commit e6e49a57db18dc20780d6d350cffeb4d9a7a9ef6
Author: ducoterra
Date: Tue Sep 8 22:06:16 2020 -0400
init
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b229014
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+certs
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e4ed31f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,59 @@
+# VM Managed Kubernetes
+
+## etcd
+
+3 debian VMs with etcd
+
+| Host | CPU | MEM | DISK | IP | VNC Port |
+| --------- | ----- | ------ | ------- | --------- | -------- |
+| etcd1 | 2 | 2G | 16G | 3.14.3.20 | 5920 |
+| etcd2 | 2 | 2G | 16G | 3.14.3.21 | 5921 |
+| etcd3 | 2 | 2G | 16G | 3.14.3.22 | 5922 |
+| **TOTAL** | **6** | **6G** | **48G** | | |
+
+## k3os
+
+3 k3os VMs
+
+| Host | CPU | MEM | DISK | IP | VNC Port |
+| --------- | ------ | ------- | ------- | --------- | -------- |
+| kube1 | 12 | 16G | 16G | 3.14.3.23 | 5923 |
+| kube2 | 12 | 16G | 16G | 3.14.3.24 | 5924 |
+| kube3 | 12 | 16G | 16G | 3.14.3.25 | 5925 |
+| **TOTAL** | **36** | **48G** | **48G** | | |
+
+## Wireguard
+
+2 debian VMs with wireguard and dnsmasq
+
+| Host | CPU | MEM | DISK | IP | VNC Port |
+| --------- | ----- | ------ | ------- | --------- | -------- |
+| wg1 | 2 | 2G | 16G | 3.14.3.26 | 5926 |
+| wg2 | 2 | 2G | 16G | 3.14.3.27 | 5927 |
+| **TOTAL** | **4** | **4G** | **32G** | | |
+
+## /etc/hosts
+
+```bash
+cat <> /etc/hosts
+3.14.3.20 etcd1
+3.14.3.21 etcd2
+3.14.3.22 etcd3
+3.14.3.23 kube1
+3.14.3.24 kube2
+3.14.3.25 kube3
+3.14.3.26 wg1
+3.14.3.27 wg2
+EOF
+```
+
+## UEFI Boot Issues
+
+1. When on UEFI Interactive Shell; type: exit
+1. In the EFI menu system navigate to "Boot Maintenance Manager"
+1. Select "Boot from file"
+1. Locate and select your grubx64.efi file
+1. When in terminal:
+1. $ sudo mkdir /boot/efi/EFI/BOOT
+1. $ sudo cp /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/BOOT/bootx64.efi
+1. $ reboot
\ No newline at end of file
diff --git a/etcd.md b/etcd.md
new file mode 100644
index 0000000..1e88ce6
--- /dev/null
+++ b/etcd.md
@@ -0,0 +1,232 @@
+# ETCD Config and Testing
+
+## Config
+
+### /etc/hosts
+
+```bash
+cat <> /etc/hosts
+3.14.3.20 etcd1
+3.14.3.21 etcd2
+3.14.3.22 etcd3
+3.14.3.23 kube1
+3.14.3.24 kube2
+3.14.3.25 kube3
+3.14.3.26 wg1
+3.14.3.27 wg2
+EOF
+```
+
+### Generate Certs
+
+Pick one server to act as the CA.
+
+Install make
+
+```bash
+apt install -y make gcc git
+```
+
+Install [go](https://golang.org/doc/install)
+
+```bash
+tar -C /usr/local -xzf go...
+rm go...
+
+cat <> ~/.bashrc
+export PATH=$PATH:/usr/local/go/bin
+EOF
+
+source ~/.bashrc
+```
+
+Install [cfssl](https://github.com/cloudflare/cfssl)
+
+```bash
+git clone https://github.com/cloudflare/cfssl
+cd cfssl
+make -j 2
+cp bin/cfssl bin/cfssljson /usr/local/bin/
+cd ..
+rm -r cfssl
+```
+
+Create templates
+
+```bash
+mkdir ~/.cfssl
+cd ~/.cfssl
+
+cat < ca-config.json
+{
+ "signing": {
+ "default": {
+ "usages": [
+ "signing",
+ "key encipherment",
+ "server auth",
+ "client auth"
+ ],
+ "expiry": "876000h"
+ }
+ }
+}
+EOF
+
+cat < ca-csr.json
+{
+ "CN": "etcd",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "O": "autogenerated",
+ "OU": "etcd cluster",
+ "L": "duconet"
+ }
+ ]
+}
+EOF
+
+cat < req-csr.json
+{
+ "CN": "etcd",
+ "hosts": [
+ "etcd1",
+ "etcd2",
+ "etcd3",
+ "localhost"
+ ],
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "O": "autogenerated",
+ "OU": "etcd cluster",
+ "L": "duconet"
+ }
+ ]
+}
+EOF
+```
+
+Generate CA:
+
+```bash
+mkdir -p /certs
+cfssl gencert -initca ca-csr.json | cfssljson -bare /certs/ca
+```
+
+Generate a Peer and Client Cert:
+
+```bash
+cfssl gencert \
+ -ca /certs/ca.pem \
+ -ca-key /certs/ca-key.pem \
+ -config ca-config.json \
+ req-csr.json | cfssljson -bare /certs/client
+
+cfssl gencert \
+ -ca /certs/ca.pem \
+ -ca-key /certs/ca-key.pem \
+ -config ca-config.json \
+ req-csr.json | cfssljson -bare /certs/etcd1
+
+cfssl gencert \
+ -ca /certs/ca.pem \
+ -ca-key /certs/ca-key.pem \
+ -config ca-config.json \
+ req-csr.json | cfssljson -bare /certs/etcd2
+
+cfssl gencert \
+ -ca /certs/ca.pem \
+ -ca-key /certs/ca-key.pem \
+ -config ca-config.json \
+ req-csr.json | cfssljson -bare /certs/etcd3
+
+# Run this on every node
+useradd etcd
+usermod -aG etcd ducoterra
+mkdir -p /certs
+chown -R etcd:etcd /certs
+chmod 770 /certs
+
+scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/etcd2-key.pem /certs/etcd2.pem etcd2:/certs/
+
+scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/etcd3-key.pem /certs/etcd3.pem etcd3:/certs/
+
+chown -R etcd:etcd /certs
+chmod 600 /certs/*
+```
+
+## Install ETCD
+
+[Download the latest version](https://github.com/etcd-io/etcd/releases)
+
+```bash
+tar xf $(find . -maxdepth 1 -name etcd*)
+cp $(find . -maxdepth 1 -type d -name "etcd*")/etcd $(find . -maxdepth 1 -type d -name "etcd*")/etcdctl /usr/local/bin/
+chmod +x /usr/local/bin/etcd /usr/local/bin/etcdctl
+echo 'export ETCD_IP=etcd1' >> ~/.bashrc
+echo 'export ETCD_NAME=etcd1' >> ~/.bashrc
+source ~/.bashrc
+mkdir -p /var/lib/etcd
+chown -R etcd:etcd /var/lib/etcd
+chmod -R 700 /var/lib/etcd
+
+cat < /etc/systemd/system/etcd.service
+[Unit]
+Description=etcd service
+Documentation=https://github.com/etcd-io/etcd
+After=network.target
+
+[Service]
+User=etcd
+Type=notify
+Environment=ETCD_DATA_DIR=/var/lib/etcd/$ETCD_NAME
+Environment=ETCD_NAME=$ETCD_NAME
+Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$ETCD_IP:2380
+Environment=ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
+Environment=ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
+Environment=ETCD_ADVERTISE_CLIENT_URLS=https://$ETCD_IP:2379
+Environment=ETCD_INITIAL_CLUSTER_TOKEN=pi-cluster-1
+Environment=ETCD_INITIAL_CLUSTER="etcd1=https://etcd1:2380,etcd2=https://etcd2:2380,etcd3=https://etcd3:2380"
+Environment=ETCD_INITIAL_CLUSTER_STATE=new
+Environment=ETCD_TRUSTED_CA_FILE=/certs/ca.pem
+Environment=ETCD_CERT_FILE=/certs/client.pem
+Environment=ETCD_KEY_FILE=/certs/client-key.pem
+Environment=ETCD_PEER_TRUSTED_CA_FILE=/certs/ca.pem
+Environment=ETCD_PEER_CERT_FILE=/certs/$ETCD_NAME.pem
+Environment=ETCD_PEER_KEY_FILE=/certs/$ETCD_NAME-key.pem
+ExecStart=/usr/local/bin/etcd --client-cert-auth --peer-client-cert-auth
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=40000
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl start etcd
+systemctl enable etcd
+journalctl -u etcd -f
+```
+
+## Testing
+
+```bash
+scp etcd1:/certs/client.pem etcd1:/certs/client-key.pem etcd1:/certs/ca.pem certs
+export ETCDCTL_DIAL_TIMEOUT=3s;
+export ETCDCTL_CACERT=./certs/ca.pem;
+export ETCDCTL_CERT=./certs/client.pem;
+export ETCDCTL_KEY=./certs/client-key.pem;
+export ETCDCTL_ENDPOINTS=https://etcd1:2379,https://etcd2:2379,https://etcd3:2379;
+etcdctl put foo bar
+etcdctl get foo
+while true; do etcdctl put foo $(( ( RANDOM % 1000 ) + 1 )) && etcdctl get foo; done;
+etcdctl del "" --from-key=true
+```
\ No newline at end of file
diff --git a/k3os.md b/k3os.md
new file mode 100644
index 0000000..53accdd
--- /dev/null
+++ b/k3os.md
@@ -0,0 +1 @@
+# K3OS
diff --git a/k3os1.yaml b/k3os1.yaml
new file mode 100644
index 0000000..fc56b8c
--- /dev/null
+++ b/k3os1.yaml
@@ -0,0 +1,15 @@
+hostname: k3os1
+ssh_authorized_keys:
+ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFb/p/AdaQMlWqUNlE3NdSiX8Wxpr2q4gmsW/h/IbC2uU47VynMK5NZjZs00+HTRRg6LSj42zF9Q6zxn2RCoG0WGvU7c9JJbmnr9OB+TWg+0vBK0Ic9p5or5pMLE7OGRMiNwvIxmNXyBEH7m1VIz+Z2iiuOtNeicSOa8nTtz7mt+fQX6rCpolekFFbi+Hraq/wI9EDZO3FqWISEkHkLbYhwJS87PYkqIiuLqZhYahx7KtYcfVMpPuYy6Wjtd8enTT7FWHaeU9YkDtLF0XhDQOAWAvfpz0xfmsl2obzLJ5KMMlhCMz9FPfuglxnFy8X7QsnZ2KdVjwu6QcYlULFWBxt ducoterra@DucoBook.local"
+boot_cmd:
+ - "echo '127.0.0.1 hub.ducoterra.net' | tee --append /etc/hosts"
+k3os:
+ k3s_args:
+ - server
+ - "--disable"
+ - "traefik"
+ - "--disable"
+ - "local-storage"
+ ntp_servers:
+ - 0.us.pool.ntp.org
+ - 1.us.pool.ntp.org
\ No newline at end of file
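Review bot: The `boot_cmd` entry in k3os1.yaml, `echo '127.0.0.1 hub.ducoterra.net' | tee --append /etc/hosts`, is not idempotent; if k3os runs boot_cmd on every boot, as the key name suggests, /etc/hosts gains one duplicate line per reboot. Guarding it keeps the file stable: `grep -q 'hub.ducoterra.net' /etc/hosts || echo '127.0.0.1 hub.ducoterra.net' >> /etc/hosts`. Two points also deserve a comment in the file: the hostname is `k3os1` while README.md names the k3os nodes kube1–kube3, and `k3s_args` carries no `--datastore-endpoint`, so this server appears to run on k3s's default embedded datastore rather than the three-node etcd cluster that etcd.md builds. If the external etcd is intended, the endpoint and the client certificate paths (`--datastore-cafile`, `--datastore-certfile`, `--datastore-keyfile`) would need to be listed here; I cannot see the other node configs, so this may be handled elsewhere.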