mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-15 10:46:34 +00:00

Update title suffix

Signed-off-by: David Young <davidy@funkypenguin.co.nz>
David Young
2022-07-05 18:04:05 +12:00
parent d1bdbf5e88
commit d301279348
4 changed files with 19 additions and 8 deletions


@@ -22,23 +22,23 @@ Install the FRR package in pfsense, under **System -> Package Manager -> Availab
Under **Services -> FRR Global/Zebra**, enable FRR, set your router ID (*this will be your router's peer IP in MetalLB config*), and set a master password (*because apparently you have to, even though we don't use it*): Under **Services -> FRR Global/Zebra**, enable FRR, set your router ID (*this will be your router's peer IP in MetalLB config*), and set a master password (*because apparently you have to, even though we don't use it*):
![Enabling BGP routing](../../../../../../images/metallb-pfsense-00.png) ![Enabling BGP routing](/images/metallb-pfsense-00.png)
### Configure FRR BGP ### Configure FRR BGP
Under **Services -> FRR BGP**, globally enable BGP, and set your local AS and router ID: Under **Services -> FRR BGP**, globally enable BGP, and set your local AS and router ID:
![Enabling BGP routing](../../../../../../images/metallb-pfsense-01.png) ![Enabling BGP routing](/images/metallb-pfsense-01.png)
### Configure FRR BGP Advanced ### Configure FRR BGP Advanced
Use the tabs at the top of the FRR configuration to navigate to "**Advanced**"... Use the tabs at the top of the FRR configuration to navigate to "**Advanced**"...
![Enabling BGP routing](../../../../../../images/metallb-pfsense-02.png) ![Enabling BGP routing](/images/metallb-pfsense-02.png)
... and scroll down to **eBGP**. Check the checkbox titled "**Disable eBGP Require Policy**: ... and scroll down to **eBGP**. Check the checkbox titled "**Disable eBGP Require Policy**:
![Enabling BGP routing](../../../../../../images/metallb-pfsense-03.png) ![Enabling BGP routing](/images/metallb-pfsense-03.png)
!!! question "Isn't disabling a policy check a Bad Idea(tm)?" !!! question "Isn't disabling a policy check a Bad Idea(tm)?"
If you're an ISP, sure. If you're only using eBGP to share routes between MetalLB and pfsense, then applying policy is an unnecessary complication.[^1] If you're an ISP, sure. If you're only using eBGP to share routes between MetalLB and pfsense, then applying policy is an unnecessary complication.[^1]
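Review bot: Root-relative `/images/...` on the four changed image lines (`metallb-pfsense-00.png` to `metallb-pfsense-03.png`) only resolves when the built site is served from the domain root; it stops resolving when the Markdown is rendered in the repository or the site is published under a sub-path. If that trade-off is intended, note it in the commit message, which currently only mentions the title suffix. The four images also share the alt text "Enabling BGP routing"; since the lines are being edited anyway, give each one a description of what its screenshot shows.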
@@ -58,13 +58,13 @@ It's useful to bundle our configurations within a "peer group" (*a collection of
Now add each node running MetalLB, as a BGP neighbor. Pick the peer-group you created above, and configure each neighbor's ASN: Now add each node running MetalLB, as a BGP neighbor. Pick the peer-group you created above, and configure each neighbor's ASN:
![Enabling BGP routing](../../../../../../images/metallb-pfsense-04.png) ![Enabling BGP routing](/images/metallb-pfsense-04.png)
## Serving ## Serving
Once you've added your neighbors, you should be able to use the FRR tab navigation (*it's weird, I know!*) to get to Status / BGP, and identify your neighbors, and all the routes learned from them. In the screenshot below, you'll note that **most** routes are learned from all the neighbors - that'll be service backed by a daemonset, running on all nodes. The `192.168.32.3/32` route, however, is only received from `192.168.33.22`, meaning only one node is running the pods backing this service, so only those pods are advertising the route to pfSense: Once you've added your neighbors, you should be able to use the FRR tab navigation (*it's weird, I know!*) to get to Status / BGP, and identify your neighbors, and all the routes learned from them. In the screenshot below, you'll note that **most** routes are learned from all the neighbors - that'll be service backed by a daemonset, running on all nodes. The `192.168.32.3/32` route, however, is only received from `192.168.33.22`, meaning only one node is running the pods backing this service, so only those pods are advertising the route to pfSense:
![BGP route-](../../../../../../images/metallb-pfsense-05.png) ![BGP route-](/images/metallb-pfsense-05.png)
### Troubleshooting ### Troubleshooting
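Review bot: The alt text `BGP route-` on the changed `metallb-pfsense-05.png` line looks cut off mid-word; complete it while the line is being edited, for example so that it describes the Status / BGP view the preceding paragraph walks through. The `metallb-pfsense-04.png` line also reuses "Enabling BGP routing" although the step it illustrates is adding a neighbor.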


@@ -14,7 +14,7 @@ They're still not very secret though, and you certainly wouldn't want to be stor
An elegant solution to this problem is Bitnami Labs' Sealed Secrets. An elegant solution to this problem is Bitnami Labs' Sealed Secrets.
![Sealed Secrets illustration](../../images/sealed-secrets.png) ![Sealed Secrets illustration](/images/sealed-secrets.png)
A "[SealedSecret](https://github.com/bitnami-labs/sealed-secrets)" can only be decrypted (*and turned back into a regular Secret*) by the controller in the target cluster. (*or by a controller in another cluster which has been primed with your own private/public pair)* This means the SealedSecret is safe to store and expose anywhere. A "[SealedSecret](https://github.com/bitnami-labs/sealed-secrets)" can only be decrypted (*and turned back into a regular Secret*) by the controller in the target cluster. (*or by a controller in another cluster which has been primed with your own private/public pair)* This means the SealedSecret is safe to store and expose anywhere.
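Review bot: In the context paragraph after the changed image line, the second parenthetical opens as `(*or by a controller` but closes as `pair)*`, so the emphasis and parentheses are nested differently from the first parenthetical `(*and turned back into a regular Secret*)`. Since this file is being touched, change the ending to `pair*)` and move the sentence's full stop after the parenthetical.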


@@ -7,7 +7,7 @@ To interact with your cluster externally, you'll almost certainly be using a web
Cert Manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. Cert Manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.
![Sealed Secrets illustration](../../../../images/cert-manager.svg) ![Sealed Secrets illustration](/images/cert-manager.svg)
It can issue certificates from a variety of supported sources, including Lets Encrypt, HashiCorp Vault, and Venafi as well as private PKI. It can issue certificates from a variety of supported sources, including Lets Encrypt, HashiCorp Vault, and Venafi as well as private PKI.
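Review bot: The changed image line points at `cert-manager.svg` but keeps the alt text "Sealed Secrets illustration", which looks copied from the Sealed Secrets page; rename it to describe the Cert Manager diagram in the same edit. The following context line also spells the CA as "Lets Encrypt" without the apostrophe.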


@@ -25,3 +25,14 @@
<script src="/js/i-am-groot.js"></script> <script src="/js/i-am-groot.js"></script>
<script>window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }</script> <script>window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }</script>
{% endblock %} {% endblock %}
<!-- Add little penguin ascii-art to titles instead of 20-character-long site name -->
{% block htmltitle %}
{% if page.meta and page.meta.title %}
<title>{{ page.meta.title }} |・∀・</title>
{% elif page.title and not page.is_homepage %}
<title>{{ page.title | striptags }} |・∀・</title>
{% else %}
<title>{{ config.site_name }}</title>
{% endif %}
{% endblock %}
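Review bot: In the new `htmltitle` block, `{{ page.meta.title }}` is written into `<title>` without the `striptags` filter that the `page.title` branch two lines below applies, so a front-matter title containing markup is handled differently from a heading-derived one. Use `{{ page.meta.title | striptags }}` for consistency, or add a comment stating that front-matter titles are plain text and that the template environment escapes them. The comment above the block could also mention that the `else` branch (homepage or untitled pages) falls back to `config.site_name` alone, since that is the only place the site name still appears.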