THIS PROJECT IS STILL WORK IN PROGRESS
The configuration and automation of a k3s cluster.
Flux is used to automatically provision the manifests.
MacOS: brew install fluxcd/tap/flux
export CLUSTER=
$CLUSTER-ansible.key
cp inventory-sample.yaml inventory-$CLUSTER.yaml
pbpaste | ansible-vault encrypt_string --vault-password-file $CLUSTER-ansible.key --name k3sToken
(`--name` has to be the name of the encrypted key.)
cp -r clusters/sample clusters/$CLUSTER
clusters/$CLUSTER/infrastructure.yaml
manifest
cp -r infrastructure/sample infrastructure/$CLUSTER
ansible-playbook -i inventory-$CLUSTER.yaml tools/generate_files.yml --extra-vars=cluster_name=$CLUSTER
./generate-secrets.sh
ansible-playbook -i inventory-$CLUSTER.yaml tools/store_known_hosts.yml
ansible-playbook -i inventory-$CLUSTER.yaml main.yml --extra-vars=cluster_name=$CLUSTER --vault-password-file $CLUSTER-ansible.key
export CLUSTER=
again.
ansible-playbook -i inventory-$CLUSTER.yaml tools/get_kubeconfig.yml --extra-vars=cluster_name=$CLUSTER
ssh -L 6443:10.1.0.1:6443 IP_OF_A_MASTER
export CLUSTER=
again.
kubeconfig-$CLUSTER.yaml
with 127.0.0.1.
KUBECONFIG=kubeconfig-$CLUSTER.yaml
export GITHUB_TOKEN=$(pbpaste)
with a personal access token (everything in repo is enabled) in your clipboard.
flux bootstrap github --owner=fischerscode --repository=my-k3s --path=clusters/$CLUSTER --branch master --personal
flux get all
kubeconfig-$CLUSTER.yaml
with kubernetes_api_public_address.
.github/workflows/update-flux.yaml
kubectl get secret -n monitoring grafana-cred --template={{.data.ADMIN_PASSWORD}} | base64 -d | pbcopy
brew install gnupg sops
Generate a GPG/OpenPGP key with no passphrase (%no-protection):
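# Generate the cluster's OpenPGP key for flux/sops secrets and export its
# secret half to ./$CLUSTER.key.
# Reads:   CLUSTER (must be set and non-empty; it is part of the key name and
#          of the output file name)
# Writes:  KEY_NAME, KEY_COMMENT, KEY_FP (all exported), ./$CLUSTER.key
: "${CLUSTER:?CLUSTER must be set before generating the key}"
export KEY_NAME="$CLUSTER.my-k3s.fischerscode.com"
export KEY_COMMENT="flux secrets"
# Unattended generation. %no-protection creates the key WITHOUT a passphrase
# (presumably so sops can use it unattended — confirm that is intended);
# Key-Type 1 is RSA; Expire-Date 0 means the key never expires.
gpg --batch --full-generate-key <<EOF
%no-protection
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Expire-Date: 0
Name-Comment: ${KEY_COMMENT}
Name-Real: ${KEY_NAME}
EOF
gpg --list-keys "${KEY_NAME}"
# Take the primary-key fingerprint from gpg's machine-readable listing
# (field 10 of the first "fpr" record) instead of copying it by hand;
# abort if nothing was found so later steps never see an empty KEY_FP.
KEY_FP=$(gpg --list-keys --with-colons "${KEY_NAME}" | awk -F: '$1 == "fpr" { print $10; exit }')
: "${KEY_FP:?could not determine the fingerprint of ${KEY_NAME}}"
export KEY_FP
# The exported secret key is unencrypted, so create the file with owner-only
# permissions; the umask change is confined to the subshell.
(umask 077; gpg --export-secret-keys --armor "${KEY_NAME}" > "$CLUSTER.key")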
(Ansible will search for this key and apply it as a secret if present.)
gpg --export-secret-keys --armor ${KEY_NAME} | pbcopy
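# Publish the cluster's public key for sops, register the key in .sops.yaml,
# and re-import the secret key from the exported file.
# Reads:   CLUSTER, KEY_NAME, KEY_FP (all must be set and non-empty)
# Writes:  ./clusters/$CLUSTER/.sops.pub.asc; appends two creation rules to
#          ./.sops.yaml; replaces the secret key in the local keyring with the
#          copy stored in ./$CLUSTER.key
: "${CLUSTER:?CLUSTER must be set}"
: "${KEY_NAME:?KEY_NAME must be set}"
: "${KEY_FP:?KEY_FP must be set to the fingerprint of ${KEY_NAME}}"
gpg --export --armor "${KEY_NAME}" > "./clusters/$CLUSTER/.sops.pub.asc"
# Each rule is one list item; encrypted_regex and pgp belong to the item that
# starts with path_regex, so they must be indented beneath it — at the same
# indent as "-" they would be parsed as sibling mapping keys and break the YAML.
cat <<EOF >> .sops.yaml
- path_regex: /$CLUSTER\/.*\.yaml$
  encrypted_regex: ^(data|stringData)$
  pgp: ${KEY_FP}
- path_regex: /$CLUSTER\/.*\.encrypted$
  pgp: ${KEY_FP}
EOF
# Remove the key from the keyring and load it back from the exported file.
# NOTE(review): this looks like a check that $CLUSTER.key is complete and
# importable — confirm; --delete-secret-keys prompts unless run with --batch --yes.
gpg --delete-secret-keys "${KEY_NAME}"
gpg --import "$CLUSTER.key"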