Merge pull request #1 from Mikroways/refactor/examples-airgapped

Refactor ejemplo airgapped
Mikroways · May 2, 2024 · 5e3ea1d · 5e3ea1d
2 parents bee295d + 2bd317b
commit 5e3ea1d
Show file tree

Hide file tree

Showing 9 changed files with 54 additions and 33 deletions.
diff --git a/examples-airgapped/.containerignore b/examples-airgapped/.containerignore
@@ -0,0 +1 @@
+.gitkeep
diff --git a/examples-airgapped/.gitignore b/examples-airgapped/.gitignore
@@ -0,0 +1 @@
+registry/
diff --git a/examples-airgapped/Containerfile b/examples-airgapped/Containerfile
@@ -0,0 +1,12 @@
+FROM ghcr.io/mikroways/fcos-k3s/server:latest as server
+COPY ignition-assets/k3s-server /etc/rancher
+COPY ignition-assets/registries.yaml /etc/rancher/k3s/registries.yaml
+
+RUN ln -fs /usr/share/zoneinfo/America/Argentina/Buenos_Aires /etc/localtime
+
+FROM ghcr.io/mikroways/fcos-k3s/agent:latest as agent
+COPY ignition-assets/k3s-agent /etc/rancher
+COPY ignition-assets/registries.yaml /etc/rancher/k3s/registries.yaml
+COPY ignition-assets/agent.yaml /etc/rancher/k3s/config.yaml.d/agent.yaml
+
+RUN ln -fs /usr/share/zoneinfo/America/Argentina/Buenos_Aires /etc/localtime
diff --git a/examples-airgapped/Makefile b/examples-airgapped/Makefile
@@ -1,6 +1,8 @@
 SHELL := /bin/bash
 BUTANE := podman run --rm --interactive --security-opt label=disable --volume ${PWD}:/pwd --workdir /pwd quay.io/coreos/butane:release
-SKOPEO := podman run --rm --interactive --network=host --volume ${PWD}:/pwd quay.io/skopeo/stable:latest
+SKOPEO := podman run --rm --interactive --network=host --volume ${PWD}:/pwd \
+					-v ${HOME}/.local/share/containers/storage:/var/lib/containers/storage \
+					quay.io/skopeo/stable:latest
 ASSETS_DIR := ignition-assets
 TPL_DEP_SVC_FILES := $(shell find $(ASSETS_DIR) -type f -name '*.service.tpl')
 DEP_SVC_FILES := $(TPL_DEP_SVC_FILES:%.service.tpl=%.service)
@@ -18,14 +20,16 @@ CERT_SUBJ := $(CERT_SUBJ_PREFIX)CN=$(REGISTRY_DNS)
 CERT_ALTNAMES := [SAN]\nsubjectAltName=DNS:$(REGISTRY_DNS),IP:$(REGISTRY_IP)
 REGISTRY_CONTAINER_NAME := k3s-poc-registry
 
-.PHONY: all clean clean-agent .validate-envs certs load-local-registry agent
+.PHONY: all clean clean-agent .validate-envs certs load-local-registry agent \
+	load-server-image-local-registry load-agent-image-local-registry
 
 .validate-envs:
 	@if [ -z "${REGISTRY_IP}" ]; then \
 		echo >&2 "Must define REGISTRY_IP" && false; \
 	fi
 
 all: $(SERVER_IGNITION_FILES) $(DEP_SVC_FILES) $(CERTS_DIR)/cert.crt $(CERTS_DIR)/cert.key
+	$(MAKE) load-server-image-local-registry
 
 $(ASSETS_DIR)/registries.yaml: $(ASSETS_DIR)/registries.yaml.tpl
 	$(MAKE) .validate-envs
@@ -88,11 +92,19 @@ load-local-registry:
 	for image in `cat tmp/manifest.json | jq -r '.[] | .RepoTags | join(",")'`; do \
 		$(SKOPEO) copy --dest-tls-verify=false --all docker-archive:/pwd/tmp/k3s-airgap-images-amd64.tar.gz:$${image} docker://$(REGISTRY_DNS)/$${image}; \
 	done
+
+load-server-image-local-registry:
+	$(MAKE) .validate-envs
+	podman build --target server -f Containerfile  . -t k3s-custom-server
 	$(SKOPEO) copy --dest-tls-verify=false --all \
-		docker://ghcr.io/mikroways/fcos-k3s/server:latest \
+		containers-storage:localhost/k3s-custom-server:latest \
 		docker://$(REGISTRY_DNS)/mikroways/fcos-k3s/server:latest
+
+load-agent-image-local-registry:
+	$(MAKE) .validate-envs
+	podman build --target agent -f Containerfile  . -t k3s-custom-agent
 	$(SKOPEO) copy --dest-tls-verify=false --all \
-		docker://ghcr.io/mikroways/fcos-k3s/agent:latest \
+		containers-storage:localhost/k3s-custom-agent:latest \
 		docker://$(REGISTRY_DNS)/mikroways/fcos-k3s/agent:latest
 
 
@@ -106,13 +118,14 @@ $(ASSETS_DIR)/agent.yaml: $(ASSETS_DIR)/agent.yaml.tpl
 	sed "s/SERVER_IP/${K3S_API_SERVER_IP}/g;s/TOKEN/${K3S_API_SERVER_TOKEN}/g" $< > $@
 
 agent: $(ASSETS_DIR)/agent.yaml $(AGENT_IGNITION_FILES)
+	$(MAKE) load-agent-image-local-registry
 
 clean-agent:
 	rm -f $(ASSETS_DIR)/agent.yaml
 	rm -f $(AGENT_IGNITION_FILES)
 clean:
 	$(MAKE) clean-agent
 	rm -rf $(IGNITION_FILES) $(DEP_FILES) $(CERTS_DIR)
-	@sudo podman container exists $(REGISTRY_CONTAINER_NAME) && \
+	sudo podman container exists $(REGISTRY_CONTAINER_NAME) && \
 		sudo podman rm --force $(REGISTRY_CONTAINER_NAME) || true
-	@sudo podman volume rm registry
+	sudo podman volume exists registry && sudo podman volume rm registry || true
diff --git a/examples-airgapped/README.md b/examples-airgapped/README.md
@@ -127,10 +127,12 @@ Podemos entonces en un comando correr, una vez iniciado el nodo master, el
 siguiente comando:
 
 ```bash
-K3S_API_SERVER_IP=$(kcli show vm k3s-airgapped-server -f ip | \
-  cut -d: -f2 | tr -d ' ') \
+REGISTRY_IP=$(hostname -I | cut -f 1 -d ' ') \
+  K3S_API_SERVER_IP=$(kcli show vm k3s-airgapped-server -f ip | \
+    cut -d: -f2 | tr -d ' ') \
   K3S_API_SERVER_TOKEN=$(kcli ssh k3s-airgapped-server sudo \
-  cat /var/lib/rancher/k3s/server/token) make agent
+    cat /var/lib/rancher/k3s/server/token) \
+  make agent
 ```
 
 Luego podemos iniciar el/los nuevos nodos agentes usando:
@@ -149,6 +151,22 @@ kcli delete vm k3s-airgapped-node-1
 kcli delete vm k3s-airgapped-node-2
 ```
 
+### Si no se usa ignition
+
+Si no se utiliza ignition files en tiempo de booteo, podemos remediarlo
+manualmente o con ansible realizando los siguientes pasos:
+
+* Copiar el archivo `registry/certs/ca.crt` a cada nodo en la carpeta
+  `/etc/pki/ca-trust/source/anchors/custom.crt`. Luego correr `update-ca-trust`
+* Copiar el archivo correspondiente a la unidad de systemd a decir:
+  * **server:**
+    `ignition-assets/rpm-ostree-install-customizations-server.service` en
+`/etc/systemd/system/`. Luego reiniciar
+  * **agents:**
+    `ignition-assets/rpm-ostree-install-customizations-agent.service` en
+`/etc/systemd/system/`. Luego reiniciar
+
+
 ### Destruir todo
 
 Es posible eliminar todo usando:

diff --git a/examples-airgapped/ignition-assets/k3s-agent/k3s/.gitkeep b/examples-airgapped/ignition-assets/k3s-agent/k3s/.gitkeep
diff --git a/examples-airgapped/ignition-assets/k3s-server/k3s/.gitkeep b/examples-airgapped/ignition-assets/k3s-server/k3s/.gitkeep
diff --git a/examples-airgapped/k3s-airgapped-node-1.bu b/examples-airgapped/k3s-airgapped-node-1.bu
@@ -6,19 +6,8 @@ systemd:
       enabled: true
       contents_local: ignition-assets/rpm-ostree-install-customizations-agent.service
 storage:
-  links:
-    - path: /etc/localtime
-      target: ../usr/share/zoneinfo/America/Argentina/Buenos_Aires
   files:
     - path: /etc/pki/ca-trust/source/anchors/custom.crt
       mode: 0644
       contents:
         local: registry/certs/ca.crt
-    - path: /etc/rancher/k3s/registries.yaml
-      mode: 0600
-      contents:
-        local: ignition-assets/registries.yaml
-    - path: /etc/rancher/k3s/config.yaml.d/agent.yaml
-      mode: 0600
-      contents:
-        local: ignition-assets/agent.yaml
diff --git a/examples-airgapped/k3s-airgapped-server.bu b/examples-airgapped/k3s-airgapped-server.bu
@@ -6,21 +6,8 @@ systemd:
       enabled: true
       contents_local: ignition-assets/rpm-ostree-install-customizations-server.service
 storage:
-  links:
-    - path: /etc/localtime
-      target: ../usr/share/zoneinfo/America/Argentina/Buenos_Aires
   files:
     - path: /etc/pki/ca-trust/source/anchors/custom.crt
       mode: 0644
       contents:
         local: registry/certs/ca.crt
-    - path: /etc/rancher/k3s/config.yaml
-      mode: 0600
-      contents:
-        inline: |
-          write-kubeconfig-mode: "0600"
-          selinux: true
-    - path: /etc/rancher/k3s/registries.yaml
-      mode: 0600
-      contents:
-        local: ignition-assets/registries.yaml