Do some updates, add more stuff

README.md

@@ -4,25 +4,33 @@ Kubebag is my playground where I am learning about k8s by trying to create a Kub
 
 ## Setup
 
-Get Fedora CoreOS running:
+Install virt-manager and deps. Edit "default" network via `virsh net-edit default` and make the dhcp pool start at 100.
+
+Next, get Fedora CoreOS running:
 
 ```bash
 virt-install --name=fcos --vcpus=3 --ram=6144 \
 --os-variant=fedora-coreos-stable \
 --import \
 --network=bridge=virbr0 \
 --disk=size=20,backing_store=/home/gene/Downloads/fedora-coreos.qcow2 \
---qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/home/gene/Downloads/server.ign" \
+--qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/home/gene/repos/kubebag/server.ign" \
 --graphics=none
 ```
 
 Copy over a kube connfig:
 
 ```bash
-IPADDRESS=192.168.122.118 # update to IP of CoreOS
+IPADDRESS=192.168.122.10 # update to IP of CoreOS. This should match what is in server.bu
 ssh -o UserKnownHostsFile=/dev/null $IPADDRESS cat /etc/rancher/k3s/k3s.yaml |sed 's/default/k3s/g' |sed "s/127\.0\.0\.1/$IPADDRESS/" > ~/.kube/config
 ```
 
+Verify k3s access via
+
+```bash
+kubectl get ns
+```
+
 If not already installed.....
 
 ```bash
@@ -71,6 +79,12 @@ argocd argo/argo-cd --set configs.params."server.insecure"=true
 helm template ./infra-stage-1 |kubectl apply -f -
 ```
 
+Wait for apps to sync and be healthy by watching this:
+
+```bash
+kubectl -n argocd get Applications
+```
+
 Generate trust anchor for Linkerd:
 
 ```bash
@@ -90,7 +104,7 @@ kubeseal --controller-name=sealed-secrets \
 --controller-namespace=kubeseal -o yaml > infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml
 ```
 
-Update ca cert in linkerd-control-plane with one generated above and then commit to git and push.
+Update ca cert in `infra-stage-2/templates/apps/app-linkerd-control-plane.yaml` with one generated above and then commit to git and push.
 
 ```bash
 helm template ./infra-stage-2 |kubectl apply -f -
@@ -111,6 +125,8 @@ ARGOCD_PW=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath
 
 ~/argocd login localhost:8080 --insecure --username admin --password $ARGOCD_PW
 ~/argocd account update-password --current-password $ARGOCD_PW
+~/argocd login localhost:8080 --insecure --username admin # use new password
+
 ```
 
 ## To Do / Notes

infra-stage-1/templates/cilium/lb-ip-pools.yaml

@@ -0,0 +1,7 @@
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "first-pool"
+spec:
+  blocks:
+  - cidr: "192.168.122.16/28"

infra-stage-2/templates/apps/app-linkerd-control-plane.yaml

@@ -18,55 +18,21 @@ spec:
         - name: identityTrustAnchorsPEM
           value: |
             -----BEGIN CERTIFICATE-----
-            MIIBjDCCATOgAwIBAgIQFcdhaMcm8qlAQ0+lCWg0rTAKBggqhkjOPQQDAjAlMSMw
-            IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDA4MDIyMDQ4
-            NTdaFw0zNDA3MzEyMDQ4NTdaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz
-            dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESXvpCxx+j3BR48uE
-            JJwM1rURWP7q80gBmfURNCBVFXir4VtAFyNv3oJ1i7SVKP58rHf02gH1gEc5tyJK
-            VNuGB6NFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD
-            VR0OBBYEFJ7If0SpFqAcPhQaKkpiaC3zsNSIMAoGCCqGSM49BAMCA0cAMEQCIDEG
-            /ymV8+7CRPsQLF3MbpjuFTmkATuSpKcyEURu1XdSAiBpCB44ctX3Ap1pSzYHKAQK
-            WuGsyFQ92FLhKbt2MWYQ5w==
+            MIIBjzCCATSgAwIBAgIRAO1q0LzjFD5YDGC7l/003H8wCgYIKoZIzj0EAwIwJTEj
+            MCEGA1UEAxMacm9vdC5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjQwODA0MDIx
+            MzU3WhcNMzQwODAyMDIxMzU3WjAlMSMwIQYDVQQDExpyb290LmxpbmtlcmQuY2x1
+            c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJic6Hy3IiLBl1YT
+            s9rHtdQd6K6JdIVCP6uI71kMSEWosPKDWMM62CHlu4bGKKv6T75ad7KeuznM4ZmQ
+            6EV7vvijRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0G
+            A1UdDgQWBBQGUEd2teG0dkiTcvJWLtYJGkKuOjAKBggqhkjOPQQDAgNJADBGAiEA
+            l6LdXdFrs8NoYvOAzaTao645HxCK3nGp3crXJ4rE6+0CIQDkPmc3iOVk6NjwQOHk
+            lTL53KyZiSx9oM+ZhhffW1sDUg==
             -----END CERTIFICATE-----
         - name: identity.issuer.scheme
           value: kubernetes.io/tls
   destination:
     namespace: linkerd
     server: https://kubernetes.default.svc
-  ignoreDifferences:
-    - group: ""
-      kind: Secret
-      name: linkerd-proxy-injector-k8s-tls
-      jsonPointers:
-        - /data/tls.crt
-        - /data/tls.key
-    - group: ""
-      kind: Secret
-      name: linkerd-sp-validator-k8s-tls
-      jsonPointers:
-        - /data/tls.crt
-        - /data/tls.key
-    - group: ""
-      kind: Secret
-      name: linkerd-policy-validator-k8s-tls
-      jsonPointers:
-        - /data/tls.crt
-        - /data/tls.key
-    - group: admissionregistration.k8s.io/v1
-      kind: MutatingWebhookConfiguration
-      name: linkerd-proxy-injector-webhook-config
-      jsonPointers:
-        - /webhooks/0/clientConfig/caBundle
-    - group: admissionregistration.k8s.io/v1
-      kind: ValidatingWebhookConfiguration
-      name: linkerd-sp-validator-webhook-config
-      jsonPointers:
-        - /webhooks/0/clientConfig/caBundle
-    - group: admissionregistration.k8s.io/v1
-      kind: ValidatingWebhookConfiguration
-      name: linkerd-policy-validator-webhook-config
-      jsonPointers:
-        - /webhooks/0/clientConfig/caBundle
   syncPolicy:
     automated:
       prune: true

infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml

@@ -7,8 +7,8 @@ metadata:
   namespace: linkerd
 spec:
   encryptedData:
-    tls.crt: AgCaC0kMEyxMN25o80pDA+2ZXardKBwnCfbJ2Edh3HWFGug8lDJRIVn8gkERWiXWZvWY0fopIIXpbjcvhMtHevllLFVJmGC3vtmVhro47cMqFY98CJkE9/J5yBNHi+rNq/iaY7CmcTt6JWxT5apXyAIHiowb/2ZvWfTNgkB0oqYnIC4MnaXora33YerZtZiEM8go48nAzNQ5/ivyN2y2qPBtmi3R0NfpCo6msm++CenwRwUD2MyyQ0IhjSj0oPjq1geGMOqmoKPynyp5dYIg+sQ2ESd2gk3uYdDQYqQBWS/Z9Fe1BxzsxrVTHNURf24vDaEuLz+UQwqH/VVYpc59d330TKlxn1DEgxXyhkBbTXsjmMdK6DQGt/1PJr07X+tYtCiCQvYUALN1Y6wdLeoIuOgIMVVjfWUOJQQxJ1OEpPT/47xuZ5iMFcVDrCIcLeYBykv04TKV7hF5fSjRNmGhaE0FSIgTn7KgsKkIcnpzqb2xH3WSuYrrspRSKLpXtL0atS8p0e4NnxOt4vcjoXOCKYzR9im2SNKueCUIhRtbfGFhgUh6E5Cf/8YIzJo2NAZSGQd35FG7a9P+JjJDsIYuLseNaUWYyyTvcIfJ2ood8Pi7k7NZx0bXz9Ae3O3knQu5KGun/AgbGi2j0bsEJZ2ize3+1MiyBiuwiOWixZOy5HxEUWt4ohZpJ5DYL5K2sOG2oOOd4qHiHWem0xNsMn8pxeJ+2fIDxwGhqrsx2U/vLSTcdU/mtWM9yzU0x67em4iDIG7vvijPMGKg6IDh07Y6DXpciMlafggkFnhJ6rS4L1fAm8IVfPjAtZB1fBxLNM+VW9SVrZXgByvdKFPYo7lVwxZ1wq2sG691KcVLNv3nZjdCMoLGqPz1qWhkH68ODEsnFqyRgPlJuNKER+bPvh7i03FzpvDe3+1QSmA7+fk5zsgu70/QFS6A70+s4TRCf+DQPN/iSZ/BsxHGFcuVg3rT3yf/PR6eaQc5WKy6wtPC0Qw4c0sRdSLfH99fSMPf5sXtcKs8xdvopono2oI3pBHBDOXQdLrzzHXJOjVdHGuNuggVZMRozK8ZosVEEMiWz2MzU/Nl5sqOsacyUEqbMhaxWlQudbANf90RTkS9ITPk4m7YcnD8a2i3S0vZffVL1cX9simGCgZDDbV0xmtEpBf3rtCdtn43N1OL3rlmrgrUk/8+q0aGFSNZMGkpmficzYFVEtm/m3oeN0DfJ3eKu1LzGkX/wSNahWe5M+58m3hrkaG3TIwvIXkOBMB776yCnsHNffVhwDC4JYYm3hM/nBVI1d748948blShh0Cpre6y7xxKCJQpzd9Mr4sKy8dgaTCfwzxTwZwpMbJWib9b6RoocNU3miLVe0iXX7BhOmH5jNbIP/6JCR9OR3KnwWiqkcQwb5yvQrOaAqsEhIgIVlhxlcdJUP29VOKjNF/eEaFilMkoRFP7qmUqgqaXtbHjKgpLL+G+9erTB1uxX2Y5g3oH4Jgz6CFZAv2HqA==
-    tls.key: AgAE4DkEl82kkjLuaqhJjJ4J3RVqAD88KZRuW/odDm7Qg1vFVnqeF3avRRejcA/AINOJGu50ez1MZcuLfoxx6Y9lmCfsCzMI/YeD9l8SproNe6+xjqd19OHQ/d9DowjUmOwtSl/j9MU6gs2ExQILQTB6zqNklUEadpdxgk8Xl+YS09A58Vefy6dgoJzGav/S0BRymxvfXZWWLIY0h3QD1hVL9uoV+L8H6aovu+ZGmMwdSzbV/6qFoJHt/PBZEkC5G3BesJX21T2LTh7BsIvyvPOaZrG7BoRfu9oAtBQHqhoBtgv1hsvmjs9MFNtSUnPD2srYqG70YDpdQnp7pzOk/4Hx5Jkr29HM+0m/46Y3vI4XK7/HOoOuxNEz4UWhHhJHUVJF0E4DJp9DSd50QhBRP0X8/oXZLtyLR3xWRKrlds/XmSyUaMOKNwDKzKbmUTleSBALdgSafk21A/TnrfGt5uGoPjo1HyRSIaBsX4incJJFPR9D1t0F7+hku5KxJBfHJMmL84M2e+a6eVf3zJvhGy45EHIORqcY30NFcpaqvFSZXYwzjnB+zQVmyzY50NwhYZyN51GkwK89aIMFehTDj8mE6KHFH54f245sLOCkjvgN0Uey+s/U6ktVDcjldvmFOErmk33Tx1CQpL+VP1bnTYK3GYjxUXZ3D1/IJuUxbL+GGQJ8OA1eMwF85v1ndxiDZn2OHpifLTLA0GQEd0X+xQfbDljEWQHVOSOLgZepjO5zkwd5RawO1LXZ9MTAIZizrjWATEN3K7Kv5Ph/VB7ZchAkM7qaqwlP7mVsbbYm1ZoWkcM6dFmkir0Jl81CnF6lHvalgaCDY8XtwyMbs+EeLt9A15OpgqbPcuF9pRzHXdy2tj3uJWJ3JDhq+xiupdTgJaqS+4phluS49kNJsZnPa5uFCl2iNzQxqgXxGmJXClF5WVPoo+15u09UiqKBzshtQ0LgzPOPq6jKMpZooU+0HYzIdaAcFvLbgXd3HhaD7lBN0QZ0bQ==
+    tls.crt: AgCtDpNT9wVJ9z3ZuY7k9x2/dPfv2OOzJ9jNn1TVWhuivi7kkQ70lzvaaOmZDh/n8azLeGfXyqgoUy3O46FDlPsRDgkyl1hYujLekcKpJp3nlFRHAEoa6qX93d6+HTxeiuehUOz/f0VxUSFqtwhDox6+MZ7VQluFaBUyEkPF5d3mV6SxUGBC/d12BYw1s+zUIOiqNFQOl+x4piYih7PwTuiPCpVAEFehs5Ttpl1B20drk6mcaBqdPjawUPLfYmUwDYwCPiFVk/SuRrGDzZe9gBoihKf+tRf4HRuS4HlLojO14bZCRUsOmkhurzJbmYww8a/3fvQjx4fP8Tr0sLc4YTmud4/aHNQnVEOv5YUuS6/7/xuXj7qe9t6KdqC63FCI/rF9o3c52S0rW1xOecfnub/RTbiSJeLOnpgkNC+sK2oKLisUs0bQ9AclOruvDwDuKxzvE8h/K7NA072GSC1SuIKXTXnSGmqCIWR4sTbM4qChRn0UpnDm+C7t9m6MecVMKwhLXEByVh7miBpSejtJJqQKAbq2+1TMNBivuoVl0t46TB+Uc0BWz096EGzDcb5DhoUJJPv/B+HdFRGXOpaiiq6jm34gVJvxJo5jE1YOH2UCltBI9cYRZ0VlFYOyW89YFx7uLVo3VlLAIBC4lHL58Cr+AzemLpMNM8bC9MIsbRG6UExbVp0dfUJKIDoTX5/2fa+EfWkGhbGI84IZ+hmMtdzTzm7kMElvn7eJMMr1cJhyl1BxLmKPtze4I6ereiY5X2SQ5UM6stq2MD+jtHBcUrRSDnQCsaxXYcnkc/2dMy1AsNJS2l8aCrVmxGOq8tI/1LXXn45DExoxNIJwjp8Y5qZ4HT2tgRoCGG2GccckcKEdxhdjlUz/5xKkcz1XHvZ1M2XFE3M16QQXw4N56LEPERGflaLEdAnaok6uKenlrULIOqKzurZ32sHRtgEbJJpMdF1lawmlp/mBh/jPXlz17qMjLDlKqGBkT7Up710QRYN0zMP905G1tjRY/tlfd4RX3nOPol35VYhPoykHTnNEltJnTbHSnxleT+SdfnVkCfi+47uijdsGMa3xd4dCAuHh1PTwUyRKVmtkfgVFUskCDfJNA2E0qFH2WGy0jJpml5IfdRNSrPEY7mW84TeTU29Sx5Ux6O5s/JJg51QB5C2QKjUXQWr6+OhKmWVkWvtWkqumpE9WHFT5ld0nAE8eKIdqwDqx0ZHn3vxCuhYdtJeoMJScL3uBrqOlu8CmN+bbfgLytbstb7HS6TrHPyApm/yRgLmkv4Wg521tu5e1267j6BG+ck5/tR9l142NFbox2LyHUdOl6dJdGITIdvvCXtosz7oVLcN2wC1ZlQxUu3MWNzBwicCnjfk4YKLkMze5OL6n3/jRBNNfRvJiq6nmMwvLBWyWT3XCAcbTiGz8knfl+3XsgM3PniF7WOzoyPvug8D9JQk84Jwmnyfc004lUDsI9/aZdQb/4lIt0y1nHSBdnRbhYf5p3qbe6mBMdss=
+    tls.key: AgCxC2LhloTMml0QRJemZI6Q0zNVnxurYaQBBDUmbAvxJK7LyydPH+9kcEXCMZKPQ/BYa0vPjBeRf1AERpPzMv4Amegwj6sLJZoDB5YrF58UCeF92XFhI/mjPdSqImGOyc9+g9oY9XwqFd7sDYeuE9W7WdinJqsXYeJLyI6P2inAk07nN/wxg8bItbfb0y0+UwPt8qWDN7wUVHoHgXq9hUGB+MtCEwQTazG7nKMgFHOlwE2/cI6Sy1WAeldFATEplVuTGWmPVdpN9WOV7DR9zYXU+a2EolwZBajeUSVO/4HhZGL51cBxoDwAsn6gQ4BNB9BOYsJawAKC2fyOiY68pGsIeJWcbvrgpy3FIAikZ/21sgVN5dQ74C4Qw41B0GeBbgBRFeDiigv9t8JVfzZwgxTq6qs3y2p8wYn4+ErCgUvgWRCgGCENWQGYvLjxm7vRzI1MiAxfqQZtjHQZuTYKPnUHpvhrKo9MCeZpu28KTpwz7S53drmYWIJdB9xKjGgv5TuRLBHBfcjWXgixeH4If9HqqZtXpf9Bc6DhpxF8PW2veWbmDwSMDOYsXdEQx+YNLfUbWpm2qg9x4grd9N3pkitzpali5AbXD1MJlONgPHHbga7WFT980KNL7Qk/PRMcwSiLwiPmSM+oCWGKRcn0C3tMaH//r/tRa5jT2dGFE8fHzmUzq+RBrIn8XbqlqSMoex9FH4UiNwHAwOo5eAFWVWXoip9YlhzhfkAb5Xx2B3mFpJ2clqkifc/u0war0qXkTSB5bVXjXvFvMvGO54Ng0Ew/7ELlOqs9mooYTElsO8IkyA6CjqNb6ENlYHtdd25ywzoKfYQ7KCk9DEmNzmjORZugq81jJmwBnd+RxKac7k35SypY8XlkqQBTPQBv5cW4sgU/6T9L0M8zdxrdl4zd+xHYWiiXsWslKVV+dYBUEDj7Si6QJOSWrgTZ/IyJEMUbOVxkMk/rH7SzDRyabrXaT8WcbK+Q+s+7p2JVgnmlwf9IU5fg0A==
   template:
     metadata:
       creationTimestamp: null

server.bu

@@ -96,6 +96,21 @@ storage:
       mode: 0644
       contents:
         inline: fcos-vm1
+    - path: /etc/NetworkManager/system-connections/enp1s0.nmconnection
+      mode: 0600
+      contents:
+        inline: |
+          [connection]
+          id=enp1s0
+          type=ethernet
+          interface-name=enp1s0
+          [ipv4]
+          address1=192.168.122.10/24,192.168.122.1
+          dhcp-hostname=fcos-vm1
+          dns=192.168.122.1;
+          dns-search=
+          may-fail=false
+          method=manual
     - path: /etc/rancher/k3s/config.yaml
       mode: 0644
       contents:
@@ -108,6 +123,7 @@ storage:
           disable-network-policy: true
           flannel-backend: none
           selinux: true
+          tls-san: true
           write-kubeconfig-mode: "0644"
     - path: /etc/yum.repos.d/kubernetes.repo
       mode: 0644

server.ign

@@ -44,11 +44,19 @@
         },
         "mode": 420
       },
+      {
+        "path": "/etc/NetworkManager/system-connections/enp1s0.nmconnection",
+        "contents": {
+          "compression": "gzip",
+          "source": "data:;base64,H4sIAAAAAAAC/1TMwarDIBCF4f08yzU3SigtxScJWQw6ohBHcaaBvH1poYtsP87519CYKWhpvEGJnrhbmUHPTp4002BSKKw0EgYyjJV+m7X0Y9kAYxwkYr19uMne7pN1brLzv1v+LgIxh25yE/1GUmhijmohslyvzw8ZIRwhe6h4moRl9wl3IaikuUVfkV+4wzsAAP//T2zVVL4AAAA="
+        },
+        "mode": 384
+      },
       {
         "path": "/etc/rancher/k3s/config.yaml",
         "contents": {
           "compression": "gzip",
-          "source": "data:;base64,H4sIAAAAAAAC/1TMMa7DIBAE0J5TIPcr/cL6BbcBPEQrNou1QOzcPlISFylH82ayzD5gxMoj+GETbuMekyA478l32IMzJL3TsIjC9SJUZwLt1s7n75YU42hWaW/C+SqLRFUIpZgrdAtem8J1COs8v+YwHp/f3LTwje5tQ/DL3/+6Lu4VAAD//7ieEI+uAAAA"
+          "source": "data:;base64,H4sIAAAAAAAC/1SNMQ7DIBAEe16B3J+UwkrBbwCvoxOXw4Ijdn4fKbGLlKOd1WQZ3dCIlS14awNu4R6TIDjvyXe0F2dI+pK1iJXLpVAZCbS1erz/v6SwvbZCWxXO17hKVIVQirlAl+C1KlyHsI7jdEw69agn7Y3tV8lVV37Qsy4Ifrrd53lynwAAAP//PRlc6rwAAAA="
         },
         "mode": 420
       },