fix cert location and add k3os yaml

.gitignore

@@ -1 +1,2 @@
 certs
+config

etcd.md

@@ -221,9 +221,9 @@ journalctl -u etcd -f
 ```bash
 scp etcd1:/certs/client.pem etcd1:/certs/client-key.pem etcd1:/certs/ca.pem certs
 export ETCDCTL_DIAL_TIMEOUT=3s;
-export ETCDCTL_CACERT=./certs/ca.pem;
+export ETCDCTL_CACERT=./certs/etcd/ca.pem;
-export ETCDCTL_CERT=./certs/client.pem;
+export ETCDCTL_CERT=./certs/etcd/client.pem;
-export ETCDCTL_KEY=./certs/client-key.pem;
+export ETCDCTL_KEY=./certs/etcd/client-key.pem;
 export ETCDCTL_ENDPOINTS=https://etcd1:2379,https://etcd2:2379,https://etcd3:2379;
 etcdctl put foo bar
 etcdctl get foo

k3os.md

@@ -1 +1,95 @@
 # K3OS
+
+## Install
+
+Install as normal with k3os.yaml as your base cloud config file
+
+## Config
+
+Copy and edit the config file
+
+```bash
+cp /k3os/system/config.yaml /var/lib/rancher/k3os/config.yaml
+```
+
+Create a folder to hold the certs
+
+```bash
+mkdir -p /var/lib/rancher/certs
+chown rancher:rancher /var/lib/rancher/certs
+
+scp -r certs/* k3os1:/var/lib/rancher/certs
+```
+
+Grab the certs for etcd and copy them to /certs
+
+```yaml
+    - "--datastore-endpoint=https://etcd1:2379,https://etcd2:2379,https://etcd3:2379"
+    - "--datastore-cafile=/var/lib/rancher/certs/ca.pem"
+    - "--datastore-certfile=/var/lib/rancher/certs/client.pem"
+    - "--datastore-keyfile=/var/lib/rancher/certs/client-key.pem"
+```
+
+Add the token
+
+```bash
+cat /var/lib/rancher/k3s/server/token
+```
+
+```yaml
+--token $token
+```
+
+## Install traefik
+
+See traefik project
+
+## Users
+
+Generate certs for a new user
+
+```bash
+export USER=
+
+openssl genrsa -out $USER.key 2048
+openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
+openssl x509 -req -in $USER.csr -CA ../kube/client-ca.crt -CAkey ../kube/client-ca.key -CAcreateserial -out $USER.crt -days 5000
+```
+
+Create namespace
+
+```bash
+export USER=
+
+kubectl create namespace $USER
+kubectl -n $USER create role $USER --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=deployments,daemonsets,pods,pods/exec,pods/log,pods/attach,services,secrets,configmaps,persistentvolumeclaims,endpoints,ingresses.extensions,ingresses.networking.k8s.io,ingressroutes.traefik.containo.us
+kubectl -n $USER create rolebinding -n $USER $USER --role=$USER --user=$USER
+```
+
+Copy certs
+
+```bash
+export SERVER=
+export USER=
+scp $SERVER:~/$USER/$USER.crt  $SERVER:~/$USER/$USER.csr  $SERVER:~/$USER/$USER.key certs/
+```
+
+Test a bunch of deploys
+
+```bash
+for i in {1..10}; do kubectl create deploy test$i --image=nginx; done;
+for i in {1..10}; do kubectl delete deploy test$i; done;
+```
+
+## NFS Storage
+
+```bash
+helm upgrade --install --kube-context k3os-admin \
+--set nfs.server=freenas \
+--set nfs.path=/mnt/nvme/kube \
+--set storageClass.name=nvme \
+--set storageClass.defaultClass=true \
+--set storageClass.allowVolumeExpansion=true \
+--set storageClass.archiveOnDelete=true \
+nvme stable/nfs-client-provisioner
+```

k3os.yaml

@@ -1,7 +1,11 @@
 --- 
 boot_cmd: 
   - "echo '127.0.0.1 hub.ducoterra.net' | tee --append /etc/hosts"
-hostname: k3os1
+run_cmd:
+  - "ip addr add 6.0.22.3/24 dev eth1"
+  - "ip link set dev eth0 up"
+  - "ip link set dev eth0 mtu 9014"
+hostname: k3os
 k3os: 
   k3s_args: 
     - server
@@ -17,12 +21,14 @@ ssh_authorized_keys:
 write_files: 
   - 
     content: |-
+        6.0.22.1 mainframe
+        6.0.22.2 freenas
         3.14.3.20 etcd1
         3.14.3.21 etcd2
         3.14.3.22 etcd3
-        3.14.3.23 kube1
+        3.14.3.23 k3os1
-        3.14.3.24 kube2
+        3.14.3.24 k3os2
-        3.14.3.25 kube3
+        3.14.3.25 k3os3
         3.14.3.26 wg1
         3.14.3.27 wg2
     encoding: ""