From 74e2e51f721e8bd28e4c5d0e9dac797ff09a764c Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Wed, 12 Aug 2020 10:50:08 -0400
Subject: [PATCH] init
---
.gitignore | 1 +
README.md | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 65 insertions(+)
create mode 100644 .gitignore
create mode 100644 README.md
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a2661ad
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+certs/
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..858a852
--- /dev/null
+++ b/README.md
@@ -0,0 +1,64 @@
+# K3S
+
+## Raspberry Pi
+
+Enable cgroups
+
+```bash
+sudo vim /boot/cmdline.txt
+
+... cgroup_memory=1 cgroup_enable=memory
+```
+
+Enable legacy iptables
+
+```bash
+sudo iptables -F
+sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
+sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+sudo reboot
+```
+
+Install k3s on our sacrificial server
+
+```bash
+curl -sfL https://get.k3s.io | sh -s - server \
+ --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
+ --datastore-cafile=/certs/ca.pem \
+ --datastore-certfile=/certs/client.pem \
+ --datastore-keyfile=/certs/client-key.pem \
+```
+
+Join worker node (token located at /var/lib/rancher/k3s/server/node-token)
+
+```bash
+export token=
+curl -sfL https://get.k3s.io | sh -s - server \
+ --datastore-endpoint=https://3.14.3.102:2379,https://3.14.3.107:2379,https://3.14.3.103:2379 \
+ --datastore-cafile=/certs/ca.pem \
+ --datastore-certfile=/certs/client.pem \
+ --datastore-keyfile=/certs/client-key.pem \
+ --token $token \
+ --server https://3.14.3.107
+```
+
+Test a bunch of deploys
+
+```bash
+for i in {1..100}; do kubectl create deploy test$i --image=nginx & done;
+for i in {1..100}; do kubectl delete deploy test$i & done;
+```
+
+Generate certs
+
+```bash
+export USER=
+mkdir $USER
+cd $USER
+openssl genrsa -out $USER.key 2048
+openssl req -new -key $USER.key -out $USER.csr -subj "/CN=$USER/O=user"
+sudo openssl x509 -req -in $USER.csr -CA /var/lib/rancher/k3s/server/tls/client-ca.crt -CAkey /var/lib/rancher/k3s/server/tls/client-ca.key -CAcreateserial -out $USER.crt -days 5000
+sudo chown pi:pi $USER.crt
+sudo kubectl create role $USER --verb=* --resource=deployments,pods,pods/exec,pods/log,pods/attach,services,ingresses,ingressroutes,secrets,configmaps,persistentvolumeclaims
+sudo kubectl create rolebinding $USER --role=$USER --user=$USER
+```
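Review bot: The "Generate certs" block signs a client certificate with `-days 5000` and binds it to a role with `--verb=*` over `secrets`, `pods/exec` and `pods/attach`; Kubernetes has no revocation for client certificates, so a leaked `$USER.key` stays usable until the rolebinding is deleted or the client CA is rotated. I would shorten the lifetime (for example `-days 90`), replace `*` with the verbs the user actually needs, and drop `secrets` and `pods/exec` unless they are required; the text should also say which namespace the role lands in, since neither `kubectl create` line passes `--namespace`. The same block reuses the login variable via `export USER=` and expands it unquoted, so a dedicated name such as `K8S_USER`, written as `"$K8S_USER"`, avoids clobbering the shell's own value and an empty `mkdir`/`cd`. Separately, both install blocks pipe `https://get.k3s.io` straight into `sh` without pinning a release (`INSTALL_K3S_VERSION` exists for that), and the first one ends on a dangling `\` after `--datastore-keyfile`.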