@maelvls
Last active November 30, 2021 18:12
CodeReady Containers (local OpenShift) tips

Use Grafana with CodeReady Containers

https://grafana.com/orgs/maelvls/api-keys

kubectl create secret generic kubepromsecret \
  --from-literal=username=maelvls \
  --from-literal=password= \
  -n openshift-monitoring
kubectl -n openshift-monitoring edit prometheus k8s

and add the following under spec:

  remoteWrite:
  - url: https://prometheus-us-central1.grafana.net/api/prom/push
    basicAuth:
      username:
        name: kubepromsecret
        key: username
      password:
        name: kubepromsecret
        key: password

Tailscale

# Service IP CIDR:
echo '{"apiVersion":"v1","kind":"Service","metadata":{"name":"tst"},"spec":{"clusterIP":"1.1.1.1","ports":[{"port":443}]}}' | kubectl apply -f - 2>&1 | sed 's/.*valid IPs is //'
10.217.4.0/23

# Pod IP CIDR:
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" "ps -ef | grep -o cluster-cidr=[0-9][0-9\.\/]* | cut -d= -f2"
10.217.0.0/22

# Node IPs:
kubectl get nodes -ojson | jq '.items[].status.addresses[] | select(.type | contains("IP")) | .address' -r
192.168.126.11

# Run tailscaled within the OpenShift node:
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- sudo podman run --name tailscaled --restart=always --net=host -v /var/lib:/var/lib -v /var/run:/var/run -v /lib/modules:/lib/modules -v /dev/net:/dev/net --privileged docker.io/tailscale/tailscale:latest tailscaled --tun tailscale0
# If the logs look fine, ctrl-c to let tailscaled do its thing.

# Log in:
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- sudo podman run --restart=always -v /var/run/tailscale:/var/run/tailscale --privileged docker.io/tailscale/tailscale:latest tailscale up --force-reauth --authkey $(lpass show -p tailscale-cm) --snat-subnet-routes --advertise-routes 10.217.0.0/22,10.217.4.0/23,192.168.126.11/32

# Remove tailscaled
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" sudo podman ps --all | grep tailscale | awk '{print $1}' | xargs --no-run-if-empty ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" sudo podman rm -f

# Tailscale status
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- sudo podman run --rm -v /var/run/tailscale:/var/run/tailscale --privileged docker.io/tailscale/tailscale:latest tailscale status
100.96.7.116    crc-dzk9v-master-0   maelvls@     linux   -
100.127.221.57  aorus                maelvls@     linux   -
100.70.129.74   iphone-de-mael       maelvls@     iOS     -
100.114.149.88  mbp-mael             maelvls@     macOS   -

Unfortunately I wasn't able to make it work.

For example:

curl -v https://10.217.4.169:5443

We can see the SYN properly sent (traffic on tailscale0 on the host):

[Image: Screenshot from 2021-11-30 19-03-02]

But nothing comes out on the other side (tailscale0 on the OpenShift node):

ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" -- sudo podman run --net=host docker.io/itsthenetwork/alpine-tcpdump:latest -i tailscale0 -U -w - | wireshark -k -y RAW -i -

[Image: Screenshot from 2021-11-30 19-03-38]
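One thing worth checking when the curl above hangs is whether the target IP actually falls inside one of the routes passed to --advertise-routes. The POSIX sh helpers below are an added example, not part of the gist; they reuse the CIDRs discovered above, and the kubectl error text used in the comments is a constructed sample of the message the invalid-Service trick parses.

```shell
#!/bin/sh
# Added helpers (not from the gist) to sanity-check tailscale subnet-route
# coverage of a CodeReady Containers cluster.

# ip_to_int 10.217.4.169 -> dotted quad as a 32-bit integer
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR IP -> exit 0 when IP is inside CIDR
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    # 32-bit network mask; the trailing & keeps it to 32 bits on 64-bit shells
    mask=$(( 4294967295 << (32 - bits) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# route_for ROUTES IP -> prints the first comma-separated route covering IP,
# exits 1 when none does (the first thing to rule out when traffic vanishes)
route_for() {
    _ip=$2
    _ifs=$IFS; IFS=,
    for r in $1; do
        IFS=$_ifs
        if cidr_contains "$r" "$_ip"; then echo "$r"; return 0; fi
    done
    IFS=$_ifs
    return 1
}

# service_cidr_from_error: read the apiserver error produced by applying a
# Service with a bogus clusterIP on stdin and print the service CIDR it reveals.
# Constructed sample input: '... provided IP is not in the valid range.
# The range of valid IPs is 10.217.4.0/23'
service_cidr_from_error() {
    sed -n 's/.*valid IPs is \([0-9.\/]*\).*/\1/p'
}

# Example: the routes advertised in the gist and the IP that was curl'ed
ROUTES=10.217.0.0/22,10.217.4.0/23,192.168.126.11/32
route_for "$ROUTES" 10.217.4.169 || echo "10.217.4.169 is not covered by $ROUTES"
```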

Scanafi

scp -i ~/.crc/machines/crc/id_ecdsa scanafi_linux_x64 core@"$(crc ip)":.
ssh -i ~/.crc/machines/crc/id_ecdsa core@"$(crc ip)" tee config.json <<EOF
{
   "zone":"Policy\\\\Kubernetes",
   "log_level":"info",
   "id":"scanafi",
   "provider":{
      "type":"tpp",
      "config":{
         "url": "$(dirname $VENAFI_TPP_URL)",
         "password":"$VENAFI_TPP_PASSWORD",
         "username": "$VENAFI_TPP_USERNAME"
      },
      "inputs":[
         {
            "type":"CIDR",
            "subnet":"10.217.0.0/22",
            "ports":[
               "443",
               "80",
               "22"
            ]
         }
      ]
   }
}
EOF
ssh -i ~/.crc/machines/crc/id_ecdsa -t core@"$(crc ip)" ./scanafi_linux_x64 --config config.json