initial commit

Author: kenfdev

.gitignore

@@ -0,0 +1,39 @@
+workspace/*
+!workspace/.gitkeep
+*.log
+
+# Created by https://www.gitignore.io/api/macos,vagrant
+
+### macOS ###
+*.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Vagrant ###
+.vagrant/
+*.box
+
+
+# End of https://www.gitignore.io/api/macos,vagrant

README.md

@@ -0,0 +1,28 @@
+# Kubernetes the hard way with vagrant
+
+You can study kubernetes with vagrant. Credits go to the Kinvolk team because this repository is based on https://github.com/kinvolk/kubernetes-the-hard-way-vagrant .
+
+#### Differences with the Kinvolk version atm
+
+* Uses containerd
+* Uses gVisor
+* The pod-cidr is the same as the tutorial ( `10.200.${i}.0/24` )
+
+## How to  use this repository
+
+* Hit `vagrant up` to bring up the vms (1 load balancer node, 3 controllers nodes , 3 worker nodes)
+* Use the `workspace` directory to follow Kelsey Hightower's repository https://github.com/kelseyhightower/kubernetes-the-hard-way
+* A few things to care about is
+  * `gcloud` commands won't work (of course). Skip everything related to `gcloud` or use an alternative command. Have a look at the `scripts` directory if you get stuck. They correspond with the chapters.
+  * `EXTERNAL_IP` , `KUBERNETES_PUBLIC_ADDRESS` would be `10.240.0.40` (the load balancer's ip)
+  * [vagrant-scp](https://github.com/invernizzi/vagrant-scp) would come in handy for `scp` commands
+  * Careful about `INTERNAL_IP`s and `POD_CIDR` because you cannot fetch them with `gcloud` commands.
+  * Be sure to add the `[plugins.cri]` config and `stream_server_address` setting to the `containerd`'s `config.toml`. If you miss this, you won't be able to `exec` in to the container. Have a look at the [script](./scripts/k8s-the-hard-way/0902-configure-containerd.sh) .
+* `vagrant destroy -f` when you finish and clean up the `workspace` .
+
+
+
+All the scripts inside the `scripts` directory correspond to the commands and chapters mentioned in the tutorial. It uses alternative commands which correspond to `gcloud` commands. This has been tested with [this version](https://github.com/kelseyhightower/kubernetes-the-hard-way/tree/36d4bbf4ad16cbe3c6eb809d9f567c07eaddea8c) of the tutorial.
+
+
+

Vagrantfile

@@ -0,0 +1,42 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "ubuntu/bionic64"
+
+  config.vm.provider "virtualbox" do |vb|
+    vb.memory = "512"
+  end
+
+  # must be at the top
+  config.vm.define "lb-0" do |c|
+      c.vm.hostname = "lb-0"
+      c.vm.network "private_network", ip: "10.240.0.40"
+
+      c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-haproxy.sh"
+
+      c.vm.provider "virtualbox" do |vb|
+        vb.memory = "256"
+      end
+  end
+
+  (0..2).each do |n|
+    config.vm.define "controller-#{n}" do |c|
+        c.vm.hostname = "controller-#{n}"
+        c.vm.network "private_network", ip: "10.240.0.1#{n}"
+
+        c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-hosts-file.sh"
+    end
+  end
+
+  (0..2).each do |n|
+    config.vm.define "worker-#{n}" do |c|
+        c.vm.hostname = "worker-#{n}"
+        c.vm.network "private_network", ip: "10.240.0.2#{n}"
+
+        c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-routes.sh"
+        c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-hosts-file.sh"
+    end
+  end
+
+end

scripts/bootstrap/vagrant-setup-haproxy.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+set -euo pipefail
+
+apt-get update
+apt-get install -y haproxy
+
+grep -q -F 'net.ipv4.ip_nonlocal_bind=1' /etc/sysctl.conf || echo 'net.ipv4.ip_nonlocal_bind=1' >> /etc/sysctl.conf
+
+cat >/etc/haproxy/haproxy.cfg <<EOF
+global
+	log /dev/log	local0
+	log /dev/log	local1 notice
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+	# Default ciphers to use on SSL-enabled listening sockets.
+	# For more information, see ciphers(1SSL). This list is from:
+	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+	ssl-default-bind-options no-sslv3
+defaults
+	log	global
+	mode	tcp
+	option	tcplog
+	option	dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+	errorfile 400 /etc/haproxy/errors/400.http
+	errorfile 403 /etc/haproxy/errors/403.http
+	errorfile 408 /etc/haproxy/errors/408.http
+	errorfile 500 /etc/haproxy/errors/500.http
+	errorfile 502 /etc/haproxy/errors/502.http
+	errorfile 503 /etc/haproxy/errors/503.http
+	errorfile 504 /etc/haproxy/errors/504.http
+frontend k8s
+	bind 10.240.0.40:6443
+	default_backend k8s_backend
+backend k8s_backend
+	balance roundrobin
+	mode tcp
+	server controller-0 10.240.0.10:6443 check inter 1000
+	server controller-1 10.240.0.11:6443 check inter 1000
+	server controller-2 10.240.0.12:6443 check inter 1000
+EOF
+
+systemctl restart haproxy

scripts/bootstrap/vagrant-setup-hosts-file.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -euo pipefail
+
+cat <<EOF | sudo tee -a /etc/hosts
+# KTHW Vagrant machines
+10.240.0.10 controller-0
+10.240.0.11 controller-1
+10.240.0.12 controller-2
+10.240.0.20 worker-0
+10.240.0.21 worker-1
+10.240.0.22 worker-2
+EOF

scripts/bootstrap/vagrant-setup-routes.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euo pipefail
+
+case "$(hostname)" in
+  worker-0)
+    route add -net 10.200.1.0/24 gw 10.240.0.21
+    route add -net 10.200.2.0/24 gw 10.240.0.22
+    ;;
+  worker-1)
+    route add -net 10.200.0.0/24 gw 10.240.0.20
+    route add -net 10.200.2.0/24 gw 10.240.0.22
+    ;;
+  worker-2)
+    route add -net 10.200.0.0/24 gw 10.240.0.20
+    route add -net 10.200.1.0/24 gw 10.240.0.21
+    ;;
+  *)
+    route add -net 10.200.0.0/24 gw 10.240.0.20
+    route add -net 10.200.1.0/24 gw 10.240.0.21
+    route add -net 10.200.2.0/24 gw 10.240.0.22
+    ;;
+esac

scripts/k8s-the-hard-way/0400-certificate-authority.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+cat > ca-config.json <<EOF
+{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "kubernetes": {
+        "usages": ["signing", "key encipherment", "server auth", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}
+EOF
+
+cat > ca-csr.json <<EOF
+{
+  "CN": "Kubernetes",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "CA",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca

scripts/k8s-the-hard-way/0410-admin-client-certificate.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+cat > admin-csr.json <<EOF
+{
+  "CN": "admin",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:masters",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  admin-csr.json | cfssljson -bare admin

scripts/k8s-the-hard-way/0411-kubelet-client-certificates.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+for instance in worker-0 worker-1 worker-2; do
+cat > ${instance}-csr.json <<EOF
+{
+  "CN": "system:node:${instance}",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:nodes",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+EXTERNAL_IP=10.240.0.40
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -hostname=${instance},${EXTERNAL_IP} \
+  -profile=kubernetes \
+  ${instance}-csr.json | cfssljson -bare ${instance}
+done

scripts/k8s-the-hard-way/0412-controller-manager-client-certfiicate.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+cat > kube-controller-manager-csr.json <<EOF
+{
+  "CN": "system:kube-controller-manager",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:kube-controller-manager",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager