Update metallb configmap to custom resource

active/software_k0s/k0s.md

@@ -1,12 +1,39 @@
 # K0s
 
+- [K0s](#k0s)
+  - [Install Single Node Cluster](#install-single-node-cluster)
+  - [Install Multi Node Cluster](#install-multi-node-cluster)
+  - [Uninstall](#uninstall)
+  - [Install Metallb](#install-metallb)
+    - [Uninstall Metallb](#uninstall-metallb)
+  - [Install OpenEBS](#install-openebs)
+
 ## Install Single Node Cluster
 
 <https://docs.k0sproject.io/v0.11.0/k0s-single-node/>
 
 ```bash
-# Allow all traffic in
-firewall-cmd --set-default-zone=trusted
+# Trust traffic on podCIDR and serviceCIDR subnets
+firewall-cmd --permanent --zone=trusted \
+--add-source=10.244.0.0/16 \
+--add-source=10.96.0.0/12
+
+# Set default zone to drop packets
+firewall-cmd --set-default-zone=drop
+
+# Allow k0s ports
+firewall-cmd --permanent --zone=drop \
+--add-port=22/tcp \
+--add-port=6443/tcp \
+--add-port=179/tcp \
+--add-port=4789/udp \
+--add-port=10250/tcp \
+--add-port=9443/tcp \
+--add-port=8132/tcp \
+--add-port=112/tcp
+
+# Apply firewall
+firewall-cmd --reload
 
 # Install k0s cli
 curl -sSLf https://get.k0s.sh | sudo sh
@@ -15,7 +42,7 @@ curl -sSLf https://get.k0s.sh | sudo sh
 k0s config create > k0s.yaml
 
 # Install single node cluster controller/node
-k0s install controller -c k0s.yaml --enable-worker
+k0s install controller -c k0s.yaml --enable-worker --no-taints
 
 # Start and enable the service
 systemctl enable --now k0scontroller
@@ -39,8 +66,22 @@ kubectl edit node
 Install the controller on the controller machine
 
 ```bash
-# Allow all traffic in
-firewall-cmd --set-default-zone=trusted
+# Set default zone to drop packets
+firewall-cmd --set-default-zone=drop
+
+# Allow k0s ports
+firewall-cmd --permanent --zone=drop \
+--add-port=22/tcp \
+--add-port=6443/tcp \
+--add-port=179/tcp \
+--add-port=4789/udp \
+--add-port=10250/tcp \
+--add-port=9443/tcp \
+--add-port=8132/tcp \
+--add-port=112/tcp
+
+# Apply firewall
+firewall-cmd --reload
 
 # Install k0s cli
 curl -sSLf https://get.k0s.sh | sudo sh
@@ -70,8 +111,13 @@ k0s token create --role=worker > worker0-token
 Now on the worker machine, install the worker
 
 ```bash
-# Allow all traffic in
-firewall-cmd --set-default-zone=trusted
+# Trust traffic on podCIDR and serviceCIDR subnets
+firewall-cmd --permanent --zone=trusted \
+--add-source=10.244.0.0/16 \
+--add-source=10.96.0.0/12
+
+# Apply firewall
+firewall-cmd --reload
 
 # On the operator, copy the token file from the controller to the worker
 scp vm-k0s-controller:worker0-token vm-k0s-worker:token-file
@@ -105,20 +151,45 @@ reboot
 1. Create a VLAN with a dedicated subnet for Metallb. Disable DHCP.
 2. Attach this new VLAN to your worker nodes
 3. Assign the worker nodes an address within the created network.
-4. Install Metallb. Check `active/software_k0s/metallb-configmap.yaml` before proceeding.
+4. Install Metallb. Check `active/software_k0s/metallb-address-pool.yaml` before proceeding.
 
 ```bash
 kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/namespace.yaml
 kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/metallb.yaml
 
-kubectl apply -f active/software_k0s/metallb-configmap.yaml
+kubectl apply -f active/software_k0s/metallb-address-pool.yaml
 ```
 
 ### Uninstall Metallb
 
 ```bash
-kubectl delete -f active/software_k0s/metallb-configmap.yaml
+kubectl delete -f active/software_k0s/metallb-address-pool.yaml
 
 kubectl delete -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/metallb.yaml
 kubectl delete -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/namespace.yaml
 ```
+
+## Install OpenEBS
+
+<https://docs.k0sproject.io/stable/examples/openebs/>
+
+Add the openebs extension
+
+```yaml
+extensions:
+    helm:
+      repositories:
+      - name: openebs-internal
+        url: https://openebs.github.io/charts
+      charts:
+      - name: openebs
+        chartname: openebs-internal/openebs
+        version: "3.9.0"
+        namespace: openebs
+        order: 1
+        values: |
+          localprovisioner:
+            hostpathClass:
+              enabled: true
+              isDefaultClass: false
+```

active/software_k0s/metallb-address-pool.yaml

@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: first-pool
+  namespace: metallb-system
+spec:
+  addresses:
+    - 192.168.123.100-192.168.123.254

active/software_k0s/metallb-configmap.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  namespace: metallb-system
-  name: config
-data:
-  config: |
-    address-pools:
-    - name: default
-      protocol: layer2
-      addresses:
-      - 192.168.123.100-192.168.123.254