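# ---------------------------------------------------------------------------
# Host firewall for an RKE2 node: write an iptables "filter" ruleset to
# /etc/sysconfig/iptables and load it. Only the filter table is written; nat
# and mangle are left untouched.
# NOTE(review): iptables-restore replaces the whole filter table, so re-running
# this on a node where RKE2/Canal is already up will drop any rules they added
# — confirm before applying to a live node.
# ---------------------------------------------------------------------------
# Network allowed to reach node services (SSH, API, etcd, kubelet, NodePorts).
export SAFE_CIDR="192.168.0.0/16"
# Pod network; must agree with the cluster's cluster-cidr setting.
export POD_CIDR="10.42.0.0/16"
mkdir -p /etc/sysconfig
# The heredoc is deliberately unquoted so $SAFE_CIDR / $POD_CIDR are expanded
# when the ruleset is written. Lines starting with '#' are skipped by
# iptables-restore. Ports follow the RKE2 defaults (9345 supervisor,
# 6443 kube-apiserver, 10250 kubelet, 2379/2380 etcd, 8472/udp VXLAN,
# 30000-32767 NodePort) plus 80/443 for ingress; 8443 is not an RKE2 default —
# confirm which service on the node needs it.
cat > /etc/sysconfig/iptables <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Cluster/management services, reachable from SAFE_CIDR only.
-A INPUT -p tcp --source $SAFE_CIDR --dport 9345 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --source $SAFE_CIDR --dport 6443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --source $SAFE_CIDR --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --source $SAFE_CIDR --dport 8472 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --source $SAFE_CIDR --dport 10250 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --source $SAFE_CIDR --dport 2379 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --source $SAFE_CIDR --dport 2380 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --source $SAFE_CIDR --dport 30000:32767 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --source $SAFE_CIDR --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --source $SAFE_CIDR --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --source $SAFE_CIDR -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Replies, loopback, ICMP. The unrestricted ICMP rule below makes the
# SAFE_CIDR-only ICMP rule above redundant; keep one of them depending on
# whether ICMP should be reachable from outside SAFE_CIDR.
# (-m conntrack is the current spelling of the older -m state match; same
# behaviour, and consistent with the rules above.)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --source $SAFE_CIDR -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# Pod network traffic is trusted in both directions on INPUT and FORWARD.
-A INPUT -s $POD_CIDR -j ACCEPT
-A INPUT -d $POD_CIDR -j ACCEPT
-A FORWARD -s $POD_CIDR -j ACCEPT
-A FORWARD -d $POD_CIDR -j ACCEPT
# Default deny for everything not matched above.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
# Parse-check the ruleset first so a typo cannot leave the node with a
# half-applied filter table.
iptables-restore --test < /etc/sysconfig/iptables \
  || { printf 'iptables ruleset failed to parse; not applied\n' >&2; exit 1; }
iptables-restore < /etc/sysconfig/iptables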
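# ---------------------------------------------------------------------------
# Keep NetworkManager away from the interfaces Canal creates.
# This step writes under /etc, so refuse to continue when not root instead of
# dropping into `sudo -s`: an interactive root shell does not elevate the
# commands that follow it in this script, they resume as the original user.
# ---------------------------------------------------------------------------
if [ "$(id -u)" -ne 0 ]; then
  printf 'this step must run as root (re-run under sudo)\n' >&2
  exit 1
fi
mkdir -p /etc/NetworkManager/conf.d
# cali* and flannel* devices must stay unmanaged or NetworkManager will
# reconfigure them out from under the CNI. Quoted heredoc: nothing to expand.
cat > /etc/NetworkManager/conf.d/rke2-canal.conf <<'EOF'
[keyfile]
unmanaged-devices=interface-name:cali*;interface-name:flannel*
EOF
systemctl reload NetworkManager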
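# ---------------------------------------------------------------------------
# Install host prerequisites, fetch the offline RKE2 bundle plus the Harbor and
# Longhorn image tarballs, run the bundled installer, and set up the shell env.
# ---------------------------------------------------------------------------
yum install -y tar iscsi-initiator-utils nfs-utils git
# Manifests used later live in this gist; SSH access to GitHub is required.
git clone git@gist.github.com:bbdea59c0739226d1360837cdec2cf17.git
# Image tarballs dropped here are pre-loaded by the rke2 agent on start
# (per the RKE2 air-gap docs).
images_dir=/var/lib/rancher/rke2/agent/images
mkdir -p "$images_dir/"
base_url=https://rfed-public.s3-us-gov-east-1.amazonaws.com
# -f makes curl fail on HTTP errors instead of saving an error page as a .tar;
# -L follows redirects as before.
# TODO(review): verify every download against a publisher-provided checksum
# (e.g. `sha256sum -c <checksum-file placeholder>`) before it is consumed —
# nothing in this step pins or checks the downloaded content.
curl -fL "$base_url/harbor-1.7.3-images.tar" -o "$images_dir/harbor-1.7.3-images.tar" || exit 1
curl -fL "$base_url/longhorn-1.2.2-images.tar" -o "$images_dir/longhorn-1.2.2-images.tar" || exit 1
# %2B is a URL-encoded '+'; curl -O keeps the encoded name on disk, so the
# same encoded name is used for tar and rm.
bundle=rke-government-deps-offline-bundle-el8-v1.21.6%2Brke2r1.tar.gz
curl -fLO "$base_url/bundles/$bundle" || exit 1
tar xzvf "$bundle" || exit 1
# install.sh ships inside the bundle and runs as root exactly as downloaded —
# inspect it (and the bundle checksum) before running. Abort on failure so the
# partially installed state is left for inspection rather than cleaned up.
chmod +x install.sh
./install.sh || exit 1
rm -f install.sh rke2-images-canal.linux-amd64.tar.zst rke2-images-core.linux-amd64.tar.zst rke2.linux-amd64.tar.gz "$bundle" rke_rpm_deps.tar.gz
# Shell environment for kubectl/crictl. The heredoc is unquoted; \$PATH and
# \$KU_NS are escaped so they land in ~/.bashrc as variables (the original
# escaped only KU_NS, which baked this shell's PATH into the file).
# Guarded so re-running the step does not append the block twice.
if ! grep -q 'KUBECONFIG=/etc/rancher/rke2/rke2.yaml' ~/.bashrc 2>/dev/null; then
  cat >> ~/.bashrc <<EOF
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
export PATH=\$PATH:/var/lib/rancher/rke2/bin:/usr/local/bin
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
export KU_NS=default
alias ku="kubectl -n \$KU_NS"
EOF
fi
source ~/.bashrc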
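# ---------------------------------------------------------------------------
# Stage the Harbor and Longhorn HelmChart manifests for rke2-server to apply
# on start, then start the server and follow its log.
# NOTE(review): the earlier `git clone` of the gist checks out under the
# gist's hash name, not under consulting/…; this path presumably refers to a
# separate checkout — confirm the working directory before running this step.
# ---------------------------------------------------------------------------
cd consulting/rke2_offline_bootstrap_w_harbor/ || exit 1
manifests=/var/lib/rancher/rke2/server/manifests
mkdir -p "$manifests/"
cp longhorn-1.2.2-chart.yaml longhorn-system-ns.yaml harbor-ns.yaml harbor-1.7.3-chart.yaml "$manifests/" || exit 1
# systemctl start blocks until the unit reports active; it is backgrounded so
# the log tail starts immediately. journalctl -f does not return — this is the
# interactive end of the bootstrap step (Ctrl-C to continue with the rest).
systemctl start rke2-server &
journalctl -u rke2-server -f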
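# ---------------------------------------------------------------------------
# Helm: install the client, then list the images the Harbor chart references
# and the images actually running in the longhorn-system and harbor
# namespaces (input for the offline image tarballs built below).
# The first two commands were collapsed onto one line in the source paste
# (`yum install -y tar` and `curl …/get-helm-3 | bash`); reconstructed here.
# ---------------------------------------------------------------------------
yum install -y tar
# Save the installer to a file and run it from there instead of piping the
# network stream straight into bash. It is fetched from the master branch, so
# it is whatever master holds at run time; pin a release tag or commit
# (<HELM_REF placeholder>) once one is chosen.
curl -fsSL -o get-helm-3 https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 || exit 1
bash get-helm-3 || exit 1
rm -f get-helm-3
helm repo add harbor https://helm.goharbor.io
helm search repo harbor --versions
helm search repo harbor
helm fetch harbor/harbor --version 1.7.3
# --version keeps the rendered chart in step with the one fetched above;
# without it helm template renders the newest chart in the repo, not 1.7.3.
helm template harbor harbor/harbor --version 1.7.3 | grep -i Image:
# Running images per namespace, one per line, with counts.
# [*] is kubectl's documented jsonpath wildcard for "every element".
for ns in longhorn-system harbor; do
  kubectl get pods -n "$ns" -o jsonpath='{.items[*].spec.containers[*].image}' \
    | tr -s '[[:space:]]' '\n' \
    | sort \
    | uniq -c
done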
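# ---------------------------------------------------------------------------
# Build the two image tarballs that the node pre-loads (presumably the same
# harbor-1.7.3-images.tar / longhorn-1.2.2-images.tar fetched from S3 above).
# Each image list is declared once and used for both pull and save so the two
# cannot drift apart, and a failed pull aborts before `docker save` so a
# partial tarball is never written.
# Images are pinned by tag only. TODO(review): pin by digest
# (image@sha256:<digest placeholder>) so the tarball contents are reproducible.
# NOTE(review): k8s.gcr.io has since been frozen in favour of registry.k8s.io
# — confirm these pulls still resolve.
# ---------------------------------------------------------------------------
harbor_images=(
  goharbor/harbor-core:v2.3.3
  goharbor/harbor-db:v2.3.3
  goharbor/harbor-jobservice:v2.3.3
  goharbor/harbor-portal:v2.3.3
  goharbor/harbor-registryctl:v2.3.3
  goharbor/nginx-photon:v2.3.3
  goharbor/redis-photon:v2.3.3
  goharbor/registry-photon:v2.3.3
  goharbor/chartmuseum-photon:v2.4.0
  goharbor/notary-server-photon:v2.4.0
  goharbor/trivy-adapter-photon:v2.4.0
)
longhorn_images=(
  k8s.gcr.io/sig-storage/csi-attacher:v3.2.1
  k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.3.0
  k8s.gcr.io/sig-storage/csi-provisioner:v2.1.2
  k8s.gcr.io/sig-storage/csi-resizer:v1.2.0
  k8s.gcr.io/sig-storage/csi-snapshotter:v3.0.3
  docker.io/longhornio/longhorn-engine:v1.2.2
  docker.io/longhornio/longhorn-instance-manager:v1_20210731
  docker.io/longhornio/longhorn-manager:v1.2.2
  docker.io/longhornio/longhorn-ui:v1.2.2
)

#######################################
# Pull every image, then save them all into one tarball.
# Arguments: $1 - output tarball path; $2.. - image references
# Returns:   0 on success; 1 if any pull fails (nothing is saved)
#######################################
pull_and_save() {
  local out=$1
  shift
  local img
  for img in "$@"; do
    docker pull "$img" || { printf 'pull failed: %s\n' "$img" >&2; return 1; }
  done
  docker save "$@" -o "$out"
}

pull_and_save harbor-1.7.3-images.tar "${harbor_images[@]}" || exit 1
pull_and_save longhorn-1.2.2-images.tar "${longhorn_images[@]}" || exit 1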