mirror of
https://github.com/jbowdre/vsphere-k8s.git
synced 2024-11-23 00:12:18 +00:00
310 lines
No EOL
12 KiB
Markdown
310 lines
No EOL
12 KiB
Markdown
Install metallb manifest:
|
|
```shell
|
|
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.9/config/manifests/metallb-native.yaml
|
|
```
|
|
|
|
Configure metallb:
|
|
```shell
|
|
cat << EOF > config-metallb.yaml
|
|
apiVersion: metallb.io/v1beta1
|
|
kind: IPAddressPool
|
|
metadata:
|
|
name: default
|
|
namespace: metallb-system
|
|
spec:
|
|
addresses:
|
|
- 192.168.1.70-192.168.1.89
|
|
---
|
|
apiVersion: metallb.io/v1beta1
|
|
kind: L2Advertisement
|
|
metadata:
|
|
name: default
|
|
namespace: metallb-system
|
|
EOF
|
|
kubectl apply -f config-metallb.yaml
|
|
```
|
|
|
|
Install pinniped CLI:
|
|
```shell
|
|
curl -Lso pinniped https://get.pinniped.dev/v0.23.0/pinniped-cli-linux-amd64 \
|
|
&& chmod +x pinniped \
|
|
&& sudo mv pinniped /usr/local/bin/pinniped
|
|
```
|
|
|
|
Install pinniped supervisor:
|
|
```shell
|
|
kubectl apply -f https://get.pinniped.dev/v0.23.0/install-pinniped-supervisor.yaml
|
|
```
|
|
|
|
Create LoadBalancer:
|
|
```shell
|
|
cat << EOF > pinniped-supervisor-lb.yaml
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: pinniped-supervisor-loadbalancer
|
|
namespace: pinniped-supervisor
|
|
spec:
|
|
type: LoadBalancer
|
|
selector:
|
|
app: pinniped-supervisor
|
|
ports:
|
|
- protocol: TCP
|
|
port: 443
|
|
targetPort: 8443 # 8443 is the TLS port.
|
|
EOF
|
|
kubectl apply -f pinniped-supervisor-lb.yaml
|
|
```
|
|
|
|
Get LoadBalancer IP:
|
|
```shell
|
|
kubectl get service pinniped-supervisor-loadbalancer \
|
|
-o jsonpath='{.status.loadBalancer.ingress[*].ip}' \
|
|
--namespace pinniped-supervisor
|
|
```
|
|
|
|
Install cert-manager:
|
|
```shell
|
|
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml
|
|
```
|
|
|
|
|
|
Configure Vault as Intermediate CA:
|
|
```shell
|
|
vault secrets enable pki
|
|
vault secrets tune -max-lease-ttl=8760h pki
|
|
vault write pki/intermediate/generate/exported common_name=vault.lab.bowdre.net ttl=87600h alt_names="vault"
|
|
vault write pki/intermediate/set-signed certificate=@signed_cert.pem
|
|
vault write pki/config/urls issuing_certificates="https://vault.lab.bowdre.net/v1/pki/ca" crl_distribution_points="https://vault.lab.bowdre.net/v1/pki/crl"
|
|
vault write pki/roles/lab-bowdre-net allowed_domains=lab.bowdre.net allow_subdomains=true max_ttl=72h
|
|
vault write pki/issue/lab-bowdre-net common_name=coobernettees.lab.bowdre.net
|
|
```
|
|
|
|
Configure approle auth for cert-manager:
|
|
```shell
|
|
vault auth enable approle
|
|
cat << EOF | vault policy write cert-manager -
|
|
path "pki/sign/lab-bowdre-net" {
|
|
capabilities = ["create", "update", "delete"]
|
|
}
|
|
EOF
|
|
vault write auth/approle/role/cert-manager secret_id_ttl=0 token_policies=["cert-manager"]
|
|
# get approle role-id (username)
|
|
vault read auth/approle/role/cert-manager/role-id
|
|
# get approle secret-id (token)
|
|
vault write -f auth/approle/role/cert-manager/secret-id
|
|
```
|
|
|
|
```shell
|
|
cat << EOF > pinniped-cert-manager.yaml
|
|
apiVersion: v1
|
|
kind: Secret
|
|
type: Opaque
|
|
metadata:
|
|
name: cert-manager-vault-approle
|
|
namespace: pinniped-supervisor
|
|
data:
|
|
secretId: "${VAULT_CERTMAN_SECRETID_B64}"
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Issuer
|
|
metadata:
|
|
name: pinniped-vault-issuer
|
|
namespace: pinniped-supervisor
|
|
spec:
|
|
vault:
|
|
path: pki/sign/lab-bowdre-net
|
|
server: https://vault.lab.bowdre.net/
|
|
caBundle: |
|
|
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEalRDQ0FuV2dBd0lCQWdJUVlVemtVbW5W
|
|
SnJsSlBtUTk1SFZ0QkRBTkJna3Foa2lHOXcwQkFRc0ZBREJaDQpNUk13RVFZS0NaSW1pWlB5TEdR
|
|
QkdSWURibVYwTVJZd0ZBWUtDWkltaVpQeUxHUUJHUllHWW05M1pISmxNUk13DQpFUVlLQ1pJbWla
|
|
UHlMR1FCR1JZRGJHRmlNUlV3RXdZRFZRUURFd3hzWVdJdFYwbE9NREV0UTBFd0hoY05Nakl3DQpN
|
|
akl6TVRrME5qUTJXaGNOTWpjd01qSXpNVGsxTmpRMldqQlpNUk13RVFZS0NaSW1pWlB5TEdRQkdS
|
|
WURibVYwDQpNUll3RkFZS0NaSW1pWlB5TEdRQkdSWUdZbTkzWkhKbE1STXdFUVlLQ1pJbWlaUHlM
|
|
R1FCR1JZRGJHRmlNUlV3DQpFd1lEVlFRREV3eHNZV0l0VjBsT01ERXRRMEV3Z2dFaU1BMEdDU3FH
|
|
U0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLDQpBb0lCQVFESXp2dG9RRjNvT3VDRmNVc21OcWtHRjVH
|
|
ZVdBUjNibDN6Y3BmMXJRRy8wMlJrTUhVNFFla1V1QzBwDQo3eFdhTFc1Wmg4aWhlL3BhaVcvMXJO
|
|
UTB2UnZNcW96OFlTRkhJN3czYStFMjUxQ3BqKy93Z1NUV3JuZUsyYUJ0DQoyellpMTdmcFVIRTV1
|
|
R25kYi9TNjVpQk9IdFJzNG5BZ1VPcUFsZ2hjZnlkZU9qd3dMdldJOTdqSFV4a3RhVzE0DQpWUzlh
|
|
NTlBc0dGTk1rVFY0SzRMRmN1eExxd2lOUkFaTFNOejFuck1uMFlpcTBxenpVbFAvUXlJNVhCMmF2
|
|
V2lSDQpveGRJaVZWYm5rRlRJaWxiSUVaNFVKWWNCZFdqQ01nNUZHcGU0SmdaU3dRSDNCMmR6aU01
|
|
aVdHc3Z2eklwQUlNDQpyNnFKZTBVNG13V24vUjlGdTVBV0gyZUhrMXV0QWdNQkFBR2pVVEJQTUFz
|
|
R0ExVWREd1FFQXdJQmhqQVBCZ05WDQpIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSd2VR
|
|
SHVBRGJuVEFnV2NabnFDYnQwY1BwU2JUQVFCZ2tyDQpCZ0VFQVlJM0ZRRUVBd0lCQURBTkJna3Fo
|
|
a2lHOXcwQkFRc0ZBQU9DQVFFQXg5dVcrK2ZWSEZ1c2sxc1VTeXRFDQpsWEpJVXdocGtGWE1Md2lm
|
|
Y2VRQ3VwcjlJUjk4UzNzTFI4U2hucGltaVNpbGVXa052cXR5RWVsUHFIM2hEbE9BDQo5bHRzRGY5
|
|
dWVWZTRaSVNxejlQMk14NXVGckxhQ1g5cm5vNlVXSjdYRGZyTk0zMHJVd2NwbDdsdG9aQmFoSm80
|
|
DQpmWWtDeGx4a1dSQkVmNnlNMzVjQnREVVRHZ1dlNFQ3RG82aDBvRUNSRzlsNTE1b04xRkVRVnpH
|
|
MEtGWTc5UmZ5DQp3S0xtL2FpVGxPNWp2Q3Q0V1Jjak1vWjhMbU15dStwY1ZyOWwySjhsK0tNUUFq
|
|
b2UvV1RSOFRMa2duZ2dNNmpIDQo0bUNIWENOWVlxNGJJVVZKWDlVVzMxL1FhRnpZeXl5Smg4cHhI
|
|
YVF1RkllZVFBUDY5aW1WRjM2QmViTlMwYkh2DQowdz09DQotLS0tLUVORCBDRVJUSUZJQ0FURS0t
|
|
LS0tDQo=
|
|
auth:
|
|
appRole:
|
|
path: approle
|
|
roleId: "${VAULT_CERTMAN_ROLEID}"
|
|
secretRef:
|
|
name: cert-manager-vault-approle
|
|
key: secretId
|
|
EOF
|
|
kubectl apply -f pinniped-cert-manager.yaml
|
|
|
|
k -n pinniped-supervisor get issuers pinniped-vault-issuer -o wide
|
|
NAME READY STATUS AGE
|
|
vault-issuer True Vault verified 2m16s
|
|
```
|
|
|
|
Create cert request for pinniped-supervisor
|
|
```shell
|
|
cat <<EOF > pinniped-cert-request.yaml
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: supervisor-tls-cert-request
|
|
namespace: pinniped-supervisor
|
|
spec:
|
|
secretName: supervisor-tls-cert
|
|
commonName: "pinniped-supervisor.lab.bowdre.net"
|
|
issuerRef:
|
|
name: pinniped-vault-issuer
|
|
dnsNames:
|
|
- "pinniped-supervisor.lab.bowdre.net"
|
|
EOF
|
|
kubectl apply -f pinniped-cert-request.yaml
|
|
```
|
|
|
|
Create FederationDomain:
|
|
```shell
|
|
cat <<EOF > pinniped-federationdomain.yaml
|
|
apiVersion: config.supervisor.pinniped.dev/v1alpha1
|
|
kind: FederationDomain
|
|
metadata:
|
|
name: federation-domain
|
|
namespace: pinniped-supervisor
|
|
spec:
|
|
# You can choose an arbitrary path for the issuer URL.
|
|
issuer: "https://pinniped-supervisor.lab.bowdre.net/issuer"
|
|
tls:
|
|
# The name of the secretName from the cert-manager Certificate
|
|
# resource above.
|
|
secretName: supervisor-tls-cert
|
|
EOF
|
|
kubectl apply -f pinniped-federationdomain.yaml
|
|
```
|
|
|
|
Create ActiveDirectoryIdentityProvider
|
|
```shell
|
|
cat << EOF > pinniped-ad-idp.yaml
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: active-directory-bind-account
|
|
namespace: pinniped-supervisor
|
|
type: kubernetes.io/basic-auth
|
|
data:
|
|
# The dn (distinguished name) of your Active Directory bind account.
|
|
# Remember to b64 encode without newlines:
|
|
# echo -n "string" | base64 -w 0
|
|
username: "${LDAP_BIND_USERNAME_B64}"
|
|
# The password of your Active Directory bind account.
|
|
password: "${LDAP_BIND_PASSWORD_B64}"
|
|
---
|
|
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
|
|
kind: ActiveDirectoryIdentityProvider
|
|
metadata:
|
|
name: lab-bowdre-net-idp
|
|
namespace: pinniped-supervisor
|
|
spec:
|
|
# Specify the host of the Active Directory server.
|
|
host: "win01.lab.bowdre.net:636"
|
|
# Specify the name of the Kubernetes Secret that contains your Active
|
|
# Directory bind account credentials. This service account will be
|
|
# used by the Supervisor to perform LDAP user and group searches.
|
|
bind:
|
|
secretName: "active-directory-bind-account"
|
|
tls:
|
|
certificateAuthorityData: |+
|
|
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEalRDQ0FuV2dBd0lCQWdJUVlVemtVbW5W
|
|
SnJsSlBtUTk1SFZ0QkRBTkJna3Foa2lHOXcwQkFRc0ZBREJaDQpNUk13RVFZS0NaSW1pWlB5TEdR
|
|
QkdSWURibVYwTVJZd0ZBWUtDWkltaVpQeUxHUUJHUllHWW05M1pISmxNUk13DQpFUVlLQ1pJbWla
|
|
UHlMR1FCR1JZRGJHRmlNUlV3RXdZRFZRUURFd3hzWVdJdFYwbE9NREV0UTBFd0hoY05Nakl3DQpN
|
|
akl6TVRrME5qUTJXaGNOTWpjd01qSXpNVGsxTmpRMldqQlpNUk13RVFZS0NaSW1pWlB5TEdRQkdS
|
|
WURibVYwDQpNUll3RkFZS0NaSW1pWlB5TEdRQkdSWUdZbTkzWkhKbE1STXdFUVlLQ1pJbWlaUHlM
|
|
R1FCR1JZRGJHRmlNUlV3DQpFd1lEVlFRREV3eHNZV0l0VjBsT01ERXRRMEV3Z2dFaU1BMEdDU3FH
|
|
U0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLDQpBb0lCQVFESXp2dG9RRjNvT3VDRmNVc21OcWtHRjVH
|
|
ZVdBUjNibDN6Y3BmMXJRRy8wMlJrTUhVNFFla1V1QzBwDQo3eFdhTFc1Wmg4aWhlL3BhaVcvMXJO
|
|
UTB2UnZNcW96OFlTRkhJN3czYStFMjUxQ3BqKy93Z1NUV3JuZUsyYUJ0DQoyellpMTdmcFVIRTV1
|
|
R25kYi9TNjVpQk9IdFJzNG5BZ1VPcUFsZ2hjZnlkZU9qd3dMdldJOTdqSFV4a3RhVzE0DQpWUzlh
|
|
NTlBc0dGTk1rVFY0SzRMRmN1eExxd2lOUkFaTFNOejFuck1uMFlpcTBxenpVbFAvUXlJNVhCMmF2
|
|
V2lSDQpveGRJaVZWYm5rRlRJaWxiSUVaNFVKWWNCZFdqQ01nNUZHcGU0SmdaU3dRSDNCMmR6aU01
|
|
aVdHc3Z2eklwQUlNDQpyNnFKZTBVNG13V24vUjlGdTVBV0gyZUhrMXV0QWdNQkFBR2pVVEJQTUFz
|
|
R0ExVWREd1FFQXdJQmhqQVBCZ05WDQpIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSd2VR
|
|
SHVBRGJuVEFnV2NabnFDYnQwY1BwU2JUQVFCZ2tyDQpCZ0VFQVlJM0ZRRUVBd0lCQURBTkJna3Fo
|
|
a2lHOXcwQkFRc0ZBQU9DQVFFQXg5dVcrK2ZWSEZ1c2sxc1VTeXRFDQpsWEpJVXdocGtGWE1Md2lm
|
|
Y2VRQ3VwcjlJUjk4UzNzTFI4U2hucGltaVNpbGVXa052cXR5RWVsUHFIM2hEbE9BDQo5bHRzRGY5
|
|
dWVWZTRaSVNxejlQMk14NXVGckxhQ1g5cm5vNlVXSjdYRGZyTk0zMHJVd2NwbDdsdG9aQmFoSm80
|
|
DQpmWWtDeGx4a1dSQkVmNnlNMzVjQnREVVRHZ1dlNFQ3RG82aDBvRUNSRzlsNTE1b04xRkVRVnpH
|
|
MEtGWTc5UmZ5DQp3S0xtL2FpVGxPNWp2Q3Q0V1Jjak1vWjhMbU15dStwY1ZyOWwySjhsK0tNUUFq
|
|
b2UvV1RSOFRMa2duZ2dNNmpIDQo0bUNIWENOWVlxNGJJVVZKWDlVVzMxL1FhRnpZeXl5Smg4cHhI
|
|
YVF1RkllZVFBUDY5aW1WRjM2QmViTlMwYkh2DQowdz09DQotLS0tLUVORCBDRVJUSUZJQ0FURS0t
|
|
LS0tDQo=
|
|
EOF
|
|
kubectl apply -f pinniped-ad-idp.yaml
|
|
```
|
|
|
|
Install Concierge
|
|
```shell
|
|
kubectl apply -f https://get.pinniped.dev/v0.23.0/install-pinniped-concierge-crds.yaml
|
|
kubectl apply -f https://get.pinniped.dev/v0.23.0/install-pinniped-concierge-resources.yaml
|
|
```
|
|
|
|
Configure Concierge
|
|
```shell
|
|
cat << EOF > pinniped-concierge.yaml
|
|
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
|
|
kind: JWTAuthenticator
|
|
metadata:
|
|
name: my-supervisor-authenticator
|
|
spec:
|
|
|
|
# The value of the issuer field should exactly match the issuer
|
|
# field of your Supervisor's FederationDomain.
|
|
issuer: https://pinniped-supervisor.lab.bowdre.net/issuer
|
|
|
|
# You can use any audience identifier for your cluster, but it is
|
|
# important that it is unique for security reasons.
|
|
audience: kates-$(openssl rand -hex 8)
|
|
|
|
# If the TLS certificate of your FederationDomain is not signed by
|
|
# a standard CA trusted by the Concierge pods by default, then
|
|
# specify its CA here as a base64-encoded PEM.
|
|
tls:
|
|
certificateAuthorityData: |+
|
|
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlEalRDQ0FuV2dBd0lCQWdJUVlVemtVbW5W
|
|
SnJsSlBtUTk1SFZ0QkRBTkJna3Foa2lHOXcwQkFRc0ZBREJaDQpNUk13RVFZS0NaSW1pWlB5TEdR
|
|
QkdSWURibVYwTVJZd0ZBWUtDWkltaVpQeUxHUUJHUllHWW05M1pISmxNUk13DQpFUVlLQ1pJbWla
|
|
UHlMR1FCR1JZRGJHRmlNUlV3RXdZRFZRUURFd3hzWVdJdFYwbE9NREV0UTBFd0hoY05Nakl3DQpN
|
|
akl6TVRrME5qUTJXaGNOTWpjd01qSXpNVGsxTmpRMldqQlpNUk13RVFZS0NaSW1pWlB5TEdRQkdS
|
|
WURibVYwDQpNUll3RkFZS0NaSW1pWlB5TEdRQkdSWUdZbTkzWkhKbE1STXdFUVlLQ1pJbWlaUHlM
|
|
R1FCR1JZRGJHRmlNUlV3DQpFd1lEVlFRREV3eHNZV0l0VjBsT01ERXRRMEV3Z2dFaU1BMEdDU3FH
|
|
U0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLDQpBb0lCQVFESXp2dG9RRjNvT3VDRmNVc21OcWtHRjVH
|
|
ZVdBUjNibDN6Y3BmMXJRRy8wMlJrTUhVNFFla1V1QzBwDQo3eFdhTFc1Wmg4aWhlL3BhaVcvMXJO
|
|
UTB2UnZNcW96OFlTRkhJN3czYStFMjUxQ3BqKy93Z1NUV3JuZUsyYUJ0DQoyellpMTdmcFVIRTV1
|
|
R25kYi9TNjVpQk9IdFJzNG5BZ1VPcUFsZ2hjZnlkZU9qd3dMdldJOTdqSFV4a3RhVzE0DQpWUzlh
|
|
NTlBc0dGTk1rVFY0SzRMRmN1eExxd2lOUkFaTFNOejFuck1uMFlpcTBxenpVbFAvUXlJNVhCMmF2
|
|
V2lSDQpveGRJaVZWYm5rRlRJaWxiSUVaNFVKWWNCZFdqQ01nNUZHcGU0SmdaU3dRSDNCMmR6aU01
|
|
aVdHc3Z2eklwQUlNDQpyNnFKZTBVNG13V24vUjlGdTVBV0gyZUhrMXV0QWdNQkFBR2pVVEJQTUFz
|
|
R0ExVWREd1FFQXdJQmhqQVBCZ05WDQpIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSd2VR
|
|
SHVBRGJuVEFnV2NabnFDYnQwY1BwU2JUQVFCZ2tyDQpCZ0VFQVlJM0ZRRUVBd0lCQURBTkJna3Fo
|
|
a2lHOXcwQkFRc0ZBQU9DQVFFQXg5dVcrK2ZWSEZ1c2sxc1VTeXRFDQpsWEpJVXdocGtGWE1Md2lm
|
|
Y2VRQ3VwcjlJUjk4UzNzTFI4U2hucGltaVNpbGVXa052cXR5RWVsUHFIM2hEbE9BDQo5bHRzRGY5
|
|
dWVWZTRaSVNxejlQMk14NXVGckxhQ1g5cm5vNlVXSjdYRGZyTk0zMHJVd2NwbDdsdG9aQmFoSm80
|
|
DQpmWWtDeGx4a1dSQkVmNnlNMzVjQnREVVRHZ1dlNFQ3RG82aDBvRUNSRzlsNTE1b04xRkVRVnpH
|
|
MEtGWTc5UmZ5DQp3S0xtL2FpVGxPNWp2Q3Q0V1Jjak1vWjhMbU15dStwY1ZyOWwySjhsK0tNUUFq
|
|
b2UvV1RSOFRMa2duZ2dNNmpIDQo0bUNIWENOWVlxNGJJVVZKWDlVVzMxL1FhRnpZeXl5Smg4cHhI
|
|
YVF1RkllZVFBUDY5aW1WRjM2QmViTlMwYkh2DQowdz09DQotLS0tLUVORCBDRVJUSUZJQ0FURS0t
|
|
LS0tDQo=
|
|
EOF
|
|
kubectl apply -f pinniped-concierge.yaml
|
|
``` |