baseline/README.md

# k3s Kubernetes + Baseline

* [k3s](https://docs.k3s.io/)
* [ArgoCD](https://argoproj.github.io/cd/)
  * [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/)
  * [cert-manager](https://cert-manager.io/)
    * selfsigned issuer
    * LetsEncrypt issuers (Prod and Staging)
  * [zabbix-proxy](https://git.zabbix.com/projects/ZT/repos/kubernetes-helm/browse?at=refs%2Fheads%2Frelease%2F7.0)
  * [keel](https://keel.sh)
  * [reloader](https://github.com/stakater/Reloader)

## Run (k3s + baseline)

`docker compose up`

### Get kubeconfig

`docker compose exec -it k3s kubectl config view --flatten`

### Add Agents

#### Get Agent Token

> The secure token format (occasionally referred to as a "full" token) contains the following parts:
> 
> <prefix><cluster CA hash>::<credentials>

Get existing server token:
`cat /var/lib/docker/volumes/baseline_k3s-data/_data/server/token`

Create new token:
`docker compose exec -it k3s k3s token create`

#### Register Agent/Worker

```bash
export K3S_URL=https://<cpn.fqdn>:6443
export K3S_NODE_NAME=<node.fqdn>
export K3S_TOKEN=<full-token>
curl -sfL https://get.k3s.io | sh -s -
```

## Notes

### ArgoCD

To retrieve the initial admin password use
`kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d`

To change the password follow [Argocd account update password](https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd_account_update-password/).

#### Sync Applications with Kubectl

Add to application:
```yaml
operation:
  sync:
    syncStrategy:
      hook: {}
```

### Zabbix Monitoring

See: [infrastructure/zabbix-config - Zabbix Kubernetes Monitoring](https://git.smsvc.net/infrastructure/zabbix-config/src/branch/master/Zabbix-Kubernetes.md)

## Cloud Setups

### Linode

PROXY protocol needs to be enabled for ingress-nginx to see the clients IP in ingress log.

Add the PROXY protocol annotation to the ingress-nginx service:

```
annotations:
    service.beta.kubernetes.io/linode-loadbalancer-proxy-protocol: v2
```

Update the ingress-nginx ConfigMap to make nginx expect PROXY protocol data:

```
data:
  use-proxy-protocol: "true"
```

#### cert-manager

> However, when you have the PROXY protocol enabled, the external load balancer does modify the traffic, prepending the PROXY line before each TCP connection. If you connect directly to the web server internally, bypassing the external load balancer, then it will receive traffic without the PROXY line.
> 
> This is particularly a problem when using cert-manager for provisioning SSL certificates.

After enabling the PROXY protocol cert-manager is unable to perform a self check ("propagation check failed", "failed to perform self check GET request").

[hairpin-proxy](https://github.com/compumike/hairpin-proxy) adds PROXY protocol support for internal-to-LoadBalancer traffic for Kubernetes Ingress users, specifically for cert-manager self-checks (no further configuration needed).
break: switch from k0s to k3s (in docker) - replace k0s with k3s in docker-compose.yml - remove k0s-config.yaml - remove metallb-address-pool - update .renovaterc.json to match new file structure - add new argocd-init files for k3s - update README to reflect changes 🤖 2024-09-02 20:10:32 +00:00			`# k3s Kubernetes + Baseline`
Genesis 2021-11-28 22:36:39 +00:00
break: switch from k0s to k3s (in docker) - replace k0s with k3s in docker-compose.yml - remove k0s-config.yaml - remove metallb-address-pool - update .renovaterc.json to match new file structure - add new argocd-init files for k3s - update README to reflect changes 🤖 2024-09-02 20:10:32 +00:00			`* [k3s](https://docs.k3s.io/)`
DOC: add ArgoCD to baseline list 2022-03-21 09:23:56 +00:00			`* [ArgoCD](https://argoproj.github.io/cd/)`
FEAT!: move to GitOps * deploy ArgoCD via server-side Helm * deploy baseline via ArgoCD Application * define all baseline tools as Helm Application * omit ansible playbook * update README 2022-03-31 15:42:55 +00:00			`* [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/)`
			`* [cert-manager](https://cert-manager.io/)`
FEAT: add cert-manager selfsigned issuer 2022-04-29 13:19:50 +00:00			`* selfsigned issuer`
FEAT: add LetsEncrypt issuers 2022-05-01 15:33:33 +00:00			`* LetsEncrypt issuers (Prod and Staging)`
feat(zabbix-proxy): update helm chart repository to v7 2024-06-20 12:13:31 +00:00			`* [zabbix-proxy](https://git.zabbix.com/projects/ZT/repos/kubernetes-helm/browse?at=refs%2Fheads%2Frelease%2F7.0)`
FEAT!: move to GitOps * deploy ArgoCD via server-side Helm * deploy baseline via ArgoCD Application * define all baseline tools as Helm Application * omit ansible playbook * update README 2022-03-31 15:42:55 +00:00			`* [keel](https://keel.sh)`
			`* [reloader](https://github.com/stakater/Reloader)`
DOC: use ProxyProtocol for Linode LB 2022-01-05 22:10:37 +00:00
break: switch from k0s to k3s (in docker) - replace k0s with k3s in docker-compose.yml - remove k0s-config.yaml - remove metallb-address-pool - update .renovaterc.json to match new file structure - add new argocd-init files for k3s - update README to reflect changes 🤖 2024-09-02 20:10:32 +00:00			`## Run (k3s + baseline)`
DOC: update README * merge INSTALL.md into README * remove unused section 2022-04-10 09:02:21 +00:00
break: switch from k3s to k0s (in docker) - replace k3s with k0s - remove argocd-init.yml - remove pb_install.yml - add docker-compose.yml for k0s setup - add k0s-config.yaml for k0s configuration - add metallb loadbalancer - add metallb ip pool - add openebs local storage - update README 🤖 2024-08-30 22:22:48 +00:00			`docker compose up`
DOC: update README * merge INSTALL.md into README * remove unused section 2022-04-10 09:02:21 +00:00
break: switch from k3s to k0s (in docker) - replace k3s with k0s - remove argocd-init.yml - remove pb_install.yml - add docker-compose.yml for k0s setup - add k0s-config.yaml for k0s configuration - add metallb loadbalancer - add metallb ip pool - add openebs local storage - update README 🤖 2024-08-30 22:22:48 +00:00			`### Get kubeconfig`
DOC: use ProxyProtocol for Linode LB 2022-01-05 22:10:37 +00:00
break: switch from k0s to k3s (in docker) - replace k0s with k3s in docker-compose.yml - remove k0s-config.yaml - remove metallb-address-pool - update .renovaterc.json to match new file structure - add new argocd-init files for k3s - update README to reflect changes 🤖 2024-09-02 20:10:32 +00:00			`docker compose exec -it k3s kubectl config view --flatten`
DOC: update README * merge INSTALL.md into README * remove unused section 2022-04-10 09:02:21 +00:00
doc: add agent registration instructions - add section on how to get existing server token - add steps to create a new token - add instructions on how to register an agent/worker 🤖 2024-09-03 20:31:56 +00:00			`### Add Agents`

			`#### Get Agent Token`

			`> The secure token format (occasionally referred to as a "full" token) contains the following parts:`
			`>`
			`> <prefix><cluster CA hash>::<credentials>`

			`Get existing server token:`
			`cat /var/lib/docker/volumes/baseline_k3s-data/_data/server/token`

			`Create new token:`
			`docker compose exec -it k3s k3s token create`

			`#### Register Agent/Worker`

			```bash
			`export K3S_URL=https://<cpn.fqdn>:6443`
			`export K3S_NODE_NAME=<node.fqdn>`
			`export K3S_TOKEN=<full-token>`
			`curl -sfL https://get.k3s.io \| sh -s -`
			```

DOC: update README * merge INSTALL.md into README * remove unused section 2022-04-10 09:02:21 +00:00			`## Notes`
DOC: add fix for missing ingress-nginx servicemonitor 2022-02-06 14:43:50 +00:00
doc: update ArgoCD README sections - Add instructions on how to access ArgoCD dashboard via `argocdm admin dashboard` - Mention possible requirement to switch namespace to `argocd` 🤖 2023-07-29 18:13:44 +00:00			`### ArgoCD`

feat(argocd): enable argocd application server 2023-08-01 21:07:13 +00:00			`To retrieve the initial admin password use`
			`kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" \| base64 -d`
doc: update ArgoCD README sections - Add instructions on how to access ArgoCD dashboard via `argocdm admin dashboard` - Mention possible requirement to switch namespace to `argocd` 🤖 2023-07-29 18:13:44 +00:00
feat(argocd): enable argocd application server 2023-08-01 21:07:13 +00:00			`To change the password follow [Argocd account update password](https://argo-cd.readthedocs.io/en/stable/user-guide/commands/argocd_account_update-password/).`
doc: update ArgoCD README sections - Add instructions on how to access ArgoCD dashboard via `argocdm admin dashboard` - Mention possible requirement to switch namespace to `argocd` 🤖 2023-07-29 18:13:44 +00:00
doc(argo-cd): describe sync via Kubectl 2024-09-03 11:24:07 +00:00			`#### Sync Applications with Kubectl`

			`Add to application:`
			```yaml
			`operation:`
			`sync:`
			`syncStrategy:`
			`hook: {}`
			```

doc: add Zabbix Monitoring section - add new section for Zabbix Monitoring in README.md - provide link to Zabbix Kubernetes Monitoring documentation 🤖 2024-09-03 18:14:09 +00:00			`### Zabbix Monitoring`

			`See: [infrastructure/zabbix-config - Zabbix Kubernetes Monitoring](https://git.smsvc.net/infrastructure/zabbix-config/src/branch/master/Zabbix-Kubernetes.md)`

			`## Cloud Setups`

DOC: use ProxyProtocol for Linode LB 2022-01-05 22:10:37 +00:00			`### Linode`

DOC: fix typos and syntax 2022-02-03 07:30:12 +00:00			`PROXY protocol needs to be enabled for ingress-nginx to see the clients IP in ingress log.`
DOC: use ProxyProtocol for Linode LB 2022-01-05 22:10:37 +00:00
DOC: fix typos and syntax 2022-02-03 07:30:12 +00:00			`Add the PROXY protocol annotation to the ingress-nginx service:`
DOC: add instructions for hairpin-proxy 2022-02-03 07:28:40 +00:00
DOC: use ProxyProtocol for Linode LB 2022-01-05 22:10:37 +00:00			```
			`annotations:`
DOC: add instructions for hairpin-proxy 2022-02-03 07:28:40 +00:00			`service.beta.kubernetes.io/linode-loadbalancer-proxy-protocol: v2`
DOC: use ProxyProtocol for Linode LB 2022-01-05 22:10:37 +00:00			```

DOC: fix typos and syntax 2022-02-03 07:30:12 +00:00			`Update the ingress-nginx ConfigMap to make nginx expect PROXY protocol data:`
DOC: add instructions for hairpin-proxy 2022-02-03 07:28:40 +00:00
DOC: use ProxyProtocol for Linode LB 2022-01-05 22:10:37 +00:00			```
			`data:`
			`use-proxy-protocol: "true"`
			```
DOC: add instructions for hairpin-proxy 2022-02-03 07:28:40 +00:00
			`#### cert-manager`

			`> However, when you have the PROXY protocol enabled, the external load balancer does modify the traffic, prepending the PROXY line before each TCP connection. If you connect directly to the web server internally, bypassing the external load balancer, then it will receive traffic without the PROXY line.`
feat(zabbix-proxy): update helm chart repository to v7 2024-06-20 12:13:31 +00:00			`>`
DOC: add instructions for hairpin-proxy 2022-02-03 07:28:40 +00:00			`> This is particularly a problem when using cert-manager for provisioning SSL certificates.`

			`After enabling the PROXY protocol cert-manager is unable to perform a self check ("propagation check failed", "failed to perform self check GET request").`

			`[hairpin-proxy](https://github.com/compumike/hairpin-proxy) adds PROXY protocol support for internal-to-LoadBalancer traffic for Kubernetes Ingress users, specifically for cert-manager self-checks (no further configuration needed).`