4 Commits

| Author | SHA1 | Message | Date |
| --- | --- | --- | --- |
| savagebidoof | 57a8288769 | Part 8 and 9 documented (even tho part 9 was just a link to the repo used ... ) | 2023-10-20 20:30:53 +02:00 |
| savagebidoof | efcb916c9f | Part 8 and 9 documented (even tho part 9 was just a link to the repo used ... ) | 2023-10-20 20:30:25 +02:00 |
| savagebidoof | cd7fdbdd16 | Fixing header formatting. | 2023-08-02 17:27:11 +02:00 |
| savagebidoof | 40010b8c2a | Added slave01 to the cluster. Part 7 documented. | 2023-08-02 17:21:16 +02:00 |
9 changed files with 585 additions and 43 deletions


@@ -5,7 +5,7 @@ metadata:
namespace: default
spec:
selector:
istio: public-ingress
istio: local-ingress
servers:
- port:
number: 80
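Review bot: swapping the selector from `istio: public-ingress` to `istio: local-ingress` moves this port-80 listener onto the local ingress only. If this is the HTTP-to-HTTPS redirect Gateway referenced later in the README (`http-to-https-local`), that is the right fix, but the public ingress still exposes `80:30427/TCP` in the LoadBalancer listing further down in this diff; confirm that a separate Gateway selecting `public-ingress` answers (and redirects) port 80 there, otherwise plain-HTTP requests to the public address will fail rather than be redirected to HTTPS.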


@@ -0,0 +1,45 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-fihome
namespace: istio-system
spec:
acme:
# ACME Server
# prod : https://acme-v02.api.letsencrypt.org/directory
# staging : https://acme-staging-v02.api.letsencrypt.org/directory
server: https://acme-v02.api.letsencrypt.org/directory
# ACME Email address
email: <redacted>
privateKeySecretRef:
name: letsencrypt-fihome # staging or production
solvers:
- selector:
dnsNames:
- '*.fihome.xyz'
dns01:
webhook:
config:
apiKeySecretRef:
name: fihome-godaddy-api-key
key: key
secret: secret
production: true
ttl: 600
groupName: acme.fihome.xyz
solverName: godaddy
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: fihome-domain-cert-public
namespace: istio-system
spec:
secretName: fihome-domain-cert-public
duration: 720h # 30d
renewBefore: 168h # 1d
dnsNames:
- '*.fihome.xyz'
issuerRef:
name: letsencrypt-fihome
kind: ClusterIssuer
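Review bot: `renewBefore: 168h # 1d` is mislabelled: 168h is 7 days (the `duration: 720h # 30d` line above it is correct); either fix the comment or change the value to `24h` if one day before expiry is what is intended. Also, `namespace: istio-system` on the ClusterIssuer has no effect, since ClusterIssuer is cluster-scoped and cert-manager resolves both `privateKeySecretRef` and the webhook's `apiKeySecretRef` in its own namespace (`cert-manager`, which is where the Secret added in this commit lives, so that part is consistent); dropping the field avoids suggesting otherwise.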


@@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: fihome-godaddy-api-key
namespace: cert-manager
type: Opaque
data:
key: <redacted>
secret: <redacted>
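Review bot: committing this Secret manifest, even with `key` and `secret` set to `<redacted>`, keeps a file in the repo that is one careless edit away from holding the live GoDaddy API credentials; prefer creating it out-of-band (for example `kubectl create secret generic fihome-godaddy-api-key -n cert-manager --from-literal=key=... --from-literal=secret=...`) or through a sealed/external-secrets mechanism, and keep only the ClusterIssuer's reference to it in git. Two details for whoever fills it in: values under `data:` must be base64-encoded (use `stringData:` for plain values), and `namespace: cert-manager` is the correct placement because a ClusterIssuer looks secrets up in cert-manager's namespace, not in `istio-system`.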


@@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: filebrowser-vs
namespace: external
labels:
app: filebrowser
spec:
hosts:
- "filebrowser.filter.home"
- "filebrowser.filterhome.xyz"
- "filebrowser.fihome.xyz"
- "filebrowser.filterhome.duckdns.org"
gateways:
- default/public-gateway
- default/local-gateway
- default/fihome-gateway
http:
- route:
- destination:
host: filebrowser.external.svc.cluster.local
port:
number: 443
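Review bot: the `http:` route targets `filebrowser.external.svc.cluster.local` on port 443, but Istio does not originate TLS to a destination just because the port is 443; without a DestinationRule setting `trafficPolicy.tls.mode: SIMPLE` for that host (none is in this diff, though one may exist elsewhere), the gateway terminates the client's TLS and then forwards plaintext HTTP to port 443, which the backend will reject. Confirm how the `external` namespace's Services are fronted, or add one DestinationRule covering the four `*.external.svc.cluster.local` destinations introduced in this commit.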


@@ -0,0 +1,20 @@
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: fihome-gateway
namespace: default
spec:
selector:
istio: public-ingress
servers:
- port:
number: 443
name: https
protocol: HTTPS
hosts:
- "*.fihome.xyz"
- "fihome.xyz"
tls:
mode: SIMPLE
credentialName: fihome-cert
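Review bot: `credentialName: fihome-cert` does not match the Certificate added in this same commit, whose `secretName` is `fihome-domain-cert-public` (in `istio-system`, where the public ingress looks for SDS secrets); unless a separately created `fihome-cert` Secret exists, this HTTPS server has no certificate to serve. Separately, `hosts` includes the apex `fihome.xyz` while the Certificate requests only `*.fihome.xyz`, and a wildcard does not match the apex, so either add `fihome.xyz` to the Certificate's `dnsNames` or remove it from this server.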


@@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: gitea-vs
namespace: external
labels:
app: gitea
spec:
hosts:
- "gitea.filter.home"
- "gitea.filterhome.xyz"
- "gitea.fihome.xyz"
- "gitea.filterhome.duckdns.org"
gateways:
- default/public-gateway
- default/local-gateway
- default/fihome-gateway
http:
- route:
- destination:
host: gitea.external.svc.cluster.local
port:
number: 443
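Review bot: every hostname here, including the internal-only `gitea.filter.home`, is bound to all three gateways (`default/public-gateway`, `default/local-gateway`, `default/fihome-gateway`). That is harmless only while each Gateway's `hosts:` list stays narrow (the `fihome-gateway` in this diff admits only `*.fihome.xyz` and `fihome.xyz`), because the Gateway host filter is then the sole control keeping a `.filter.home` name off the public listener. Binding each host only to the gateway meant to serve it, or splitting the local and public exposures into separate VirtualServices, makes that intent explicit and survives a later widening of a Gateway's hosts; the same applies to the filebrowser, jelly and tube manifests in this commit.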


@@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: jelly-vs
namespace: external
labels:
app: jellyfin
spec:
hosts:
- "jelly.filter.home"
- "jelly.filterhome.xyz"
- "jelly.filterhome.duckdns.org"
- "jelly.fihome.xyz"
gateways:
- default/public-gateway
- default/local-gateway
- default/fihome-gateway
http:
- route:
- destination:
host: jelly.external.svc.cluster.local
port:
number: 443


@@ -0,0 +1,23 @@
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: tube-vs
namespace: external
labels:
app: tube
spec:
hosts:
- "tube.filter.home"
- "tube.filterhome.xyz"
- "tube.filterhome.duckdns.org"
- "tube.fihome.xyz"
gateways:
- default/public-gateway
- default/local-gateway
- default/fihome-gateway
http:
- route:
- destination:
host: tube.external.svc.cluster.local
port:
number: 443


@@ -234,18 +234,27 @@ Current Issue? For X and y, I need to wait for a while for the DNS provider to r
### Part 7
- [ ] Remove the last host from the old kubernetes cluster and join it to the new cluster.
> Completed 02/August/2023
- [x] Remove the last host from the old kubernetes cluster and join it to the new cluster.
### Part 8
- [ ] Deploy NFS service on the `media SRV` host.
- [x] Set wildcards certificates through `ACME DNS01` challenge.
### Part 9
- [ ] Deploy Istio security.
- [x] Deploy NFS service(s) on the `media SRV` host.
### Part 10
- [ ] Deploy Istio security.
> **Note:**\
> If there is barely workloads, don't think that it's wise to deploy a restrictive security settings as per the moment.
### Part 11
- [ ] Update the `Current Setup` documentation with the new container and architecture rearrangement.
- [ ] Migrate some lightweight/not data heavy services from the `media SRV` to the `Kluster`.
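Review bot: the renumbering moves `Deploy Istio security` from Part 9 to Part 10 and the new Note defers it because there are few workloads; since the same hunk marks the public wildcard certificates (Part 8) as done, the services behind the public ingress are now reachable from the Internet with no mesh-level authorization in place, so record a concrete trigger for revisiting (a workload count or a date) rather than an open-ended deferral. The Note would also read better as: "If there are barely any workloads, I don't think it is wise to deploy restrictive security settings at the moment."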
@@ -262,9 +271,9 @@ Current Issue? For X and y, I need to wait for a while for the DNS provider to r
- Run the old migrated services back on the `media SRV` host.
### Part 11
### TMP Notes
- Set wildcards certificates through `ACME DNS01` challenge.
- https://github.com/joohoi/acme-dns
# Execution
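Review bot: the `TMP Notes` entry still points at acme-dns (https://github.com/joohoi/acme-dns) for the DNS01 wildcard certificates, but the ClusterIssuer added in this same commit uses the GoDaddy webhook solver (`solverName: godaddy`) instead; now that Part 8 is marked done, either drop the note or state that acme-dns was evaluated and not used, so the two do not contradict each other.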
@@ -1161,7 +1170,7 @@ I updated the Local DNS to point towards the new-architecture/new-resources.
First, let's generate a certificate, and it's key.
```shell
openssl req -x509 -newkey rsa:4096 -sha256 -days 5 -nodes \
openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
-keyout ca.filter.home.key -out ca.filter.home.cer \
-subj /C=ES/ST=BAR/O=FilterHome/CN=ca.filter.home \
-extensions ext \
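Review bot: extending the self-signed CA from `-days 5` to `-days 365` is sensible for a homelab CA, but note that with `-nodes` the CA key is written unencrypted to `ca.filter.home.key`, and a later hunk in this diff removes the `./tmp` copy once it has been loaded into a Kubernetes Secret; that Secret (and anything holding the kubeconfig that can read it) then becomes the only custody of the CA, so it should be treated accordingly and the one-year expiry noted somewhere visible, since rotating it means re-trusting on every client. Also, in the sentence above, "it's key" should read "its key".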
@@ -1292,7 +1301,7 @@ x-envoy-upstream-service-time: 2
> It's extremely possible that I set HTTP to HTTPS redirect also locally, still need to decide if there is any reason for which I would like to maintain the local HTTP traffic.
### Part 5
## Part 5
I decided to use a SSD with the Pi4 through a USB3.0 connector.
@@ -1300,7 +1309,7 @@ On the Orange Pi5 I intend to use an m.2 that I bought for it, yet need to try i
Therefore, I will remove 1 node from the current Kubernetes cluster and try there the m.2 that I got.
#### Remove 1 OrangePI Node
### Remove 1 OrangePI Node
https://stackoverflow.com/questions/35757620/how-to-gracefully-remove-a-node-from-kubernetes
@@ -1354,7 +1363,7 @@ error when evicting pods/"istio-public-ingress-5bb994c8b7-j9hgr" -n "istio-syste
Well, it's on it, so let's open a new shell.
#### Cannot evict pod as it would violate the pod's disruption budget.
### Cannot evict pod as it would violate the pod's disruption budget.
Let's delete the "remaining" pods manually.
@@ -1431,7 +1440,7 @@ kubectl delete node slave01.filter.home
node "slave01.filter.home" deleted
```
### Part 6
## Part 6
Currently, the resources whereas:
@@ -1450,17 +1459,17 @@ I will change it to
```
#### Prepare NVME images etc.
### Prepare NVME images etc.
Did the needful.
#### Set up cluster
### Set up cluster
Used the following ansible script to set up things arround.
https://gitea.filterhome.xyz/ofilter/ansible_kubernetes_cluster
##### run.sh
#### run.sh
<pre><span style="color:#FF7F7F"><b>✗</b></span> ./run.sh
@@ -1756,7 +1765,7 @@ PLAY RECAP *********************************************************************
<span style="color:#CC3980">slave02.filter.home</span> : <span style="color:#7F3FBF">ok=12 </span> <span style="color:#CC3980">changed=23 </span> unreachable=0 failed=0 <span style="color:#7f7fff">skipped=12 </span> rescued=0 ignored=0
</pre>
#### Check cluster status
### Check cluster status
```shell
@@ -1781,9 +1790,9 @@ metallb-system speaker-5zptn 1/1 Running 2
metallb-system speaker-whw4n 1/1 Running 2 (22m ago) 26m 192.168.1.11 slave02.filter.home <none> <none>
```
#### Kubeconfig
### Kubeconfig
##### Backup `Kubeconfig` file
#### Backup `Kubeconfig` file
I will back up `kubeconfig.conf` file to a directory of my own.
@@ -1797,13 +1806,13 @@ cp ksetup/Exported/kubeconfig.conf ~/kubeconfig.conf -v
Pods are deployed correctly
##### Configure new `Kubeconfig` location
#### Configure new `Kubeconfig` location
```shell
export KUBECONFIG="/home/savagebidoof/kubeconfig.conf"
```
##### Confirm `Kubeconfig` is selected properly
#### Confirm `Kubeconfig` is selected properly
```shell
kubectl get nodes
@@ -1815,7 +1824,7 @@ pi4.filter.home Ready control-plane 18h v1.27.4
slave02.filter.home Ready <none> 17h v1.27.4
```
#### Move workloads
### Move workloads
Well it's time to move everything over.
@@ -1837,7 +1846,7 @@ I will be using
.39 -> egress LB
```
##### Deploy lacking CRDs
#### Deploy lacking CRDs
I already have `MetalLB` and `Calico` installed.
@@ -1856,7 +1865,7 @@ customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io cre
...
```
##### MetalLB Config
#### MetalLB Config
I am setting up 2 Address Pools.
@@ -1882,7 +1891,7 @@ kind: IPAddressPool
autoAssign: true
```
###### Deploy MetalLB configuration
##### Deploy MetalLB configuration
```shell
kubectl create -f P6_Redeployment/MetalLB.yaml
@@ -1896,9 +1905,9 @@ l2advertisement.metallb.io/l2-advert created
```
##### Deploy Istio Config and Load Balancers
#### Deploy Istio Config and Load Balancers
###### IstioOperator_IstioConfig.yaml
##### IstioOperator_IstioConfig.yaml
```shell
istioctl install -y -f P6_Redeployment/Istio_Config/IstioOperator_IstioConfig.yaml
@@ -1910,7 +1919,7 @@ istioctl install -y -f P6_Redeployment/Istio_Config/IstioOperator_IstioConfig.ya
<span style="color:#7F3FBF">✔</span> Installation complete
Making this installation the default for injection and validation.</pre>
###### IstioOperator_IstioEgress.yaml
##### IstioOperator_IstioEgress.yaml
```shell
istioctl install -y -f P6_Redeployment/Istio_Config/IstioOperator_IstioEgress.yaml
@@ -1922,7 +1931,7 @@ istioctl install -y -f P6_Redeployment/Istio_Config/IstioOperator_IstioEgress.ya
> **Note**:\
> The egress resource doesn't work "right off the bat", requires some configurations regarding this matter, don't think this will be done on this "walkthrough".
###### IstioOperator_LocalIngress.yaml
##### IstioOperator_LocalIngress.yaml
```shell
istioctl install -y -f P6_Redeployment/Istio_Config/IstioOperator_LocalIngress.yaml
@@ -1931,7 +1940,7 @@ istioctl install -y -f P6_Redeployment/Istio_Config/IstioOperator_LocalIngress.y
<pre><span style="color:#7F3FBF">✔</span> Ingress gateways installed
<span style="color:#7F3FBF">✔</span> Installation complete</pre>
###### IstioOperator_PublicIngress.yaml
##### IstioOperator_PublicIngress.yaml
```shell
istioctl install -y -f P6_Redeployment/Istio_Config/IstioOperator_PublicIngress.yaml
@@ -1940,7 +1949,7 @@ istioctl install -y -f P6_Redeployment/Istio_Config/IstioOperator_PublicIngress.
<pre><span style="color:#7F3FBF">✔</span> Ingress gateways installed
<span style="color:#7F3FBF">✔</span> Installation complete </pre>
###### Check Service IP provisioning
##### Check Service IP provisioning
```shell
kubectl get svc -n istio-system | grep LoadBalancer
@@ -1950,15 +1959,15 @@ kubectl get svc -n istio-system | grep LoadBalancer
istio-local-ingress <span style="color:#FF7F7F"><b>LoadBalancer</b></span> 10.97.14.59 192.168.1.21 15021:30005/TCP,80:30168/TCP,443:32103/TCP 50m
istio-public-ingress <span style="color:#FF7F7F"><b>LoadBalancer</b></span> 10.100.53.247 192.168.1.20 15021:31249/TCP,80:30427/TCP,443:30411/TCP 50m</pre>
#### Prepare Secrets
### Prepare Secrets
##### Placeholder folder for God knows what
#### Placeholder folder for God knows what
```shell
mkdir tmp
```
##### Local Certs
#### Local Certs
```shell
openssl req -x509 -newkey rsa:4096 -sha512 -days 365 -nodes \
@@ -2003,7 +2012,7 @@ Add the base64 outputs to the secrets file `P6_Redeployment/non_Istio_Config/Loc
nano P6_Redeployment/non_Istio_Config/Local_Certs/Secret.yaml
```
##### Modify Public Certificate duration
#### Modify Public Certificate duration
Changed the duration to something more "reasonable".
@@ -2011,7 +2020,7 @@ Changed the duration to something more "reasonable".
nano P6_Redeployment/non_Istio_Config/Certificate_Manager/Issuer.yaml
```
##### Modify Local Certificate duration
#### Modify Local Certificate duration
Changed the duration to something more "reasonable".
@@ -2019,7 +2028,7 @@ Changed the duration to something more "reasonable".
nano P6_Redeployment/non_Istio_Config/Local_CA/Issuer.yaml
```
###### Set up HTTP to HTTPS in the local gateway.
##### Set up HTTP to HTTPS in the local gateway.
Added the following Gateway and modified the previous existing to remove `HTTP` access through the port 80.
@@ -2043,7 +2052,7 @@ spec:
httpsRedirect: true
```
##### Deploy EVERYTHING not IstioOperator
#### Deploy EVERYTHING not IstioOperator
Well it's time to press the create button, this will pop up some text, just make sure everything sates as "created".
@@ -2077,7 +2086,7 @@ gateway.networking.istio.io/http-to-https-local created
gateway.networking.istio.io/local-gateway created
```
##### Remove ./tmp folder
#### Remove ./tmp folder
We no longer need the folder ./tmp, therefore we can delete it.
@@ -2092,17 +2101,17 @@ removed './tmp/ca.filter.home.key'
```
##### Update the Router to point towards the "new" Ingress Load Balancer
#### Update the Router to point towards the "new" Ingress Load Balancer
Changed from `192.168.1.80` to `192.168.1.20`.
##### Update Local DNS
#### Update Local DNS
I did the needful.
##### Monitor Public Cert Provisioning
#### Monitor Public Cert Provisioning
```shell
kubectl get events -n istio-system --field-selector involvedObject.name=filterhome-domain-cert-public,involvedObject.kind=Certificate --sort-by=.metadata.creationTimestamp --watch
@@ -2120,12 +2129,379 @@ LAST SEEN TYPE REASON OBJECT MES
```
## Part 7
## Difficulties
I did set up the NVME with the OS etc.
### Set up cluster
Used the following ansible script join the host to the Kubernetes cluster, all I had to do was to populate the `Exported/kubeadm-join.command`.
https://gitea.filterhome.xyz/ofilter/ansible_kubernetes_cluster
<pre><span style="color:#FF7F7F"><b>✗</b></span> ./run.sh
PLAY [Pre Setup] *************************************************************************************************************************************************************************************************************************
TASK [apt update] ************************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [apt upgrade] ***********************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Install sudo] **********************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [update facts] **********************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Make sure we have a &apos;wheel&apos; group] *************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Allow &apos;wheel&apos; group to have passwordless sudo] *************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Add user new_user_name] ************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">[DEPRECATION WARNING]: Encryption using the Python crypt module is deprecated. The Python crypt module is deprecated and will be removed from Python 3.13. Install the passlib library for continued encryption functionality. This </span>
<span style="color:#7F3FBF">feature will be removed in version 2.17. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.</span>
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [adding user &apos;klussy&apos; to group wheel] ***********************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Select new user] *******************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Change root default password] ******************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">[DEPRECATION WARNING]: Encryption using the Python crypt module is deprecated. The Python crypt module is deprecated and will be removed from Python 3.13. Install the passlib library for continued encryption functionality. This </span>
<span style="color:#7F3FBF">feature will be removed in version 2.17. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.</span>
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [PermitRootLogin = no] **************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [PermitEmptyPasswords = no] *********************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Ensure localisation files for &apos;en_US.UTF-8&apos; are available] *************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Ensure localisation files for &apos;en_US.UTF-8&apos; are available] *************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Get current locale and language configuration] *************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Configure locale to &apos;en_US.UTF-8&apos; and language to &apos;en_US.UTF-8&apos;] *******************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [reboot] ****************************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
PLAY RECAP *******************************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">slave01.filter.home</span> : <span style="color:#7F3FBF">ok=10 </span> <span style="color:#CC3980">changed=11 </span> unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 </pre>
<pre>PLAY [Preparethings] *********************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] *******************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [debug] *****************************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home] =&gt; {</span>
<span style="color:#7F3FBF"> &quot;set_hostname&quot;: &quot;slave01.filter.home&quot;</span>
<span style="color:#7F3FBF">}</span>
TASK [debug] *****************************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home] =&gt; {</span>
<span style="color:#7F3FBF"> &quot;is_master&quot;: false</span>
<span style="color:#7F3FBF">}</span>
TASK [Set a hostname] ********************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Swapoff] ***************************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Disable ram on boot (orangepi)] ****************************************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [Disable ram on boot (armbian)] *****************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [apt prune containerd] **************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [apt update] ************************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [apt upgrade] ***********************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [apt install gnupg] *****************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Creating a new directory] **********************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Add Docker GPG key] ****************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Add Docker APT repository] *********************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Add Kubernetes GPG key] ************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Add Kubernetes APT repository] *****************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [apt update] ************************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Install Kubelet Kubeadm Kubectl] ***************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Hold kubeadm] **********************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Hold kubelet] **********************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Hold kubectl] **********************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Install Container Runtime] *********************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Containerd set default config] *****************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [SystemdCgroup = true] **************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Iptables thingies (not touching specific firewall rules.)] *************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Iptables thingies] *****************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Add the overlay module] ************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Add the br_netfilter module] *******************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Apply changes (might need to use sysctl module with the reload flag, will try eventually)] *****************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Enable kubelet] ********************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Enable containerd] *****************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [Enable kubelet] ********************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Restart containerd] ****************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Set /etc/hosts file content (template/base)] ***************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Init cluster] **********************************************************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [Export remote kubeconfig file] *****************************************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [Remove Taint (allows deployment in control plane node)] ****************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [Calico] ****************************************************************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [MetalLB] ***************************************************************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [Generate join token] ***************************************************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [set_fact] **************************************************************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [debug] *****************************************************************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [Store join command in &quot;./Exported/kubeadm-join.command&quot;] ***************************************************************************************************************************************************************************
<span style="color:#7F7FFF">skipping: [slave01.filter.home]</span>
TASK [Populate] **************************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home]</span>
TASK [debug] *****************************************************************************************************************************************************************************************************************************
<span style="color:#7F3FBF">ok: [slave01.filter.home] =&gt; {</span>
<span style="color:#7F3FBF"> &quot;_kubeadm_join_command&quot;: &quot;kubeadm join 192.168.1.9:6443 --token fjw9iy.0v1vim764ls5mpyp --discovery-token-ca-cert-hash sha256:028116b6076078c15bd4212b8a96ecc159507a07df11d7f9859b2593533616c3&quot;</span>
<span style="color:#7F3FBF">}</span>
TASK [Join kubeadm] **********************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [Delete user] ***********************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
TASK [reboot] ****************************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">changed: [slave01.filter.home]</span>
PLAY RECAP *******************************************************************************************************************************************************************************************************************************
<span style="color:#CC3980">slave01.filter.home</span> : <span style="color:#7F3FBF">ok=38 </span> <span style="color:#CC3980">changed=25 </span> unreachable=0 failed=0 <span style="color:#7F7FFF">skipped=10 </span> rescued=0 ignored=0</pre>
#### Check Cluster node list
The node was added correctly.
```shell
kubectl get nodes
```
```text
NAME STATUS ROLES AGE VERSION
pi4.filter.home Ready control-plane 22h v1.27.4
slave01.filter.home Ready <none> 78s v1.27.4
slave02.filter.home Ready <none> 21h v1.27.4
```
## Part 8
I bought the domain `fihome.xyz`.
### Install helm
I did follow the process documented from [here](https://helm.sh/docs/intro/install/)
Also, didn't saved the output, but the process it's fairly simple soo ... GL!
### Update the other reverse proxies to accept ingress from the domain `fihome.xyz`
On my scenario I had to update the reverse proxy from the host `srv` to allow from that domain.
As well had to modify the services that I am intented to serve publicly.
### Install webhook
The repository I will be using is:
https://github.com/snowdrop/godaddy-webhook
Following the installation steps listed in [here](https://github.com/snowdrop/godaddy-webhook#the-godaddy-webhook).
```shell
helm repo add godaddy-webhook https://fred78290.github.io/cert-manager-webhook-godaddy/
```
```text
"godaddy-webhook" has been added to your repositories
```
```shell
helm repo update
```
```text
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "godaddy-webhook" chart repository
...Successfully got an update from the "nfs-subdir-external-provisioner" chart repository
Update Complete. ⎈Happy Helming!⎈
```
```shell
helm upgrade -i godaddy-webhook godaddy-webhook/godaddy-webhook \
--set groupName=acme.fihome.xyz \
--set image.tag=v1.27.2 \
--set image.pullPolicy=Always \
--namespace cert-manager
```
### Update VirtualServices and deploy an Istio Gateway config
This includes adding the `fihome.xyz` domain to the VirtualService resources, and adding a TLS entry for the respective `Istio Gateway` configuration.
```shell
kubectl apply -f P8_Ingress -R
```
```text
gateway.networking.istio.io/fihome-gateway created
virtualservice.networking.istio.io/filebrowser-vs configured
virtualservice.networking.istio.io/gitea-vs configured
virtualservice.networking.istio.io/jelly-vs configured
virtualservice.networking.istio.io/tube-vs configured
```
### Deploy cert-manager config for the secondary domain
```shell
kubectl apply -f P8_Fihome_Cert -R
```
```text
clusterissuer.cert-manager.io/letsencrypt-fihome created
certificate.cert-manager.io/fihome-domain-cert-public created
secret/fihome-godaddy-api-key created
```
### Monitor the certificate provisioning
#### Check Certificate Issuer status
Well, it was very fast on my scenario, but since we are doing a DNS challenge, it could take some time, specially if we required to wait for the DNS propagation, which, as a rule of thumb, can take up to 72h.
```shell
kubectl get -n istio-system certificate fihome-domain-cert-public -o jsonpath='{.metadata.name}{"\t"}{.status.conditions[].reason}{"\t"}{.status.conditions[].message}{"\n"}'
```
```text
fihome-domain-cert-public Ready Certificate is up to date and has not expired
```
#### Certificate logs
```shell
kubectl get events -n istio-system --field-selector involvedObject.name=fihome-domain-cert-public,involvedObject.kind=Certificate --sort-by=.metadata.creationTimestamp --watch
```
```text
LAST SEEN TYPE REASON OBJECT MESSAGE
64s Normal Issuing certificate/fihome-domain-cert-public Issuing certificate as Secret does not exist
64s Normal Generated certificate/fihome-domain-cert-public Stored new private key in temporary Secret resource "fihome-domain-cert-public-wz9hv"
64s Normal Requested certificate/fihome-domain-cert-public Created new CertificateRequest resource "fihome-domain-cert-public-1"
61s Normal Issuing certificate/fihome-domain-cert-public The certificate has been successfully issued
```
## Part 9
Well, I did not document this either, yet I did deploy the following NFS provider from this repo:
- https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner
So far it's been working correctly, can't say I tested much from it, the services I am running are working correctly so, so far so good.
## Part 10
# Difficulties
The Certificate Manager must be located at the same namespace as the `istiod` service, without the LB location being taken into account.
## no healthy upstream
During the "testing of configurations", I created a the `DestinationRule` for the Jelly on the namespace `default`, instead of `external`.
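Review bot: the `debug` task output on the line starting `"_kubeadm_join_command": "kubeadm join 192.168.1.9:6443 --token fjw9iy.0v1vim764ls5mpyp --discovery-token-ca-cert-hash sha256:...` commits a kubeadm bootstrap token and the discovery CA hash into the README; a bootstrap token is a credential that lets a host join the cluster as a node until it expires (24h by default), so the token value should be redacted in the document, and the playbook's `debug` task that prints `_kubeadm_join_command` should carry `no_log: true` (or the token be removed with `kubeadm token delete` once `slave01` has joined) so the next run does not print it again. Smaller points in the same hunk: "didn't saved the output, but the process it's fairly simple soo" and "the services that I am intented to serve" need fixing ("didn't save", "so", "intend"); and the Difficulties line "The Certificate Manager must be located at the same namespace as the `istiod` service, without the LB location being taken into account" does not say which object is meant. Presumably it is the `Certificate` (and the Secret named by its `secretName`) that has to live in the namespace of the Istio ingress gateway pods, `istio-system` here, which is consistent with the `kubectl get -n istio-system certificate fihome-domain-cert-public` check above; rewording it to name the Secret and the gateway namespace rather than `istiod` would make the constraint clear.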
@@ -2258,7 +2634,7 @@ Let's check the "access logs" differences when using one selector or another.
#### Custom
```shell
kubectl get logs -l istio=public-ingress -n istio-system
kubectl logs -l istio=public-ingress -n istio-system
```
```text
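Review bot: replacing `kubectl get logs -l istio=public-ingress -n istio-system` with `kubectl logs -l istio=public-ingress -n istio-system` is the right fix, since `logs` is a top-level kubectl verb and `kubectl get logs` fails because there is no resource type named `logs`. Two things worth adding to the text around it: with a label selector `kubectl logs` only fetches from a limited number of matching pods (`--max-log-requests`, default 5) and does not mark which pod each line came from, so if the ingress gateway runs more than one replica, `--prefix` should be added so the access-log lines in the comparison below can be attributed to a pod.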