From d40150b97a0ce8889f69ca2505f09ff59c255cc7 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 13 Apr 2024 13:35:18 +0200 Subject: [PATCH] update documentation on k8s --- README.md | 21 +++++++++++---------- docs/k3s.md | 41 ----------------------------------------- 2 files changed, 11 insertions(+), 51 deletions(-) delete mode 100644 docs/k3s.md diff --git a/README.md b/README.md index fb4b38f..7985e4f 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,6 @@ Nix definitions to configure our servers at home. - [disko](https://github.com/nix-community/disko): declarative disk partitioning - [agenix](https://github.com/ryantm/agenix): deployment of encrypted secrets to NixOS machines - [dns.nix](https://github.com/kirelagin/dns.nix): A Nix DSL for defining DNS zones -- [microvm.nix](https://github.com/astro/microvm.nix): Declarative virtual machine management in NixOS - [flake-utils](https://github.com/numtide/flake-utils): Handy utilities to develop Nix flakes - [nixos-hardware](https://github.com/NixOS/nixos-hardware): Hardware-specific NixOS modules. Doing the heavy lifting for our Raspberry Pi. 
@@ -36,17 +35,19 @@ Additionally, it deploys an age identity, which is later used for decrypting sec To deploy all servers at once: `nix run nixpkgs#deploy-rs -- .# -k` To deploy only one server: `nix run nixpkgs#deploy-rs -- -k --targets .#` +## Deploying to Kubernetes + +To deploy to the Kubernetes cluster, first make sure you have an admin account on the cluster. +You can generate this using `nix run .#gen-k3s-cert ~/.kube`, assuming you have SSH access to the master node. +This puts a private key, signed certificate and a kubeconfig in the kubeconfig directory + +If the cluster has not been initialized yet, next run `nix run .#kubenix-bootstrap.x86_64-linux`. +⚠️ Do not do this if the cluster has been initialized already, as it will prune any deployed resources! ⚠️ + +Lastly, deploy everything to the cluster using `nix run .#kubenix.x86_64-linux`. + ## Known bugs -### Failed to connect to socket - -When deploying a new virtiofs share, the error `Failed to connect to '.sock': No such file or directory` can occur. -This seems to be a bug in `microvm.nix` and I opened a bug report [here](https://github.com/astro/microvm.nix/issues/200). -A workaround is to deploy the share without `deploy-rs`'s rollback feature enabled: -``` -nix run nixpkgs#deploy-rs -- -k --targets .# --auto-rollback false --magic-rollback false -``` - ### Rsync not available during bootstrap The `rsync` command was removed from recent NixOS ISO which causes nixos-anywhere to fail when copying extra files. diff --git a/docs/k3s.md b/docs/k3s.md deleted file mode 100644 index 76d97a1..0000000 --- a/docs/k3s.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# Kubernetes - -## Creating an admin certificate for k3s - -Create the admin's private key: -``` -openssl genpkey -algorithm ed25519 -out -key.pem -``` - -Create a CSR for the admin: -``` -openssl req -new -key -key.pem -out .csr -subj "/CN=" -``` - -Create a Kubernetes CSR object on the cluster: -``` -k3s kubectl create -f - <-csr -spec: - request: $(cat .csr | base64 | tr -d '\n') - expirationSeconds: 307584000 # 10 years - signerName: kubernetes.io/kube-apiserver-client - usages: - - digital signature - - key encipherment - - client auth -EOF -``` - -Approve and sign the admin's CSR: -``` -k3s kubectl certificate approve -csr -``` - -Extract the resulting signed certificate from the CSR object: -``` -k3s kubectl get csr -csr -o jsonpath='{.status.certificate}' | base64 --decode > .crt -```
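Review bot: Removing the microvm.nix entry from the tool list in the first README hunk is consistent with the later removal of the virtiofs "Failed to connect to socket" known-bug section, but the subject line `update documentation on k8s` does not mention it; consider stating in the commit message that microvm.nix was dropped from the README as well, so the history explains why the dependency disappeared from the list.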
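Review bot: In the new `## Deploying to Kubernetes` section, the sentence `This puts a private key, signed certificate and a kubeconfig in the kubeconfig directory` is missing its full stop, and the three commands are written in two different forms (`nix run .#gen-k3s-cert ~/.kube` without a system attribute, `nix run .#kubenix-bootstrap.x86_64-linux` and `nix run .#kubenix.x86_64-linux` with one); if all three are flake apps, use one form or say why `gen-k3s-cert` differs. The section also replaces docs/k3s.md, which recorded that the admin certificate is issued against the `kubernetes.io/kube-apiserver-client` signer with `client auth` usage and `expirationSeconds: 307584000 # 10 years`; one sentence saying that the key written to `~/.kube` is a long-lived cluster-admin credential that must be kept private would help the reader decide how to store it. Lastly, the ⚠️ warning that `kubenix-bootstrap` prunes deployed resources is worth keeping, but it reads better placed before the command it warns about rather than after it.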
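Review bot: Deleting docs/k3s.md removes the only description of how the admin certificate is produced: an ed25519 key from `openssl genpkey`, an `openssl req` CSR whose subject CN names the admin, a Kubernetes CertificateSigningRequest with `signerName: kubernetes.io/kube-apiserver-client`, usages `digital signature`, `key encipherment` and `client auth`, a ten-year expiry, approval with `k3s kubectl certificate approve`, and extraction of `.status.certificate`. If `gen-k3s-cert` automates exactly these steps, the README should say so or link to the script; if it changes any of them (the expiry in particular), the difference should be documented, because the approval step is what grants cluster access and whoever approves CSRs needs to know the lifetime they are granting.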