From ea5716a7b8eebea12f49612f2970ddd54fe93cd1 Mon Sep 17 00:00:00 2001 From: Gene Liverman Date: Sat, 3 Aug 2024 21:24:27 -0400 Subject: [PATCH] Do some updates, add more stuff --- README.md | 24 +++++++-- .../templates/cilium/lb-ip-pools.yaml | 7 +++ .../apps/app-linkerd-control-plane.yaml | 52 ++++--------------- .../linkerd/sealed-linkerd-trust-anchor.yaml | 4 +- server.bu | 16 ++++++ server.ign | 10 +++- 6 files changed, 63 insertions(+), 50 deletions(-) create mode 100644 infra-stage-1/templates/cilium/lb-ip-pools.yaml diff --git a/README.md b/README.md index 418d0d4..0c7220e 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,9 @@ Kubebag is my playground where I am learning about k8s by trying to create a Kub ## Setup -Get Fedora CoreOS running: +Install virt-manager and deps. Edit "default" network via `virsh net-edit default` and make the dhcp pool start at 100. + +Next, get Fedora CoreOS running: ```bash virt-install --name=fcos --vcpus=3 --ram=6144 \ @@ -12,17 +14,23 @@ virt-install --name=fcos --vcpus=3 --ram=6144 \ --import \ --network=bridge=virbr0 \ --disk=size=20,backing_store=/home/gene/Downloads/fedora-coreos.qcow2 \ ---qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/home/gene/Downloads/server.ign" \ +--qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=/home/gene/repos/kubebag/server.ign" \ --graphics=none ``` Copy over a kube connfig: ```bash -IPADDRESS=192.168.122.118 # update to IP of CoreOS +IPADDRESS=192.168.122.10 # update to IP of CoreOS. This should match what is in server.bu ssh -o UserKnownHostsFile=/dev/null $IPADDRESS cat /etc/rancher/k3s/k3s.yaml |sed 's/default/k3s/g' |sed "s/127\.0\.0\.1/$IPADDRESS/" > ~/.kube/config ``` +Verify k3s access via + +```bash +kubectl get ns +``` + If not already installed..... ```bash 
@@ -71,6 +79,12 @@ argocd argo/argo-cd --set configs.params."server.insecure"=true helm template ./infra-stage-1 |kubectl apply -f - ``` +Wait for apps to sync and be healthy by watching this: + +```bash +kubectl -n argocd get Applications +``` + Generate trust anchor for Linkerd: ```bash @@ -90,7 +104,7 @@ kubeseal --controller-name=sealed-secrets \ --controller-namespace=kubeseal -o yaml > infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml ``` -Update ca cert in linkerd-control-plane with one generated above and then commit to git and push. +Update ca cert in `infra-stage-2/templates/apps/app-linkerd-control-plane.yaml` with one generated above and then commit to git and push. ```bash helm template ./infra-stage-2 |kubectl apply -f - @@ -111,6 +125,8 @@ ARGOCD_PW=$(kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath ~/argocd login localhost:8080 --insecure --username admin --password $ARGOCD_PW ~/argocd account update-password --current-password $ARGOCD_PW +~/argocd login localhost:8080 --insecure --username admin # use new password + ``` ## To Do / Notes diff --git a/infra-stage-1/templates/cilium/lb-ip-pools.yaml b/infra-stage-1/templates/cilium/lb-ip-pools.yaml new file mode 100644 index 0000000..c01c6fa --- /dev/null +++ b/infra-stage-1/templates/cilium/lb-ip-pools.yaml @@ -0,0 +1,7 @@ +apiVersion: "cilium.io/v2alpha1" +kind: CiliumLoadBalancerIPPool +metadata: + name: "first-pool" +spec: + blocks: + - cidr: "192.168.122.16/28" diff --git a/infra-stage-2/templates/apps/app-linkerd-control-plane.yaml b/infra-stage-2/templates/apps/app-linkerd-control-plane.yaml index 4807f32..526d671 100644 --- a/infra-stage-2/templates/apps/app-linkerd-control-plane.yaml +++ b/infra-stage-2/templates/apps/app-linkerd-control-plane.yaml 
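Review bot: The new pool carries no `serviceSelector`, so as far as this manifest shows every Service of type LoadBalancer in any namespace can take an address from `192.168.122.16/28` and become reachable on the libvirt bridge; if that is intended it is worth stating, and if not a namespace or label selector should be added. The range also depends silently on the rest of this commit: the node's static address is `.10` (server.bu) and the README now asks the reader to start the libvirt DHCP pool at `.100`, which is what keeps `.16`–`.31` free of collisions. A comment above `blocks:` such as `# .16-.31: below the libvirt DHCP pool (starts at .100, see README) and clear of the node's static .10` records that assumption next to the value it protects.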
@@ -18,55 +18,21 @@ spec: - name: identityTrustAnchorsPEM value: | -----BEGIN CERTIFICATE----- - MIIBjDCCATOgAwIBAgIQFcdhaMcm8qlAQ0+lCWg0rTAKBggqhkjOPQQDAjAlMSMw - IQYDVQQDExpyb290LmxpbmtlcmQuY2x1c3Rlci5sb2NhbDAeFw0yNDA4MDIyMDQ4 - NTdaFw0zNDA3MzEyMDQ4NTdaMCUxIzAhBgNVBAMTGnJvb3QubGlua2VyZC5jbHVz - dGVyLmxvY2FsMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESXvpCxx+j3BR48uE - JJwM1rURWP7q80gBmfURNCBVFXir4VtAFyNv3oJ1i7SVKP58rHf02gH1gEc5tyJK - VNuGB6NFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYD - VR0OBBYEFJ7If0SpFqAcPhQaKkpiaC3zsNSIMAoGCCqGSM49BAMCA0cAMEQCIDEG - /ymV8+7CRPsQLF3MbpjuFTmkATuSpKcyEURu1XdSAiBpCB44ctX3Ap1pSzYHKAQK - WuGsyFQ92FLhKbt2MWYQ5w== + MIIBjzCCATSgAwIBAgIRAO1q0LzjFD5YDGC7l/003H8wCgYIKoZIzj0EAwIwJTEj + MCEGA1UEAxMacm9vdC5saW5rZXJkLmNsdXN0ZXIubG9jYWwwHhcNMjQwODA0MDIx + MzU3WhcNMzQwODAyMDIxMzU3WjAlMSMwIQYDVQQDExpyb290LmxpbmtlcmQuY2x1 + c3Rlci5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJic6Hy3IiLBl1YT + s9rHtdQd6K6JdIVCP6uI71kMSEWosPKDWMM62CHlu4bGKKv6T75ad7KeuznM4ZmQ + 6EV7vvijRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0G + A1UdDgQWBBQGUEd2teG0dkiTcvJWLtYJGkKuOjAKBggqhkjOPQQDAgNJADBGAiEA + l6LdXdFrs8NoYvOAzaTao645HxCK3nGp3crXJ4rE6+0CIQDkPmc3iOVk6NjwQOHk + lTL53KyZiSx9oM+ZhhffW1sDUg== -----END CERTIFICATE----- - name: identity.issuer.scheme value: kubernetes.io/tls destination: namespace: linkerd server: https://kubernetes.default.svc - ignoreDifferences: - - group: "" - kind: Secret - name: linkerd-proxy-injector-k8s-tls - jsonPointers: - - /data/tls.crt - - /data/tls.key - - group: "" - kind: Secret - name: linkerd-sp-validator-k8s-tls - jsonPointers: - - /data/tls.crt - - /data/tls.key - - group: "" - kind: Secret - name: linkerd-policy-validator-k8s-tls - jsonPointers: - - /data/tls.crt - - /data/tls.key - - group: admissionregistration.k8s.io/v1 - kind: MutatingWebhookConfiguration - name: linkerd-proxy-injector-webhook-config - jsonPointers: - - /webhooks/0/clientConfig/caBundle - - group: admissionregistration.k8s.io/v1 - kind: 
ValidatingWebhookConfiguration - name: linkerd-sp-validator-webhook-config - jsonPointers: - - /webhooks/0/clientConfig/caBundle - - group: admissionregistration.k8s.io/v1 - kind: ValidatingWebhookConfiguration - name: linkerd-policy-validator-webhook-config - jsonPointers: - - /webhooks/0/clientConfig/caBundle syncPolicy: automated: prune: true diff --git a/infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml b/infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml index af9dd29..6b2fc53 100644 --- a/infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml +++ b/infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml 
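Review bot: Dropping the whole `ignoreDifferences` block is the part of this hunk most likely to bite: in the stock Linkerd chart the webhook TLS Secrets and `caBundle` fields it covered are generated at render time, so unless those certificates are now produced elsewhere (nothing in this commit shows that) each Argo CD render yields a different value and, with `automated` sync, the Application either stays OutOfSync or re-applies continuously. If the removal is deliberate, a one-line comment under `destination:` saying why would help the next reader; otherwise the block should come back. Separately, the new `identityTrustAnchorsPEM` value must match the `tls.crt` sealed into `infra-stage-2/templates/linkerd/sealed-linkerd-trust-anchor.yaml` (the README step above has the reader copy it by hand), so a comment on that `- name:` line such as `# must match tls.crt in linkerd/sealed-linkerd-trust-anchor.yaml; regenerate both together` makes the coupling explicit. Note too that the old anchor is replaced rather than kept alongside the new one, which is fine for a fresh cluster but would invalidate existing proxy identities on a running one. The Application spec continues outside the hunk.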
@@ -7,8 +7,8 @@ metadata: namespace: linkerd spec: encryptedData: - tls.crt: AgCaC0kMEyxMN25o80pDA+2ZXardKBwnCfbJ2Edh3HWFGug8lDJRIVn8gkERWiXWZvWY0fopIIXpbjcvhMtHevllLFVJmGC3vtmVhro47cMqFY98CJkE9/J5yBNHi+rNq/iaY7CmcTt6JWxT5apXyAIHiowb/2ZvWfTNgkB0oqYnIC4MnaXora33YerZtZiEM8go48nAzNQ5/ivyN2y2qPBtmi3R0NfpCo6msm++CenwRwUD2MyyQ0IhjSj0oPjq1geGMOqmoKPynyp5dYIg+sQ2ESd2gk3uYdDQYqQBWS/Z9Fe1BxzsxrVTHNURf24vDaEuLz+UQwqH/VVYpc59d330TKlxn1DEgxXyhkBbTXsjmMdK6DQGt/1PJr07X+tYtCiCQvYUALN1Y6wdLeoIuOgIMVVjfWUOJQQxJ1OEpPT/47xuZ5iMFcVDrCIcLeYBykv04TKV7hF5fSjRNmGhaE0FSIgTn7KgsKkIcnpzqb2xH3WSuYrrspRSKLpXtL0atS8p0e4NnxOt4vcjoXOCKYzR9im2SNKueCUIhRtbfGFhgUh6E5Cf/8YIzJo2NAZSGQd35FG7a9P+JjJDsIYuLseNaUWYyyTvcIfJ2ood8Pi7k7NZx0bXz9Ae3O3knQu5KGun/AgbGi2j0bsEJZ2ize3+1MiyBiuwiOWixZOy5HxEUWt4ohZpJ5DYL5K2sOG2oOOd4qHiHWem0xNsMn8pxeJ+2fIDxwGhqrsx2U/vLSTcdU/mtWM9yzU0x67em4iDIG7vvijPMGKg6IDh07Y6DXpciMlafggkFnhJ6rS4L1fAm8IVfPjAtZB1fBxLNM+VW9SVrZXgByvdKFPYo7lVwxZ1wq2sG691KcVLNv3nZjdCMoLGqPz1qWhkH68ODEsnFqyRgPlJuNKER+bPvh7i03FzpvDe3+1QSmA7+fk5zsgu70/QFS6A70+s4TRCf+DQPN/iSZ/BsxHGFcuVg3rT3yf/PR6eaQc5WKy6wtPC0Qw4c0sRdSLfH99fSMPf5sXtcKs8xdvopono2oI3pBHBDOXQdLrzzHXJOjVdHGuNuggVZMRozK8ZosVEEMiWz2MzU/Nl5sqOsacyUEqbMhaxWlQudbANf90RTkS9ITPk4m7YcnD8a2i3S0vZffVL1cX9simGCgZDDbV0xmtEpBf3rtCdtn43N1OL3rlmrgrUk/8+q0aGFSNZMGkpmficzYFVEtm/m3oeN0DfJ3eKu1LzGkX/wSNahWe5M+58m3hrkaG3TIwvIXkOBMB776yCnsHNffVhwDC4JYYm3hM/nBVI1d748948blShh0Cpre6y7xxKCJQpzd9Mr4sKy8dgaTCfwzxTwZwpMbJWib9b6RoocNU3miLVe0iXX7BhOmH5jNbIP/6JCR9OR3KnwWiqkcQwb5yvQrOaAqsEhIgIVlhxlcdJUP29VOKjNF/eEaFilMkoRFP7qmUqgqaXtbHjKgpLL+G+9erTB1uxX2Y5g3oH4Jgz6CFZAv2HqA== - tls.key: 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 + tls.crt: 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 + tls.key: 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 template: metadata: creationTimestamp: null diff --git a/server.bu b/server.bu index 7e0f4cb..cd9825a 100644 --- a/server.bu +++ b/server.bu 
@@ -96,6 +96,21 @@ storage: mode: 0644 contents: inline: fcos-vm1 + - path: /etc/NetworkManager/system-connections/enp1s0.nmconnection + mode: 0600 + contents: + inline: | + [connection] + id=enp1s0 + type=ethernet + interface-name=enp1s0 + [ipv4] + address1=192.168.122.10/24,192.168.122.1 + dhcp-hostname=fcos-vm1 + dns=192.168.122.1; + dns-search= + may-fail=false + method=manual - path: /etc/rancher/k3s/config.yaml mode: 0644 contents: @@ -108,6 +123,7 @@ storage: disable-network-policy: true flannel-backend: none selinux: true + tls-san: true write-kubeconfig-mode: "0644" - path: /etc/yum.repos.d/kubernetes.repo mode: 0644 diff --git a/server.ign b/server.ign index 12ea60d..1a1f6b3 100644 --- a/server.ign +++ b/server.ign @@ -44,11 +44,19 @@ }, "mode": 420 }, + { + "path": "/etc/NetworkManager/system-connections/enp1s0.nmconnection", + "contents": { + "compression": "gzip", + "source": "data:;base64,H4sIAAAAAAAC/1TMwarDIBCF4f08yzU3SigtxScJWQw6ohBHcaaBvH1poYtsP87519CYKWhpvEGJnrhbmUHPTp4002BSKKw0EgYyjJV+m7X0Y9kAYxwkYr19uMne7pN1brLzv1v+LgIxh25yE/1GUmhijmohslyvzw8ZIRwhe6h4moRl9wl3IaikuUVfkV+4wzsAAP//T2zVVL4AAAA=" + }, + "mode": 384 + }, { "path": "/etc/rancher/k3s/config.yaml", "contents": { "compression": "gzip", - "source": "data:;base64,H4sIAAAAAAAC/1TMMa7DIBAE0J5TIPcr/cL6BbcBPEQrNou1QOzcPlISFylH82ayzD5gxMoj+GETbuMekyA478l32IMzJL3TsIjC9SJUZwLt1s7n75YU42hWaW/C+SqLRFUIpZgrdAtem8J1COs8v+YwHp/f3LTwje5tQ/DL3/+6Lu4VAAD//7ieEI+uAAAA" + "source": "data:;base64,H4sIAAAAAAAC/1SNMQ7DIBAEe16B3J+UwkrBbwCvoxOXw4Ijdn4fKbGLlKOd1WQZ3dCIlS14awNu4R6TIDjvyXe0F2dI+pK1iJXLpVAZCbS1erz/v6SwvbZCWxXO17hKVIVQirlAl+C1KlyHsI7jdEw69agn7Y3tV8lVV37Qsy4Ifrrd53lynwAAAP//PRlc6rwAAAA=" }, "mode": 420 },
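Review bot: `dhcp-hostname=fcos-vm1` in the new keyfile has no effect under `method=manual`, since NetworkManager only sends that key to a DHCP server, so it can be dropped; the hostname is already fixed by the file written just above (`inline: fcos-vm1`). The static address `192.168.122.10` is now something the README's `IPADDRESS` and the kubeconfig rewrite depend on, so a comment on the `- path:` line such as `# static node IP; the README's IPADDRESS must match this` would keep them from drifting apart. `mode: 0600` is the right choice for a keyfile (NetworkManager appears to ignore group- or world-readable ones) and is correctly rendered as `384` in server.ign; just remember the `.ign` has to be re-rendered with Butane every time this file changes.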
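Review bot: `tls-san: true` is not a valid value for the k3s `tls-san` option, which takes one or more hostnames or IP addresses to add as Subject Alternative Names on the API server certificate; a boolean here is either rejected or ends up as the literal SAN "true". Given that the README rewrites `127.0.0.1` to the node address in the copied kubeconfig and the keyfile added in the previous hunk pins that address, the intended setting is presumably `tls-san:` followed by `  - 192.168.122.10` (k3s normally adds the node's own IP already, so this may be redundant but is harmless). The regenerated server.ign in this commit embeds the same config.yaml, so it needs to be re-rendered after the fix. The config.yaml block continues outside the hunk.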