Last active
April 16, 2020 13:59
-
-
Save ppwfx/69de8b7e3cedbd364e1973098deb5fe5 to your computer and use it in GitHub Desktop.
single node kubernetes cluster [tested on Ubuntu 18.04 LTS]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: certmanager.k8s.io/v1alpha1 | |
| kind: ClusterIssuer | |
| metadata: | |
| name: letsencrypt-prod | |
| namespace: default | |
| spec: | |
| acme: | |
| email: [email protected] | |
| server: https://acme-v02.api.letsencrypt.org/directory | |
| privateKeySecretRef: | |
| name: letsencrypt-prod | |
| http01: {} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl -O -L https://github.com/projectcalico/calicoctl/releases/download/v3.1.3/calicoctl | |
| chmod +x calicoctl | |
| mv calicoctl /usr/bin/calicoctl | |
| export DATASTORE_TYPE=kubernetes KUBECONFIG=~/.kube/config |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo rm /etc/resolv.conf && \ | |
| sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf | |
| # temporary | |
| swapoff -a | |
| # comment to turn swap off permanently | |
| vim /etc/fstab | |
| apt-get update | |
| ufw allow ssh/tcp && \ | |
| ufw allow http/tcp && \ | |
| ufw allow https/tcp && \ | |
| ufw allow 6443/tcp && \ # Kubernetes API Server | |
| # ufw allow 2379-2380/tcp # etcd server client API | |
| ufw allow 10250/tcp && \ # Kubelet API | |
| ufw allow 10251/tcp && \ # kube-scheduler | |
| ufw allow 10252/tcp && \ # kube-controller-manager | |
| ufw allow 10255/tcp && \ # Read-Only Kubelet API | |
| ufw logging on && \ | |
| ufw enable && \ | |
| ufw status | |
| apt-get install -y apt-transport-https curl docker.io | |
| curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - | |
| cat <<EOF >/etc/apt/sources.list.d/kubernetes.list | |
| deb http://apt.kubernetes.io/ kubernetes-xenial main | |
| EOF | |
| apt-get update | |
| apt-get install -y kubelet kubeadm kubectl | |
| echo "source <(kubectl completion bash)" >> ~/.bashrc | |
| source ~/.bashrc | |
| kubeadm init --pod-network-cidr=192.168.0.0/16 | |
| mkdir -p $HOME/.kube | |
| sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config | |
| sudo chown $(id -u):$(id -g) $HOME/.kube/config | |
| kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml | |
| kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml | |
| # add nodes | |
| kubectl label nodes ${DB_NODE} DB_ID=1 | |
| kubectl label nodes ${INGRESS_NODE} INGRESS_ID=1 | |
| curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get > get_helm.sh | |
| chmod 700 get_helm.sh | |
| ./get_helm.sh | |
| kubectl create serviceaccount tiller --namespace kube-system | |
| kubectl apply -f https://gist.githubusercontent.com/21stio/69de8b7e3cedbd364e1973098deb5fe5/raw/1defb331b87b8b137667a9844030c27438585e8b/tiller-service-account.yaml | |
| helm init --service-account tiller | |
| helm install stable/nginx-ingress \ | |
| --name nginx-ingress \ | |
| --set controller.hostNetwork=true \ | |
| --set-string controller.nodeSelector."INGRESS_ID"="1" | |
| helm install --name cert-manager --namespace kube-system stable/cert-manager | |
| # apply cluster-issuer.yaml | |
| helm upgrade cert-manager stable/cert-manager \ | |
| --namespace kube-system \ | |
| --set ingressShim.defaultIssuerName=letsencrypt-prod \ | |
| --set ingressShim.defaultIssuerKind=ClusterIssuer |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo rm /etc/resolv.conf | |
| sudo ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf | |
| # temporary | |
| swapoff -a | |
| # comment to turn swap off permanently | |
| vim /etc/fstab | |
| apt-get update | |
| ufw allow 10250/tcp # Kubelet API | |
| ufw allow 10255/tcp # Read-Only Kubelet API | |
| ufw allow ssh/tcp | |
| ufw allow http/tcp | |
| ufw allow https/tcp | |
| ufw logging on | |
| ufw enable | |
| ufw status | |
| apt-get install -y apt-transport-https curl docker.io | |
| curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - | |
| cat <<EOF >/etc/apt/sources.list.d/kubernetes.list | |
| deb http://apt.kubernetes.io/ kubernetes-xenial main | |
| EOF | |
| apt-get update | |
| apt-get install -y kubelet kubeadm | |
| kubeadm join ${MASTER_IP}:6443 --token ${TOKEN} --discovery-token-ca-cert-hash ${DISCOVERY_TOKEN} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: tiller | |
| namespace: kube-system | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: tiller | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: cluster-admin | |
| subjects: | |
| - kind: ServiceAccount | |
| name: tiller | |
| namespace: kube-system |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment