Skip to content

Instantly share code, notes, and snippets.

@shahidhk

shahidhk/cloudconfig-customdata.sh

Created September 22, 2016 17:24
Show Gist options
  • Save shahidhk/ed6d1121b212659e126638169d928e45 to your computer and use it in GitHub Desktop.
Save shahidhk/ed6d1121b212659e126638169d928e45 to your computer and use it in GitHub Desktop.
Download ZIP
foo
Raw
cloudconfig-customdata.sh
#!/bin/bash
set -e
function init_ssl {
mkdir -p /etc/kubernetes/ssl
local TEMPLATE=/etc/kubernetes/ssl/ca.pem
[ -f $TEMPLATE ] || {
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIJAKDn9d9+6tKxMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
BAMMB2t1YmUtY2EwHhcNMTYwOTIxMDg0MzMxWhcNNDQwMjA3MDg0MzMxWjASMRAw
DgYDVQQDDAdrdWJlLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
zvkPtSJbJsMwuUf2l/lnuLnXE+D4UfQT8yhQ02jHEutcEj52KQI1F2ndVBXOQNSb
fTYJlqyFJX0L7xYbZuQY14xaoRQBkTWxpKMrXRFoCsvI4tdbUchwX2ez2p99ws4n
a3SP9UT/iXWrwmAxveHgT7KbUkZHGYPd0k2FFZ904qm0fpeEfqyALGqN6xsLmvce
U6Rejr2kxEzFxWrlVcKNqQ72EcEqrJky0qYcPK9P62foEBtc/EglUV/0sPwCLxom
EEGmyXcsR/dHD3OXzzhsDnjC6CylSZpAcuzOi6NuF0Tw1pO6ASLSM0ADN8YHlaI0
xHOTSE4v/3RBZaLhftQ67QIDAQABo1AwTjAdBgNVHQ4EFgQUsG47QGjIIwSpofk/
UIVPaHKCdg0wHwYDVR0jBBgwFoAUsG47QGjIIwSpofk/UIVPaHKCdg0wDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAyycm405Nfel/uuJFy6VJfbS+d79Q
0dMnZcPNipYz3tlHNKBTa6Hcm5oNT2sijmxg8JHZYGYoZnMimjltsHweWVhgFX0C
w0tgLNz/FdegHtOdNkqCEsmo20mTlW60lQptgkxeGr4Glqx7YFYWJP1SjMJMGzb9
BcWL69Bg047wBXLpz+k8CDctRi0qEokC4XSOokoKEfnxTgcAljhufwdLPBv+nx6l
lhVKJPLrv8OqtPQJYOYBmqWCZ2KNaSVo5qXPcdVVlqot2oYTXVpo3/YfwDI3HFU7
3vYJeN+OnJ/OeJKodpMYZ79RgnUjb7niSZ58JvyyUTbPwlsKSKQwys//mA==
-----END CERTIFICATE-----
EOF
}
local TEMPLATE=/etc/kubernetes/ssl/apiserver.pem
[ -f $TEMPLATE ] || {
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
-----BEGIN CERTIFICATE-----
MIIDOTCCAiGgAwIBAgIJALAvBIdmLXGHMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
BAMMB2t1YmUtY2EwHhcNMTYwOTIxMDg0MzMxWhcNMTcwOTIxMDg0MzMxWjAZMRcw
FQYDVQQDDA5rdWJlLWFwaXNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAO1fKaDZS5AjNcWSEahfW3j6Gr20znIrDWWNfsa2OVxAjdd1ZJnRE4jp
lBM41xdhkpOxEHHGTO1s4Bpq7KPwDzEdRYTxw08iWMYoPjUC958+wfcsM5a2Qspq
BEzknfbTuzMQ+KcQFnBMQAsZVaHoaTqfsW+0RZLYu+lbJ+vICX3YMRY6Pl2GZ9ez
Sw5LJgLWARBz9jD7BEUExlM4JrWkooxJB5idrOCVqPsi3nILkuOJGdfhe8s1gyR3
VJurG7FYvOHBMNWLrmTPPzc7UmVRiX+plUhGGxfdS3U/Q0Nc43XOZFRlUS7cc/02
4f6VfsWLTKb2tnaWkDMd6vlvqK/QIMUCAwEAAaOBijCBhzAJBgNVHRMEAjAAMAsG
A1UdDwQEAwIF4DBtBgNVHREEZjBkggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRl
ZmF1bHSHBH8AAAGHBAoDAAGHBArwAAKHBArwAAOCFms4cy50ZXN0Lmhhc3VyYS1h
cHAuaW+CEnRlc3QuaGFzdXJhLWFwcC5pbzANBgkqhkiG9w0BAQsFAAOCAQEAfqfc
/5SCickaoFWHHEXRpV7E2VOUdP7BlJrUgZVRxc5yc20xWymgsfL52Ld2yKGtkmd/
miTB5t4nU5yqik7mBrELTM9kp24GvD/NWMbb54SN8R8IqxCEFEfKJZwVWe436xa/
pIYSHoFrkZyaQfrfTozx7WcqB49NBGpmqUP73YvibMTfA8WtQCv5jPO/LBujH1aW
9csGD0icf4r6E08CMNB7upEDKiJmnS8G+rOKq4WvLf9KY+4qVQvtzS3GX5NcFJrY
fLEZPEh60PBMtAsKMIj8ExaHZHx1cvrreX3lloJYCWCPQvOMcaVNVsDKS+7ImztQ
wrgOjCyT0+FIjf6oew==
-----END CERTIFICATE-----
EOF
}
local TEMPLATE=/etc/kubernetes/ssl/apiserver-key.pem
[ -f $TEMPLATE ] || {
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA7V8poNlLkCM1xZIRqF9bePoavbTOcisNZY1+xrY5XECN13Vk
mdETiOmUEzjXF2GSk7EQccZM7WzgGmrso/APMR1FhPHDTyJYxig+NQL3nz7B9ywz
lrZCymoETOSd9tO7MxD4pxAWcExACxlVoehpOp+xb7RFkti76Vsn68gJfdgxFjo+
XYZn17NLDksmAtYBEHP2MPsERQTGUzgmtaSijEkHmJ2s4JWo+yLecguS44kZ1+F7
yzWDJHdUm6sbsVi84cEw1YuuZM8/NztSZVGJf6mVSEYbF91LdT9DQ1zjdc5kVGVR
Ltxz/Tbh/pV+xYtMpva2dpaQMx3q+W+or9AgxQIDAQABAoIBAQCDXU/faYIM8b93
aIAHK0anK9qStDYwLq1KT0Ui2YPjDwKwg5I6Id/qvEGrZaB7mw8QV0RfgrveBYv8
csIlc9wkdSudCGLrL3nrqCfNFKhPY97aWIbwWEucU5GvsDHPgJuwBitl4VxZp4kl
205tvP5HaEs9I4oBW5qa6UytitXd4y9ltXJ1CG+EiZoceF60V5hnOVdJFybt5BAd
g8r1vT0zELZp0WtD0Hdg/25xHomK3ROvPIuKVlRJU0051RbXLoIJv8LGO6JxZEln
7HKsbvU4h1j6+a+883iyDKtm+wJCCnRrR0zDTtjrmnhDLlqzAX+a2e7Gp4WJfzcQ
GJw+T4qBAoGBAPd6eJ6YEeFBHrp3qMucEqUCyXC3AM3bzzSBbd5ku6iP7Ka29hpT
MgpBUsERxH8s91WLgAVCvTx4sxcSZBe1Tt3cT/JQEEFB+E1DLOulXWmglGH0Sjtp
RQB3uowxeUFqNN+F3tGJD9gH1H7dDlaqJXtzCzOpXOQAn1fYYY/jVuAhAoGBAPWL
mdBQvR3/WpqcXLiY7pDPFNLq+MPzwECdrcqjVhefKarw8baG9CyPfDkRuaadvaF0
vvPj+4WkIBDc5Ut0pkaqH2J2ceZZarapW8rLxZy+oaiQt2jbXyhtyUizXFC36u1A
ViYEJOhlwgPU0f9V2MBaHbZzXsGHCpShXxioejwlAoGADz6PEY3ihBKj1u6qCijK
CTobuIK9XPDuWZijcPCZkq+S704T6Nk5GuKdO2Fhzkex0KYwM6LBz2jL917dpYw4
mHgKwK1n4u0yY2gA618bWvdWTJZkwDYi1v2JEzu08W+eZCp16EheHnuU/l+Vk4cV
mf4jMYJ8Q1s6dYnRsLBbWKECgYEA3qRWM60BzdFcNhTRfhAtQOCD4TttlT/PcseG
bdbsmT6YaYdPpFF51W3FFXoc/BbLezqAamSuC99ls+SXhHOg0TIwgvcjD9rECBxI
PvnFlPrFWjLeGxXOkrn5aRI5AnfBbJ6Jfq8DSDX8Vb0DLKKKht8vUeAKazAnR92K
fLFHJIECgYA5ts6XfZnNjywD9e4SjudGNURBYEE2ZP54CwOdJoWXwsbfwS0JrAwg
QHSuQzNCga2meni1+3TgAOm3/OUIDuZOvRoTa9T72g/e8U7ZI+Nt50xS0+FrLJel
w9lGqPY5ruNHR3yiSQEoAhnBM7Ui6ausTSlfJnW3zoJ3mMrkviPULQ==
-----END RSA PRIVATE KEY-----
EOF
}
local TEMPLATE=/etc/kubernetes/ssl/worker.pem
[ -f $TEMPLATE ] || {
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
-----BEGIN CERTIFICATE-----
MIICpDCCAYwCCQCwLwSHZi1xiDANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdr
dWJlLWNhMB4XDTE2MDkyMTA4NDMzMVoXDTE3MDkyMTA4NDMzMVowFjEUMBIGA1UE
AwwLa3ViZS13b3JrZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf
p1/iog0WTZTGj5y8CDl1WrpRQpSYdWSmktp/+0b44fTwFCMcrklpgZikBgaXhT3A
5iOiLkEUkoZl5zTqmmsOJdaPrq1IYyIDaJlJoJHyVC6d0SfjDkWFwrnu3H9tdEGF
IoevfCtxNk/HHFI7W9zJ/6JUsKDMTv1ruVV9vmvoUV7AaRp9IgFW3QX1z4IGu1ag
cQplwvqmNhAoe0iyHK+PHxMOck2S/IEjGbMVB8T7InBtNmgUqNF88q8BI6nElic3
6+A8eRVUhH8fyWVX0gRlzwq9gLb4p77gtZFGrtxSp+CUOKthxlp2qDpXBekOUMux
M4CKzG5S1Myfuk7OE2alAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADjZrdM0DHgh
LNIEE6jZUnJNmt9cYjxrdrcPpsUUdaQ/LRnuzZIgAoJweusCHieegmUsxJquHJNv
XBmDtNXkYnE2ZGDTgMHI2leNHCoWi6FsgdkRb9nyQJBCHNC1p5wbOUqPzECOIV4+
u+3c3pZwW0E20FSBuB4kzYOzIlwA9f9ltYo1QmnX1cnYEREwGQLu4nrR4Govx8pk
5giAMl054cgi51xpOb7lVadUq1StKaubSH744so7IZaT116H+A5lOPowkBzDWriw
mgezDc9av9wesp0fh6t7vlBGYJ3UElcBSPUOnHcdmzD58SDV9ktyUgXjB54Mpxqk
oK1DIOSJiS4=
-----END CERTIFICATE-----
EOF
}
local TEMPLATE=/etc/kubernetes/ssl/worker-key.pem
[ -f $TEMPLATE ] || {
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA36df4qINFk2Uxo+cvAg5dVq6UUKUmHVkppLaf/tG+OH08BQj
HK5JaYGYpAYGl4U9wOYjoi5BFJKGZec06pprDiXWj66tSGMiA2iZSaCR8lQundEn
4w5FhcK57tx/bXRBhSKHr3wrcTZPxxxSO1vcyf+iVLCgzE79a7lVfb5r6FFewGka
fSIBVt0F9c+CBrtWoHEKZcL6pjYQKHtIshyvjx8TDnJNkvyBIxmzFQfE+yJwbTZo
FKjRfPKvASOpxJYnN+vgPHkVVIR/H8llV9IEZc8KvYC2+Ke+4LWRRq7cUqfglDir
YcZadqg6VwXpDlDLsTOAisxuUtTMn7pOzhNmpQIDAQABAoIBAQDDkV0kFOXyubY9
hrjcJyjvOH2xrtG3Gvf/PGy5+qTN3u/KuyEU5EYnbv5ldytudUFRmyxPlbis34+M
Lge0mYDBZ07eZzT5Fk5Ywq8/lZvpVblJoOoK/qDGXUcu2jrHICBm5ZHWXnKyVXaf
OmGhrCs9qz5sZeLFpNCu0OozwT4kbtg8I2LP7GRTwTW2pQLLDmctPc6NDKWw4y5e
wsvGVEyktE5tVunzC/hWA+Scqxbm9RvD4alJki+Gbc9gwWHXxsM9B2XDgn0uMzKn
HLEy4suPs/aBZ9/X/q8Fyjy/e0PmjlqhPrqElVvrar70y0+IRPeURixxPEnNnEpA
bqzgy8HhAoGBAPC9qqtyu5OZJCJzvmd+0rU2CAPG908Uv0xo/brCYDRo6ky5s4/D
5eackI13byBri/3kfwu71jDteaM8tXI+q6HMzRHigBmBbDoQgWIkpXSwsbQmcbpG
xpJZ94HM+Wt9WJI/udndH50MPNAcefsP6EjvrXfN+1w4Nlo33wKokAj5AoGBAO3U
cqYB+6mIkuyzwHuSJYai9vUopaRw0YS63JmYYECEhGkMmUq4sdqW2UtHv2AFWwfk
081sYL7IVXvUAjT/moAvELse5vAOE92ks7pZ6K5FBacCxzP7KT9EubdJLWjIwYNE
jg+8STaI97NCkGCkHHQUib4+5t2o7djSO88peQINAoGAIx/pON6ik6Ryazxr+Xm9
kIbzoGl1R+qFBscCzi7yDnOIS+2ET2OLtZv+U0WrxxUp9b9S8glT9QuRBcojxylx
rUfOW9+qRQ5nFgm2dvVV1rK5GsnJKh6Ndmj9/chEU/ST6bK2kRz8MdPJQ6wD+CeY
ApxFuQcqt4fUFlG0jhS9/zECgYAxWZccqWauLB/IrBfxzEarJF+4SWHtuFdRgnDK
EltOp/DN14Zrgd2t7QVT4KRuaU4VWj807hs5G1rZogl/M9a8aIfBPE1RXKp0oHuG
3KcymjHtEN+DAsfxT/J1fOLGTnoRIgWUcE6E2XEEqnhJBWS+FZDrgCPptOb9ycoN
V567dQKBgQDv+ewaJNBD81T/hPSsOmuQcbdNTa4Yxidmz/j4Y+9hO6UQJjybvMf+
NmuwoUz/FOsk1OJWYAbvJIZio25ieBs5YKNT5zyqfH3rVX7vxybD3h3eMHvn/RKr
N6KGJX/3lOtPm++05GQgXnfRUrGFK3uV30OURKb3jSkQk5EpeLzU9w==
-----END RSA PRIVATE KEY-----
EOF
}
}
function basic_auth {
local TEMPLATE=/etc/kubernetes/ssl/passwd.csv
[ -f $TEMPLATE ] || {
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
hydride-kindling-armed,admin,1
EOF
}
}
function token_auth {
local TEMPLATE=/etc/kubernetes/ssl/token.csv
[ -f $TEMPLATE ] || {
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
G9Jzcrvo6TZvJmndl2r84sia12QhraIM,admin,1
EOF
}
}
init_ssl
basic_auth
token_auth
echo "Generated required creds.."
#wget https://hasura.blob.core.windows.net/cloudconfig/coreos-singlenode-v1.3.4_coreos.0.sh
#chmod +x coreos-singlenode-v1.3.4_coreos.0.sh
#/bin/bash $PWD/coreos-singlenode-v1.3.4_coreos.0.sh
#!/bin/bash
set -e
export ETCD_ENDPOINTS="http://127.0.0.1:2379"
export G_K8S_VER=v1.3.4
export K8S_VER=v1.3.4_coreos.0
export HYPERKUBE_IMAGE_REPO=quay.io/coreos/hyperkube
export POD_NETWORK=10.2.0.0/16
export SERVICE_IP_RANGE=10.3.0.0/24
export K8S_SERVICE_IP=10.3.0.1
export DNS_SERVICE_IP=10.3.0.10
export USE_CALICO=false
export CONTAINER_RUNTIME=docker
function init_kube_binaries {
[ ! -x /opt/bin/kubectl ] || return 0
mkdir -p /opt/bin
rm -f /opt/bin/kubectl
curl -o /opt/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/$G_K8S_VER/bin/linux/amd64/kubectl
chmod +x /opt/bin/kubectl
}
function init_config {
local REQUIRED=('ADVERTISE_IP' 'POD_NETWORK' 'ETCD_ENDPOINTS' 'SERVICE_IP_RANGE' 'K8S_SERVICE_IP' 'DNS_SERVICE_IP' 'K8S_VER' 'USE_CALICO')
if [ -z $ADVERTISE_IP ]; then
export ADVERTISE_IP=$(awk -F= '/COREOS_PRIVATE_IPV4/ {print $2}' /etc/environment)
fi
for REQ in "${REQUIRED[@]}"; do
if [ -z "$(eval echo \$$REQ)" ]; then
echo "Missing required config value: ${REQ}"
exit 1
fi
done
}
function init_flannel {
echo "Waiting for etcd..."
while true
do
IFS=',' read -ra ES <<< "$ETCD_ENDPOINTS"
for ETCD in "${ES[@]}"; do
echo "Trying: $ETCD"
if [ -n "$(curl --silent "$ETCD/v2/machines")" ]; then
local ACTIVE_ETCD=$ETCD
break
fi
sleep 1
done
if [ -n "$ACTIVE_ETCD" ]; then
break
fi
done
RES=$(curl --silent -X PUT -d "value={\"Network\":\"$POD_NETWORK\",\"Backend\":{\"Type\":\"vxlan\"}}" "$ACTIVE_ETCD/v2/keys/coreos.com/network/config?prevExist=false")
if [ -z "$(echo $RES | grep '"action":"create"')" ] && [ -z "$(echo $RES | grep 'Key already exists')" ]; then
echo "Unexpected error configuring flannel pod network: $RES"
fi
}
function init_templates {
local TEMPLATE=/etc/systemd/system/kubelet.service
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
Environment=KUBELET_VERSION=${K8S_VER}
Environment=KUBELET_ACI=${HYPERKUBE_IMAGE_REPO}
Environment="RKT_OPTS=--volume dns,kind=host,source=/etc/resolv.conf \
--mount volume=dns,target=/etc/resolv.conf \
--volume=rkt,kind=host,source=/opt/bin/host-rkt \
--mount volume=rkt,target=/usr/bin/rkt \
--volume var-lib-rkt,kind=host,source=/var/lib/rkt \
--mount volume=var-lib-rkt,target=/var/lib/rkt \
--volume=stage,kind=host,source=/tmp \
--mount volume=stage,target=/tmp"
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
ExecStart=/usr/lib/coreos/kubelet-wrapper \
--api-servers=http://127.0.0.1:8080 \
--network-plugin-dir=/etc/kubernetes/cni/net.d \
--network-plugin=cni \
--container-runtime=${CONTAINER_RUNTIME} \
--rkt-path=/usr/bin/rkt \
--rkt-stage1-image=coreos.com/rkt/stage1-coreos \
--register-node=true \
--allow-privileged=true \
--node-labels="app=postgres" \
--config=/etc/kubernetes/manifests \
--hostname-override=$(hostname -s) \
--cluster_dns=${DNS_SERVICE_IP} \
--cluster_domain=cluster.local
Restart=always
RestartSec=10
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
fi
local TEMPLATE=/opt/bin/host-rkt
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "\$@"
EOF
fi
local TEMPLATE=/etc/systemd/system/load-rkt-stage1.service
if [ ${CONTAINER_RUNTIME} = "rkt" ] && [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
[Unit]
Requires=network-online.target
After=network-online.target
Before=rkt-api.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/rkt fetch /usr/lib/rkt/stage1-images/stage1-coreos.aci /usr/lib/rkt/stage1-images/stage1-fly.aci --insecure-options=image
[Install]
RequiredBy=rkt-api.service
EOF
fi
local TEMPLATE=/etc/systemd/system/rkt-api.service
if [ ${CONTAINER_RUNTIME} = "rkt" ] && [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
[Unit]
Before=kubelet.service
[Service]
ExecStart=/usr/bin/rkt api-service
Restart=always
RestartSec=10
[Install]
RequiredBy=kubelet.service
EOF
fi
local TEMPLATE=/etc/systemd/system/calico-node.service
if [ "${USE_CALICO}" = "true" ] && [ ! -f "${TEMPLATE}" ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
[Unit]
Description=Calico per-host agent
Requires=network-online.target
After=network-online.target
[Service]
Slice=machine.slice
Environment=CALICO_DISABLE_FILE_LOGGING=true
Environment=HOSTNAME=${ADVERTISE_IP}
Environment=IP=${ADVERTISE_IP}
Environment=FELIX_FELIXHOSTNAME=${ADVERTISE_IP}
Environment=CALICO_NETWORKING=false
Environment=NO_DEFAULT_POOLS=true
Environment=ETCD_ENDPOINTS=${ETCD_ENDPOINTS}
ExecStart=/usr/bin/rkt run --inherit-env --stage1-from-dir=stage1-fly.aci \
--volume=modules,kind=host,source=/lib/modules,readOnly=false \
--mount=volume=modules,target=/lib/modules \
--trust-keys-from-https quay.io/calico/node:v0.19.0
KillMode=mixed
Restart=always
TimeoutStartSec=0
[Install]
WantedBy=multi-user.target
EOF
fi
local TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
apiVersion: v1
kind: Pod
metadata:
name: kube-proxy
namespace: kube-system
annotations:
rkt.alpha.kubernetes.io/stage1-name-override: coreos.com/rkt/stage1-fly
spec:
hostNetwork: true
containers:
- name: kube-proxy
image: ${HYPERKUBE_IMAGE_REPO}:$K8S_VER
command:
- /hyperkube
- proxy
- --master=http://127.0.0.1:8080
securityContext:
privileged: true
volumeMounts:
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
- mountPath: /var/run/dbus
name: dbus
readOnly: false
volumes:
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
- hostPath:
path: /var/run/dbus
name: dbus
EOF
fi
local TEMPLATE=/etc/kubernetes/manifests/kube-apiserver.yaml
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
apiVersion: v1
kind: Pod
metadata:
name: kube-apiserver
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-apiserver
image: ${HYPERKUBE_IMAGE_REPO}:$K8S_VER
command:
- /hyperkube
- apiserver
- --bind-address=0.0.0.0
- --etcd-servers=${ETCD_ENDPOINTS}
- --allow-privileged=true
- --service-cluster-ip-range=${SERVICE_IP_RANGE}
- --secure-port=3443
- --advertise-address=${ADVERTISE_IP}
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
- --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --client-ca-file=/etc/kubernetes/ssl/ca.pem
- --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --basic-auth-file=/etc/kubernetes/ssl/passwd.csv
- --token-auth-file=/etc/kubernetes/ssl/token.csv
- --runtime-config=extensions/v1beta1/networkpolicies=true,extensions/v1beta1=true,extensions/v1beta1/thirdpartyresources=true
livenessProbe:
httpGet:
host: 127.0.0.1
port: 8080
path: /healthz
initialDelaySeconds: 15
timeoutSeconds: 15
ports:
- containerPort: 3443
hostPort: 3443
name: https
- containerPort: 8080
hostPort: 8080
name: local
volumeMounts:
- mountPath: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
readOnly: true
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
volumes:
- hostPath:
path: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
EOF
fi
local TEMPLATE=/etc/kubernetes/manifests/kube-controller-manager.yaml
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
apiVersion: v1
kind: Pod
metadata:
name: kube-controller-manager
namespace: kube-system
spec:
containers:
- name: kube-controller-manager
image: ${HYPERKUBE_IMAGE_REPO}:$K8S_VER
command:
- /hyperkube
- controller-manager
- --master=http://127.0.0.1:8080
- --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
- --root-ca-file=/etc/kubernetes/ssl/ca.pem
- --cloud-provider=aws
resources:
requests:
cpu: 200m
livenessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
port: 10252
initialDelaySeconds: 15
timeoutSeconds: 15
volumeMounts:
- mountPath: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
readOnly: true
- mountPath: /etc/ssl/certs
name: ssl-certs-host
readOnly: true
hostNetwork: true
volumes:
- hostPath:
path: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
EOF
fi
local TEMPLATE=/etc/kubernetes/manifests/kube-scheduler.yaml
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
apiVersion: v1
kind: Pod
metadata:
name: kube-scheduler
namespace: kube-system
spec:
hostNetwork: true
containers:
- name: kube-scheduler
image: ${HYPERKUBE_IMAGE_REPO}:$K8S_VER
command:
- /hyperkube
- scheduler
- --master=http://127.0.0.1:8080
resources:
requests:
cpu: 100m
livenessProbe:
httpGet:
host: 127.0.0.1
path: /healthz
port: 10251
initialDelaySeconds: 15
timeoutSeconds: 15
EOF
fi
local TEMPLATE=/etc/kubernetes/manifests/calico-policy-controller.yaml
if [ "${USE_CALICO}" = "true" ] && [ ! -f "${TEMPLATE}" ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
apiVersion: v1
kind: Pod
metadata:
name: calico-policy-controller
namespace: calico-system
spec:
hostNetwork: true
containers:
# The Calico policy controller.
- name: kube-policy-controller
image: calico/kube-policy-controller:v0.2.0
env:
- name: ETCD_ENDPOINTS
value: "${ETCD_ENDPOINTS}"
- name: K8S_API
value: "http://127.0.0.1:8080"
- name: LEADER_ELECTION
value: "true"
# Leader election container used by the policy controller.
- name: leader-elector
image: quay.io/calico/leader-elector:v0.1.0
imagePullPolicy: IfNotPresent
args:
- "--election=calico-policy-election"
- "--election-namespace=calico-system"
- "--http=127.0.0.1:4040"
EOF
fi
local TEMPLATE=/srv/kubernetes/manifests/calico-system.json
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
{
"apiVersion": "v1",
"kind": "Namespace",
"metadata": {
"name": "calico-system"
}
}
EOF
fi
local TEMPLATE=/srv/kubernetes/manifests/kube-dns-rc.json
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
{
"apiVersion": "v1",
"kind": "ReplicationController",
"metadata": {
"labels": {
"k8s-app": "kube-dns",
"kubernetes.io/cluster-service": "true",
"version": "v15"
},
"name": "kube-dns-v15",
"namespace": "kube-system"
},
"spec": {
"replicas": 1,
"selector": {
"k8s-app": "kube-dns",
"version": "v15"
},
"template": {
"metadata": {
"labels": {
"k8s-app": "kube-dns",
"kubernetes.io/cluster-service": "true",
"version": "v15"
}
},
"spec": {
"containers": [
{
"args": [
"--domain=cluster.local.",
"--dns-port=10053"
],
"image": "gcr.io/google_containers/kubedns-amd64:1.3",
"livenessProbe": {
"failureThreshold": 5,
"httpGet": {
"path": "/healthz",
"port": 8080,
"scheme": "HTTP"
},
"initialDelaySeconds": 60,
"successThreshold": 1,
"timeoutSeconds": 5
},
"name": "kubedns",
"ports": [
{
"containerPort": 10053,
"name": "dns-local",
"protocol": "UDP"
},
{
"containerPort": 10053,
"name": "dns-tcp-local",
"protocol": "TCP"
}
],
"readinessProbe": {
"httpGet": {
"path": "/readiness",
"port": 8081,
"scheme": "HTTP"
},
"initialDelaySeconds": 30,
"timeoutSeconds": 5
},
"resources": {
"limits": {
"cpu": "100m",
"memory": "200Mi"
},
"requests": {
"cpu": "100m",
"memory": "50Mi"
}
}
},
{
"args": [
"--cache-size=1000",
"--no-resolv",
"--server=127.0.0.1#10053"
],
"image": "gcr.io/google_containers/kube-dnsmasq-amd64:1.3",
"name": "dnsmasq",
"ports": [
{
"containerPort": 53,
"name": "dns",
"protocol": "UDP"
},
{
"containerPort": 53,
"name": "dns-tcp",
"protocol": "TCP"
}
]
},
{
"args": [
"-cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1 >/dev/null",
"-port=8080",
"-quiet"
],
"image": "gcr.io/google_containers/exechealthz-amd64:1.0",
"name": "healthz",
"ports": [
{
"containerPort": 8080,
"protocol": "TCP"
}
],
"resources": {
"limits": {
"cpu": "10m",
"memory": "20Mi"
},
"requests": {
"cpu": "10m",
"memory": "20Mi"
}
}
}
],
"dnsPolicy": "Default"
}
}
}
}
EOF
fi
local TEMPLATE=/srv/kubernetes/manifests/kube-dns-svc.json
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
{
"apiVersion": "v1",
"kind": "Service",
"metadata": {
"labels": {
"k8s-app": "kube-dns",
"kubernetes.io/cluster-service": "true",
"kubernetes.io/name": "KubeDNS"
},
"name": "kube-dns",
"namespace": "kube-system"
},
"spec": {
"clusterIP": "$DNS_SERVICE_IP",
"ports": [
{
"name": "dns",
"port": 53,
"protocol": "UDP"
},
{
"name": "dns-tcp",
"port": 53,
"protocol": "TCP"
}
],
"selector": {
"k8s-app": "kube-dns"
}
}
}
EOF
fi
local TEMPLATE=/srv/kubernetes/manifests/heapster-de.json
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
{
"apiVersion": "extensions/v1beta1",
"kind": "Deployment",
"metadata": {
"labels": {
"k8s-app": "heapster",
"kubernetes.io/cluster-service": "true",
"version": "v1.1.0"
},
"name": "heapster-v1.1.0",
"namespace": "kube-system"
},
"spec": {
"replicas": 1,
"selector": {
"matchLabels": {
"k8s-app": "heapster",
"version": "v1.1.0"
}
},
"template": {
"metadata": {
"labels": {
"k8s-app": "heapster",
"version": "v1.1.0"
}
},
"spec": {
"containers": [
{
"command": [
"/heapster",
"--source=kubernetes.summary_api:''"
],
"image": "gcr.io/google_containers/heapster:v1.1.0",
"name": "heapster",
"resources": {
"limits": {
"cpu": "100m",
"memory": "200Mi"
},
"requests": {
"cpu": "100m",
"memory": "200Mi"
}
}
},
{
"command": [
"/pod_nanny",
"--cpu=100m",
"--extra-cpu=0.5m",
"--memory=200Mi",
"--extra-memory=4Mi",
"--threshold=5",
"--deployment=heapster-v1.1.0",
"--container=heapster",
"--poll-period=300000",
"--estimator=exponential"
],
"env": [
{
"name": "MY_POD_NAME",
"valueFrom": {
"fieldRef": {
"fieldPath": "metadata.name"
}
}
},
{
"name": "MY_POD_NAMESPACE",
"valueFrom": {
"fieldRef": {
"fieldPath": "metadata.namespace"
}
}
}
],
"image": "gcr.io/google_containers/addon-resizer:1.3",
"name": "heapster-nanny",
"resources": {
"limits": {
"cpu": "50m",
"memory": "100Mi"
},
"requests": {
"cpu": "50m",
"memory": "100Mi"
}
}
}
]
}
}
}
}
EOF
fi
local TEMPLATE=/srv/kubernetes/manifests/heapster-svc.json
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
{
"apiVersion": "v1",
"kind": "Service",
"metadata": {
"labels": {
"kubernetes.io/cluster-service": "true",
"kubernetes.io/name": "Heapster"
},
"name": "heapster",
"namespace": "kube-system"
},
"spec": {
"ports": [
{
"port": 80,
"targetPort": 8082
}
],
"selector": {
"k8s-app": "heapster"
}
}
}
EOF
fi
local TEMPLATE=/srv/kubernetes/manifests/kube-dashboard-rc.json
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
{
"apiVersion": "v1",
"kind": "ReplicationController",
"metadata": {
"labels": {
"k8s-app": "kubernetes-dashboard",
"kubernetes.io/cluster-service": "true",
"version": "v1.1.0"
},
"name": "kubernetes-dashboard-v1.1.0",
"namespace": "kube-system"
},
"spec": {
"replicas": 1,
"selector": {
"k8s-app": "kubernetes-dashboard"
},
"template": {
"metadata": {
"labels": {
"k8s-app": "kubernetes-dashboard",
"kubernetes.io/cluster-service": "true",
"version": "v1.1.0"
}
},
"spec": {
"containers": [
{
"image": "gcr.io/google_containers/kubernetes-dashboard-amd64:v1.1.0",
"livenessProbe": {
"httpGet": {
"path": "/",
"port": 9090
},
"initialDelaySeconds": 30,
"timeoutSeconds": 30
},
"name": "kubernetes-dashboard",
"ports": [
{
"containerPort": 9090
}
],
"resources": {
"limits": {
"cpu": "100m",
"memory": "50Mi"
},
"requests": {
"cpu": "100m",
"memory": "50Mi"
}
}
}
]
}
}
}
}
EOF
fi
local TEMPLATE=/srv/kubernetes/manifests/kube-dashboard-svc.json
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
{
"apiVersion": "v1",
"kind": "Service",
"metadata": {
"labels": {
"k8s-app": "kubernetes-dashboard",
"kubernetes.io/cluster-service": "true"
},
"name": "kubernetes-dashboard",
"namespace": "kube-system"
},
"spec": {
"ports": [
{
"port": 80,
"targetPort": 9090
}
],
"selector": {
"k8s-app": "kubernetes-dashboard"
}
}
}
EOF
fi
local TEMPLATE=/etc/flannel/options.env
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
FLANNELD_IFACE=$ADVERTISE_IP
FLANNELD_ETCD_ENDPOINTS=$ETCD_ENDPOINTS
EOF
fi
local TEMPLATE=/etc/systemd/system/flanneld.service.d/40-ExecStartPre-symlink.conf.conf
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
[Service]
ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
EOF
fi
local TEMPLATE=/etc/systemd/system/docker.service.d/40-flannel.conf
if [ ! -f $TEMPLATE ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
[Unit]
Requires=flanneld.service
After=flanneld.service
[Service]
ExecStart=
ExecStart=/usr/lib/coreos/dockerd daemon --host=fd:// \$DOCKER_OPTS \$DOCKER_CGROUPS \$DOCKER_OPT_MTU
EOF
fi
local TEMPLATE=/etc/kubernetes/cni/net.d/10-calico.conf
if [ "${USE_CALICO}" = "true" ] && [ ! -f "${TEMPLATE}" ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
{
"name": "calico",
"type": "flannel",
"delegate": {
"type": "calico",
"etcd_endpoints": "$ETCD_ENDPOINTS",
"log_level": "none",
"log_level_stderr": "info",
"hostname": "${ADVERTISE_IP}",
"policy": {
"type": "k8s",
"k8s_api_root": "http://127.0.0.1:8080/api/v1/"
}
}
}
EOF
fi
local TEMPLATE=/etc/kubernetes/cni/net.d/10-flannel.conf
if [ "${USE_CALICO}" = "false" ] && [ ! -f "${TEMPLATE}" ]; then
echo "TEMPLATE: $TEMPLATE"
mkdir -p $(dirname $TEMPLATE)
cat << EOF > $TEMPLATE
{
"name": "podnet",
"type": "flannel",
"delegate": {
"isDefaultGateway": true
}
}
EOF
fi
}
function start_addons {
echo "Waiting for Kubernetes API..."
until curl --silent "http://127.0.0.1:8080/version"
do
sleep 5
done
echo
echo "K8S: DNS addon"
curl --silent -H "Content-Type: application/json" -XPOST -d"$(cat /srv/kubernetes/manifests/kube-dns-rc.json)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/replicationcontrollers" > /dev/null
curl --silent -H "Content-Type: application/json" -XPOST -d"$(cat /srv/kubernetes/manifests/kube-dns-svc.json)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/services" > /dev/null
echo "K8S: Heapster addon"
curl --silent -H "Content-Type: application/json" -XPOST -d"$(cat /srv/kubernetes/manifests/heapster-de.json)" "http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/kube-system/deployments" > /dev/null
curl --silent -H "Content-Type: application/json" -XPOST -d"$(cat /srv/kubernetes/manifests/heapster-svc.json)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/services" > /dev/null
echo "K8S: Dashboard addon"
curl --silent -H "Content-Type: application/json" -XPOST -d"$(cat /srv/kubernetes/manifests/kube-dashboard-rc.json)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/replicationcontrollers" > /dev/null
curl --silent -H "Content-Type: application/json" -XPOST -d"$(cat /srv/kubernetes/manifests/kube-dashboard-svc.json)" "http://127.0.0.1:8080/api/v1/namespaces/kube-system/services" > /dev/null
}
function enable_calico_policy {
echo "Waiting for Kubernetes API..."
until curl --silent "http://127.0.0.1:8080/version"
do
sleep 5
done
echo
echo "K8S: Calico Policy"
curl --silent -H "Content-Type: application/json" -XPOST -d"$(cat /srv/kubernetes/manifests/calico-system.json)" "http://127.0.0.1:8080/api/v1/namespaces/" > /dev/null
}
init_kube_binaries
init_config
init_templates
systemctl enable etcd2; systemctl start etcd2
chmod +x /opt/bin/host-rkt
init_flannel
systemctl stop update-engine; systemctl mask update-engine
systemctl daemon-reload
if [ $CONTAINER_RUNTIME = "rkt" ]; then
systemctl enable load-rkt-stage1
systemctl enable rkt-api
fi
systemctl enable flanneld; systemctl start flanneld
systemctl enable kubelet; systemctl start kubelet
if [ $USE_CALICO = "true" ]; then
systemctl enable calico-node; systemctl start calico-node
enable_calico_policy
fi
start_addons
echo "DONE"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment