-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathubuntu-setup-control-repo.txt
87 lines (63 loc) · 2.92 KB
/
ubuntu-setup-control-repo.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#
# Setup seba control repo in a pod
#
# Sets up ansible ssh keying and optionally a TLS CA, apt, docker, helm, and oar repositories.
#
#
# Make sure that on all 3 destination node hosts the non-root-user can
# sudo to root without password. The following must be the bottom of /etc/sudoers
# non-root-user ALL=(ALL:ALL) NOPASSWD:ALL
# For example on each host using a user called "foundry" as the non-root-user:
# useradd -m -d /home/foundry -s /bin/bash foundry
# passwd foundry
# export EDITOR=vi; visudo
# ...
# foundry ALL=(ALL:ALL) NOPASSWD:ALL
# SSH and run from the seba-control-repo vm instance...
# Generate needed SSH keyed authentication as non-root-user (foundry). needed for ansible
cd ~/
ssh-keygen -t rsa
# Replace with 3 IP of your to be installed k8s hosts. Replace non-root-user with username
# that exists on to be installed k8s hosts. Replace 10.242.11.X with your 3 to be installed k8s hosts
# This pre-shared ssh key is needed for ansible to work
declare -a IPS=(10.242.11.1 10.242.11.2 10.242.11.3)
for i in ${IPS[@]}; do cat ~/.ssh/id_rsa.pub | ssh foundry@$i 'mkdir -p ~/.ssh/; cat >> ~/.ssh/authorized_keys'; done
# Add 3 workers to /etc/hosts on ansible/seba-control-repo host
vi /etc/hosts
10.242.11.1 lab-kube-01
10.242.11.2 lab-kube-02
10.242.11.3 lab-kube-03
# Install versioned seba-control-repo.tgz if does not exist. Pull from external storage or scp copy in. Or git clone.
cd ~/
tar -zxvf seba-control-repo.tgz
# or
# git clone https://github.com/etowah/seba-control-repo.git
#
# Below is optional if you want to run a local docker registry
#
# Generate pod CA key.
# Generate pod docker-repo key
cp -a ~/seba-control-repo/seba-pod-ca ~/
cd ~/seba-pod-ca/
# setup CA dir structure
mkdir -p issued
mkdir -p ca/private
mkdir -p ca/newcerts
touch ca/index.txt
echo 00 > ca/serial
# generate and self sign CA
openssl req -config seba-pod-ca-selfsign.cnf -new -newkey rsa:4096 -nodes -keyout ca/private/ca.key -out ca/ca.csr
openssl ca -config seba-pod-ca-certauth.cnf -out ca/ca.crt -days 3650 -keyfile ca/private/ca.key -selfsign -extensions v3_ca -infiles ca/ca.csr
# generate docker repo key and csr
openssl req -config docker-repo.cnf -new -newkey rsa:4096 -nodes -keyout issued/docker-repo.key -out issued/docker-repo.csr
# sign docker repo csr, generate cert, from ca
openssl ca -config seba-pod-ca-certauth.cnf -keyfile ca/private/ca.key -cert ca/ca.crt -policy policy_anything -days 3650 -in issued/docker-repo.csr -out issued/docker-repo.crt
# Install ca locally
sudo cp ~/seba-pod-ca/ca/ca.crt /usr/local/share/ca-certificates/seba-pod-ca.crt
sudo update-ca-certificates
sudo systemctl restart docker
# Setup Docker repo. Adding key/cert allows docker-repo to start
sudo cp ~/seba-pod-ca/issued/docker-repo.key /var/docker-persist/docker-registry/certs
sudo cp ~/seba-pod-ca/issued/docker-repo.crt /var/docker-persist/docker-registry/certs
sudo systemctl start docker-repo
sudo systemctl enable docker-repo