diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..3bedcc10
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+Makefile
+promenade-*.tar
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..6f122c39
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+/*.log
+/*.tar
+/.vagrant
+/cni.tgz
+/env.sh
+/helm
+/kubelet
+/linux-amd64
diff --git a/Dockerfile.genesis b/Dockerfile.genesis
new file mode 100644
index 00000000..6b1f0871
--- /dev/null
+++ b/Dockerfile.genesis
@@ -0,0 +1,37 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:xenial
+
+ENV NODE_HOSTNAME=
+
+RUN apt-get update -qq \
+ && apt-get install --no-install-recommends -y \
+ docker.io \
+ gettext-base \
+ && rm -rf /var/lib/apt/lists/* \
+ && mkdir /promenade \
+ && mkdir /promenade/assets \
+ && mkdir /promenade/scripts
+
+WORKDIR /promenade
+
+ENTRYPOINT /promenade/scripts/entrypoint.sh
+
+COPY genesis-images.tar cni.tgz helm kubelet /promenade/
+
+COPY kubelet.service.template /promenade/
+COPY env.sh scripts/common/* /promenade/scripts/
+COPY scripts/entrypoint-genesis.sh /promenade/scripts/entrypoint.sh
+COPY assets/ /promenade/assets/
diff --git a/Dockerfile.join b/Dockerfile.join
new file mode 100644
index 00000000..0f8850e4
--- /dev/null
+++ b/Dockerfile.join
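Review bot: The ignore list leaves `.git`, `.vagrant` and `*.log` in the build context, so every `docker build` sends the repository history and Vagrant state to the daemon even though neither Dockerfile COPYs them. Adding `.git`, `.vagrant` and `*.log` next to the two existing entries keeps the context to what the Dockerfiles actually use and makes builds noticeably smaller once the repo has history.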
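Review bot: `COPY assets/ /promenade/assets/` on the last line copies the whole assets tree, and this commit adds `assets/tls/ca.key`, `apiserver.key`, `kubelet.key` and `service-account.key` under it, so the CA and service-account private keys end up in an image that `make push` publishes to `$(NAMESPACE)/$(GENESIS_REPO)`. Dockerfile.join already shows the narrower pattern (`COPY assets/kubeconfig assets/auth/kubeconfig /promenade/assets/`); genesis should likewise list only what bootstrap needs, or the key material should be generated at genesis time rather than shipped in the image. Separately, `ENTRYPOINT /promenade/scripts/entrypoint.sh` is the shell form, so the script runs under `sh -c` as a child of PID 1 and does not receive SIGTERM from `docker stop`; the exec form `ENTRYPOINT ["/promenade/scripts/entrypoint.sh"]` fixes that here and in Dockerfile.join, which has the same line. `FROM ubuntu:xenial` and the `apt-get install` are unpinned, so rebuilds of the `dev` tag are not reproducible — worth a one-line comment if that is deliberate.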
@@ -0,0 +1,37 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:xenial
+
+ENV NODE_HOSTNAME=
+
+RUN apt-get update -qq \
+ && apt-get install --no-install-recommends -y \
+ docker.io \
+ gettext-base \
+ && rm -rf /var/lib/apt/lists/* \
+ && mkdir /promenade \
+ && mkdir /promenade/assets \
+ && mkdir /promenade/scripts
+
+WORKDIR /promenade
+
+ENTRYPOINT /promenade/scripts/entrypoint.sh
+
+COPY join-images.tar cni.tgz kubelet /promenade/
+
+COPY kubelet.service.template /promenade/
+COPY env.sh scripts/common/* /promenade/scripts/
+COPY scripts/entrypoint-join.sh /promenade/scripts/entrypoint.sh
+COPY assets/kubeconfig assets/auth/kubeconfig /promenade/assets/
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..6e63853e
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,141 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#---------------#
+# Configuration #
+#---------------#
+BOOTKUBE_VERSION := v0.4.1
+CNI_VERSION := v0.5.2
+HELM_VERSION := v2.3.1
+KUBERNETES_VERSION := v1.6.2
+
+NAMESPACE := quay.io/attcomdev
+GENESIS_REPO := promenade-genesis
+JOIN_REPO := promenade-join
+TAG := dev
+
+GENESIS_IMAGES := \
+ gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1 \
+ gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1 \
+ gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1 \
+ gcr.io/google_containers/pause-amd64:3.0 \
+ quay.io/calico/cni:v1.7.0 \
+ quay.io/calico/kube-policy-controller:v0.5.4 \
+ quay.io/calico/node:v1.1.3 \
+ quay.io/coreos/bootkube:$(BOOTKUBE_VERSION) \
+ quay.io/coreos/etcd-operator:v0.2.5 \
+ quay.io/coreos/etcd:v3.1.4 \
+ quay.io/coreos/etcd:v3.1.6 \
+ quay.io/coreos/flannel:v0.7.1 \
+ quay.io/coreos/hyperkube:$(KUBERNETES_VERSION)_coreos.0 \
+ quay.io/coreos/kenc:48b6feceeee56c657ea9263f47b6ea091e8d3035 \
+ quay.io/coreos/pod-checkpointer:20cf8b9a6018731a0770192f30dfa7a1941521e3 \
+
+JOIN_IMAGES := \
+ gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1 \
+ gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1 \
+ gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1 \
+ gcr.io/google_containers/pause-amd64:3.0 \
+ quay.io/calico/cni:v1.7.0 \
+ quay.io/calico/kube-policy-controller:v0.5.4 \
+ quay.io/calico/node:v1.1.3 \
+ quay.io/coreos/etcd-operator:v0.2.5 \
+ quay.io/coreos/etcd:v3.1.4 \
+ quay.io/coreos/etcd:v3.1.6 \
+ quay.io/coreos/flannel:v0.7.1 \
+ quay.io/coreos/hyperkube:$(KUBERNETES_VERSION)_coreos.0 \
+ quay.io/coreos/kenc:48b6feceeee56c657ea9263f47b6ea091e8d3035 \
+ quay.io/coreos/pod-checkpointer:20cf8b9a6018731a0770192f30dfa7a1941521e3 \
+
+
+#-------#
+# Rules #
+#-------#
+all: build
+
+build: build-genesis build-join
+
+push: push-genesis push-join
+
+save: save-genesis save-join
+
+genesis: build-genesis
+
+build-genesis: Dockerfile.genesis cni.tgz env.sh helm genesis-images.tar kubelet kubelet.service.template
+ sudo docker build -f Dockerfile.genesis -t $(NAMESPACE)/$(GENESIS_REPO):$(TAG) .
+
+push-genesis: build-genesis
+ sudo docker push $(NAMESPACE)/$(GENESIS_REPO):$(TAG)
+
+save-genesis: build-genesis
+ sudo docker save $(NAMESPACE)/$(GENESIS_REPO):$(TAG) > promenade-genesis.tar
+
+
+join: build-join
+
+build-join: Dockerfile.join join-images.tar kubelet.service.template
+ sudo docker build -f Dockerfile.join -t $(NAMESPACE)/$(JOIN_REPO):$(TAG) .
+
+push-join: build-join
+ sudo docker push $(NAMESPACE)/$(JOIN_REPO):$(TAG)
+
+save-join: build-join
+ sudo docker save $(NAMESPACE)/$(JOIN_REPO):$(TAG) > promenade-join.tar
+
+cni.tgz:
+ wget https://github.com/containernetworking/cni/releases/download/$(CNI_VERSION)/cni-amd64-$(CNI_VERSION).tgz
+ mv cni-amd64-$(CNI_VERSION).tgz cni.tgz
+
+env.sh: Makefile
+ rm -f env.sh
+ echo export BOOTKUBE_VERSION=$(BOOTKUBE_VERSION) >> env.sh
+ echo export CNI_VERSION=$(CNI_VERSION) >> env.sh
+ echo export HELM_VERSION=$(HELM_VERSION) >> env.sh
+ echo export KUBERNETES_VERSION=$(KUBERNETES_VERSION) >> env.sh
+
+helm:
+ wget https://storage.googleapis.com/kubernetes-helm/helm-$(HELM_VERSION)-linux-amd64.tar.gz
+ tar xf helm-$(HELM_VERSION)-linux-amd64.tar.gz
+ mv linux-amd64/helm ./helm
+ rm -rf ./linux-amd64/
+ rm -f helm-$(HELM_VERSION)-linux-amd64.tar.gz*
+ chmod +x helm
+
+genesis-images.tar:
+ for IMAGE in $(GENESIS_IMAGES); do \
+ sudo docker pull $$IMAGE; \
+ done
+ sudo docker save -o genesis-images.tar $(GENESIS_IMAGES)
+
+join-images.tar:
+ for IMAGE in $(JOIN_IMAGES); do \
+ sudo docker pull $$IMAGE; \
+ done
+ sudo docker save -o join-images.tar $(JOIN_IMAGES)
+
+kubelet:
+ wget http://storage.googleapis.com/kubernetes-release/release/$(KUBERNETES_VERSION)/bin/linux/amd64/kubelet
+ chmod +x kubelet
+
+clean:
+ rm -rf \
+ cni.tgz \
+ env.sh \
+ helm \
+ helm-*-linux-amd64* \
+ *.tar \
+ kubelet \
+
+
+.PHONY : build build-genesis build-join clean genesis join push push-genesis push-join
diff --git a/README.md b/README.md
new file mode 100644
index 00000000..0a1ee0c5
--- /dev/null
+++ b/README.md
@@ -0,0 +1,10 @@
+# Overview
+
+To give this a try:
+
+```
+make save
+vagrant plugin install vagrant-hostmanager
+
+./test-install.sh
+```
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 00000000..1b243476
--- /dev/null
+++ b/Vagrantfile
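Review bot: `build-join` lists only `Dockerfile.join join-images.tar kubelet.service.template` as prerequisites, but Dockerfile.join COPYs `cni.tgz`, `kubelet` and `env.sh` as well, so `make join` on a fresh checkout fails inside `docker build` instead of fetching them; it should read `build-join: Dockerfile.join cni.tgz env.sh join-images.tar kubelet kubelet.service.template`. The `kubelet` rule downloads the binary over plain `http://storage.googleapis.com/...`, and none of the `cni.tgz`, `helm` or `kubelet` rules verify a checksum before the artefact is `chmod +x`ed and baked into an image; switching that URL to `https://` and checking each download with `sha256sum -c` against a digest pinned next to `KUBERNETES_VERSION` is the minimum for a build that produces cluster bootstrap images. `genesis-images.tar` and `join-images.tar` have no prerequisites, so editing `GENESIS_IMAGES`/`JOIN_IMAGES` or the version variables never regenerates them — `genesis-images.tar: Makefile`, as `env.sh` already does, fixes that. `.PHONY` is missing `all`, `save`, `save-genesis` and `save-join`, and the `save-*` recipes redirect straight into `promenade-*.tar`, so an interrupted `docker save` leaves a truncated but newer tarball; writing to `$@.tmp` and then `mv -f $@.tmp $@` avoids that.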
@@ -0,0 +1,59 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.configure("2") do |config| + config.vm.box = "ubuntu/xenial64" + config.vm.box_check_update = false + + config.vm.provision :file, source: "vagrant-assets/docker-daemon.json", destination: "/tmp/docker-daemon.json" + config.vm.provision :file, source: "vagrant-assets/dnsmasq-kubernetes", destination: "/tmp/dnsmasq-kubernetes" + + config.vm.provision :shell, privileged: true, inline:< host communication. + # If left blank, then the interface is chosen using the node's + # default route. + canal_iface: "" + + # Whether or not to masquerade traffic to destinations not within + # the pod network. + masquerade: "true" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. + cni_network_config: |- + { + "name": "canal", + "type": "flannel", + "delegate": { + "type": "calico", + "etcd_endpoints": "__ETCD_ENDPOINTS__", + "log_level": "info", + "policy": { + "type": "k8s", + "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", + "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__" + } + } + } diff --git a/assets/manifests/kube-flannel.yaml b/assets/manifests/kube-flannel.yaml new file mode 100644 index 00000000..3f4fd8a9 --- /dev/null +++ b/assets/manifests/kube-flannel.yaml 
@@ -0,0 +1,368 @@ +--- +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: canal-etcd + namespace: kube-system + labels: + k8s-app: canal-etcd +spec: + template: + metadata: + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + labels: + k8s-app: canal-etcd + spec: + # Only run this pod on the master. + nodeSelector: + node-role.kubernetes.io/master: "" + hostNetwork: true + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: canal-etcd + image: quay.io/coreos/etcd:v3.1.4 + env: + - name: ETCD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: ["/bin/sh","-c"] + args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"] + volumeMounts: + - name: var-etcd + mountPath: /var/etcd + volumes: + - name: var-etcd + hostPath: + path: /var/etcd + +--- +# This manfiest installs the Service which gets traffic to the Calico +# etcd. +apiVersion: v1 +kind: Service +metadata: + labels: + k8s-app: canal-etcd + name: canal-etcd + namespace: kube-system +spec: + # Select the canal-etcd pod running on the master. + selector: + k8s-app: canal-etcd + # This ClusterIP needs to be known in advance, since we cannot rely + # on DNS to get access to etcd. + clusterIP: 10.3.0.136 + ports: + - port: 6666 +--- +# This manifest installs the per-node agents, as well +# as the CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. 
+kind: DaemonSet +apiVersion: extensions/v1beta1 +metadata: + name: canal-node + namespace: kube-system + labels: + k8s-app: canal-node +spec: + selector: + matchLabels: + k8s-app: canal-node + template: + metadata: + labels: + k8s-app: canal-node + spec: + hostNetwork: true + serviceAccountName: calico-cni-plugin + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + # Runs the flannel daemon to enable vxlan networking between + # container hosts. + - name: flannel + image: quay.io/coreos/flannel:v0.7.1 + env: + # The location of the etcd cluster. + - name: FLANNELD_ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + # The interface flannel should run on. + - name: FLANNELD_IFACE + valueFrom: + configMapKeyRef: + name: canal-config + key: canal_iface + # Perform masquerade on traffic leaving the pod cidr. + - name: FLANNELD_IP_MASQ + valueFrom: + configMapKeyRef: + name: canal-config + key: masquerade + # Write the subnet.env file to the mounted directory. + - name: FLANNELD_SUBNET_FILE + value: "/run/flannel/subnet.env" + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/resolv.conf + name: resolv + - mountPath: /run/flannel + name: run-flannel + # Runs calico/node container on each Kubernetes node. This + # container programs network policy and local routes on each + # host. + - name: calico-node + image: quay.io/calico/node:v1.1.3 + env: + # The location of the etcd cluster. + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + # Disable Calico BGP. Calico is simply enforcing policy. + - name: CALICO_NETWORKING + value: "false" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # All pods to speak to services that resolve to the same host. 
+ - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "ACCEPT" + securityContext: + privileged: true + resources: + requests: + cpu: 250m + volumeMounts: + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + # This container installs the Calico CNI binaries + # and CNI network config file on each node. + - name: install-calico-cni + image: quay.io/calico/cni:v1.7.0 + imagePullPolicy: Always + command: ["/install-cni.sh"] + env: + # The name of the CNI network config file to install. + - name: CNI_CONF_NAME + value: "10-canal.conf" + # The location of the etcd cluster. + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: canal-config + key: cni_network_config + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + volumes: + # Used by calico/node. + - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + # Used by flannel daemon. + - name: run-flannel + hostPath: + path: /run/flannel + - name: resolv + hostPath: + path: /etc/resolv.conf + +--- + +# This manifest deploys a Job which performs one time +# configuration of Canal. +apiVersion: batch/v1 +kind: Job +metadata: + name: configure-canal + namespace: kube-system + labels: + k8s-app: canal +spec: + template: + metadata: + name: configure-canal + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + hostNetwork: true + restartPolicy: OnFailure + containers: + # Writes basic flannel configuration to etcd. 
+ - name: configure-flannel + image: quay.io/coreos/etcd:v3.1.4 + command: + - "etcdctl" + - "--no-sync" + - "set" + - "/coreos.com/network/config" + - '{ "Network": "10.2.0.0/16", "Backend": {"Type": "vxlan"} }' + env: + # The location of the etcd cluster. + - name: ETCDCTL_PEERS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + +--- + +# This manifest deploys the Calico policy controller on Kubernetes. +# See https://github.com/projectcalico/k8s-policy +apiVersion: extensions/v1beta1 +kind: ReplicaSet +metadata: + name: calico-policy-controller + namespace: kube-system + labels: + k8s-app: calico-policy +spec: + # The policy controller can only have a single active instance. + replicas: 1 + template: + metadata: + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + name: calico-policy-controller + namespace: kube-system + labels: + k8s-app: calico-policy + spec: + # The policy controller must run in the host network namespace so that + # it isn't governed by policy that would prevent it from working. + hostNetwork: true + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + serviceAccountName: calico-policy-controller + containers: + - name: calico-policy-controller + image: quay.io/calico/kube-policy-controller:v0.5.4 + env: + # The location of the Calico etcd cluster. + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + # The location of the Kubernetes API. Use the default Kubernetes + # service for API access. + - name: K8S_API + value: "https://kubernetes.default:443" + # Since we're running in the host namespace and might not have KubeDNS + # access, configure the container's /etc/hosts to resolve + # kubernetes.default to the correct service clusterIP. 
+ - name: CONFIGURE_ETC_HOSTS + value: "true" + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: calico-cni-plugin + namespace: kube-system +rules: + - apiGroups: [""] + resources: + - pods + - nodes + verbs: + - get + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: calico-policy-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-policy-controller +subjects: +- kind: ServiceAccount + name: calico-policy-controller + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: calico-policy-controller + namespace: kube-system +rules: + - apiGroups: + - "" + - extensions + resources: + - pods + - namespaces + - networkpolicies + verbs: + - watch + - list + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-policy-controller + namespace: kube-system diff --git a/assets/manifests/kube-proxy.yaml b/assets/manifests/kube-proxy.yaml new file mode 100644 index 00000000..a52281d6 --- /dev/null +++ b/assets/manifests/kube-proxy.yaml 
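Review bot: The `canal-etcd` container starts etcd with `--listen-client-urls=http://0.0.0.0:6666` and `--listen-peer-urls=http://0.0.0.0:6667` in a `hostNetwork: true` pod with no TLS and no client authentication, so the datastore holding all Calico policy and flannel subnet config is reachable in cleartext by anything that can reach the master's interfaces, not just via the `10.3.0.136` Service. Binding the client URL to the address the Service actually targets and restricting 6666/6667 with a host firewall rule — or enabling etcd client-cert auth and pointing `etcd_endpoints` at an `https://` URL — would contain that; at minimum the DaemonSet needs a comment stating that this exposure on the master is accepted for the bootstrap. The `configure-flannel` Job hard-codes `"Network": "10.2.0.0/16"`, which must match `--cluster-cidr=10.2.0.0/16` in kube-proxy.yaml; a comment such as `# Must match --cluster-cidr in kube-proxy.yaml` on that argument keeps them in sync. `install-calico-cni` combines `imagePullPolicy: Always` with the pinned tag `quay.io/calico/cni:v1.7.0`, which adds a registry round-trip on every node start and would silently pick up a retagged image; `IfNotPresent` matches the other containers in this file.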
@@ -0,0 +1,56 @@ +--- +apiVersion: "extensions/v1beta1" +kind: DaemonSet +metadata: + name: kube-proxy + namespace: kube-system + labels: + tier: node + component: kube-proxy +spec: + template: + metadata: + labels: + tier: node + component: kube-proxy + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + containers: + - name: kube-proxy + image: quay.io/coreos/hyperkube:v1.6.2_coreos.0 + command: + - /hyperkube + - proxy + - --cluster-cidr=10.2.0.0/16 + - --hostname-override=$(NODE_NAME) + - --kubeconfig=/etc/kubernetes/kubeconfig + - --proxy-mode=iptables + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/ssl/certs + name: ssl-certs-host + readOnly: true + - name: etc-kubernetes + mountPath: /etc/kubernetes + readOnly: true + hostNetwork: true + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + volumes: + - hostPath: + path: /usr/share/ca-certificates + name: ssl-certs-host + - name: etc-kubernetes + hostPath: + path: /etc/kubernetes diff --git a/assets/manifests/kube-scheduler-disruption.yaml b/assets/manifests/kube-scheduler-disruption.yaml new file mode 100644 index 00000000..c6ab7f2d --- /dev/null +++ b/assets/manifests/kube-scheduler-disruption.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: kube-scheduler + namespace: kube-system +spec: + minAvailable: 1 + selector: + matchLabels: + tier: control-plane + component: kube-scheduler diff --git a/assets/manifests/kube-scheduler.yaml b/assets/manifests/kube-scheduler.yaml new file mode 100644 index 00000000..ab81828f --- /dev/null +++ b/assets/manifests/kube-scheduler.yaml 
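Review bot: The `etc-kubernetes` volume mounts the whole host `/etc/kubernetes` directory into kube-proxy although the command only reads `--kubeconfig=/etc/kubernetes/kubeconfig`; narrowing the hostPath to `path: /etc/kubernetes/kubeconfig` keeps whatever else the kubelet stores under that directory (manifests, and presumably credentials once genesis runs) out of a privileged, host-network container. `--cluster-cidr=10.2.0.0/16` duplicates the `"Network"` value written by the configure-flannel Job in kube-flannel.yaml; a comment `# Must match the flannel "Network" in kube-flannel.yaml` on that line documents the coupling.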
@@ -0,0 +1,56 @@ +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: kube-scheduler + namespace: kube-system + labels: + tier: control-plane + component: kube-scheduler +spec: + replicas: 2 + template: + metadata: + labels: + tier: control-plane + component: kube-scheduler + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: tier + operator: In + values: + - control-plane + - key: component + operator: In + values: + - kube-scheduler + topologyKey: kubernetes.io/hostname + containers: + - name: kube-scheduler + image: quay.io/coreos/hyperkube:v1.6.2_coreos.0 + command: + - ./hyperkube + - scheduler + - --leader-elect=true + livenessProbe: + httpGet: + path: /healthz + port: 10251 # Note: Using default port. Update if --port option is set differently. + initialDelaySeconds: 15 + timeoutSeconds: 15 + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule diff --git a/assets/manifests/kube-system-rbac-role-binding.yaml b/assets/manifests/kube-system-rbac-role-binding.yaml new file mode 100644 index 00000000..80438fee --- /dev/null +++ b/assets/manifests/kube-system-rbac-role-binding.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1alpha1 +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1alpha1 +metadata: + name: system:default-sa +subjects: + - kind: ServiceAccount + name: default + namespace: kube-system +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io diff --git a/assets/manifests/pod-checkpointer.yaml b/assets/manifests/pod-checkpointer.yaml new file mode 100644 index 00000000..813dc5b1 --- /dev/null +++ b/assets/manifests/pod-checkpointer.yaml 
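Review bot: `command: - ./hyperkube` is a relative path that only works because of the image's working directory, while kube-proxy.yaml in the same commit invokes `/hyperkube`; using `/hyperkube` here too removes that dependency. With `replicas: 2` and a `nodeSelector` of `node-role.kubernetes.io/master: ""`, the anti-affinity is only `preferred`, so both schedulers land on the same master in a single-master bootstrap; a comment saying that is expected would save the next reader from "fixing" it.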
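Review bot: `apiVersion: rbac.authorization.k8s.io/v1alpha1` appears twice in this document (lines 2 and 4 of the file), which is a duplicate mapping key that strict YAML parsers reject, and it is `v1alpha1` while every other RBAC object in this commit uses `rbac.authorization.k8s.io/v1beta1`; drop the second key and align the version. The binding grants `cluster-admin` to the `default` ServiceAccount of kube-system, so every pod in this commit that does not set `serviceAccountName` (canal-etcd, the configure-canal Job, kube-proxy, kube-scheduler, pod-checkpointer) runs with full cluster rights through its mounted token. kube-flannel.yaml already shows the intended pattern with dedicated `calico-cni-plugin` and `calico-policy-controller` accounts and minimal ClusterRoles; either give the remaining components their own accounts or add a comment such as `# Bootstrap shortcut: replace with per-component accounts before production use`.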
@@ -0,0 +1,59 @@ +--- +apiVersion: "extensions/v1beta1" +kind: DaemonSet +metadata: + name: pod-checkpointer + namespace: kube-system + labels: + tier: control-plane + component: pod-checkpointer +spec: + template: + metadata: + labels: + tier: control-plane + component: pod-checkpointer + annotations: + checkpointer.alpha.coreos.com/checkpoint: "true" + spec: + containers: + - name: checkpoint + image: quay.io/coreos/pod-checkpointer:20cf8b9a6018731a0770192f30dfa7a1941521e3 + command: + - /checkpoint + - --v=4 + - --lock-file=/var/run/lock/pod-checkpointer.lock + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + imagePullPolicy: Always + volumeMounts: + - mountPath: /etc/kubernetes + name: etc-kubernetes + - mountPath: /var/run + name: var-run + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/master: "" + restartPolicy: Always + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + volumes: + - name: etc-kubernetes + hostPath: + path: /etc/kubernetes + - name: var-run + hostPath: + path: /var/run diff --git a/assets/tls/apiserver.crt b/assets/tls/apiserver.crt new file mode 100644 index 00000000..1679b269 --- /dev/null +++ b/assets/tls/apiserver.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhDCCAmygAwIBAgIIYRTnEUWPB2EwDQYJKoZIhvcNAQELBQAwJTERMA8GA1UE +ChMIYm9vdGt1YmUxEDAOBgNVBAMTB2t1YmUtY2EwHhcNMTcwNTE5MTg0MTIwWhcN +MTgwNTE5MTg0MTIxWjAvMRQwEgYDVQQKEwtrdWJlLW1hc3RlcjEXMBUGA1UEAxMO +a3ViZS1hcGlzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB +sXDQGt4CSkm+H0oT3HgzADzK3IQtc5QVKTb2DTyw2/m+h4MRd6n+lra8pto09Is/ +YiVx8OCCFFsO726ZZqLQlQePDF36QKJbpIyGq2b3GVByDQqtn47xhXUeLu0z7IMK +8906xmZXeg8HHTIS9P66z3xA9kLn0nwSSFJHGTXMoFr8cnLySnrtDHe9pGo/+jcR +0+jiH3at3w2F1tCaTZ8znEMRP80BTysb7IlZdmNBfaSoT45Nje2eBpZDdxvI8qhi +J2ZWZ7vQsu6AlCneKpTj4tgsV6sEAgs2V8pabRaSM5t0Hq1lGo/npcOamIUQAq1u +O2SpSTIojdSHmWdD9h5dAgMBAAGjga0wgaowDgYDVR0PAQH/BAQDAgWgMB0GA1Ud +JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB5BgNVHREEcjBwggprdWJlcm5ldGVz +ggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVybmV0ZXMuZGVm +YXVsdC5zdmOCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcE +CgMAATANBgkqhkiG9w0BAQsFAAOCAQEAj8G9Lc75QNbhADQuOXsSGEi6bJ0UdFoV +vv5VLNMOdZ0+jXtHtLYrB3RygIcolSdqlaqpM9nj61xgnhG3OIYIw8BCqQlaBgO+ +5cAvzmql29AoDbLeu3JctmySScqyCj4mqtlOGHgIotUq226Re1aqSJ8zLH7UDVEa +jyQo8vn5GQm/XwyGUt4nSpYXMi6MztebcePdyOe4387NFJS9/OUQIdWlhv1cegK+ +fU8KRv2MiBfZZqJ1DQD17eV9494DImGN1nCpVlmPNBGTCe75SOYCBOwYhHKoNMLn +YmtnpzBtfAkU4EzjiMm6V22XI/lZsQdxeQfMMScmh+M60DHr7ToRdg== +-----END CERTIFICATE----- diff --git a/assets/tls/apiserver.key b/assets/tls/apiserver.key new file mode 100644 index 00000000..2547d282 --- /dev/null +++ b/assets/tls/apiserver.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwbFw0BreAkpJvh9KE9x4MwA8ytyELXOUFSk29g08sNv5voeD +EXep/pa2vKbaNPSLP2IlcfDgghRbDu9umWai0JUHjwxd+kCiW6SMhqtm9xlQcg0K +rZ+O8YV1Hi7tM+yDCvPdOsZmV3oPBx0yEvT+us98QPZC59J8EkhSRxk1zKBa/HJy +8kp67Qx3vaRqP/o3EdPo4h92rd8NhdbQmk2fM5xDET/NAU8rG+yJWXZjQX2kqE+O +TY3tngaWQ3cbyPKoYidmVme70LLugJQp3iqU4+LYLFerBAILNlfKWm0WkjObdB6t +ZRqP56XDmpiFEAKtbjtkqUkyKI3Uh5lnQ/YeXQIDAQABAoIBAERN1ZGdl+LI3b5s +/EuKuNyLXeTP5NC+bF8V/KrCOj/IIwccdI0JXOpJrcFTOano/t3oN3o5zoIwuXfH +2YHBHvNdSqAYZV+lwVt96IxpD1NeGu9NSBG4LclgHc/6Dm38Hq4TF1XttxNsGLaS +hiEHQnkQSCoEbc2gfV5ZIKKv8jfpShYiaAPzrt3saE/2+OliJ5p6zfXKNlEsg1US +78g+JiOVXZdEQFyPP5Yo8gje8wQ2NetnilQQ9rtBbPv9FfsTrj03srlU2D7IIBdQ +7D3Z5AN7e7RiwRGmStZ4GllcCuhvjhvfhav132G01o8/DwvVLTnfSKFA7+E8UYG9 +6ZAzX4UCgYEA/pXt8ehj3s1f8cNaSEJlD8AsOHgzcuxRvdrE+zA8l4eEFpP5UJej +OcDu966q1yt4Qp7Yx2sW3UA76m7RugdqA5MP25fgzGV5n22iwYbnBQvqDQEOjMH1 +1k0CkaRXhDCzGuwb07og/rhOJdCI3OSCQpLD6BsX8MVPJ/2Gfe4XECcCgYEAwsTo +/iNZFNKkPwlfjpirry6gB7GZYRYdkneMM92fTzuDdqSIrM9oLBeUyixAfPP9c0yV +2cwhc8TLdHxIwatzNNJkwp2+eANfg8jQ0vK9J8V0649C5iM3aZ5MUVG2IS4RAZtH +MG2w5fvdd7SqJ8ROWUy7+E0s472yfJNL3auNa9sCgYEA5AXPwEsAII/cboMlevEU +6Z2bPdzTYAywThcDNWSH8MStFzfkJz4aMWFP6EHmvKAvr6Psz/hn2zVsNNabPD7l +wlvW6T1IWGpPG++rxiCZDJkWQh1/Na2IDjCdq2sCA+FGmkd9yQ69/MeBHzd/TjHR +ReWEWIDj2YAwHMZjzqkQuSMCgYA10Kp/7cxjUIBJWpGomM53LO7SsWOry6yIF7gJ +bKbkAZGlanjJJtWluS5HXkrDO7c/8F1HPHvRvQJqQRzpRjIi2i81Btjl2CjABPCO +GLvjDU/s9jyJ0hkxeaekoGsuZ8gTJZBZ9TT3lsvuk2CgdEEhs24MgWZx1qxGd3xy +1z/QGQKBgQCE7afZwIEUQ6epGlUPwmm+mqGiUNbXAz/PnK/IhuOeV9aEU78lPH8p +6rMpuh5SOqGcRaZhpRSIY3vqU9Yk49OO4BOawF2j8k4pVkTaJGgD71in8aDbcVBc +VlIMP2q93mnyO7OC8znQKHMs5WRWEokRbSsjWEeQF1MtyBWaIiWmlg== +-----END RSA PRIVATE KEY----- diff --git a/assets/tls/ca.crt b/assets/tls/ca.crt new file mode 100644 index 00000000..cca186c3 --- /dev/null +++ b/assets/tls/ca.crt 
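Review bot: This adds a committed RSA private key (`assets/tls/apiserver.key`), and the same commit adds `ca.key`, `kubelet.key` and `service-account.key` below it; with `COPY assets/ /promenade/assets/` in Dockerfile.genesis they are also baked into the published genesis image. Anyone with read access to the repository or the registry can then produce API-server, kubelet and service-account credentials trusted by every cluster bootstrapped from these files, so they should be treated as disposable test keys: generate them at build or genesis time into paths covered by `.gitignore`, and rotate the CA of any cluster already stood up with them. Decoding the validity fields of `apiserver.crt` and `kubelet.crt` suggests they expire one year after issue (the CA ten), so a cluster built from the static files would also stop authenticating on that date; the README or Makefile should say how the material is regenerated.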
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6DCCAdCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAlMREwDwYDVQQKEwhib290 +a3ViZTEQMA4GA1UEAxMHa3ViZS1jYTAeFw0xNzA1MTkxODQxMjBaFw0yNzA1MTcx +ODQxMjBaMCUxETAPBgNVBAoTCGJvb3RrdWJlMRAwDgYDVQQDEwdrdWJlLWNhMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAulAVfzTe/mMl31NAx7P524sz +nQKmxG+BXfDPt4O778tBF76RsEX+wKrRtooBr7axhvR0ok5kDZPARGpNKARmdCSm +336ErFtqTwMoreY7WVCU2CBFOtt2umfJDuGVoNUHEkD8MeV2lYJCoxwJrhe5wiqq +m4hptSCepUjilmkReWQ+/N4+RVDpr86GY2QBUlv9OtA5hxTisbA01SwSPAWrpOqV +8JIj2RLZn85FTzMFTQk0Wu0Zugiryqdaxl33VL3+URI3QC2r2dpvd1SeyWDEXvjm +kn9238we+2wBeRaceCvC7jyDvYSOhS+j92wFdnQYx+HinA8nn8Qfdm38u6A9hwID +AQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG +9w0BAQsFAAOCAQEADHvgtDCE8tv0lKIzEqfubUA5LKQ4NiT5SUAucYazMpKw1QIW +QinCoLEfyPMwgkbgXjzwne8PxeEjjvwCRqwbyViBWnv937p94poZ/9G3CW3bSYwQ +4ZeZnwW6wW0IGsEheMwknBeQboocM6cXu8hto1AYHOnjtg2t1RufWpsDn5aokuW/ +RI8Hg5vnWWKAAAwcwkmg8aiN/1nYQG/coD41kXe/iJ1DTPZa2CPxgm71f2hRnEYT +c7uT7uueBapo1O+ttPkghsIvPZKc6vKxK0wrvzHGRoULl77Z83z92aoPLzcmnJ3d +MFEq4d7JQ5u5i+SaqqqOdp1RGAiuiNpcvyP9ew== +-----END CERTIFICATE----- diff --git a/assets/tls/ca.key b/assets/tls/ca.key new file mode 100644 index 00000000..f3c15499 --- /dev/null +++ b/assets/tls/ca.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAulAVfzTe/mMl31NAx7P524sznQKmxG+BXfDPt4O778tBF76R +sEX+wKrRtooBr7axhvR0ok5kDZPARGpNKARmdCSm336ErFtqTwMoreY7WVCU2CBF +Ott2umfJDuGVoNUHEkD8MeV2lYJCoxwJrhe5wiqqm4hptSCepUjilmkReWQ+/N4+ +RVDpr86GY2QBUlv9OtA5hxTisbA01SwSPAWrpOqV8JIj2RLZn85FTzMFTQk0Wu0Z +ugiryqdaxl33VL3+URI3QC2r2dpvd1SeyWDEXvjmkn9238we+2wBeRaceCvC7jyD +vYSOhS+j92wFdnQYx+HinA8nn8Qfdm38u6A9hwIDAQABAoIBADpNLSztQoqgRA2q +Y68aZqmI2dHcLotxyS24WYe3tWvIUso3XCeo/5sS2SUh8n0l0k/E12qi1TRac+P0 +z8gh+F2HyqBNWv8EbDPlbSldzlyYlrs6/e75FiImsAf0F3qIrvnLVB/ZCk6mwGuC +LpVH310fNNwOx+ViG8LlF+KxZkJxzoKQ2RwiCwzMzpvNBTJyEE1jfqNlc92XnP65 +FhjcFfzSJhFK3VH1gdpfO8bUiLiiUhzKzXH7Af73UqZ22wHeYx87ZJBv7e9ymbWT +GMf9js92e3OdXa3al75JlXgexSDmV2OdZNj6zpqAyupo5b+jXNxcxDaQCitOAcyU +H6HqMiECgYEAwWeEvOL/JC1hFBniM3jtG7ZcXjT1nuc0I9z+b0O6i3JXp1AXuxqU +COOn0udgJ4SJZZk2LOja7Mq6DsPvbPK9OA/XvSju6U/cqALpLdT+bvcG1J5km80w +F9d5a8CmABYsIzIm5VOYCZN/ELxo9uzDhNpiU1m7EVZengg8E1/xSpMCgYEA9pz/ +SGZTFHdLZn7jgg9EzdnjZ2SlSnGc1tHayiRbHknwt8JFMwHeL/TPI6/4ns4A8l59 +IEl1Zf8pWDhwa2qGITXQBmauLYzuPGSIBdABLnJQtE4r6o+vYafZxZVvTAv5B4Sz +TCWFkLYtvHvs71+u7IKS+dJg3EYy3Gx5KVhddb0CgYAr8QMdj018wLqvwHm+TBlD +FJnD5bBwnAMiqtE8Il091YrIvs/FePJtWpwEtQEJuXkmFjtS1Mz4w86mECpTzIrl +M+RGXAh8BeMSYSbtfNkaCRIKOLqPE317zT8PFkQg/OimTny72dRPSK2z9bq7b2u0 +wZFZcqen9sGkkiZkGIZP9QKBgQDcgX6FVvD8QLqLl/OHLG3h/ewmW8irqrCJKDUQ +P7e1enmhZTSIqifoC2ZXS5XrMNmJ3VDWWLh/DcsDFdv3P9VUxpAN2SvukK/IEj/J +qrYTuKVOwwLjhbxUfkfrMnXEsoPl5BKJiJdH0I1OliRB2PVIhmwysphm/OGnU9p2 +TIuspQKBgQCq5QJcny6CWHnFh/Q1faYqIjvaS4MqLfnDndvZ98abpcjik3AKgWof +iaROSk40L+q4uDuaM5tU1ufS/FS94hwlk2O1bQ/xgJBkNZnvZJRFU3oZjhggyl6G +iFtBTAGGtJqHTPMtn/Y6dUOJ/ZFIZWzuNhJGYX/S3ifpZeldKXmXew== +-----END RSA PRIVATE KEY----- diff --git a/assets/tls/kubelet.crt b/assets/tls/kubelet.crt new file mode 100644 index 00000000..859df1d1 --- /dev/null +++ b/assets/tls/kubelet.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIILMPkLd2E/uAwDQYJKoZIhvcNAQELBQAwJTERMA8GA1UE +ChMIYm9vdGt1YmUxEDAOBgNVBAMTB2t1YmUtY2EwHhcNMTcwNTE5MTg0MTIwWhcN +MTgwNTE5MTg0MTIxWjArMRcwFQYDVQQKEw5zeXN0ZW06bWFzdGVyczEQMA4GA1UE +AxMHa3ViZWxldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALtz9mHo +tPkidPbQeu9RS6tAOQhAhPOzV7y5kxo9ZkyGR5mOJ5MElfoofHWGXDqJs3IHO6Zr +ZTKTYgX6c3jisMhIT62JnN9ZaATWcrd+qQ15ixTNhqdy3UcX6xlB8YF8KpVZ40rO +wrP/UsG9EaBit37iOmmINIkZtbNIhvOYhkJvr+NOtX/8TsnRZpT9PyCeyZJbsZIZ +d1Apfu2ENeS1C1OgOQIEOREBehc3GVH11D9BRtFob22MjZUjxyGj0SButUmpvnY9 +ogfE5pT0yhI+kZlP6iMPkk0oGlkcc+U4X8VrSyYXfJNEbmI5aDZe3A4lk4fXiF/Y +NosbHYnzdf/j0acCAwEAAaMxMC8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAIgaxO6aAyGRq +MINPID5bG/ZSRoIBSEX0bAviLKWP9RonjfayM8Xb3r2WZ4TmJoYYDNMRFoyCeStw +1fjl7b2vpmFBOxlpmRvNhRF1dlI9Rt4GRRVkxeS7c4dkc0LFTHEPp0X/RmSt4uf+ +X9sYsWOGSBf52+qZ/7UNI6SYwoltenzbwnLHY9NSLXiVFommCXPaBma1GlkQN2F3 +cEInhf78BXKXeIpWdZboHuWOUu3aoRT0p6fegb2Uxh2a73s6sToHjE7oy3H2ZvKR +kcFJ2TnKMrqzEK/9wyc/gu/kYVx8/zCoPlDQASem7aTZgOIDZ8wc4g9rBitnxdIs +jxZwjOKt9g== +-----END CERTIFICATE----- diff --git a/assets/tls/kubelet.key b/assets/tls/kubelet.key new file mode 100644 index 00000000..27816a66 --- /dev/null +++ b/assets/tls/kubelet.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAu3P2Yei0+SJ09tB671FLq0A5CECE87NXvLmTGj1mTIZHmY4n +kwSV+ih8dYZcOomzcgc7pmtlMpNiBfpzeOKwyEhPrYmc31loBNZyt36pDXmLFM2G +p3LdRxfrGUHxgXwqlVnjSs7Cs/9Swb0RoGK3fuI6aYg0iRm1s0iG85iGQm+v4061 +f/xOydFmlP0/IJ7Jkluxkhl3UCl+7YQ15LULU6A5AgQ5EQF6FzcZUfXUP0FG0Whv +bYyNlSPHIaPRIG61Sam+dj2iB8TmlPTKEj6RmU/qIw+STSgaWRxz5ThfxWtLJhd8 +k0RuYjloNl7cDiWTh9eIX9g2ixsdifN1/+PRpwIDAQABAoIBAQCRpzJbs4DjUHXH +zgin6eg9AaMPGWr1HXZgC2YU7n6NmY0K8N0pLFgIz+qdOzBwv8xyHtKnpi001jZF +ZOzSknpAtYdL1XDST1s23xa2I7Hh6X47RNOLSwJLGnev4YBxV3STJgwpdWzuhcbd +CTcoA2yHJ+uxUodXvGVmEEXkA7DW7zLZpvLJ//nD5z5CM0IUPdaSgXhYQp2NZWtI +RjLdjkuYVyBYC2rU4LpmiH1eIVL7bDHoUQhOaHN0wSFG80o46gvrqbhrMPw7BwIu +bCW30q4Y4JPRYn5ru0zCForne65I2kRtnJUDjn99dOntWVZibRojY0hFFEyGYOjZ +WItzGAbxAoGBANFj2ZHitQxtqYs7MNIY9jz/7pzuPaX8dm+2/3WW5Aot01+s4yVH +pd7HE8l5NjnejWG7nG2GPsIhbCCVXEtSMGt1BRioKpc2dLq+ZQb75LGDMaJzMWEm +/HimJuhXvxOzzKC9Z29vo4d6JC58vPwyu27dFAv3rzAcdiWb/aib7S6ZAoGBAOUu +BePZgqlpwl3wqDlAljiLsH8AeZUH2rDA4n4d+1kKPMqJYMmftGaTkDJMeJfisfKb +EXcQsGJAeOLHRpY1VvkHqn5v+7qg9JHSnlw+/nTF5Vk6ISAFMs2Qfwdq6fZ898GZ +mi9VXr0hez7Z/v/liCxBcl0hgAhnjIFGvQ5rSmo/AoGBAIvlVFWdzCyTj/UQBNw6 +BTpYHAoJOnMNq+uTrjXYLF+IonKHxfMAXZfsFhJDw7ECOh+UAz1BtehqAB387H7+ +WI9SzabdpCcHIRIrZsA1x2O6LY1FvTYVoBTTnacaCPWW6R5zrQnM4sr/FfFhMbqm +AohdeKlOQGO6gE08XUsrclnxAoGBALOv+f5DtCaQPUzaO4toEGAVZjStcqZemiCr +mum3KDMPy8ohHDn5dcBXQl+thX/QxiSpYHAyLZlbY2yrQbTT7XUjhZHMy1nwiNEs +ie1ZlriH0OK8qOwqJ0L1YCO4t+gC415vyGwES1uOvMrysPSCStooFjre4Tu1tHxH +skNz68yRAoGBAJyMFoQu0rzOxCwQx+8m1encm9pcUvu2eSwwy+9460W474Ww4qZA +F4DWwjDg5dBG1Im21KIJkhoX579dh3QIRr3PRwlQUkQlxTrUSEtpfNTU3pvWV9BF +tuLS1TnOdweoQ8cGZZd9PWMLLrBd0JeR4FyH23rOUmMFwJ2A6OopeX6B +-----END RSA PRIVATE KEY----- diff --git a/assets/tls/service-account.key b/assets/tls/service-account.key new file mode 100644 index 00000000..26c20230 --- /dev/null +++ b/assets/tls/service-account.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA1OJQmE9JCI20h3BI/xJpQoNIfYviHIhlx6Al60Kv4Zb+taD+ +Jd6pCbHqjgYyiYH1wq0nMC9MiRbphdMsKfJXo57H2X1QWNc+3RYzNEL2ra2rkCGw +q1jKGk6RofagbrinjAC9hGcm/V713fCdSpULH6Ruro9Kjvtca0nLjBcGC03pkuUi +1e7EPj2SALQxA1iV2+sqqpg2axlpyAN7gecafjVN10kkMw9GKumQqUpejCtf3tTv +zzfmGqiNnHDB8lDnXpHecKIZkfXdH5Pd4jRY5DyFfrsL5xy0OHF4rA/EDSFkdEZ2 +rTYiCB/O17pw6LuEu79V3N2hJVEwe4Uti3olQwIDAQABAoIBAHSWjXUc1u6sTNZw +FEo9lxAqPiUj2u2tdbBicOHrX8+4lj56sTWkQAdjPQYTNtJALowzsGafQNdDiRkV +kfZXFtAxQVpHWx2MpI0If3p7wgVUO8Vv7gWpVuYZaYC+RRbeYkQ2k5RTufLBcv3d +rQcPoUvvDf7j0v2DhBXuEF/krBa70OnI6Fv5b6Tay4cN6vmNJSPUlDPvicCizmvV +WtAq5pkPfXW1uweMYDOSD10zaetclMae/0C1hahk9kGoLv49XnKCX/Luzwx0ShJL +F0Zk+0s9nmMAAfRL8JM7E9iwXa8I4zXpaNON5RfzdUQeU6puhNQrMExrfzFYWYVl +rPaRnqECgYEA4C7i9B08wR+JEbKeEvTTzUAS8W+S5lSkzPN75Tt4aHeTojzvRXa0 +nUvbr+0PGctpa3OwDzh/SayKqkJvWzxWmzKELTsWkpUZLyx37oxkoQ+dUKSFDYF7 +ejGYfqthUC65NA0rqmz6qiCK/RFXL1ihMY0f/74+IzChoiftpFQ0pt8CgYEA8xjn +jHcBpGmUOyKRWkmTM1x3l5NhT2bZYy5CGPXZ8tiu6zdi2gw2xUmgVIPzUnTDqmOH +NPuRvHv2sovqZsApDankwzsWthFLVFjPdpXjVa+Gvp6YN0FTeeIEjGujmCJ9Zj9b +oIk4o6gRzQNx5L/RaE2/oQrTGwlCWeA44pH6gh0CgYEA0KZSzOk5VnVHWZVo0jPT +vUBZYSR7EKzPBYHIWj3Tf0drvKACAiDNUWj8+uwkFdngMAXoYwIuVh+kn3pdsgii +gqetpXtNMvhaDDHTHc7FCbJCtH+q5jsQ9VWbnKldVQdnkC6B6YisdBL9yTOOdZ6D +yF6U3a3un0nv5cBLyZoltvkCgYEA5Aexc6ZSKQpMXGghlmK7rIsJN2qs9hFQy2Mh +503+oni1I7jxhf29BrT4qy6W+PrEa7kuo/lzDC3wDC2Is9d+6u05xBRSSnjQg49H +FEKnW8HpkDcuK26gwgzMHXf+nf+ER3wZE+6D7agDAp8/n8Z6xO9hWMvRmGPIFIxq +b8VlCdUCgYBgwfUsSsCMP8KVOJAuwf4/SWOkIUUQHQUj1CyEz2UWG5QiP2wqFiA7 +IH8K8JsO9MSWq3ndR9kR+HGBCkJyyoD1GzBZeRhPb+69fYWao3lKUzEDqmxB7zjh +NPltbLlGGNbPhczXyJeSv1N94MUwY1wt0aAX6G+HiBI8a3cjC/cQPg== +-----END RSA PRIVATE KEY----- diff --git a/assets/tls/service-account.pub b/assets/tls/service-account.pub new file mode 100644 index 00000000..a43e38fc --- /dev/null +++ b/assets/tls/service-account.pub 
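Review bot: This is the service-account token signing key, and committing it means anyone with repository access can mint a valid bearer token for any service account in every cluster bootstrapped from this tree, including those in kube-system. Unlike a client certificate it has no expiry, so the exposure lasts until the key is rotated on the control plane and every existing service-account token is reissued. Generate it at genesis time (`openssl genrsa -out service-account.key 2048` on the genesis node) and keep at most the public half under version control.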
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1OJQmE9JCI20h3BI/xJp
+QoNIfYviHIhlx6Al60Kv4Zb+taD+Jd6pCbHqjgYyiYH1wq0nMC9MiRbphdMsKfJX
+o57H2X1QWNc+3RYzNEL2ra2rkCGwq1jKGk6RofagbrinjAC9hGcm/V713fCdSpUL
+H6Ruro9Kjvtca0nLjBcGC03pkuUi1e7EPj2SALQxA1iV2+sqqpg2axlpyAN7geca
+fjVN10kkMw9GKumQqUpejCtf3tTvzzfmGqiNnHDB8lDnXpHecKIZkfXdH5Pd4jRY
+5DyFfrsL5xy0OHF4rA/EDSFkdEZ2rTYiCB/O17pw6LuEu79V3N2hJVEwe4Uti3ol
+QwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/kubelet.service.template b/kubelet.service.template
new file mode 100644
index 00000000..e0fa7f79
--- /dev/null
+++ b/kubelet.service.template
@@ -0,0 +1,26 @@
+[Unit]
+Description=Kubernetes Kubelet
+Documentation=https://kubernetes.io/docs/admin/kubelet/
+
+[Service]
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
+ExecStart=/usr/local/bin/kubelet \
+ --kubeconfig=/etc/kubernetes/kubeconfig \
+ --require-kubeconfig \
+ --cni-conf-dir=/etc/cni/net.d \
+ --cni-bin-dir=/opt/cni/bin \
+ --network-plugin=cni \
+ --lock-file=/var/run/lock/kubelet.lock \
+ --exit-on-lock-contention \
+ --pod-manifest-path=/etc/kubernetes/manifests \
+ --allow-privileged \
+ --cluster_dns=192.168.1.70,8.8.8.8,10.3.0.10 \
+ --cluster_domain=cluster.local \
+ --node-labels=node-role.kubernetes.io/canal-node=true,node-role.kubernetes.io/master= \
+ --hostname-override=${NODE_HOSTNAME} \
+ --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/common/func.sh b/scripts/common/func.sh
new file mode 100644
index 00000000..26742d65
--- /dev/null
+++ b/scripts/common/func.sh
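Review bot: `--hostname-override=${NODE_HOSTNAME}` is substituted into the unit (presumably by envsubst) without quoting, and the visible part of validate_environment only checks that the variable is non-empty, so a value containing whitespace or a newline becomes extra kubelet arguments or extra unit directives; quote it, `--hostname-override="${NODE_HOSTNAME}" \`, and have the validation step reject anything outside `^[A-Za-z0-9.-]+$` before substituting. Separately, the kubelet's own API is left on defaults: nothing here sets `--anonymous-auth=false`, `--authorization-mode=Webhook` or `--client-ca-file`, which for kubelets of this vintage means port 10250 accepts unauthenticated exec and logs requests — confirm against the kubelet version the image ships. `--allow-privileged` and the hard-coded `--cluster_dns=192.168.1.70,8.8.8.8,10.3.0.10` (a LAN address plus a public resolver) are deployment-specific choices that deserve an env knob, or at least a comment explaining why they are baked in.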
@@ -0,0 +1,64 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+function validate_environment {
+ local ERRORS=
+
+ if [ "x${NODE_HOSTNAME}" = "x" ]; then
+ echo Error: NODE_HOSTNAME not defined, but required.
+ ERRORS=1
+ fi
+
+ if ! docker info; then
+ cat < /target/etc/systemd/system/kubelet.service
+ chown root:root /target/etc/systemd/system/kubelet.service
+ chmod 644 /target/etc/systemd/system/kubelet.service
+
+ chroot --userspec root:root /target /bin/bash < ./scripts/start-kubelet.sh
+}
diff --git a/scripts/common/start-kubelet.sh b/scripts/common/start-kubelet.sh
new file mode 100755
index 00000000..b94787d4
--- /dev/null
+++ b/scripts/common/start-kubelet.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+systemctl daemon-reload
+systemctl enable kubelet.service
+systemctl start kubelet.service
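Review bot: The hunk as shown is truncated between `cat <` and `/target/etc/systemd/system/kubelet.service` (the heredoc, the rest of validate_environment, and the bodies of install_assets and install_cni are missing), so only the visible lines are reviewed. validate_environment should also reject a NODE_HOSTNAME that is not a plain hostname, since the value is written into the kubelet unit, e.g. `[[ "${NODE_HOSTNAME}" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "Error: NODE_HOSTNAME is not a valid hostname" >&2; ERRORS=1; }`; the existing message is a bare `echo` to stdout and belongs on stderr the same way, and the function should `return 1` when ERRORS is set so `set -e` in the entrypoints stops the run (whether it already does is cut off here). `chroot --userspec root:root /target /bin/bash < ./scripts/start-kubelet.sh` runs host systemctl from inside the container, which is the design, but chown/chmod on /target paths should be guarded by a check that /target is actually the host root, such as `[ -d /target/etc/systemd/system ] || { echo "Error: /target is not a host root" >&2; return 1; }`.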
diff --git a/scripts/entrypoint-genesis.sh b/scripts/entrypoint-genesis.sh
new file mode 100755
index 00000000..c45ab7d9
--- /dev/null
+++ b/scripts/entrypoint-genesis.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+source ./scripts/env.sh
+source ./scripts/func.sh
+
+validate_environment
+# XXX validate_genesis_assets
+
+docker load -i ./genesis-images.tar
+
+install_assets
+install_cni
+install_kubelet
+
+docker run --rm \
+ -v /etc/kubernetes:/etc/kubernetes \
+ quay.io/coreos/bootkube:${BOOTKUBE_VERSION} \
+ /bootkube start \
+ --asset-dir=/etc/kubernetes
diff --git a/scripts/entrypoint-join.sh b/scripts/entrypoint-join.sh
new file mode 100755
index 00000000..b2c1ceae
--- /dev/null
+++ b/scripts/entrypoint-join.sh
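Review bot: `quay.io/coreos/bootkube:${BOOTKUBE_VERSION}` is resolved by mutable tag over the network at genesis time with no digest, so the component that lays down the control plane is whatever the registry serves that day; pin it by digest (`quay.io/coreos/bootkube@sha256:<digest>`) or ship it inside genesis-images.tar, which is already loaded a few lines earlier, so genesis has no network dependency at all. `docker load -i ./genesis-images.tar` runs with no checksum and the asset check is left as `# XXX validate_genesis_assets`, so nothing confirms the tarball or the material under /etc/kubernetes is the intended set before bootkube starts; at minimum compare `sha256sum genesis-images.tar` against a value recorded at build time and fail if it differs. The bootkube container is also handed /etc/kubernetes, which presumably holds the private keys from assets/tls after install_assets; that is expected for bootkube, but it is one more reason those keys must be generated per cluster rather than shipped in the image.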
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+source ./scripts/env.sh
+source ./scripts/func.sh
+
+validate_environment
+# XXX validate_join_assets
+
+install_assets
+install_cni
+install_kubelet
diff --git a/test-install.sh b/test-install.sh
new file mode 100755
index 00000000..0376ec62
--- /dev/null
+++ b/test-install.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# Setup master
+vagrant ssh n0 <
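Review bot: `# XXX validate_join_assets` leaves a joining node with no check on the kubeconfig and certificates it is about to install, so a tampered or stale asset set joins silently; before install_assets runs, at least verify that the kubeconfig's server address and CA match values baked into the image and fail otherwise. `set -ex` followed by `source ./scripts/env.sh` traces every assignment in env.sh into the container log, so anything sensitive placed there will be logged; use `set -e` first and turn on `-x` after the two source lines, or state in a comment that env.sh must never hold secrets. The test-install.sh hunk that follows is cut off in this view and is not reviewed.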