testproject

Ansible environment setup

cd ansible
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

Ubuntu pre bootstrap

Ubuntu 18.04 ships with the default user ubuntu and the password ubuntu. The first login forces a password change; Ansible does not expect that prompt and fails to connect. To work around it, log in manually and change the password to raspberry1.

The first attempt at a network plugin was based on Calico.

curl -OL https://docs.projectcalico.org/v3.7/manifests/calico.yaml
sed s/v3.7.2/v3.7.2-arm64/ calico.yaml > calico-arm64.yaml
kubectl apply -f calico-arm64.yaml

For an unknown reason the Calico pods kept crashing:

eduard@master1:~$ kubectl get pod -n kube-system
NAME                                         READY   STATUS              RESTARTS   AGE
calico-kube-controllers-55b489fd78-qxsbw     0/1     Error               0          8m8s
calico-node-74ls7                            0/1     CrashLoopBackOff    5          8m8s
calico-node-hch8l                            0/1     CrashLoopBackOff    5          8m8s
calico-node-m4j6d                            0/1     CrashLoopBackOff    2          8m8s
coredns-fb8b8dccf-hjsn5                      0/1     ContainerCreating   0          7h3m
coredns-fb8b8dccf-kmht5                      0/1     ContainerCreating   0          7h3m
etcd-master1.kube.local                      1/1     Running             0          7h3m
kube-apiserver-master1.kube.local            1/1     Running             0          7h2m
kube-controller-manager-master1.kube.local   1/1     Running             4          7h3m
kube-proxy-6pfz7                             1/1     Running             0          6h20m
kube-proxy-ncjqb                             1/1     Running             0          6h20m
kube-proxy-ptt85                             1/1     Running             0          7h3m
kube-scheduler-master1.kube.local            1/1     Running             4          7h3m

Flannel is the simplest network plugin for Kubernetes. It worked fine on the Raspberry Pi.

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/v0.11.0/Documentation/kube-flannel.yml

Expose to the Internet

Dynamic DNS on Mikrotik

/ip cloud set ddns-enabled=yes
/ip cloud> print
          ddns-enabled: yes
  ddns-update-interval: none
           update-time: yes
        public-address: aa.bb.cc.dd
              dns-name: xxxxxxxxxxxx.sn.mynetname.net
                status: updated

CDN using Cloudflare

Cloudflare SSL should be set to Flexible SSL mode. In that mode, connections from the client to the Cloudflare CDN use HTTPS.

On the other hand, Cloudflare connects to the backend using plain HTTP.

Since we do not terminate SSL on the backend side at the moment, Flexible SSL mode works for us.

ansible-playbook --vault-id @prompt -i hosts cloudflare.yml

Load balancer on Mikrotik

The load balancer implementation uses Per Connection Classifier (PCC) and port forwarding (DST NAT): the mangle rules hash each new connection by source address and port into one of two buckets and mark it, and the NAT rules forward each marked connection to the matching node's NodePort.

/ip firewall mangle
add chain=prerouting action=mark-connection \
  in-interface=all-ppp protocol=tcp dst-port=80 \
  new-connection-mark=kube_node_1 per-connection-classifier=src-address-and-port:2/0 \
  comment="Load balancer. Service nginx. Mark connections to kube node 1"
add chain=prerouting action=mark-connection \
  in-interface=all-ppp protocol=tcp dst-port=80 \
  new-connection-mark=kube_node_2 per-connection-classifier=src-address-and-port:2/1 \
  comment="Load balancer. Service nginx. Mark connections to kube node 2"

/ip firewall nat
add chain=dstnat action=dst-nat \
  connection-mark=kube_node_1 to-addresses=192.168.40.103 protocol=tcp to-ports=30560 \
  comment="Load balancer. Service nginx. DST NAT to kube node 1"
add chain=dstnat action=dst-nat \
  connection-mark=kube_node_2 to-addresses=192.168.40.104 protocol=tcp to-ports=30560 \
  comment="Load balancer. Service nginx. DST NAT to kube node 2"
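The following Python model is an added example, not part of this project's code, and shows what the two mangle rules and two dst-nat rules above do together: every new TCP/80 connection is classified once by (source address, source port) modulo 2, the remainder picks exactly one of the two connection marks, and each mark is DST-NATed to one node's NodePort. The node addresses and port 30560 come from the rules above; the hash function is an assumption (RouterOS does not document the one it uses, so SHA-256 stands in for it), and the random flows used to check the spread are constructed.

```python
import hashlib
import ipaddress
import random
from collections import Counter

# Mapping taken from the README's two dst-nat rules: connection mark -> (node, NodePort).
BACKENDS = {
    "kube_node_1": ("192.168.40.103", 30560),
    "kube_node_2": ("192.168.40.104", 30560),
}
DENOMINATOR = 2      # the "2" in src-address-and-port:2/0 and src-address-and-port:2/1
SERVICE_PORT = 80    # dst-port=80 in the mangle rules


def pcc_classify(src_ip: str, src_port: int, denominator: int = DENOMINATOR) -> int:
    """Model of per-connection-classifier=src-address-and-port:<denominator>/<remainder>.

    Assumption: RouterOS hashes the selected fields to a 32-bit value and reduces it
    modulo the denominator. The real hash is not documented, so SHA-256 stands in for
    it here; only determinism and an even spread matter for the load balancer."""
    key = ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % denominator


def mark_connection(src_ip: str, src_port: int) -> str:
    """Mangle prerouting: remainder 0 matches the kube_node_1 rule, remainder 1 the kube_node_2 rule."""
    return f"kube_node_{pcc_classify(src_ip, src_port) + 1}"


class PccLoadBalancer:
    """Connection-tracking view of the mangle rules plus the dst-nat rules."""

    def __init__(self) -> None:
        # (src_ip, src_port) -> connection mark, like the router's connection table
        self.marks = {}

    def route(self, src_ip: str, src_port: int, dst_port: int = SERVICE_PORT):
        """Return the (node, NodePort) a packet is DST-NATed to, or None if no rule matches."""
        if dst_port != SERVICE_PORT:
            return None
        conn = (src_ip, src_port)
        # mark-connection runs on the first packet only; later packets of the same
        # connection carry the existing mark, so a connection never switches node.
        if conn not in self.marks:
            self.marks[conn] = mark_connection(src_ip, src_port)
        return BACKENDS[self.marks[conn]]


def simulate(num_flows: int, seed: int = 1) -> Counter:
    """Send num_flows constructed TCP/80 connections from random (ip, port) pairs
    through the model and count how many land on each node."""
    rng = random.Random(seed)
    lb = PccLoadBalancer()
    counts = Counter()
    for _ in range(num_flows):
        src_ip = str(ipaddress.IPv4Address(rng.randrange(1, 2**32 - 1)))
        src_port = rng.randrange(1024, 65536)
        node, _nodeport = lb.route(src_ip, src_port)
        counts[node] += 1
    return counts


if __name__ == "__main__":
    for node, n in sorted(simulate(1000).items()):
        print(f"{node}: {n} connections")
```

The model makes two properties of the rule set visible: the remainders 0 and 1 partition every classified connection, so no TCP/80 connection is left unmarked and none matches both rules, and because marking happens once per connection the second node never sees packets that belong to a connection already forwarded to the first.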