hashipi

Raspberry Pi Test Cluster for HashiCorp Vault, Nomad and Consul

commit 4737d6f6df01855f28d0e2f9f3e18457c83e9d27
parent bca7be975a7170edbd6f7f58bd509bc1df8a6841
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date:   Tue, 22 Aug 2023 00:14:16 +0200

feat: remove cilium

Diffstat:
Mhashi-pi.json | 4+---
Mnomad.sh | 110-------------------------------------------------------------------------------
2 files changed, 1 insertion(+), 113 deletions(-)

diff --git a/hashi-pi.json b/hashi-pi.json
@@ -25,8 +25,7 @@
 "vault_tls_ca_key": "./tls/vault/ca/vault_ca.key",
 "vault_tls_subj_alt_name": "IP:127.0.0.1",
 "vault_transit_server": null,
- "vault_transit_token": null,
- "cilium_version": "1.13.2"
+ "vault_transit_token": null
 },
 "sensitive-variables": [
 "consul_encrypt",
@@ -125,7 +124,6 @@
 "NFS_SERVER={{ user `nomad_nfs_server` }}",
 "NFS_MOUNT={{ user `nomad_nfs_mount` }}",
 "NFS_MOUNT_TARGET={{ user `nomad_nfs_target` }}",
- "CILIUM_VERSION={{ user `cilium_version` }}",
 "NOMAD_SERVER={{ user `nomad_server` }}",
 "NOMAD_CLIENT={{ user `nomad_client` }}",
 "NOMAD_PODMAN_DRIVER_VERSION={{ user `nomad_podman_driver_version` }}"
diff --git a/nomad.sh b/nomad.sh
@@ -120,12 +120,6 @@
 client {
 plugin "nomad-driver-podman" {
 config {
- volumes {
- # Netreap Cilium operator connects to Cilium agent on the node through
- # Unix socket on shared host path volume
- # https://cosmonic.com/blog/engineering/netreap-a-practical-guide-to-running-cilium-in-nomad
- enabled = true
- }
 recover_stopped = false
 }
 }
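Review bot: Dropping the `volumes` block from the nomad-driver-podman config in the nomad.sh hunk does not stop tasks from bind-mounting host paths: as far as I recall the driver defaults `volumes.enabled` to true, so the deletion leaves the effective behaviour unchanged. The removed comment shows the only stated consumer of host-path volumes was the Cilium/Netreap socket, so if nothing else depends on them, keep the block and turn it off explicitly, `volumes {` / `  enabled = false` / `}`, which narrows what a compromised client task can reach on the node. If some remaining task still needs host volumes, a one-line comment naming it would save the next reader from the same question. The enclosing `client {` and `config {` blocks, and the heredoc that presumably wraps them, continue outside the hunk.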
@@ -162,112 +156,8 @@ ip6table_raw ip6table_filter EOF -# prepare Consul TLS config for Cilium -mkdir -p /etc/cilium -cat << EOF > /etc/cilium/consul-tlsconfig.yaml ---- -# https://docs.cilium.io/en/v1.13/cmdref/kvstore -# https://github.com/cilium/cilium/blob/main/pkg/kvstore/consul.go -# https://github.com/hashicorp/consul/blob/main/api/api.go -# https://github.com/cilium/cilium/pull/6260 -cafile: /var/lib/cilium/consul-tls/consul-agent-ca.pem -certfile: /var/lib/cilium/consul-tls/dc1-server-consul.pem -keyfile: /var/lib/cilium/consul-tls/dc1-server-consul-key.pem -#insecureSkipVerify: true -EOF - -# Run Cilium as privileged container on the node -cat << EOF > /etc/systemd/system/cilium.service -[Unit] -Description=Cilium Agent -After=consul.service -Wants=consul.service -Before=nomad.service - -[Service] -Restart=always -ExecStartPre=-/usr/bin/podman exec %n stop -ExecStartPre=-/usr/bin/podman rm %n -ExecStartPre=-/usr/bin/mkdir -p /var/run/cilium - -ExecStart=/usr/bin/podman run --rm --name %n \\ - -v /var/run/cilium:/var/run/cilium \\ - -v /sys/fs/bpf:/sys/fs/bpf \\ - -v /opt/consul/tls/:/var/lib/cilium/consul-tls \\ - -v /etc/cilium/consul-tlsconfig.yaml:/var/lib/cilium/consul-tlsconfig.yaml \\ - --net=host \\ - --privileged \\ - docker://cilium/cilium:v$CILIUM_VERSION \\ - cilium-agent --kvstore consul \\ - --kvstore-opt consul.address=https://127.0.0.1:8501,consul.tlsconfig=/var/lib/cilium/consul-tlsconfig.yaml \\ - --enable-ipv6=false \\ - --enable-l7-proxy=false \\ - --ipv4-range 172.16.0.0/16 - -[Install] -WantedBy=multi-user.target -EOF - -mkdir -p /var/run/cilium -systemctl enable cilium - -# Configure Cilium CNI -mkdir -p /opt/cni/conf -cat << EOF > /opt/cni/conf/cilium.conflist -{ - "name": "cilium", - "cniVersion": "1.0.0", - "plugins": [ - { - "type": "cilium-cni", - "enable-debug": false - } - ] -} -EOF - -# Install Cilium CNI and binaries to node during first boot -rm -rf /etc/cloud/* -mkdir -p /etc/cloud/cloud.cfg.d - -cat << EOF > 
/etc/cloud/cloud.cfg -# https://cloudinit.readthedocs.io/en/latest/explanation/boot.html -# init modules are run before config modules -cloud_init_modules: -# create a script which will be run later by scripts-user -# https://cloudinit.readthedocs.io/en/latest/reference/modules.html#runcmd -- runcmd - -cloud_config_modules: -# execute the runcmd scripts -- scripts-user -EOF - -cat << EOF > /etc/cloud/cloud.cfg.d/99_cilium.cfg -#cloud-config -# create a script which runs only on first boot -runcmd: -# create a cilium container, but does not start it yet -- cid=\$(podman create "docker://cilium/cilium:v${CILIUM_VERSION}") -# extract the cilium binaries from the container -- podman cp "\$cid:/opt/cni/bin/cilium-cni" /opt/cni/bin/cilium-cni -# unfortunately, docker cp does not support globbing yet -- podman cp "\$cid:/usr/bin/cilium" /usr/local/bin/ -- podman cp "\$cid:/usr/bin/cilium-agent" /usr/local/bin/ -- podman cp "\$cid:/usr/bin/cilium-bugtool" /usr/local/bin/ -- podman cp "\$cid:/usr/bin/cilium-envoy" /usr/local/bin/ -- podman cp "\$cid:/usr/bin/cilium-health" /usr/local/bin/ -- podman cp "\$cid:/usr/bin/cilium-health-responder" /usr/local/bin/ -- podman cp "\$cid:/usr/bin/cilium-mount" /usr/local/bin/ -- podman cp "\$cid:/usr/bin/cilium-sysctlfix" /usr/local/bin/ -- podman rm "\$cid" -EOF - # Install CNI plugin for Consul connect integration for Consul snapshot tasks -# and Netreap Cilium operator # - https://www.nomadproject.io/docs/integrations/consul-connect -# - https://github.com/cosmonic/netreap -# - https://cosmonic.com/blog/engineering/netreap-a-practical-guide-to-running-cilium-in-nomad curl -L -o cni-plugins.tgz "https://github.com/containernetworking/plugins/releases/download/v1.3.0/cni-plugins-linux-amd64-v1.3.0.tgz" mkdir -p /opt/cni/bin tar -C /opt/cni/bin -xzf cni-plugins.tgz