mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-10-06 13:11:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

docs: improve configuration documentation (#186)

Browse Source
This commit is contained in:
Andrew Rynhard 2018-11-04 13:44:54 -08:00 committed by GitHub
parent de01e950f8
commit c5fbe9957d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 1085 additions and 206 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
docs/categories/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

13
docs/components/blockd/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>
@ -260,7 +267,7 @@
</ul>
<p>These partitions are reserved and cannot be modified.
The one expection to this is that the <code>DATA</code> partition will be resized automatically in the <code>init</code> process to the maximum size possible.
The one exception to this is that the <code>DATA</code> partition will be resized automatically in the <code>init</code> process to the maximum size possible.
Managing any other block device can be done via the <code>blockd</code> service.</p>
</p>
</section>

11
docs/components/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

2
docs/components/index.xml
View File

@ -86,7 +86,7 @@ To make this work, we needed an out-of-band tool for managing the nodes. In an i
<guid>https://dianemo.autonomy.io/components/blockd/</guid>
<description>Dianemo comes with a reserved block device with three partitions:
an EFI System Partition (ESP) a ROOT partition mounted as read-only that contains the minimal set of binaries to operate system services and a DATA partion that is mounted as read/write at /var/run These partitions are reserved and cannot be modified. The one expection to this is that the DATA partition will be resized automatically in the init process to the maximum size possible.</description>
an EFI System Partition (ESP) a ROOT partition mounted as read-only that contains the minimal set of binaries to operate system services and a DATA partion that is mounted as read/write at /var/run These partitions are reserved and cannot be modified. The one exception to this is that the DATA partition will be resized automatically in the init process to the maximum size possible.</description>
</item>
</channel>

11
docs/components/init/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

11
docs/components/kernel/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

11
docs/components/kubeadm/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

11
docs/components/osctl/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

13
docs/components/osd/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>
@ -263,7 +270,7 @@ But, in the real world, this does not happen.
We still need a way to handle operational scenarios that may arise.</p>
<p>The <code>osd</code> daemon provides a way to do just that.
Based on the Principle of Least Privilege, <code>osd</code> provides operational value for cluster administrations by providing an API for node management.</p>
Based on the Principle of Least Privilege, <code>osd</code> provides operational value for cluster administrators by providing an API for node management.</p>
</p>
</section>
</div>

11
docs/components/proxyd/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

11
docs/components/trustd/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

20
docs/configuration/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>
@ -245,7 +252,14 @@
<div class="column document">
<section class="document">
<h1 class="title">Configuration</h1>
<p><p>In this section we will discuss the configuration of a Dianemo node.</p>
<p><p>In this section, we will step through the configuration of a Dianemo based Kubernetes cluster.
There are three major components we will configure:</p>
<ul>
<li><code>osd</code> and <code>osctl</code></li>
<li>the master nodes</li>
<li>the worker nodes</li>
</ul>
</p>
</section>
</div>

25
docs/configuration/index.xml
View File

@ -12,12 +12,25 @@
<item>
<title>Control Plane</title>
<link>https://dianemo.autonomy.io/configuration/controlplane/</link>
<title>osd</title>
<link>https://dianemo.autonomy.io/configuration/osd/</link>
<pubDate>Sat, 03 Nov 2018 17:14:49 -0700</pubDate>
<guid>https://dianemo.autonomy.io/configuration/osd/</guid>
<description>The osd service enforces a high level of security by utilizing mutual TLS for authentication and authorization. In this section we will configure mutual TLS by generating the certificates for the servers (osd) and clients (osctl).
Cluster Owners We recommend that the configuration of osd be performed by a cluster owner. A cluster owner should be a person of authority within an organization. Perhaps a director, manager, or senior member of a team.</description>
</item>
<item>
<title>Masters</title>
<link>https://dianemo.autonomy.io/configuration/masters/</link>
<pubDate>Mon, 29 Oct 2018 19:40:55 -0700</pubDate>
<guid>https://dianemo.autonomy.io/configuration/controlplane/</guid>
<description>version: &amp;quot;&amp;quot; security: os: ca: crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509} key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509} identity: crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509} key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509} kubernetes: ca: crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509} key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509} networking: os: {} kubernetes: {} services: kubeadm: init: type: initial etcdMemberName: etcd-1 containerRuntime: docker configuration: | apiVersion: kubeadm.k8s.io/v1alpha2 kind: MasterConfiguration clusterName: example bootstrapTokens: - token: abcdef.0123456789abcdef ttl: 0s kubeProxy: config: ipvs: scheduler: lc mode: ipvs networking: dnsDomain: cluster.local podSubnet: 10.244.0.0/16 serviceSubnet: 10.96.0.0/12 trustd: username: example password: example You can generate the PKI resources and inject them into the configuration with osctl.</description>
<guid>https://dianemo.autonomy.io/configuration/masters/</guid>
<description>Configuring master nodes in a Dianemo Kubernetes cluster is a two part process:
configuring the Dianemo specific options and configuring the Kubernetes specific options To get started, create a YAML file we will use in the following steps:
touch &amp;lt;node-name&amp;gt;.yaml Configuring Dianemo Injecting the Dianemo PKI Using osctl, and our output from the PKI instructions, inject the generated PKI into the configuration file:
osctl inject os --crt &amp;lt;organization&amp;gt;.</description>
</item>
<item>
@ -26,7 +39,9 @@
<pubDate>Mon, 29 Oct 2018 19:40:55 -0700</pubDate>
<guid>https://dianemo.autonomy.io/configuration/workers/</guid>
<description>version: &amp;quot;&amp;quot; security: os: ca: crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509} networking: os: {} kubernetes: {} services: kubeadm: containerRuntime: docker configuration: | apiVersion: kubeadm.k8s.io/v1alpha2 kind: NodeConfiguration token: abcdef.0123456789abcdef discoveryTokenAPIServers: - ${MASTER_IP}:443 discoveryTokenCACertHashes: - sha256:${CA_CERT_HASH} trustd: username: example password: example endpoints: - ${MASTER_IP} </description>
<description>Configuring the worker nodes is much more simple in comparison to configuring the master nodes. Using the trustd API, worker nodes submit a CSR, and, if authenticated, receive a valid osd certificate. Similarly, using a kubeadm token, the node joins an existing cluster.
We need to specify:
the osd public certificate trustd credentials and endpoints and a kubeadm JoinConfiguration version: &amp;quot;&amp;quot; security: os: ca: crt: &amp;lt;base 64 encoded root public certificate&amp;gt; services: kubeadm: configuration: | apiVersion: kubeadm.</description>
</item>
</channel>

166
docs/configuration/controlplane/index.html → docs/configuration/masters/index.html
View File

@ -189,10 +189,17 @@
</a>
<ul class="sidebar-list active">
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link active"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>
@ -243,55 +250,142 @@
<div class="row ">
<div class="column column-10">
<a class="navigation navigation-previous" href="https://dianemo.autonomy.io/configuration/osd/">
<i class="fa fa-chevron-left"></i>
</a>
</div>
<div class="column document">
<section class="document">
<h1 class="title">Control Plane</h1>
<p><pre><code class="language-yaml">version: &quot;&quot;
security:
<h1 class="title">Masters</h1>
<p>
<p>Configuring master nodes in a Dianemo Kubernetes cluster is a two part process:</p>
<ul>
<li>configuring the Dianemo specific options</li>
<li>and configuring the Kubernetes specific options</li>
</ul>
<p>To get started, create a YAML file we will use in the following steps:</p>
<pre><code class="language-bash">touch &lt;node-name&gt;.yaml
</code></pre>
<h2 id="configuring-dianemo">Configuring Dianemo</h2>
<h3 id="injecting-the-dianemo-pki">Injecting the Dianemo PKI</h3>
<p>Using <code>osctl</code>, and our output from the <a href="https://dianemo.autonomy.io/configuration/osd/">PKI</a> instructions, inject the generated PKI into the configuration file:</p>
<pre><code class="language-bash">osctl inject os --crt &lt;organization&gt;.crt --key &lt;organization&gt;.key &lt;node-name&gt;.yaml
osctl inject identity --crt &lt;node-name&gt;.crt --key &lt;node-name&gt;.key &lt;node-name&gt;.yaml
</code></pre>
<p>You should see the following fields populated:</p>
<pre><code class="language-yaml">security:
os:
ca:
crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509}
key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509}
crt: &lt;base 64 encoded root public certificate&gt;
key: &lt;base 64 encoded root private key&gt;
identity:
crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509}
key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509}
crt: &lt;base 64 encoded identity public certificate&gt;
key: &lt;base 64 encoded identity private key&gt;
...
</code></pre>
<h3 id="configuring-trustd">Configuring <code>trustd</code></h3>
<p>Each master node participates as a Root of Trust in the cluster.
The responsibilities of <code>trustd</code> include:</p>
<ul>
<li>certificate as a service</li>
<li>and Kubernetes PKI distribution amongst master nodes</li>
</ul>
<p>The auth done between <code>trustd</code> and a client is, for now, a simple username and password combination.
Having these credentials gives a client the power to request a certifcate that identifies itself.
In the <code>&lt;node-name&gt;.yaml</code>, add the follwing:</p>
<pre><code class="language-yaml">security:
...
services:
...
trustd:
username: &lt;username&gt;
password: &lt;password&gt;
...
</code></pre>
<h2 id="configuring-kubernetes">Configuring Kubernetes</h2>
<h3 id="generating-the-root-ca">Generating the Root CA</h3>
<p>To create the root CA for the Kubernetes cluster, run:</p>
<pre><code class="language-bash">osctl gen ca --rsa --hours &lt;hours&gt; --organization &lt;kubernetes-organization&gt;
</code></pre>
<blockquote class="note " >
<p>Note: The <code>--rsa</code> flag is required for the generation of the Kubernetes CA.</p>
</blockquote>
<h3 id="injecting-the-kubernetes-pki">Injecting the Kubernetes PKI</h3>
<p>Using <code>osctl</code>, inject the generated PKI into the configuration file:</p>
<pre><code class="language-bash">osctl inject kubernetes --crt &lt;kubernetes-organization&gt;.crt --key &lt;kubernetes-organization&gt;.key &lt;node-name&gt;.yaml
</code></pre>
<p>You should see the following fields populated:</p>
<pre><code class="language-yaml">security:
...
kubernetes:
ca:
crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509}
key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509}
networking:
os: {}
kubernetes: {}
services:
crt: &lt;base 64 encoded root public certificate&gt;
key: &lt;base 64 encoded root private key&gt;
...
</code></pre>
<h3 id="configuring-kubeadm">Configuring Kubeadm</h3>
<p>The configuration of the <code>kubeadm</code> service is done in two parts:</p>
<ul>
<li>supplying the Dianemo specific options</li>
<li>supplying the <code>kubeadm</code> <code>InitConfiguration</code></li>
</ul>
<h4 id="dianemo-specific-options">Dianemo Specific Options</h4>
<pre><code class="language-yaml">services:
...
kubeadm:
init:
type: initial
etcdMemberName: etcd-1
containerRuntime: docker
etcdMemberName: &lt;member-name&gt;
...
</code></pre>
<h4 id="kubeadm-specific-options">Kubeadm Specific Options</h4>
<pre><code class="language-yaml">services:
...
kubeadm:
...
configuration: |
apiVersion: kubeadm.k8s.io/v1alpha2
kind: MasterConfiguration
clusterName: example
bootstrapTokens:
- token: abcdef.0123456789abcdef
ttl: 0s
kubeProxy:
config:
ipvs:
scheduler: lc
mode: ipvs
networking:
dnsDomain: cluster.local
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
trustd:
username: example
password: example
apiVersion: kubeadm.k8s.io/v1alpha3
kind: InitConfiguration
...
...
</code></pre>
<blockquote>
<p>You can generate the PKI resources and inject them into the configuration with <a href="/components/osctl/">osctl</a>.</p>
<p>See the official <a href="https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/">documentation</a> for the options available in <code>InitConfiguration</code>.</p>
</blockquote>
</p>
</section>

381
docs/configuration/osd/index.html Normal file
View File

@ -0,0 +1,381 @@
<!DOCTYPE html>
<head>
<meta charset="utf-8">
<title>Autonomy</title>
<meta name="description" content="">
<meta name="author" content="andrew.rynhard@autonomy.io">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="https://fonts.googleapis.com/css?family=Raleway|Fira+Mono|Roboto:300" rel="stylesheet">
<link rel="icon" type="image/png" href="https://dianemo.autonomy.io/img/favicon.png">
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/fuse.js/3.2.0/fuse.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/mark.js/8.11.1/jquery.mark.min.js"></script>
<script src="https://dianemo.autonomy.io/js/search.js"></script>
<link rel="stylesheet" href="https://dianemo.autonomy.io//css/milligram.min.css">
<link rel="stylesheet" href="https://dianemo.autonomy.io/css/main.css">
</head>
<nav class="navbar">
<div class="container">
<div class="row">
<div class="column column-50">
<ul class="navbar-list navbar-left">
<li class="navbar-item">
<a class="navbar-link logo" href="/">
<img src="https://dianemo.autonomy.io//img/logo.svg" class="logo">
</a>
</li>
</ul>
</div>
<div class="column column-50">
<ul class="navbar-list navbar-right">
<li class="navbar-item">
<a class="navbar-link navbar-logo" rel="noopener noreferrer" href="https://github.com/autonomy/dianemo" target="_blank">
<span class="octicon octicon-mark-github"></span>
</a>
</li>
<li class="navbar-item">
<a class="navbar-link navbar-logo" rel="noopener noreferrer" href="https://hub.docker.com/u/autonomy" target="_blank">
<span class="fab fa-docker"></span>
</a>
</li>
</ul>
</div>
</div>
</div>
</nav>
<script id="search-result-template" type="text/x-js-template">
<li class="sidebar-item">
<div id="summary-${key}">
<a class="sidebar-link" href="${link}">${title}</a>
<p class="search-result-item">${preview}</p>
</div>
</li>
</script>
<nav class="sidebar">
<div class="row">
<div class="column">
<span>
<a class="logo" href="https://dianemo.autonomy.io/">
<img src="https://dianemo.autonomy.io//img/logo.svg" class="logo">
</a>
</span>
</div>
</div>
<hr>
<div class="row">
<div class="column">
<div class="button-group button-group-center">
<a class="button" href="https://github.com/autonomy/dianemo/fork">
<span class="octicon octicon-repo-forked"></span>
Fork
</a>
<a class="button" href="https://github.com/autonomy/dianemo/stargazers">
<span class="octicon octicon-star"></span>
Star
</a>
</div>
</div>
</div>
<hr>
<div class="row search-area">
<form class="search-form" action="" onSubmit="return">
<input class="search-box" id="search-query" name="s" type="text" placeholder="search" />
</form>
<ul class="sidebar-list search-results" id="search-results">
</ul>
</div>
<div class="row">
<div class="column">
<ul class="sidebar-list parent">
<li class="sidebar-item">
<a class="sidebar-link sidebar-link-parent"
href="https://dianemo.autonomy.io/components/" >
Components
</a>
<ul class="sidebar-list">
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/components/kernel/" >
kernel
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/components/init/" >
init
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/components/kubeadm/" >
kubeadm
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/components/trustd/" >
trustd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/components/proxyd/" >
proxyd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/components/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/components/osctl/" >
osctl
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/components/blockd/" >
blockd
</a>
</li>
</ul>
</li>
<li class="sidebar-item">
<a class="sidebar-link sidebar-link-parent active"
href="https://dianemo.autonomy.io/configuration/" >
Configuration
</a>
<ul class="sidebar-list active">
<li class="sidebar-item">
<a class="sidebar-link active"
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/workers/" >
Workers
</a>
</li>
</ul>
</li>
<li class="sidebar-item">
<a class="sidebar-link sidebar-link-parent"
href="https://dianemo.autonomy.io/examples/" >
Examples
</a>
<ul class="sidebar-list">
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/examples/aws/" >
AWS
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/examples/kvm/" >
KVM
</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</nav>
<body>
<div class="container">
<div class="content">
<div class="row ">
<div class="column column-10">
</div>
<div class="column document">
<section class="document">
<h1 class="title">osd</h1>
<p>
<p>The <code>osd</code> service enforces a high level of security by utilizing mutual TLS for authentication and authorization.
In this section we will configure mutual TLS by generating the certificates for the servers (<code>osd</code>) and clients (<code>osctl</code>).</p>
<h3 id="cluster-owners">Cluster Owners</h3>
<p>We recommend that the configuration of <code>osd</code> be performed by a cluster owner.
A cluster owner should be a person of authority within an organization.
Perhaps a director, manager, or senior member of a team.
They are responsible for storing the root CA, and distributing the PKI for authorized cluster administrators.</p>
<h3 id="cluster-administrators">Cluster Administrators</h3>
<p>The authorization to use <code>osctl</code> should be granted to a person fit for cluster administration.
As a cluster administrator, the user gains access to the out-of-band management tools offered by Dianemo.</p>
<h2 id="configuring-osd">Configuring <code>osd</code></h2>
<p>To configure <code>osd</code>, we will need:</p>
<ul>
<li>static IP addresses for each node that will participate as a master</li>
<li>a root CA</li>
<li>and identity certificates for each node participating as a master signed by the root CA</li>
</ul>
<p>The following steps should be performed by a cluster owner.</p>
<h3 id="generating-the-root-ca">Generating the Root CA</h3>
<p>The root CA can be generated by running:</p>
<pre><code class="language-bash">osctl gen ca --hours &lt;hours&gt; --organization &lt;organization&gt;
</code></pre>
<p>The cluster owner should store the generated private key (<code>&lt;organization&gt;.key</code>) in a safe place, that only other cluster owners have access to.
The public certificate (<code>&lt;organization&gt;.crt</code>) should be made available to cluster administrators because, as we will see shortly, it is required to configure <code>osctl</code>.</p>
<blockquote class="note " >
<p>Note: The <code>--rsa</code> flag should <em>not</em> be specified for the generation of the <code>osd</code> CA.</p>
</blockquote>
<h3 id="generating-the-identity-certificates">Generating the Identity Certificates</h3>
<p>Now that we have our root CA, we must create certificates that identify the node.
As the cluster owner, run:</p>
<pre><code class="language-bash">osctl gen key --name &lt;node-name&gt;
osctl gen csr --ip &lt;node-ip&gt; --key &lt;node-name&gt;.key
osctl gen crt --hours &lt;hours&gt; --ca &lt;organization&gt; --csr &lt;node-name&gt;.csr --name &lt;node-name&gt;
</code></pre>
<p>Repeat this process for each node that will participate as a master.</p>
<h2 id="configuring-osctl">Configuring <code>osctl</code></h2>
<p>To configure <code>osctl</code>, we will need:</p>
<ul>
<li>the root CA we generated above</li>
<li>and a certificate signed by the root CA specific to the user</li>
</ul>
<p>The process for setting up <code>osctl</code> is done in part between a cluster owner and a user requesting to become a cluster administrator.</p>
<h3 id="generating-the-user-certificate">Generating the User Certificate</h3>
<p>The user requesting cluster administration access runs the following:</p>
<pre><code class="language-bash">osctl gen key --name &lt;user&gt;
osctl gen csr --ip 127.0.0.1 --key &lt;user&gt;.key
</code></pre>
<p>Now, the cluster owner must generate a certificate from the above CSR.
To do this, the user requesting access submits the CSR generated above to the cluster owner, and the cluster owner runs the following:</p>
<pre><code class="language-bash">osctl gen crt --hours &lt;hours&gt; --ca &lt;organization&gt; --csr &lt;user&gt;.csr --name &lt;user&gt;
</code></pre>
<p>The generated certificate is then sent to the requesting user using a secure channel.</p>
<h3 id="the-configuration-file">The Configuration File</h3>
<p>With all the above steps done, the new cluster administrator can now create the configuration file for <code>osctl</code>.</p>
<pre><code class="language-bash">cat &lt;organization&gt;.crt | base64
cat &lt;user&gt;.crt | base64
cat &lt;user&gt;.key | base64
</code></pre>
<p>Now, create <code>~/.dianemo/config</code> with the following contents:</p>
<pre><code class="language-yaml">context: &lt;context&gt;
contexts:
&lt;context&gt;:
target: &lt;node-ip&gt;
ca: &lt;base 64 encoded root public certificate&gt;
crt: &lt;base 64 encoded user public certificate&gt;
key: &lt;base 64 encoded user private key&gt;
</code></pre>
</p>
</section>
</div>
<div class="column column-10">
<a class="navigation navigation-next" href="https://dianemo.autonomy.io/configuration/masters/">
<i class="fa fa-chevron-right"></i>
</a>
</div>
</div>
</div>
</div>
</body>
<div class="footer">
<aside class="copyright">
&copy; 2018 Released under Mozilla Public License 2.0
</aside>
</div>

55
docs/configuration/workers/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>
@ -243,7 +250,7 @@
<div class="row ">
<div class="column column-10">
<a class="navigation navigation-previous" href="https://dianemo.autonomy.io/configuration/controlplane/">
<a class="navigation navigation-previous" href="https://dianemo.autonomy.io/configuration/masters/">
<i class="fa fa-chevron-left"></i>
</a>
@ -251,31 +258,41 @@
<div class="column document">
<section class="document">
<h1 class="title">Workers</h1>
<p><pre><code class="language-yaml">version: &quot;&quot;
<p><p>Configuring the worker nodes is much more simple in comparison to configuring the master nodes.
Using the <code>trustd</code> API, worker nodes submit a <code>CSR</code>, and, if authenticated, receive a valid <code>osd</code> certificate.
Similarly, using a <code>kubeadm</code> token, the node joins an existing cluster.</p>
<p>We need to specify:</p>
<ul>
<li>the <code>osd</code> public certificate</li>
<li><code>trustd</code> credentials and endpoints</li>
<li>and a <code>kubeadm</code> <code>JoinConfiguration</code></li>
</ul>
<pre><code class="language-yaml">version: &quot;&quot;
security:
os:
ca:
crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509}
networking:
os: {}
kubernetes: {}
crt: &lt;base 64 encoded root public certificate&gt;
services:
kubeadm:
containerRuntime: docker
configuration: |
apiVersion: kubeadm.k8s.io/v1alpha2
kind: NodeConfiguration
token: abcdef.0123456789abcdef
discoveryTokenAPIServers:
- ${MASTER_IP}:443
discoveryTokenCACertHashes:
- sha256:${CA_CERT_HASH}
apiVersion: kubeadm.k8s.io/v1alpha3
kind: JoinConfiguration
...
trustd:
username: example
password: example
username: &lt;username&gt;
password: &lt;password&gt;
endpoints:
- ${MASTER_IP}
- &lt;master-1&gt;
...
- &lt;master-n&gt;
</code></pre>
<blockquote>
<p>See the official <a href="https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/">documentation</a> for the options available in <code>InitConfiguration</code>.</p>
</blockquote>
</p>
</section>
</div>

11
docs/css/main.css
View File

@ -164,7 +164,16 @@ input.search-box {
input.search-box::placeholder {
text-align: center;
opacity: 0.7;
opacity: 0.2;
}
h1>code,
h2>code,
h3>code,
h4>code,
h5>code,
h6>code {
font-size: inherit;
}
/* Larger than mobile screen */

11
docs/dianemo/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

11
docs/examples/aws/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

11
docs/examples/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

11
docs/examples/kvm/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

11
docs/index.html
View File

@ -192,8 +192,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

2
docs/index.json
View File

File diff suppressed because one or more lines are too long

55
docs/index.xml
View File

@ -6,11 +6,21 @@
<description>Recent content on Dianemo</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<lastBuildDate>Mon, 29 Oct 2018 19:40:55 -0700</lastBuildDate>
<lastBuildDate>Sat, 03 Nov 2018 17:14:49 -0700</lastBuildDate>
<atom:link href="https://dianemo.autonomy.io/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>osd</title>
<link>https://dianemo.autonomy.io/configuration/osd/</link>
<pubDate>Sat, 03 Nov 2018 17:14:49 -0700</pubDate>
<guid>https://dianemo.autonomy.io/configuration/osd/</guid>
<description>The osd service enforces a high level of security by utilizing mutual TLS for authentication and authorization. In this section we will configure mutual TLS by generating the certificates for the servers (osd) and clients (osctl).
Cluster Owners We recommend that the configuration of osd be performed by a cluster owner. A cluster owner should be a person of authority within an organization. Perhaps a director, manager, or senior member of a team.</description>
</item>
<item>
<title>kernel</title>
<link>https://dianemo.autonomy.io/components/kernel/</link>
@ -20,6 +30,18 @@
<description>The kernel included with Dianemo is configured according to the recommendations outlined in the Kernel Self Protection Project (KSSP).</description>
</item>
<item>
<title>Masters</title>
<link>https://dianemo.autonomy.io/configuration/masters/</link>
<pubDate>Mon, 29 Oct 2018 19:40:55 -0700</pubDate>
<guid>https://dianemo.autonomy.io/configuration/masters/</guid>
<description>Configuring master nodes in a Dianemo Kubernetes cluster is a two part process:
configuring the Dianemo specific options and configuring the Kubernetes specific options To get started, create a YAML file we will use in the following steps:
touch &amp;lt;node-name&amp;gt;.yaml Configuring Dianemo Injecting the Dianemo PKI Using osctl, and our output from the PKI instructions, inject the generated PKI into the configuration file:
osctl inject os --crt &amp;lt;organization&amp;gt;.</description>
</item>
<item>
<title>init</title>
<link>https://dianemo.autonomy.io/components/init/</link>
@ -31,6 +53,17 @@ We wanted to create a focused init that had one job - run Kubernetes. There simp
To accomplish this, we must address real world operations needs like:</description>
</item>
<item>
<title>Workers</title>
<link>https://dianemo.autonomy.io/configuration/workers/</link>
<pubDate>Mon, 29 Oct 2018 19:40:55 -0700</pubDate>
<guid>https://dianemo.autonomy.io/configuration/workers/</guid>
<description>Configuring the worker nodes is much more simple in comparison to configuring the master nodes. Using the trustd API, worker nodes submit a CSR, and, if authenticated, receive a valid osd certificate. Similarly, using a kubeadm token, the node joins an existing cluster.
We need to specify:
the osd public certificate trustd credentials and endpoints and a kubeadm JoinConfiguration version: &amp;quot;&amp;quot; security: os: ca: crt: &amp;lt;base 64 encoded root public certificate&amp;gt; services: kubeadm: configuration: | apiVersion: kubeadm.</description>
</item>
<item>
<title>kubeadm</title>
<link>https://dianemo.autonomy.io/components/kubeadm/</link>
@ -86,7 +119,7 @@ To make this work, we needed an out-of-band tool for managing the nodes. In an i
<guid>https://dianemo.autonomy.io/components/blockd/</guid>
<description>Dianemo comes with a reserved block device with three partitions:
an EFI System Partition (ESP) a ROOT partition mounted as read-only that contains the minimal set of binaries to operate system services and a DATA partion that is mounted as read/write at /var/run These partitions are reserved and cannot be modified. The one expection to this is that the DATA partition will be resized automatically in the init process to the maximum size possible.</description>
an EFI System Partition (ESP) a ROOT partition mounted as read-only that contains the minimal set of binaries to operate system services and a DATA partion that is mounted as read/write at /var/run These partitions are reserved and cannot be modified. The one exception to this is that the DATA partition will be resized automatically in the init process to the maximum size possible.</description>
</item>
<item>
@ -101,15 +134,6 @@ docker run \ --rm \ --volume $HOME/.aws/credentials:/root/.aws/credentials \ --e
</description>
</item>
<item>
<title>Control Plane</title>
<link>https://dianemo.autonomy.io/configuration/controlplane/</link>
<pubDate>Mon, 29 Oct 2018 19:40:55 -0700</pubDate>
<guid>https://dianemo.autonomy.io/configuration/controlplane/</guid>
<description>version: &amp;quot;&amp;quot; security: os: ca: crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509} key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509} identity: crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509} key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509} kubernetes: ca: crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509} key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509} networking: os: {} kubernetes: {} services: kubeadm: init: type: initial etcdMemberName: etcd-1 containerRuntime: docker configuration: | apiVersion: kubeadm.k8s.io/v1alpha2 kind: MasterConfiguration clusterName: example bootstrapTokens: - token: abcdef.0123456789abcdef ttl: 0s kubeProxy: config: ipvs: scheduler: lc mode: ipvs networking: dnsDomain: cluster.local podSubnet: 10.244.0.0/16 serviceSubnet: 10.96.0.0/12 trustd: username: example password: example You can generate the PKI resources and inject them into the configuration with osctl.</description>
</item>
<item>
<title>Dianemo</title>
<link>https://dianemo.autonomy.io/dianemo/</link>
@ -130,14 +154,5 @@ docker run \ --rm \ --privileged \ --volume /dev:/dev \ autonomy/dianemo:latest
virt-install \ -n master \ --description &amp;quot;Kubernetes master node.&amp;quot; \ --os-type=Linux \ --os-variant=generic \ --virt-type=kvm \ --cpu=host \ --ram=4096 \ --vcpus=2 \ --disk path=/dev/sdc \ --network bridge=br0,model=e1000,mac=52:54:00:A8:4C:E1 \ --graphics none \ --boot hd \ --rng /dev/random Install a Worker Node Similarly, install a worker node to an available block device:</description>
</item>
<item>
<title>Workers</title>
<link>https://dianemo.autonomy.io/configuration/workers/</link>
<pubDate>Mon, 29 Oct 2018 19:40:55 -0700</pubDate>
<guid>https://dianemo.autonomy.io/configuration/workers/</guid>
<description>version: &amp;quot;&amp;quot; security: os: ca: crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509} networking: os: {} kubernetes: {} services: kubeadm: containerRuntime: docker configuration: | apiVersion: kubeadm.k8s.io/v1alpha2 kind: NodeConfiguration token: abcdef.0123456789abcdef discoveryTokenAPIServers: - ${MASTER_IP}:443 discoveryTokenCACertHashes: - sha256:${CA_CERT_HASH} trustd: username: example password: example endpoints: - ${MASTER_IP} </description>
</item>
</channel>
</rss>

27
docs/sitemap.xml
View File

@ -2,16 +2,31 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
xmlns:xhtml="http://www.w3.org/1999/xhtml">
<url>
<loc>https://dianemo.autonomy.io/configuration/osd/</loc>
<lastmod>2018-11-03T17:14:49-07:00</lastmod>
</url>
<url>
<loc>https://dianemo.autonomy.io/components/kernel/</loc>
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
</url>
<url>
<loc>https://dianemo.autonomy.io/configuration/masters/</loc>
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
</url>
<url>
<loc>https://dianemo.autonomy.io/components/init/</loc>
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
</url>
<url>
<loc>https://dianemo.autonomy.io/configuration/workers/</loc>
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
</url>
<url>
<loc>https://dianemo.autonomy.io/components/kubeadm/</loc>
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
@ -57,11 +72,6 @@
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
</url>
<url>
<loc>https://dianemo.autonomy.io/configuration/controlplane/</loc>
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
</url>
<url>
<loc>https://dianemo.autonomy.io/dianemo/</loc>
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
@ -77,11 +87,6 @@
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
</url>
<url>
<loc>https://dianemo.autonomy.io/configuration/workers/</loc>
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
</url>
<url>
<loc>https://dianemo.autonomy.io/categories/</loc>
<priority>0</priority>
@ -89,7 +94,7 @@
<url>
<loc>https://dianemo.autonomy.io/</loc>
<lastmod>2018-10-29T19:40:55-07:00</lastmod>
<lastmod>2018-11-03T17:14:49-07:00</lastmod>
<priority>0</priority>
</url>

11
docs/tags/index.html
View File

@ -191,8 +191,15 @@
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/controlplane/" >
Control Plane
href="https://dianemo.autonomy.io/configuration/osd/" >
osd
</a>
</li>
<li class="sidebar-item">
<a class="sidebar-link"
href="https://dianemo.autonomy.io/configuration/masters/" >
Masters
</a>
</li>

3
src/docs/src/content/components/blockd.md
View File

@ -2,6 +2,7 @@
title: "blockd"
date: 2018-10-30T09:16:35-07:00
draft: false
weight: 80
menu:
main:
parent: 'components'
@ -15,5 +16,5 @@ Dianemo comes with a reserved block device with three partitions:
- and a `DATA` partion that is mounted as read/write at `/var/run`
These partitions are reserved and cannot be modified.
The one expection to this is that the `DATA` partition will be resized automatically in the `init` process to the maximum size possible.
The one exception to this is that the `DATA` partition will be resized automatically in the `init` process to the maximum size possible.
Managing any other block device can be done via the `blockd` service.

2
src/docs/src/content/components/osd.md
View File

@ -21,4 +21,4 @@ But, in the real world, this does not happen.
We still need a way to handle operational scenarios that may arise.
The `osd` daemon provides a way to do just that.
Based on the Principle of Least Privilege, `osd` provides operational value for cluster administrations by providing an API for node management.
Based on the Principle of Least Privilege, `osd` provides operational value for cluster administrators by providing an API for node management.

7
src/docs/src/content/configuration/_index.md
View File

@ -4,4 +4,9 @@ date: 2018-10-29T19:40:55-07:00
draft: false
---
In this section we will discuss the configuration of a Dianemo node.
In this section, we will step through the configuration of a Dianemo based Kubernetes cluster.
There are three major components we will configure:
- `osd` and `osctl`
- the master nodes
- the worker nodes

55
src/docs/src/content/configuration/controlplane.md
View File

@ -1,55 +0,0 @@
---
title: "Control Plane"
date: 2018-10-29T19:40:55-07:00
draft: false
menu:
main:
parent: 'configuration'
weight: 10
---
```yaml
version: ""
security:
os:
ca:
crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509}
key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509}
identity:
crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509}
key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509}
kubernetes:
ca:
crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509}
key: ${BASE64_ENCODED_PEM_FORMATTED_PRIVATE_X509}
networking:
os: {}
kubernetes: {}
services:
kubeadm:
init:
type: initial
etcdMemberName: etcd-1
containerRuntime: docker
configuration: |
apiVersion: kubeadm.k8s.io/v1alpha2
kind: MasterConfiguration
clusterName: example
bootstrapTokens:
- token: abcdef.0123456789abcdef
ttl: 0s
kubeProxy:
config:
ipvs:
scheduler: lc
mode: ipvs
networking:
dnsDomain: cluster.local
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
trustd:
username: example
password: example
```
> You can generate the PKI resources and inject them into the configuration with [osctl]({{< relref "/components/osctl" >}}).

136
src/docs/src/content/configuration/masters.md Normal file
View File

@ -0,0 +1,136 @@
---
title: "Masters"
date: 2018-10-29T19:40:55-07:00
draft: false
weight: 20
menu:
main:
parent: 'configuration'
weight: 20
---
Configuring master nodes in a Dianemo Kubernetes cluster is a two part process:
- configuring the Dianemo specific options
- and configuring the Kubernetes specific options
To get started, create a YAML file we will use in the following steps:
```bash
touch <node-name>.yaml
```
## Configuring Dianemo
### Injecting the Dianemo PKI
Using `osctl`, and our output from the [PKI]({{< ref "osd.md" >}}) instructions, inject the generated PKI into the configuration file:
```bash
osctl inject os --crt <organization>.crt --key <organization>.key <node-name>.yaml
osctl inject identity --crt <node-name>.crt --key <node-name>.key <node-name>.yaml
```
You should see the following fields populated:
```yaml
security:
os:
ca:
crt: <base 64 encoded root public certificate>
key: <base 64 encoded root private key>
identity:
crt: <base 64 encoded identity public certificate>
key: <base 64 encoded identity private key>
...
```
### Configuring `trustd`
Each master node participates as a Root of Trust in the cluster.
The responsibilities of `trustd` include:
- certificate as a service
- and Kubernetes PKI distribution amongst master nodes
The auth done between `trustd` and a client is, for now, a simple username and password combination.
Having these credentials gives a client the power to request a certifcate that identifies itself.
In the `<node-name>.yaml`, add the follwing:
```yaml
security:
...
services:
...
trustd:
username: <username>
password: <password>
...
```
## Configuring Kubernetes
### Generating the Root CA
To create the root CA for the Kubernetes cluster, run:
```bash
osctl gen ca --rsa --hours <hours> --organization <kubernetes-organization>
```
{{% note %}}The `--rsa` flag is required for the generation of the Kubernetes CA. {{% /note %}}
### Injecting the Kubernetes PKI
Using `osctl`, inject the generated PKI into the configuration file:
```bash
osctl inject kubernetes --crt <kubernetes-organization>.crt --key <kubernetes-organization>.key <node-name>.yaml
```
You should see the following fields populated:
```yaml
security:
...
kubernetes:
ca:
crt: <base 64 encoded root public certificate>
key: <base 64 encoded root private key>
...
```
### Configuring Kubeadm
The configuration of the `kubeadm` service is done in two parts:
- supplying the Dianemo specific options
- supplying the `kubeadm` `InitConfiguration`
#### Dianemo Specific Options
```yaml
services:
...
kubeadm:
init:
type: initial
etcdMemberName: <member-name>
...
```
#### Kubeadm Specific Options
```yaml
services:
...
kubeadm:
...
configuration: |
apiVersion: kubeadm.k8s.io/v1alpha3
kind: InitConfiguration
...
...
```
> See the official [documentation](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/) for the options available in `InitConfiguration`.

111
src/docs/src/content/configuration/osd.md Normal file
View File

@ -0,0 +1,111 @@
---
title: "osd"
date: 2018-11-03T17:14:49-07:00
draft: false
weight: 10
menu:
main:
identifier: "osd-configuration"
parent: 'configuration'
weight: 10
---
The `osd` service enforces a high level of security by utilizing mutual TLS for authentication and authorization.
In this section we will configure mutual TLS by generating the certificates for the servers (`osd`) and clients (`osctl`).
### Cluster Owners
We recommend that the configuration of `osd` be performed by a cluster owner.
A cluster owner should be a person of authority within an organization.
Perhaps a director, manager, or senior member of a team.
They are responsible for storing the root CA, and distributing the PKI for authorized cluster administrators.
### Cluster Administrators
The authorization to use `osctl` should be granted to a person fit for cluster administration.
As a cluster administrator, the user gains access to the out-of-band management tools offered by Dianemo.
## Configuring `osd`
To configure `osd`, we will need:
- static IP addresses for each node that will participate as a master
- a root CA
- and identity certificates for each node participating as a master signed by the root CA
The following steps should be performed by a cluster owner.
### Generating the Root CA
The root CA can be generated by running:
```bash
osctl gen ca --hours <hours> --organization <organization>
```
The cluster owner should store the generated private key (`<organization>.key`) in a safe place, that only other cluster owners have access to.
The public certificate (`<organization>.crt`) should be made available to cluster administrators because, as we will see shortly, it is required to configure `osctl`.
{{% note %}}The `--rsa` flag should _not_ be specified for the generation of the `osd` CA.{{% /note %}}
### Generating the Identity Certificates
Now that we have our root CA, we must create certificates that identify the node.
As the cluster owner, run:
```bash
osctl gen key --name <node-name>
osctl gen csr --ip <node-ip> --key <node-name>.key
osctl gen crt --hours <hours> --ca <organization> --csr <node-name>.csr --name <node-name>
```
Repeat this process for each node that will participate as a master.
## Configuring `osctl`
To configure `osctl`, we will need:
- the root CA we generated above
- and a certificate signed by the root CA specific to the user
The process for setting up `osctl` is done in part between a cluster owner and a user requesting to become a cluster administrator.
### Generating the User Certificate
The user requesting cluster administration access runs the following:
```bash
osctl gen key --name <user>
osctl gen csr --ip 127.0.0.1 --key <user>.key
```
Now, the cluster owner must generate a certificate from the above CSR.
To do this, the user requesting access submits the CSR generated above to the cluster owner, and the cluster owner runs the following:
```bash
osctl gen crt --hours <hours> --ca <organization> --csr <user>.csr --name <user>
```
The generated certificate is then sent to the requesting user using a secure channel.
### The Configuration File
With all the above steps done, the new cluster administrator can now create the configuration file for `osctl`.
```bash
cat <organization>.crt | base64
cat <user>.crt | base64
cat <user>.key | base64
```
Now, create `~/.dianemo/config` with the following contents:
```yaml
context: <context>
contexts:
<context>:
target: <node-ip>
ca: <base 64 encoded root public certificate>
crt: <base 64 encoded user public certificate>
key: <base 64 encoded user private key>
```

39
src/docs/src/content/configuration/workers.md
View File

@ -2,35 +2,42 @@
title: "Workers"
date: 2018-10-29T19:40:55-07:00
draft: false
weight: 30
menu:
main:
parent: 'configuration'
weight: 20
weight: 30
---
Configuring the worker nodes is much more simple in comparison to configuring the master nodes.
Using the `trustd` API, worker nodes submit a `CSR`, and, if authenticated, receive a valid `osd` certificate.
Similarly, using a `kubeadm` token, the node joins an existing cluster.
We need to specify:
- the `osd` public certificate
- `trustd` credentials and endpoints
- and a `kubeadm` `JoinConfiguration`
```yaml
version: ""
security:
os:
ca:
crt: ${BASE64_ENCODED_PEM_FORMATTED_PUBLIC_X509}
networking:
os: {}
kubernetes: {}
crt: <base 64 encoded root public certificate>
services:
kubeadm:
containerRuntime: docker
configuration: |
apiVersion: kubeadm.k8s.io/v1alpha2
kind: NodeConfiguration
token: abcdef.0123456789abcdef
discoveryTokenAPIServers:
- ${MASTER_IP}:443
discoveryTokenCACertHashes:
- sha256:${CA_CERT_HASH}
apiVersion: kubeadm.k8s.io/v1alpha3
kind: JoinConfiguration
...
trustd:
username: example
password: example
username: <username>
password: <password>
endpoints:
- ${MASTER_IP}
- <master-1>
...
- <master-n>
```
> See the official [documentation](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/) for the options available in `InitConfiguration`.

3
src/docs/src/themes/autonomy/layouts/shortcodes/note.html Normal file
View File

@ -0,0 +1,3 @@
<blockquote class="note {{ .Get 0 }}" {{ if len .Params | eq 2 }} id="{{ .Get 1 }}" {{ end }}>
<p>Note: {{ .Inner }}</p>
</blockquote>

11
src/docs/src/themes/autonomy/static/css/main.css
View File

@ -164,7 +164,16 @@ input.search-box {
input.search-box::placeholder {
text-align: center;
opacity: 0.7;
opacity: 0.2;
}
h1>code,
h2>code,
h3>code,
h4>code,
h5>code,
h6>code {
font-size: inherit;
}
/* Larger than mobile screen */