No description
Find a file
2024-09-04 02:00:40 +00:00
argocd-bootstrap refactor(argocd): split bootstrap files 2024-09-03 21:31:40 +02:00
bin Revert "feat: add renovate-bot cronjob" 2023-07-29 17:44:54 +02:00
manifests refactor(manifests): move _templates into manifests path 2024-09-03 17:55:33 +02:00
.gitignore FEAT: get kubeconfig after k3s installation 2022-05-01 20:04:05 +02:00
.renovaterc.json break: switch from k0s to k3s 2024-09-03 17:46:04 +02:00
docker-compose.yml chore: update rancher/k3s docker tag to v1.31.0 2024-09-04 02:00:40 +00:00
logo.png FEAT: add logo 2021-11-30 14:49:29 +01:00
README.md doc: add agent registration instructions 2024-09-03 22:32:40 +02:00

k3s Kubernetes + Baseline

Run (k3s + baseline)

docker compose up

Get kubeconfig

docker compose exec -it k3s kubectl config view --flatten

Add Agents

Get Agent Token

The secure token format (occasionally referred to as a "full" token) contains the following parts:

::

Get existing server token: cat /var/lib/docker/volumes/baseline_k3s-data/_data/server/token

Create new token: docker compose exec -it k3s k3s token create

Register Agent/Worker

export K3S_URL=https://<cpn.fqdn>:6443
export K3S_NODE_NAME=<node.fqdn>
export K3S_TOKEN=<full-token>
curl -sfL https://get.k3s.io | sh -s -

Notes

ArgoCD

To retrieve the initial admin password use kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

To change the password follow Argocd account update password.

Sync Applications with Kubectl

Add to application:

operation:
  sync:
    syncStrategy:
      hook: {}

Zabbix Monitoring

See: infrastructure/zabbix-config - Zabbix Kubernetes Monitoring

Cloud Setups

Linode

PROXY protocol needs to be enabled for ingress-nginx to see the clients IP in ingress log.

Add the PROXY protocol annotation to the ingress-nginx service:

annotations:
    service.beta.kubernetes.io/linode-loadbalancer-proxy-protocol: v2

Update the ingress-nginx ConfigMap to make nginx expect PROXY protocol data:

data:
  use-proxy-protocol: "true"

cert-manager

However, when you have the PROXY protocol enabled, the external load balancer does modify the traffic, prepending the PROXY line before each TCP connection. If you connect directly to the web server internally, bypassing the external load balancer, then it will receive traffic without the PROXY line.

This is particularly a problem when using cert-manager for provisioning SSL certificates.

After enabling the PROXY protocol cert-manager is unable to perform a self check ("propagation check failed", "failed to perform self check GET request").

hairpin-proxy adds PROXY protocol support for internal-to-LoadBalancer traffic for Kubernetes Ingress users, specifically for cert-manager self-checks (no further configuration needed).