diff --git a/docs/services/sealed-secrets.md b/docs/services/sealed-secrets.md deleted file mode 100644 index 84c0534..0000000 --- a/docs/services/sealed-secrets.md +++ /dev/null @@ -1,7 +0,0 @@ -# Sealed Secrets - -Add the normal helm release for sealed secrets. Place into its own namespace. - -## Adding an Existing Certificate - -## Explanation of Certificate Rotation diff --git a/docs/technical/conventions.md b/docs/technical/conventions.md new file mode 100644 index 0000000..e1a55d0 --- /dev/null +++ b/docs/technical/conventions.md @@ -0,0 +1,6 @@ +# Cluster Conventions + +Try and stick to these, so our life is a bit easier. + +- Place all components in their own namespace +- Place all system components into a `*-system` namespace diff --git a/docs/technical/index.md b/docs/technical/index.md new file mode 100644 index 0000000..e3040bf --- /dev/null +++ b/docs/technical/index.md @@ -0,0 +1,5 @@ +# Technical Documentation + +This is techical documentation on operating services, primarily inteded for me. +Therefore, it may be incomplete, and make large assumptions about the knowledge of +the one reading the documentation. diff --git a/docs/technical/longhorn.md b/docs/technical/longhorn.md new file mode 100644 index 0000000..bbb4842 --- /dev/null +++ b/docs/technical/longhorn.md @@ -0,0 +1,10 @@ +# Longhorn + +In cluster storage management. Good for small amounts of data that needs to be +physically close to the host system, or data that needs to be available regardless +of the state of the NFS server. + +> NOTE +> +> Longhorn is really cool, but I hate using it. It causes so many headaches trying +> to set it up. Really thankful it exists, but just use an NFS share if you can. diff --git a/docs/services/metallb.md b/docs/technical/metallb.md similarity index 100% rename from docs/services/metallb.md rename to docs/technical/metallb.md diff --git a/docs/technical/nfs-storage.md b/docs/technical/nfs-storage.md new file mode 100644 index 0000000..43b9b20 
--- /dev/null +++ b/docs/technical/nfs-storage.md @@ -0,0 +1,34 @@ +# NFS Storage + +You will want to make NFS based PV/PVC. Here is a sample one just in case. + +```yaml +apiVersion: v1 +kind: PersistentVolume +metadata: + name: nfs-pv + namespace: my-namespace +spec: + capacity: + storage: 20Gi + accessModes: + - ReadWriteMany + nfs: + path: /path/to/your/nfs/share + server: +``` + +```yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nfs-pvc + namespace: my-namespace +spec: + accessModes: + - ReadWriteMany + storageClassName: "" + resources: + requests: + storage: 20Gi +``` diff --git a/docs/technical/nvidia.md b/docs/technical/nvidia.md new file mode 100644 index 0000000..9cf13c2 --- /dev/null +++ b/docs/technical/nvidia.md @@ -0,0 +1,21 @@ +# Nvidia Operator + +The nvidia operator is responsible for making `gpus` a resource that can be requested +by pods, and allowing pods to use the nvidia container runtime (You did run the ansible +script to install the nvidia container runtime, right?). + +Bring over the helmchart release. Put it into its own namespace. + +## Verify it worked + +To verify it worked, run a describe on a node that has GPUs, such as, + +```bash +kubectl describe node gluttony-gpu +``` + +Quicker than reading, check that this has the expected output, + +```bash +kubectl describe node gluttony-gpu | grep nvidia.com +``` diff --git a/docs/technical/sealed-secrets.md b/docs/technical/sealed-secrets.md new file mode 100644 index 0000000..ddd0a18 --- /dev/null +++ b/docs/technical/sealed-secrets.md 
@@ -0,0 +1,58 @@ +# Sealed Secrets + +Add the normal helm release for sealed secrets. Place into its own namespace. + +## Adding an Existing Certificate + +### Extracting certs + +Store secrets in a json format, something of the form, + +```json +{ + "tls.crt": "ABC123...", + "tls.key": "XYZ987..." +} + +``` + +Both values will be base64 encoded. Something to this effect will get what you want. + +```bash +pass my-secret-key | jq -r '.[tls.crt]' | base64 -d | base64 -d | tee pub-cert.pem +pass my-secret-key | jq -r '.[tls.key]' | base64 -d | base64 -d | tee private-key.pem +``` + +You will know it worked if the outputted keys from `tee` contain the normal headers. + + +### Apply cert into cluster + +To apply the cert into the cluster, just make the secret + +```bash +kubectl create secret tls sealed-secrets-key \ + --cert=pub-cert.pem \ + --key=private-key.pem \ + --namespace=sealed-secrets +``` + +After that just restart the sealed-secrets pod to make sure it takes up the changes. + +```bash +kubectl rollout restart deployment sealed-secrets -n sealed-secrets +``` + +Check the logs of the sealed-secrets pod after restart, and you should +see `sealed-secrets-key` registered as a private key in the logs. And thats it! + + +## Explanation of Certificate Rotation + +So by default sealed secrets is going to make a tls cert in the `sealed-secrets` +namespace. Its gonna be something like `sealed-secrets-key`. It will generate +one every 30 days (configurable value). + +*All secrets* are valid for decrypting secrets in the git repo. If you want it to decrypt +older stuff, add the older cert as outlined above. + diff --git a/mkdocs.yaml b/mkdocs.yaml index 14d1d82..ab5aba7 100644 --- a/mkdocs.yaml +++ b/mkdocs.yaml 
@@ -13,13 +13,22 @@ nav: - Setup Cluster: setup.md - User Documentation: - Overview: user/index.md - - Registering a mail account: user/mailcow.md - - Registering an account: user/account.md - - Requesting Media: user/request.md - - Downloading Media: user/download.md + - Accounts: + - Registering a mail account: user/mailcow.md + - Registering an account: user/account.md + - Media: + - Requesting Media: user/request.md + - Downloading Media: user/download.md - Technical: - - MetalLB: services/metallb.md - - Sealed Secrets: services/sealed-secrets.md + - Overview: technical/index.md + - Conventions: technical/conventions.md + - Infrastructure: + - MetalLB: technical/metallb.md + - Sealed Secrets: technical/sealed-secrets.md + - Nvidia Operator: technical/nvidia.md + - Longhorn: technical/longhorn.md + - Misc: + - NFS: technical/nfs-storage.md theme: name: material
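Review bot: the new `docs/technical/index.md` hunk has two typos in its first sentence, "techical" and "inteded"; they should read "technical" and "intended" before this lands, since this is the page readers of the section hit first.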
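Review bot: the `docs/technical/conventions.md` hunk says system components go in a `*-system` namespace, but the `docs/technical/sealed-secrets.md` hunk in the same change installs the controller into `sealed-secrets` and creates the key secret with `--namespace=sealed-secrets`. Either the convention needs a carve-out for existing deployments or the sealed-secrets page should use `sealed-secrets-system`; as written the two pages contradict each other on the first day the conventions page exists.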
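Review bot: in the `docs/technical/nfs-storage.md` hunk the `PersistentVolume` manifest carries `namespace: my-namespace`, but PersistentVolumes are cluster-scoped, so that field is ignored; drop it from the PV (it is correct on the PVC). The `server:` key is also left empty, which is not valid YAML for a required string; use an obvious placeholder such as `server: <nfs-server-address>` alongside the existing `/path/to/your/nfs/share`. Finally, with `storageClassName: ""` the PVC will bind to any unbound PV that satisfies `20Gi` and `ReadWriteMany`, not necessarily `nfs-pv`; adding `volumeName: nfs-pv` to the PVC spec pins the binding, which matters once the cluster has more than one static NFS volume.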
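Review bot: the `docs/technical/nvidia.md` hunk describes the operator as exposing a resource called `gpus`, but the verification command then greps for `nvidia.com`, which is the actual resource prefix; the page should name the resource as `nvidia.com/gpu` so readers know what to put in a pod's `resources.limits`. The grep also matches every node label containing `nvidia.com`, so a reader can see hits even when the device plugin has not registered anything; suggest telling them to look for a non-zero `nvidia.com/gpu` count under the `Allocatable` section of the describe output, which is the condition that actually shows the operator worked.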
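Review bot: the jq filters in the `docs/technical/sealed-secrets.md` hunk, `'.[tls.crt]'` and `'.[tls.key]'`, are not valid jq for a key containing a dot (jq treats `tls.crt` inside the brackets as an expression, not a string) and will error rather than extract the value; they should be `'."tls.crt"'` and `'."tls.key"'` (or `'.["tls.crt"]'`). Two further points on the same extraction block: the page says the values are base64 encoded but then runs `base64 -d` twice, so it should state that the `pass` entry holds an already-encoded Secret export, otherwise readers with a normal `kubectl get secret -o json` dump will get garbage from the second decode; and `tee private-key.pem` echoes the private key to the terminal, which is exactly the material the page is trying to protect. Write it with a plain redirect under `umask 077` and verify with `head -1 private-key.pem` for the `-----BEGIN` header instead. In the apply step, `kubectl create secret tls` alone does not set the `sealedsecrets.bitnami.com/sealed-secrets-key=active` label the controller uses to select its key secrets, so the log line the page tells readers to look for may never appear; add a `kubectl label secret sealed-secrets-key sealedsecrets.bitnami.com/sealed-secrets-key=active -n sealed-secrets` step before the rollout restart. Lastly, the rotation section should say "*All keys* are valid for decrypting secrets in the git repo", not "All secrets", and "Its gonna" / "thats" want apostrophes.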
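Review bot: in the `mkdocs.yaml` nav hunk, Longhorn is filed under `Infrastructure` while NFS goes under `Misc`, yet the two new pages describe the same concern (cluster storage) and the Longhorn page itself points readers at NFS. A `Storage:` group holding both `technical/longhorn.md` and `technical/nfs-storage.md` would keep them together and leaves `Misc` empty, so it can be dropped.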