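#!/usr/bin/env bash
#
# Installs, configures and starts the kubernetes worker components (kubelet,
# kube-proxy, CNI plugins), the per-component certificate directories and
# kubeconfig files, and the systemd units for kube-proxy and kubelet.
# Default values and helpers come from ./helpers.bash: log, download_to,
# k8s_version, controllers_ips, k8s_cluster_cidr, cluster_dns_ip, node_ip,
# container_runtime_name, container_runtime_kubelet, container_runtime_endpoint
# and cgroup_driver.
#
# Globals:
#   INSTALL  if set, downloads and installs the k8s binaries and CNI plugins,
#            otherwise it will only configure k8s
#   RUNTIME  "containerd"/"containerD" or "crio"/"cri-o" selects the crictl
#            endpoint written to /etc/crictl.yaml; any other value leaves the
#            file untouched
#
# Runs as an unprivileged user with passwordless sudo; every write below /etc,
# /usr/bin, /opt and /var/lib goes through sudo.
#######################################

dir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )

source "${dir}/helpers.bash"

cache_dir="${dir}/../../../hack/cache"
k8s_cache_dir="${cache_dir}/k8s/${k8s_version}"
certs_dir="${dir}/certs"

#######################################
# Installs cri-o 1.13 from the projectatomic PPA and exposes runc under
# /usr/local/sbin. Not called anywhere in this file.
# Globals:   none
# Arguments: none
# Returns:   0; the remove/install/ln steps are best-effort (|| true) so a
#            re-run on a host that already has cri-o does not fail
#######################################
function install_crio() {
  # NOTE(review): the signing key is fetched from an HKP keyserver by id only;
  # the key id is pinned, the keyserver itself is not authenticated.
  sudo apt-key adv --recv-key --keyserver keyserver.ubuntu.com 8BECF1637AD8C79D

  # /etc is root-owned: write through sudo tee instead of a bare redirect,
  # which only works when the whole script already runs as root.
  sudo tee /etc/apt/sources.list.d/projectatomic-ubuntu-ppa-artful.list >/dev/null <<EOF
deb http://ppa.launchpad.net/projectatomic/ppa/ubuntu bionic main
deb-src http://ppa.launchpad.net/projectatomic/ppa/ubuntu bionic main
EOF
  sudo apt-get update
  # Quoted so apt receives the wildcard instead of a shell glob result.
  sudo apt-get remove 'cri-o-1.*' -y || true
  sudo apt-get install cri-o-1.13 -y || true
  sudo ln -s /usr/sbin/runc /usr/local/sbin/runc || true
}

#######################################
# Replaces the distro docker/containerd with containerd 1.2.1 from the upstream
# release tarball, installs a systemd unit for it and a CRI config that uses
# the distro runc. Not called anywhere in this file.
# Globals:   cache_dir (read)
# Arguments: none
# Outputs:   tee echoes the generated unit and config to stdout
#######################################
function install_containerd() {
  local tarball="containerd-1.2.1.linux-amd64.tar.gz"

  sudo service docker stop
  # Quoted so apt, not the shell, expands the pattern.
  sudo apt remove 'containerd*' -y
  download_to "${cache_dir}/containerd" "${tarball}" \
    "https://github.com/containerd/containerd/releases/download/v1.2.1/${tarball}"

  cp "${cache_dir}/containerd/${tarball}" .

  sudo apt-get install runc -y
  # Extracted over /: --no-same-owner makes the files owned by the invoking
  # root account instead of whatever uid/gid the archive recorded.
  sudo tar -xvf "${tarball}" -C / --no-same-owner

  sudo rm -f /etc/systemd/system/containerd.service
  # -f so a re-run over an existing symlink does not abort.
  sudo ln -sf /bin/containerd /usr/local/bin/containerd
  sudo tee /etc/systemd/system/containerd.service <<EOF
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd

Delegate=yes
KillMode=process
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity

[Install]
WantedBy=multi-user.target
EOF

  # Nothing earlier in this function creates /etc/containerd; tee cannot create
  # the file when the directory is missing.
  sudo mkdir -p /etc/containerd
  sudo tee /etc/containerd/config.toml <<EOF
[plugins]
  [plugins.cri.containerd]
    snapshotter = "overlayfs"
    [plugins.cri.containerd.default_runtime]
      runtime_type = "io.containerd.runtime.v1.linux"
      runtime_engine = "/usr/sbin/runc"
      runtime_root = ""
EOF
  sudo systemctl daemon-reload
}

#######################################
# Writes /etc/crictl.yaml pointing crictl at the given runtime socket.
# Arguments: $1 - runtime endpoint, e.g. unix:///var/run/crio/crio.sock
#######################################
function write_crictl_config() {
  local endpoint=$1
  # /etc is root-owned, hence sudo tee rather than a bare redirect.
  sudo tee /etc/crictl.yaml >/dev/null <<EOF
runtime-endpoint: ${endpoint}
EOF
}

#######################################
# Copies certificate and key files into a root-owned state directory.
# Arguments: $1 - destination directory (created if missing)
#            $@ - files to copy
#######################################
function install_certs() {
  local dest=$1
  shift
  sudo mkdir -p "${dest}"
  # sudo is needed here too: the directory above is root-owned.
  # NOTE(review): plain cp gives the *-key.pem files a umask-derived mode
  # (commonly 0644); tighten to 0600 once the uid each consumer (cilium, nginx,
  # kubelet, kube-proxy) reads its key with is confirmed.
  sudo cp -- "$@" "${dest}"
}

#######################################
# Builds a standalone kubeconfig (CA and client cert/key embedded) for one
# component in the current directory and installs a copy into the component's
# state directory. The API server is the first controller.
# Globals:   controllers_ips (read)
# Arguments: $1 - kubeconfig name; the file is ./<name>.kubeconfig
#            $2 - user name recorded in the kubeconfig (also used by the context)
#            $3 - CA certificate file
#            $4 - client certificate file
#            $5 - client key file
#            $6 - destination directory for the installed copy
#######################################
function create_kubeconfig() {
  local name=$1 user=$2 ca=$3 cert=$4 key=$5 dest=$6
  local kubeconfig="${name}.kubeconfig"

  kubectl config set-cluster kubernetes \
    --certificate-authority="${ca}" \
    --embed-certs=true \
    --server="https://${controllers_ips[0]}:6443" \
    --kubeconfig="${kubeconfig}"

  kubectl config set-credentials "${user}" \
    --client-certificate="${cert}" \
    --client-key="${key}" \
    --embed-certs=true \
    --kubeconfig="${kubeconfig}"

  kubectl config set-context default \
    --cluster=kubernetes \
    --user="${user}" \
    --kubeconfig="${kubeconfig}"

  kubectl config use-context default \
    --kubeconfig="${kubeconfig}"

  # NOTE(review): the working copy ./<name>.kubeconfig, which embeds the
  # private key, is left in the invoking directory after the install.
  sudo cp "./${kubeconfig}" "${dest}/${kubeconfig}"
}

log "Installing kubernetes worker components..."

set -e

# Hostname is part of the kubelet/kube-proxy certificate file names and of the
# kubelet TLS flags; resolve it once so every consumer sees the same value.
hostname=$(hostname)

sudo mkdir -p /opt/cni/bin

if [[ -n "${INSTALL}" ]]; then
  k8s_components=(kubectl kubelet kube-proxy)

  # NOTE(review): no checksum is verified here; download integrity rests on
  # download_to (helpers.bash) and TLS.
  for component in "${k8s_components[@]}"; do
    download_to "${k8s_cache_dir}" "${component}" \
      "https://dl.k8s.io/release/${k8s_version}/bin/linux/amd64/${component}"

    cp "${k8s_cache_dir}/${component}" .
  done

  download_to "${cache_dir}/cni" "cni-plugins-amd64-v0.7.5.tgz" \
    "https://github.com/containernetworking/plugins/releases/download/v0.7.5/cni-plugins-amd64-v0.7.5.tgz"

  cp "${cache_dir}/cni/cni-plugins-amd64-v0.7.5.tgz" .

  sudo tar -xvf cni-plugins-amd64-v0.7.5.tgz -C /opt/cni/bin

  chmod +x "${k8s_components[@]}"

  sudo cp "${k8s_components[@]}" /usr/bin/
fi

case "${RUNTIME}" in
  "containerd" | "containerD")
    write_crictl_config unix:///var/run/containerd/containerd.sock
    ;;
  "crio" | "cri-o")
    write_crictl_config unix:///var/run/crio/crio.sock
    ;;
  *)
    ;;
esac

log "Copying cilium certificates to /var/lib/cilium"
install_certs /var/lib/cilium \
  "${certs_dir}/ca-k8s.pem" \
  "${certs_dir}/ca-etcd.pem" \
  "${certs_dir}/etcd-cilium-key.pem" \
  "${certs_dir}/etcd-cilium.pem" \
  "${certs_dir}/k8s-cilium-key.pem" \
  "${certs_dir}/k8s-cilium.pem"

log "Copying nginx certificates to /var/lib/nginx"
install_certs /var/lib/nginx \
  "${certs_dir}/ca-k8s.pem" \
  "${certs_dir}/k8s-nginx-key.pem" \
  "${certs_dir}/k8s-nginx.pem"

log "Copying kubelet certificates to /var/lib/kubelet"
install_certs /var/lib/kubelet/ \
  "${certs_dir}/ca-k8s.pem" \
  "${certs_dir}/ca-kubelet.pem" \
  "${certs_dir}/k8s-kubelet-${hostname}-key.pem" \
  "${certs_dir}/k8s-kubelet-${hostname}.pem" \
  "${certs_dir}/kubelet-kubelet-${hostname}.pem" \
  "${certs_dir}/kubelet-kubelet-${hostname}-key.pem"

log "Copying kube-proxy certificates to /var/lib/kube-proxy"
install_certs /var/lib/kube-proxy/ \
  "${certs_dir}/ca-k8s.pem" \
  "${certs_dir}/k8s-kube-proxy-${hostname}-key.pem" \
  "${certs_dir}/k8s-kube-proxy-${hostname}.pem"

log "Generating etcd-config file for cilium to contact etcd"
# Cilium talks to etcd on the first controller with its own client cert/key.
sudo tee /var/lib/cilium/etcd-config.yml <<EOF
---
endpoints:
- https://${controllers_ips[0]}:2379
trusted-ca-file: '/var/lib/cilium/ca-etcd.pem'
key-file: '/var/lib/cilium/etcd-cilium-key.pem'
cert-file: '/var/lib/cilium/etcd-cilium.pem'
EOF

log "Generating kubeconfig file for cilium"
create_kubeconfig cilium cilium \
  /var/lib/cilium/ca-k8s.pem \
  /var/lib/cilium/k8s-cilium.pem \
  /var/lib/cilium/k8s-cilium-key.pem \
  /var/lib/cilium

log "creating kubeconfig file for nginx"
create_kubeconfig nginx nginx \
  /var/lib/nginx/ca-k8s.pem \
  /var/lib/nginx/k8s-nginx.pem \
  /var/lib/nginx/k8s-nginx-key.pem \
  /var/lib/nginx

log "creating kubeconfig file for kubelet"
create_kubeconfig kubelet kubelet \
  /var/lib/kubelet/ca-k8s.pem \
  "/var/lib/kubelet/k8s-kubelet-${hostname}.pem" \
  "/var/lib/kubelet/k8s-kubelet-${hostname}-key.pem" \
  /var/lib/kubelet

log "creating kubeconfig file for kube-proxy"
# The credentials entry is named kube-proxy so that it matches the context's
# --user; it used to be named kubelet, which left the context pointing at a
# user that did not exist in this kubeconfig.
create_kubeconfig kube-proxy kube-proxy \
  /var/lib/kube-proxy/ca-k8s.pem \
  "/var/lib/kube-proxy/k8s-kube-proxy-${hostname}.pem" \
  "/var/lib/kube-proxy/k8s-kube-proxy-${hostname}-key.pem" \
  /var/lib/kube-proxy
# FIXME remove this once we know how to set up kube-proxy in RBAC properly.
# Until then kube-proxy authenticates to the API server with cilium's client
# certificate, i.e. with cilium's RBAC permissions instead of its own.
sudo cp ./cilium.kubeconfig /var/lib/kube-proxy/kube-proxy.kubeconfig

log "creating kube-proxy systemd service"
sudo tee /etc/systemd/system/kube-proxy.service <<EOF
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://kubernetes.io/docs/concepts/overview/components/#kube-proxy https://kubernetes.io/docs/reference/generated/kube-proxy/
After=network.target

[Service]
ExecStart=/usr/bin/kube-proxy \\
  --cluster-cidr=${k8s_cluster_cidr} \\
  --kubeconfig=/var/lib/kube-proxy/kube-proxy.kubeconfig \\
  --proxy-mode=iptables \\
  --v=2

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

log "reloading systemctl daemon and enabling and restarting kube-proxy"
sudo systemctl daemon-reload
sudo systemctl enable kube-proxy
sudo systemctl restart kube-proxy

# status exits non-zero when the unit is not active, which under set -e aborts
# the script instead of continuing with a dead kube-proxy.
sudo systemctl status kube-proxy --no-pager

log "creating systemd service for kubelet"
sudo tee /etc/systemd/system/kubelet.service <<EOF
[Unit]
Description=Kubernetes Kubelet
Documentation=https://kubernetes.io/docs/home
After=${container_runtime_name}.service
Requires=${container_runtime_name}.service

[Service]
# Mount BPF fs for cilium
ExecStartPre=/bin/bash -c ' \\
if [[ \$(/bin/mount | /bin/grep /sys/fs/bpf -c) -eq 0 ]]; then \\
/bin/mount bpffs /sys/fs/bpf -t bpf; \\
fi'
ExecStart=/usr/bin/kubelet \\
  --client-ca-file=/var/lib/kubelet/ca-k8s.pem \\
  --cloud-provider= \\
  --cluster-dns=${cluster_dns_ip} \\
  --cluster-domain=cluster.local \\
  --container-runtime=${container_runtime_kubelet} \\
  ${container_runtime_endpoint} \\
  ${cgroup_driver} \\
  --kubeconfig=/var/lib/kubelet/kubelet.kubeconfig \\
  --fail-swap-on=false \\
  --make-iptables-util-chains=false \\
  --network-plugin=cni \\
  --node-ip=${node_ip} \\
  --register-node=true \\
  --serialize-image-pulls=false \\
  --tls-cert-file=/var/lib/kubelet/kubelet-kubelet-${hostname}.pem \\
  --tls-private-key-file=/var/lib/kubelet/kubelet-kubelet-${hostname}-key.pem \\
  --v=2

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

log "reloading systemctl daemon and enabling and restarting kubelet"
sudo systemctl daemon-reload
sudo systemctl enable kubelet
sudo systemctl restart kubelet

# As for kube-proxy: a non-active kubelet fails the script here.
sudo systemctl status kubelet --no-pager

log "Installing kubernetes worker components... DONE!"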