https://docs.k3s.io/advanced#known-issues-with-rootless-mode https://github.com/k3s-io/k3s/issues/6488#issuecomment-1339946080 https://bank-vaults.dev/docs/installing/

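# Dedicated unprivileged account that will run rootless k3s.
adduser k3s-vault

# On this host the new account received UID 1003; confirm with `id -u k3s-vault`
# and adjust the user@<UID>.service path below if it differs.

# Drop-in for the account's systemd user instance. Delegate= hands the listed
# cgroup controllers to the user session; the rootless k3s docs linked at the
# top presumably require this for the user's containers — confirm there.
# The original notes only `cat`-ed this file; the two lines in the heredoc are
# the content that was displayed, written here so the step is reproducible.
sudo mkdir -p /etc/systemd/system/user@1003.service.d
sudo tee /etc/systemd/system/user@1003.service.d/override.conf <<'EOF'
[Service]
Delegate=cpu cpuset io memory pids
EOF
# Make systemd re-read the drop-in.
sudo systemctl daemon-reload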


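# Kernel modules needed by rootless k3s (tun/tap/veth networking, fuse for
# fuse-overlayfs, netfilter/iptables for the CNI and kube-proxy rules).
# systemd-modules-load only reads files matching /etc/modules-load.d/*.conf,
# so the original target name `k3s-rootless` (no suffix) would have been
# silently ignored at boot. The file is dedicated to this purpose, so it is
# overwritten instead of appended to (`tee -a`) — re-running these notes no
# longer duplicates entries. Trailing whitespace on `tap` / `br_netfilter`
# from the original is dropped.
sudo tee /etc/modules-load.d/k3s-rootless.conf <<'EOF'
fuse
tun
tap
bridge
br_netfilter
veth
ip_tables
ip6_tables
iptable_nat
ip6table_nat
iptable_filter
ip6table_filter
nf_tables
x_tables
xt_MASQUERADE
xt_addrtype
xt_comment
xt_conntrack
xt_mark
xt_multiport
xt_nat
xt_tcpudp
EOF
# Load the list now instead of waiting for the next boot.
sudo systemctl restart systemd-modules-load.service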

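# Rootless containers need the subuid/subgid mapping helpers (newuidmap,
# newgidmap) and a user-space overlay filesystem.
sudo apt install uidmap fuse-overlayfs

# IPv4/IPv6 forwarding for pod traffic. The second line of the original
# printf carried a leading space (" net.ipv6..."); it is dropped so the key
# parses cleanly. The file is dedicated, so it is overwritten rather than
# appended to, keeping re-runs idempotent.
printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' | sudo tee /etc/sysctl.d/forwarding.conf
sudo sysctl --system

# Keep the account's systemd user instance — and with it the k3s user service —
# running without an open login session ("always on"). The account is the one
# created above; the original used the placeholder `username` here.
sudo loginctl enable-linger k3s-vault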

As the user (use `machinectl shell username@` so the commands run inside a proper systemd user session):

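# Fetch the user unit from the same release tag as the k3s binary installed
# below (v1.28.2+k3s1) rather than from `master`, so unit and binary match.
wget https://raw.githubusercontent.com/k3s-io/k3s/v1.28.2%2Bk3s1/k3s-rootless.service
mkdir -p .config/systemd/user
# The downloaded unit presumably goes into that directory (the move is not
# shown in the original notes), with its ExecStart path adjusted to point at
# ~/bin/k3s — confirm against the unit file. Then add the following to its
# [Service] section. DISABLE_HOST_LOOPBACK keeps pods from reaching services
# bound to the host's 127.0.0.1 through the slirp4netns port driver.
Environment=K3S_ROOTLESS_CIDR="10.41.0.0/16"
Environment=K3S_ROOTLESS_PORT_DRIVER=slirp4netns
Environment=K3S_ROOTLESS_DISABLE_HOST_LOOPBACK=true
Environment=K3S_ROOTLESS_MTU=1500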

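# User-local install prefix; ~/bin is added to PATH below.
mkdir -p bin
wget https://github.com/k3s-io/k3s/releases/download/v1.28.2%2Bk3s1/k3s
# Verify the download against the checksum list published with the release
# before trusting the binary; the grep fails (and warns) if the computed hash
# is not in the list.
wget https://github.com/k3s-io/k3s/releases/download/v1.28.2%2Bk3s1/sha256sum-amd64.txt
grep -F -- "$(sha256sum k3s | cut -d' ' -f1)" sha256sum-amd64.txt \
  || printf 'k3s checksum mismatch: do not install\n' >&2
mv k3s bin/
chmod +x bin/k3s
# The k3s binary behaves as kubectl when invoked under that name; a relative
# symlink keeps ~/bin relocatable.
ln -rs bin/k3s bin/kubectl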

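# Add to ~/.bashrc:
# User-local binaries (k3s, the kubectl symlink, helm, vault, bank-vaults) live in ~/bin.
export PATH=~/bin:$PATH
# NOTE(review): looks like the path the rootless k3s unit writes its
# kubeconfig to — confirm against the unit file.
export KUBECONFIG=~/.kube/k3s.yaml

# Make the user instance pick up the newly placed unit file, then enable and
# start it.
systemctl --user daemon-reload
systemctl --user enable --now k3s-rootless.service
systemctl --user status k3s-rootless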

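# kubectl version should now work.

wget https://get.helm.sh/helm-v3.13.1-linux-amd64.tar.gz
# Helm publishes a matching .sha256sum file; verify the archive before unpacking.
wget https://get.helm.sh/helm-v3.13.1-linux-amd64.tar.gz.sha256sum
sha256sum -c helm-v3.13.1-linux-amd64.tar.gz.sha256sum
tar xzvf helm-v3.13.1-linux-amd64.tar.gz
mv linux-amd64/helm bin/
chmod +x bin/helm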


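# The operator chart is installed at whatever version the OCI registry
# currently serves; add `--version <chart version>` to pin it for a
# reproducible install.
helm upgrade --install --wait vault-operator oci://ghcr.io/bank-vaults/helm-charts/vault-operator
# RBAC manifests pinned with ?ref= to the same tag as the example CR below
# (the original pulled them from the repository's default branch). Review the
# rendered output before applying: it defines the service account and roles
# the operator will run with.
kubectl kustomize 'https://github.com/bank-vaults/vault-operator/deploy/rbac?ref=v1.21.0' | kubectl apply -f -
kubectl apply -f https://raw.githubusercontent.com/bank-vaults/vault-operator/v1.21.0/deploy/examples/cr-raft.yaml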


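# The TODO at the end of these notes records that IPC_LOCK for the rootless
# service is still unresolved, so Vault is run with memory locking off. Set
# disable_mlock: true in the CR's `config` block. Without mlock, Vault's
# process memory can be written to swap; keep swap disabled (or encrypted)
# on the node while this is in place.
kubectl edit vault
# add disable_mlock: true to config   # or figure out how to allow mlock in rootless k3s

wget https://github.com/bank-vaults/bank-vaults/releases/download/1.20.4/bank-vaults-linux-amd64.tar.gz
# TODO(review): verify this archive against a checksum or signature published
# with the release before unpacking; none is fetched here.
tar xzvf bank-vaults-linux-amd64.tar.gz
mv bank-vaults bin/
chmod +x bin/bank-vaults

wget https://releases.hashicorp.com/vault/1.15.1/vault_1.15.1_linux_amd64.zip
# HashiCorp publishes a SHA256SUMS list (plus a signature over it) per
# release; --ignore-missing skips the entries for artifacts not downloaded here.
wget https://releases.hashicorp.com/vault/1.15.1/vault_1.15.1_SHA256SUMS
sha256sum -c --ignore-missing vault_1.15.1_SHA256SUMS
unzip vault_1.15.1_linux_amd64.zip
mv vault bin/
chmod +x bin/vault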


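# Namespace for the mutating webhook. The create is routed through
# `--dry-run=client | apply` and the label uses --overwrite so the notes can
# be re-run without "already exists" failures. The `name` label is presumably
# what namespace selectors (e.g. the webhook's own exclusion) key on —
# confirm against the chart values.
kubectl create namespace vault-infra --dry-run=client -o yaml | kubectl apply -f -
kubectl label namespace vault-infra name=vault-infra --overwrite

# As with the operator chart, add `--version <chart version>` to pin the
# webhook chart instead of taking the registry's latest.
helm upgrade --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --namespace vault-infra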



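# Smoke-test Deployment. The webhook presumably resolves env values of the
# form vault:<path>#<key> into the secret's value when the container starts.
# The heredoc delimiter is quoted so the manifest passes through the shell
# untouched; the backslash escape on $AWS_SECRET_ACCESS_KEY that the
# original needed is therefore gone, and kubectl receives the same bytes.
kubectl apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
  template:
    metadata:
      labels:
        app.kubernetes.io/name: vault
      annotations:
        vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # optional, the address of the Vault service, default values is https://vault:8200
        vault.security.banzaicloud.io/vault-role: "default" # optional, the default value is the name of the ServiceAccount the Pod runs in, in case of Secrets and ConfigMaps it is "default"
        vault.security.banzaicloud.io/vault-skip-verify: "false" # optional, skip TLS verification of the Vault server certificate — keep "false" so the CA from vault-tls-secret is actually checked
        vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" # optional, the name of the Secret where the Vault CA cert is, if not defined it is not mounted
        vault.security.banzaicloud.io/vault-agent: "false" # optional, if true, a Vault Agent will be started to do Vault authentication, by default not needed and vault-env will do Kubernetes Service Account based Vault authentication
        vault.security.banzaicloud.io/vault-path: "kubernetes" # optional, the Kubernetes Auth mount path in Vault the default value is "kubernetes"
    spec:
      serviceAccountName: default
      containers:
      - name: alpine
        image: alpine # TODO(review): pin a tag or digest; a floating tag is not reproducible
        # Test only: this writes the injected secret to the container log,
        # where anyone with log access can read it. Do not copy into real workloads.
        command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"]
        env:
        - name: AWS_SECRET_ACCESS_KEY
          value: vault:secret/data/demosecret/aws#AWS_SECRET_ACCESS_KEY
EOF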

TODO:
- mlock: for the user service (delegated cgroup), grant IPC_LOCK via AmbiCap (AmbientCapabilities=) vs. LimitMEMLOCK=infinity -> the same question for the k3s-rootless user service (AmbiCap vs. LimitMEMLOCK=infinity) -> IPC_LOCK on the container.
- p11-kit client segfaults when an invalid target is passed via P11_KIT_SERVER_ADDRESS.