From 3ba8394cac4a4cbe2109f855df2f2afb8571ff04 Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Thu, 17 Sep 2020 13:44:57 -0400
Subject: [PATCH] fix cert location and add k3os yaml
---
 .gitignore | 1 +
 etcd.md | 6 +--
 k3os.md | 94 +++++++++++++++++++++++++++++++++++++++++
 k3os1.yaml => k3os.yaml | 14 ++++--
 4 files changed, 108 insertions(+), 7 deletions(-)
 rename k3os1.yaml => k3os.yaml (78%)
diff --git a/.gitignore b/.gitignore
index b229014..53f633f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 certs
+config
\ No newline at end of file
diff --git a/etcd.md b/etcd.md
index 1e88ce6..592d32d 100644
--- a/etcd.md
+++ b/etcd.md
@@ -221,9 +221,9 @@ journalctl -u etcd -f
 ```bash
 scp etcd1:/certs/client.pem etcd1:/certs/client-key.pem etcd1:/certs/ca.pem certs
 export ETCDCTL_DIAL_TIMEOUT=3s;
-export ETCDCTL_CACERT=./certs/ca.pem;
-export ETCDCTL_CERT=./certs/client.pem;
-export ETCDCTL_KEY=./certs/client-key.pem;
+export ETCDCTL_CACERT=./certs/etcd/ca.pem;
+export ETCDCTL_CERT=./certs/etcd/client.pem;
+export ETCDCTL_KEY=./certs/etcd/client-key.pem;
 export ETCDCTL_ENDPOINTS=https://etcd1:2379,https://etcd2:2379,https://etcd3:2379;
 etcdctl put foo bar
 etcdctl get foo
diff --git a/k3os.md b/k3os.md
index 53accdd..329efed 100644
--- a/k3os.md
+++ b/k3os.md
@@ -1 +1,95 @@
 # K3OS
+
+## Install
+
+Install as normal with k3os.yaml as your base cloud config file
+
+## Config
+
+Copy and edit the config file
+
+```bash
+cp /k3os/system/config.yaml /var/lib/rancher/k3os/config.yaml
+```
+
+Create a folder to hold the certs
+
+```bash
+mkdir -p /var/lib/rancher/certs
+chown rancher:rancher /var/lib/rancher/certs
+
+scp -r certs/* k3os1:/var/lib/rancher/certs
+```
+
+Grab the certs for etcd and copy them to /certs
+
+```yaml
+ - "--datastore-endpoint=https://etcd1:2379,https://etcd2:2379,https://etcd3:2379"
+ - "--datastore-cafile=/var/lib/rancher/certs/ca.pem"
+ - "--datastore-certfile=/var/lib/rancher/certs/client.pem"
+ - "--datastore-keyfile=/var/lib/rancher/certs/client-key.pem"
+```
+
+Add the token
+
+```bash
+cat /var/lib/rancher/k3s/server/token
+```
+
+```yaml
+--token $token
+```
+
+## Install traefik
+
+See traefik project
+
+## Users
+
+Generate certs for a new user
+
+```bash
+export USER=
+
+openssl genrsa -out $USER.key 2048
+openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
+openssl x509 -req -in $USER.csr -CA ../kube/client-ca.crt -CAkey ../kube/client-ca.key -CAcreateserial -out $USER.crt -days 5000
+```
+
+Create namespace
+
+```bash
+export USER=
+
+kubectl create namespace $USER
+kubectl -n $USER create role $USER --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=deployments,daemonsets,pods,pods/exec,pods/log,pods/attach,services,secrets,configmaps,persistentvolumeclaims,endpoints,ingresses.extensions,ingresses.networking.k8s.io,ingressroutes.traefik.containo.us
+kubectl -n $USER create rolebinding -n $USER $USER --role=$USER --user=$USER
+```
+
+Copy certs
+
+```bash
+export SERVER=
+export USER=
+scp $SERVER:~/$USER/$USER.crt $SERVER:~/$USER/$USER.csr $SERVER:~/$USER/$USER.key certs/
+```
+
+Test a bunch of deploys
+
+```bash
+for i in {1..10}; do kubectl create deploy test$i --image=nginx; done;
+for i in {1..10}; do kubectl delete deploy test$i; done;
+```
+
+## NFS Storage
+
+```bash
+helm upgrade --install --kube-context k3os-admin \
+--set nfs.server=freenas \
+--set nfs.path=/mnt/nvme/kube \
+--set storageClass.name=nvme \
+--set storageClass.defaultClass=true \
+--set storageClass.allowVolumeExpansion=true \
+--set storageClass.archiveOnDelete=true \
+nvme stable/nfs-client-provisioner
+```
\ No newline at end of file
diff --git a/k3os1.yaml b/k3os.yaml
similarity index 78%
rename from k3os1.yaml
rename to k3os.yaml
index 5f03d25..f9d7976 100644
--- a/k3os1.yaml
+++ b/k3os.yaml
@@ -1,7 +1,11 @@
 ---
 boot_cmd:
 - "echo '127.0.0.1 hub.ducoterra.net' | tee --append /etc/hosts"
-hostname: k3os1
+run_cmd:
+ - "ip addr add 6.0.22.3/24 dev eth1"
+ - "ip link set dev eth0 up"
+ - "ip link set dev eth0 mtu 9014"
+hostname: k3os
 k3os:
 k3s_args:
 - server
@@ -17,12 +21,14 @@ ssh_authorized_keys:
 write_files:
 - content: |-
+ 6.0.22.1 mainframe
+ 6.0.22.2 freenas
 3.14.3.20 etcd1
 3.14.3.21 etcd2
 3.14.3.22 etcd3
- 3.14.3.23 kube1
- 3.14.3.24 kube2
- 3.14.3.25 kube3
+ 3.14.3.23 k3os1
+ 3.14.3.24 k3os2
+ 3.14.3.25 k3os3
 3.14.3.26 wg1
 3.14.3.27 wg2
 encoding: ""
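Review bot: `hostname: k3os` in the first k3os.yaml hunk matches none of the hosts entries the second hunk rewrites (`k3os1`, `k3os2`, `k3os3`), and k3os.md in the same commit still copies certs to `k3os1`, so the node's own name no longer resolves through the hosts file it writes; `hostname: k3os1` (or a per-node value) looks intended. The new `run_cmd` puts 6.0.22.3/24 on eth1 but brings up and raises the MTU of eth0, which may be deliberate but is worth a comment such as `# eth1: 6.0.22.0/24 address; eth0: link up + MTU 9014 (verify interface names per node)`. These commands run at boot with root privileges from a file that, judging by the `ssh_authorized_keys:` context of the second hunk, carries node credentials; if the k3s token lives here too it belongs under the `config` path this commit adds to .gitignore rather than in the committed yaml, which cannot be confirmed from the visible lines. The second k3os.yaml hunk runs past the end of the patch shown here.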