Add Ubiquity EdgeRouter documentation

docs/bare-metal.md

@@ -94,7 +94,7 @@ For networks already supporting iPXE clients, you can add a `default.ipxe` confi
 chain http://matchbox.foo:8080/boot.ipxe
 ```
 
-For networks with Ubiquiti Routers, you can [configure the router](TODO) itself to chainload machines to iPXE and Matchbox.
+For networks with Ubiquiti Routers, you can [configure the router](/topics/hardware/#ubiquiti) itself to chainload machines to iPXE and Matchbox.
 
 For a small lab, you may wish to checkout the [quay.io/coreos/dnsmasq](https://quay.io/repository/coreos/dnsmasq) container image and [copy-paste examples](https://github.com/coreos/matchbox/blob/master/Documentation/network-setup.md#coreosdnsmasq).
 

docs/topics/hardware.md

@@ -0,0 +1,143 @@
+# Hardware
+
+While bare-metal Kubernetes clusters have no special hardware requirements (beyond the [min reqs](/bare-metal#requirements)), Typhoon does ensure certain router and server hardware integrates well with Kubernetes.
+
+## Ubiquitiy
+
+Ubiquity EdgeRouters work well with bare-metal Kubernetes clusters. Knowledge about how to setup an EdgeRouter and use the CLI is required.
+
+### PXE
+
+Ubiquiti EdgeRouters can provide a PXE-enabled network boot environment for client machines.
+
+#### ISC DHCP
+
+Add a subnet parameter to the LAN DHCP server to include an ISC DHCP config file.
+
+```
+configure
+show service dhcp-server shared-network-name NAME subnet SUBNET
+set service dhcp-server shared-network-name NAME subnet SUBNET subnet-parameters "include "/config/scripts/ipxe.conf";"
+commit-confirm
+```
+
+Switch to root (i.e. `sudo -i`) and write the ISC DHCP config `/config/scripts/ipxe.conf`. iPXE client machines will chainload to `matchbox.example.com`, while non-iPXE clients will chainload to `undionly.kpxe` (requires TFTP to be enabled).
+
+```
+allow bootp;
+allow booting;
+next-server ADD_ROUTER_IP_HERE;
+
+if exists user-class and option user-class = "iPXE" {
+  filename "http://matchbox.example.com/boot.ipxe";
+} else {
+  filename "undionly.kpxe";
+}
+```
+
+### TFTP
+
+Use `dnsmasq` as a TFTP server to serve [undionly.kpxe](http://boot.ipxe.org/undionly.kpxe).
+
+```
+sudo -i
+mkdir /var/lib/tftpboot
+cd /var/lib/tftpboot
+curl http://boot.ipxe.org/undionly.kpxe -o undionly.kpxe
+```
+
+Add `dnsmasq` command line options to enable the TFTP file server.
+
+```
+configure
+show servce dns forwarding
+set service dns forwarding options enable-tftp
+set service dns forwarding options tftp-root=/var/lib/tftpboot
+commit-confirm
+```
+
+!!! warning
+    After firmware upgrades, the `/var/lib/tftpboot` directory will not exist and dnsmasq will not start properly. Repeat this process following an upgrade.
+
+### DHCP
+
+Assign static IPs to clients with known MAC addresses. This is called a static mapping by EdgeOS. Configure the router with the commands based on region inventory.
+
+```
+configure
+show service dhcp-server shared-network
+set service dhcp-server shared-network-name LAN subnet SUBNET static-mapping NAME mac-address MACADDR
+set service dhcp-server shared-network-name LAN subnet SUBNET static-mapping NAME ip-address 10.0.0.20
+```
+
+### DNS
+
+Assign DNS A records to nodes as options to `dnsmasq`.
+
+```
+configure
+set service dns forwarding options host-record=node.example.com,10.0.0.20
+```
+
+Restart `dnsmasq`.
+
+```
+sudo /etc/init.d/dnsmasq restart
+```
+
+Configure queries for `*.svc.cluster.local` to be forwarded to a Kubernetes `kube-dns` service IP to allow hosts to resolve cluster-local Kubernetes names.
+
+```
+configure
+show service dns forwarding
+set service dns forwarding options server=/svc.cluster.local/10.3.0.10
+commit-confirm
+```
+
+### Kubernetes Services
+
+Add static routes for the Kubernetes IPv4 service range to Kubernetes node(s) so hosts can route to Kubernetes services (default: 10.3.0.0/16).
+
+```
+configure
+show protocols static route
+set protocols static route 10.3.0.0/16 next-hop NODE_IP
+...
+commit-confirm
+```
+
+### Port Forwarding
+
+Expose the [Ingress Controller](/addons/ingress#bare-metal) by adding `port-forward` rules that DNAT a port on the router's WAN interface to an internal IP and port. By convention, a public Ingress controller is assigned a fixed service IP like kube-dns (e.g. 10.3.0.12).
+
+```
+configure
+set port-forward wan-interface eth0
+set port-forward lan-interface eth1
+set port-forward auto-firewall enable
+set port-forward hairpin-nat enable
+set port-forward rule 1 description 'ingress http'
+set port-forward rule 1 forward-to address 10.3.0.12
+set port-forward rule 1 forward-to port 80
+set port-forward rule 1 original-port 80
+set port-forward rule 1 protocol tcp_udp
+set port-forward rule 2 description 'ingress https'
+set port-forward rule 2 forward-to address 10.3.0.12
+set port-forward rule 2 forward-to port 443
+set port-forward rule 2 original-port 443
+set port-forward rule 2 protocol tcp_udp
+commit-confirm
+```
+
+### Web UI
+
+The web UI is often accessible from the LAN on ports 80/443 by default. Edit the ports to 8080 and 4443 to avoid a conflict.
+
+```
+configure
+show service gui
+set service gui http-port 8080
+set service gui https-port 4443
+commit-confirm
+```
+

mkdocs.yml

@@ -51,6 +51,7 @@ pages:
     - 'Dashboard': 'addons/dashboard.md'
     - 'CLUO': 'addons/cluo.md'
   - 'Topics':
+    - 'Hardware': 'topics/hardware.md'
     - 'Security': 'topics/security.md'
     - 'Performance': 'topics/performance.md'
   - 'FAQ': 'faq.md'