add: multiple fixes, docs for deployment

2025-04-19 15:06:54 -07:00
parent eb46dccc61
commit 57102e7fa3
6 changed files with 190 additions and 17 deletions
--- a/README.md
+++ b/README.md
@@ -38,4 +38,83 @@ skubelb --needle some_node_ip \
 Replacing `some_node_ip` with the node IP you used during the initial setup.

 Next, configure the Kubernetes nodes to POST `http://loadbalancer:8080/register` when
-they started, and DELETE `http://loadbalancer:8080/register` when they shutdown.
+they started, and DELETE `http://loadbalancer:8080/register` when they shutdown.
+
+#### Running as a system service
+
+Add the systemd config to `/etc/systemd/system/skubelb.service`:
+
+```toml
+[Unit]
+Description=Simple Kubernetes Load Balancer
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+User=skubelb
+ExecStart=/usr/local/bin/skubelb --needle some_node_ip \
+    --workspace_dir /var/skubelb \
+    --config_symlink /etc/nginx \
+    --template_dir /etc/nginx-template
+    --listen 0.0.0.0:8080
+    --reload-cmd '/usr/bin/sudo systemctl reload nginx'
+
+[Install]
+WantedBy=multi-user.target
+```
+
+### Sample Kubernets configuration
+
+Deploy this [daemon set](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/)
+to your cluster, replacing `lb_address` with the address of your load balancer.
+
+```yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: skubelb
+  namespace: skubelb
+  labels:
+    k8s-app: skubelb
+spec:
+  selector:
+    matchLabels:
+      name: skubelb
+  template:
+    metadata:
+      labels:
+        name: skubelb
+    spec:
+      tolerations:
+      # these tolerations are to have the daemonset runnable on control plane nodes
+      # remove them if your control plane nodes should not run pods
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      containers:
+      - name: skubelb
+        image: alpine/curl:latest
+        command: ['sh', '-c', 'echo "Wait for heat death of universe" && sleep 999999d']
+        lifecycle:
+          postStart:
+            exec:
+              command: ['curl', '-X', 'POST', '34.56.7.198:8888/register']
+          preStart:
+            exec:
+              command: ['curl', '-X', 'POST', '34.56.7.198:8888/register']
+        resources:
+          limits:
+            memory: 200Mi
+          requests:
+            cpu: 10m
+            memory: 100Mi
+      terminationGracePeriodSeconds: 30
+```
+
+NOTE: you should need to make an entry in the firewall to allow this request through. It is very important that the firewall entry has a source filter; it should only be allowed from the Kubernetes cluster. Nginx will forward traffic to any host that registers, and this could easily become a MitM vulnerability.