Merge branch 'master' of code.ungleich.ch:ungleich-public/ungleich-k8s

README.md

@@ -231,6 +231,17 @@ While above is already a fully running k8s cluster, we do want to have
 support for **PersistentVolumeclaims**. See [the rook
 documentation](rook/README.md) on how to achieve the next step.
 
+## High available control plan
+
+Above steps result in a single control plane node, however for
+production setups, three nodes should be in the control plane.
+
+The [guide for creating HA
+clusters](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/)
+referes to an external load balancer that
+
+
+
 ## The IPv4 "problem"
 
 * Clusters are IPv6 only

alpine-linux/README.md

@@ -0,0 +1,3 @@
+* Alpine Linux does not mark /run or /sys as shared
+* Deploy mount-shared in /etc/init.d
+* Execute `rc-update add mount-shared`

alpine-linux/mount-shared

@@ -0,0 +1,12 @@
+#!/sbin/openrc-run
+
+depend()
+{
+	after sysfs
+}
+
+start()
+{
+	mount --make-shared /run
+	mount --make-shared /sys
+}

k8s/c0/README.md

@@ -0,0 +1,41 @@
+## c0.k8s.ooo
+
+Base cluster for managing other clusters.
+
+## Bootstrap Control Plane
+
+* apu1: `kubeadm init --config k8s/c0/kubeadm.yaml  --upload-certs`
+* apu2: `kubeadm join api.c0.k8s.ooo:6443 ...`
+* apu3: `kubeadm join api.c0.k8s.ooo:6443 ...`
+
+Removing taints, self contained cluster:
+
+```
+kubectl taint nodes --all node-role.kubernetes.io/master-
+```
+
+## Bootstrapping networking
+
+```
+mount --make-shared /sys
+mount --make-shared /run
+kubectl apply -f v3-calico/calico.yaml
+kubectl apply -f https://docs.projectcalico.org/manifests/calicoctl.yaml
+
+alias calicoctl="kubectl exec -i -n kube-system calicoctl -- /calicoctl"
+calicoctl create -f - < ./k8s/c0/calico-bgp.yaml
+```
+
+## Flux bootstrap
+
+On a client:
+
+```
+wget https://github.com/fluxcd/flux2/releases/download/v0.16.1/flux_0.16.1_linux_amd64.tar.gz
+tar xvfz flux_0.16.1_linux_amd64.tar.gz
+./flux bootstrap git --path=./cluster/c0 --cluster-domain c0.k8s.ooo --url ssh://git@code.ungleich.ch/ungleich-intern/k8s-config.git --branch=main
+```
+
+## rook bootstrap
+
+* via flux

k8s/c0/calico-bgp.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: projectcalico.org/v3
+kind: BGPConfiguration
+metadata:
+  name: default
+spec:
+  logSeverityScreen: Info
+  nodeToNodeMeshEnabled: true
+  asNumber: 65534
+  serviceClusterIPs:
+  - cidr: 2a0a:e5c0:13:b1::/108
+  serviceExternalIPs:
+  - cidr: 2a0a:e5c0:13:b1::/108
+---
+apiVersion: projectcalico.org/v3
+kind: BGPPeer
+metadata:
+  name: red-place7
+spec:
+  peerIP: 2a0a:e5c0:13::42
+  asNumber: 213081

k8s/c0/kubeadm.yaml

@@ -0,0 +1,13 @@
+# kubeadm-config.yaml
+kind: ClusterConfiguration
+apiVersion: kubeadm.k8s.io/v1beta2
+kubernetesVersion: v1.21.2
+networking:
+  dnsDomain: "c0.k8s.ooo"
+  podSubnet: 2a0a:e5c0:13:b0::/64
+  serviceSubnet: 2a0a:e5c0:13:b1::/108
+controlPlaneEndpoint: "api.c0.k8s.ooo:6443"
+---
+kind: KubeletConfiguration
+apiVersion: kubelet.config.k8s.io/v1beta1
+cgroupDriver: cgroupfs

k8s/c2/kubeadm.yaml

@@ -1,12 +1,12 @@
 # kubeadm-config.yaml
 kind: ClusterConfiguration
 apiVersion: kubeadm.k8s.io/v1beta2
-kubernetesVersion: v1.21.1
+kubernetesVersion: v1.21.2
 networking:
   dnsDomain: c2.k8s.ooo
   podSubnet: 2a0a:e5c0:13:e1::/64
   serviceSubnet: 2a0a:e5c0:13:e2::/108
-
+controlPlaneEndpoint: "api.c2.k8s.ooo:6443"
 ---
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1

tests/secret-generation-test.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: string-secret
+  annotations:
+    secret-generator.v1.mittwald.de/autogenerate: password