services/k3s
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add more details

Browse Source
This commit is contained in:
ducoterra
2020-08-17 10:47:28 -04:00
parent ab1b20620f
commit 1009e24f1d
1 changed files with 84 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
README.md
View File

@@ -2,48 +2,69 @@
## Raspberry Pi ## Raspberry Pi
Enable cgroups by adding the following to the end of /boot/cmdline.txt ### Set static DNS
For the love of god do this before anything else. Your pods depend on it.
```bash ```bash
cgroup_memory=1 cgroup_enable=memory echo 'static domain_name_servers=1.1.1.1 1.0.0.1' >> /etc/dhcpcd.conf
service dhcpcd restart
``` ```
Enable legacy iptables ### Wait for network at boot
Because so many services rely on proper mounting of nfs you should really wait for network at boot:
```bash ```bash
sudo iptables -F raspi-config
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy > boot
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy > Wait for network
sudo reboot
``` ```
Install k3s on our sacrificial server (assuming you have etcd configured) ### Install K3s
Enable cgroups and legacy iptables
```bash ```bash
curl -sfL https://get.k3s.io | sh -s - server \ echo "$(cat /boot/cmdline.txt) cgroup_memory=1 cgroup_enable=memory" > /boot/cmdline.txt
--datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \ iptables -F
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
reboot
```
Install k3s on our lead server (assuming you have etcd configured) to generate token and certs
```bash
curl -sfL https://get.k3s.io | sh -s -
systemctl stop k3s
export token=$(cat /var/lib/rancher/k3s/server/node-token)
curl -sfL https://get.k3s.io | sh -s - \
--datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.103:2379,https://3.14.3.107:2379 \
--datastore-cafile=/certs/ca.pem \ --datastore-cafile=/certs/ca.pem \
--datastore-certfile=/certs/client.pem \ --datastore-certfile=/certs/client.pem \
--datastore-keyfile=/certs/client-key.pem \ --datastore-keyfile=/certs/client-key.pem \
--token $token
journalctl -u k3s -f
``` ```
Join worker node (token located at /var/lib/rancher/k3s/server/node-token) Join worker node (token located at /var/lib/rancher/k3s/server/node-token)
```bash ```bash
export token=<token> export token=<token>
curl -sfL https://get.k3s.io | sh -s - server \ curl -sfL https://get.k3s.io | sh -s - \
--datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \ --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.103:2379,https://3.14.3.107:2379 \
--datastore-cafile=/certs/ca.pem \ --datastore-cafile=/certs/ca.pem \
--datastore-certfile=/certs/client.pem \ --datastore-certfile=/certs/client.pem \
--datastore-keyfile=/certs/client-key.pem \ --datastore-keyfile=/certs/client-key.pem \
--token $token \ --token $token
--server https://3.14.3.107
``` ```
Generate certs for a new user Generate certs for a new user
```bash ```bash
export USER=<username> export USER=
mkdir $USER mkdir $USER
cd $USER cd $USER
openssl genrsa -out $USER.key 2048 openssl genrsa -out $USER.key 2048
@@ -51,13 +72,57 @@ openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
sudo openssl x509 -req -in $USER.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out $USER.crt -days 5000 sudo openssl x509 -req -in $USER.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out $USER.crt -days 5000
sudo chown pi:pi $USER.crt sudo chown pi:pi $USER.crt
sudo kubectl create namespace $USER sudo kubectl create namespace $USER
sudo kubectl -n $USER create role $USER --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=deployments,pods,pods/exec,pods/log,pods/attach,services,ingresses,secrets,configmaps,persistentvolumeclaims sudo kubectl -n $USER create role $USER --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=deployments,daemonsets,pods,pods/exec,pods/log,pods/attach,services,secrets,configmaps,persistentvolumeclaims,endpoints,ingresses.extensions,ingresses.networking.k8s.io
sudo kubectl -n $USER create rolebinding -n ducoterra $USER --role=$USER --user=$USER sudo kubectl -n $USER create rolebinding -n $USER $USER --role=$USER --user=$USER
sudo kubectl create clusterrole volume --verb=get,list,create,update,patch,watch,delete,deletecollection --resource=persistentvolumes
sudo kubectl create clusterrolebinding --role=volume --user=$USER
```
Copy certs
```bash
export SERVER=
export USER=
scp $SERVER:~/$USER/$USER.crt $SERVER:~/$USER/$USER.csr $SERVER:~/$USER/$USER.key certs/
``` ```
Test a bunch of deploys Test a bunch of deploys
```bash ```bash
for i in {1..100}; do kubectl create deploy test$i --image=nginx; done; for i in {1..10}; do kubectl create deploy test$i --image=nginx; done;
for i in {1..100}; do kubectl delete deploy test$i; done; for i in {1..10}; do kubectl delete deploy test$i; done;
``` ```
To uninstall
```bash
/usr/local/bin/k3s-uninstall.sh
```
### Install Docker
```bash
curl -sSL https://get.docker.com | sh
sudo usermod -aG docker pi
docker run hello-world
sudo apt-get install -y libffi-dev libssl-dev
sudo apt-get install -y python3 python3-pip
sudo apt-get remove python-configparser
sudo pip3 -v install docker-compose
```
### Add NFS for local-storage
Disable local-path:
```bash
echo 'freenas:/mnt/enc0/pi /var/lib/rancher/k3s/storage nfs noexec,nosuid,nofail 0 0' >> /etc/fstab
mkdir -p /var/lib/rancher/k3s/storage
mount -a
```
### Pihole password
```bash
echo $(kubectl get secret pihole --output=jsonpath='{.data.WEBPASSWORD}' | base64 --decode)
```