From cfa74ce9634d84a4d0c0f2c4e4e2f72ee29181d3 Mon Sep 17 00:00:00 2001 
From: savagebidoof Date: Thu, 20 Jul 2023 13:22:30 +0200 Subject: [PATCH] in progress migration, backing progress. --- .../Istio/External_Services/01-Namespace.yaml | 6 ++ .../Filebrowser/DestinationRule.yaml | 14 +++++ .../Filebrowser/ServiceEntry.yaml | 20 ++++++ .../Filebrowser/VirtualService.yaml | 23 +++++++ .../Istio/External_Services/Gateway.yaml | 63 +++++++++++++++++++ .../Gitea/DestinationRule.yaml | 14 +++++ .../External_Services/Gitea/ServiceEntry.yaml | 20 ++++++ .../Gitea/VirtualService.yaml | 23 +++++++ .../Istio/External_Services/Hosts.yaml | 9 +++ .../Jelly/DestinationRule.yaml | 14 +++++ .../External_Services/Jelly/ServiceEntry.yaml | 20 ++++++ .../Jelly/VirtualService.yaml | 23 +++++++ .../Tube/DestinationRule.yaml | 14 +++++ .../External_Services/Tube/ServiceEntry.yaml | 20 ++++++ .../Tube/VirtualService.yaml | 23 +++++++ .../Forget_Traefik_2023/Istio/Issuer.yaml | 57 +++++++++++++++++ .../Forget_Traefik_2023}/README.md | 57 ++++++++++++++--- README.md | 3 +- 18 files changed, 412 insertions(+), 11 deletions(-) create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/01-Namespace.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/DestinationRule.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/ServiceEntry.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/VirtualService.yaml create mode 100755 Migrations/Forget_Traefik_2023/Istio/External_Services/Gateway.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/DestinationRule.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/ServiceEntry.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/VirtualService.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Hosts.yaml create mode 100644 
Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/DestinationRule.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/ServiceEntry.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/VirtualService.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/DestinationRule.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/ServiceEntry.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/VirtualService.yaml create mode 100644 Migrations/Forget_Traefik_2023/Istio/Issuer.yaml rename {Migration => Migrations/Forget_Traefik_2023}/README.md (96%)
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/01-Namespace.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/01-Namespace.yaml
new file mode 100644
index 0000000..182d2da
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/01-Namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: external
+ labels:
+ istio-injection: "enabled"
\ No newline at end of file
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/DestinationRule.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/DestinationRule.yaml
new file mode 100644
index 0000000..44cfece
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/DestinationRule.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: filebrowser
+# namespace: default
+ namespace: external
+spec:
+ host: "filebrowser.filterhome.xyz"
+ trafficPolicy:
+ tls:
+ mode: SIMPLE
+ connectionPool:
+ http:
+ h2UpgradePolicy: UPGRADE
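Review bot: The `tls: mode: SIMPLE` block in Filebrowser/DestinationRule.yaml originates TLS towards the `srv` host with no `caCertificates`, `subjectAltNames` or `sni`, so this hop gets encryption to 192.168.1.3 but, depending on the Istio release, may not verify at all who answers (older releases skip upstream verification when no CA is configured; newer ones expose `insecureSkipVerify` for the same choice). This is the hop that carries the public gateway's decrypted traffic onto the LAN, so it deserves pinning: add `sni: filebrowser.filterhome.xyz`, `subjectAltNames: ["filebrowser.filterhome.xyz"]` and a `caCertificates:` path to the trust bundle that signs the backend cert (the system bundle inside the proxy image if srv presents a public cert — I cannot see what it presents from here). A one-line comment stating which CA the backend is expected to chain to would also help the next reader. The Gitea, Jelly and Tube DestinationRules in this commit have the identical gap.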
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/ServiceEntry.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/ServiceEntry.yaml
new file mode 100644
index 0000000..d3dee41
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/ServiceEntry.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: filebrowser-se
+# namespace: default
+ namespace: external
+spec:
+ hosts:
+ - filebrowser.filterhome.xyz
+ - filebrowser.filterhome.duckdns.org
+ - filebrowser.filter.home
+ location: MESH_INTERNAL
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+ resolution: NONE
+ workloadSelector:
+ labels:
+ host: srv
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/VirtualService.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/VirtualService.yaml
new file mode 100644
index 0000000..bde747e
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Filebrowser/VirtualService.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: filebrowser-vs
+# namespace: default
+ namespace: external
+spec:
+ hosts:
+ - "filebrowser.filter.home"
+ - "filebrowser.filterhome.xyz"
+ - "filebrowser.filterhome.duckdns.org"
+ gateways:
+ - default/public-gateway
+ http:
+ - route:
+ - destination:
+ host: filebrowser.filterhome.xyz
+ port:
+ number: 443
+# headers:
+# request:
+# set:
+# HOST: "filebrowser.filterhome.xyz"
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Gateway.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Gateway.yaml
new file mode 100755
index 0000000..94a5977
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Gateway.yaml
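Review bot: `resolution: NONE` in Filebrowser/ServiceEntry.yaml tells the proxy to forward to whatever address the connection was already bound to, so — if I read Istio's resolution modes correctly — the `workloadSelector` and the `srv-host` WorkloadEntry it points at are not what choose the endpoint, and nothing in the repo then constrains where a request for this host is actually sent from the gateway. `resolution: STATIC` makes the selected WorkloadEntry (192.168.1.3) the only endpoint set, which is the property you want for a service that fronts a LAN host; please confirm against the Istio version in use, since the README marks this routing as working. The `filebrowser.filter.home` host is also declared here although the only bound gateway does not serve `filter.home`, which is harmless but worth a `# filter.home: reachable only once the home-gateway is enabled` comment. The Gitea, Jelly and Tube ServiceEntries share the same shape.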
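Review bot: The commented-out `headers.request.set.HOST` block at the end of Filebrowser/VirtualService.yaml would not do what the comment suggests if re-enabled: to my recollection Istio's validation refuses to set the `Host`/`:authority` header through `headers`, and the supported way to change the upstream authority is `rewrite: authority: filebrowser.filterhome.xyz` under the route. If the intent is to stop the backend from seeing the public `duckdns.org` Host value, that rewrite is the line to add; if the block is just a leftover, delete it rather than leave a non-working hint. The same commented block appears in the Gitea, Jelly and Tube VirtualServices.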
@@ -0,0 +1,63 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: public-gateway
+ namespace: default
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+# - "*.filterhome.xyz"
+# - "filterhome.xyz"
+#
+# - "filterhome.duckdns.org"
+# - "*.filterhome.duckdns.org"
+ tls:
+ httpsRedirect: true
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "*.filterhome.xyz"
+ - "filterhome.xyz"
+
+ - "filterhome.duckdns.org"
+ - "*.filterhome.duckdns.org"
+ tls:
+ mode: SIMPLE
+ credentialName: filterhome-domain-cert-public
+---
+#apiVersion: networking.istio.io/v1alpha3
+#kind: Gateway
+#metadata:
+# name: home-gateway
+#spec:
+# selector:
+# istio: ingressgateway
+# servers:
+# - port:
+# number: 80
+# name: http
+# protocol: HTTP
+# hosts:
+# - "*.filter.home"
+# - "filter.home"
+# # tls:
+# # httpsRedirect: true
+## - port:
+## number: 443
+## name: secure-http
+## protocol: HTTPS
+## hosts:
+## - "*.filter.home"
+## - "filter.home"
+## tls:
+## mode: SIMPLE
+## credentialName: filterhome-domain-cert-public
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/DestinationRule.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/DestinationRule.yaml
new file mode 100644
index 0000000..7230a9c
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/DestinationRule.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: gitea
+# namespace: default
+ namespace: external
+spec:
+ host: "gitea.filterhome.xyz"
+ trafficPolicy:
+ tls:
+ mode: SIMPLE
+ connectionPool:
+ http:
+ h2UpgradePolicy: UPGRADE
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/ServiceEntry.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/ServiceEntry.yaml
new file mode 100644
index 0000000..d5408e2
--- /dev/null
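Review bot: The 443 server in Gateway.yaml advertises `filterhome.xyz`, `filterhome.duckdns.org` and `*.filterhome.duckdns.org`, but the `filterhome-domain-cert-public` Certificate added in Issuer.yaml only carries the four `<svc>.filterhome.xyz` names, so the apex and every duckdns hostname are served with a name-mismatched certificate — browsers will refuse, and only clients that skip verification will get through. Either drop those hosts from this server or add them to the Certificate's `dnsNames`; the VirtualServices route duckdns names, so presumably the latter is intended. I would also add `minProtocolVersion: TLSV1_2` next to `mode: SIMPLE` so the floor does not depend on the Istio release's default. The port-80 server with `hosts: ["*"]` and `httpsRedirect: true` is fine as the only plaintext listener, and the `home-gateway` left in comments could use a one-line note saying why it is parked.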
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/ServiceEntry.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: gitea-se
+# namespace: default
+ namespace: external
+spec:
+ hosts:
+ - gitea.filterhome.xyz
+ - gitea.filterhome.duckdns.org
+ - gitea.filter.home
+ location: MESH_INTERNAL
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+ resolution: NONE
+ workloadSelector:
+ labels:
+ host: srv
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/VirtualService.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/VirtualService.yaml
new file mode 100644
index 0000000..124893f
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Gitea/VirtualService.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: gitea-vs
+# namespace: default
+ namespace: external
+spec:
+ hosts:
+ - "gitea.filter.home"
+ - "gitea.filterhome.xyz"
+ - "gitea.filterhome.duckdns.org"
+ gateways:
+ - default/public-gateway
+ http:
+ - route:
+ - destination:
+ host: gitea.filterhome.xyz
+ port:
+ number: 443
+# headers:
+# request:
+# set:
+# HOST: "gitea.filterhome.xyz"
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Hosts.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Hosts.yaml
new file mode 100644
index 0000000..410189b
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Hosts.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: WorkloadEntry
+metadata:
+ name: srv-host
+ namespace: external
+spec:
+ address: 192.168.1.3
+ labels:
+ host: srv
\ No newline at end of file
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/DestinationRule.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/DestinationRule.yaml
new file mode 100644
index 0000000..a552f4d
--- /dev/null
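Review bot: Hosts.yaml registers 192.168.1.3 as a WorkloadEntry with no `serviceAccount` and no `network`, so the mesh has no identity for this host and cannot use mTLS towards it; whatever trust the gateway places in srv rests entirely on the DestinationRules' origination-TLS settings, which as committed do not name a CA or expected SAN. That is a deliberate-looking trade-off for a sidecar-less LAN box, but it should be written down where the next reader lands: `# srv has no sidecar/identity: only the DestinationRule tls settings authenticate it`. If several services on srv are ever split across hosts, the single `host: srv` label will silently fan all four ServiceEntries out to every entry carrying it, so consider one label per service now while the file is small.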
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/DestinationRule.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: jelly
+# namespace: default
+ namespace: external
+spec:
+ host: "jelly.filterhome.xyz"
+ trafficPolicy:
+ tls:
+ mode: SIMPLE
+ connectionPool:
+ http:
+ h2UpgradePolicy: UPGRADE
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/ServiceEntry.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/ServiceEntry.yaml
new file mode 100644
index 0000000..87d655f
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/ServiceEntry.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: jelly-se
+# namespace: default
+ namespace: external
+spec:
+ hosts:
+ - jelly.filterhome.xyz
+ - jelly.filterhome.duckdns.org
+ - jelly.filter.home
+ location: MESH_INTERNAL
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+ resolution: NONE
+ workloadSelector:
+ labels:
+ host: srv
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/VirtualService.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/VirtualService.yaml
new file mode 100644
index 0000000..731a518
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Jelly/VirtualService.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: jelly-vs
+# namespace: default
+ namespace: external
+spec:
+ hosts:
+ - "jelly.filter.home"
+ - "jelly.filterhome.xyz"
+ - "jelly.filterhome.duckdns.org"
+ gateways:
+ - default/public-gateway
+ http:
+ - route:
+ - destination:
+ host: jelly.filterhome.xyz
+ port:
+ number: 443
+# headers:
+# request:
+# set:
+# HOST: "jelly.filterhome.xyz"
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/DestinationRule.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/DestinationRule.yaml
new file mode 100644
index 0000000..5f9b286
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/DestinationRule.yaml
@@ -0,0 +1,14 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: tube
+# namespace: default
+ namespace: external
+spec:
+ host: "tube.filterhome.xyz"
+ trafficPolicy:
+ tls:
+ mode: SIMPLE
+ connectionPool:
+ http:
+ h2UpgradePolicy: UPGRADE
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/ServiceEntry.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/ServiceEntry.yaml
new file mode 100644
index 0000000..86bae41
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/ServiceEntry.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: tube-se
+# namespace: default
+ namespace: external
+spec:
+ hosts:
+ - tube.filterhome.xyz
+ - tube.filterhome.duckdns.org
+ - tube.filter.home
+ location: MESH_INTERNAL
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+ resolution: NONE
+ workloadSelector:
+ labels:
+ host: srv
diff --git a/Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/VirtualService.yaml b/Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/VirtualService.yaml
new file mode 100644
index 0000000..4376bf8
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/External_Services/Tube/VirtualService.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: tube-vs
+# namespace: default
+ namespace: external
+spec:
+ hosts:
+ - "tube.filter.home"
+ - "tube.filterhome.xyz"
+ - "tube.filterhome.duckdns.org"
+ gateways:
+ - default/public-gateway
+ http:
+ - route:
+ - destination:
+ host: tube.filterhome.xyz
+ port:
+ number: 443
+# headers:
+# request:
+# set:
+# HOST: "tube.filterhome.xyz"
diff --git a/Migrations/Forget_Traefik_2023/Istio/Issuer.yaml b/Migrations/Forget_Traefik_2023/Istio/Issuer.yaml
new file mode 100644
index 0000000..f6604bb
--- /dev/null
+++ b/Migrations/Forget_Traefik_2023/Istio/Issuer.yaml
@@ -0,0 +1,57 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-public
+ namespace: istio-system
+spec:
+ acme:
+ # The ACME server URL
+# server: https://acme-staging-v02.api.letsencrypt.org/directory # Testing
+ server: https://acme-v02.api.letsencrypt.org/directory # Prod
+ # Email address used for ACME registration
+ email: filter.oriol@gmail.com
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-public
+ # Enable the HTTP-01 challenge provider
+ solvers:
+ - http01:
+ ingress:
+ class: istio
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: filterhome-domain-cert-public
+ namespace: istio-system
+spec:
+ secretName: filterhome-domain-cert-public
+ duration: 48h # 90d
+ renewBefore: 2h # 15d
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
+ rotationPolicy: Always
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+# - "*.filterhome.xyz"
+
+ # Gitea
+ - "gitea.filterhome.xyz"
+
+ # Jellyfin
+ - "jelly.filterhome.xyz"
+
+ # Filebrowser
+ - "filebrowser.filterhome.xyz"
+
+ # Tube
+ - "tube.filterhome.xyz"
+ issuerRef:
+ name: letsencrypt-public
+ kind: ClusterIssuer
+ group: cert-manager.io
\ No newline at end of file
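Review bot: `renewBefore: 2h` in the Issuer.yaml Certificate leaves a two-hour window for an HTTP-01 order to succeed before the serving cert expires, and since ACME issuers do not honour the requested `duration: 48h` (Let's Encrypt issues its own lifetime) a single failed order — router port mapping, DNS, or a rate limit — in that window takes the whole public gateway down; use the value the inline comment already hints at, `renewBefore: 360h`. Drop `client auth` from `usages`: this certificate only terminates the ingress, the extra EKU widens what a leaked key can be used for, and a public CA is not obliged to include it. `metadata.namespace: istio-system` on the ClusterIssuer is ignored because the kind is cluster-scoped; remove it so it does not suggest a scoping that does not exist. The `rotationPolicy: Always` and the staging server kept in a comment are good; a short comment next to `class: istio` noting that the port-80 `public-gateway` server must stay open for the challenge would complete the picture.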
diff --git a/Migration/README.md b/Migrations/Forget_Traefik_2023/README.md
similarity index 96%
rename from Migration/README.md
rename to Migrations/Forget_Traefik_2023/README.md
index 9b829f0..b52c369 100644
--- a/Migration/README.md
+++ b/Migrations/Forget_Traefik_2023/README.md
@@ -68,6 +68,30 @@ Slave01: 192.168.1.11 - Another option would be, moving everything to the SRV and use that meanwhile, this would allow for less downtime, and I could get to do whatever I want with the Pi4 and Cluster in the meantime, could deploy the `Traefik` with the Pi4 IP (.2) to allow for *shooting down the Pi4 shenanigans*. +### Regarding the Cert-Manager + +> https://cert-manager.io/ + +`HTTP01 challenge`, doesn't allow for wildcard certificates, therefore, for better comfort, use the `DNS01 challange`. + +Current Issue? For X and y, I need to wait for a while for the DNS provider to release the domain and acquire it back again. + +### Core services + +- Tube + +- Jellyfin + +- Gitea + +- Filebrowser + +## Limitations + +- Limited hardware + +- Only 1 external IP / router, therefore I need to do some Cert Manager tests before. + ## Pi4 Storage related-specific - If I keep using a SSD, 3D print a base for it, the Pi4 doesn't need a shell as it already has one, but just a platform that allows the Pi4 to sit on the top.
@@ -103,21 +127,27 @@ Slave01: 192.168.1.11 [//]: # (> Started 19/July/2023) -- [ ] Deploy Certificate Manager on the current `Kluster` with let's encrypt certificate provisioning. +[//]: # (> Finished /July/2023) -- [ ] Deploy an Istio Ingress to allow access to the Gitea service. -- [ ] Update the router `Virtual Service Port Mapping` to set the Istio Ingress deployed as the new Public Ingress. +- [x] Deploy Certificate Manager on the current `Kluster` with let's encrypt certificate provisioning. -- [ ] Ensure the Certificates are being provisioned. +- [ ] Deploy an Istio Ingress Gateway to allow access to the "core" services. + +- [ ] Deploy an Istio Egress Gateway to allow egress towards the "core" services. + +- [x] Update the router `Virtual Service Port Mapping` to set the Istio Ingress deployed as the new Public Ingress. + +- [x] Ensure the Certificates are being provisioned. #### Rollback plan -- As much, delete the deployed configurations. +- Delete the deployed configurations. +- Update the router `Virtual Service Port Mapping` to set back the Traefik Ingress form the Pi4 host. ### Part 3 -- [ ] Configure Istio to route traffic towards Jellyfin and Filebrowser services. +- [x] Configure Istio to route traffic towards Jellyfin and Filebrowser services. - [ ] Backup the Istio/Kubernetes configurations used. 
@@ -139,6 +169,9 @@ Slave01: 192.168.1.11 - [ ] ~~Wipe~~ (**don't wipe** just use a different drive) and recreate the current `Kluster`, this time using the Pi4 as a _master_, and the 2 Orange Pi5 as _slaves_ (this will require updating the DNS/DHCP local services). +> **Note**:\ +> I can make a new cluster on the Pi4, and remove the taint that prevents from scheduling pods on that node. Deploy everything inside (a well a LB with the same exact IP than the current one, and proceed to stop the Orange PI 5), then "reformat" the OPi5s with a new distro, install stuff etc, and join them to the cluster running on the Pi4. + - [ ] Update the `Current Setup` documentation with the new container and architecture rearrangement. - [ ] Deploy NFS service on the `media SRV` host.
@@ -147,6 +180,10 @@ Slave01: 192.168.1.11 - [ ] Update the `Current Setup` documentation with the new container and architecture rearrangement. +### Part 6 + +- Set wildcards certificates. + #### Rollback plan - Revert orange Pi 5 to the previous drive.
@@ -157,9 +194,9 @@ Slave01: 192.168.1.11 - Run the old migrated services back on the `media SRV` host. -## Execution - +# Execution +## Part 1 ### Transfer local network dependencies services from Pi4 to SRV. #### Install ZIP on `Pi4`
@@ -792,7 +829,9 @@ x-frame-options: DENY x-xss-protection: 1; mode=block ``` -... +## Part 2 & 3 + + **I am HERE right now**
diff --git a/README.md b/README.md
index 9492c9f..e684644 100644
--- a/README.md
+++ b/README.md
@@ -119,8 +119,7 @@ Traefik generates public certificates automatically #### Kluster -> Idk I can run whatever I want. -> +> Idk I can run whatever I want.\ > So far been a playground of Istio for me to create [an Istio documentation](https://gitea.filterhome.xyz/ofilter/Istio_Examples).