
Posts

Showing posts from May, 2024

OKD - Create a Homelab Cluster - finalizing the setup process

We'll be working on the Servers that are surrounded by the continuous lines in this drawing: The Cluster is in the process of building if you've arrived here. However, there are still some steps left to do, like: remove the bootstrap node from haproxy; approve the signing requests for the worker nodes; monitor the cluster state and cluster operators; create an initial htpasswd auth provider for a fallback admin account; create a storage class for the openshift internal image registry. Let's start with removing the bootstrap Node after the bootstrap monitoring command tells us it's safe to remove: [archy@helper01 ~]# sudo vim /etc/haproxy/haproxy.cfg [archy@helper02 ~]# sudo vim /etc/haproxy/haproxy.cfg global log 127.0.0.1 local2 pidfile /var/run/haproxy.pid maxconn 4000 daemon defaults mode http log global option dontlognull option http-server-close option redispatch retries 3 timeout http-request 10s tim...

OKD - Create a Homelab Cluster - Prep and Bootstrap

We'll be working on the Servers that are surrounded by the continuous lines in this drawing: Most of the Setup is already done; from here on out the heavy lifting will be done by the installer. But first, there are still a few small things left to do: getting the installation artifacts. Specifically, I'm talking about these artifacts that still need to be downloaded: fedora coreos image, openshift-installer, openshift-client, helm, butane. Since we've set up a shared storage for the webservers that will host these files, they will only need to be downloaded once and can be served from the internal share. I'll download all the artifacts on one of the helper nodes: [archy@helper01 ~]$ sudo -Hiu root [root@helper01 ~]# curl -4kLo '/var/www/html/okd/fcos-39.iso' -X 'GET' -H 'Accept: application/octet-stream' -H 'User-Agent: curl/7.76.1' 'https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/39.20240210.3.0/x86_64/fedora-coreo...

OKD - Create a Homelab OKD Cluster - Keepalived

We'll be working on the Servers that are surrounded by the continuous lines in this drawing: Keepalived is a useful tool to share a single Virtual IP (VIP) between multiple nodes without dealing with pacemaker, corosync and fencing. Keepalived is also fairly lightweight and easy to configure, so a good fit for this setup. Start by installing keepalived: [archy@helper01 ~]$ sudo dnf -4y --refresh install keepalived [archy@helper02 ~]$ sudo dnf -4y --refresh install keepalived After the packages are done installing, configure keepalived on the first helper node: [archy@helper01 ~]$ sudo vim /etc/keepalived/keepalived.conf ! Configuration File for keepalived global_defs { notification_email { admins@archyslife.lab } notification_email_from root@helper01.okd.archyslife.lab smtp_server 127.0.0.1 smtp_connect_timeout 30 script_user root root } vrrp_script chk_haproxy { script '/usr/bin/pidof haproxy' interval 2 ...

OKD - Create a Homelab OKD Cluster - HTTPD

We'll be working on the Servers that are surrounded by the continuous lines in this drawing: The HTTPD Setup for this setup is only for sharing installer-required files, meaning I'll barely use any features and leave the default config in place for most things. First, install httpd: [archy@helper01 ~]$ sudo dnf -4y --refresh install httpd Now, let's edit the httpd config and change the default ports since they're already in use by HAProxy for the 'http-ingress' and 'https-ingress' services: [archy@helper01 ~]$ sudo sed -i 's/Listen 80/Listen 8080/g' /etc/httpd/conf/httpd.conf [archy@helper01 ~]$ sudo sed -i 's/Listen 443/Listen 8443/g' /etc/httpd/conf/httpd.conf Also, edit the dummy ssl config to listen on Port 10443 to ensure there are no conflicts with port bindings on reboots: [archy@helper01 ~]$ sudo sed -i 's/Listen 443/Listen 10443/g' /etc/httpd/conf.d/ssl.conf Using Port 10443/tcp will also require adding the ...

OKD - Create a Homelab Cluster - HAProxy

We'll be working on the Servers that are surrounded by the continuous lines in this drawing: In this part I'll cover the HAProxy setup on each helper node. HAProxy is a TCP / HTTP Load Balancer which I'll be using to proxy traffic for the following Services: Kubernetes API Server (6443/tcp), OpenShift Machine Config Server (22623/tcp), HTTP Ingress (80/tcp), HTTPS Ingress (443/tcp), HAProxy Stats (9000/tcp). Make sure to have no other services running on any of these ports. These steps apply to all helper nodes, so you can just copy and paste them for each helper node. First, install HAProxy: [archy@helper01 ~]$ sudo dnf -4y --refresh install haproxy Now, edit /etc/haproxy/haproxy.cfg according to your environment: [archy@helper01 ~]$ sudo vim /etc/haproxy/haproxy.cfg global log 127.0.0.1 local2 pidfile /var/run/haproxy.pid maxconn 4000 daemon defaults mode http log global option dontlognull option http-server-close ...

OKD - Create a Homelab Cluster - DHCP

We'll be working on the Servers that are surrounded by the continuous lines in this drawing: Setting up DHCP for the cluster is probably the easiest and shortest task. All we need to do is add a reservation for each node in the cluster that is running CoreOS; in my case that's just 6 static reservations. Since I'll be hosting this cluster in my homelab and will provide the infrastructure myself, I'll manually assign the MAC addresses. A static lease will look like this: host bootstrap.okd { hardware ethernet 52:54:00:0f:0f:00; fixed-address 172.31.10.150; } I'd like to explain it for a minute so there's no confusion on why I'm adding the clustername to the nodename. With my DHCP Setup, I've set 'option domain-name "archyslife.lan"', so I'm using the clustername / subdomain for the cluster here as well in each host definition. For reference, this is my full subnet declaration: subnet 172.31.10.0 netmask 255.255.255.0 ...

OKD - Create a Homelab Cluster - DNS

We'll be working on the Servers that are surrounded by the continuous lines in this drawing: I'm using FreeIPA as the authoritative DNS Server for my homelab. I'll be using a separate dns zone for all servers of this cluster as well as the helper nodes. The helper nodes will be provisioned by my foreman server, so they're already integrated with FreeIPA and no dns records or domain-joins will have to be created on these servers. I'll be using an additional DNS Zone for my OKD Cluster: 'okd.archyslife.lan'. Create the zone using the ipa cli utility: [archy@ipa03 ~]$ ipa dnszone-add okd.archyslife.lan --dynamic-update 'true' --forward-policy 'first' --allow-query '127.0.0.0/8;172.31.10.0/24' --allow-sync-ptr 'true' We'll also be needing dns records for each node, 'api', 'api-int' and '*.apps', so let's create them: [archy@ipa03 ~]$ ipa dnsrecord-add okd.archyslife.lan bootstrap --a-ip-addres...

OKD - Create a Homelab Cluster

I've had a few encounters with OCP and OKD for a bit of time now, so I thought I might as well write a short guide on how to set up a Cluster in your homelab. I'll be using the UPI Method, meaning I'll have to stand up the infrastructure myself, but this allows me more flexibility down the road. This is a rough schematic of what we'll be working on: Some Prerequisites: a functional FreeIPA setup which will be used for DNS; a working dhcpd instance to reserve fixed addresses based on the mac addresses of all coreos nodes; two helper nodes for HAProxy, Keepalived and HTTPD to host files required by the installer; three control plane (master) nodes; at least two worker nodes. This is the (virtual) hardware sizing used for my cluster: helper nodes: vCPU: 2 RAM: 2048MiB Disk: 32GB control plane nodes: CPU: 8 RAM: 16384MiB Disk: 128GB worker nodes: CPU: 8 RAM: 16384MiB Disk: 128GB So there's definitely a bit of hardware involved to satisfy these requirements. This tutorial ...

Offtopic - My impressions with CKA and CKAD

So yeah, I was just recently asked by my employer to go for the CKA and CKAD certifications. To be fair, I've been dabbling with kubernetes for a bit of time now, so the basic concepts were already clear to me. Since the udemy courses were on sale I thought I might as well get those, you know ... just in case. While watching the videos I did the practice exercises in advance on kodekloud. I think this material was really good and well prepared, so I would definitely recommend that. CKA Once done with udemy, I was using the first killer.sh setup and scored decently, I think. Overall I did the killer.sh exam simulator 4 times, with a break of 2 hours in between the first two, and then did the other 2 test-runs the next day. These were the scores I got: 103/125 with 25/25 Tasks completed in 1h45min; 113/125 with 25/25 Tasks completed in 1h30min; 125/125 with 25/25 Tasks completed in 1h15min; 125/125 with 25/25 Tasks completed in 1h15min. I had my exam scheduled for the next day after work and s...