playgrounds/vagrant-lab-k8s
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

init commit

Browse Source
This commit is contained in:
Aleksander Cynarski
2022-03-13 13:29:53 +01:00
commit ef753a3c7e
8 changed files with 679 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
provision/base.sh Normal file
View File

@@ -0,0 +1,72 @@
#!/bin/bash
set -euo pipefail
#
# Helper functions
#
declare -i term_width=80
h1() {
declare border padding text
border='\e[1;34m'"$(printf '=%.0s' $(seq 1 "$term_width"))"'\e[0m'
padding="$(printf ' %.0s' $(seq 1 $(((term_width - $(wc -m <<<"$*")) / 2))))"
text="\\e[1m$*\\e[0m"
echo -e "$border"
echo -e "${padding}${text}${padding}"
echo -e "$border"
}
h2() {
printf '\e[1;33m==>\e[37;1m %s\e[0m\n' "$*"
}
export DEBIAN_FRONTEND=noninteractive
# !!!!!!!!!!!!!!!
# Wyłącz swap!!
# swapoff -a
# sed -i -E 's,^([^#]+\sswap\s.+),#\1,' /etc/fstab
h1 "Debug networking and system uuid"
ip addr
cat /sys/class/dmi/id/product_uuid
h1 "Prepare base system"
h2 "Install applications and utils"
# update the package cache.
apt-get update
apt-get install -y --no-install-recommends jq curl bash-completion vim tcpdump traceroute iptables
h2 "Configure vim"
cat >/etc/vim/vimrc.local <<'EOF'
syntax on
set background=dark
set esckeys
set ruler
set laststatus=2
set nobackup
EOF
h2 "Configure shell"
cat >/etc/profile.d/login.sh <<'EOF'
[[ "$-" != *i* ]] && return
export EDITOR=vim
export PAGER=less
alias l='ls -lF --color'
alias ll='l -a'
alias h='history 25'
alias j='jobs -l'
EOF
cat >/etc/inputrc <<'EOF'
set input-meta on
set output-meta on
set show-all-if-ambiguous on
set completion-ignore-case on
"\e[A": history-search-backward
"\e[B": history-search-forward
"\eOD": backward-word
"\eOC": forward-word
EOF

42
provision/etcdctl.sh Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/bash
set -euo pipefail
#
# Helper functions
#
declare -i term_width=80
h1() {
declare border padding text
border='\e[1;34m'"$(printf '=%.0s' $(seq 1 "$term_width"))"'\e[0m'
padding="$(printf ' %.0s' $(seq 1 $(((term_width - $(wc -m <<<"$*")) / 2))))"
text="\\e[1m$*\\e[0m"
echo -e "$border"
echo -e "${padding}${text}${padding}"
echo -e "$border"
}
h2() {
printf '\e[1;33m==>\e[37;1m %s\e[0m\n' "$*"
}
etcd_version="${1:-v3.4.16}"; shift || true
h1 "Install etcd"
h2 "Version: ${etcd_version}"
# install the binaries.
url="https://github.com/etcd-io/etcd/releases/download/$etcd_version/etcd-$etcd_version-linux-amd64.tar.gz"
filename="$(basename "$url")"
wget -q "$url"
rm -rf etcd && mkdir etcd
tar xf "$filename" --strip-components 1 -C etcd
install etcd/etcdctl /usr/local/bin
rm -rf "$filename" etcd
h2 "Configure envs to access etcd"
cat >/etc/profile.d/etcdctl.sh <<'EOF'
export ETCDCTL_CACERT=/var/lib/rancher/rke2/server/tls/etcd/server-ca.crt
export ETCDCTL_CERT=/var/lib/rancher/rke2/server/tls/etcd/server-client.crt
export ETCDCTL_KEY=/var/lib/rancher/rke2/server/tls/etcd/server-client.key
EOF

100
provision/example-app.sh Normal file
View File

@@ -0,0 +1,100 @@
#!/bin/bash
set -euo pipefail
#
# Helper functions
#
declare -i term_width=80
h1() {
declare border padding text
border='\e[1;34m'"$(printf '=%.0s' $(seq 1 "$term_width"))"'\e[0m'
padding="$(printf ' %.0s' $(seq 1 $(((term_width - $(wc -m <<<"$*")) / 2))))"
text="\\e[1m$*\\e[0m"
echo -e "$border"
echo -e "${padding}${text}${padding}"
echo -e "$border"
}
h2() {
printf '\e[1;33m==>\e[37;1m %s\e[0m\n' "$*"
}
domain="$(hostname --domain)"
h1 "Deploy example app"
# deploy.
kubectl apply -f - <<EOF
---
# see https://kubernetes.io/docs/concepts/services-networking/ingress/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#ingress-v1-networking-k8s-io
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-app
spec:
rules:
- host: example-app.$domain
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-app
port:
name: web
---
# see https://kubernetes.io/docs/concepts/services-networking/service/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#service-v1-core
apiVersion: v1
kind: Service
metadata:
name: example-app
spec:
selector:
app: example-app
type: ClusterIP
ports:
- name: web
protocol: TCP
port: 80
targetPort: web
---
# see https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#daemonset-v1-apps
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#podtemplatespec-v1-core
# see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#container-v1-core
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: example-app
spec:
selector:
matchLabels:
app: example-app
template:
metadata:
labels:
app: example-app
spec:
nodeSelector:
kubernetes.io/os: linux
containers:
- name: example-app
image: ruilopes/example-docker-buildx-go:v1.2.0
args:
- -listen=:8000
ports:
- name: web
containerPort: 8000
resources:
requests:
memory: 20Mi
cpu: "0.1"
limits:
memory: 20Mi
cpu: "0.1"
EOF

35
provision/k9s.sh Normal file
View File

@@ -0,0 +1,35 @@
#!/bin/bash
set -euo pipefail
#
# Helper functions
#
declare -i term_width=80
h1() {
declare border padding text
border='\e[1;34m'"$(printf '=%.0s' $(seq 1 "$term_width"))"'\e[0m'
padding="$(printf ' %.0s' $(seq 1 $(((term_width - $(wc -m <<<"$*")) / 2))))"
text="\\e[1m$*\\e[0m"
echo -e "$border"
echo -e "${padding}${text}${padding}"
echo -e "$border"
}
h2() {
printf '\e[1;33m==>\e[37;1m %s\e[0m\n' "$*"
}
k9s_version="${1:-v0.24.15}"; shift || true
h1 "Install k9s"
h2 "Version: ${k9s_version}"
# download and install.
wget -qO- "https://github.com/derailed/k9s/releases/download/$k9s_version/k9s_Linux_x86_64.tar.gz" \
| tar xzf - k9s
install -m 755 k9s /usr/local/bin/
rm k9s
# try it.
k9s version

104
provision/rke2-agent.sh Normal file
View File

@@ -0,0 +1,104 @@
#!/bin/bash
set -euo pipefail
#
# Helper functions
#
declare -i term_width=80
h1() {
declare border padding text
border='\e[1;34m'"$(printf '=%.0s' $(seq 1 "$term_width"))"'\e[0m'
padding="$(printf ' %.0s' $(seq 1 $(((term_width - $(wc -m <<<"$*")) / 2))))"
text="\\e[1m$*\\e[0m"
echo -e "$border"
echo -e "${padding}${text}${padding}"
echo -e "$border"
}
h2() {
printf '\e[1;33m==>\e[37;1m %s\e[0m\n' "$*"
}
rke2_channel="$1"; shift
rke2_version="$1"; shift
rke2_server_url="$1"; shift
ip_address="$1"; shift
cat >/etc/motd <<'EOF'
_ ____ _
_ __| | _____|___ \ __ _ __ _ ___ _ __ | |_
| '__| |/ / _ \ __) | / _` |/ _` |/ _ \ '_ \| __|
| | | < __// __/ | (_| | (_| | __/ | | | |_
|_| |_|\_\___|_____(_)__,_|\__, |\___|_| |_|\__|
|___/
EOF
h1 "Install rke2 agent"
h2 "Version: ${rke2_version}"
h2 "Server: ${rke2_server_url}"
# install rke2 agent.
# see https://docs.rke2.io/install/install_options/install_options/
# see https://docs.rke2.io/install/install_options/linux_agent_config/
install -d -m 700 /etc/rancher/rke2
install /dev/null -m 600 /etc/rancher/rke2/config.yaml
cat >>/etc/rancher/rke2/config.yaml <<EOF
server: $rke2_server_url
token: $(cat /vagrant/tmp/node-token)
node-ip: $ip_address
EOF
curl -sfL https://raw.githubusercontent.com/rancher/rke2/$rke2_version/install.sh \
| \
INSTALL_RKE2_CHANNEL="$rke2_channel" \
INSTALL_RKE2_VERSION="$rke2_version" \
INSTALL_RKE2_TYPE="agent" \
sh -
h2 "Start rke2 agent service"
systemctl cat rke2-agent
systemctl enable rke2-agent.service
systemctl start rke2-agent.service
h2 "Configure system path for rke2"
# symlink the utilities and setup the environment variables to use them.
# NB kubectl should not be available in worker nodes as rke2 does not
# install a kubeconfig.
ln -fs /var/lib/rancher/rke2/bin/{kubectl,crictl,ctr} /usr/local/bin/
cat >/etc/profile.d/01-rke2.sh <<'EOF'
export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
export CONTAINERD_NAMESPACE=k8s.io
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
EOF
source /etc/profile.d/01-rke2.sh
# NB do not try to use kubectl on a agent node, as kubectl does not work on a
# agent node without a proper kubectl configuration (which you could copy
# from the server, but we do not do it here).
# install the bash completion scripts.
h2 "Bash configure"
crictl completion bash >/usr/share/bash-completion/completions/crictl
kubectl completion bash >/usr/share/bash-completion/completions/kubectl
# list runnnig pods.
crictl pods
# list running containers.
crictl ps
ctr containers ls
# show listening ports.
ss -n --tcp --listening --processes
# show network routes.
ip route
# show memory info.
free
# show versions.
crictl version
ctr version

223
provision/rke2-server.sh Normal file
View File

@@ -0,0 +1,223 @@
#!/bin/bash
set -euo pipefail
#
# Helper functions
#
declare -i term_width=80
h1() {
declare border padding text
border='\e[1;34m'"$(printf '=%.0s' $(seq 1 "$term_width"))"'\e[0m'
padding="$(printf ' %.0s' $(seq 1 $(((term_width - $(wc -m <<<"$*")) / 2))))"
text="\\e[1m$*\\e[0m"
echo -e "$border"
echo -e "${padding}${text}${padding}"
echo -e "$border"
}
h2() {
printf '\e[1;33m==>\e[37;1m %s\e[0m\n' "$*"
}
rke2_command="$1"; shift
rke2_channel="${1:-latest}"; shift
rke2_version="${1:-v1.21.5+rke2r1}"; shift
ip_address="$1"; shift
krew_version="${1:-v0.4.1}"; shift || true # NB see https://github.com/kubernetes-sigs/krew
fqdn="$(hostname --fqdn)"
rke2_url="https://server.$(hostname --domain):9345"
h1 "Install rke2 server"
h2 "Version: ${rke2_version}"
h2 "Server url: ${rke2_url}"
cat >/etc/motd <<'EOF'
_ ____
_ __| | _____|___ \ ___ ___ _ ____ _____ _ __
| '__| |/ / _ \ __) | / __|/ _ \ '__\ \ / / _ \ '__|
| | | < __// __/ _\__ \ __/ | \ V / __/ |
|_| |_|\_\___|_____(_)___/\___|_| \_/ \___|_|
EOF
# configure the rke2 server.
# see https://docs.rke2.io/install/install_options/install_options/
# see https://docs.rke2.io/install/install_options/server_config/
install -d -m 700 /etc/rancher/rke2
install /dev/null -m 600 /etc/rancher/rke2/config.yaml
if [ "$rke2_command" != 'cluster-init' ]; then
cat >>/etc/rancher/rke2/config.yaml <<EOF
server: $rke2_url
token: $(cat /vagrant/tmp/node-token)
EOF
fi
cat >>/etc/rancher/rke2/config.yaml <<EOF
node-ip: $ip_address
node-taint: CriticalAddonsOnly=true:NoExecute
tls-san:
- server.$(hostname --domain)
- $fqdn
cni: calico
cluster-cidr: 10.12.0.0/16
service-cidr: 10.13.0.0/16
cluster-dns: 10.13.0.10
cluster-domain: cluster.local
EOF
# install rke2 server.
# see https://docs.rke2.io/install/install_options/install_options/
# see https://docs.rke2.io/install/install_options/server_config/
curl -sfL https://raw.githubusercontent.com/rancher/rke2/$rke2_version/install.sh \
| \
INSTALL_RKE2_CHANNEL="$rke2_channel" \
INSTALL_RKE2_VERSION="$rke2_version" \
INSTALL_RKE2_TYPE="server" \
sh -
# start the rke2-server service.
systemctl cat rke2-server
systemctl enable rke2-server.service
systemctl start rke2-server.service
# symlink the utilities and setup the environment variables to use them.
ln -fs /var/lib/rancher/rke2/bin/{kubectl,crictl,ctr} /usr/local/bin/
cat >/etc/profile.d/01-rke2.sh <<'EOF'
export CONTAINERD_ADDRESS=/run/k3s/containerd/containerd.sock
export CONTAINERD_NAMESPACE=k8s.io
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
EOF
source /etc/profile.d/01-rke2.sh
# wait for this node to be Ready.
# e.g. server Ready control-plane,etcd,master 3m v1.21.5+rke2r1
$SHELL -c 'node_name=$(hostname); echo "waiting for node $node_name to be ready..."; while [ -z "$(kubectl get nodes $node_name | grep -E "$node_name\s+Ready\s+")" ]; do sleep 3; done; echo "node ready!"'
# wait for the kube-dns pod to be Running.
# e.g. rke2-coredns-rke2-coredns-7bb4f446c-jksvq 1/1 Running 0 33m
$SHELL -c 'while [ -z "$(kubectl get pods --selector k8s-app=kube-dns --namespace kube-system | grep -E "\s+Running\s+")" ]; do sleep 3; done'
# save the node-token in the host.
# NB do not create a token yourself as a simple hex random string, as that will
# not include the Cluster CA which means the joining nodes will not
# verify the server certificate. rke2 warns about this as:
# Cluster CA certificate is not trusted by the host CA bundle, but the
# token does not include a CA hash. Use the full token from the server's
# node-token file to enable Cluster CA validation
if [ "$rke2_command" == 'cluster-init' ]; then
install -d /vagrant/tmp
cp /var/lib/rancher/rke2/server/node-token /vagrant/tmp/node-token
fi
# install the krew kubectl package manager.
echo "installing the krew $krew_version kubectl package manager..."
apt-get install -y --no-install-recommends git
wget -qO- "https://github.com/kubernetes-sigs/krew/releases/download/$krew_version/krew.tar.gz" | tar xzf - ./krew-linux_amd64
wget -q "https://github.com/kubernetes-sigs/krew/releases/download/$krew_version/krew.yaml"
./krew-linux_amd64 install --manifest=krew.yaml
rm krew-linux_amd64
cat >/etc/profile.d/krew.sh <<'EOF'
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
EOF
source /etc/profile.d/krew.sh
kubectl krew version
# install the bash completion scripts.
crictl completion bash >/usr/share/bash-completion/completions/crictl
kubectl completion bash >/usr/share/bash-completion/completions/kubectl
# save kubeconfig in the host.
if [ "$rke2_command" == 'cluster-init' ]; then
mkdir -p /vagrant/tmp
python3 - <<EOF
import base64
import yaml
d = yaml.load(open('/etc/rancher/rke2/rke2.yaml', 'r'))
# save cluster ca certificate.
for c in d['clusters']:
open(f"/vagrant/tmp/{c['name']}-ca-crt.pem", 'wb').write(base64.b64decode(c['cluster']['certificate-authority-data']))
# save user client certificates.
for u in d['users']:
open(f"/vagrant/tmp/{u['name']}-crt.pem", 'wb').write(base64.b64decode(u['user']['client-certificate-data']))
open(f"/vagrant/tmp/{u['name']}-key.pem", 'wb').write(base64.b64decode(u['user']['client-key-data']))
print(f"Kubernetes API Server https://$ip_address:6443 user {u['name']} client certificate in tmp/{u['name']}-*.pem")
# set the server ip.
for c in d['clusters']:
c['cluster']['server'] = 'https://$ip_address:6443'
yaml.dump(d, open('/vagrant/tmp/admin.conf', 'w'), default_flow_style=False)
EOF
fi
# show cluster-info.
kubectl cluster-info
# list etcd members.
etcdctl --write-out table member list
# show the endpoint status.
etcdctl --write-out table endpoint status
# list nodes.
kubectl get nodes -o wide
# rbac info.
kubectl get serviceaccount --all-namespaces
kubectl get role --all-namespaces
kubectl get rolebinding --all-namespaces
kubectl get rolebinding --all-namespaces -o json | jq .items[].subjects
kubectl get clusterrole --all-namespaces
kubectl get clusterrolebinding --all-namespaces
kubectl get clusterrolebinding --all-namespaces -o json | jq .items[].subjects
# rbac access matrix.
# see https://github.com/corneliusweig/rakkess/blob/master/doc/USAGE.md
kubectl krew install access-matrix
kubectl access-matrix version --full
kubectl access-matrix # at cluster scope.
kubectl access-matrix --namespace default
kubectl access-matrix --sa kubernetes-dashboard --namespace kubernetes-dashboard
# list system secrets.
kubectl -n kube-system get secret
# list all objects.
# NB without this hugly redirect the kubectl output will be all messed
# when used from a vagrant session.
kubectl get all --all-namespaces
# really get all objects.
# see https://github.com/corneliusweig/ketall/blob/master/doc/USAGE.md
kubectl krew install get-all
kubectl get-all
# list services.
kubectl get svc
# list running pods.
kubectl get pods --all-namespaces -o wide
# list runnnig pods.
crictl pods
# list running containers.
crictl ps
ctr containers ls
# show listening ports.
ss -n --tcp --listening --processes
# show network routes.
ip route
# show memory info.
free
# show versions.
kubectl version
crictl version
ctr version