diff --git a/docs/airgap/README.md b/docs/airgap/README.md index e25d3aa59ceaaa954415a78f8f6f2d1269b4e9da..82f24f72bd3b0f1095549353a6adf48aae5f06e0 100644 --- a/docs/airgap/README.md +++ b/docs/airgap/README.md @@ -88,7 +88,7 @@ You can follow the process below to setup git with `repositories.tar.gz` on the ```bash $ sudo useradd --create-home --shell /bin/bash git -$ ssh-keygen -f ~/.ssh/identity +$ ssh-keygen -b 4096 -t rsa -f ~/.ssh/identity -q -N "" ``` - Create .SSH folder for `git` user @@ -114,18 +114,29 @@ $ ssh-keygen -f ~/.ssh/identity $ sudo tar -xvf repositories.tar.gz --directory /home/git/ ``` +- Add Hostname alias + + ```bash + PRIVATEIP=$( curl http://169.254.169.254/latest/meta-data/local-ipv4 ) + sudo sed -i -e '1i'$PRIVATEIP' 'myhostname.com'\' /etc/hosts + sudo sed -i -e '1i'$PRIVATEIP' 'host.k3d.internal'\' /etc/hosts #only for k3d + ``` + + + - To test the client key; ```bash GIT_SSH_COMMAND='ssh -i /[client-private-key-path] -o IdentitiesOnly=yes' git clone git@[hostname/IP]:/home/git/repos/[sample-repo] #For example; - PRIVATEIP=$( curl http://169.254.169.254/latest/meta-data/local-ipv4 ) - GIT_SSH_COMMAND='ssh -i ~/.ssh/identity -o IdentitiesOnly=yes' git clone git@$PRIVATEIP:/home/git/repos/istio-controlplane + GIT_SSH_COMMAND='ssh -i ~/.ssh/identity -o IdentitiesOnly=yes' git clone git@host.k3d.internal:/home/git/repos/bigbang + #checkout release branch + git checkout 1.3.0 ``` - + ## Private Registry Images needed to run BB in your cluster is packaged as part of the release in `images.tar.gz`. You can see the list of required images in `images.txt`. In our airgap environment, we need to setup a registry that our cluster can pull required images from or an existing cluster where we can copy images from `images.tar.gz` into. 
@@ -134,16 +145,28 @@ Images needed to run BB in your cluster is packaged as part of the release in `i To setup the registry, we will be using `registry:2` to run a private registry with self-signed certificate. -First, untar `images.tar.gz`; +- First, untar `images.tar.gz`; ```bash -tar -xf images.tar.gz -C . +tar -xvf images.tar.gz -C . ``` -Use the script [registry.sh](./scripts/registry.sh) to create registry; +- SCP `registry:2` tar file + + ```bash + docker save -o registry2.tar registry:2 + docker save -o k3s.tar rancher/k3s:v1.20.5-rc1-k3s1 #check release matching version + scp registry2.tar k3s.tar ubuntu@hostname:~ #modify according to your environment + docker load -i registry2.tar #on your registry server + docker load -i k3s.tar + ``` + + + +- Use the script [registry.sh](./scripts/registry.sh) to create registry; ```bash -$ sudo ./registry.sh +$ chmod +x registry.sh && sudo ./registry.sh Required information: Enter bit size for certs (Ex. 4096): 4096 @@ -181,7 +204,7 @@ Notes To see images in the registry; ========================= -curl https://myregistry.com:5443/v2/_catalog -k +curl https://myhostname.com:5443/v2/_catalog -k ========================= ``` 
@@ -191,7 +214,7 @@ A folder is created with TLS certs that we are going to supply to our k8s cluste You can ensure the images are now loaded in the registry; ```bash - curl -k https://10.0.52.144:5443/v2/_catalog + curl -k https://myhostname.com:5443/v2/_catalog {"repositories":["ironbank/anchore/engine/engine","ironbank/anchore/enterprise/enterprise","ironbank/anchore/enterpriseui/enterpriseui","ironbank/big-bang/argocd","ironbank/bitnami/analytics/redis-exporter","ironbank/elastic/eck-operator/eck-operator","ironbank/elastic/elasticsearch/elasticsearch","ironbank/elastic/kibana/kibana","ironbank/fluxcd/helm-controller","ironbank/fluxcd/kustomize-controller","ironbank/fluxcd/notification-controller","ironbank/fluxcd/source-controller","ironbank/gitlab/gitlab/alpine-certificates","ironbank/gitlab/gitlab/cfssl-self-sign","ironbank/gitlab/gitlab/gitaly",...] ``` @@ -246,15 +269,19 @@ spec: #### RKE2 cluster ```yaml +#registries.yaml mirrors: registry.dso.mil: endpoint: - - https://myregistry.com:5443 + - https://myhostname.com:5443 + registry1.dso.mil: + endpoint: + - https://myhostname.com:5443 registry1.dso.mil: endpoint: - - https://myregistry.com:5443 + - https://myhostname.com:5443 configs: - myregistry.com:5443: + myhostname.com:5443: tls: ca_file: "/etc/ssl/certs/registry1.pem" ``` @@ -263,10 +290,7 @@ configs: ## Installing Big Bang -Untar bigbag - ```bash -$ tar -xf bigbang-[version].tar.gz -C . $ cd bigbang ``` @@ -276,10 +300,13 @@ Install Flux 2 into the cluster using the provided artifacts. These are located kubectl apply -f ./scripts/deploy/flux.yaml - After Flux is up and running you are ready to deploy Big Bang. We will do this using Helm. To first check to see if Flux is ready you can do. - kubectl get all -n flux-system +You can watch to see if Flux is reconciling the projects by watching the progress. + +```bash +watch kubectl get all -n flux-system +``` We need a namespace for our preparations and eventually for Big Bang to deploy into. 
@@ -308,8 +335,8 @@ For your Git repository you have two options for setting up the credentials. Option 1: Use an existing secret. cd ~/.ssh - ssh-keygen -q -N "" -f ./identity - ssh-keyscan <YOUR GIT URL HERE> ./known_hosts + ssh-keygen -b 4096 -t rsa -f ~/.ssh/identity -q -N "" + ssh-keyscan <YOUR GIT URL HERE> ./known_hosts kubectl create secret generic -n bigbang ssh-credentials \ --from-file=./identity \ @@ -388,12 +415,9 @@ Take the values from each of these files and place in the correct fields in the Then install Big Bang using Helm. helm upgrade -i bigbang chart -n bigbang --create-namespace -f values.yaml + watch kubectl get gitrepositories,kustomizations,hr,po -A ** Note that the --create-namespace isn't needed if you created it earlier, but it doesn't hurt anything. -You can watch to see if Flux is reconciling the projects by watching the progress. - - watch kubectl get gitrepositories,kustomizations,hr,po -A - You should see the diffent projects configure working through their reconciliation starting with "gatekeeper". diff --git a/docs/airgap/developer/developer.md b/docs/airgap/developer/developer.md index d5d38690536879940e8dc4baca793985b0b823ec..47de786d7e677023d28dcf35b77ea0475e8cb15c 100644 --- a/docs/airgap/developer/developer.md +++ b/docs/airgap/developer/developer.md 
@@ -6,16 +6,14 @@ To test Airgap BigBang on k3d - Launch ec2 instance of size `c5.2xlarge` and ssh into the instance with at least 50GB storage. -- Install [Docker](https://docs.docker.com/engine/install/ubuntu/) - -- Install [K3D](https://k3d.io/#installation) +- Install `k3d` and `docker` cli tools - Download `images.tar.gz`, `repositories.tar.gz` and `bigbang-version.tar.gz` from BigBang release. ```bash - $ curl -O https://umbrella-bigbang-releases.s3-us-gov-west-1.amazonaws.com/umbrella/1.2.0/repositories.tar.gz - $ curl -O https://umbrella-bigbang-releases.s3-us-gov-west-1.amazonaws.com/umbrella/1.2.0/images.tar.gz - $ curl -O https://repo1.dso.mil/platform-one/big-bang/bigbang/-/archive/1.2.0/bigbang-1.2.0.tar.gz + $ curl -O https://umbrella-bigbang-releases.s3-us-gov-west-1.amazonaws.com/umbrella/1.3.0/repositories.tar.gz + $ curl -O https://umbrella-bigbang-releases.s3-us-gov-west-1.amazonaws.com/umbrella/1.3.0/images.tar.gz + $ sudo apt install -y net-tools ``` @@ -28,15 +26,15 @@ To test Airgap BigBang on k3d mirrors: registry.dso.mil: endpoint: - - https://[$PRIVATEIP]:5443 + - https://host.k3d.internal:5443 registry1.dso.mil: endpoint: - - https://[$PRIVATEIP]:5443 + - https://host.k3d.internal:5443 docker.io: endpoint: - - https://[$PRIVATEIP]:5443 + - https://host.k3d.internal:5443 configs: - myregistry.com:5443: + host.k3d.internal:5443: tls: ca_file: "/etc/ssl/certs/registry1.pem" ``` 
@@ -47,22 +45,17 @@ To test Airgap BigBang on k3d ```bash $ PRIVATEIP=$( curl http://169.254.169.254/latest/meta-data/local-ipv4 ) - $ k3d cluster create --api-port "${PRIVATEIP}:33989" -s 1 -a 2 -v "${HOME}/registries.yaml:/etc/rancher/k3s/registries.yaml" -v /etc/machine-id:/etc/machine-id -v "${HOME}/certs/myregistry.com.public.pem:/etc/ssl/certs/registry1.pem" --k3s-server-arg "--disable=traefik" --k3s-server-arg "--disable=metrics-server" --k3s-server-arg "--tls-san=$PRIVATEIP" -p 80:80@loadbalancer -p 443:443@loadbalancer + $ k3d cluster create --image "rancher/k3s:v1.20.5-rc1-k3s1" --api-port "33989" -s 1 -a 2 -v "${HOME}/registries.yaml:/etc/rancher/k3s/registries.yaml" -v /etc/machine-id:/etc/machine-id -v "${HOME}/certs/host.k3d.internal.public.pem:/etc/ssl/certs/registry1.pem" --k3s-server-arg "--disable=traefik" --k3s-server-arg "--disable=metrics-server" --k3s-server-arg "--tls-san=$PRIVATEIP" -p 80:80@loadbalancer -p 443:443@loadbalancer ``` - Bock all egress with `iptables` except those going to instance IP before deploying bigbang by running [k3d_airgap.sh](./scripts/k3d_airgap.sh) - ```bash - - ``` - ```bash $ sudo ./k3d_airgap.sh - $ curl https://index.docker.io/ #shouldnt work $ curl https://$PRIVATEIP:5443/v2/_catalog -k #show return list of images curl https://$PRIVATEIP:5443/v2/repositories/rancher/library-busybox/tags ``` 
@@ -72,7 +65,8 @@ To test Airgap BigBang on k3d - Test that mirroring is working ```bash -$ kubectl run -i --tty test --image=registry1.dso.mil/rancher/library-busybox:1.31.1 --image-pull-policy='Always' -- sh +$ curl -k -X GET https://$PRIVATEIP:5443/v2/rancher/local-path-provisioner/tags/list +$ kubectl run -i --tty test --image=registry1.dso.mil/rancher/local-path-provisioner:v0.0.19 --image-pull-policy='Always' --command sleep infinity -- sh $ kubectl run test --image=registry1.dso.mil/rancher/library-busybox:1.31.1 --image-pull-policy='Always' --restart=Never --command sleep infinity $ telnet default.kube-system.svc.cluster.local 443 $ kubectl describe po test @@ -87,7 +81,4 @@ $ kubectl describe po test #should fail $ kubectl delete po test ``` - - -- - Proceed to [bigbang deployment process](../README.md#installing-big-bang) \ No newline at end of file diff --git a/docs/airgap/scripts/airgap.sh b/docs/airgap/scripts/airgap.sh index fbe3e352fd9504d73d728d0640e2ae0c6fe5834e..312b7271954cecd29c80cde2ba5bb155a0c88641 100644 --- a/docs/airgap/scripts/airgap.sh +++ b/docs/airgap/scripts/airgap.sh @@ -4,3 +4,4 @@ PUBLICINTERFACE=$( route | grep '^default' | grep -o '[^ ]*$' ) iptables -I DOCKER-USER -i ${PUBLICINTERFACE} -j DROP iptables -I DOCKER-USER -d 10.42.0.0/16 -j RETURN iptables -I DOCKER-USER -d 10.43.0.0/16 -j RETURN +iptables -A DOCKER-USER -j RETURN \ No newline at end of file diff --git a/docs/airgap/scripts/registry.sh b/docs/airgap/scripts/registry.sh index e9502d1096a52c3ebe35b138e86f80a23ac9e075..c277cd051b548eca3a93dd12c4fab2722e22b938 100644 --- a/docs/airgap/scripts/registry.sh +++ b/docs/airgap/scripts/registry.sh @@ -1,4 +1,5 @@ #!/usr/bin/env bash +set -e # Installs/Configures: # - Docker Registy Container with self-signed cert 
@@ -37,10 +38,8 @@ prompt STATE "Enter the 'State' for the cert (Ex. CO)" prompt LOCATION "Enter the 'Location' for the cert (Ex. ColoradoSprings)" prompt ORGANIZATION "Enter the 'Organization' for the cert (Ex. PlatformOne)" prompt OUNIT "Enter the 'Organizational Unit' for the cert (Ex. Bigbang)" -prompt COMMON "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. myregistry.com)" - -PRIVATEIP=$( curl http://169.254.169.254/latest/meta-data/local-ipv4 ) - +prompt COMMON "Enter the 'Common Name' for the cert (Must be a FQDN (at least one period character) E.g. host.k3d.internal" +prompt ALTNAMES "Enter the 'Subject Alternative Names' for the cert E.g. DNS:host.k3d.internal,IP:PRIVATEIP)" # ... Certs ... # ~~~~~~~~~~~~~ @@ -48,7 +47,7 @@ PRIVATEIP=$( curl http://169.254.169.254/latest/meta-data/local-ipv4 ) # ... prep certs ... echo -e "\nGenerating certs ..." -mkdir certs +mkdir -p certs cd certs # Generate a root key openssl genrsa -out rootCA.key ${BITS} @@ -67,10 +66,11 @@ openssl req -new -key ${COMMON}.key \ -out ${COMMON}.csr # Sign certificate request -echo subjectAltName = IP:${PRIVATEIP} > extfile.cnf +echo subjectAltName = DNS:${COMMON},${ALTNAMES} > extfile.cnf openssl x509 -req -in ${COMMON}.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -days ${DAYS} \ -out ${COMMON}.crt -extfile extfile.cnf + openssl rsa -in ${COMMON}.key -text > ${COMMON}.private.pem openssl x509 -inform PEM -in ${COMMON}.crt > ${COMMON}.public.pem @@ -100,7 +100,8 @@ Notes To see images in the registry; ========================= -curl https://${PRIVATEIP}:5443/v2/_catalog -k +For example, + curl https://host.k3d.internal:5443/v2/_catalog -k ========================= " \ No newline at end of file diff --git a/docs/airgap/scripts/values.yaml b/docs/airgap/scripts/values.yaml index 4ee9677a85e91b6b76f3c93c6eee01fd3cbbc72b..a68db060dd901882926eff46455cbd9eff07ed27 100644 --- a/docs/airgap/scripts/values.yaml 
+++ b/docs/airgap/scripts/values.yaml @@ -1,7 +1,7 @@ # -- Domain used for BigBang created exposed services, can be overridden by individual packages. hostname: bigbang.dev registryCredentials: - registry: 10.25.21.9 + registry: host.k3d.internal username: "" password: "" email: "" @@ -16,33 +16,33 @@ flux: eckoperator: - enabled: false + enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/eck-operator + repo: ssh://git@host.k3d.internal/home/git/repos/eck-operator fluentbit: - enabled: false + enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/fluentbit + repo: ssh://git@host.k3d.internal/home/git/repos/fluentbit logging: - enabled: false + enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/elasticsearch-kibana + repo: ssh://git@host.k3d.internal/home/git/repos/elasticsearch-kibana istio: - enabled: false + enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/istio-controlplane + repo: ssh://git@host.k3d.internal/home/git/repos/istio-controlplane istiooperator: - enabled: false + enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/istio-operator + repo: ssh://git@host.k3d.internal/home/git/repos/istio-operator clusterAuditor: - enabled: false + enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/cluster-auditor + repo: ssh://git@host.k3d.internal/home/git/repos/cluster-auditor values: resources: requests: 
@@ -50,68 +50,68 @@ clusterAuditor: memory: 0.5Gi monitoring: - enabled: false + enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/monitoring + repo: ssh://git@host.k3d.internal/home/git/repos/monitoring gatekeeper: enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/policy + repo: ssh://git@host.k3d.internal/home/git/repos/policy twistlock: - enabled: false + enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/twistlock + repo: ssh://git@host.k3d.internal/home/git/repos/twistlock # Explicitly enable all addons for CI addons: argocd: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/argocd + repo: ssh://git@host.k3d.internal/home/git/repos/argocd authservice: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/authservice + repo: ssh://git@host.k3d.internal/home/git/repos/authservice chains: minimal: callback_uri: "https://minimal.bigbang.dev" gitlab: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/gitlab + repo: ssh://git@host.k3d.internal/home/git/repos/gitlab sso: enabled: false gitlabRunner: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/gitlab-runner + repo: ssh://git@host.k3d.internal/home/git/repos/gitlab-runner anchore: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/anchore-enterprise + repo: ssh://git@host.k3d.internal/home/git/repos/anchore-enterprise sonarqube: - enabled: false + enabled: true git: - repo: ssh://git@10.25.21.9/home/git/repos/sonarqube + repo: ssh://git@host.k3d.internal/home/git/repos/sonarqube minioOperator: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/minio-operator + repo: ssh://git@host.k3d.internal/home/git/repos/minio-operator minio: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/minio + repo: ssh://git@host.k3d.internal/home/git/repos/minio haproxy: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/haproxy + repo: ssh://git@host.k3d.internal/home/git/repos/haproxy 
mattermostoperator: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/mattermost-operator + repo: ssh://git@host.k3d.internal/home/git/repos/mattermost-operator mattermost: enabled: false git: - repo: ssh://git@10.25.21.9/home/git/repos/mattermost \ No newline at end of file + repo: ssh://git@host.k3d.internal/home/git/repos/mattermost \ No newline at end of file
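Review bot: in the README `@@ -88,7` hunk, `ssh-keygen -b 4096 -t rsa -f ~/.ssh/identity -q -N ""` writes an unencrypted private key for git access; that is acceptable for a disposable airgap test instance, but the doc should say so rather than leave it implicit. The key also lands in the invoking user's `~/.ssh`, not under `/home/git`, so the next bullet ("Create .SSH folder for `git` user") should make clear which file is copied where.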
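Review bot: the `sudo sed -i -e '1i'$PRIVATEIP' 'myhostname.com'\' /etc/hosts` lines in the README `@@ -114,18` hunk are fragile: `$PRIVATEIP` is unquoted, the closing `'\'` leaves a dangling backslash in the inserted text, and when the metadata `curl` fails (for example on an IMDSv2-only instance) `PRIVATEIP` is empty and a bare ` myhostname.com` line is written into `/etc/hosts`. Suggest `PRIVATEIP=$(curl -sf http://169.254.169.254/latest/meta-data/local-ipv4) || exit 1` followed by `printf '%s myhostname.com\n' "$PRIVATEIP" | sudo tee -a /etc/hosts`. The clone example in the same hunk now uses `git@host.k3d.internal:...`, an alias the hunk itself marks `#only for k3d`; the generic README example should use `myhostname.com`.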
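Review bot: `docker save -o registry2.tar registry:2` in the README `@@ -134,16` hunk captures a floating tag, so what ends up inside the airgap is whatever `registry:2` resolved to on the connected host that day. Record the digest next to the tarball (`docker images --digests registry`) and compare it after `docker load -i registry2.tar` on the registry server. The same applies to `rancher/k3s:v1.20.5-rc1-k3s1`, which is a release-candidate tag and deserves an explicit remark, not just `#check release matching version`.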
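Review bot: `curl https://myhostname.com:5443/v2/_catalog -k` in the README `@@ -181,7` hunk (and the matching example in `@@ -191,7`) disables certificate verification, so it never exercises the SAN handling this patch changes in `registry.sh`. Since that script leaves `rootCA.crt` in `certs/`, use `curl --cacert certs/rootCA.crt https://myhostname.com:5443/v2/_catalog`; it fails loudly when the name in `/etc/hosts` does not match the cert, which is exactly the mistake this doc is prone to.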
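Review bot: the RKE2 `registries.yaml` in the README `@@ -246,15` hunk ends up with `registry1.dso.mil:` listed twice under `mirrors:` (the newly added block and the pre-existing one directly below it), a duplicate mapping key that YAML parsers either reject or silently resolve to the last entry. Drop one of the two; if the intent was to mirror `docker.io:` as the k3d file in `developer.md` does, add that key instead.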
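Review bot: the README `@@ -263,10` hunk removes the `tar -xf bigbang-[version].tar.gz` step but keeps `cd bigbang`, and `developer.md` no longer downloads the bigbang tarball, so the only remaining source of that directory is the `git clone git@...:/home/git/repos/bigbang` plus `git checkout 1.3.0` test step earlier in the README. Say explicitly that installation continues from that clone and that the checked-out tag must match the release `images.tar.gz` was built for.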
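Review bot: `ssh-keyscan <YOUR GIT URL HERE> ./known_hosts` in the README `@@ -308,8` hunk is missing the redirect, so `./known_hosts` is treated as a second host to scan and nothing is written; the `kubectl create secret generic -n bigbang ssh-credentials --from-file=...` that follows then ships an empty or missing file. Use `ssh-keyscan <YOUR GIT URL HERE> > ./known_hosts`. Also, after `cd ~/.ssh`, `-f ~/.ssh/identity` and `--from-file=./identity` only agree because both point at the same directory; keep the original relative `-f ./identity` for consistency.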
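Review bot: in `developer.md @@ -6,16`, `sudo apt install -y net-tools` is dropped into the "Download `images.tar.gz`, ..." bullet in place of the `bigbang-1.2.0.tar.gz` download. It belongs with the prerequisites, with a note that it supplies the `route` command used by `scripts/airgap.sh` and must be installed before egress is blocked. The hunk also replaces the Docker and k3d install links with "Install `k3d` and `docker` cli tools" without stating tested versions, while the cluster is now pinned to `rancher/k3s:v1.20.5-rc1-k3s1`; keep the links or name the k3d version this was tested with.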
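Review bot: the k3d `registries.yaml` in `developer.md @@ -28,15` also redirects `docker.io` to `https://host.k3d.internal:5443`, so any image that is not in `images.tar.gz` now fails with a registry 404 rather than a network error; a sentence saying so will save readers from debugging the wrong layer. The `configs:` key `host.k3d.internal:5443` must match the mirror endpoint host:port exactly, which it does here.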
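Review bot: `developer.md @@ -47,22` removes `curl https://index.docker.io/ #shouldnt work`, which was the only negative check that egress is really blocked; keep a negative test. Note that `airgap.sh` installs its DROP in `DOCKER-USER`, which is traversed by forwarded container traffic and not by connections originating on the host, so a host-side `curl` was never the right probe; run it from a pod (the `kubectl run test ...` pod in the next section) instead. The remaining `curl https://$PRIVATEIP:5443/v2/repositories/rancher/library-busybox/tags` is not a registry v2 endpoint; the correct path is `/v2/rancher/library-busybox/tags/list`, the form used in the following hunk.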
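Review bot: `kubectl run -i --tty test --image=... --command sleep infinity -- sh` in `developer.md @@ -72,7` contradicts itself: with `--command`, only the arguments after `--` become the container command, so `sleep infinity` is silently discarded and the pod runs `sh` interactively. The very next line then creates another pod named `test`, which fails with AlreadyExists while the first one exists. Either keep the interactive form (`... --command -- sh`) and delete the pod before the next `kubectl run`, or drop it and use the non-interactive `sleep infinity` pod with `kubectl exec`.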
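Review bot: `iptables -A DOCKER-USER -j RETURN` in `airgap.sh @@ -4,3` is appended after the chain's existing trailing `RETURN`, so it is never reached; harmless, but it suggests a fix that is not happening. The actual gaps are that the script is not idempotent (every run inserts another DROP/RETURN triple) and that `DOCKER-USER` only governs forwarded container traffic, leaving host egress open while `developer.md` says "Block all egress". Suggest `iptables -C DOCKER-USER ... 2>/dev/null || iptables -I DOCKER-USER ...` guards, `ip route show default | awk '{print $5}'` in place of `route` (removing the new net-tools dependency), and a sentence in `developer.md` stating that host-level egress is not blocked. The file also still lacks a trailing newline.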
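Review bot: `set -e` in `registry.sh @@ -1,4` is a good addition; consider `set -euo pipefail` so that an unset or empty variable aborts the run instead of producing a cert with a blank field, which `set -e` alone does not catch.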
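Review bot: both new prompts in `registry.sh @@ -37,10` have unbalanced parentheses: the `COMMON` text opens `(Must be a FQDN (at least one period character)` and never closes the outer bracket, and the `ALTNAMES` text ends with a stray `)`. More importantly, `PRIVATEIP` is no longer computed, yet the example reads `IP:PRIVATEIP`, which a reader will paste verbatim and get a SAN entry that openssl rejects; either compute the address and show it in the prompt, or state plainly that the real address must be substituted and that entries must be `DNS:` or `IP:` prefixed.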
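Review bot: `mkdir -p certs` in `registry.sh @@ -48,7` means a rerun no longer fails but silently regenerates `rootCA.key`, replacing the CA whose public cert is already mounted into clusters as `/etc/ssl/certs/registry1.pem`. Guard with `[ -e certs/rootCA.key ] && { echo "certs/ already exists"; exit 1; }` or skip CA generation when the key exists.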
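Review bot: `echo subjectAltName = DNS:${COMMON},${ALTNAMES} > extfile.cnf` in `registry.sh @@ -67,10` produces a trailing comma when `ALTNAMES` is left blank, and `openssl x509 -req ... -extfile extfile.cnf` then fails under `set -e` with an unhelpful message. Use `SAN="DNS:${COMMON}${ALTNAMES:+,${ALTNAMES}}"` and `printf 'subjectAltName = %s\n' "$SAN" > extfile.cnf`. Dropping the automatic `IP:${PRIVATEIP}` entry also means the `curl https://$PRIVATEIP:5443/...` checks in `developer.md` only pass with `-k` unless the user typed the IP into `ALTNAMES`; document that.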
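Review bot: `registry: host.k3d.internal` in `values.yaml @@ -1,7` has no port while every other reference in this patch uses `host.k3d.internal:5443`, and `username`/`password` are empty. If image pulls rely solely on the `registries.yaml` mirrors, say so in the README; otherwise add `:5443` so the pull secret matches the registry address.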
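Review bot: `values.yaml @@ -16,33` flips eckoperator, fluentbit, logging, istio, istiooperator and clusterAuditor to `enabled: true`, which changes the scope of what the airgap procedure deploys and what `images.tar.gz` must contain. The README should state which packages this values file enables and that the image list was built for that set.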
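Review bot: in `values.yaml @@ -50,68`, monitoring, twistlock and sonarqube are switched to `enabled: true` while the comment `# Explicitly enable all addons for CI` still sits above a block in which every addon except sonarqube remains `false`; update or remove the comment so it describes the file as it now is.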