Move helm to infra.

2023-03-03 19:13:50 -05:00 · 2023-03-03 19:13:50 -05:00 · 7b31deb65b
parent 34a1b2b567
commit 7b31deb65b
7 changed files with 126 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 secrets/
+.*secret.*
--- a/cluster-v2-design.md
+++ b/cluster-v2-design.md
@ -233,14 +233,26 @@ Lightsail:

 Infra Cluster:
 - RAM 4 GiB total
- 3 CPUs
+- 2 CPUs
 - 120Gib Hardrive

 Main Cluster:
 - RAM 4 GiB total
- 3 CPUs
+- 2 CPUs
 - 120Gib Hardrive

+## Secrets
+
+Options:
+Mozilla Kops
+Bitnami Sealed Secrets
+
+Both work with Flux.
+Sealed Secrets seems more integrated with k8s when not using
+Flux.
+
+Decision: Bitnami Sealed Secrets
+
 ## Experiments

 ### k3s with cilium and nginx on Centos Stream 9
@ -315,3 +327,102 @@ nmcli connection modify enp4s0 autoconnect no
 nmcli connection down enp4s0
 nmcli connection up id br0
 ```
+
+### Kubeseal Use
+cat secret.yaml | kubeseal --format yaml > sealedsecret.yaml
+
+# Actual Install Notes
+
+Fedora Server 37 keep defaults.
+
+Infra:
+On VM:
+```
+sudo hostnamectl set-hostname infra-cluster
+sudo systemctl disable firewalld --now
+sudo su
+export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.44.0.0/16 --service-cidr 10.45.0.0/16 --cluster-dns 10.45.0.10 --selinux"
+curl -sfL https://get.k3s.io | sh -s -
+exit
+sudo cp /etc/rancher/k3s/k3s.yaml ~/infra.yaml
+sudo chown jimmy:jimmy ~/infra.yaml
+exit
+```
+
+on laptop
+```
+scp jimmy@192.168.1.112:~/infra.yaml /home/jimmy/.kube/.
+export KUBECONFIG=~/.kube/infra.yaml
+vim KUBECONFIG and fix ip.
+```
+Install cilium cli.
+
+On laptop:
+```
+cilium install
+```
+wait...
+```
+helm upgrade --debug --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace
+```
+Main:
+On VM:
+```
+sudo hostnamectl set-hostname j7s-cluster
+sudo systemctl disable firewalld --now
+sudo su
+export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.46.0.0/16 --service-cidr 10.47.0.0/16 --cluster-dns 10.47.0.10 --selinux"
+curl -sfL https://get.k3s.io | sh -s -
+exit
+sudo cp /etc/rancher/k3s/k3s.yaml ~/j7s-cluster.yaml
+sudo chown jimmy:jimmy ~/j7s-cluster.yaml
+exit
+```
+
+on laptop
+```
+scp jimmy@192.168.1.103:~/j7s-cluster.yaml /home/jimmy/.kube/.
+export KUBECONFIG=~/.kube/j7s-cluster.yaml
+vim KUBECONFIG and fix ip.
+```
+On laptop:
+```
+cilium install
+```
+wait...
+```
+helm upgrade --debug --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace
+```
+
+Install Sealed Secrets:
+
+Main:
+```
+export KUBECONFIG=~/.kube/j7s-cluster.yaml
+wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.19.5/controller.yaml
+kubectl apply -f controller.yaml
+```
+Infra:
+```
+export KUBECONFIG=~/.kube/infra.yaml
+kubectl apply -f controller.yaml
+rm controller.yaml
+```
+
+Install kubeseal.
+
+Merge kube config files:
+
+1. Manually modify each config file and get rid of all the defaults
+   to something unique for that file.
+   ( I have k3s for the original cluster, j7s for the new main cluster, and infra
+     for the new infra cluster. )
+2. Do some magic.
+```
+cp config.yaml config.yaml.back.<date>
+export KUBECONFIG=~/.kube/config:~/.kube/infra.yaml:~/.kube/j7s-cluster.yaml
+kubectl config view --flatten > new-config
+mv new-confg config
+export KUBECONFIG=~/.kube/config
+```
+
--- a/deployments/harbor/upgrade.bash
+++ b/deployments/harbor/upgrade.bash
@ -1,2 +0,0 @@
-#helm repo add harbor https://helm.goharbor.io
-helm upgrade harbor -f values.yaml harbor/harbor -n harbor
--- a/infra-cluster/harbor/helm/install.bash
+++ b/infra-cluster/harbor/helm/install.bash
--- a/infra-cluster/harbor/helm/upgrade.bash
+++ b/infra-cluster/harbor/helm/upgrade.bash
@ -0,0 +1,2 @@
+#helm repo add harbor https://helm.goharbor.io
+helm upgrade --debug --install harbor -f values.yaml harbor/harbor -n harbor --create-namespace
--- a/infra-cluster/harbor/helm/values.yaml
+++ b/infra-cluster/harbor/helm/values.yaml
@ -44,7 +44,7 @@ expose:
    controller: default
    ## Allow .Capabilities.KubeVersion.Version to be overridden while creating ingress
    kubeVersionOverride: ""
-    className: ""
+    className: "nginx"
    annotations:
      # note different ingress controllers may require a different ssl-redirect annotation
      # for Envoy, use ingress.kubernetes.io/force-ssl-redirect: "true" and remove the nginx lines below
@ -215,14 +215,14 @@ persistence:
      # Specify the "storageClass" used to provision the volume. Or the default
      # StorageClass will be used (the default).
      # Set it to "-" to disable dynamic provisioning
-      storageClass: "nfs-client"
+      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 50Gi
      annotations: {}
    chartmuseum:
      existingClaim: ""
-      storageClass: "nfs-client"
+      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 5Gi
@ -230,14 +230,14 @@ persistence:
    jobservice:
      jobLog:
        existingClaim: ""
-        storageClass: "nfs-client"
+        storageClass: ""
        subPath: ""
        accessMode: ReadWriteOnce
        size: 1Gi
        annotations: {}
      scanDataExports:
        existingClaim: ""
-        storageClass: "nfs-client"
+        storageClass: ""
        subPath: ""
        accessMode: ReadWriteOnce
        size: 1Gi
@ -246,7 +246,7 @@ persistence:
    # be ignored
    database:
      existingClaim: ""
-      storageClass: "nfs-client"
+      storageClass: ""
      subPath: ""
      accessMode: ReadWriteOnce
      size: 1Gi
--- a/infra-cluster/harbor/namespace/harbor.yaml
+++ b/infra-cluster/harbor/namespace/harbor.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: harbor