No description
Find a file
Sebastian Mark 13cded188f break: migrate back to bare-metal (and ansible)
- remove docker-compose.yml
- add ansible playbook for k3s and argocd deployment
- update renovate custom manager for k3s version
- update README.md with new instructions

🤖
2024-09-12 19:29:50 +02:00
argocd-bootstrap refactor(argocd): split bootstrap files 2024-09-12 19:29:50 +02:00
bin Revert "feat: add renovate-bot cronjob" 2023-07-29 17:44:54 +02:00
manifests refactor(manifests): move _templates into manifests path 2024-09-12 19:29:50 +02:00
.gitignore FEAT: get kubeconfig after k3s installation 2022-05-01 20:04:05 +02:00
.renovaterc.json break: migrate back to bare-metal (and ansible) 2024-09-12 19:29:50 +02:00
logo.png FEAT: add logo 2021-11-30 14:49:29 +01:00
playbook.yml break: migrate back to bare-metal (and ansible) 2024-09-12 19:29:50 +02:00
README.md break: migrate back to bare-metal (and ansible) 2024-09-12 19:29:50 +02:00

k3s Kubernetes + ArgoCD + Baseline

Run (Deploy k3s + ArgoCD + Baseline)

ansible-playbook k3s_boostrap.yml -i <host|ip>,

Get kubeconfig

cat /etc/rancher/k3s/k3s.yml

Add Agents

Get Agent Token

The secure token format (occasionally referred to as a "full" token) contains the following parts:

::

Get existing server token: cat /var/lib/docker/volumes/baseline_k3s-data/_data/server/token

Create new token: docker compose exec -it k3s k3s token create

Register Agent/Worker

export K3S_URL=https://<cpn.fqdn>:6443
export K3S_NODE_NAME=<node.fqdn>
export K3S_TOKEN=<full-token>
curl -sfL https://get.k3s.io | sh -s -

Notes

ArgoCD

To retrieve the initial admin password use kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

To change the password follow Argocd account update password.

Sync Applications with Kubectl

Add to application:

operation:
  sync:
    syncStrategy:
      hook: {}

Zabbix Monitoring

See: infrastructure/zabbix-config - Zabbix Kubernetes Monitoring

Cloud Setups

Linode

PROXY protocol needs to be enabled for ingress-nginx to see the clients IP in ingress log.

Add the PROXY protocol annotation to the ingress-nginx service:

annotations:
    service.beta.kubernetes.io/linode-loadbalancer-proxy-protocol: v2

Update the ingress-nginx ConfigMap to make nginx expect PROXY protocol data:

data:
  use-proxy-protocol: "true"

cert-manager

However, when you have the PROXY protocol enabled, the external load balancer does modify the traffic, prepending the PROXY line before each TCP connection. If you connect directly to the web server internally, bypassing the external load balancer, then it will receive traffic without the PROXY line.

This is particularly a problem when using cert-manager for provisioning SSL certificates.

After enabling the PROXY protocol cert-manager is unable to perform a self check ("propagation check failed", "failed to perform self check GET request").

hairpin-proxy adds PROXY protocol support for internal-to-LoadBalancer traffic for Kubernetes Ingress users, specifically for cert-manager self-checks (no further configuration needed).