init

2020-09-08 22:06:16 -04:00
commit e6e49a57db
5 changed files with 308 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
 certs
--- a/README.md
+++ b/README.md
@@ -0,0 +1,59 @@
 # VM Managed Kubernetes
 ## etcd
 3 debian VMs with etcd
 | Host      | CPU   | MEM    | DISK    | IP        | VNC Port |
 | --------- | ----- | ------ | ------- | --------- | -------- |
 | etcd1     | 2     | 2G     | 16G     | 3.14.3.20 | 5920     |
 | etcd2     | 2     | 2G     | 16G     | 3.14.3.21 | 5921     |
 | etcd3     | 2     | 2G     | 16G     | 3.14.3.22 | 5922     |
 | **TOTAL** | **6** | **6G** | **48G** |           |          |
 ## k3os
 3 k3os VMs
 | Host      | CPU    | MEM     | DISK    | IP        | VNC Port |
 | --------- | ------ | ------- | ------- | --------- | -------- |
 | kube1     | 12     | 16G     | 16G     | 3.14.3.23 | 5923     |
 | kube2     | 12     | 16G     | 16G     | 3.14.3.24 | 5924     |
 | kube3     | 12     | 16G     | 16G     | 3.14.3.25 | 5925     |
 | **TOTAL** | **36** | **48G** | **48G** |           |          |
 ## Wireguard
 2 debian VMs with wireguard and dnsmasq
 | Host      | CPU   | MEM    | DISK    | IP        | VNC Port |
 | --------- | ----- | ------ | ------- | --------- | -------- |
 | wg1       | 2     | 2G     | 16G     | 3.14.3.26 | 5926     |
 | wg2       | 2     | 2G     | 16G     | 3.14.3.27 | 5927     |
 | **TOTAL** | **4** | **4G** | **32G** |           |          |
 ## /etc/hosts
 ```bash
 cat <<EOF >> /etc/hosts
 3.14.3.20 etcd1
 3.14.3.21 etcd2
 3.14.3.22 etcd3
 3.14.3.23 kube1
 3.14.3.24 kube2
 3.14.3.25 kube3
 3.14.3.26 wg1
 3.14.3.27 wg2
 EOF
 ```
 ## UEFI Boot Issues
 1. When on UEFI Interactive Shell; type: exit
 1. In the EFI menu system navigate to "Boot Maintenance Manager"
 1. Select "Boot from file"
 1. Locate and select your grubx64.efi file
 1. When in terminal:
 1. $ sudo mkdir /boot/efi/EFI/BOOT
 1. $ sudo cp /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/BOOT/bootx64.efi
 1. $ reboot
--- a/etcd.md
+++ b/etcd.md
@@ -0,0 +1,232 @@
 # ETCD Config and Testing
 ## Config
 ### /etc/hosts
 ```bash
 cat <<EOF >> /etc/hosts
 3.14.3.20 etcd1
 3.14.3.21 etcd2
 3.14.3.22 etcd3
 3.14.3.23 kube1
 3.14.3.24 kube2
 3.14.3.25 kube3
 3.14.3.26 wg1
 3.14.3.27 wg2
 EOF
 ```
 ### Generate Certs
 Pick one server to act as the CA.
 Install make
 ```bash
 apt install -y make gcc git
 ```
 Install [go](https://golang.org/doc/install)
 ```bash
 tar -C /usr/local -xzf go...
 rm go...
 cat <<EOF >> ~/.bashrc 
 export PATH=$PATH:/usr/local/go/bin
 EOF
 source ~/.bashrc
 ```
 Install [cfssl](https://github.com/cloudflare/cfssl)
 ```bash
 git clone https://github.com/cloudflare/cfssl
 cd cfssl
 make -j 2
 cp bin/cfssl bin/cfssljson /usr/local/bin/
 cd ..
 rm -r cfssl
 ```
 Create templates
 ```bash
 mkdir ~/.cfssl
 cd ~/.cfssl
 cat <<EOF > ca-config.json
 {
  "signing": {
    "default": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "876000h"
    }
  }
 }
 EOF
 cat <<EOF > ca-csr.json
 {
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "autogenerated",
      "OU": "etcd cluster",
      "L": "duconet"
    }
  ]
 }
 EOF
 cat <<EOF > req-csr.json
 {
  "CN": "etcd",
  "hosts": [
    "etcd1",
    "etcd2",
    "etcd3",
    "localhost"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "O": "autogenerated",
      "OU": "etcd cluster",
      "L": "duconet"
    }
  ]
 }
 EOF
 ```
 Generate CA:
 ```bash
 mkdir -p /certs
 cfssl gencert -initca ca-csr.json | cfssljson -bare /certs/ca
 ```
 Generate a Peer and Client Cert:
 ```bash
 cfssl gencert \
  -ca /certs/ca.pem \
  -ca-key /certs/ca-key.pem \
  -config ca-config.json \
  req-csr.json | cfssljson -bare /certs/client
 cfssl gencert \
  -ca /certs/ca.pem \
  -ca-key /certs/ca-key.pem \
  -config ca-config.json \
  req-csr.json | cfssljson -bare /certs/etcd1
 cfssl gencert \
  -ca /certs/ca.pem \
  -ca-key /certs/ca-key.pem \
  -config ca-config.json \
  req-csr.json | cfssljson -bare /certs/etcd2
 cfssl gencert \
  -ca /certs/ca.pem \
  -ca-key /certs/ca-key.pem \
  -config ca-config.json \
  req-csr.json | cfssljson -bare /certs/etcd3
 # Run this on every node
 useradd etcd
 usermod -aG etcd ducoterra
 mkdir -p /certs
 chown -R etcd:etcd /certs
 chmod 770 /certs
 scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/etcd2-key.pem /certs/etcd2.pem etcd2:/certs/
 scp /certs/ca.pem /certs/client-key.pem /certs/client.pem /certs/etcd3-key.pem /certs/etcd3.pem etcd3:/certs/
 chown -R etcd:etcd /certs
 chmod 600 /certs/*
 ```
 ## Install ETCD
 [Download the latest version](https://github.com/etcd-io/etcd/releases)
 ```bash
 tar xf $(find . -maxdepth 1 -name etcd*)
 cp $(find . -maxdepth 1 -type d -name "etcd*")/etcd $(find . -maxdepth 1 -type d -name "etcd*")/etcdctl /usr/local/bin/
 chmod +x /usr/local/bin/etcd /usr/local/bin/etcdctl
 echo 'export ETCD_IP=etcd1' >> ~/.bashrc
 echo 'export ETCD_NAME=etcd1' >> ~/.bashrc
 source ~/.bashrc
 mkdir -p /var/lib/etcd
 chown -R etcd:etcd /var/lib/etcd
 chmod -R 700 /var/lib/etcd
 cat <<EOF > /etc/systemd/system/etcd.service
 [Unit]
 Description=etcd service
 Documentation=https://github.com/etcd-io/etcd 
 After=network.target
 [Service]
 User=etcd
 Type=notify
 Environment=ETCD_DATA_DIR=/var/lib/etcd/$ETCD_NAME
 Environment=ETCD_NAME=$ETCD_NAME
 Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=https://$ETCD_IP:2380
 Environment=ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
 Environment=ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
 Environment=ETCD_ADVERTISE_CLIENT_URLS=https://$ETCD_IP:2379
 Environment=ETCD_INITIAL_CLUSTER_TOKEN=pi-cluster-1
 Environment=ETCD_INITIAL_CLUSTER="etcd1=https://etcd1:2380,etcd2=https://etcd2:2380,etcd3=https://etcd3:2380"
 Environment=ETCD_INITIAL_CLUSTER_STATE=new
 Environment=ETCD_TRUSTED_CA_FILE=/certs/ca.pem
 Environment=ETCD_CERT_FILE=/certs/client.pem
 Environment=ETCD_KEY_FILE=/certs/client-key.pem
 Environment=ETCD_PEER_TRUSTED_CA_FILE=/certs/ca.pem
 Environment=ETCD_PEER_CERT_FILE=/certs/$ETCD_NAME.pem
 Environment=ETCD_PEER_KEY_FILE=/certs/$ETCD_NAME-key.pem
 ExecStart=/usr/local/bin/etcd --client-cert-auth --peer-client-cert-auth
 Restart=on-failure
 RestartSec=5
 LimitNOFILE=40000
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl start etcd
 systemctl enable etcd
 journalctl -u etcd -f
 ```
 ## Testing
 ```bash
 scp etcd1:/certs/client.pem etcd1:/certs/client-key.pem etcd1:/certs/ca.pem certs
 export ETCDCTL_DIAL_TIMEOUT=3s;
 export ETCDCTL_CACERT=./certs/ca.pem;
 export ETCDCTL_CERT=./certs/client.pem;
 export ETCDCTL_KEY=./certs/client-key.pem;
 export ETCDCTL_ENDPOINTS=https://etcd1:2379,https://etcd2:2379,https://etcd3:2379;
 etcdctl put foo bar
 etcdctl get foo
 while true; do etcdctl put foo $(( ( RANDOM % 1000 )  + 1 )) && etcdctl get foo; done;
 etcdctl del "" --from-key=true
 ```
--- a/k3os.md
+++ b/k3os.md
@@ -0,0 +1 @@
 # K3OS
--- a/k3os1.yaml
+++ b/k3os1.yaml
@@ -0,0 +1,15 @@
 hostname: k3os1
 ssh_authorized_keys:
  - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFb/p/AdaQMlWqUNlE3NdSiX8Wxpr2q4gmsW/h/IbC2uU47VynMK5NZjZs00+HTRRg6LSj42zF9Q6zxn2RCoG0WGvU7c9JJbmnr9OB+TWg+0vBK0Ic9p5or5pMLE7OGRMiNwvIxmNXyBEH7m1VIz+Z2iiuOtNeicSOa8nTtz7mt+fQX6rCpolekFFbi+Hraq/wI9EDZO3FqWISEkHkLbYhwJS87PYkqIiuLqZhYahx7KtYcfVMpPuYy6Wjtd8enTT7FWHaeU9YkDtLF0XhDQOAWAvfpz0xfmsl2obzLJ5KMMlhCMz9FPfuglxnFy8X7QsnZ2KdVjwu6QcYlULFWBxt ducoterra@DucoBook.local"
 boot_cmd:
  - "echo '127.0.0.1 hub.ducoterra.net' | tee --append /etc/hosts"
 k3os:
  k3s_args:
  - server
  - "--disable"
  - "traefik"
  - "--disable"
  - "local-storage"
  ntp_servers:
  - 0.us.pool.ntp.org
  - 1.us.pool.ntp.org