Grafana Cloud API keys (the key created here is the remote-write password stored in the Secret below): https://grafana.com/orgs/maelvls/api-keys
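# Store the Grafana Cloud credentials used by Prometheus remote write.
# The password is the Grafana API key from the URL above. Prompt for it and
# hand it to kubectl over stdin instead of `--from-literal=password=...` on
# the command line, so the key never lands in shell history or in `ps`
# output. (A Secret is still only base64 in etcd — keep RBAC on Secrets in
# openshift-monitoring tight.)
read -rsp 'Grafana API key: ' grafana_api_key; echo
printf '%s' "$grafana_api_key" \
  | kubectl create secret generic kubepromsecret \
      --from-literal=username=maelvls \
      --from-file=password=/dev/stdin \
      -n openshift-monitoring
unset grafana_api_key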
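# Open the Prometheus CR that scrapes the cluster and add the remoteWrite
# block below under its `spec`. The Secret referenced by basicAuth must live
# in the same namespace as this Prometheus object (it does: openshift-monitoring).
# NOTE(review): on OpenShift the cluster-monitoring operator owns this CR and
# will likely revert manual edits; the supported route is presumably
# `prometheusK8s.remoteWrite` in the `cluster-monitoring-config` ConfigMap —
# confirm for your OCP version.
kubectl -n openshift-monitoring edit prometheus k8s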
and add the following under `spec` (the Secret keys must match the ones created above):
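# Ship metrics to Grafana Cloud over HTTPS with basic auth. Both credentials
# are read from the `kubepromsecret` Secret in the Prometheus object's
# namespace. Keep the URL https: basic auth sends the API key in clear
# otherwise.
remoteWrite:
  - url: https://prometheus-us-central1.grafana.net/api/prom/push
    basicAuth:
      username:
        name: kubepromsecret
        key: username
      password:
        name: kubepromsecret
        key: password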
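# Service IP CIDR: ask the API server to admit a Service whose clusterIP
# cannot be in range; the rejection message names the valid range. Use a
# server-side dry run so validation still runs but nothing is persisted —
# the original created a real `tst` Service whenever the address was valid.
printf '%s\n' '{"apiVersion":"v1","kind":"Service","metadata":{"name":"tst"},"spec":{"clusterIP":"1.1.1.1","ports":[{"port":443}]}}' \
  | kubectl apply --dry-run=server -f - 2>&1 \
  | sed 's/.*valid IPs is //'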
10.217.4.0/23
# Pod IP CIDR: read it off the --cluster-cidr flag carried by the control-plane
# process(es) on the node. Read-only: only `ps` runs on the node. The remote
# command is single-quoted so the regex reaches the node unmodified.
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" \
  'ps -eo args | grep -o "cluster-cidr=[0-9][0-9./]*" | cut -d= -f2'
10.217.0.0/22
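# Node IPs: print the address fields Kubernetes reports for each node.
# Match the address type explicitly instead of `contains("IP")`, so only
# InternalIP/ExternalIP entries (the ones worth advertising as routes) are
# listed and nothing else whose type merely contains "IP".
kubectl get nodes -o json \
  | jq -r '.items[].status.addresses[]
           | select(.type == "InternalIP" or .type == "ExternalIP")
           | .address'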
192.168.126.11
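# Run tailscaled on the OpenShift node (foreground, so the logs can be
# checked). Changes from the first attempt:
#  * Mount only what tailscaled needs — its state dir and its socket dir —
#    instead of the whole of /var/lib and /var/run of the node; the container
#    is privileged and on the host network, so every extra mount is extra
#    blast radius. The dirs are created first so podman does not refuse the
#    bind mounts.
#  * `:latest` is unpinned. Fine for a throwaway CRC VM; pin a version tag or
#    an image digest before running a privileged host-network container from
#    a registry anywhere that matters.
#  * `--privileged` is kept: SELinux on RHCOS most likely blocks an
#    unprivileged container from the tun device and the socket dir.
#    `--cap-add NET_ADMIN,NET_RAW --security-opt label=disable` may be
#    enough — TODO(review): not verified on CRC.
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- \
  sudo mkdir -p /var/lib/tailscale /var/run/tailscale
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- \
  sudo podman run --name tailscaled --restart=always --net=host \
    -v /var/lib/tailscale:/var/lib/tailscale \
    -v /var/run/tailscale:/var/run/tailscale \
    -v /lib/modules:/lib/modules:ro \
    -v /dev/net:/dev/net \
    --privileged \
    docker.io/tailscale/tailscale:latest \
    tailscaled --tun tailscale0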
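# If the logs look fine, ctrl-c to let tailscaled do its thing.
# Log in and advertise the pod, service and node networks to the tailnet.
# Secret handling: the auth key is piped over ssh stdin into a root-only file
# on the node and `tailscale up` reads it from there. With
# `--authkey $(lpass show -p ...)` the key sat in local shell history, in the
# local and remote `ps` tables and in `podman inspect` of the container.
# `--authkey file:PATH` needs a tailscale CLI recent enough to accept the
# `file:` prefix (check `tailscale up --help`); otherwise fall back to the
# TS_AUTHKEY environment variable via `podman run --env-file`.
# The container is `--rm` now: `tailscale up` exits once authenticated, so
# `--restart=always` only kept re-running it.
# Exposure: once the routes are approved in the admin console, every pod and
# ClusterIP service becomes reachable from the whole tailnet, and most of them
# have no auth of their own — scope who may reach these CIDRs with tailnet
# ACLs before approving.
lpass show -p tailscale-cm \
  | ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- \
      "sudo sh -c 'umask 077; mkdir -p /var/run/tailscale; cat > /var/run/tailscale/authkey'"
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- \
  sudo podman run --rm -v /var/run/tailscale:/var/run/tailscale --privileged \
    docker.io/tailscale/tailscale:latest \
    tailscale up --force-reauth --authkey file:/var/run/tailscale/authkey \
      --snat-subnet-routes \
      --advertise-routes 10.217.0.0/22,10.217.4.0/23,192.168.126.11/32
# The key is single-use for this login; do not leave it on the node.
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- \
  sudo rm -f /var/run/tailscale/authkey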
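# Remove tailscaled and any leftover containers started from the tailscale
# image (e.g. the `tailscale up` ones). List and remove in one ssh session
# on the node instead of shipping container IDs back through a second ssh.
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- \
  "sudo podman ps --all --format '{{.ID}} {{.Image}} {{.Names}}' | awk '/tailscale/ {print \$1}' | xargs --no-run-if-empty sudo podman rm -f"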
# Tailscale status. Read-only: the CLI only talks to tailscaled over the unix
# socket under /var/run/tailscale. `--privileged` is presumably needed just
# so SELinux lets the container reach that socket; `--security-opt
# label=disable` would be the narrower option — not verified on CRC.
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- \
  sudo podman run --rm \
    --volume /var/run/tailscale:/var/run/tailscale \
    --privileged \
    docker.io/tailscale/tailscale:latest \
    tailscale status
100.96.7.116 crc-dzk9v-master-0 maelvls@ linux -
100.127.221.57 aorus maelvls@ linux -
100.70.129.74 iphone-de-mael maelvls@ iOS -
100.114.149.88 mbp-mael maelvls@ macOS -
Unfortunately I wasn't able to make it work: traffic from the tailnet reaches the subnet router but is not forwarded into the cluster networks.
For example:
# Probe a service IP from a tailnet machine. TLS will most likely fail against
# a bare IP; that is fine, we only want to see whether the SYN leaves tailscale0.
curl --verbose https://10.217.4.169:5443
We can see the SYN properly sent (capture on tailscale0 on the client host; not reproduced here):
But nothing comes out on the other side (tailscale0 on the OpenShift node, captured with the command below):
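# Capture tailscale0 on the node and stream the pcap into a local wireshark.
# `--rm` so each capture does not leave a stopped container behind.
# itsthenetwork/alpine-tcpdump is an unpinned third-party image run with host
# networking as root on the node — acceptable for a throwaway CRC VM, pin a
# digest (or use tcpdump from `toolbox`/rpm-ostree) anywhere real.
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- \
  sudo podman run --rm --net=host docker.io/itsthenetwork/alpine-tcpdump:latest \
    -i tailscale0 -U -w - \
  | wireshark -k -y RAW -i -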
# Copy the scanafi binary into core's home directory on the node.
scp -i ~/.crc/machines/crc/id_ecdsa scanafi_linux_x64 "core@$(crc ip):~/"
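# Write the scanafi config on the node.
#  * Build the JSON with jq so the TPP URL/username/password are escaped: the
#    unquoted heredoc broke on a `"` or `\` in the password and let the shell
#    expand any `$` inside it.
#  * Send it over ssh stdin and write it with umask 077. `tee` echoed the
#    whole config — password included — back to the local terminal and
#    scrollback, and left the file world-readable on the node.
#  * The subnet had a stray leading space (" 10.217.0.0/22"); fixed.
#  * `dirname` on the URL presumably strips a trailing path segment such as
#    /vedsdk — TODO(review): confirm that is what scanafi expects.
: "${VENAFI_TPP_URL:?}" "${VENAFI_TPP_USERNAME:?}" "${VENAFI_TPP_PASSWORD:?}"
jq -n \
  --arg zone 'Policy\Kubernetes' \
  --arg url "$(dirname "$VENAFI_TPP_URL")" \
  --arg user "$VENAFI_TPP_USERNAME" \
  --arg pass "$VENAFI_TPP_PASSWORD" \
  '{
    zone: $zone,
    log_level: "info",
    id: "scanafi",
    provider: {
      type: "tpp",
      config: { url: $url, password: $pass, username: $user },
      inputs: [
        { type: "CIDR", subnet: "10.217.0.0/22", ports: ["443", "80", "22"] }
      ]
    }
  }' \
  | ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- 'umask 077 && cat > config.json'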
# Run the scan on the node; -t allocates a tty so progress output and ctrl-c
# behave. config.json on the node holds the TPP credentials in clear — delete
# it once the scan is done.
ssh -t -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- ./scanafi_linux_x64 --config config.json