VMware/TMConEKS: Difference between revisions
Line 181: | Line 181: | ||
# Create TMC Values File # | # Create TMC Values File # | ||
################################## | ################################## | ||
#tmc/tmc- | #tmc/tmc-sm generate-values-schema --output-file tmc-eks-values.yaml #(Depending on the version or TMC you will use this or the next command.) | ||
#tmc/tmc- | #tmc/tmc-sm show-values-schema --output-filet tmc-eks-values.yaml | ||
############################################# | ############################################# | ||
Line 188: | Line 188: | ||
############################################# | ############################################# | ||
curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/HomeLab/TMC/tmc-eks-values.yaml > tmc-eks-values.yaml | curl https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/HomeLab/TMC/tmc-eks-values.yaml > tmc-eks-values.yaml | ||
tmc/tmc- | tmc/tmc-sm validate-values tmc-values.yaml | ||
############################################ | ############################################ | ||
# Finally Install TMC Self-Managed # | # Finally Install TMC Self-Managed # | ||
############################################ | ############################################ | ||
tmc/tmc- | tmc/tmc-sm deploy --image-prefix $PRIVATE_IMAGE_REGISTRY/$TMC_HARBOR_PROJECT --kubeconfig ~/.kube/config --values=tmc-eks-values.yaml | ||
############################################################### | ############################################################### |
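Review bot: On the new side the validate step runs `tmc/tmc-sm validate-values tmc-values.yaml`, but the curl immediately before it writes the download to `tmc-eks-values.yaml`, and the deploy line then reads `tmc-eks-values.yaml` again, so the file that gets validated is not the file that gets deployed (or validation fails on a missing file). The line should read `tmc/tmc-sm validate-values tmc-eks-values.yaml`. Two smaller things in the same hunk: the commented `show-values-schema` line has a `--output-filet` typo, and `curl` without `-f` will save an HTML error page as the values file when the GitLab URL fails — `curl -fsSL … -o tmc-eks-values.yaml` fails loudly instead.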
Latest revision as of 19:40, 21 July 2023
TMC on EKS Setup
Create Harbor on AWS
SSH to Harbor-AWS EC2 Instance
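# On Plex (the workstation): SSH to the Harbor-AWS EC2 instance using the key
# pair created for it. The user@host target was mangled to "[email protected]"
# by the page export; substitute the AMI's login user and the instance's public
# DNS name or IP.
ssh -i ~/.ssh/aws-keypair.pem "<ssh-user>@<harbor-aws-ec2-host>"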
Install Harbor-AWS
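# Stage the DER's LLC wildcard certificate chain and private key for Harbor,
# install Docker + Compose, then run the Harbor offline installer.
#
# NOTE(review): the private key (dersllc-new.key) is fetched from a git
# repository. Keys that live in git are a long-lived exposure; prefer pulling
# it from a secrets store and rotating the wildcard cert if this repo is shared.
set -euo pipefail

GITLAB_RAW="https://ders-gitlab.dersllc.com/ders/ders-proxy/-/raw/master"

mkdir -p /data
cd /data

# -f makes curl fail on HTTP errors instead of saving an error page as a "cert".
curl -fsSL "${GITLAB_RAW}/STAR_dersllc_com.crt"        > /data/ders-star-chain.crt
curl -fsSL "${GITLAB_RAW}/AddTrustExternalCARoot.crt" >> /data/ders-star-chain.crt
cp /data/ders-star-chain.crt /data/ders-star-chain.pem
curl -fsSL "${GITLAB_RAW}/AddTrustExternalCARoot.crt"  > /data/ders-ca.crt

# NOTE(review): "AddTrust External CA Root" expired in May 2020; confirm that
# clients still build a valid trust path for this chain before relying on it.
#
# Appending to ca-bundle.crt is what the original did. On RHEL-family hosts
# (this box uses yum) the durable form is to drop the CA into
# /etc/pki/ca-trust/source/anchors/ and run `update-ca-trust`, because the
# bundle file is regenerated by package updates.
cat /data/ders-ca.crt >> /etc/pki/tls/certs/ca-bundle.crt

curl -fsSL "${GITLAB_RAW}/dersllc-new.key" > /data/ders-star.key
# Private key: owner-only. Harbor's prepare step copies it into its own config
# tree as root, so this does not break the installer (confirm on your version).
chmod 600 /data/ders-star.key

yum -y install docker
systemctl enable --now docker

# NOTE(review): neither download below is checksum/signature verified. Both
# projects publish checksums (.sha256) / signatures (.asc) next to the
# release assets; verify them on anything that is not a throwaway lab host.
wget https://github.com/docker/compose/releases/download/v2.18.1/docker-compose-linux-x86_64 \
  -O /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

wget https://github.com/goharbor/harbor/releases/download/v2.8.1/harbor-offline-installer-v2.8.1.tgz
tar -zxvf harbor-offline-installer-v2.8.1.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml

# Interactive: set hostname, certificate/key paths and the data volume:
####   hostname:        harbor-aws.dersllc.com
####   certificate:     /data/ders-star-chain.crt
####   private_key:     /data/ders-star.key
####   data_volume:     /data/harbor-data
vi harbor.yml

./install.sh --with-trivy --with-notary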
Load Harbor with Images
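# On a jumpbox: push the TMC Self-Managed images and the Tanzu Standard package
# repository into the private Harbor project.
set -euo pipefail

# Interactive login; docker stores the resulting token in ~/.docker/config.json.
docker login harbor-aws.dersllc.com

#################################
# Set install variables         #
#################################
# The IMGPKG_REGISTRY_*_0 variables are also read by imgpkg for registry auth.
export IMGPKG_REGISTRY_HOSTNAME_0="harbor-aws.dersllc.com"
export IMGPKG_REGISTRY_USERNAME_0="admin"
# Prompt for the password instead of typing it into an export line, so it does
# not land in shell history. It is still handed to tmc-sm on argv (--password),
# which other local users can see via ps — keep the jumpbox single-user.
read -rsp "Harbor password for ${IMGPKG_REGISTRY_USERNAME_0}: " IMGPKG_REGISTRY_PASSWORD_0; echo
export IMGPKG_REGISTRY_PASSWORD_0
# NOTE(review): /data/ders-ca.crt was written on the Harbor EC2 host in the
# previous step; it must also be present at this path on the jumpbox.
export PRIVATE_IMAGE_REGISTRY_CA_PATH="/data/ders-ca.crt"
export PRIVATE_IMAGE_REGISTRY="harbor-aws.dersllc.com"
export TKG_IMAGE_REGISTRY="projects.registry.vmware.com/tkg"
export TKG_REPO_VERSION="v2.2.0_update.1"
export TMC_HARBOR_PROJECT="tmc-sm-1.0.0"
export TMC_BUNDLE="tmc-self-managed-1.0.0"

#########################
# Prep TMC bits         #
#########################
# The bundle tarball ($TMC_BUNDLE.tar) is expected in the current directory.
mkdir -p tmc
tar -xf "${TMC_BUNDLE}.tar" -C tmc
# NOTE(review): nothing on this page installs /usr/local/bin/tmc; the commands
# below use tmc/tmc-sm from the bundle. The chmod is kept for a pre-installed
# tmc CLI but no longer aborts the script when that file is absent.
if [[ -e /usr/local/bin/tmc ]]; then
  chmod +x /usr/local/bin/tmc
fi
tmc/tmc-sm push-images harbor \
  --project "${IMGPKG_REGISTRY_HOSTNAME_0}/${TMC_HARBOR_PROJECT}" \
  --username "${IMGPKG_REGISTRY_USERNAME_0}" \
  --password "${IMGPKG_REGISTRY_PASSWORD_0}"

############################################################
# Upload Tanzu Standard packages for TMC into the repo      #
############################################################
# --registry-ca-cert-path trusts the private CA for the Harbor side of the copy.
imgpkg copy --registry-ca-cert-path "${PRIVATE_IMAGE_REGISTRY_CA_PATH}" \
  -b "${TKG_IMAGE_REGISTRY}/packages/standard/repo:${TKG_REPO_VERSION}" \
  --to-repo "${PRIVATE_IMAGE_REGISTRY}/${TMC_HARBOR_PROJECT}/498533941640.dkr.ecr.us-west-2.amazonaws.com/packages/standard/repo"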
Setup EKS Cluster
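#########################
# AWS auth info         #
#########################
# Read by the AWS CLI and eksctl below. Use short-lived STS credentials (hence
# AWS_SESSION_TOKEN); long-lived IAM user keys pasted here end up in shell
# history and in the environment of every child process.
export AWS_ACCESS_KEY_ID="<AWS_ACCESS_KEY_ID>"
export AWS_SECRET_ACCESS_KEY="<AWS_SECRET_ACCESS_KEY>"
export AWS_SESSION_TOKEN="<AWS_SESSION_TOKEN>"

##########################
# Install AWS CLI v2     #
##########################
# -f: fail on HTTP errors instead of unzipping an error page.
# NOTE(review): AWS publishes a GPG signature (awscli-exe-linux-x86_64.zip.sig)
# for this archive; verify it before `sudo ./aws/install` outside a lab.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -oq awscliv2.zip   # -o: non-interactive overwrite on re-runs
sudo ./aws/install
aws --version

##########################
# Install eksctl         #
##########################
# NOTE(review): "latest" is unpinned — the binary changes from run to run. Pin a
# release tag and check it against the published eksctl_checksums.txt.
eksctl_tmp=$(mktemp -d)
curl -fsSL "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" \
  | tar xz -C "${eksctl_tmp}"
sudo mv "${eksctl_tmp}/eksctl" /usr/local/bin/
rm -rf -- "${eksctl_tmp}"

export eks_region=us-east-2
export eks_cluster_name=ders-tmc-sm
export eks_nodegroup_size=m5.xlarge

# Three m5.xlarge nodes, autoscaling 3..11. Everything not set here takes eksctl
# defaults (including, unless changed, a publicly reachable API endpoint) —
# review before reusing outside a homelab.
eksctl create cluster --name "${eks_cluster_name}" -r "${eks_region}" -t "${eks_nodegroup_size}" \
  --nodes 3 --nodes-min 3 --nodes-max 11
# Wait for Status Complete.......

# Get kubeconfig for EKS if needed
#aws eks update-kubeconfig --region "${eks_region}" --name "${eks_cluster_name}"

# Add another node group if needed
#export eks_nodegroup_name=ders-tmc-nodes
#eksctl create nodegroup -c "${eks_cluster_name}" -r "${eks_region}" -n "${eks_nodegroup_name}" \
#  -t "${eks_nodegroup_size}" --nodes 3 --nodes-min 3 --nodes-max 11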
Prepare EKS for TMC Deploy
# Prep the EBS CSI driver: register an IAM OIDC provider for the cluster so the
# CSI controller's service account can assume an IAM role, create that role
# with the managed EBS CSI policy, then install the add-on bound to the role.
account_id=$(aws sts get-caller-identity --query Account --output text)
ebs_csi_role="AmazonEKS_EBS_CSI_DriverRole"

eksctl utils associate-iam-oidc-provider \
  --region="${eks_region}" \
  --cluster="${eks_cluster_name}" \
  --approve

# --role-only: only the IAM role is created here; the add-on manages the
# Kubernetes ServiceAccount itself.
eksctl create iamserviceaccount \
  --name ebs-csi-controller-sa \
  --namespace kube-system \
  --cluster "${eks_cluster_name}" \
  --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \
  --approve \
  --role-only \
  --region="${eks_region}" \
  --role-name "${ebs_csi_role}"

# --force overwrites any existing add-on configuration with the same name.
eksctl create addon --name aws-ebs-csi-driver \
  --cluster "${eks_cluster_name}" \
  --service-account-role-arn "arn:aws:iam::${account_id}:role/${ebs_csi_role}" \
  --region="${eks_region}" \
  --force
Create CA Cert for Cert-Manager
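################################################
# Create config for the CA certificate         #
################################################
# Key material lands in /tmp/ssl: keep the directory private and create the
# key/cert files 0600 (umask) rather than world-readable under shared /tmp.
install -d -m 700 /tmp/ssl
cd /tmp/ssl || exit 1
umask 077

# default_bits matches the -newkey size below (the original said 2048 but was
# overridden by -newkey rsa:4096).
cat <<EOF > ca.cnf
[ req ]
default_bits           = 4096
default_md             = sha256
prompt                 = no
encrypt_key            = no
distinguished_name     = dn

[ dn ]
countryName            = US
stateOrProvinceName    = Ohio
localityName           = Beavercreek
organizationName       = DER's LLC
organizationalUnitName = IT
commonName             = ca.dersllc.com

[ ext ]
# RFC 5280 requires a subjectKeyIdentifier on CA certificates; clients use it
# to match issued certificates' authorityKeyIdentifier back to this CA.
subjectKeyIdentifier   = hash
keyUsage               = critical, keyCertSign, cRLSign
basicConstraints       = critical, CA:true, pathlen:1
subjectAltName         = DNS:ca.dersllc.com
EOF

###############################################################
# Create a self-signed CA cert using the config above          #
###############################################################
# -nodes: unencrypted key (the cert-manager CA issuer secret expects one);
# ten-year validity; the duplicated -nodes from the original is dropped.
openssl req -x509 -nodes -newkey rsa:4096 -sha256 -days 3650 \
  -keyout ders-ca.key -out ders-ca.cer -extensions ext -config ca.cnf

########################################################################################
# Get base64-encoded PEM and KEY for the K8S issuer YAML used in the next step         #
########################################################################################
# NOTE(review): this prints the CA private key to the terminal (scrollback,
# session recordings). Prefer creating the secret directly, e.g.
#   kubectl create secret tls <issuer-secret> --cert=ders-ca.cer --key=ders-ca.key -n <ns>
# using the secret name/namespace your issuer YAML references.
# The trailing echo keeps the two base64 strings on separate lines (-w0 emits
# no newline, so the original printed them run together).
base64 -w0 < ders-ca.cer; echo
base64 -w0 < ders-ca.key; echo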
Install TMC
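################################################
# Setup TMC namespace and cert-manager         #
################################################
set -euo pipefail

kubectl get ns tmc-local >/dev/null 2>&1 || kubectl create ns tmc-local

# Deploy cert-manager (pinned release) into the EKS cluster and wait for its
# deployments to roll out, instead of a fixed 60s sleep.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
kubectl -n cert-manager rollout status deploy/cert-manager            --timeout=180s
kubectl -n cert-manager rollout status deploy/cert-manager-cainjector --timeout=180s
kubectl -n cert-manager rollout status deploy/cert-manager-webhook    --timeout=180s

# Add the ders-ca issuer (referenced from tmc-eks-values.yaml).
# NOTE(review): pulled from an unpinned git branch (main); the file embeds the
# CA material created in the previous step — review it before applying.
kubectl apply -f "https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/HomeLab/TMC%20on%20TKGm/tmc-issuer.yaml"

################################################################
# Setup Harbor credentials for the tmc-local namespace         #
################################################################
# Scope the pull secret to the Harbor registry only. The original copied all of
# /root/.docker/config.json into the cluster, which ships every registry
# credential on the jumpbox (and may hold no usable token when docker uses a
# credential helper). The variables come from the "Load Harbor with Images" step.
: "${IMGPKG_REGISTRY_HOSTNAME_0:?set in the 'Load Harbor with Images' step}"
: "${IMGPKG_REGISTRY_USERNAME_0:?set in the 'Load Harbor with Images' step}"
: "${IMGPKG_REGISTRY_PASSWORD_0:?set in the 'Load Harbor with Images' step}"
kubectl create secret docker-registry regcred -n tmc-local \
  --docker-server="${IMGPKG_REGISTRY_HOSTNAME_0}" \
  --docker-username="${IMGPKG_REGISTRY_USERNAME_0}" \
  --docker-password="${IMGPKG_REGISTRY_PASSWORD_0}"
kubectl patch serviceaccount default -n tmc-local \
  -p '{"imagePullSecrets": [{"name": "regcred"}]}'

##################################
# Create TMC values file         #
##################################
# Depending on the TMC version, one of these emits the values schema:
#tmc/tmc-sm generate-values-schema --output-file tmc-eks-values.yaml
#tmc/tmc-sm show-values-schema --output-file tmc-eks-values.yaml

#############################################
# Pull TMC values file and validate         #
#############################################
# NOTE(review): the values file is fetched from an unpinned git branch (main)
# over HTTPS and drives the whole deployment; review it before use.
values_file="tmc-eks-values.yaml"
curl -fsSL "https://ders-gitlab.dersllc.com/ders/vmware-se/-/raw/main/HomeLab/TMC/tmc-eks-values.yaml" \
  -o "${values_file}"
# Validate the file that was actually downloaded and is deployed below (the
# original validated "tmc-values.yaml", a different file from the one fetched).
tmc/tmc-sm validate-values "${values_file}"

############################################
# Finally install TMC Self-Managed         #
############################################
: "${PRIVATE_IMAGE_REGISTRY:?set in the 'Load Harbor with Images' step}"
: "${TMC_HARBOR_PROJECT:?set in the 'Load Harbor with Images' step}"
tmc/tmc-sm deploy --image-prefix "${PRIVATE_IMAGE_REGISTRY}/${TMC_HARBOR_PROJECT}" \
  --kubeconfig "${HOME}/.kube/config" --values="${values_file}"

###############################################################
# During install get the LB hostname and add it to DNS         #
###############################################################
kubectl get service -n tmc-local contour-envoy -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'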
Uninstall TMC
# Remove TMC Self-Managed from the cluster pointed to by the default kubeconfig.
# NOTE(review): the install steps above invoke the bundle binary as tmc/tmc-sm,
# while this uninstall still references tmc/tmc-local — confirm which name your
# bundle version ships before running.
tmc/tmc-local uninstall --kubeconfig "${HOME}/.kube/config"
Setup Inspection Images
Run the command below to write the image download/mirror script to disk.
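# Write the helper that mirrors the Sonobuoy/TMC inspection images into Harbor.
# The quoted "EOF" delimiter keeps every $var literal until the script runs.
cat > ./inspection-images.sh << "EOF"
#!/bin/bash
# Mirror the Sonobuoy conformance images (plus two images Sonobuoy does not
# list) into the TMC project on the private registry so cluster inspections
# work without internet egress.
#
# Positional arguments (all optional):
#   $1  sonobuoy release tag                 $2  sonobuoy tarball file name
#   $3  target registry/project              $4  Docker Hub pull-through proxy ("" to pull direct)
#
# Any failed pull/tag/push aborts the run (set -e) instead of leaving a silent
# gap in the mirror.
set -euo pipefail

# https://github.com/vmware-tanzu/sonobuoy/releases
VERSION=${1:-"v0.56.16"}
LATEST_RELEASE=${2:-"sonobuoy_0.56.16_linux_amd64.tar.gz"}
CUSTOM_REGISTRY=${3:-"harbor-aws.dersllc.com/tmc-1.0.0-beta.2-rc.3"}
DOCKER_PROXY=${4:-"harbor.tanzu.io:8443/dockerhub-proxy-cache"}   # optional argument
CUSTOM_TMC_REPO="${CUSTOM_REGISTRY}/498533941640.dkr.ecr.us-west-2.amazonaws.com"
TARGET="${CUSTOM_TMC_REPO}/extensions/inspection-images"

# https://kubernetes.io/releases/patch-releases/
k8s_versions=(v1.23.8 v1.24.10)

# NOTE(review): the tarball is fetched without checksum/signature verification;
# Sonobuoy releases publish checksums next to the assets — verify before use.
wget "https://github.com/vmware-tanzu/sonobuoy/releases/download/${VERSION}/${LATEST_RELEASE}"
tar -xvf "${LATEST_RELEASE}"

# Pull $1, retag it as $2 and push it.
mirror_image() {
  docker pull "$1"
  docker tag "$1" "$2"
  docker push "$2"
  echo "===================PUSHING: $2 ==========="
}

for k8s in "${k8s_versions[@]}"; do
  echo "================CHECKING K8S: ${k8s}======================="
  ./sonobuoy images list --kubernetes-version "${k8s}" > "images_${k8s}.txt"
  while IFS= read -r image; do
    [[ -n "${image}" ]] || continue
    echo "================CHECKING IMAGE: ${image}=================="
    base=$(basename "${image}")
    output=${image#*/}   # drop the leading registry/host component
    # The original wrote this condition without [[ ]], which ran "$image" as a
    # command and always fell through to the direct-pull branch.
    if [[ "${image}" == *docker* && -n "${DOCKER_PROXY}" ]]; then
      mirror_image "${DOCKER_PROXY}/${output}" "${TARGET}/${base}"
    else
      mirror_image "${image}" "${TARGET}/${base}"
    fi
  done < "images_${k8s}.txt"
done

# Not part of the sonobuoy image list; update these as images are found.
# NOTE(review): k8s.gcr.io has been frozen in favour of registry.k8s.io —
# expect these pulls to depend on the redirect until the refs are updated.
mirror_image k8s.gcr.io/e2e-test-images/agnhost:2.31 "${TARGET}/agnhost:2.31"
mirror_image k8s.gcr.io/pause:3.9                    "${TARGET}/pause:3.9"

# Clean up the image lists and the sonobuoy tarball.
rm -f -- images_* sonobuoy_*
EOF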
Edit the file and set the variables at the top (VERSION, LATEST_RELEASE, CUSTOM_REGISTRY, DOCKER_PROXY, and k8s_versions).
# Open the generated script to adjust the variables at its top.
vi ./inspection-images.sh
Save the file and make it executable
# Mark the script executable so it can be run directly via its shebang.
chmod +x -- ./inspection-images.sh
Run the Script
# Run the mirror script (needs docker login to the target registry first).
./inspection-images.sh