From a8e4a09398c58ad3dba140a28d1f85573bca2bfd Mon Sep 17 00:00:00 2001
From: Dominik Chilla
Date: Mon, 20 Sep 2021 00:06:26 +0200
Subject: [PATCH] Clustering hints; certificate by CRD
---
 README.md | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 96 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 6634aee..1fde573 100644
--- a/README.md
+++ b/README.md
@@ -3,12 +3,14 @@
 * [On on-premises](#install-k3s-on-premises)
 * [Configure upstream DNS-resolver](#upstream-dns-resolver)
 * [Change NodePort range](#nodeport-range)
+ * [Clustering](#clustering)
 * [On Docker with k3d](#install-k3s-on-docker-k3d)
 * [Namespaces and resource limits](#namespaces-limits)
 * [Persistent volumes (StorageClass - dynamic provisioning)](#pv)
 * [Rancher Local](#pv-local)
 * [Rancher Longhorn - distributed in local cluster](#pv-longhorn)
 * [NFS](#pv-nfs)
+ * [Seaweedfs](#pv-seaweedfs)
 * [Ingress controller](#ingress-controller)
 * [Disable Traefik-ingress](#disable-traefik-ingress)
 * [Enable NGINX-ingress with OCSP stapling](#enable-nginx-ingress)
@@ -16,7 +18,8 @@
 * [Cert-Manager (references ingress controller)](#cert-manager)
 * [Installation](#cert-manager-install)
 * [Let´s Encrypt issuer](#cert-manager-le-issuer)
- * [Deploying a LE-certificate](#cert-manager-ingress)
+ * [Deploying a LE-certificate with ingress](#cert-manager-ingress)
+ * [Deploying a LE-certificate by CRD](#cert-manager-crd)
 * [Troubleshooting](#cert-manager-troubleshooting)
 * [HELM charts](#helm)
 * [Create a chart](#helm-create)
@@ -103,6 +106,21 @@ ExecStart=/usr/local/bin/k3s \ 2. Re-load systemd config: `systemctl daemon-reload` 3. Re-start k3s: `systemctl restart k3s.service` +### Clustering +If you want to build a K3s-cluster the default networking model is *overlay@VXLAN*. In this case make sure that +* all of your nodes can reach (ping) each other over the underlying network. This is required for the overlay network to work properly. VXLAN spans a mashed network over all K3s-nodes. +* if your nodes are spread over public networks (like the internet) use a VPN (like IPSec or OpenVPN) to secure the traffic between the nodes. **VXLAN uses plain UDP for transport!** +* if your nodes are connected through VPN, `flannel` (overlay network daemon) explicitly communicates over the vpn network interface instead of the public network interface. Following settings should be made on the nodes: +``` +/etc/systemd/system/k3s-agent.service: + +[...] +ExecStartPre=sleep 60 +ExecStart=/usr/local/bin/k3s \ + agent \ + --flannel-iface \ +``` + ## On Docker with K3d K3d is a terraforming orchestrator which deploys a K3s cluster (masters and nodes) directly on docker without the need for virtual machines for each node (master/worker). @@ -217,6 +235,11 @@ spec: requests: storage: 32Mi ``` +## Seaweedfs +Docs: https://github.com/seaweedfs +Docs: https://github.com/seaweedfs/seaweedfs-csi-driver + +In order to use the CSI driver you already need to have a working seaweedfs-cluster. As seaweedfs is really lightweight it can be deployed on a bunch (at least three) of raspberries (min. version 3) as well as on the K3s cluster too. # Ingress controller ## Disable Traefik-ingress 
@@ -380,7 +403,7 @@ spec: ``` `kubectl apply -f lets-encrypt-cluster-issuers.yaml` -## Deploying a LE-certificate +## Deploying a LE-certificate with ingress All you need is an `Ingress` resource of class `nginx` which references a ClusterIssuer (`letsencrypt-prod-issuer`) resource. HTTP-01 solver (`cert-manager.io/cluster-issuer: "letsencrypt-prod-issuer"`): 
@@ -433,6 +456,77 @@ spec: serviceName: some-target-service servicePort: some-target-service-port ``` +## Deploying a LE-certificate by CRD +All you need is a Certificate-CRD (Custom Resource Definition) like this one: +``` +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: some-certificate + namespace: staging +spec: + # Secret names are always required. + secretName: some-secret + + duration: 2160h # 90d + renewBefore: 360h # 15d + # The use of the common name field has been deprecated since 2000 and is + # discouraged from being used. + commonName: some.fully.qualified.domain.name + isCA: false + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 4096 + usages: + - server auth + - client auth + # At least one of a DNS Name, URI, or IP address is required. + dnsNames: + - some.fully.qualified.domain.name + # Issuer references are always required. + issuerRef: + name: + # We can reference ClusterIssuers by changing the kind here. + # The default value is Issuer (i.e. a locally namespaced Issuer) + kind: ClusterIssuer +``` +After the certificate was issued, you can reference it as a volume within a deployment: +``` +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx-ssl + name: nginx-ssl + namespace: staging +spec: + replicas: 1 + selector: + matchLabels: + app: nginx-ssl + strategy: + type: Recreate + template: + metadata: + labels: + app: nginx-ssl + spec: + volumes: + - name: nginx-ssl-volume + secret: + secretName: some-secret + containers: + - image: nginx + name: nginx-ssl + volumeMounts: + - mountPath: "/etc/nginx/ssl" + name: nginx-ssl-volume + readOnly: true + ports: + - containerPort: 80 + restartPolicy: Always +``` ## Troubleshooting Docs: https://cert-manager.io/docs/faq/acme/