kubernetes-edge-demo/README.org

#+TITLE: Pinephone kubernetes edge deployment
#+AUTHOR: James Blair <mail@jamesblair.net>
#+DATE: 9th November 2022

This repository is intended to guide you through the process of deploying [[https://kubernetes.io/][kubernetes]] on an edge device, specifically an original [[https://www.pine64.org/pinephone/][pinephone]].

I used this guide to run a live demo at the [[https://community.cncf.io/events/details/cncf-wellington-presents-cloud-native-computing-wellington-november-2022-meetup/][November 2022 Wellington CNCF Meetup]] as part of a talk titled "A hitchhikers guide to edge kubernetes."

* Pre-requisites

This guide assumes you have the following:
- A pinephone running [[https://mobian-project.org/][mobian]] that has internet connectivity.
- A domain with authoritative dns managed by cloudflare.
- The ~tmate~ package installed via ~apt~.


* Initial device terminal

With our edge device powered on we need a way to get a starting remote terminal running so we can start our deployment process.

For this we can leverage [[https://tmate.io][tmate]], this is a fork of ~tmux~ that allows for secure terminal sharing, primarily for pairing.

Let's start a new tmate session on our device and connect to it 🚀

#+NAME: Start a named tmate session
#+begin_src tmate
tmate -n "kubernetes-edge-demo"
#+end_src


* Remote access to edge device

Our first challenge will be how we will setup secure remote access to an edge device. When we are dealing with edge devices traditional network concepts like static ip's, port forwarding and firewalls can go out the window as these devices are often operating on networks that we don't have any control over.

In our example we have a pinephone that is currently on a 4G cellular connection. We need to establish a secure tunnel connection to the device, in our case we will use [[https://www.cloudflare.com/products/tunnel/][cloudflare tunnel]] as it is very quick to setup however there are a lot of solutions in this space including options you can self host like [[https://goteleport.com/][teleport]].

Let's start by installing and configuriong ~openssh-server~ on our device:

#+Install openssh-server
#+begin_src tmate :socket /tmp/james.tmate.tmate
sudo apt install -y openssh-server
#+end_src


#+NAME: Configure ssh and start
#+begin_src tmate :socket /tmp/james.tmate.tmate
# Configure openssh-server auth to be key based
sudo sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config || true

# Add my key to authorized keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsYhu2xE5cxq+sA7bNyHjZUk9IHKXHsd58ZCFLfCHbK5nnWLgJwxFnF1NzBylyOJviJ2v54VYQoXvsWLTbehlyH/kqJS8icmo0iu2mUFcp09n/3NcGw2BJefwMbK+mofxBBR78RRNI8DG3yk7Apa19BrLpFWaL/VljGidgR61WhPH7FbXjTh5NuQR494LG3yBRn16yIPNN+xZhf0TW7uoVCiSr77kFELgrTqjpPyoYiYLZZdKqJZ7PDgOEcLq5oDEZfYME8sGRPyufGByH7tnK9fgFaZ9wW747wTNN2naUIhCNzJLxKgr8fMMRBXuqeUjk+5/EzxGFXjxE+4a+dhD51OO5mSN1ctG/061HIQjJwZ2Zk6CACypBEv6nLVREaMqKQtcEPPooZ2SK4SdiMtwC8XLCZ6wRQDVskMentI1uy3bbCwV9AG0auiLA3sfbyKI8093p5NLsLEiR+BScu4/tLx7kzPetl89QOKzTI60GXzBaSnBXhAtQTijZZFrOGbQ1NQ1deWb6pT8foOPOs3P2F0a4Y/nY/xlomBuNqTI48Vi8MZJjhTvAe8BF+Y7C8HlSaCZeH1DrnymkbLhpXvVH7Tuir/DLOyhrwnXqNuxpMyWsfy5UrTfe67GP2+jzriFxteTMbvZjmgbF2UDMYs5U59NaYPdAYxjwdzH5nHoIWw== james@james-desktop" >> ~/.ssh/authorized_keys

# Start and enable ssh daemon
sudo systemctl enable --now sshd.service
#+end_src


Once we have ssh running we are ready to set up our cloudflare access tunnel. The first step here is to install the ~cloudflared~ daemon on our device:

#+NAME: Install cloudflared
#+begin_src tmate :socket /tmp/james.tmate.tmate
# Download latest cloudflared release
curl -L --output cloudflared.deb "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb"

# Install cloudflared via dpkg
sudo dpkg -i cloudflared.deb
#+end_src


Once ~cloudflared~ is installed we need to set up a tunnel in the [[https://one.dash.cloudflare.com][cloudflare zero trust dashboard]]. Once a tunnel has been created we will have a token that can be used with the following command to establish our secure tunnel:

#+NAME: Start cloudflare tunnel service
#+begin_src tmate :socket /tmp/james.tmate.tmate
sudo cloudflared service install "<token>"
#+end_src

Wohoo - we now have secure access to our device, from anywhere, provided our device has any active internet connection 🎉

Let's test our new tunnel by disconnecting from the tmate session and connecting back with ~ssh~ over ~cloudflared~.

#+NAME: Reconnect via cloudflared
#+begin_src tmate :socket /tmp/james.tmate.tmate
ssh -o ProxyCommand="cloudflared access ssh --hostname %h" mobian@phone.jamma.dev
#+end_src


* Install kubernetes

Now that we have secure connectivity to our edge device, let's install kubernetes. For our demo today we need a lightweight kubernetes distribution because our device has an old CPU with four slow 1.2Ghz cores and 3GB of low power DDR3 ram.

With these constraints in mind we will be deploying ~microshift~ today which is a [[https://github.com/openshift/microshift][lightweight kubernetes distribution]] of OpenShift that is specifically designed for edge devices.

#+NAME: Install microshift
#+begin_src tmate :socket /tmp/james.tmate.tmate
# Clone down repository
cd Downloads && git clone https://github.com/jmhbnz/kubernetes-edge-demo.git

# Run the install script
cd kubernetes-edge-demo && sudo ./microshift-install.sh
#+end_src

Once our cluster has been installed let's verify that it's running with ~kubectl~:

#+NAME: Verify cluster state
#+begin_src tmate :socket /tmp/james.tmate.tmate
sudo kubectl get nodes

sudo kubectl get pods -A
#+end_src


* Bonus - deploying a workload

With out cluster deployed, let's have some fun!

#+NAME: Deploying a workload
#+begin_src :socket /tmp/james.tmate.tmate
sudo kubectl apply -f doom.yaml

sudo kubectl expose deployment kubedoom -n kubedoom --type NodePort
#+end_src