├── .gitignore
├── provision-wireguard.sh
├── provision-k9s.sh
├── argocd
    ├── providers.tf
    └── main.tf
├── .vscode
    └── settings.json
├── provision-terraform.sh
├── provision-reloader.sh
├── provision-network.sh
├── provision-etcdctl.sh
├── provision-helmfile.sh
├── renovate.json5
├── provision-containerd-shim-spin-v2.sh
├── provision-helm.sh
├── provision-k3s-registries.sh
├── provision-containerd-configuration.sh
├── provision-kube-vip.sh
├── provision-metallb.sh
├── provision-k3s-agent.sh
├── provision-base.sh
├── provision-crossplane.sh
├── provision-gitlab-runner.sh
├── example-spin.yml
├── provision-cert-manager.sh
├── example.yml
├── provision-zot.sh
├── provision-k8s-dashboard.sh
├── provision-argocd.sh
├── renovate.sh
├── README.md
├── provision-k3s-server.sh
└── Vagrantfile


/.gitignore:
--------------------------------------------------------------------------------
1 | .vagrant/
2 | tmp/
3 | .terraform/
4 | .terraform.lock.hcl
5 | *.tfstate*
6 | *.log
7 | 


--------------------------------------------------------------------------------
/provision-wireguard.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | set -euxo pipefail
3 | 
4 | # NB this is not really required. we only install it to have the wg tool to
5 | #    quickly see the wireguard configuration.
6 | apt-get install -y wireguard
7 | 


--------------------------------------------------------------------------------
/provision-k9s.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | k9s_version="${1:-v0.32.5}"; shift || true
 5 | 
 6 | # download and install.
 7 | wget -qO- "https://github.com/derailed/k9s/releases/download/$k9s_version/k9s_Linux_amd64.tar.gz" \
 8 |   | tar xzf - k9s
 9 | install -m 755 k9s /usr/local/bin/
10 | rm k9s
11 | 
12 | # try it.
13 | k9s version
14 | 


--------------------------------------------------------------------------------
/argocd/providers.tf:
--------------------------------------------------------------------------------
 1 | # see https://github.com/hashicorp/terraform
 2 | terraform {
 3 |   required_version = "1.9.4"
 4 |   required_providers {
 5 |     # see https://registry.terraform.io/providers/oboukili/argocd
 6 |     # see https://github.com/argoproj-labs/terraform-provider-argocd
 7 |     argocd = {
 8 |       source  = "oboukili/argocd"
 9 |       version = "6.1.1"
10 |     }
11 |   }
12 | }
13 | 


--------------------------------------------------------------------------------
/.vscode/settings.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "cSpell.words": [
 3 |         "argocd",
 4 |         "buildx",
 5 |         "configmap",
 6 |         "containerd",
 7 |         "crictl",
 8 |         "crossplane",
 9 |         "daemonset",
10 |         "Distro",
11 |         "ethernets",
12 |         "healthz",
13 |         "httpie",
14 |         "KUBECONFIG",
15 |         "macaddress",
16 |         "netplan",
17 |         "networkd",
18 |         "OIDC",
19 |         "ruilopes",
20 |         "traefik",
21 |         "upbound"
22 |     ]
23 | }


--------------------------------------------------------------------------------
/provision-terraform.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | terraform_version="${1:-1.9.4}"; shift || true
 5 | 
 6 | # install dependencies.
 7 | apt-get install -y unzip
 8 | 
 9 | # install terraform.
10 | artifact_url="https://releases.hashicorp.com/terraform/$terraform_version/terraform_${terraform_version}_linux_amd64.zip"
11 | artifact_path="/tmp/$(basename $artifact_url)"
12 | wget -qO $artifact_path $artifact_url
13 | unzip -o $artifact_path -d /usr/local/bin
14 | rm $artifact_path
15 | CHECKPOINT_DISABLE=1 terraform version
16 | 


--------------------------------------------------------------------------------
/provision-reloader.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | reloader_chart_version="${1:-1.0.121}"; shift || true
 5 | 
 6 | # add the stakater reloader repository.
 7 | # see https://github.com/stakater/reloader
 8 | # see https://artifacthub.io/packages/helm/stakater/reloader
 9 | helm repo add stakater https://stakater.github.io/stakater-charts
10 | helm repo update
11 | 
12 | echo 'Setting the reloader values...'
13 | cat >reloader-values.yml <<EOF
14 | reloader:
15 |   autoReloadAll: false
16 | EOF
17 | 
18 | echo 'Installing reloader...'
19 | helm upgrade --install \
20 |   reloader \
21 |   stakater/reloader \
22 |   --namespace kube-system \
23 |   --version "$reloader_chart_version" \
24 |   --values reloader-values.yml \
25 |   --wait
26 | 


--------------------------------------------------------------------------------
/provision-network.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | ip_address="$1"; shift || true
 5 | 
 6 | # disable ipv6.
 7 | cat >/etc/sysctl.d/99-ipv6.conf <<'EOF'
 8 | net.ipv6.conf.all.disable_ipv6 = 1
 9 | EOF
10 | sysctl -p -f /etc/sysctl.d/99-ipv6.conf
11 | 
12 | # set network.
13 | # NB the system must be rebooted for this to take effect. this is required when
14 | #    running by vagrant, since we cannot reconfigure the network under it.
15 | #    instead, we reboot the machine from a vagrant provisioner.
16 | cat >/etc/network/interfaces <<EOF
17 | source /etc/network/interfaces.d/*
18 | 
19 | auto lo
20 | iface lo inet loopback
21 | 
22 | auto eth0
23 | iface eth0 inet dhcp
24 | 
25 | auto eth1
26 | iface eth1 inet static
27 |   address $ip_address
28 |   netmask 255.255.255.0
29 | EOF
30 | 


--------------------------------------------------------------------------------
/provision-etcdctl.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | etcd_version="${1:-v3.5.15}"; shift || true
 5 | 
 6 | # install the binaries.
 7 | url="https://github.com/etcd-io/etcd/releases/download/$etcd_version/etcd-$etcd_version-linux-amd64.tar.gz"
 8 | filename="$(basename "$url")"
 9 | wget -q "$url"
10 | rm -rf etcd && mkdir etcd
11 | tar xf "$filename" --strip-components 1 -C etcd
12 | install etcd/etcdctl /usr/local/bin
13 | rm -rf "$filename" etcd
14 | 
15 | # configure the user environment to access etcd.
16 | cat >/etc/profile.d/etcdctl.sh <<'EOF'
17 | export ETCDCTL_CACERT=/var/lib/rancher/k3s/server/tls/etcd/server-ca.crt
18 | export ETCDCTL_CERT=/var/lib/rancher/k3s/server/tls/etcd/server-client.crt
19 | export ETCDCTL_KEY=/var/lib/rancher/k3s/server/tls/etcd/server-client.key
20 | EOF
21 | 


--------------------------------------------------------------------------------
/provision-helmfile.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | #
 5 | # deploy helmfile.
 6 | 
 7 | helmfile_version="${1:-0.167.1}"; shift || true
 8 | 
 9 | # install helmfile.
10 | # see https://github.com/helmfile/helmfile#installation
11 | echo "installing helmfile $helmfile_version..."
12 | case `uname -m` in
13 |     x86_64)
14 |         wget -qO- "https://github.com/helmfile/helmfile/releases/download/v$helmfile_version/helmfile_${helmfile_version}_linux_amd64.tar.gz" | tar xzf - --strip-components=0 helmfile
15 |         ;;
16 |     aarch64)
17 |         wget -qO- "https://github.com/helmfile/helmfile/releases/download/v$helmfile_version/helmfile_${helmfile_version}_linux_arm64.tar.gz" | tar xzf - --strip-components=0 helmfile
18 |         ;;
19 | esac
20 | install helmfile /usr/local/bin
21 | rm helmfile
22 | 
23 | # kick the tires.
24 | printf "#\n# helmfile version\n#\n"
25 | helmfile version
26 | 


--------------------------------------------------------------------------------
/renovate.json5:
--------------------------------------------------------------------------------
 1 | // see https://docs.renovatebot.com/templates/
 2 | // see https://docs.renovatebot.com/modules/manager/
 3 | // see https://docs.renovatebot.com/modules/manager/regex/
 4 | // see https://docs.renovatebot.com/configuration-options/
 5 | {
 6 |   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 7 |   "regexManagers": [
 8 |     // default datasources.
 9 |     {
10 |       "fileMatch": [
11 |         "Vagrantfile",
12 |         "Dockerfile",
13 |         "\\.sh$",
14 |         "\\.tf$",
15 |       ],
16 |       "matchStrings": [
17 |         "# renovate: datasource=(?<datasource>[^:]+?) depName=(?<depName>.+?)( versioning=(?<versioning>.+?))?( extractVersion=(?<extractVersion>.+?))?( registryUrl=(?<registryUrl>.+?))?\\s.+?[:=]\\s*[\"']?(?<currentValue>.+?)[\"']?\\s"
18 |       ],
19 |       "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}",
20 |       "extractVersionTemplate": "{{#if extractVersion}}{{{extractVersion}}}{{else}}^v?(?<version>.+)${{/if}}"
21 |     }
22 |   ]
23 | }


--------------------------------------------------------------------------------
/provision-containerd-shim-spin-v2.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | # see https://github.com/spinkube/containerd-shim-spin
 5 | # renovate: datasource=github-releases depName=spinkube/containerd-shim-spin
 6 | CONTAINERD_SHIM_SPIN_VERSION='0.15.0'
 7 | 
 8 | # bail when already installed.
 9 | if [ -x /usr/local/bin/containerd-shim-spin-v2 ]; then
10 |     # e.g. Version: 0.15.0
11 |     actual_version="$(/usr/local/bin/containerd-shim-spin-v2 -v | perl -ne '/^\s*Version: (.+)/ && print $1')"
12 |     if [ "$actual_version" == "$CONTAINERD_SHIM_SPIN_VERSION" ]; then
13 |         echo 'ANSIBLE CHANGED NO'
14 |         exit 0
15 |     fi
16 | fi
17 | 
18 | # download and install.
19 | containerd_shim_spin_url="https://github.com/spinkube/containerd-shim-spin/releases/download/v${CONTAINERD_SHIM_SPIN_VERSION}/containerd-shim-spin-v2-linux-x86_64.tar.gz"
20 | t="$(mktemp -q -d --suffix=.containerd-shim-spin)"
21 | wget -qO- "$containerd_shim_spin_url" | tar xzf - -C "$t"
22 | install -m 755 "$t/containerd-shim-spin-v2" /usr/local/bin/
23 | rm -rf "$t"
24 | 


--------------------------------------------------------------------------------
/provision-helm.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | #
 5 | # deploy helm.
 6 | 
 7 | helm_version="${1:-v3.15.3}"; shift || true
 8 | 
 9 | # install dependencies.
10 | apt-get install -y --no-install-recommends git-core
11 | 
12 | # install helm.
13 | # see https://helm.sh/docs/intro/install/
14 | echo "installing helm $helm_version client..."
15 | case `uname -m` in
16 |     x86_64)
17 |         wget -qO- "https://get.helm.sh/helm-$helm_version-linux-amd64.tar.gz" | tar xzf - --strip-components=1 linux-amd64/helm
18 |         ;;
19 |     aarch64)
20 |         wget -qO- "https://get.helm.sh/helm-$helm_version-linux-arm64.tar.gz" | tar xzf - --strip-components=1 linux-arm64/helm
21 |         ;;
22 | esac
23 | install helm /usr/local/bin
24 | rm helm
25 | 
26 | # install the bash completion script.
27 | helm completion bash >/usr/share/bash-completion/completions/helm
28 | 
29 | # install the helm-diff plugin.
30 | # NB this is especially useful for helmfile.
31 | helm plugin install https://github.com/databus23/helm-diff
32 | 
33 | # kick the tires.
34 | printf "#\n# helm version\n#\n"
35 | helm version
36 | 


--------------------------------------------------------------------------------
/provision-k3s-registries.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | registry_mirror_url="http://registry.$(hostname --domain)"
 5 | registries='
 6 | docker.io
 7 | registry.k8s.io
 8 | ghcr.io
 9 | quay.io
10 | registry.gitlab.com
11 | '
12 | 
13 | # configure the registries.
14 | # NB this rewrite configuration ends-up in the containerd configuration, but,
15 | #    only works because k3s is using a custom fork of containerd.
16 | # see https://docs.k3s.io/installation/private-registry#rewrites
17 | # see /var/lib/rancher/k3s/agent/etc/containerd/config.toml
18 | # see https://github.com/k3s-io/k3s/blob/v1.30.3+k3s1/pkg/agent/templates/templates_linux.go
19 | # see https://github.com/k3s-io/k3s/pull/3064
20 | # see https://github.com/rancher/rke2/issues/741
21 | # see https://github.com/containerd/containerd/pull/5171
22 | install -d /etc/rancher/k3s
23 | cat >/etc/rancher/k3s/registries.yaml <<EOF
24 | mirrors:
25 | EOF
26 | for d in $registries; do
27 |   cat >>/etc/rancher/k3s/registries.yaml <<EOF
28 |   $d:
29 |     endpoint:
30 |       - $registry_mirror_url
31 |     rewrite:
32 |       "(.*)": "mirror/$d/\$1"
33 | EOF
34 | done
35 | 


--------------------------------------------------------------------------------
/provision-containerd-configuration.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | # NB as-of https://github.com/k3s-io/k3s/releases/tag/v1.29.3+k3s1 this
 5 | #    configuration is no longer required. its left here for reference.
 6 | # see https://github.com/k3s-io/k3s/pull/9519
 7 | exit 0
 8 | 
 9 | # configure k3s containerd.
10 | # see https://docs.k3s.io/advanced#configuring-containerd
11 | # see https://github.com/spinkube/containerd-shim-spin
12 | # see https://github.com/spinkube/containerd-shim-spin/blob/main/containerd-shim-spin/src/main.rs
13 | # see https://github.com/containerd/runwasi
14 | # see https://github.com/containerd/runwasi/blob/main/crates/containerd-shim-wasmtime/src/main.rs
15 | # see https://github.com/containerd/containerd/blob/main/core/runtime/v2/README.md#configuring-runtimes
16 | # see https://github.com/containerd/containerd/blob/main/docs/man/containerd-config.toml.5.md
17 | # see containerd config default
18 | # see containerd config dump
19 | # NB we do not need to create a kubernetes RuntimeClass because k3s already
20 | #    configures it at:
21 | #       /var/lib/rancher/k3s/server/manifests/runtimes.yaml
22 | install -d /var/lib/rancher/k3s/agent/etc/containerd
23 | cat >/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl <<'EOF'
24 | {{ template "base" . }}
25 | 
26 | [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.spin]
27 |   runtime_type = "io.containerd.spin.v2"
28 | [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.spin.options]
29 |   BinaryName = "/usr/local/bin/containerd-shim-spin-v2"
30 | EOF
31 | 


--------------------------------------------------------------------------------
/provision-kube-vip.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | kube_vip_version="${1:-v0.8.2}"; shift || true
 5 | vip="${1:-10.11.0.30}"; shift || true
 6 | # TODO use a specific version after https://github.com/kube-vip/kube-vip/issues/769 is addressed.
 7 | kube_vip_rbac_url="https://kube-vip.io/manifests/rbac.yaml"
 8 | kube_vip_image="ghcr.io/kube-vip/kube-vip:$kube_vip_version"
 9 | fqdn="$(hostname --fqdn)"
10 | k3s_fqdn="s.$(hostname --domain)"
11 | k3s_url="https://$k3s_fqdn:6443"
12 | 
13 | # load the IPVS kernel modules.
14 | cat >/etc/modules-load.d/ipvs.conf <<'EOF'
15 | ip_vs
16 | ip_vs_rr
17 | EOF
18 | for m in $(cat /etc/modules-load.d/ipvs.conf); do
19 |   modprobe $m
20 | done
21 | 
22 | # install kube-vip.
23 | # NB this creates a HA VIP (L2 IPVS) for the k8s control-plane k3s/api-server.
24 | # see https://kube-vip.io/docs/usage/k3s/
25 | # see https://kube-vip.io/docs/installation/daemonset/
26 | # see https://kube-vip.io/docs/about/architecture/
27 | ctr image pull "$kube_vip_image"
28 | (
29 |   wget -qO- "$kube_vip_rbac_url"
30 |   echo ---
31 |   ctr run --rm --net-host "$kube_vip_image" vip \
32 |     /kube-vip \
33 |     manifest \
34 |     daemonset \
35 |     --arp \
36 |     --interface eth1 \
37 |     --address "$vip" \
38 |     --inCluster \
39 |     --taint \
40 |     --controlplane \
41 |     --enableLoadBalancer \
42 |     --leaderElection
43 | ) | kubectl apply -f -
44 | 
45 | # wait until $k3s_url is available.
46 | while ! wget \
47 |   --quiet \
48 |   --spider \
49 |   --ca-certificate=/var/lib/rancher/k3s/server/tls/server-ca.crt \
50 |   --certificate=/var/lib/rancher/k3s/server/tls/client-admin.crt \
51 |   --private-key=/var/lib/rancher/k3s/server/tls/client-admin.key \
52 |   "$k3s_url"; do sleep 5; done
53 | 


--------------------------------------------------------------------------------
/provision-metallb.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | metallb_chart_version="${1:-6.3.10}"; shift || true
 5 | lb_ip_range="${1:-10.11.0.50-10.11.0.250}"; shift || true
 6 | 
 7 | # add the bitnami helm charts repository.
 8 | helm repo add bitnami https://charts.bitnami.com/bitnami
 9 | helm repo update
10 | 
11 | # install.
12 | # see https://artifacthub.io/packages/helm/bitnami/metallb
13 | # see https://metallb.universe.tf/configuration/k3s/
14 | # see https://metallb.universe.tf/configuration/#layer-2-configuration
15 | # see https://metallb.universe.tf/community/#code-organization
16 | # see https://github.com/bitnami/charts/tree/master/bitnami/metallb
17 | # see https://kind.sigs.k8s.io/docs/user/loadbalancer/
18 | cat >metallb-values.yml <<EOF
19 | speaker:
20 |   secretValue: abracadabra # TODO use a proper secret.
21 | controller:
22 |   tolerations:
23 |     - key: CriticalAddonsOnly
24 |       operator: Exists
25 | EOF
26 | helm upgrade --install \
27 |   metallb \
28 |   bitnami/metallb \
29 |   --version $metallb_chart_version \
30 |   --namespace metallb-system \
31 |   --create-namespace \
32 |   --values metallb-values.yml \
33 |   --wait
34 | 
35 | # configure.
36 | # NB we have to retry until the metallb-webhook-service endpoint is
37 | #    available. while its starting, it will fail with:
38 | #       Internal error occurred: failed calling webhook "ipaddresspoolvalidationwebhook.metallb.io": failed to call webhook: Post
39 | #       "https://metallb-webhook-service.metallb-system.svc:443/validate-metallb-io-v1beta1-ipaddresspool?timeout=10s": dial tcp
40 | #       10.96.9.119:443: connect: connection refused
41 | #    see https://github.com/metallb/metallb/issues/1597
42 | while ! kubectl -n metallb-system apply -f - <<EOF
43 | ---
44 | apiVersion: metallb.io/v1beta1
45 | kind: IPAddressPool
46 | metadata:
47 |   name: default
48 | spec:
49 |   addresses:
50 |     - $lb_ip_range
51 | ---
52 | apiVersion: metallb.io/v1beta1
53 | kind: L2Advertisement
54 | metadata:
55 |   name: default
56 | EOF
57 | do sleep 5; done
58 | 


--------------------------------------------------------------------------------
/provision-k3s-agent.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | k3s_channel="$1"; shift
 5 | k3s_version="$1"; shift
 6 | k3s_token="$1"; shift
 7 | ip_address="$1"; shift
 8 | k3s_url="https://s.$(hostname --domain):6443"
 9 | 
10 | # configure the motd.
11 | # NB this was generated at http://patorjk.com/software/taag/#p=display&f=Big&t=k3s%0Aagent.
12 | #    it could also be generated with figlet.org.
13 | cat >/etc/motd <<'EOF'
14 | 
15 |   _    ____
16 |  | |  |___ \
17 |  | | __ __) |___
18 |  | |/ /|__ </ __|        _
19 |  |   < ___) \__ \       | |
20 |  |_|\_\____/|___/_ _ __ | |_
21 |   / _` |/ _` |/ _ \ '_ \| __|
22 |  | (_| | (_| |  __/ | | | |_
23 |   \__,_|\__, |\___|_| |_|\__|
24 |          __/ |
25 |         |___/
26 | 
27 | EOF
28 | 
29 | # install k3s.
30 | # see https://docs.k3s.io/reference/agent-config
31 | curl -sfL https://raw.githubusercontent.com/k3s-io/k3s/$k3s_version/install.sh \
32 |     | \
33 |         INSTALL_K3S_CHANNEL="$k3s_channel" \
34 |         INSTALL_K3S_VERSION="$k3s_version" \
35 |         K3S_TOKEN="$k3s_token" \
36 |         K3S_URL="$k3s_url" \
37 |         sh -s -- \
38 |             agent \
39 |             --node-ip "$ip_address" \
40 |             --flannel-iface 'eth1'
41 | 
42 | # see the systemd unit.
43 | systemctl cat k3s-agent
44 | 
45 | # check whether this system has the k3s requirements.
46 | k3s check-config
47 | 
48 | # NB do not try to use kubectl on a agent node, as kubectl does not work on a
49 | #    agent node without a proper kubectl configuration (which you could copy
50 | #    from the server).
51 | 
52 | # install the bash completion scripts.
53 | crictl completion bash >/usr/share/bash-completion/completions/crictl
54 | kubectl completion bash >/usr/share/bash-completion/completions/kubectl
55 | 
56 | # list runnnig pods.
57 | crictl pods
58 | 
59 | # list running containers.
60 | crictl ps
61 | ctr containers ls
62 | 
63 | # show listening ports.
64 | ss -n --tcp --listening --processes
65 | 
66 | # show network routes.
67 | ip route
68 | 
69 | # show memory info.
70 | free
71 | 
72 | # show versions.
73 | crictl version
74 | ctr version
75 | 


--------------------------------------------------------------------------------
/argocd/main.tf:
--------------------------------------------------------------------------------
 1 | locals {
 2 |   # see https://github.com/bitnami/charts/tree/main/bitnami/nginx
 3 |   # see https://artifacthub.io/packages/helm/bitnami/nginx
 4 |   # renovate: datasource=docker depName=bitnamicharts/nginx
 5 |   nginx_chart_version = "18.1.8"
 6 | }
 7 | 
 8 | # see https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project
 9 | resource "argocd_project" "example" {
10 |   metadata {
11 |     name      = "example"
12 |     namespace = "argocd"
13 |   }
14 |   spec {
15 |     source_repos = ["*"]
16 |     destination {
17 |       server    = "*"
18 |       namespace = "*"
19 |     }
20 |     cluster_resource_whitelist {
21 |       group = "*"
22 |       kind  = "*"
23 |     }
24 |   }
25 | }
26 | 
27 | # see https://argo-cd.readthedocs.io/en/stable/user-guide/helm/
28 | # see https://artifacthub.io/packages/helm/bitnami/nginx
29 | # see https://github.com/bitnami/charts/tree/main/bitnami/nginx
30 | # see https://github.com/argoproj/argocd-example-apps
31 | # see https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application
32 | resource "argocd_application" "nginx" {
33 |   metadata {
34 |     name      = "nginx"
35 |     namespace = "argocd"
36 |   }
37 | 
38 |   wait = true
39 | 
40 |   spec {
41 |     project = argocd_project.example.id
42 | 
43 |     destination {
44 |       name      = "in-cluster"
45 |       namespace = "default"
46 |     }
47 | 
48 |     source {
49 |       repo_url        = "registry-1.docker.io/bitnamicharts"
50 |       chart           = "nginx"
51 |       target_revision = local.nginx_chart_version
52 |       helm {
53 |         values = yamlencode({
54 |           serverBlock = <<-EOS
55 |           server {
56 |             listen 0.0.0.0:8080;
57 |             location / {
58 |               return 200 "nginx: Hello, World!\n";
59 |             }
60 |           }
61 |           EOS
62 |         })
63 |       }
64 |     }
65 | 
66 |     sync_policy {
67 |       automated {
68 |         prune       = true
69 |         self_heal   = true
70 |         allow_empty = true
71 |       }
72 |       retry {
73 |         limit = "5"
74 |         backoff {
75 |           duration     = "30s"
76 |           max_duration = "2m"
77 |           factor       = "2"
78 |         }
79 |       }
80 |     }
81 |   }
82 | }
83 | 


--------------------------------------------------------------------------------
/provision-base.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | extra_hosts="$1"; shift || true
 5 | 
 6 | # set the extra hosts.
 7 | cat >>/etc/hosts <<EOF
 8 | $extra_hosts
 9 | EOF
10 | 
11 | # prevent apt-get et al from asking questions.
12 | # NB even with this, you'll still get some warnings that you can ignore:
13 | #     dpkg-preconfigure: unable to re-open stdin: No such file or directory
14 | export DEBIAN_FRONTEND=noninteractive
15 | 
16 | # # make sure the system does not uses swap (a kubernetes requirement).
17 | # # NB see https://kubernetes.io/docs/tasks/tools/install-kubeadm/#before-you-begin
18 | # swapoff -a
19 | # sed -i -E 's,^([^#]+\sswap\s.+),#\1,' /etc/fstab
20 | 
21 | # show mac/ip addresses and the machine uuid to troubleshoot they are unique within the cluster.
22 | ip addr
23 | cat /sys/class/dmi/id/product_uuid
24 | 
25 | # update the package cache.
26 | apt-get update
27 | 
28 | # expand the root partition.
29 | apt-get install -y --no-install-recommends parted
30 | partition_device="$(findmnt -no SOURCE /)"
31 | partition_number="$(echo "$partition_device" | perl -ne '/(\d+)$/ && print $1')"
32 | disk_device="$(echo "$partition_device" | perl -ne '/(.+?)\d+$/ && print $1')"
33 | parted ---pretend-input-tty "$disk_device" <<EOF
34 | resizepart $partition_number 100%
35 | yes
36 | EOF
37 | resize2fs "$partition_device"
38 | 
39 | # install jq.
40 | apt-get install -y jq
41 | 
42 | # install curl.
43 | apt-get install -y curl
44 | 
45 | # install the bash completion.
46 | apt-get install -y bash-completion
47 | 
48 | # install vim.
49 | apt-get install -y --no-install-recommends vim
50 | cat >/etc/vim/vimrc.local <<'EOF'
51 | syntax on
52 | set background=dark
53 | set esckeys
54 | set ruler
55 | set laststatus=2
56 | set nobackup
57 | EOF
58 | 
59 | # configure the shell.
60 | cat >/etc/profile.d/login.sh <<'EOF'
61 | [[ "$-" != *i* ]] && return
62 | export EDITOR=vim
63 | export PAGER=less
64 | alias l='ls -lF --color'
65 | alias ll='l -a'
66 | alias h='history 25'
67 | alias j='jobs -l'
68 | EOF
69 | 
70 | cat >/etc/inputrc <<'EOF'
71 | set input-meta on
72 | set output-meta on
73 | set show-all-if-ambiguous on
74 | set completion-ignore-case on
75 | "\e[A": history-search-backward
76 | "\e[B": history-search-forward
77 | "\eOD": backward-word
78 | "\eOC": forward-word
79 | EOF
80 | 
81 | # install arp-scan.
82 | # arp-scan lets us discover nodes in the local network.
83 | # e.g. arp-scan --localnet --interface eth1
84 | apt-get install -y --no-install-recommends arp-scan
85 | 
86 | # install useful tools.
87 | apt-get install -y --no-install-recommends \
88 |     tcpdump \
89 |     traceroute \
90 |     iptables \
91 |     ipvsadm \
92 |     ipset
93 | 


--------------------------------------------------------------------------------
/provision-crossplane.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | crossplane_chart_version="${1:-1.16.0}"; shift || true
 5 | crossplane_provider_aws_s3_version="${1:-1.11.0}"; shift || true
 6 | 
 7 | # add the crossplane helm charts repository.
 8 | helm repo add crossplane https://charts.crossplane.io/stable
 9 | helm repo update
10 | 
11 | # search the chart and app versions, e.g.: in this case we are using:
12 | #   NAME                   CHART VERSION  APP VERSION  DESCRIPTION
13 | #   crossplane/crossplane  1.16.0         1.16.0       Crossplane is an open source Kubernetes add-on ...
14 | helm search repo crossplane/crossplane --versions | head -10
15 | 
16 | # set the configuration.
17 | # NB the default values are described at:
18 | #       https://github.com/crossplane/crossplane/tree/master/cluster/charts/crossplane/values.yaml
19 | #    NB make sure you are seeing the same version of the chart that you are installing.
20 | # see https://docs.crossplane.io/v1.16/software/install/#customize-the-crossplane-helm-chart
21 | cat >crossplane-values.yml <<EOF
22 | # empty.
23 | EOF
24 | 
25 | # install.
26 | helm upgrade --install \
27 |   crossplane \
28 |   crossplane/crossplane \
29 |   --version "$crossplane_chart_version" \
30 |   --create-namespace \
31 |   --namespace crossplane-system \
32 |   --values crossplane-values.yml \
33 |   --wait
34 | 
35 | # install the aws providers.
36 | # NB this is cluster-wide.
37 | # NB Provider is cluster scoped.
38 | #    see kubectl get crd providers.pkg.crossplane.io -o yaml
39 | # see https://docs.crossplane.io/v1.16/api/
40 | # see https://marketplace.upbound.io/providers/upbound/provider-aws-s3/v1.11.0
41 | kubectl apply -f - <<EOF
42 | apiVersion: pkg.crossplane.io/v1
43 | kind: Provider
44 | metadata:
45 |   name: provider-aws-s3
46 | spec:
47 |   package: xpkg.upbound.io/upbound/provider-aws-s3:v$crossplane_provider_aws_s3_version
48 | EOF
49 | kubectl wait \
50 |   provider.pkg.crossplane.io/provider-aws-s3 \
51 |   --for condition=healthy \
52 |   --timeout 5m
53 | 
54 | # configure the aws credentials.
55 | if [ -r /vagrant/tmp/aws-credentials.txt ]; then
56 |   kubectl create secret generic aws-credentials \
57 |     --namespace crossplane-system \
58 |     --from-file credentials=/vagrant/tmp/aws-credentials.txt
59 | fi
60 | # NB ProviderConfig is cluster scoped.
61 | #    see kubectl get crd providerconfigs.aws.upbound.io -o yaml
62 | kubectl apply -f - <<'EOF'
63 | apiVersion: aws.upbound.io/v1beta1
64 | kind: ProviderConfig
65 | metadata:
66 |   name: default
67 | spec:
68 |   credentials:
69 |     source: Secret
70 |     secretRef:
71 |       namespace: crossplane-system
72 |       name: aws-credentials
73 |       key: credentials
74 | EOF
75 | 


--------------------------------------------------------------------------------
/provision-gitlab-runner.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | # make sure we have the gitlab-runner registration token.
 5 | # NB this only works when https://github.com/rgl/gitlab-vagrant running at ../gitlab-vagrant
 6 | [ -f /vagrant/tmp/gitlab-runner-authentication-token-kubernetes-k3s.json ] || exit 0
 7 | 
 8 | gitlab_runner_chart_version="${1:-0.67.1}"; shift || true
 9 | gitlab_fqdn="${1:-gitlab.example.com}"; shift || true
10 | gitlab_ip="${1:-10.10.9.99}"; shift || true
11 | gitlab_runner_authentication_token="$(jq -r .token /vagrant/tmp/gitlab-runner-authentication-token-kubernetes-k3s.json)"
12 | 
13 | # trust the gitlab certificate.
14 | cp /vagrant/tmp/$gitlab_fqdn-crt.pem /usr/local/share/ca-certificates/$gitlab_fqdn.crt
15 | update-ca-certificates
16 | 
17 | # add the gitlab helm charts repository.
18 | helm repo add gitlab https://charts.gitlab.io/
19 | helm repo update
20 | 
21 | # search the chart and app versions, e.g.: in this case we are using:
22 | #     NAME                 CHART VERSION APP VERSION DESCRIPTION
23 | #     gitlab/gitlab-runner 0.67.1        17.2.1      GitLab Runner
24 | helm search repo gitlab/gitlab-runner --versions | head -10
25 | 
26 | # create the namespace.
27 | kubectl apply -f - <<'EOF'
28 | apiVersion: v1
29 | kind: Namespace
30 | metadata:
31 |   name: gitlab-runner
32 | EOF
33 | 
34 | # create the secret for the trusted certificates.
35 | kubectl create secret \
36 |   generic \
37 |   gitlab-runner-certs \
38 |   --namespace gitlab-runner \
39 |   --from-file=$gitlab_fqdn.crt=/usr/local/share/ca-certificates/$gitlab_fqdn.crt \
40 |   --dry-run=client \
41 |   --output yaml \
42 |   | kubectl apply -f -
43 | 
44 | # set the configuration.
45 | # NB the default values are described at:
46 | #       https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/v0.67.1/values.yaml
47 | #    NB make sure you are seeing the same version of the chart that you are installing.
48 | # see https://docs.gitlab.com/runner/executors/kubernetes/index.html
49 | cat >gitlab-runner-values.yml <<EOF
50 | gitlabUrl: https://$gitlab_fqdn
51 | runnerToken: "$gitlab_runner_authentication_token"
52 | certsSecretName: gitlab-runner-certs
53 | rbac:
54 |   create: true
55 | serviceAccount:
56 |   create: true
57 | runners:
58 |   config: |
59 |     [[runners]]
60 |       [runners.kubernetes]
61 |         namespace = "{{.Release.Namespace}}"
62 |         image = "ubuntu:22.04"
63 | hostAliases:
64 |   - ip: $gitlab_ip
65 |     hostnames:
66 |       - $gitlab_fqdn
67 | EOF
68 | 
69 | # install.
70 | # see https://docs.gitlab.com/runner/install/kubernetes.html
71 | helm upgrade --install \
72 |   gitlab-runner \
73 |   gitlab/gitlab-runner \
74 |   --version $gitlab_runner_chart_version \
75 |   --namespace gitlab-runner \
76 |   --values gitlab-runner-values.yml
77 | 


--------------------------------------------------------------------------------
/example-spin.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | # see https://kubernetes.io/docs/concepts/services-networking/ingress/
 3 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#ingress-v1-networking-k8s-io
 4 | apiVersion: networking.k8s.io/v1
 5 | kind: Ingress
 6 | metadata:
 7 |   name: example-spin
 8 | spec:
 9 |   rules:
10 |     - host: example-spin.example.test
11 |       http:
12 |         paths:
13 |           - path: /
14 |             pathType: Prefix
15 |             backend:
16 |               service:
17 |                 name: example-spin
18 |                 port:
19 |                   name: web
20 | ---
21 | # see https://kubernetes.io/docs/concepts/services-networking/service/#type-clusterip
22 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#service-v1-core
23 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#serviceport-v1-core
24 | apiVersion: v1
25 | kind: Service
26 | metadata:
27 |   name: example-spin
28 | spec:
29 |   type: ClusterIP
30 |   selector:
31 |     app: example-spin
32 |   ports:
33 |     - name: web
34 |       port: 80
35 |       protocol: TCP
36 |       targetPort: web
37 | ---
38 | # see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
39 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#deployment-v1-apps
40 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podtemplatespec-v1-core
41 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#container-v1-core
42 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#probe-v1-core
43 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#httpgetaction-v1-core
44 | apiVersion: apps/v1
45 | kind: Deployment
46 | metadata:
47 |   name: example-spin
48 | spec:
49 |   replicas: 1
50 |   selector:
51 |     matchLabels:
52 |       app: example-spin
53 |   template:
54 |     metadata:
55 |       labels:
56 |         app: example-spin
57 |     spec:
58 |       runtimeClassName: spin
59 |       enableServiceLinks: false
60 |       containers:
61 |         - name: example
62 |           # see https://github.com/rgl/spin-http-go-example
63 |           # see https://github.com/rgl/spin-http-go-example/pkgs/container/spin-http-go-example
64 |           image: ghcr.io/rgl/spin-http-go-example:0.3.1
65 |           ports:
66 |             - name: web
67 |               containerPort: 8080
68 |           env:
69 |             - name: SPIN_HTTP_LISTEN_ADDR
70 |               value: 0.0.0.0:8080
71 |           readinessProbe:
72 |             httpGet:
73 |               path: /healthz/ready
74 |               port: web
75 |           resources:
76 |             requests:
77 |               memory: 32Mi
78 |               cpu: '0.1'
79 |             limits:
80 |               memory: 32Mi
81 |               cpu: '0.1'
82 |           securityContext:
83 |             allowPrivilegeEscalation: false
84 |             capabilities:
85 |               drop:
86 |                 - ALL
87 |             readOnlyRootFilesystem: false
88 |             runAsNonRoot: true
89 |             runAsUser: 65534 # 65534 is the uid of the nobody user.
90 |             runAsGroup: 65534 # 65534 is the gid of the nogroup group.
91 |             seccompProfile:
92 |               type: RuntimeDefault
93 | 


--------------------------------------------------------------------------------
/provision-cert-manager.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euxo pipefail
 3 | 
 4 | cert_manager_chart_version="${1:-1.15.2}"; shift || true
 5 | 
 6 | # provision cert-manager.
 7 | # NB YOU MUST INSTALL CERT-MANAGER TO THE cert-manager NAMESPACE. the CRDs have it hard-coded.
 8 | # NB YOU CANNOT INSTALL MULTIPLE INSTANCES OF CERT-MANAGER IN A CLUSTER.
 9 | # NB the CRDs have to be installaled separately from the chart.
10 | # TODO would it make sense to have a separate helm chart for installing the CRDs?
11 | # see https://artifacthub.io/packages/helm/cert-manager/cert-manager
12 | # see https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager
13 | # see https://cert-manager.io/docs/installation/supported-releases/
14 | # see https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers
15 | # see https://cert-manager.io/docs/usage/ingress/
16 | helm repo add jetstack https://charts.jetstack.io
17 | helm repo update
18 | 
19 | echo 'Setting the cert-manager values...'
20 | # NB the default values are described at:
21 | #       https://github.com/cert-manager/cert-manager/blob/v1.15.2/deploy/charts/cert-manager/values.yaml
22 | #    NB make sure you are seeing the same version of the chart that you are installing.
23 | cat >cert-manager-values.yml <<EOF
24 | # NB YOLO the CRDs.
25 | crds:
26 |   enabled: true
27 |   keep: false
28 | EOF
29 | 
30 | echo 'Installing cert-manager...'
31 | helm upgrade --install \
32 |   cert-manager \
33 |   jetstack/cert-manager \
34 |   --namespace cert-manager \
35 |   --version "$cert_manager_chart_version" \
36 |   --create-namespace \
37 |   --values cert-manager-values.yml \
38 |   --wait
39 | 
40 | echo 'Creating the ingress ca...'
41 | kubectl apply -f - <<'EOF'
42 | ---
43 | # see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.ClusterIssuer
44 | apiVersion: cert-manager.io/v1
45 | kind: ClusterIssuer
46 | metadata:
47 |   name: selfsigned
48 | spec:
49 |   selfSigned: {}
50 | ---
51 | # see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Certificate
52 | apiVersion: cert-manager.io/v1
53 | kind: Certificate
54 | metadata:
55 |   name: ingress
56 |   namespace: cert-manager
57 | spec:
58 |   isCA: true
59 |   subject:
60 |     organizations:
61 |       - k3s-vagrant
62 |     organizationalUnits:
63 |       - Kubernetes
64 |   commonName: Kubernetes Ingress
65 |   privateKey:
66 |     algorithm: ECDSA # NB Ed25519 is not yet supported by chrome 93 or firefox 91.
67 |     size: 256
68 |   duration: 8h # NB this is so low for testing purposes. default is 2160h (90 days).
69 |   secretName: ingress-tls
70 |   issuerRef:
71 |     name: selfsigned
72 |     kind: ClusterIssuer
73 |     group: cert-manager.io
74 | ---
75 | # see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.ClusterIssuer
76 | apiVersion: cert-manager.io/v1
77 | kind: ClusterIssuer
78 | metadata:
79 |   name: ingress
80 | spec:
81 |   ca:
82 |     secretName: ingress-tls
83 | EOF
84 | 
85 | # export the ingress ca certificate to the host.
86 | kubectl get secret \
87 |   --namespace cert-manager \
88 |   --output jsonpath='{.data.ca\.crt}' \
89 |   ingress-tls \
90 |   | base64 --decode \
91 |   > /vagrant/tmp/ingress-ca-crt.pem
92 | 
93 | # trust the ingress ca.
94 | install /vagrant/tmp/ingress-ca-crt.pem /usr/local/share/ca-certificates/ingress.crt
95 | update-ca-certificates
96 | 


--------------------------------------------------------------------------------
/example.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | # see https://kubernetes.io/docs/concepts/services-networking/ingress/
  3 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#ingress-v1-networking-k8s-io
  4 | apiVersion: networking.k8s.io/v1
  5 | kind: Ingress
  6 | metadata:
  7 |   name: example
  8 | spec:
  9 |   rules:
 10 |     - host: example.example.test
 11 |       http:
 12 |         paths:
 13 |           - path: /
 14 |             pathType: Prefix
 15 |             backend:
 16 |               service:
 17 |                 name: example
 18 |                 port:
 19 |                   name: web
 20 | ---
 21 | # see https://kubernetes.io/docs/concepts/services-networking/service/#type-clusterip
 22 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#service-v1-core
 23 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#serviceport-v1-core
 24 | apiVersion: v1
 25 | kind: Service
 26 | metadata:
 27 |   name: example
 28 | spec:
 29 |   type: ClusterIP
 30 |   selector:
 31 |     app: example
 32 |   ports:
 33 |     - name: web
 34 |       port: 80
 35 |       protocol: TCP
 36 |       targetPort: web
 37 | ---
 38 | # see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
 39 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#deployment-v1-apps
 40 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#podtemplatespec-v1-core
 41 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#container-v1-core
 42 | apiVersion: apps/v1
 43 | kind: Deployment
 44 | metadata:
 45 |   name: example
 46 | spec:
 47 |   replicas: 1
 48 |   selector:
 49 |     matchLabels:
 50 |       app: example
 51 |   template:
 52 |     metadata:
 53 |       labels:
 54 |         app: example
 55 |     spec:
 56 |       enableServiceLinks: false
 57 |       containers:
 58 |         # see https://github.com/rgl/example-docker-buildx-go
 59 |         # see https://hub.docker.com/repository/docker/ruilopes/example-docker-buildx-go
 60 |         - name: example
 61 |           image: ruilopes/example-docker-buildx-go:v1.11.0
 62 |           args:
 63 |             - -listen=0.0.0.0:9000
 64 |           env:
 65 |             # see https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/
 66 |             # see https://github.com/kubernetes/kubernetes/blob/v1.30.2/test/e2e/common/node/downwardapi.go
 67 |             - name: EXAMPLE_NODE_NAME
 68 |               valueFrom:
 69 |                 fieldRef:
 70 |                   fieldPath: spec.nodeName
 71 |             - name: EXAMPLE_POD_NAMESPACE
 72 |               valueFrom:
 73 |                 fieldRef:
 74 |                   fieldPath: metadata.namespace
 75 |             - name: EXAMPLE_POD_NAME
 76 |               valueFrom:
 77 |                 fieldRef:
 78 |                   fieldPath: metadata.name
 79 |             - name: EXAMPLE_POD_UID
 80 |               valueFrom:
 81 |                 fieldRef:
 82 |                   fieldPath: metadata.uid
 83 |             - name: EXAMPLE_POD_IP
 84 |               valueFrom:
 85 |                 fieldRef:
 86 |                   fieldPath: status.podIP
 87 |           ports:
 88 |             - name: web
 89 |               containerPort: 9000
 90 |           resources:
 91 |             requests:
 92 |               memory: 20Mi
 93 |               cpu: '0.1'
 94 |             limits:
 95 |               memory: 20Mi
 96 |               cpu: '0.1'
 97 |           securityContext:
 98 |             allowPrivilegeEscalation: false
 99 |             capabilities:
100 |               drop:
101 |                 - ALL
102 |             readOnlyRootFilesystem: true
103 |             runAsNonRoot: true
104 |             seccompProfile:
105 |               type: RuntimeDefault
106 | 


--------------------------------------------------------------------------------
/provision-zot.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -euxo pipefail
  3 | 
  4 | zot_version="${1:-2.1.1}"
  5 | 
  6 | zot_domain="$(hostname --fqdn)"
  7 | zot_url="http://$zot_domain"
  8 | 
  9 | # NB you can see all the currently used container images with:
 10 | #     kubectl get pods --all-namespaces -o go-template --template '{{range .items}}{{range .spec.containers}}{{printf "%s\n" .image}}{{end}}{{end}}' | sort -u
 11 | registries='
 12 | docker.io
 13 | registry.k8s.io
 14 | ghcr.io
 15 | quay.io
 16 | registry.gitlab.com
 17 | '
 18 | 
 19 | # add the zot user.
 20 | groupadd --system zot
 21 | adduser \
 22 |     --system \
 23 |     --disabled-login \
 24 |     --no-create-home \
 25 |     --gecos '' \
 26 |     --ingroup zot \
 27 |     --home /opt/zot \
 28 |     zot
 29 | install -m 750 -o zot -g zot -d /opt/zot
 30 | 
 31 | # download and install.
 32 | zot_dist_url="https://github.com/project-zot/zot/releases/download/v$zot_version/zot-linux-amd64"
 33 | zli_dist_url="https://github.com/project-zot/zot/releases/download/v$zot_version/zli-linux-amd64"
 34 | zot_dist_path="/vagrant/tmp/zot-$zot_version-$(basename "$zot_dist_url")"
 35 | zli_dist_path="/vagrant/tmp/zot-$zot_version-$(basename "$zli_dist_url")"
 36 | if [ ! -f "$zot_dist_path" ]; then
 37 |     wget -qO "$zot_dist_path" "$zot_dist_url"
 38 | fi
 39 | if [ ! -f "$zli_dist_path" ]; then
 40 |     wget -qO "$zli_dist_path" "$zli_dist_url"
 41 | fi
 42 | install -m 755 -d /opt/zot/bin
 43 | install -m 750 -g zot -d /opt/zot/conf
 44 | install -m 750 -o zot -g zot -d /opt/zot/data
 45 | install -m 755 "$zot_dist_path" /opt/zot/bin/zot
 46 | install -m 755 "$zli_dist_path" /opt/zot/bin/zli
 47 | ln -sf /opt/zot/bin/zli /usr/local/bin/zli
 48 | 
 49 | # # install the certificates.
 50 | # install -m 440 -g zot /vagrant/tmp/tls/example-ca/$zot_domain-crt.pem /opt/zot/conf/crt.pem
 51 | # install -m 440 -g zot /vagrant/tmp/tls/example-ca/$zot_domain-key.pem /opt/zot/conf/key.pem
 52 | 
 53 | # create the configuration file.
 54 | # NB examples:
 55 | #       # use the upstream registry.
 56 | #       regctl tag ls registry.k8s.io/pause
 57 | #       regctl image inspect registry.k8s.io/pause
 58 | #       # use the zot mirror registry.
 59 | #       regctl image export registry.test/mirror/registry.k8s.io/pause pause.tar
 60 | #       regctl image inspect registry.test/mirror/registry.k8s.io/pause
 61 | #       regctl tag ls registry.test/mirror/registry.k8s.io/pause
 62 | # see https://zotregistry.dev/v2.1.1/articles/mirroring/
 63 | # see https://zotregistry.dev/v2.1.1/admin-guide/admin-configuration/#syncing-and-mirroring-registries
 64 | cat >/opt/zot/conf/config.yaml <<EOF
 65 | storage:
 66 |   rootDirectory: /opt/zot/data
 67 | http:
 68 |   address: 0.0.0.0
 69 |   port: 80
 70 |   # realm: zot
 71 |   # tls:
 72 |   #   cert: /opt/zot/conf/crt.pem
 73 |   #   key: /opt/zot/conf/key.pem
 74 | log:
 75 |   level: debug
 76 | extensions:
 77 |   ui:
 78 |     enable: true
 79 |   metrics:
 80 |     enable: true
 81 |     prometheus:
 82 |       path: /metrics
 83 |   search:
 84 |     enable: true
 85 |     cve:
 86 |       updateInterval: 2h
 87 |   sync:
 88 |     enable: true
 89 |     registries:
 90 | EOF
 91 | for d in $registries; do
 92 |   cat >>/opt/zot/conf/config.yaml <<EOF
 93 |       - urls:
 94 |           - https://$d
 95 |         content:
 96 |           - prefix: "**"
 97 |             destination: /mirror/$d
 98 |         onDemand: true
 99 |         tlsVerify: true
100 | EOF
101 | done
102 | /opt/zot/bin/zot verify /opt/zot/conf/config.yaml
103 | 
104 | # create and start the service.
105 | cat >/etc/systemd/system/zot.service <<EOF
106 | [Unit]
107 | Description=OCI Distribution Registry
108 | Documentation=https://github.com/project-zot/zot
109 | After=network.target auditd.service local-fs.target
110 | 
111 | [Service]
112 | Type=simple
113 | ExecStart=/opt/zot/bin/zot serve /opt/zot/conf/config.yaml
114 | Restart=on-failure
115 | User=zot
116 | Group=zot
117 | LimitNOFILE=500000
118 | AmbientCapabilities=CAP_NET_BIND_SERVICE
119 | 
120 | [Install]
121 | WantedBy=multi-user.target
122 | EOF
123 | systemctl daemon-reload
124 | systemctl enable zot
125 | systemctl restart zot
126 | 
127 | # wait for zot the be ready.
128 | systemctl is-active --quiet --wait zot
129 | # TODO remove this while loop after the following issue is fixed:
130 | #         https://github.com/project-zot/zot/issues/2188
131 | while ! wget -q "$zot_url/v2/"; do sleep 1; done;
132 | 
133 | # configure zli.
134 | zli completion bash >/usr/share/bash-completion/completions/zli
135 | zli config add main "$zot_url"
136 | zli config --list
137 | zli image list --config main
138 | 


--------------------------------------------------------------------------------
/provision-k8s-dashboard.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -euxo pipefail
  3 | 
  4 | kubernetes_dashboard_chart_version="${1:-v7.5.0}"; shift || true
  5 | kubernetes_dashboard_fqdn="kubernetes-dashboard.$(hostname --domain)"
  6 | 
  7 | # create the kubernetes-dashboard tls secret.
  8 | # see https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/
  9 | kubectl create namespace kubernetes-dashboard
 10 | kubectl apply -n kubernetes-dashboard -f - <<EOF
 11 | # see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Certificate
 12 | apiVersion: cert-manager.io/v1
 13 | kind: Certificate
 14 | metadata:
 15 |   name: kubernetes-dashboard
 16 | spec:
 17 |   subject:
 18 |     organizations:
 19 |       - k3s-vagrant
 20 |     organizationalUnits:
 21 |       - Kubernetes
 22 |   commonName: Kubernetes Dashboard
 23 |   dnsNames:
 24 |     - $kubernetes_dashboard_fqdn
 25 |   duration: 1h # NB this is so low for testing purposes.
 26 |   privateKey:
 27 |     algorithm: ECDSA # NB Ed25519 is not yet supported by chrome 93 or firefox 91.
 28 |     size: 256
 29 |   secretName: kubernetes-dashboard-tls
 30 |   issuerRef:
 31 |     kind: ClusterIssuer
 32 |     name: ingress
 33 | EOF
 34 | kubectl wait --timeout=5m --for=condition=Ready --namespace kubernetes-dashboard certificate/kubernetes-dashboard
 35 | 
 36 | # create the ingress.
 37 | # see https://kubernetes.io/docs/concepts/services-networking/ingress/
 38 | # see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#ingress-v1-networking-k8s-io
 39 | kubectl apply -n kubernetes-dashboard -f - <<EOF
 40 | apiVersion: networking.k8s.io/v1
 41 | kind: Ingress
 42 | metadata:
 43 |   name: kubernetes-dashboard
 44 | spec:
 45 |   rules:
 46 |     - host: $kubernetes_dashboard_fqdn
 47 |       http:
 48 |         paths:
 49 |           - path: /
 50 |             pathType: Prefix
 51 |             backend:
 52 |               service:
 53 |                 name: kubernetes-dashboard-kong-proxy
 54 |                 port:
 55 |                   name: kong-proxy
 56 |   tls:
 57 |     - secretName: kubernetes-dashboard-tls
 58 | EOF
 59 | 
 60 | # add the kubernetes-dashboard helm charts repository.
 61 | helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
 62 | helm repo update
 63 | 
 64 | # search the chart and app versions, e.g., in this case we are using:
 65 | # NAME                                     	 CHART VERSION  APP VERSION  DESCRIPTION
 66 | # kubernetes-dashboard/kubernetes-dashboard          7.5.0               General-purpose web UI for Kubernetes clusters
 67 | helm search repo kubernetes-dashboard/kubernetes-dashboard --versions | head -10
 68 | 
 69 | # set the configuration.
 70 | # see https://github.com/kubernetes/dashboard/blob/master/charts/kubernetes-dashboard
 71 | # see https://github.com/kubernetes/dashboard/blob/master/charts/kubernetes-dashboard/values.yaml
 72 | # see https://github.com/kubernetes/dashboard/blob/master/charts/kubernetes-dashboard/Chart.yaml
 73 | cat >kubernetes-dashboard-values.yml <<EOF
 74 | kong:
 75 |   proxy:
 76 |     http:
 77 |       enabled: true
 78 | api:
 79 |   scaling:
 80 |     replicas: 1
 81 | EOF
 82 | 
 83 | # install.
 84 | # see https://github.com/kubernetes/dashboard
 85 | # see https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard
 86 | helm upgrade --install \
 87 |   kubernetes-dashboard \
 88 |   kubernetes-dashboard/kubernetes-dashboard \
 89 |   --version "$kubernetes_dashboard_chart_version" \
 90 |   --create-namespace \
 91 |   --namespace kubernetes-dashboard \
 92 |   --values kubernetes-dashboard-values.yml \
 93 |   --wait
 94 | 
 95 | # create the admin user for use in the kubernetes-dashboard.
 96 | # see https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
 97 | # see https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/README.md
 98 | # see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets
 99 | kubectl apply -n kubernetes-dashboard -f - <<'EOF'
100 | ---
101 | apiVersion: v1
102 | kind: ServiceAccount
103 | metadata:
104 |   name: admin
105 | ---
106 | apiVersion: v1
107 | kind: Secret
108 | type: kubernetes.io/service-account-token
109 | metadata:
110 |   name: admin
111 |   annotations:
112 |     kubernetes.io/service-account.name: admin
113 | ---
114 | apiVersion: rbac.authorization.k8s.io/v1
115 | kind: ClusterRoleBinding
116 | metadata:
117 |   name: admin
118 | roleRef:
119 |   apiGroup: rbac.authorization.k8s.io
120 |   kind: ClusterRole
121 |   name: cluster-admin
122 | subjects:
123 |   - kind: ServiceAccount
124 |     name: admin
125 |     namespace: kubernetes-dashboard
126 | EOF
127 | # save the admin token.
128 | kubectl -n kubernetes-dashboard get secret admin -o json \
129 |   | jq -r .data.token \
130 |   | base64 --decode \
131 |   >/vagrant/tmp/admin-token.txt
132 | 


--------------------------------------------------------------------------------
/provision-argocd.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -euxo pipefail
  3 | 
  4 | argocd_cli_version="${1:-2.12.0}"; shift || true
  5 | argocd_chart_version="${1:-7.4.3}"; shift || true
  6 | argocd_fqdn="argocd.$(hostname --domain)"
  7 | 
  8 | # create the argocd-server tls secret.
  9 | # NB argocd-server will automatically reload this secret.
 10 | # NB alternatively we could set the server.certificate.enabled helm value. but
 11 | #    that does not allow us to fully customize the certificate (e.g. subject).
 12 | # see https://github.com/argoproj/argo-helm/blob/argo-cd-7.4.3/charts/argo-cd/templates/argocd-server/certificate.yaml
 13 | # see https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/
 14 | kubectl create namespace argocd
 15 | kubectl apply -n argocd -f - <<EOF
 16 | # see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Certificate
 17 | apiVersion: cert-manager.io/v1
 18 | kind: Certificate
 19 | metadata:
 20 |   name: argocd-server
 21 | spec:
 22 |   subject:
 23 |     organizations:
 24 |       - k3s-vagrant
 25 |     organizationalUnits:
 26 |       - Kubernetes
 27 |   commonName: Argo CD Server
 28 |   dnsNames:
 29 |     - $argocd_fqdn
 30 |   duration: 1h # NB this is so low for testing purposes.
 31 |   privateKey:
 32 |     algorithm: ECDSA # NB Ed25519 is not yet supported by chrome 93 or firefox 91.
 33 |     size: 256
 34 |   secretName: argocd-server-tls
 35 |   issuerRef:
 36 |     kind: ClusterIssuer
 37 |     name: ingress
 38 | EOF
 39 | kubectl wait --timeout=5m --for=condition=Ready --namespace argocd certificate/argocd-server
 40 | 
 41 | # create the argocd-repo-server tls secret.
 42 | # NB argocd-repo-server will NOT automatically reload this secret. instead, the
 43 | #    argocd-repo-server is configured to be automatically restarted by the
 44 | #    reloader controller.
 45 | # see https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/
 46 | kubectl apply -n argocd -f - <<EOF
 47 | # see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Certificate
 48 | apiVersion: cert-manager.io/v1
 49 | kind: Certificate
 50 | metadata:
 51 |   name: argocd-repo-server
 52 | spec:
 53 |   subject:
 54 |     organizations:
 55 |       - k3s-vagrant
 56 |     organizationalUnits:
 57 |       - Kubernetes
 58 |   commonName: Argo CD Repo Server
 59 |   dnsNames:
 60 |     - argocd-repo-server
 61 |     - argocd-repo-server.argocd.svc
 62 |   duration: 1h # NB this is so low for testing purposes.
 63 |   privateKey:
 64 |     algorithm: ECDSA # NB Ed25519 is not yet supported by chrome 93 or firefox 91.
 65 |     size: 256
 66 |   secretName: argocd-repo-server-tls
 67 |   issuerRef:
 68 |     kind: ClusterIssuer
 69 |     name: ingress
 70 | EOF
 71 | kubectl wait --timeout=5m --for=condition=Ready --namespace argocd certificate/argocd-repo-server
 72 | 
 73 | # create the argocd-dex-server tls secret.
 74 | # NB argocd-dex-server will NOT automatically reload this secret. instead, the
 75 | #    argocd-dex-server is configured to be automatically restarted by the
 76 | #    reloader controller.
 77 | # see https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/
 78 | kubectl apply -n argocd -f - <<EOF
 79 | # see https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Certificate
 80 | apiVersion: cert-manager.io/v1
 81 | kind: Certificate
 82 | metadata:
 83 |  name: argocd-dex-server
 84 | spec:
 85 |  subject:
 86 |    organizations:
 87 |      - k3s-vagrant
 88 |    organizationalUnits:
 89 |      - Kubernetes
 90 |  commonName: Argo CD Dex Server
 91 |  dnsNames:
 92 |    - argocd-dex-server
 93 |    - argocd-dex-server.argocd.svc
 94 |  duration: 1h # NB this is so low for testing purposes.
 95 |  privateKey:
 96 |    algorithm: ECDSA # NB Ed25519 is not yet supported by chrome 93 or firefox 91.
 97 |    size: 256
 98 |  secretName: argocd-dex-server-tls
 99 |  issuerRef:
100 |    kind: ClusterIssuer
101 |    name: ingress
102 | EOF
103 | kubectl wait --timeout=5m --for=condition=Ready --namespace argocd certificate/argocd-dex-server
104 | 
105 | # install the argocd cli.
106 | argocd_url="https://github.com/argoproj/argo-cd/releases/download/v$argocd_cli_version/argocd-linux-amd64"
107 | t="$(mktemp -q -d --suffix=.argocd)"
108 | wget -qO "$t/argocd" "$argocd_url"
109 | install -m 755 "$t/argocd" /usr/local/bin/
110 | rm -rf "$t"
111 | 
112 | # add the argo helm charts repository.
113 | helm repo add argo https://argoproj.github.io/argo-helm
114 | helm repo update
115 | 
116 | # search the chart and app versions, e.g.: in this case we are using:
117 | #     NAME            CHART VERSION APP VERSION DESCRIPTION
118 | #     argo/argo-cd    7.4.3         v2.12.0     A Helm chart for Argo CD, a declarative, GitOps...
119 | helm search repo argo/argo-cd --versions | head -10
120 | 
121 | # set the configuration.
122 | # NB the default values are described at:
123 | #       https://github.com/argoproj/argo-helm/blob/argo-cd-7.4.3/charts/argo-cd/values.yaml
124 | #    NB make sure you are seeing the same version of the chart that you are installing.
125 | cat >argocd-values.yml <<EOF
126 | global:
127 |   domain: $argocd_fqdn
128 | server:
129 |   ingress:
130 |     enabled: true
131 |     tls: true
132 |   extraArgs:
133 |     - --repo-server-strict-tls
134 |     - --dex-server-strict-tls
135 | controller:
136 |   extraArgs:
137 |     - --repo-server-strict-tls
138 | repoServer:
139 |   deploymentAnnotations:
140 |     secret.reloader.stakater.com/reload: argocd-repo-server-tls
141 | dex:
142 |   deploymentAnnotations:
143 |     secret.reloader.stakater.com/reload: argocd-dex-server-tls
144 | EOF
145 | 
146 | # install.
147 | helm upgrade --install \
148 |   argocd \
149 |   argo/argo-cd \
150 |   --version "$argocd_chart_version" \
151 |   --create-namespace \
152 |   --namespace argocd \
153 |   --values argocd-values.yml \
154 |   --wait
155 | 
156 | # save the admin password.
157 | kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" \
158 |   | base64 --decode \
159 |   > /vagrant/tmp/argocd-admin-password.txt
160 | 
161 | # verify the certificates.
162 | # NB to further troubleshoot, add the -debug -tlsextdebug cli arguments.
163 | endpoints=(
164 |   'argocd.example.test:443'
165 |   'argocd-repo-server.argocd.svc:8081'
166 |   # NB dex verification is commented because we have not configured dex, as
167 |   #    such, there is not endpoint listening, so we cannot verify the
168 |   #    certificate.
169 |   #'argocd-dex-server.argocd.svc:5556'
170 | )
171 | for endpoint in "${endpoints[@]}"; do
172 |   h="${endpoint%:*}"
173 |   kubectl -n argocd exec --stdin deployment/argocd-server -- bash -eux <<EOF
174 | # dump certificate.
175 | openssl s_client \
176 |   -connect "$endpoint" \
177 |   -servername "$h" \
178 |   </dev/null \
179 |   2>/dev/null \
180 |   | openssl x509 -noout -text
181 | # verify certificate.
182 | openssl s_client \
183 |   -connect "$endpoint" \
184 |   -servername "$h" \
185 |   -showcerts \
186 |   -verify 100 \
187 |   -verify_return_error \
188 |   -CAfile <(echo "$(cat /vagrant/tmp/ingress-ca-crt.pem)")
189 | EOF
190 | done
191 | 
192 | # configure argocd.
193 | export ARGOCD_SERVER="$argocd_fqdn"
194 | export ARGOCD_AUTH_USERNAME="admin"
195 | export ARGOCD_AUTH_PASSWORD="$(cat /vagrant/tmp/argocd-admin-password.txt)"
196 | export CHECKPOINT_DISABLE=1
197 | export TF_LOG=DEBUG # TF_LOG can be one of: ERROR, WARN, INFO, DEBUG, TRACE.
198 | export TF_LOG_PATH=terraform.log
199 | pushd /vagrant/argocd
200 | rm -f terraform.tfstate* terraform*.log
201 | terraform init
202 | terraform apply -auto-approve \
203 |   | tee terraform-apply.log
204 | popd
205 | 


--------------------------------------------------------------------------------
/renovate.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -euo pipefail
  3 | 
  4 | # this executes renovate against the local repository.
  5 | # NB this uses a temporary gitea instance because running renovate against a
  6 | #    local directory not (yet?) supported.
  7 | #    see https://github.com/renovatebot/renovate/issues/3609
  8 | 
  9 | export RENOVATE_USERNAME='renovate'
 10 | export RENOVATE_NAME='Renovate Bot'
 11 | export RENOVATE_PASSWORD='password'
 12 | gitea_container_name="$(basename "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")-renovate-gitea"
 13 | 
 14 | # see https://hub.docker.com/r/gitea/gitea/tags
 15 | # renovate: datasource=docker depName=gitea/gitea
 16 | gitea_version='1.22.1'
 17 | 
 18 | # see https://hub.docker.com/r/renovate/renovate/tags
 19 | # renovate: datasource=docker depName=renovate/renovate
 20 | renovate_version='38.27.0'
 21 | 
 22 | # clean.
 23 | echo 'Deleting existing Gitea...'
 24 | docker rm --force "$gitea_container_name" >/dev/null 2>&1
 25 | echo 'Deleting existing temporary files...'
 26 | rm -f tmp/renovate-*
 27 | install -d tmp
 28 | 
 29 | # start gitea in background.
 30 | # see https://docs.gitea.io/en-us/config-cheat-sheet/
 31 | # see https://github.com/go-gitea/gitea/releases
 32 | # see https://github.com/go-gitea/gitea/blob/v1.22.1/docker/root/etc/s6/gitea/setup
 33 | echo 'Starting Gitea...'
 34 | docker run \
 35 |     --detach \
 36 |     --name "$gitea_container_name" \
 37 |     -v /etc/timezone:/etc/timezone:ro \
 38 |     -v /etc/localtime:/etc/localtime:ro \
 39 |     -e SECRET_KEY=abracadabra \
 40 |     -p 3000 \
 41 |     "gitea/gitea:$gitea_version" \
 42 |     >/dev/null
 43 | gitea_addr="$(docker port "$gitea_container_name" 3000 | head -1)"
 44 | gitea_url="http://$gitea_addr"
 45 | export RENOVATE_ENDPOINT="$gitea_url"
 46 | export GIT_PUSH_REPOSITORY="http://$RENOVATE_USERNAME:$RENOVATE_PASSWORD@$gitea_addr/$RENOVATE_USERNAME/test.git"
 47 | 
 48 | # wait for gitea to be ready.
 49 | echo "Waiting for Gitea to be ready at $gitea_url..."
 50 | GITEA_URL="$gitea_url" bash -euc 'while [ -z "$(wget -qO- "$GITEA_URL/api/v1/version" | jq -r ".version | select(.!=null)")" ]; do sleep 5; done'
 51 | 
 52 | # create user in gitea.
 53 | echo "Creating Gitea $RENOVATE_USERNAME user..."
 54 | docker exec --user git "$gitea_container_name" gitea admin user create \
 55 |     --admin \
 56 |     --email "$RENOVATE_USERNAME@example.com" \
 57 |     --username "$RENOVATE_USERNAME" \
 58 |     --password "$RENOVATE_PASSWORD"
 59 | curl \
 60 |     --silent \
 61 |     --show-error \
 62 |     --fail-with-body \
 63 |     -u "$RENOVATE_USERNAME:$RENOVATE_PASSWORD" \
 64 |     -X 'PATCH' \
 65 |     -H 'Accept: application/json' \
 66 |     -H 'Content-Type: application/json' \
 67 |     -d "{\"full_name\":\"$RENOVATE_NAME\"}" \
 68 |     "$gitea_url/api/v1/user/settings" \
 69 |     | jq \
 70 |     > /dev/null
 71 | 
 72 | # create the user personal access token.
 73 | # see https://docs.gitea.io/en-us/api-usage/
 74 | # see https://docs.gitea.io/en-us/oauth2-provider/#scopes
 75 | # see https://try.gitea.io/api/swagger#/user/userCreateToken
 76 | echo "Creating Gitea $RENOVATE_USERNAME user personal access token..."
 77 | curl \
 78 |     --silent \
 79 |     --show-error \
 80 |     --fail-with-body \
 81 |     -u "$RENOVATE_USERNAME:$RENOVATE_PASSWORD" \
 82 |     -X POST \
 83 |     -H "Content-Type: application/json" \
 84 |     -d '{"name": "renovate", "scopes": ["read:user", "write:issue", "write:repository"]}' \
 85 |     "$gitea_url/api/v1/users/$RENOVATE_USERNAME/tokens" \
 86 |     | jq -r .sha1 \
 87 |     >tmp/renovate-gitea-token.txt
 88 | 
 89 | # try the token.
 90 | echo "Trying the Gitea $RENOVATE_USERNAME user personal access token..."
 91 | RENOVATE_TOKEN="$(cat tmp/renovate-gitea-token.txt)"
 92 | export RENOVATE_TOKEN
 93 | curl \
 94 |     --silent \
 95 |     --show-error \
 96 |     --fail-with-body \
 97 |     -H "Authorization: token $RENOVATE_TOKEN" \
 98 |     -H 'Accept: application/json' \
 99 |     "$gitea_url/api/v1/version" \
100 |     | jq \
101 |     > /dev/null
102 | 
103 | # create remote repository in gitea.
104 | echo "Creating Gitea $RENOVATE_USERNAME test repository..."
105 | curl \
106 |     --silent \
107 |     --show-error \
108 |     --fail-with-body \
109 |     -u "$RENOVATE_USERNAME:$RENOVATE_PASSWORD" \
110 |     -X POST \
111 |     -H 'Accept: application/json' \
112 |     -H 'Content-Type: application/json' \
113 |     -d '{"name": "test"}' \
114 |     "$gitea_url/api/v1/user/repos" \
115 |     | jq \
116 |     > /dev/null
117 | 
118 | # push the code to local gitea repository.
119 | # NB running renovate locally is not yet supported.
120 | #    see https://github.com/renovatebot/renovate/issues/3609
121 | echo "Pushing local repository to Gitea $RENOVATE_USERNAME test repository..."
122 | git push --force "$GIT_PUSH_REPOSITORY"
123 | 
124 | # see https://docs.renovatebot.com/modules/platform/gitea/
125 | # see https://docs.renovatebot.com/self-hosted-configuration/#dryrun
126 | # see https://github.com/renovatebot/renovate/blob/main/docs/usage/examples/self-hosting.md
127 | # see https://github.com/renovatebot/renovate/tree/main/lib/modules/datasource
128 | # see https://github.com/renovatebot/renovate/tree/main/lib/modules/versioning
129 | RENOVATE_TOKEN="$(cat tmp/renovate-gitea-token.txt)"
130 | export RENOVATE_TOKEN
131 | # NB these can also be passed as raw positional arguments to docker run.
132 | export RENOVATE_REPOSITORIES="$RENOVATE_USERNAME/test"
133 | # see https://docs.github.com/en/rest/rate-limit#get-rate-limit-status-for-the-authenticated-user
134 | # see https://github.com/settings/tokens
135 | # NB this is only used for authentication. the token should not have any scope enabled.
136 | #export GITHUB_COM_TOKEN='TODO-YOUR-TOKEN'
137 | # let renovate create all the required pull requests.
138 | # see https://docs.renovatebot.com/configuration-options/#prhourlylimit
139 | # see https://docs.renovatebot.com/configuration-options/#prconcurrentlimit
140 | export RENOVATE_PR_HOURLY_LIMIT='0'
141 | export RENOVATE_PR_CONCURRENT_LIMIT='0'
142 | echo 'Running renovate...'
143 | # NB use --dry-run=lookup for not modifying the repository (e.g. for not
144 | #    creating pull requests).
145 | docker run \
146 |   --rm \
147 |   --tty \
148 |   --interactive \
149 |   --net host \
150 |   --env GITHUB_COM_TOKEN \
151 |   --env RENOVATE_ENDPOINT \
152 |   --env RENOVATE_TOKEN \
153 |   --env RENOVATE_REPOSITORIES \
154 |   --env RENOVATE_PR_HOURLY_LIMIT \
155 |   --env RENOVATE_PR_CONCURRENT_LIMIT \
156 |   --env LOG_LEVEL=debug \
157 |   --env LOG_FORMAT=json \
158 |   "renovate/renovate:$renovate_version" \
159 |   --platform=gitea \
160 |   --git-url=endpoint \
161 |   >tmp/renovate-log.json
162 | 
163 | echo 'Getting results...'
164 | # extract the errors.
165 | jq 'select(.err)' tmp/renovate-log.json >tmp/renovate-errors.json
166 | # extract the result from the renovate log.
167 | jq 'select(.msg == "packageFiles with updates") | .config' tmp/renovate-log.json >tmp/renovate-result.json
168 | # extract all the dependencies.
169 | jq 'to_entries[].value[] | {packageFile,dep:.deps[]}' tmp/renovate-result.json >tmp/renovate-dependencies.json
170 | # extract the dependencies that have updates.
171 | jq 'select((.dep.updates | length) > 0)' tmp/renovate-dependencies.json >tmp/renovate-dependencies-updates.json
172 | 
173 | # helpers.
174 | function show-title {
175 |     echo
176 |     echo '#'
177 |     echo "# $1"
178 |     echo '#'
179 |     echo
180 | }
181 | 
182 | # show errors.
183 | if [ "$(jq --slurp length tmp/renovate-errors.json)" -ne '0' ]; then
184 |     show-title errors
185 |     jq . tmp/renovate-errors.json
186 | fi
187 | 
188 | # show dependencies.
189 | function show-dependencies {
190 |     show-title "$1"
191 |     (
192 |         printf 'packageFile\tdatasource\tdepName\tcurrentValue\tnewVersions\tskipReason\twarnings\n'
193 |         jq \
194 |             -r \
195 |             '[
196 |                 .packageFile,
197 |                 .dep.datasource,
198 |                 .dep.depName,
199 |                 .dep.currentValue,
200 |                 (.dep | select(.updates) | .updates | map(.newVersion) | join(" | ")),
201 |                 .dep.skipReason,
202 |                 (.dep | select(.warnings) | .warnings | map(.message) | join(" | "))
203 |             ] | @tsv' \
204 |             "$2" \
205 |             | sort
206 |     ) | column -t -s "$(printf \\t)"
207 | }
208 | show-dependencies 'Dependencies' tmp/renovate-dependencies.json
209 | show-dependencies 'Dependencies Updates' tmp/renovate-dependencies-updates.json
210 | 
211 | # show the gitea project.
212 | show-title "See PRs at $gitea_url/$RENOVATE_USERNAME/test/pulls (you can login as $RENOVATE_USERNAME:$RENOVATE_PASSWORD)"
213 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # About
  2 | 
  3 | This is a [k3s](https://github.com/k3s-io/k3s) kubernetes cluster playground wrapped in a Vagrant environment.
  4 | 
  5 | # Usage
  6 | 
  7 | Configure the host machine `hosts` file with:
  8 | 
  9 | ```
 10 | 10.11.0.4  registry.example.test
 11 | 10.11.0.30 s.example.test
 12 | 10.11.0.50 traefik.example.test
 13 | 10.11.0.50 kubernetes-dashboard.example.test
 14 | 10.11.0.50 kubernetes-hello.example.test
 15 | 10.11.0.50 argocd.example.test
 16 | ```
 17 | 
 18 | Install the base [Debian 12 (Bookworm) vagrant box](https://github.com/rgl/debian-vagrant).
 19 | 
 20 | Optionally, start the [rgl/gitlab-vagrant](https://github.com/rgl/gitlab-vagrant) environment at `../gitlab-vagrant`. If you do this, this environment will have the [gitlab-runner helm chart](https://docs.gitlab.com/runner/install/kubernetes.html) installed in the k8s cluster.
 21 | 
 22 | Optionally, connect the environment to the physical network through the host `br-lan` bridge. The environment assumes that the host bridge was configured as:
 23 | 
 24 | ```bash
 25 | sudo -i
 26 | # review the configuration in the files at /etc/netplan and replace them all
 27 | # with a single configuration file:
 28 | ls -laF /etc/netplan
 29 | upstream_interface=eth0
 30 | upstream_mac=$(ip link show $upstream_interface | perl -ne '/ether ([^ ]+)/ && print $1')
 31 | cat >/etc/netplan/00-config.yaml <<EOF
 32 | network:
 33 |   version: 2
 34 |   renderer: networkd
 35 |   ethernets:
 36 |     eth0: {}
 37 |   bridges:
 38 |     br-lan:
 39 |       # inherit the MAC address from the enslaved eth0 interface.
 40 |       # NB this is required in machines that have intel AMT with shared IP
 41 |       #    address to prevent announcing multiple MAC addresses (AMT and OS
 42 |       #    eth0) for the same IP address.
 43 |       macaddress: $upstream_mac
 44 |       #link-local: []
 45 |       dhcp4: false
 46 |       addresses:
 47 |         - 192.168.1.11/24
 48 |       routes:
 49 |         - to: default
 50 |           via: 192.168.1.254
 51 |       nameservers:
 52 |         addresses:
 53 |           - 192.168.1.254
 54 |         search:
 55 |           - lan
 56 |       interfaces:
 57 |         - $upstream_interface
 58 | EOF
 59 | netplan apply
 60 | ```
 61 | 
 62 | And open the `Vagrantfile`, uncomment and edit the block that starts at
 63 | `bridge_name` with your specific network details. Also ensure that the
 64 | `hosts` file has the used IP addresses.
 65 | 
 66 | Launch the environment:
 67 | 
 68 | ```bash
 69 | time vagrant up --no-destroy-on-error --no-tty --provider=libvirt
 70 | ```
 71 | 
 72 | **NB** When the `NUMBER_OF_AGENT_NODES` `Vagrantfile` variable value is above `0`, the server nodes (e.g. `s1`) are [tainted](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to prevent them from executing non control-plane workloads. That kind of workload is executed in the agent nodes (e.g. `a1`).
 73 | 
 74 | Show containerd information:
 75 | 
 76 | ```bash
 77 | vagrant ssh s1
 78 | sudo -i
 79 | crictl version
 80 | crictl info
 81 | exit
 82 | exit
 83 | ```
 84 | 
 85 | Access the cluster from the host:
 86 | 
 87 | ```bash
 88 | export KUBECONFIG=$PWD/tmp/admin.conf
 89 | kubectl cluster-info
 90 | kubectl get nodes -o wide
 91 | ```
 92 | 
 93 | Execute an [example workload](https://github.com/rgl/example-docker-buildx-go):
 94 | 
 95 | ```bash
 96 | export KUBECONFIG=$PWD/tmp/admin.conf
 97 | kubectl apply -f example.yml
 98 | kubectl rollout status deployment/example
 99 | kubectl get ingresses,services,pods,deployments
100 | example_ip="$(kubectl get ingress/example -o json | jq -r .status.loadBalancer.ingress[0].ip)"
101 | example_fqdn="$(kubectl get ingress/example -o json | jq -r .spec.rules[0].host)"
102 | example_url="http://$example_fqdn"
103 | curl --resolve "$example_fqdn:80:$example_ip" "$example_url"
104 | echo "$example_ip $example_fqdn" | sudo tee -a /etc/hosts
105 | curl "$example_url"
106 | xdg-open "$example_url"
107 | kubectl delete -f example.yml
108 | ```
109 | 
110 | Execute an [example WebAssembly (Wasm) workload](https://github.com/rgl/spin-http-go-example):
111 | 
112 | ```bash
113 | export KUBECONFIG=$PWD/tmp/admin.conf
114 | kubectl apply -f example-spin.yml
115 | kubectl rollout status deployment/example-spin
116 | kubectl get ingresses,services,pods,deployments
117 | example_spin_ip="$(kubectl get ingress/example-spin -o json | jq -r .status.loadBalancer.ingress[0].ip)"
118 | example_spin_fqdn="$(kubectl get ingress/example-spin -o json | jq -r .spec.rules[0].host)"
119 | example_spin_url="http://$example_spin_fqdn"
120 | curl --resolve "$example_spin_fqdn:80:$example_spin_ip" "$example_spin_url"
121 | echo "$example_spin_ip $example_spin_fqdn" | sudo tee -a /etc/hosts
122 | curl "$example_spin_url"
123 | xdg-open "$example_spin_url"
124 | kubectl delete -f example-spin.yml
125 | ```
126 | 
127 | Execute the [kubernetes-hello workload](https://github.com/rgl/kubernetes-hello), it uses [Role, RoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/), [Secret](https://kubernetes.io/docs/concepts/configuration/secret/), [ServiceAccount](https://kubernetes.io/docs/concepts/security/service-accounts/), and [Service Account token volume projection (a JSON Web Token and OpenID Connect (OIDC) ID Token)](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) that target a different audience:
128 | 
129 | ```bash
130 | export KUBECONFIG=$PWD/tmp/admin.conf
131 | wget -qO- https://github.com/rgl/kubernetes-hello/raw/master/resources.yml \
132 |   | perl -pe 's,(\s+host: kubernetes-hello)\..+,\1.example.test,' \
133 |   > tmp/kubernetes-hello.yml
134 | kubectl apply -f tmp/kubernetes-hello.yml
135 | kubectl rollout status daemonset/kubernetes-hello
136 | kubectl get ingresses,services,pods,daemonset
137 | kubernetes_hello_ip="$(kubectl get ingress/kubernetes-hello -o json | jq -r .status.loadBalancer.ingress[0].ip)"
138 | kubernetes_hello_fqdn="$(kubectl get ingress/kubernetes-hello -o json | jq -r .spec.rules[0].host)"
139 | kubernetes_hello_url="http://$kubernetes_hello_fqdn"
140 | echo "kubernetes_hello_url: $kubernetes_hello_url"
141 | curl --resolve "$kubernetes_hello_fqdn:80:$kubernetes_hello_ip" "$kubernetes_hello_url"
142 | kubectl delete -f tmp/kubernetes-hello.yml
143 | ```
144 | 
145 | Access the example `nginx` ArgoCD application service (managed by ArgoCD as the
146 | [`nginx` ArgoCD Application](argocd/main.tf)):
147 | 
148 | ```bash
149 | nginx_ip="$(kubectl get service/nginx -o json | jq -r .status.loadBalancer.ingress[0].ip)"
150 | nginx_url="http://$nginx_ip"
151 | echo "nginx_url: $nginx_url"
152 | curl "$nginx_url"
153 | ```
154 | 
155 | List this repository dependencies (and which have newer versions):
156 | 
157 | ```bash
158 | GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN' ./renovate.sh
159 | ```
160 | 
161 | ## Traefik Dashboard
162 | 
163 | Access the Traefik Dashboard at:
164 | 
165 |     https://traefik.example.test/dashboard/
166 | 
167 | ## Rancher Server
168 | 
169 | Access the Rancher Server at:
170 | 
171 |     https://s.example.test:6443
172 | 
173 | **NB** This is a proxy to the k8s API server (which is running in port 6444).
174 | 
175 | **NB** You must use the client certificate that is inside the `tmp/admin.conf`,
176 | `tmp/*.pem`, or `/etc/rancher/k3s/k3s.yaml` (inside the `s1` machine) file.
177 | 
178 | Access the rancher server using the client certificate with httpie:
179 | 
180 | ```bash
181 | http \
182 |     --verify tmp/default-ca-crt.pem \
183 |     --cert tmp/default-crt.pem \
184 |     --cert-key tmp/default-key.pem \
185 |     https://s.example.test:6443
186 | ```
187 | 
188 | Or with curl:
189 | 
190 | ```bash
191 | curl \
192 |     --cacert tmp/default-ca-crt.pem \
193 |     --cert tmp/default-crt.pem \
194 |     --key tmp/default-key.pem \
195 |     https://s.example.test:6443
196 | ```
197 | 
198 | ## Kubernetes Dashboard
199 | 
200 | Access the Kubernetes Dashboard at:
201 | 
202 |     https://kubernetes-dashboard.example.test
203 | 
204 | Then select `Token` and use the contents of `tmp/admin-token.txt` as the token.
205 | 
206 | You can also launch the kubernetes API server proxy in background:
207 | 
208 | ```bash
209 | export KUBECONFIG=$PWD/tmp/admin.conf
210 | kubectl proxy &
211 | ```
212 | 
213 | And access the kubernetes dashboard at:
214 | 
215 |     http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
216 | 
217 | ## K9s Dashboard
218 | 
219 | The [K9s](https://github.com/derailed/k9s) console UI dashboard is also
220 | installed in the server node. You can access it by running:
221 | 
222 | ```bash
223 | vagrant ssh s1
224 | sudo su -l
225 | k9s
226 | ```
227 | 
228 | ## Zot Registry
229 | 
230 | The [Zot Registry](https://zotregistry.dev) is installed in the registry
231 | node and can be accessed at:
232 | 
233 | http://registry.example.test
234 | 
235 | ## Argo CD
236 | 
237 | Get the `admin` user password:
238 | 
239 | ```bash
240 | echo "Argo CD admin password: $(cat tmp/argocd-admin-password.txt)"
241 | ```
242 | 
243 | Access the web interface:
244 | 
245 |   https://argocd.example.test
246 | 
247 | Show the configuration:
248 | 
249 | ```bash
250 | kubectl get -n argocd configmap/argocd-cmd-params-cm -o yaml
251 | ```
252 | 
253 | ## Crossplane
254 | 
255 | Set the AWS credentials secret:
256 | 
257 | ```bash
258 | # NB for testing purposes, you can copy these from the AWS Management Console.
259 | cat >tmp/aws-credentials.txt <<'EOF'
260 | [default]
261 | aws_access_key_id = <AWS_ACCESS_KEY_ID>
262 | aws_secret_access_key = <AWS_SECRET_ACCESS_KEY>
263 | #aws_session_token = <AWS_SESSION_TOKEN>
264 | EOF
265 | export KUBECONFIG=$PWD/tmp/admin.conf
266 | kubectl delete secret/aws-credentials \
267 |   --namespace crossplane-system
268 | kubectl create secret generic aws-credentials \
269 |   --namespace crossplane-system \
270 |   --from-file credentials=tmp/aws-credentials.txt
271 | ```
272 | 
273 | Create an S3 bucket:
274 | 
275 | ```bash
276 | # see https://marketplace.upbound.io/providers/upbound/provider-aws-s3/v1.11.0/resources/s3.aws.upbound.io/Bucket/v1beta2
277 | # NB Bucket is cluster scoped.
278 | #    see kubectl get crd buckets.s3.aws.upbound.io -o yaml
279 | export KUBECONFIG=$PWD/tmp/admin.conf
280 | kubectl create -f - <<'EOF'
281 | apiVersion: s3.aws.upbound.io/v1beta2
282 | kind: Bucket
283 | metadata:
284 |   name: crossplane-hello-world
285 | spec:
286 |   forProvider:
287 |     region: eu-west-1
288 |     tags:
289 |       owner: rgl
290 |   providerConfigRef:
291 |     name: default
292 | EOF
293 | ```
294 | 
295 | List the created bucket:
296 | 
297 | ```bash
298 | kubectl get buckets
299 | ```
300 | 
301 | Describe the created bucket:
302 | 
303 | ```bash
304 | kubectl describe bucket/crossplane-hello-world
305 | ```
306 | 
307 | Using the AWS CLI, list the S3 buckets:
308 | 
309 | ```bash
310 | AWS_CONFIG_FILE=tmp/aws-credentials.txt aws s3 ls
311 | ```
312 | 
313 | Delete the created bucket:
314 | 
315 | ```bash
316 | kubectl delete bucket/crossplane-hello-world
317 | ```
318 | 
319 | # Notes
320 | 
321 | * k3s has a custom k8s authenticator module that does user authentication from `/var/lib/rancher/k3s/server/cred/passwd`.
322 | 
323 | # Reference
324 | 
325 | * [k3s Installation and Configuration Options](https://rancher.com/docs/k3s/latest/en/installation/install-options/)
326 | * [k3s Advanced Options and Configuration](https://rancher.com/docs/k3s/latest/en/advanced/)
327 | * [k3s Under the Hood: Building a Product-grade Lightweight Kubernetes Distro (KubeCon NA 2019)](https://www.youtube.com/watch?v=-HchRyqNtkU)
328 | 


--------------------------------------------------------------------------------
/provision-k3s-server.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -euxo pipefail
  3 | 
  4 | k3s_command="$1"; shift
  5 | k3s_channel="${1:-latest}"; shift
  6 | k3s_version="${1:-v1.30.3+k3s1}"; shift
  7 | k3s_token="$1"; shift
  8 | flannel_backend="$1"; shift
  9 | ip_address="$1"; shift
 10 | krew_version="${1:-v0.4.4}"; shift || true # NB see https://github.com/kubernetes-sigs/krew
 11 | taint="${1:-1}"; shift || true
 12 | fqdn="$(hostname --fqdn)"
 13 | k3s_fqdn="s.$(hostname --domain)"
 14 | k3s_url="https://$k3s_fqdn:6443"
 15 | 
 16 | # configure the motd.
 17 | # NB this was generated at http://patorjk.com/software/taag/#p=display&f=Big&t=k3s%0Aserver.
 18 | #    it could also be generated with figlet.org.
 19 | cat >/etc/motd <<'EOF'
 20 | 
 21 |   _    ____
 22 |  | |  |___ \
 23 |  | | __ __) |___
 24 |  | |/ /|__ </ __|
 25 |  |   < ___) \__ \
 26 |  |_|\_\____/|___/   _____ _ __
 27 |  / __|/ _ \ '__\ \ / / _ \ '__|
 28 |  \__ \  __/ |   \ V /  __/ |
 29 |  |___/\___|_|    \_/ \___|_|
 30 | 
 31 | EOF
 32 | 
 33 | # extra k3s server arguments.
 34 | k3s_extra_args=''
 35 | 
 36 | # init or join the cluster.
 37 | if [ "$k3s_command" == 'cluster-init' ]; then
 38 |   k3s_extra_args="$k3s_extra_args --cluster-init"
 39 | else
 40 |   k3s_extra_args="$k3s_extra_args --server $k3s_url"
 41 | fi
 42 | 
 43 | # taint.
 44 | if [ "$taint" == '1' ]; then
 45 |   k3s_extra_args="$k3s_extra_args --node-taint CriticalAddonsOnly=true:NoExecute"
 46 | fi
 47 | 
 48 | # install k3s.
 49 | # see server arguments at e.g. https://github.com/k3s-io/k3s/blob/v1.30.3+k3s1/pkg/cli/cmds/server.go#L589-L597
 50 | # or run k3s server --help
 51 | # see https://docs.k3s.io/installation/configuration
 52 | # see https://docs.k3s.io/reference/server-config
 53 | curl -sfL https://raw.githubusercontent.com/k3s-io/k3s/$k3s_version/install.sh \
 54 |     | \
 55 |         INSTALL_K3S_CHANNEL="$k3s_channel" \
 56 |         INSTALL_K3S_VERSION="$k3s_version" \
 57 |         K3S_TOKEN="$k3s_token" \
 58 |         sh -s -- \
 59 |             server \
 60 |             --node-ip "$ip_address" \
 61 |             --cluster-cidr '10.12.0.0/16' \
 62 |             --service-cidr '10.13.0.0/16' \
 63 |             --cluster-dns '10.13.0.10' \
 64 |             --cluster-domain 'cluster.local' \
 65 |             --flannel-iface 'eth1' \
 66 |             --flannel-backend "$flannel_backend" \
 67 |             --tls-san "$k3s_fqdn" \
 68 |             --disable servicelb \
 69 |             $k3s_extra_args
 70 | 
 71 | # see the systemd unit.
 72 | systemctl cat k3s
 73 | 
 74 | # check whether this system has the k3s requirements.
 75 | k3s check-config
 76 | 
 77 | # wait for this node to be Ready.
 78 | # e.g. s1     Ready    control-plane,master   3m    v1.30.3+k3s1
 79 | $SHELL -c 'node_name=$(hostname); echo "waiting for node $node_name to be ready..."; while [ -z "$(kubectl get nodes $node_name | grep -E "$node_name\s+Ready\s+")" ]; do sleep 3; done; echo "node ready!"'
 80 | 
 81 | # wait for the kube-dns pod to be Running.
 82 | # e.g. coredns-fb8b8dccf-rh4fg   1/1     Running   0          33m
 83 | $SHELL -c 'while [ -z "$(kubectl get pods --selector k8s-app=kube-dns --namespace kube-system | grep -E "\s+Running\s+")" ]; do sleep 3; done'
 84 | 
 85 | # install traefik as the k8s ingress controller.
 86 | # NB this is changing the /var/lib/rancher/k3s/server/manifests/traefik.yaml file
 87 | #    which will eventually be picked up by k3s, which will apply it using
 88 | #    something equivalent to:
 89 | #       kubectl -n kube-system apply -f /var/lib/rancher/k3s/server/manifests/traefik.yaml
 90 | # see https://doc.traefik.io/traefik/v2.9/operations/api/
 91 | # see https://github.com/k3s-io/k3s/issues/350#issuecomment-511218588
 92 | # see https://github.com/k3s-io/k3s/blob/v1.30.3+k3s1/manifests/traefik.yaml
 93 | # see https://github.com/traefik/traefik-helm-chart/blob/v25.0.3/traefik/values.yaml
 94 | echo 'configuring traefik...'
 95 | apt-get install -y python3-yaml
 96 | python3 - <<'EOF'
 97 | import difflib
 98 | import io
 99 | import sys
100 | import yaml
101 | 
102 | # configure the yaml library to write multiline strings using the block scalar
103 | # style syntax.
104 | # NB this uses a modified version of https://github.com/yaml/pyyaml/issues/240#issuecomment-1096224358:
105 | #      * uses the `in` operator.
106 | def str_presenter(dumper, data):
107 |     """configures yaml for dumping multiline strings
108 |     Ref: https://stackoverflow.com/questions/8640959/how-can-i-control-what-scalar-form-pyyaml-uses-for-my-data"""
109 |     if '\n' in data:
110 |         return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|')
111 |     return dumper.represent_scalar('tag:yaml.org,2002:str', data)
112 | yaml.add_representer(str, str_presenter)
113 | yaml.representer.SafeRepresenter.add_representer(str, str_presenter) # to use with safe_dum
114 | 
115 | config_path = '/var/lib/rancher/k3s/server/manifests/traefik.yaml'
116 | config_orig = open(config_path, 'r', encoding='utf-8').read()
117 | 
118 | documents = list(yaml.load_all(config_orig, Loader=yaml.FullLoader))
119 | d = documents[1]
120 | values = yaml.load(d['spec']['valuesContent'], Loader=yaml.FullLoader)
121 | 
122 | # configure logging.
123 | # NB you can see the logs with:
124 | #       kubectl -n kube-system logs -f -l app.kubernetes.io/name=traefik
125 | values['logs'] = {
126 |     'general': {
127 |         'level': 'WARN',
128 |     },
129 |     'access': {
130 |         'enabled': True,
131 |     },
132 | }
133 | 
134 | # configure traefik to skip certificate validation.
135 | # NB this is needed to expose the k8s dashboard as an ingress at
136 | #    https://kubernetes-dashboard.example.test.
137 | # NB without this, traefik returns "internal server error".
138 | # TODO see how to set the CAs in traefik.
139 | # NB this should never be done at production.
140 | values['additionalArguments'] = [
141 |     '--serverstransport.insecureskipverify=true'
142 | ]
143 | 
144 | # save values back.
145 | config = io.StringIO()
146 | yaml.dump(values, config, default_flow_style=False)
147 | d['spec']['valuesContent'] = config.getvalue()
148 | 
149 | # show the differences and save the modified yaml file.
150 | config = io.StringIO()
151 | yaml.dump_all(documents, config, default_flow_style=False)
152 | config = config.getvalue()
153 | sys.stdout.writelines(difflib.unified_diff(config_orig.splitlines(1), config.splitlines(1)))
154 | open(config_path, 'w', encoding='utf-8').write(config)
155 | EOF
156 | 
157 | # create the traefik ingress to access the traefik api/dashboard endpoints.
158 | # NB you cannot use kubectl apply here because the traefik CRDs are created
159 | #    from a non control-plane node. that's why this uses a local manifest
160 | #    file.
161 | # NB you must add any of the cluster node IP addresses to your computer hosts file, e.g.:
162 | #       10.11.10.101 traefik.example.test
163 | #    and access it as:
164 | #       https://traefik.example.test/dashboard/
165 | #       https://traefik.example.test/api/version
166 | #       https://traefik.example.test/api/overview
167 | #       https://traefik.example.test/api/http/routers
168 | #       https://traefik.example.test/api/http/services
169 | # NB you can see the traefik configuration with:
170 | #       kubectl --namespace kube-system get configmap/chart-values-traefik -o yaml
171 | #       kubectl --namespace kube-system get pods -l app.kubernetes.io/name=traefik -o yaml
172 | #       kubectl --namespace kube-system logs -l app.kubernetes.io/name=traefik
173 | # see https://doc.traefik.io/traefik/operations/api/#endpoints
174 | # see kubectl get -n kube-system service traefik -o yaml
175 | # see https://github.com/traefik/traefik-helm-chart/tree/v25.0.0#exposing-the-traefik-dashboard
176 | cat >/var/lib/rancher/k3s/server/manifests/traefik-local.yaml <<'EOF'
177 | apiVersion: traefik.containo.us/v1alpha1
178 | kind: IngressRoute
179 | metadata:
180 |   name: traefik
181 | spec:
182 |   entryPoints:
183 |     - websecure
184 |   routes:
185 |     - match: Host(`traefik.example.test`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
186 |       kind: Rule
187 |       services:
188 |         - name: api@internal
189 |           kind: TraefikService
190 | EOF
191 | 
192 | # install the krew kubectl package manager.
193 | echo "installing the krew $krew_version kubectl package manager..."
194 | apt-get install -y --no-install-recommends git-core
195 | wget -qO- "https://github.com/kubernetes-sigs/krew/releases/download/$krew_version/krew-linux_amd64.tar.gz" | tar xzf - ./krew-linux_amd64
196 | wget -q "https://github.com/kubernetes-sigs/krew/releases/download/$krew_version/krew.yaml"
197 | ./krew-linux_amd64 install --manifest=krew.yaml
198 | rm krew-linux_amd64
199 | cat >/etc/profile.d/krew.sh <<'EOF'
200 | export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
201 | EOF
202 | source /etc/profile.d/krew.sh
203 | kubectl krew version
204 | 
205 | # install the bash completion scripts.
206 | crictl completion bash >/usr/share/bash-completion/completions/crictl
207 | kubectl completion bash >/usr/share/bash-completion/completions/kubectl
208 | 
209 | # symlink the default kubeconfig path so local tools like k9s can easily
210 | # find it without exporting the KUBECONFIG environment variable.
211 | ln -s /etc/rancher/k3s/k3s.yaml ~/.kube/config
212 | 
213 | # save kubeconfig in the host.
214 | # NB the default users are generated at https://github.com/k3s-io/k3s/blob/v1.30.3+k3s1/pkg/daemons/control/deps/deps.go#L233-L261
215 | #    and saved at /var/lib/rancher/k3s/server/cred/passwd
216 | mkdir -p /vagrant/tmp
217 | python3 - <<EOF
218 | import base64
219 | import yaml
220 | 
221 | d = yaml.load(open('/etc/rancher/k3s/k3s.yaml', 'r'), Loader=yaml.FullLoader)
222 | 
223 | # save cluster ca certificate.
224 | for c in d['clusters']:
225 |     open(f"/vagrant/tmp/{c['name']}-ca-crt.pem", 'wb').write(base64.b64decode(c['cluster']['certificate-authority-data']))
226 | 
227 | # save user client certificates.
228 | for u in d['users']:
229 |     open(f"/vagrant/tmp/{u['name']}-crt.pem", 'wb').write(base64.b64decode(u['user']['client-certificate-data']))
230 |     open(f"/vagrant/tmp/{u['name']}-key.pem", 'wb').write(base64.b64decode(u['user']['client-key-data']))
231 |     print(f"Kubernetes API Server $k3s_url user {u['name']} client certificate in tmp/{u['name']}-*.pem")
232 | 
233 | # set the api-server server.
234 | for c in d['clusters']:
235 |     c['cluster']['server'] = '$k3s_url'
236 | 
237 | yaml.dump(d, open('/vagrant/tmp/admin.conf', 'w'), default_flow_style=False)
238 | EOF
239 | 
240 | # show cluster-info.
241 | kubectl cluster-info
242 | 
243 | # list etcd members.
244 | etcdctl --write-out table member list
245 | 
246 | # show the endpoint status.
247 | etcdctl --write-out table endpoint status
248 | 
249 | # list nodes.
250 | kubectl get nodes -o wide
251 | 
252 | # rbac info.
253 | kubectl get serviceaccount --all-namespaces
254 | kubectl get role --all-namespaces
255 | kubectl get rolebinding --all-namespaces
256 | kubectl get rolebinding --all-namespaces -o json | jq .items[].subjects
257 | kubectl get clusterrole --all-namespaces
258 | kubectl get clusterrolebinding --all-namespaces
259 | kubectl get clusterrolebinding --all-namespaces -o json | jq .items[].subjects
260 | 
261 | # rbac access matrix.
262 | # see https://github.com/corneliusweig/rakkess/blob/master/doc/USAGE.md
263 | kubectl krew install access-matrix
264 | kubectl access-matrix version --full
265 | kubectl access-matrix # at cluster scope.
266 | kubectl access-matrix --namespace default
267 | kubectl access-matrix --sa kubernetes-dashboard --namespace kubernetes-dashboard
268 | 
269 | # list system secrets.
270 | kubectl -n kube-system get secret
271 | 
272 | # list all objects.
273 | # NB without this hugly redirect the kubectl output will be all messed
274 | #    when used from a vagrant session.
275 | kubectl get all --all-namespaces
276 | 
277 | # really get all objects.
278 | # see https://github.com/corneliusweig/ketall/blob/master/doc/USAGE.md
279 | kubectl krew install get-all
280 | kubectl get-all
281 | 
282 | # list services.
283 | kubectl get svc
284 | 
285 | # list running pods.
286 | kubectl get pods --all-namespaces -o wide
287 | 
288 | # list runnnig pods.
289 | crictl pods
290 | 
291 | # list running containers.
292 | crictl ps
293 | ctr containers ls
294 | 
295 | # show listening ports.
296 | ss -n --tcp --listening --processes
297 | 
298 | # show network routes.
299 | ip route
300 | 
301 | # list wireguard peers.
302 | wg
303 | 
304 | # show memory info.
305 | free
306 | 
307 | # show versions.
308 | kubectl version --output=yaml
309 | crictl version
310 | ctr version
311 | 


--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
  1 | # to make sure the nodes are created in order, we
  2 | # have to force a --no-parallel execution.
  3 | ENV['VAGRANT_NO_PARALLEL'] = 'yes'
  4 | 
  5 | # enable typed triggers.
  6 | # NB this is needed to modify the libvirt domain scsi controller model to virtio-scsi.
  7 | ENV['VAGRANT_EXPERIMENTAL'] = 'typed_triggers'
  8 | 
  9 | require 'ipaddr'
 10 | require 'open3'
 11 | 
 12 | def get_or_generate_k3s_token
 13 |   # TODO generate an unique random an cache it.
 14 |   # generated with openssl rand -hex 32
 15 |   '7e982a7bbac5f385ecbb988f800787bc9bb617552813a63c4469521c53d83b6e'
 16 | end
 17 | 
 18 | def generate_nodes(first_ip_address, count, name_prefix)
 19 |   ip_addr = IPAddr.new first_ip_address
 20 |   (1..count).map do |n|
 21 |     ip_address, ip_addr = ip_addr.to_s, ip_addr.succ
 22 |     name = "#{name_prefix}#{n}"
 23 |     fqdn = "#{name}.example.test"
 24 |     [name, fqdn, ip_address, n]
 25 |   end
 26 | end
 27 | 
 28 | # see https://github.com/project-zot/zot/releases
 29 | # renovate: datasource=github-releases depName=project-zot/zot
 30 | ZOT_VERSION = '2.1.1'
 31 | 
 32 | # see https://get.k3s.io/
 33 | # see https://update.k3s.io/v1-release/channels
 34 | # see https://github.com/k3s-io/k3s/releases
 35 | K3S_CHANNEL = 'latest'
 36 | # renovate: datasource=github-releases depName=k3s-io/k3s extractVersion=(?<version>1\.30\..+)
 37 | K3S_VERSION = 'v1.30.3+k3s1'
 38 | 
 39 | # see https://github.com/kube-vip/kube-vip/releases
 40 | # renovate: datasource=github-releases depName=kube-vip/kube-vip
 41 | KUBE_VIP_VERSION = 'v0.8.2'
 42 | 
 43 | # see https://github.com/helm/helm/releases
 44 | # renovate: datasource=github-releases depName=helm/helm
 45 | HELM_VERSION = 'v3.15.3'
 46 | 
 47 | # see https://github.com/helmfile/helmfile/releases
 48 | # renovate: datasource=github-releases depName=helmfile/helmfile
 49 | HELMFILE_VERSION = '0.167.1'
 50 | 
 51 | # see https://github.com/kubernetes/dashboard/releases
 52 | # renovate: datasource=helm depName=kubernetes-dashboard registryUrl=https://kubernetes.github.io/dashboard
 53 | K8S_DASHBOARD_CHART_VERSION = 'v7.5.0'
 54 | 
 55 | # see https://github.com/derailed/k9s/releases
 56 | # renovate: datasource=github-releases depName=derailed/k9s
 57 | K9S_VERSION = 'v0.32.5'
 58 | 
 59 | # see https://github.com/kubernetes-sigs/krew/releases
 60 | # renovate: datasource=github-releases depName=kubernetes-sigs/krew
 61 | KREW_VERSION = 'v0.4.4'
 62 | 
 63 | # see https://github.com/etcd-io/etcd/releases
 64 | # NB make sure you use a version compatible with k3s.
 65 | # renovate: datasource=github-releases depName=etcd-io/etcd
 66 | ETCDCTL_VERSION = 'v3.5.15'
 67 | 
 68 | # see https://artifacthub.io/packages/helm/bitnami/metallb
 69 | # renovate: datasource=helm depName=metallb registryUrl=https://charts.bitnami.com/bitnami
 70 | METALLB_CHART_VERSION = '6.3.10' # app version: 0.14.8
 71 | 
 72 | # see https://www.terraform.io/downloads.html
 73 | # see https://github.com/hashicorp/terraform/releases
 74 | # renovate: datasource=github-releases depName=hashicorp/terraform
 75 | TERRAFORM_VERSION = '1.9.4'
 76 | 
 77 | # see https://artifacthub.io/packages/helm/cert-manager/cert-manager
 78 | # renovate: datasource=helm depName=cert-manager registryUrl=https://charts.jetstack.io
 79 | CERT_MANAGER_CHART_VERSION = '1.15.2' # app version: 1.15.2
 80 | 
 81 | # see https://github.com/stakater/reloader
 82 | # see https://artifacthub.io/packages/helm/stakater/reloader
 83 | # renovate: datasource=helm depName=reloader registryUrl=https://stakater.github.io/stakater-charts
 84 | RELOADER_CHART_VERSION = '1.0.121' # app version: 1.0.121
 85 | 
 86 | # see https://gitlab.com/gitlab-org/charts/gitlab-runner/-/tags
 87 | # renovate: datasource=helm depName=gitlab-runner registryUrl=https://charts.gitlab.io
 88 | GITLAB_RUNNER_CHART_VERSION = '0.67.1'
 89 | 
 90 | # link to the gitlab-vagrant environment (https://github.com/rgl/gitlab-vagrant running at ../gitlab-vagrant).
 91 | GITLAB_FQDN = 'gitlab.example.com'
 92 | GITLAB_IP = '10.10.9.99'
 93 | 
 94 | # see https://github.com/argoproj/argo-cd/releases
 95 | # renovate: datasource=github-releases depName=argoproj/argo-cd
 96 | ARGOCD_CLI_VERSION = '2.12.0'
 97 | 
 98 | # see https://artifacthub.io/packages/helm/argo/argo-cd
 99 | # see https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
100 | # renovate: datasource=helm depName=argo-cd registryUrl=https://argoproj.github.io/argo-helm
101 | ARGOCD_CHART_VERSION = '7.4.3' # app version 2.12.0.
102 | 
103 | # see https://artifacthub.io/packages/helm/crossplane/crossplane
104 | # see https://github.com/crossplane/crossplane/tree/master/cluster/charts/crossplane
105 | # see https://github.com/crossplane/crossplane/releases
106 | # renovate: datasource=github-releases depName=crossplane/crossplane
107 | CROSSPLANE_CHART_VERSION = '1.16.0' # app version 1.16.0.
108 | 
109 | # see https://marketplace.upbound.io/providers/upbound/provider-aws-s3
110 | # see https://github.com/upbound/provider-aws
111 | # renovate: datasource=github-releases depName=upbound/provider-aws
112 | CROSSPLANE_PROVIDER_AWS_S3_VERSION = '1.11.0'
113 | 
114 | # set the flannel backend. use one of:
115 | # * host-gw:          non-secure network (needs ethernet (L2) connectivity between nodes).
116 | # * vxlan:            non-secure network (needs UDP (L3) connectivity between nodes).
117 | # * wireguard-native: secure network (needs UDP (L3) connectivity between nodes).
118 | FLANNEL_BACKEND = 'host-gw'
119 | #FLANNEL_BACKEND = 'vxlan'
120 | #FLANNEL_BACKEND = 'wireguard-native'
121 | 
122 | NUMBER_OF_SERVER_NODES  = 1
123 | NUMBER_OF_AGENT_NODES   = 1
124 | 
125 | BRIDGE_NAME           = nil
126 | REGISTRY_FQDN         = 'registry.example.test'
127 | REGISTRY_IP           = '10.11.0.4'
128 | SERVER_FQDN           = 's.example.test'
129 | SERVER_VIP            = '10.11.0.30'
130 | FIRST_SERVER_NODE_IP  = '10.11.0.31'
131 | FIRST_AGENT_NODE_IP   = '10.11.0.41'
132 | LB_IP_RANGE           = '10.11.0.50-10.11.0.69'
133 | 
134 | # connect to the physical network through the host br-lan bridge.
135 | # BRIDGE_NAME           = 'br-lan'
136 | # REGISTRY_IP           = '192.168.1.4'
137 | # SERVER_VIP            = '192.168.1.30'
138 | # FIRST_SERVER_NODE_IP  = '192.168.1.31'
139 | # FIRST_AGENT_NODE_IP   = '192.168.1.41'
140 | # LB_IP_RANGE           = '192.168.1.50-192.168.1.69'
141 | 
142 | SERVER_NODES  = generate_nodes(FIRST_SERVER_NODE_IP, NUMBER_OF_SERVER_NODES, 's')
143 | AGENT_NODES   = generate_nodes(FIRST_AGENT_NODE_IP, NUMBER_OF_AGENT_NODES, 'a')
144 | K3S_TOKEN     = get_or_generate_k3s_token
145 | 
146 | EXTRA_HOSTS = """
147 | #{REGISTRY_IP} #{REGISTRY_FQDN}
148 | #{SERVER_VIP} #{SERVER_FQDN}
149 | #{GITLAB_IP} #{GITLAB_FQDN}
150 | """
151 | 
152 | # provision common tools between servers and agents.
153 | def provision_common(config, role, n)
154 |   config.vm.provision 'shell', path: 'provision-helm.sh', args: [HELM_VERSION] # NB k3s also has a HelmChart CRD.
155 |   config.vm.provision 'shell', path: 'provision-helmfile.sh', args: [HELMFILE_VERSION]
156 |   config.vm.provision 'shell', path: 'provision-k9s.sh', args: [K9S_VERSION]
157 | end
158 | 
159 | # provision the user workloads when running in the last agent or server (iif
160 | # there are no agents).
161 | def provision_user_workloads(config, role, n)
162 |   if (role == 'agent' && n == NUMBER_OF_AGENT_NODES) || (role == 'server' && n == NUMBER_OF_SERVER_NODES && NUMBER_OF_AGENT_NODES == 0) then
163 |     env = {
164 |       'KUBECONFIG' => '/vagrant/tmp/admin.conf',
165 |     }
166 |     config.vm.provision 'shell', path: 'provision-terraform.sh', args: [TERRAFORM_VERSION], env: env
167 |     config.vm.provision 'shell', path: 'provision-cert-manager.sh', args: [CERT_MANAGER_CHART_VERSION], env: env
168 |     config.vm.provision 'shell', path: 'provision-reloader.sh', args: [RELOADER_CHART_VERSION], env: env
169 |     config.vm.provision 'shell', path: 'provision-k8s-dashboard.sh', args: [K8S_DASHBOARD_CHART_VERSION], env: env
170 |     config.vm.provision 'shell', path: 'provision-gitlab-runner.sh', args: [GITLAB_RUNNER_CHART_VERSION, GITLAB_FQDN, GITLAB_IP], env: env
171 |     config.vm.provision 'shell', path: 'provision-argocd.sh', args: [ARGOCD_CLI_VERSION, ARGOCD_CHART_VERSION], env: env
172 |     config.vm.provision 'shell', path: 'provision-crossplane.sh', args: [CROSSPLANE_CHART_VERSION, CROSSPLANE_PROVIDER_AWS_S3_VERSION], env: env
173 |   end
174 | end
175 | 
176 | Vagrant.configure(2) do |config|
177 |   config.vm.box = 'debian-12-amd64'
178 | 
179 |   config.vm.provider 'libvirt' do |lv, config|
180 |     lv.cpus = 2
181 |     lv.cpu_mode = 'host-passthrough'
182 |     lv.nested = true
183 |     lv.keymap = 'pt'
184 |     lv.disk_bus = 'scsi'
185 |     lv.disk_device = 'sda'
186 |     lv.disk_driver :discard => 'unmap', :cache => 'unsafe'
187 |     lv.machine_virtual_size = 16
188 |     # NB vagrant-libvirt does not yet support urandom. but we'll modify this to
189 |     #    urandom in the trigger bellow.
190 |     lv.random :model => 'random'
191 |     config.vm.synced_folder '.', '/vagrant', type: 'nfs', nfs_version: '4.2', nfs_udp: false
192 |     config.trigger.before :'VagrantPlugins::ProviderLibvirt::Action::StartDomain', type: :action do |trigger|
193 |       trigger.ruby do |env, machine|
194 |         # modify the random model to use the urandom backend device.
195 |         stdout, stderr, status = Open3.capture3(
196 |           'virt-xml', machine.id,
197 |           '--edit',
198 |           '--rng', '/dev/urandom')
199 |         if status.exitstatus != 0
200 |           raise "failed to run virt-xml to modify the random backend device. status=#{status.exitstatus} stdout=#{stdout} stderr=#{stderr}"
201 |         end
202 |         # modify the scsi controller model to virtio-scsi.
203 |         # see https://github.com/vagrant-libvirt/vagrant-libvirt/pull/692
204 |         # see https://github.com/vagrant-libvirt/vagrant-libvirt/issues/999
205 |         stdout, stderr, status = Open3.capture3(
206 |           'virt-xml', machine.id,
207 |           '--edit', 'type=scsi',
208 |           '--controller', 'model=virtio-scsi')
209 |         if status.exitstatus != 0
210 |           raise "failed to run virt-xml to modify the scsi controller model. status=#{status.exitstatus} stdout=#{stdout} stderr=#{stderr}"
211 |         end
212 |       end
213 |     end
214 |   end
215 | 
216 |   config.vm.define 'registry' do |config|
217 |     config.vm.provider 'libvirt' do |lv, config|
218 |       lv.memory = 2*1024
219 |     end
220 |     config.vm.hostname = REGISTRY_FQDN
221 |     if BRIDGE_NAME
222 |       config.vm.network :public_network, mode: 'bridge', type: 'bridge', dev: BRIDGE_NAME, ip: REGISTRY_IP, auto_config: false
223 |       config.vm.provision 'shell', path: 'provision-network.sh', args: [REGISTRY_IP]
224 |       config.vm.provision 'reload'
225 |     else
226 |       config.vm.network :private_network, ip: REGISTRY_IP, libvirt__forward_mode: 'none', libvirt__dhcp_enabled: false
227 |     end
228 |     config.vm.provision 'shell', path: 'provision-base.sh', args: [EXTRA_HOSTS]
229 |     config.vm.provision 'shell', path: 'provision-zot.sh', args: [ZOT_VERSION]
230 |   end
231 | 
232 |   SERVER_NODES.each do |name, fqdn, ip_address, n|
233 |     config.vm.define name do |config|
234 |       config.vm.provider 'libvirt' do |lv, config|
235 |         lv.memory = 2*1024
236 |       end
237 |       config.vm.hostname = fqdn
238 |       if BRIDGE_NAME
239 |         config.vm.network :public_network, mode: 'bridge', type: 'bridge', dev: BRIDGE_NAME, ip: ip_address, auto_config: false
240 |         config.vm.provision 'shell', path: 'provision-network.sh', args: [ip_address]
241 |         config.vm.provision 'reload'
242 |       else
243 |         config.vm.network :private_network, ip: ip_address, libvirt__forward_mode: 'none', libvirt__dhcp_enabled: false
244 |       end
245 |       config.vm.provision 'shell', path: 'provision-base.sh', args: [EXTRA_HOSTS]
246 |       config.vm.provision 'shell', path: 'provision-wireguard.sh'
247 |       config.vm.provision 'shell', path: 'provision-etcdctl.sh', args: [ETCDCTL_VERSION]
248 |       config.vm.provision 'shell', path: 'provision-containerd-shim-spin-v2.sh'
249 |       config.vm.provision 'shell', path: 'provision-containerd-configuration.sh'
250 |       config.vm.provision 'shell', path: 'provision-k3s-registries.sh'
251 |       config.vm.provision 'shell', path: 'provision-k3s-server.sh', args: [
252 |         n == 1 ? "cluster-init" : "cluster-join",
253 |         K3S_CHANNEL,
254 |         K3S_VERSION,
255 |         K3S_TOKEN,
256 |         FLANNEL_BACKEND,
257 |         ip_address,
258 |         KREW_VERSION,
259 |         NUMBER_OF_AGENT_NODES > 0 && '1' || '0',
260 |       ]
261 |       provision_common(config, 'server', n)
262 |       if n == 1
263 |         config.vm.provision 'shell', path: 'provision-kube-vip.sh', args: [KUBE_VIP_VERSION, SERVER_VIP]
264 |         config.vm.provision 'shell', path: 'provision-metallb.sh', args: [METALLB_CHART_VERSION, LB_IP_RANGE]
265 |       end
266 |       provision_user_workloads(config, 'server', n)
267 |     end
268 |   end
269 | 
270 |   AGENT_NODES.each do |name, fqdn, ip_address, n|
271 |     config.vm.define name do |config|
272 |       config.vm.provider 'libvirt' do |lv, config|
273 |         lv.memory = 2*1024
274 |       end
275 |       config.vm.hostname = fqdn
276 |       if BRIDGE_NAME
277 |         config.vm.network :public_network, mode: 'bridge', type: 'bridge', dev: BRIDGE_NAME, ip: ip_address, auto_config: false
278 |         config.vm.provision 'shell', path: 'provision-network.sh', args: [ip_address]
279 |         config.vm.provision 'reload'
280 |       else
281 |         config.vm.network :private_network, ip: ip_address, libvirt__forward_mode: 'none', libvirt__dhcp_enabled: false
282 |       end
283 |       config.vm.provision 'shell', path: 'provision-base.sh', args: [EXTRA_HOSTS]
284 |       config.vm.provision 'shell', path: 'provision-wireguard.sh'
285 |       config.vm.provision 'shell', path: 'provision-containerd-shim-spin-v2.sh'
286 |       config.vm.provision 'shell', path: 'provision-containerd-configuration.sh'
287 |       config.vm.provision 'shell', path: 'provision-k3s-registries.sh'
288 |       config.vm.provision 'shell', path: 'provision-k3s-agent.sh', args: [
289 |         K3S_CHANNEL,
290 |         K3S_VERSION,
291 |         K3S_TOKEN,
292 |         ip_address
293 |       ]
294 |       provision_common(config, 'agent', n)
295 |       provision_user_workloads(config, 'agent', n)
296 |     end
297 |   end
298 | 
299 |   config.trigger.before :up do |trigger|
300 |     trigger.only_on = 'registry'
301 |     trigger.run = {
302 |       inline: '''bash -euc \'
303 | install -d tmp
304 | artifacts=(
305 |   ../gitlab-vagrant/tmp/gitlab.example.com-crt.pem
306 |   ../gitlab-vagrant/tmp/gitlab.example.com-crt.der
307 |   ../gitlab-vagrant/tmp/gitlab-runner-authentication-token-kubernetes-k3s.json
308 | )
309 | for artifact in "${artifacts[@]}"; do
310 |   if [ -f $artifact ]; then
311 |     rsync $artifact tmp
312 |   fi
313 | done
314 | \'
315 | '''
316 |     }
317 |   end
318 | end
319 | 


--------------------------------------------------------------------------------