Move helm to infra.

.gitignore

@@ -1 +1,2 @@
 secrets/
+.*secret.*

cluster-v2-design.md

@@ -233,14 +233,26 @@ Lightsail:
 
 Infra Cluster:
 - RAM 4 GiB total
-- 3 CPUs
+- 2 CPUs
 - 120Gib Hardrive
 
 Main Cluster:
 - RAM 4 GiB total
-- 3 CPUs
+- 2 CPUs
 - 120Gib Hardrive
 
+## Secrets
+
+Options:
+Mozilla Kops
+Bitnami Sealed Secrets
+
+Both work with Flux.
+Sealed Secrets seems more integrated with k8s when not using
+Flux.
+
+Decision: Bitnami Sealed Secrets
+
 ## Experiments
 
 ### k3s with cilium and nginx on Centos Stream 9
@@ -315,3 +327,102 @@ nmcli connection modify enp4s0 autoconnect no
 nmcli connection down enp4s0
 nmcli connection up id br0
 ```
+
+### Kubeseal Use
+cat secret.yaml | kubeseal --format yaml > sealedsecret.yaml
+
+# Actual Install Notes
+
+Fedora Server 37 keep defaults.
+
+Infra:
+On VM:
+```
+sudo hostnamectl set-hostname infra-cluster
+sudo systemctl disable firewalld --now
+sudo su
+export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.44.0.0/16 --service-cidr 10.45.0.0/16 --cluster-dns 10.45.0.10 --selinux"
+curl -sfL https://get.k3s.io | sh -s -
+exit
+sudo cp /etc/rancher/k3s/k3s.yaml ~/infra.yaml
+sudo chown jimmy:jimmy ~/infra.yaml
+exit
+```
+
+on laptop
+```
+scp jimmy@192.168.1.112:~/infra.yaml /home/jimmy/.kube/.
+export KUBECONFIG=~/.kube/infra.yaml
+vim KUBECONFIG and fix ip.
+```
+Install cilium cli.
+
+On laptop:
+```
+cilium install
+```
+wait...
+```
+helm upgrade --debug --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace
+```
+Main:
+On VM:
+```
+sudo hostnamectl set-hostname j7s-cluster
+sudo systemctl disable firewalld --now
+sudo su
+export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.46.0.0/16 --service-cidr 10.47.0.0/16 --cluster-dns 10.47.0.10 --selinux"
+curl -sfL https://get.k3s.io | sh -s -
+exit
+sudo cp /etc/rancher/k3s/k3s.yaml ~/j7s-cluster.yaml
+sudo chown jimmy:jimmy ~/j7s-cluster.yaml
+exit
+```
+
+on laptop
+```
+scp jimmy@192.168.1.103:~/j7s-cluster.yaml /home/jimmy/.kube/.
+export KUBECONFIG=~/.kube/j7s-cluster.yaml
+vim KUBECONFIG and fix ip.
+```
+On laptop:
+```
+cilium install
+```
+wait...
+```
+helm upgrade --debug --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace
+```
+
+Install Sealed Secrets:
+
+Main:
+```
+export KUBECONFIG=~/.kube/j7s-cluster.yaml
+wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.5/controller.yaml
+kubectl apply -f controller.yaml
+```
+Infra:
+```
+export KUBECONFIG=~/.kube/infra.yaml
+kubectl apply -f controller.yaml
+rm controller.yaml
+```
+
+Install kubeseal.
+
+Merge kube config files:
+
+1. Manually modify each config file and get rid of all the defaults
+   to something unique for that file.
+   ( I have k3s for the original cluster, j7s for the new main cluster, and infra
+     for the new infra cluster. )
+2. Do some magic.
+```
+cp config.yaml config.yaml.back.<date>
+export KUBECONFIG=~/.kube/config:~/.kube/infra.yaml:~/.kube/j7s-cluster.yaml
+kubectl config view --flatten > new-config
+mv new-confg config
+export KUBECONFIG=~/.kube/config
+```
+

deployments/harbor/upgrade.bash

@@ -1,2 +0,0 @@
-#helm repo add harbor https://helm.goharbor.io
-helm upgrade harbor -f values.yaml harbor/harbor -n harbor

infra-cluster/harbor/helm/upgrade.bash

@@ -0,0 +1,2 @@
+#helm repo add harbor https://helm.goharbor.io
+helm upgrade --debug --install harbor -f values.yaml harbor/harbor -n harbor --create-namespace

infra-cluster/harbor/helm/values.yaml

@@ -44,7 +44,7 @@ expose:
     controller: default
     ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress
     kubeVersionOverride: ""
-    className: ""
+    className: "nginx"
     annotations:
       # note different ingress controllers may require a different ssl-redirect annotation
       # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below
@@ -215,14 +215,14 @@ persistence:
       # Specify the "storageClass" used to provision the volume. Or the default
       # StorageClass will be used (the default).
       # Set it to "-" to disable dynamic provisioning
-      storageClass: "nfs-client"
+      storageClass: ""
       subPath: ""
       accessMode: ReadWriteOnce
       size: 50Gi
       annotations: {}
     chartmuseum:
       existingClaim: ""
-      storageClass: "nfs-client"
+      storageClass: ""
       subPath: ""
       accessMode: ReadWriteOnce
       size: 5Gi
@@ -230,14 +230,14 @@ persistence:
     jobservice:
       jobLog:
         existingClaim: ""
-        storageClass: "nfs-client"
+        storageClass: ""
         subPath: ""
         accessMode: ReadWriteOnce
         size: 1Gi
         annotations: {}
       scanDataExports:
         existingClaim: ""
-        storageClass: "nfs-client"
+        storageClass: ""
         subPath: ""
         accessMode: ReadWriteOnce
         size: 1Gi
@@ -246,7 +246,7 @@ persistence:
     # be ignored
     database:
       existingClaim: ""
-      storageClass: "nfs-client"
+      storageClass: ""
       subPath: ""
       accessMode: ReadWriteOnce
       size: 1Gi

infra-cluster/harbor/namespace/harbor.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: harbor