github.com/coreos/mantle@v0.13.0/kola/tests/kubernetes/workerInstall.go (about) 1 package kubernetes 2 3 // https://github.com/coreos/coreos-kubernetes/tree/master/multi-node/generic. 4 // The only change besides paramaterizing the env vars was: 5 // s/COREOS_PUBLIC_IP/COREOS_PRIVATE so this works on GCE. 6 const workerInstallScript = `#!/bin/bash 7 set -e 8 9 # List of etcd servers (http://ip:port), comma separated 10 export ETCD_ENDPOINTS={{.ETCD_ENDPOINTS}} 11 12 # The endpoint the worker node should use to contact controller nodes (https://ip:port) 13 # In HA configurations this should be an external DNS record or loadbalancer in front of the control nodes. 14 # However, it is also possible to point directly to a single control node. 15 export CONTROLLER_ENDPOINT={{.CONTROLLER_ENDPOINT}} 16 17 # Specify the version (vX.Y.Z) of Kubernetes assets to deploy 18 export K8S_VER={{.K8S_VER}} 19 20 # Hyperkube image repository to use. 21 export HYPERKUBE_IMAGE_REPO={{.HYPERKUBE_IMAGE_REPO}} 22 23 # The IP address of the cluster DNS service. 24 # This must be the same DNS_SERVICE_IP used when configuring the controller nodes. 25 export DNS_SERVICE_IP=10.3.0.10 26 27 # Whether to use Calico for Kubernetes network policy. 28 export USE_CALICO=false 29 30 # Determines the container runtime for kubernetes to use. Accepts 'docker' or 'rkt'. 31 export CONTAINER_RUNTIME={{.CONTAINER_RUNTIME}} 32 33 # The above settings can optionally be overridden using an environment file: 34 ENV_FILE=/run/coreos-kubernetes/options.env 35 36 # ------------- 37 38 function init_config { 39 local REQUIRED=( 'ADVERTISE_IP' 'ETCD_ENDPOINTS' 'CONTROLLER_ENDPOINT' 'DNS_SERVICE_IP' 'K8S_VER' 'HYPERKUBE_IMAGE_REPO' 'USE_CALICO' ) 40 41 if [ -f $ENV_FILE ]; then 42 export $(cat $ENV_FILE | xargs) 43 fi 44 45 if [ -z $ADVERTISE_IP ]; then 46 export ADVERTISE_IP=$(awk -F= '/COREOS_PRIVATE_IPV4/ {print $2}' /etc/environment) 47 fi 48 49 for REQ in "${REQUIRED[@]}"; do 50 if [ -z "$(eval echo \$$REQ)" ]; then 51 echo "Missing required config value: ${REQ}" 52 exit 1 53 fi 54 done 55 } 56 57 function init_templates { 58 local TEMPLATE=/etc/systemd/system/kubelet.service 59 if [ ! -f $TEMPLATE ]; then 60 echo "TEMPLATE: $TEMPLATE" 61 mkdir -p $(dirname $TEMPLATE) 62 cat << EOF > $TEMPLATE 63 [Service] 64 Environment=KUBELET_VERSION=${K8S_VER} 65 Environment=KUBELET_ACI=${HYPERKUBE_IMAGE_REPO} 66 Environment="RKT_OPTS=--volume dns,kind=host,source=/etc/resolv.conf \ 67 --mount volume=dns,target=/etc/resolv.conf \ 68 --volume=rkt,kind=host,source=/opt/bin/host-rkt \ 69 --mount volume=rkt,target=/usr/bin/rkt \ 70 --volume var-lib-rkt,kind=host,source=/var/lib/rkt \ 71 --mount volume=var-lib-rkt,target=/var/lib/rkt \ 72 --volume=stage,kind=host,source=/tmp \ 73 --mount volume=stage,target=/tmp" 74 ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests 75 ExecStart=/usr/lib/coreos/kubelet-wrapper \ 76 --api-servers=${CONTROLLER_ENDPOINT} \ 77 --network-plugin-dir=/etc/kubernetes/cni/net.d \ 78 --network-plugin=cni \ 79 --container-runtime=${CONTAINER_RUNTIME} \ 80 --rkt-path=/usr/bin/rkt \ 81 --rkt-stage1-image=coreos.com/rkt/stage1-coreos \ 82 --register-node=true \ 83 --allow-privileged=true \ 84 --config=/etc/kubernetes/manifests \ 85 --hostname-override=${ADVERTISE_IP} \ 86 --cluster_dns=${DNS_SERVICE_IP} \ 87 --cluster_domain=cluster.local \ 88 --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \ 89 --tls-cert-file=/etc/kubernetes/ssl/worker.pem \ 90 --tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem 91 Restart=always 92 RestartSec=10 93 94 [Install] 95 WantedBy=multi-user.target 96 EOF 97 fi 98 99 local TEMPLATE=/opt/bin/host-rkt 100 if [ ! -f $TEMPLATE ]; then 101 echo "TEMPLATE: $TEMPLATE" 102 mkdir -p $(dirname $TEMPLATE) 103 cat << EOF > $TEMPLATE 104 #!/bin/sh 105 # This is bind mounted into the kubelet rootfs and all rkt shell-outs go 106 # through this rkt wrapper. It essentially enters the host mount namespace 107 # (which it is already in) only for the purpose of breaking out of the chroot 108 # before calling rkt. It makes things like rkt gc work and avoids bind mounting 109 # in certain rkt filesystem dependancies into the kubelet rootfs. This can 110 # eventually be obviated when the write-api stuff gets upstream and rkt gc is 111 # through the api-server. Related issue: 112 # https://github.com/coreos/rkt/issues/2878 113 exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "\$@" 114 EOF 115 fi 116 117 local TEMPLATE=/etc/systemd/system/load-rkt-stage1.service 118 if [ ${CONTAINER_RUNTIME} = "rkt" ] && [ ! -f $TEMPLATE ]; then 119 echo "TEMPLATE: $TEMPLATE" 120 mkdir -p $(dirname $TEMPLATE) 121 cat << EOF > $TEMPLATE 122 [Unit] 123 Description=Load rkt stage1 images 124 Documentation=http://github.com/coreos/rkt 125 Requires=network-online.target 126 After=network-online.target 127 Before=rkt-api.service 128 129 [Service] 130 Type=oneshot 131 RemainAfterExit=yes 132 ExecStart=/usr/bin/rkt fetch /usr/lib/rkt/stage1-images/stage1-coreos.aci /usr/lib/rkt/stage1-images/stage1-fly.aci --insecure-options=image 133 134 [Install] 135 RequiredBy=rkt-api.service 136 EOF 137 fi 138 139 local TEMPLATE=/etc/systemd/system/rkt-api.service 140 if [ ${CONTAINER_RUNTIME} = "rkt" ] && [ ! -f $TEMPLATE ]; then 141 echo "TEMPLATE: $TEMPLATE" 142 mkdir -p $(dirname $TEMPLATE) 143 cat << EOF > $TEMPLATE 144 [Unit] 145 Before=kubelet.service 146 147 [Service] 148 ExecStart=/usr/bin/rkt api-service 149 Restart=always 150 RestartSec=10 151 152 [Install] 153 RequiredBy=kubelet.service 154 EOF 155 fi 156 157 local TEMPLATE=/etc/systemd/system/calico-node.service 158 if [ "${USE_CALICO}" = "true" ] && [ ! -f "${TEMPLATE}" ]; then 159 echo "TEMPLATE: $TEMPLATE" 160 mkdir -p $(dirname $TEMPLATE) 161 cat << EOF > $TEMPLATE 162 [Unit] 163 Description=Calico per-host agent 164 Requires=network-online.target 165 After=network-online.target 166 167 [Service] 168 Slice=machine.slice 169 Environment=CALICO_DISABLE_FILE_LOGGING=true 170 Environment=HOSTNAME=${ADVERTISE_IP} 171 Environment=IP=${ADVERTISE_IP} 172 Environment=FELIX_FELIXHOSTNAME=${ADVERTISE_IP} 173 Environment=CALICO_NETWORKING=false 174 Environment=NO_DEFAULT_POOLS=true 175 Environment=ETCD_ENDPOINTS=${ETCD_ENDPOINTS} 176 ExecStart=/usr/bin/rkt run --inherit-env --stage1-from-dir=stage1-fly.aci \ 177 --volume=modules,kind=host,source=/lib/modules,readOnly=false \ 178 --mount=volume=modules,target=/lib/modules \ 179 --trust-keys-from-https quay.io/calico/node:v0.19.0 180 KillMode=mixed 181 Restart=always 182 TimeoutStartSec=0 183 184 [Install] 185 WantedBy=multi-user.target 186 EOF 187 fi 188 189 local TEMPLATE=/etc/kubernetes/worker-kubeconfig.yaml 190 if [ ! -f $TEMPLATE ]; then 191 echo "TEMPLATE: $TEMPLATE" 192 mkdir -p $(dirname $TEMPLATE) 193 cat << EOF > $TEMPLATE 194 apiVersion: v1 195 kind: Config 196 clusters: 197 - name: local 198 cluster: 199 certificate-authority: /etc/kubernetes/ssl/ca.pem 200 users: 201 - name: kubelet 202 user: 203 client-certificate: /etc/kubernetes/ssl/worker.pem 204 client-key: /etc/kubernetes/ssl/worker-key.pem 205 contexts: 206 - context: 207 cluster: local 208 user: kubelet 209 name: kubelet-context 210 current-context: kubelet-context 211 EOF 212 fi 213 214 local TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml 215 if [ ! -f $TEMPLATE ]; then 216 echo "TEMPLATE: $TEMPLATE" 217 mkdir -p $(dirname $TEMPLATE) 218 cat << EOF > $TEMPLATE 219 apiVersion: v1 220 kind: Pod 221 metadata: 222 name: kube-proxy 223 namespace: kube-system 224 annotations: 225 rkt.alpha.kubernetes.io/stage1-name-override: coreos.com/rkt/stage1-fly 226 spec: 227 hostNetwork: true 228 containers: 229 - name: kube-proxy 230 image: ${HYPERKUBE_IMAGE_REPO}:$K8S_VER 231 command: 232 - /hyperkube 233 - proxy 234 - --master=${CONTROLLER_ENDPOINT} 235 - --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml 236 securityContext: 237 privileged: true 238 volumeMounts: 239 - mountPath: /etc/ssl/certs 240 name: "ssl-certs" 241 - mountPath: /etc/kubernetes/worker-kubeconfig.yaml 242 name: "kubeconfig" 243 readOnly: true 244 - mountPath: /etc/kubernetes/ssl 245 name: "etc-kube-ssl" 246 readOnly: true 247 - mountPath: /var/run/dbus 248 name: dbus 249 readOnly: false 250 volumes: 251 - name: "ssl-certs" 252 hostPath: 253 path: "/usr/share/ca-certificates" 254 - name: "kubeconfig" 255 hostPath: 256 path: "/etc/kubernetes/worker-kubeconfig.yaml" 257 - name: "etc-kube-ssl" 258 hostPath: 259 path: "/etc/kubernetes/ssl" 260 - hostPath: 261 path: /var/run/dbus 262 name: dbus 263 EOF 264 fi 265 266 local TEMPLATE=/etc/flannel/options.env 267 if [ ! -f $TEMPLATE ]; then 268 echo "TEMPLATE: $TEMPLATE" 269 mkdir -p $(dirname $TEMPLATE) 270 cat << EOF > $TEMPLATE 271 FLANNELD_IFACE=$ADVERTISE_IP 272 FLANNELD_ETCD_ENDPOINTS=$ETCD_ENDPOINTS 273 EOF 274 fi 275 276 local TEMPLATE=/etc/systemd/system/flanneld.service.d/40-ExecStartPre-symlink.conf.conf 277 if [ ! -f $TEMPLATE ]; then 278 echo "TEMPLATE: $TEMPLATE" 279 mkdir -p $(dirname $TEMPLATE) 280 cat << EOF > $TEMPLATE 281 [Service] 282 ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env 283 EOF 284 fi 285 286 local TEMPLATE=/etc/systemd/system/docker.service.d/40-flannel.conf 287 if [ ! -f $TEMPLATE ]; then 288 echo "TEMPLATE: $TEMPLATE" 289 mkdir -p $(dirname $TEMPLATE) 290 cat << EOF > $TEMPLATE 291 [Unit] 292 Requires=flanneld.service 293 After=flanneld.service 294 [Service] 295 EnvironmentFile=/etc/kubernetes/cni/docker_opts_cni.env 296 EOF 297 fi 298 299 local TEMPLATE=/etc/kubernetes/cni/docker_opts_cni.env 300 if [ ! -f $TEMPLATE ]; then 301 echo "TEMPLATE: $TEMPLATE" 302 mkdir -p $(dirname $TEMPLATE) 303 cat << EOF > $TEMPLATE 304 DOCKER_OPT_BIP="" 305 DOCKER_OPT_IPMASQ="" 306 EOF 307 fi 308 309 local TEMPLATE=/etc/kubernetes/cni/net.d/10-calico.conf 310 if [ "${USE_CALICO}" = "true" ] && [ ! -f "${TEMPLATE}" ]; then 311 echo "TEMPLATE: $TEMPLATE" 312 mkdir -p $(dirname $TEMPLATE) 313 cat << EOF > $TEMPLATE 314 { 315 "name": "calico", 316 "type": "flannel", 317 "delegate": { 318 "type": "calico", 319 "etcd_endpoints": "$ETCD_ENDPOINTS", 320 "log_level": "none", 321 "log_level_stderr": "info", 322 "hostname": "${ADVERTISE_IP}", 323 "policy": { 324 "type": "k8s", 325 "k8s_api_root": "${CONTROLLER_ENDPOINT}:443/api/v1/", 326 "k8s_client_key": "/etc/kubernetes/ssl/worker-key.pem", 327 "k8s_client_certificate": "/etc/kubernetes/ssl/worker.pem" 328 } 329 } 330 } 331 EOF 332 fi 333 334 local TEMPLATE=/etc/kubernetes/cni/net.d/10-flannel.conf 335 if [ "${USE_CALICO}" = "false" ] && [ ! -f "${TEMPLATE}" ]; then 336 echo "TEMPLATE: $TEMPLATE" 337 mkdir -p $(dirname $TEMPLATE) 338 cat << EOF > $TEMPLATE 339 { 340 "name": "podnet", 341 "type": "flannel", 342 "delegate": { 343 "isDefaultGateway": true 344 } 345 } 346 EOF 347 fi 348 349 } 350 351 init_config 352 init_templates 353 354 chmod +x /opt/bin/host-rkt 355 356 systemctl stop update-engine; systemctl mask update-engine 357 358 systemctl daemon-reload 359 360 if [ $CONTAINER_RUNTIME = "rkt" ]; then 361 systemctl enable load-rkt-stage1 362 systemctl enable rkt-api 363 fi 364 365 systemctl enable flanneld; systemctl start flanneld 366 systemctl enable kubelet; systemctl start kubelet 367 368 if [ $USE_CALICO = "true" ]; then 369 systemctl enable calico-node; systemctl start calico-node 370 fi`