From e466328b458df983977eef54c0269090d0f28ab9 Mon Sep 17 00:00:00 2001 From: James Pace Date: Mon, 27 May 2024 10:21:15 -0400 Subject: [PATCH] Add docs on upgrading k3s and rotating certs. --- docs/rotating_k3s_certs.md | 37 ++++++++++++++++++++++++++ docs/upgrading-k3s-notes.md | 53 +++++++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 docs/rotating_k3s_certs.md create mode 100644 docs/upgrading-k3s-notes.md diff --git a/docs/rotating_k3s_certs.md b/docs/rotating_k3s_certs.md new file mode 100644 index 0000000..6efe1ae --- /dev/null +++ b/docs/rotating_k3s_certs.md @@ -0,0 +1,37 @@ +# Rotating k8s certs + +Problem: k3s client certs, including the admin cert expire after 1 year. + +To see cert: +``` +cat ~/.kube/config | grep client-certificate-data | cut -f2 -d : | tr -d ' ' | base64 -d | openssl x509 -text -out - +``` + +``` +ssh jimmy@192.168.1.103 +sudo systemctl stop k3s +sudo k3s certificate rotate +sudo systemctl start k3s + + +``` + +``` +sudo cp /etc/rancher/k3s/k3s.yaml ~/j7s-cluster.yaml +sudo chown jimmy:jimmy ~/j7s-cluster.yaml +exit + +``` + +``` +rm ~/.kube/j7s-cluster.yaml +scp jimmy@192.168.1.103:~/j7s-cluster.yaml /home/jimmy/.kube/. +# Use text editor to fix IP in file. + +``` + +``` +export KUBECONFIG=~/.kube/j7s-cluster.yaml +kubectl get nodes +``` + diff --git a/docs/upgrading-k3s-notes.md b/docs/upgrading-k3s-notes.md new file mode 100644 index 0000000..781d220 --- /dev/null +++ b/docs/upgrading-k3s-notes.md 
@@ -0,0 +1,53 @@ +# Notes on updating k3s and cilium + +Notes: +1. Cilium need to be uninstalled with the cilium cli version it was installed with, + then reinstalled using the new cilium cli and the new installation instructions. +2. K3S can be updated by calling the install script with the same options as before. + + +Update k3s. +Update cilium. + +Update k3s. + +j7s-cluster: +``` +export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.46.0.0/16 --service-cidr 10.47.0.0/16 --cluster-dns 10.47.0.10 --selinux --resolv-conf /run/systemd/resolve/resolv.conf" +curl -sfL https://get.k3s.io | sh -s - +``` + +infra-cluster: +``` +export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.44.0.0/16 --service-cidr 10.45.0.0/16 --cluster-dns 10.45.0.10 --selinux" +curl -sfL https://get.k3s.io | sh -s - +``` + +I don't know why I needed resolve-conf in one but not the other, but I did confirm it was not set in the infra-cluster systemd file... + +Update cilium: + + +1. Move cilium binary to cilium-original + +For j7s-cluster: +2. `export KUBECONFIG=~/.kube/j7s-cluster.yaml` +3. `cilium-original uninstall` +4. `cilium install --version 1.15.5 --set=ipam.operator.clusterPoolIPv4PodCIDRList="10.46.0.0/16"` +5. `ssh jimmy@192.168.1.103` +6. `sudo su` +7. `iptables-save | grep -v '\-A' | iptables-restore` +8. `exit` `exit` + + +For infra cluster: +2. `export KUBECONFIG=~/.kube/infra.yaml` +3. `cilium-original uninstall` +4. `cilium install --version 1.15.5 --set=ipam.operator.clusterPoolIPv4PodCIDRList="10.44.0.0/16"` +wait...... +5. `ssh jimmy@192.168.1.112` +6. `sudo su` +7. `iptables-save | grep -v '\-A' | iptables-restore` +8. `exit` `exit` + +I didn't wait where I put wait..... and had to rstart k3s...
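Review bot: docs/rotating_k3s_certs.md, third and fourth code blocks: the copy of the admin kubeconfig made with `sudo cp /etc/rancher/k3s/k3s.yaml ~/j7s-cluster.yaml` is never removed from the node after the `scp`, and neither copy is given restrictive permissions. This is the file that holds `client-certificate-data` for the admin cert, so add an `rm ~/j7s-cluster.yaml` step on 192.168.1.103 once the scp has finished and a `chmod 600 ~/.kube/j7s-cluster.yaml` on the local machine. The "To see cert" command dumps the whole certificate; if the goal is to check the one-year expiry, `openssl x509 -noout -enddate` shows just that, and `-out -` can be dropped because stdout is already the default. The comment `# Use text editor to fix IP in file.` should say which field to change and to what value. The code blocks after the first have no lead-in saying which machine each one runs on. The title says k8s while the file name and the body say k3s.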
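Review bot: docs/upgrading-k3s-notes.md, step 7 in both cluster lists: `iptables-save | grep -v '\-A' | iptables-restore` drops every appended rule on the node, not only the ones left behind by the old Cilium install, and the doc gives no reason for running it. Say why the step is needed and note that any other rules on the host are removed with it, or narrow the filter to the leftover rules. The k3s blocks pipe `https://get.k3s.io` into `sh` with no version set, while Cilium is pinned to 1.15.5; recording the k3s version that was installed (the install script accepts INSTALL_K3S_VERSION) would make the notes repeatable. The `wait......` line should state what to wait for, for example `cilium status --wait`, and it appears only in the infra cluster list. Smaller points: "Update k3s." appears twice in the outline, both lists start at 2 after the shared step 1, the prose says resolve-conf where the flag is `--resolv-conf`, and "rstart" should be "restart".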