Clustering hints; certificate by CRD

README.md

@@ -3,12 +3,14 @@
   * [On on-premises](#install-k3s-on-premises)
     * [Configure upstream DNS-resolver](#upstream-dns-resolver)
     * [Change NodePort range](#nodeport-range)
+    * [Clustering](#clustering)
   * [On Docker with k3d](#install-k3s-on-docker-k3d)
 * [Namespaces and resource limits](#namespaces-limits)
 * [Persistent volumes (StorageClass - dynamic provisioning)](#pv)
   * [Rancher Local](#pv-local)
   * [Rancher Longhorn - distributed in local cluster](#pv-longhorn)
   * [NFS](#pv-nfs)
+  * [Seaweedfs](#pv-seaweedfs)
 * [Ingress controller](#ingress-controller)
   * [Disable Traefik-ingress](#disable-traefik-ingress)
   * [Enable NGINX-ingress with OCSP stapling](#enable-nginx-ingress)
@@ -16,7 +18,8 @@
 * [Cert-Manager (references ingress controller)](#cert-manager)
   * [Installation](#cert-manager-install)
   * [Let´s Encrypt issuer](#cert-manager-le-issuer)
-  * [Deploying a LE-certificate](#cert-manager-ingress)
+  * [Deploying a LE-certificate with ingress](#cert-manager-ingress)
+  * [Deploying a LE-certificate by CRD](#cert-manager-crd)
   * [Troubleshooting](#cert-manager-troubleshooting)
 * [HELM charts](#helm)
   * [Create a chart](#helm-create)
@@ -103,6 +106,21 @@ ExecStart=/usr/local/bin/k3s \
 2. Re-load systemd config: `systemctl daemon-reload`
 3. Re-start k3s: `systemctl restart k3s.service`
 
+### Clustering <a name="user-content-clustering"></a>
+If you want to build a K3s-cluster the default networking model is *overlay@VXLAN*. In this case make sure that
+* all of your nodes can reach (ping) each other over the underlying network. This is required for the overlay network to work properly. VXLAN spans a mashed network over all K3s-nodes.
+* if your nodes are spread over public networks (like the internet) use a VPN (like IPSec or OpenVPN) to secure the traffic between the nodes. **VXLAN uses plain UDP for transport!**
+* if your nodes are connected through VPN, `flannel` (overlay network daemon) explicitly communicates over the vpn network interface instead of the public network interface. Following settings should be made on the nodes:
+```
+/etc/systemd/system/k3s-agent.service:
+
+[...]
+ExecStartPre=sleep 60
+ExecStart=/usr/local/bin/k3s \
+    agent \
+    --flannel-iface <name-of-vpn-interface> \
+```
+
 ## On Docker with K3d <a name="user-content-install-k3s-on-docker-k3d"></a>
 K3d is a terraforming orchestrator which deploys a K3s cluster (masters and nodes) directly on docker without the need for virtual machines for each node (master/worker).
 
@@ -217,6 +235,11 @@ spec:
     requests:
       storage: 32Mi
 ```
+## Seaweedfs <a name="user-content-pv-seaweedfs"></a>
+Docs: https://github.com/seaweedfs  
+Docs: https://github.com/seaweedfs/seaweedfs-csi-driver
+
+In order to use the CSI driver you already need to have a working seaweedfs-cluster. As seaweedfs is really lightweight it can be deployed on a bunch (at least three) of raspberries (min. version 3) as well as on the K3s cluster too.
 
 # Ingress controller <a name="user-content-ingress-controller"></a>
 ## Disable Traefik-ingress <a name="user-content-disable-traefik-ingress"></a>
@@ -380,7 +403,7 @@ spec:
 ```
 `kubectl apply -f lets-encrypt-cluster-issuers.yaml`
 
-## Deploying a LE-certificate <a name="user-content-cert-manager-ingress"></a>
+## Deploying a LE-certificate with ingress <a name="user-content-cert-manager-ingress"></a>
 All you need is an `Ingress` resource of class `nginx` which references a ClusterIssuer (`letsencrypt-prod-issuer`) resource.
 
 HTTP-01 solver (`cert-manager.io/cluster-issuer: "letsencrypt-prod-issuer"`):
@@ -433,6 +456,77 @@ spec:
           serviceName: some-target-service
           servicePort: some-target-service-port
 ```
+## Deploying a LE-certificate by CRD <a name="user-content-cert-manager-crd"></a>
+All you need is a Certificate-CRD (Custom Resource Definition) like this one:
+```
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: some-certificate
+  namespace: staging
+spec:
+  # Secret names are always required.
+  secretName: some-secret
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  # The use of the common name field has been deprecated since 2000 and is
+  # discouraged from being used.
+  commonName: some.fully.qualified.domain.name
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096
+  usages:
+    - server auth
+    - client auth
+  # At least one of a DNS Name, URI, or IP address is required.
+  dnsNames:
+    - some.fully.qualified.domain.name
+  # Issuer references are always required.
+  issuerRef:
+    name: <your-favourite-cluster-issuer>
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+```
+After the certificate was issued, you can reference it as a volume within a deployment:
+```
+apiVersion:  apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx-ssl
+  name: nginx-ssl
+  namespace: staging
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx-ssl
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: nginx-ssl
+    spec:
+      volumes:
+      - name: nginx-ssl-volume
+        secret:
+          secretName: some-secret
+      containers:
+      - image: nginx
+        name: nginx-ssl
+        volumeMounts:
+          - mountPath: "/etc/nginx/ssl"
+            name: nginx-ssl-volume
+            readOnly: true
+        ports:
+        - containerPort: 80
+      restartPolicy: Always
+```
 
 ## Troubleshooting <a name="user-content-cert-manager-troubleshooting"></a>
 Docs: https://cert-manager.io/docs/faq/acme/