cd ansible
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
Ubuntu 18.04 has the default user ubuntu with password ubuntu. The first login forces a password change. Ansible does not expect that interactive prompt and fails to connect. To fix that, log in manually once and change the password (this setup uses raspberry1). Once Ansible can connect, switching the ubuntu user to SSH key authentication and disabling password login is the sensible next step, since the default account is otherwise reachable with a well-known password.
The first attempt at a pod network plugin was Calico. The stock manifest references the amd64 images, so the image tag is rewritten to the arm64 variant before applying it:
curl -OL https://docs.projectcalico.org/v3.7/manifests/calico.yaml
sed s/v3.7.2/v3.7.2-arm64/ calico.yaml > calico-arm64.yaml
kubectl apply -f calico-arm64.yaml
For some reason the Calico pods were crashing:
eduard@master1:~$ kubectl get pod -n kube-system
NAME                                         READY   STATUS              RESTARTS   AGE
calico-kube-controllers-55b489fd78-qxsbw     0/1     Error               0          8m8s
calico-node-74ls7                            0/1     CrashLoopBackOff    5          8m8s
calico-node-hch8l                            0/1     CrashLoopBackOff    5          8m8s
calico-node-m4j6d                            0/1     CrashLoopBackOff    2          8m8s
coredns-fb8b8dccf-hjsn5                      0/1     ContainerCreating   0          7h3m
coredns-fb8b8dccf-kmht5                      0/1     ContainerCreating   0          7h3m
etcd-master1.kube.local                      1/1     Running             0          7h3m
kube-apiserver-master1.kube.local            1/1     Running             0          7h2m
kube-controller-manager-master1.kube.local   1/1     Running             4          7h3m
kube-proxy-6pfz7                             1/1     Running             0          6h20m
kube-proxy-ncjqb                             1/1     Running             0          6h20m
kube-proxy-ptt85                             1/1     Running             0          7h3m
kube-scheduler-master1.kube.local            1/1     Running             4          7h3m
The CoreDNS pods stuck in ContainerCreating are the usual symptom of a pod network that is missing or not working. Flannel is the simplest network plugin for Kubernetes, and its v0.11.0 manifest already contains per-architecture DaemonSets (arm64 among them), so it worked fine on the Raspberry Pi without changes:
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/v0.11.0/Documentation/kube-flannel.yml
The router's public address is published through MikroTik's IP Cloud DDNS:
/ip cloud set ddns-enabled=yes
/ip cloud> print
ddns-enabled: yes
ddns-update-interval: none
update-time: yes
public-address: aa.bb.cc.dd
dns-name: xxxxxxxxxxxx.sn.mynetname.net
status: updated
Cloudflare SSL should be set to Flexible SSL mode. That mode ensures connections from the client to the Cloudflare CDN use HTTPS. On the other hand, Cloudflare connects to the backend using plain HTTP. Since at the moment we do not terminate SSL on the backend side, Flexible SSL mode works for us. The caveat is that Flexible mode is not end-to-end encryption: the hop from Cloudflare to the origin is cleartext, and the origin itself is still reachable over plain HTTP. Moving to Full (strict) mode requires a valid certificate on the backend.
ansible-playbook --vault-id @prompt -i hosts cloudflare.yml
The load balancer is implemented with RouterOS Per Connection Classifier (PCC) and port forwarding (DST NAT). Each incoming HTTP connection on the PPP interfaces is hashed on its source address and port; the hash modulo 2 selects one of two connection marks, and one DST NAT rule per mark forwards the connection to the matching node's NodePort 30560. Because the classifier only looks at the source address and port, every packet of a connection gets the same mark, so a TCP session is never split across nodes.
/ip firewall mangle
add chain=prerouting action=mark-connection \
in-interface=all-ppp protocol=tcp dst-port=80 \
new-connection-mark=kube_node_1 per-connection-classifier=src-address-and-port:2/0 \
comment="Load balancer. Service nginx. Mark connections to kube node 1"
add chain=prerouting action=mark-connection \
in-interface=all-ppp protocol=tcp dst-port=80 \
new-connection-mark=kube_node_2 per-connection-classifier=src-address-and-port:2/1 \
comment="Load balancer. Service nginx. Mark connections to kube node 2"
/ip firewall nat
add chain=dstnat action=dst-nat \
connection-mark=kube_node_1 to-addresses=192.168.40.103 protocol=tcp to-ports=30560 \
comment="Load balancer. Service nginx. DST NAT to kube node 1"
add chain=dstnat action=dst-nat \
connection-mark=kube_node_2 to-addresses=192.168.40.104 protocol=tcp to-ports=30560 \
comment="Load balancer. Service nginx. DST NAT to kube node 2"
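The two-node rule set above is one instance of a general pattern: N nodes need N mangle rules with classifier N/0 .. N/(N-1) and N matching dstnat rules, and a typo in any of those numbers silently black-holes a share of connections. The following is an added example (not from the original post or from MikroTik) that generates the rule set for any number of nodes in the same form as above, and sanity-checks a rule set for the usual mistakes: inconsistent denominators, a bucket marked twice or never, or a connection mark with no dst-nat rule. The interface list, service name and NodePort are parameters whose defaults mirror the post (all-ppp, nginx, 30560); the rule text is assembled by string formatting and carries no RouterOS options beyond those shown above.

```python
"""Generate and sanity-check RouterOS PCC + DST NAT load balancer rules.

Added example, not from the original post. lb_rules() generalises the
two-node configuration above to N backend nodes; check_rules() verifies
that a rule set (generated or hand-written) covers every PCC bucket
exactly once and NATs every connection mark. Defaults mirror the post.
"""
import ipaddress
import re

_PCC = re.compile(r"per-connection-classifier=\S+:(\d+)/(\d+)")
_NEWMARK = re.compile(r"new-connection-mark=(\S+)")
# A bare connection-mark= match, excluding the new-connection-mark= option.
_MARK = re.compile(r"(?<!new-)connection-mark=(\S+)")


def lb_rules(nodes, port=80, to_port=30560, service="nginx", in_iface="all-ppp"):
    """Return RouterOS command lines: one mangle and one dstnat rule per node."""
    if not nodes:
        raise ValueError("at least one backend node is required")
    n = len(nodes)
    mangle, nat = [], []
    for i, ip in enumerate(nodes):
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        mark = f"kube_node_{i + 1}"
        # Hash src address+port, bucket i of n gets this mark.
        mangle.append(
            f"add chain=prerouting action=mark-connection in-interface={in_iface} "
            f"protocol=tcp dst-port={port} new-connection-mark={mark} "
            f"per-connection-classifier=src-address-and-port:{n}/{i} "
            f'comment="Load balancer. Service {service}. Mark connections to kube node {i + 1}"'
        )
        nat.append(
            f"add chain=dstnat action=dst-nat connection-mark={mark} "
            f"to-addresses={ip} protocol=tcp to-ports={to_port} "
            f'comment="Load balancer. Service {service}. DST NAT to kube node {i + 1}"'
        )
    return ["/ip firewall mangle"] + mangle + ["/ip firewall nat"] + nat


def check_rules(lines):
    """Return a list of problems found in a PCC load balancer rule set (empty if OK)."""
    problems = []
    buckets = {}      # bucket index -> connection mark, from mangle rules
    denoms = set()    # every PCC denominator seen; must be a single value
    nat_marks = set() # marks that have a dst-nat rule
    for line in lines:
        pcc = _PCC.search(line)
        if pcc:
            n, i = int(pcc.group(1)), int(pcc.group(2))
            denoms.add(n)
            if i >= n:
                problems.append(f"bucket {i} is out of range for denominator {n}")
            nm = _NEWMARK.search(line)
            if nm is None:
                problems.append(f"PCC rule for bucket {i} sets no new-connection-mark")
                continue
            if i in buckets:
                problems.append(f"bucket {i} is marked twice")
            buckets[i] = nm.group(1)
        elif "action=dst-nat" in line:
            m = _MARK.search(line)
            if m:
                nat_marks.add(m.group(1))
    if len(denoms) > 1:
        problems.append(f"inconsistent PCC denominators {sorted(denoms)}")
    for i in range(max(denoms) if denoms else 0):
        if i not in buckets:
            problems.append(f"bucket {i} is never marked; those connections are not forwarded")
    for i, mark in buckets.items():
        if mark not in nat_marks:
            problems.append(f"mark {mark} has no dst-nat rule")
    return problems


if __name__ == "__main__":
    rules = lb_rules(["192.168.40.103", "192.168.40.104"])
    print("\n".join(rules))
    print("problems:", check_rules(rules) or "none")
```

Paste the generated lines into the RouterOS terminal, or feed an exported rule set to check_rules() before applying it; a hand-edited config that uses 2/0 twice, for instance, passes syntax checking on the router but sends every second connection nowhere.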