Add docs on upgrading k3s and rotating certs.

James Pace 2024-05-27 10:21:15 -04:00
parent a19a55318d
commit e466328b45
2 changed files with 90 additions and 0 deletions


@ -0,0 +1,37 @@
# Rotating k8s certs
Problem: k3s client certs, including the admin cert expire after 1 year.
To see cert:
```
cat ~/.kube/config | grep client-certificate-data | cut -f2 -d : | tr -d ' ' | base64 -d | openssl x509 -text -out -
```
```
ssh jimmy@192.168.1.103
sudo systemctl stop k3s
sudo k3s certificate rotate
sudo systemctl start k3s
```
```
sudo cp /etc/rancher/k3s/k3s.yaml ~/j7s-cluster.yaml
sudo chown jimmy:jimmy ~/j7s-cluster.yaml
exit
```
```
rm ~/.kube/j7s-cluster.yaml
scp jimmy@192.168.1.103:~/j7s-cluster.yaml /home/jimmy/.kube/.
# Use text editor to fix IP in file.
```
```
export KUBECONFIG=~/.kube/j7s-cluster.yaml
kubectl get nodes
```
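Review bot: the server-side copy created by `sudo cp /etc/rancher/k3s/k3s.yaml ~/j7s-cluster.yaml` is never removed. The doc deletes the old local file and pulls the new one with scp, but the admin kubeconfig, which embeds the client key, stays in jimmy's home directory on 192.168.1.103. Suggest setting the mode explicitly with `chmod 600 ~/j7s-cluster.yaml` after the chown, deleting the copy on the server once the scp has succeeded, and running `chmod 600` on the file under ~/.kube as well. Two smaller points: the code blocks have no text between them saying which machine each one runs on (the first, fourth and fifth are on the workstation, the second and third on the node), and since the stated problem is expiry, `openssl x509 -noout -enddate` in the "To see cert" command would print just the expiry date instead of the full certificate dump.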


@ -0,0 +1,53 @@
# Notes on updating k3s and cilium
Notes:
1. Cilium need to be uninstalled with the cilium cli version it was installed with,
then reinstalled using the new cilium cli and the new installation instructions.
2. K3S can be updated by calling the install script with the same options as before.
Update k3s.
Update cilium.
Update k3s.
j7s-cluster:
```
export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.46.0.0/16 --service-cidr 10.47.0.0/16 --cluster-dns 10.47.0.10 --selinux --resolv-conf /run/systemd/resolve/resolv.conf"
curl -sfL https://get.k3s.io | sh -s -
```
infra-cluster:
```
export INSTALL_K3S_EXEC="server --disable traefik --flannel-backend=none --disable-network-policy --cluster-cidr 10.44.0.0/16 --service-cidr 10.45.0.0/16 --cluster-dns 10.45.0.10 --selinux"
curl -sfL https://get.k3s.io | sh -s -
```
I don't know why I needed resolve-conf in one but not the other, but I did confirm it was not set in the infra-cluster systemd file...
Update cilium:
1. Move cilium binary to cilium-original
For j7s-cluster:
2. `export KUBECONFIG=~/.kube/j7s-cluster.yaml`
3. `cilium-original uninstall`
4. `cilium install --version 1.15.5 --set=ipam.operator.clusterPoolIPv4PodCIDRList="10.46.0.0/16"`
5. `ssh jimmy@192.168.1.103`
6. `sudo su`
7. `iptables-save | grep -v '\-A' | iptables-restore`
8. `exit` `exit`
For infra cluster:
2. `export KUBECONFIG=~/.kube/infra.yaml`
3. `cilium-original uninstall`
4. `cilium install --version 1.15.5 --set=ipam.operator.clusterPoolIPv4PodCIDRList="10.44.0.0/16"`
wait......
5. `ssh jimmy@192.168.1.112`
6. `sudo su`
7. `iptables-save | grep -v '\-A' | iptables-restore`
8. `exit` `exit`
I didn't wait where I put wait..... and had to rstart k3s...
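Review bot: step 7 in both cluster sections, `iptables-save | grep -v '\-A' | iptables-restore`, removes every appended rule in every table on the node, not only the ones left behind by the old Cilium install, so any host firewall rules on 192.168.1.103 and 192.168.1.112 are dropped too. The doc should say why the flush is needed and note that non-Kubernetes rules have to be restored afterwards, or filter only the stale CNI chains. Second, the `wait......` marker appears only in the infra cluster steps and the closing line says skipping it forced a k3s restart; replacing it with an explicit `cilium status --wait` step after `cilium install` in both sections would make the wait checkable. Third, Cilium is pinned to 1.15.5 but the `curl -sfL https://get.k3s.io | sh -s -` lines install whatever version the script defaults to on the day it is run; setting `INSTALL_K3S_VERSION` next to `INSTALL_K3S_EXEC` would record the k3s version these notes were tested with. The "Update k3s. Update cilium. Update k3s." lines also read as a duplicated outline and could be reduced to the two section headings.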