jChrVZPz/DLKIsf+BflARhIjGNlAGBXc5ylzm4zWrzy7lme6gjY3cWlgQLoGIgBVYt0a5gcgISajVCAjb2WOT+gJmoLstl+BR5TWn3S8Fq97NvpQcYCWrV9T33vAbJQdFdayYGmAvhrZSdpCs8mwU3fwa1ulRsQFkMVxGwp9/AaLC0mcaqHdSxSAhtqlOpETzhA7GL1AkBTeQlgGdf25o9t/ZUZ6ZOS9c5eJXYjBiHYZ3TYBO+WgXlk6LXQmPcCeuO7IDZJ/3GVBTQCl712YUJ1ivpCMxlbt0j+EvlIOA8YBapCFxnw5wU2WvzObJAWJVpG0doqnQdupcG3AJQUytGcDeYfDfIjv+A2N5864zjtQFJ7aQmFqGDInwqcTkW4xYrXfST+kpBaWrfu5I9J+Ea5zp1TFnWzYSpPMN6OTfo26f6OAh0RO4DRPnb6HEMNcP90NbBKzFHv+sykCpK3XO9vVgx20lH2QdjB+BDKhXnUBBq+IFygmBAY2aa1LNygoyXLGjt3LjlEZO1R0Vc5ViP8+zglt4GmIdP+fqqFfMUnACdUC2O6RJ8ZZ5Owx4s5DHWWqRxNxkCvjcjNbNHCih5KzuhVsYcy9d0UepjNhj2aNcBQORbELsdFkk6XRfglMPAxlaxs
+  template:
+    metadata:
+      creationTimestamp: null
+      name: harbor-tls-secret
+      namespace: harbor
+    type: kubernetes.io/tls
+

infra-cluster/harbor/secrets/harbor-token-sealed.yaml

@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: harbor-token
+  namespace: harbor
+spec:
+  encryptedData:
+    tls.crt: AgAvwazdKDS15lrLi8kBslPiZwjkRGcvN3np4UXji4Ck7oKoN2pHIDGLby3mRy0H6udwQB5LfG4qhzBB/gs1p07lsweIWYq3vnJhKrTave0oUxhjNBEtCbaVxWt6I7nAeNLz0EugxK9rvPqDokDA+xVTHGnkXDPUZX2Bg33vJuaW9ZywNGSLAzZtMrfHEkOM+m3LIsY8GT5i3K3adIjeejNmpmF6tAx7mWibmiveOvbEkTcaPpWxaMn/IgYykOa1xVVyZujBv6u0YqpPX2m9traysSypOkzdGWF/c7ebC2esZCI8u4/OrOYmbTJyt3m/9v4MyxB5Dso9EkxM9WJDGmyAHYivj6zKFjmSK5ItsZrqaVI3OAO1Tvf0Q1rI/nYyhGtwOd4mgGr4XZCTNMvPt5JXYYdC9+2miFFS/c6LdSxdjIs+YecoRvWBrcakKqRDDppEPZM3+3zGx8IbvGOBzqVqzp6Pk1p1kY9hY+7fRLAJF4MZPEmCQfYdHGoZ7zlYCysgFRpjMXHRUbwMvTqQLqh979ej11X+LzzVu4x825JZY9Ds/gqkKdvOP4FjMoVXAIB5U63rrOSJOMu4S8K96DwVvm4NQ+cSF6lGPp02SgUsNBLS2Z6B9EdV/g2tv5KAIHJBF7x4KbwKgEcIRGtKjp8ntA1ONmK0AbMxdSl5/R4cwjMqSFnDb/Zy7jpsRigBIT2cOGAUTHz3TW8yoH9+nGSjokNSactr8oWeGjzaMP15QMCypacNdqj6Epbc5grT5TNIrE3oTiYOsWMPxy2bH11YonnwCIiqsxWqucp+N7PQCTdzUzf4QmCF82HxCJ5CuMRotrMy8CG1P/P3FQJxoT2Gr6RMdccymbZ9RD/v2R/vE3McCdpCxapiX8FwVXJmYJVSS2vxA8KqJHit5+eLMzBqVlJ5rTVonK2RuCXs5ywOGj/Wv8gaz5dHIBJTeefwXITesq5cCKWclUftwD6YiPod3o0vxhxYKU6s4z7pGGuzDGbJ2UQ7I7LbHbt42yGmCN9QZk54QhOYMZekCn10+RO6Q+kNkANeKRXQJS79276TMSkGWyRqvYhTYdnTWo7EBvmMm3DerAC5Ey4Tt5tExRwebC8ZjgwlnEu37Hdqixvy4j39ihXwKfQ+IC1+es0IalJQUzoqPxcrQgXGlV4XAZoVKoAikswJkrhl2tIxSweb1xcCYxyV7XP1BSc+26sq1p9RX3WH2FA9ogvKRvLqx5r0/01r5rqXLzHhnCIJVBYee/OJM1wt5Bm+WBNVTOr4cgpc3N9eZq+bl6gMBMg5r7v43BdbkCHoA7QqBU3wIG+1b2prXj8Wc3Y0oHXkDedETeTUhmAp+d3yIZvOQtTCYVw3pBerB2d0QCCUiljfx9VSQ1KHE8gTm3WBtZ0zaBMvzLsClqGYeoQOTA8ayQr+rZrXC6uU+SnN24C9YRDXbaZniolMEOfdeaPZR7iHLXuxl9L2TzPEUhoXjVipFb2MJkWrYbpClOKbnoq1IdX/HoM1TE4YRe6jcWTKpJi0WG5wU/j6QadEmscNnBs1opF1RTS8iSuxRZMFb5MKb7mxJbAaHhrI7iehL5rsAyDXKWsaJIBXHDNZyOiBWwBEHrxsANvdVmVneWHs3PSEzycsI4N31NgXYoEFPcZrLJD4iVJhpbBMcqrFkKbh3Bf9DbyNBjR4VeZbC/rrN54eZpp/z1hBUzU7k/yUJw27F74Igq+Aw0J/dgmx6SeVgUR9HXRn4Qefjzi6Efdgzx53BUeeN0fDqbeb8yEdG7lFu6Fc3whHcWsZGlD0lHwmVevCprI6e5UKvuyWBu36b4QmZHeWo0AtBh0t4gcL9bLxrCirp0LmjCTldaOopUaqrHFBHmvXK6gLl+DhJJ6hA4XlMFbdP+DAkoykYfzgdIbcN4GTgoSHihtxjXlZz7tzDKe9mG9zvB7/O2Q6okWCroNAMwRDg0xZvw==
+    tls.key: AgCm+k6tYejqHId4QlboyC+9/0C1jfPlZEdoudVC1SAwheNOzpZBSD2g7ClN0olWyp7RxMEH3LUZzmaGsY+GKa1lqqH/BEapBCfFq4cf/jJ+K51Ta0v87dpWns3ox0UDgTeS0wqo8Yn3nDL7EGrwNdiPkF0WgOLCFV6TDCSTFzaE4ViPlkqFO64dNjCxFqpKKIhKj4+CAIc6syKdzx6ZV977pa8OL8p4gz+pjXplmbj/rALO1Hym7juLsx2T1LPbNuIa8hxB7mL7eQFd4k9Y9qIUt5bYZYm0GX6g7yLESwokxkI1oV9bTRmQWAtyyGmgv4yuQYNgpJgNFKuCxJMwqfh4JHiEQ+0Sa38I80cMs2mlxBzP9KroY1UGt1/Zj2Y7d9fclYZfT8mxALkweNYwyjPpb2Yc4vSYOV4ofHNoDaMSCJlYwGTDzqyNBUlkG2kURzB26Fq7qifmn4S5OomP4bhoxsLdCqHlB4NnzQcee4yjB4pOTnorQIM34T1F9aZPkIkZ54VZoQgQS23nU94WZy27V+KTeTNY7zlr43OGg9yg1s4dCx8LBgehB6uYOYxH+23Xcv8Ee8wpjZZu6LN3zZipf+sPFgGX7rYoEYad+yc3v0jc1vxTGew2tQOdJxtzcjTgYGFmv9bYkMVl6z/xVYT6rvqUES6Brxc2XOk/eBz71L1FRCqSf7Bgb/vP4vAVkr5tt8sLm3vtsBontvVXHW93lfTTfHxYGAFMgqMAY28adzDe+Dp34+CVO2SsFu3LiJBZwIZFRtTJ6Uu0kWbjIn0g7sc+ilipv6z33rNLaEvz7Mh5HQnRQl58iZ8w5VFXnPyYqRn4vh5ajsLgiy18HBfZNeHrajAutcJsu2gmFhBvpNygOofX1ivZ9LulfsgMwMEwFDMUWvxD2zoi2p3ALDlQDmKVPinQOZpr2AGQ+i3oLEiAcH2lBzJYMpaJOdBUaLAagGWtL2GctpYz4PNZCcDfZOBgjJnk4cDZKbUVSaqB1YuJcCX6NSv8+jTwbYRftBtrvQv8NzKg+WKxyiTH6r0foVgN0ubIQz7r80ChvkeOeluGbxAolZQLnd9wqoR6YxHzPvKfuTnrQLzqbJpRruGnm14nY0w/yvd8PAESHM/NaH6ygYhQvFUzng6CUOnviuFcDPeqqDaWRGa+KR+KRAggMG323g8s0a1tDKw5QTDI38geWtiAs+27f8qEkHY2odvGBSPz8jQTa0+ajv0xm8v+/nkCEyMmxasbCfUYoK8L1OLoR851FlEZHQT0LwKrDbiIJS3LJIDGFr+Ur/p9LaPQPDFPJF0Nd6STF1BdY52SlS1Edydr8y2asb1GXODZ/l0f7V+3z5I3H/F7v30564fQ8GqrdP2PnwyXaLfeD0cqE+Bgf7rboszYoVSYRpRnPobCVNhkFg/U4qTHgCStSezLo0IT+UDIvrd3EP0TNxhxUc6tjXvSYklBuxOVo3BZGkVzc3MzhgV0/O0f48jdQZDeE7enKY+zbkRnJGTlNMB4UFInXBrFHA07obZZ1MaX5OPTZkJaGZELSB37YhiPVSoJG4PNGNddL3sSJKXGM0mY+7RmHc8jcTuK77+D2EUO4XoFPWZ32zxuTVj4UGEKf7DORIQtgytUrxP+U7kzXb+stZOPuxY3iDbHK0gcKoAFZzvT+cZu0ESwhRAeAmgx2pEeznve9ZDolHFwDn1PKpBjA1nKM6bZCK7YWJOhwf0pdYA6eX7j7nrZB/jNfuvodHOl/R7/G76C8mFZSEKUnIss/9VxNkQU7O6S3RIqBmXdRdRMEHSKmFk9W029qRRUFFdOO2T40ZxIuk+dt7Z/VcNV9vLrHbfC8q6YVD1LGYTudKcwSsMNCl/KpSdtaD75nmuMOkESC01q9A5n35g=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: harbor-token
+      namespace: harbor
+    type: Opaque
+

infra-cluster/harbor/secrets/harbor_tls.crt

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICCjCCAa+gAwIBAgIUF5nJK6l4Y+oDycbHEtgByz0DTrIwCgYIKoZIzj0EAwIw
+bjELMAkGA1UEBhMCVVMxFTATBgNVBAgMDFBlbm5zeWx2YW5pYTETMBEGA1UEBwwK
+UGl0dHNidXJnaDEMMAoGA1UECgwDajdzMSUwIwYDVQQDDBxoYXJib3IuaW50ZXJu
+YWwuanBhY2UxMjEubmV0MB4XDTIzMDIxMjIyMDY1NFoXDTMzMDEzMDIyMDY1NFow
+bjELMAkGA1UEBhMCVVMxFTATBgNVBAgMDFBlbm5zeWx2YW5pYTETMBEGA1UEBwwK
+UGl0dHNidXJnaDEMMAoGA1UECgwDajdzMSUwIwYDVQQDDBxoYXJib3IuaW50ZXJu
+YWwuanBhY2UxMjEubmV0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg0jRtGpv
+l8llYG7xnop0VswmLVZIfJwZrrvOZA/leJ7P3VO2kxmZG2QEGODPIRtkc+WibQKm
+s5hDRLFl/xxKpKMrMCkwJwYDVR0RBCAwHoIcaGFyYm9yLmludGVybmFsLmpwYWNl
+MTIxLm5ldDAKBggqhkjOPQQDAgNJADBGAiEAlxZfpVU2Db1xD9F+Fk5ArYneUZS0
+U1ddr2qUvNrX+IMCIQDipHJ+MbWHzxzDHeHmvRWA6g6xq47VHGuF71FBkZRcxg==
+-----END CERTIFICATE-----

infra-cluster/harbor/secrets/harbor_tls.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg0jRtGpvl8llYG7xnop0VswmLVZI
+fJwZrrvOZA/leJ7P3VO2kxmZG2QEGODPIRtkc+WibQKms5hDRLFl/xxKpA==
+-----END PUBLIC KEY-----