diff --git a/.gitignore b/.gitignore
index 4bd922a..ea6e912 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 secrets/
+.*secret.*
diff --git a/cluster-v2-design.md b/cluster-v2-design.md
index 92c2f1f..a8ee071 100644
--- a/cluster-v2-design.md
+++ b/cluster-v2-design.md
@@ -233,14 +233,26 @@ Lightsail:
 Infra Cluster:
 - RAM 4 GiB total
-- 3 CPUs
+- 2 CPUs
 - 120Gib Hardrive
 Main Cluster:
 - RAM 4 GiB total
-- 3 CPUs
+- 2 CPUs
 - 120Gib Hardrive
+## Secrets
+
+Options:
+Mozilla Kops
+Bitnami Sealed Secrets
+
+Both work with Flux.
+Sealed Secrets seems more integrated with k8s when not using
+Flux.
+
+Decision: Bitnami Sealed Secrets
+
 ## Experiments
 ### k3s with cilium and nginx on Centos Stream 9
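Review bot: `.*secret.*` is a gitignore glob, not a regex, so the leading `.` is literal and the new line only matches dotfiles such as `.mysecret.env`; the plain `secret.yaml` that the kubeseal example in cluster-v2-design.md pipes into `kubeseal` is not ignored and can be committed in clear text. If the intent is to keep unsealed Secret manifests out of the repo, use `*secret*` and re-include the sealed output with a following `!*sealedsecret*` line, then confirm with `git check-ignore -v secret.yaml` and `git check-ignore -v sealedsecret.yaml`. A pattern without a slash applies in every directory, which is presumably what is wanted here, and gitignore never protects a file that is already tracked.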
@@ -315,3 +327,102 @@ nmcli connection modify enp4s0 autoconnect no
 nmcli connection down enp4s0
 nmcli connection up id br0
 ```
+
+### Kubeseal Use
+cat secret.yaml | kubeseal --format yaml > sealedsecret.yaml
+
+# Actual Install Notes
+
+Fedora Server 37 keep defaults.
+
+Infra:
+On VM:
+```
+sudo hostnamectl set-hostname infra-cluster
+sudo systemctl disable firewalld --now
+sudo su
+export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.44.0.0/16 --service-cidr 10.45.0.0/16 --cluster-dns 10.45.0.10 --selinux"
+curl -sfL https://get.k3s.io | sh -s -
+exit
+sudo cp /etc/rancher/k3s/k3s.yaml ~/infra.yaml
+sudo chown jimmy:jimmy ~/infra.yaml
+exit
+```
+
+on laptop
+```
+scp jimmy@192.168.1.112:~/infra.yaml /home/jimmy/.kube/.
+export KUBECONFIG=~/.kube/infra.yaml
+vim KUBECONFIG and fix ip.
+```
+Install cilium cli.
+
+On laptop:
+```
+cilium install
+```
+wait...
+```
+helm upgrade --debug --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace
+```
+Main:
+On VM:
+```
+sudo hostnamectl set-hostname j7s-cluster
+sudo systemctl disable firewalld --now
+sudo su
+export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.46.0.0/16 --service-cidr 10.47.0.0/16 --cluster-dns 10.47.0.10 --selinux"
+curl -sfL https://get.k3s.io | sh -s -
+exit
+sudo cp /etc/rancher/k3s/k3s.yaml ~/j7s-cluster.yaml
+sudo chown jimmy:jimmy ~/j7s-cluster.yaml
+exit
+```
+
+on laptop
+```
+scp jimmy@192.168.1.103:~/j7s-cluster.yaml /home/jimmy/.kube/.
+export KUBECONFIG=~/.kube/j7s-cluster.yaml
+vim KUBECONFIG and fix ip.
+```
+On laptop:
+```
+cilium install
+```
+wait...
+```
+helm upgrade --debug --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace
+```
+
+Install Sealed Secrets:
+
+Main:
+```
+export KUBECONFIG=~/.kube/j7s-cluster.yaml
+wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.5/controller.yaml
+kubectl apply -f controller.yaml
+```
+Infra:
+```
+export KUBECONFIG=~/.kube/infra.yaml
+kubectl apply -f controller.yaml
+rm controller.yaml
+```
+
+Install kubeseal.
+
+Merge kube config files:
+
+1. Manually modify each config file and get rid of all the defaults
+ to something unique for that file.
+ ( I have k3s for the original cluster, j7s for the new main cluster, and infra
+ for the new infra cluster. )
+2. Do some magic.
+```
+cp config.yaml config.yaml.back.
+export KUBECONFIG=~/.kube/config:~/.kube/infra.yaml:~/.kube/j7s-cluster.yaml
+kubectl config view --flatten > new-config
+mv new-confg config
+export KUBECONFIG=~/.kube/config
+```
+
diff --git a/deployments/harbor/upgrade.bash b/deployments/harbor/upgrade.bash
deleted file mode 100644
index 2d5df3e..0000000
--- a/deployments/harbor/upgrade.bash
+++ /dev/null
@@ -1,2 +0,0 @@
-#helm repo add harbor https://helm.goharbor.io
-helm upgrade harbor -f values.yaml harbor/harbor -n harbor
diff --git a/deployments/harbor/install.bash b/infra-cluster/harbor/helm/install.bash
old mode 100644
new mode 100755
similarity index 100%
rename from deployments/harbor/install.bash
rename to infra-cluster/harbor/helm/install.bash
diff --git a/infra-cluster/harbor/helm/upgrade.bash b/infra-cluster/harbor/helm/upgrade.bash
new file mode 100755
index 0000000..63289b0
--- /dev/null
+++ b/infra-cluster/harbor/helm/upgrade.bash
@@ -0,0 +1,2 @@
+#helm repo add harbor https://helm.goharbor.io
+helm upgrade --debug --install harbor -f values.yaml harbor/harbor -n harbor --create-namespace
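Review bot: `--debug` on the new helm line makes helm print the release's computed values and rendered manifests, so whatever credentials values.yaml carries (the Harbor chart reads its admin password and similar keys from it) land in the terminal and in any shell or CI log that captures this script; drop `--debug` from the committed script and add it ad hoc when troubleshooting. The script also has no shebang and no `set -euo pipefail`, and `-f values.yaml` resolves against the caller's cwd rather than the script's directory, so it only works when invoked from `infra-cluster/harbor/helm/`. The chart version is not pinned either, so every run floats to the newest `harbor/harbor` in the repo; a `--version` with the tested chart version would make upgrades deliberate. Rewritten script below; the placeholder version must be filled in.
```shell
#!/usr/bin/env bash
set -euo pipefail
# Run relative to this file so -f values.yaml is found from any cwd.
cd -- "$(dirname -- "${BASH_SOURCE[0]}")"
#helm repo add harbor https://helm.goharbor.io
# --debug deliberately omitted: it prints computed values (incl. credentials) to the log.
# TODO: add --version <PINNED_CHART_VERSION> once the tested chart version is recorded.
helm upgrade --install harbor -f values.yaml harbor/harbor -n harbor --create-namespace
```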
diff --git a/deployments/harbor/values.yaml b/infra-cluster/harbor/helm/values.yaml
similarity index 99%
rename from deployments/harbor/values.yaml
rename to infra-cluster/harbor/helm/values.yaml
index 61c712f..1e3669a 100644
--- a/deployments/harbor/values.yaml
+++ b/infra-cluster/harbor/helm/values.yaml
@@ -44,7 +44,7 @@ expose:
 controller: default
 ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress
 kubeVersionOverride: ""
- className: ""
+ className: "nginx"
 annotations:
 # note different ingress controllers may require a different ssl-redirect annotation
 # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below
@@ -215,14 +215,14 @@ persistence:
 # Specify the "storageClass" used to provision the volume. Or the default
 # StorageClass will be used (the default).
 # Set it to "-" to disable dynamic provisioning
- storageClass: "nfs-client"
+ storageClass: ""
 subPath: ""
 accessMode: ReadWriteOnce
 size: 50Gi
 annotations: {}
 chartmuseum:
 existingClaim: ""
- storageClass: "nfs-client"
+ storageClass: ""
 subPath: ""
 accessMode: ReadWriteOnce
 size: 5Gi
@@ -230,14 +230,14 @@ persistence:
 jobservice:
 jobLog:
 existingClaim: ""
- storageClass: "nfs-client"
+ storageClass: ""
 subPath: ""
 accessMode: ReadWriteOnce
 size: 1Gi
 annotations: {}
 scanDataExports:
 existingClaim: ""
- storageClass: "nfs-client"
+ storageClass: ""
 subPath: ""
 accessMode: ReadWriteOnce
 size: 1Gi
@@ -246,7 +246,7 @@ persistence:
 # be ignored
 database:
 existingClaim: ""
- storageClass: "nfs-client"
+ storageClass: ""
 subPath: ""
 accessMode: ReadWriteOnce
 size: 1Gi
diff --git a/infra-cluster/harbor/namespace/harbor.yaml b/infra-cluster/harbor/namespace/harbor.yaml
new file mode 100644
index 0000000..0a27fb7
--- /dev/null
+++ b/infra-cluster/harbor/namespace/harbor.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: harbor
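Review bot: The `storageClass: ""` switch in the -215 hunk (and the same change in the -230 and -246 hunks below it) makes every Harbor volume — registry, chartmuseum, job logs, scan exports and the database — depend on whichever StorageClass is marked default in the infra cluster; nothing in the diff records what that is, and if no default exists the PVCs stay Pending and the release never comes up. On the k3s install described in cluster-v2-design.md the default is presumably k3s's bundled local-path provisioner, which keeps each volume on one node's disk with no replication — acceptable for a single VM, but it should be stated next to the first switch, e.g. `# "" = cluster default StorageClass (expected: k3s local-path on infra-cluster); node-local, back up the registry and database volumes separately`. Running `kubectl get storageclass` against the infra cluster before the first upgrade would confirm the assumption.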
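Review bot: This Namespace manifest duplicates `--create-namespace` on the helm line in infra-cluster/harbor/helm/upgrade.bash, so two things own the `harbor` namespace and whichever runs first creates it; pick one owner. Keeping the manifest is the better choice because it is where namespace-level policy (Pod Security Admission labels, quotas) belongs and helm's auto-created namespace never gets any, so consider dropping `--create-namespace` from the script and applying this file first; if it stays, a short comment such as `# applied before helm; see helm/upgrade.bash` would make the ordering explicit.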