# kubeadm-photon-os

### Pre-Requisitos

sed -i -e "s/^PermitRootLogin *no$/PermitRootLogin yes/" /etc/ssh/sshd_config && systemctl restart sshd

mkdir /etc/docker

cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
EOF
 
systemctl daemon-reload
systemctl enable docker
systemctl restart docker

tdnf install -y tar wget ebtables ethtool socat conntrack-tools
CNI_VERSION="v0.8.2"
mkdir -p /opt/cni/bin

curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-amd64-${CNI_VERSION}.tgz" | tar -C /opt/cni/bin -xz

DOWNLOAD_DIR=/usr/local/bin

CRICTL_VERSION="v1.21.3"

curl -L "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" | tar -C $DOWNLOAD_DIR -xz

RELEASE="$(curl -sSL https://dl.k8s.io/release/stable.txt)"
cd $DOWNLOAD_DIR

curl -L --remote-name-all https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}

chmod +x {kubeadm,kubelet,kubectl}

RELEASE_VERSION="v0.2.7"

curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | tee /etc/systemd/system/kubelet.service

mkdir -p /etc/systemd/system/kubelet.service.d

curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | tee /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

systemctl enable --now kubelet
systemctl daemon-reload

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

systemctl disable iptables
systemctl stop iptables

### Instalación de ETCD Externo

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

chmod +x cfssl*

mv cfssl_linux-amd64 /usr/local/bin/cfssl

mv cfssljson_linux-amd64 /usr/local/bin/cfssljson

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname=172.16.100.100,172.16.100.111,172.16.100.112,172.16.100.113,127.0.0.1,kubernetes.default -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes

scp ca.pem kubernetes.pem kubernetes-key.pem root@<"PeerIPx">:~

mkdir /etc/etcd

cp ca.pem kubernetes.pem kubernetes-key.pem /etc/etcd

cd /tmp

wget https://github.com/coreos/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz

tar -zxvf etcd-v3.5.0-linux-amd64.tar.gz

mv etcd-v3.5.0-linux-amd64/etcd* /usr/local/bin/

cd /opt/bootstrap

mv etcd.service /etc/systemd/system/etcd.service

systemctl daemon-reload

systemctl enable etcd

systemctl start etcd

### Actualizar la configuración

kubeadm config migrate --old-config config.yaml --new-config config1.yaml

### Inicializar el cluster

kubeadm init --config=config.yaml

kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'

      kubectl patch node photon-kubectr01 -p '{"spec":{"podCIDR":"10.244.0.0/24"}}'


### Copiar certificados al resto de nodos master

scp -r /etc/kubernetes/pki root@172.16.100.112:/etc/kubernetes/.
scp -r /etc/kubernetes/pki root@172.16.100.113:/etc/kubernetes/.

### Realizar en los nuevos nodos

rm /etc/kubernetes/pki/apiserver.*

### Incorporar nuevos master

  kubeadm join 172.16.100.100:6443 --token colmta.7uxl2adqk6x6w6wu \
        --discovery-token-ca-cert-hash sha256:87497e41439ff2d7c620eff16c534d1c67c8dc0a9b6c43543bc4e008305f7106 \
        --control-plane



### Incorporar nuevos workers

kubeadm join 172.16.100.100:6443 --token colmta.7uxl2adqk6x6w6wu \
        --discovery-token-ca-cert-hash sha256:87497e41439ff2d7c620eff16c534d1c67c8dc0a9b6c43543bc4e008305f7106


### Despliegue de calico

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

### Ajustar iptables /etc/systemd/scripts/ip4save

# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2379:2380 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10250:10252 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4789 -j ACCEPT

-A OUTPUT -j ACCEPT

COMMIT
# Completed on Wed Jul 28 18:36:00 2021