From 5969987ad9f18e7b8fc5b4505f78e612311d09e6 Mon Sep 17 00:00:00 2001 
From: Mark Burnett Date: Thu, 18 May 2017 11:42:22 -0500 Subject: [PATCH] Add initial containerized version --- .dockerignore | 2 + .gitignore | 8 + Dockerfile.genesis | 37 ++ Dockerfile.join | 37 ++ Makefile | 141 +++++++ README.md | 10 + Vagrantfile | 59 +++ assets/auth/kubeconfig | 17 + .../bootstrap-apiserver.yaml | 60 +++ .../bootstrap-controller-manager.yaml | 35 ++ .../bootstrap-manifests/bootstrap-etcd.yaml | 30 ++ .../bootstrap-scheduler.yaml | 24 ++ assets/kubeconfig | 1 + assets/manifests/etcd-operator.yaml | 31 ++ assets/manifests/etcd-service.yaml | 15 + assets/manifests/kube-apiserver-secret.yaml | 12 + assets/manifests/kube-apiserver.yaml | 82 ++++ .../kube-controller-manager-disruption.yaml | 12 + .../kube-controller-manager-secret.yaml | 10 + assets/manifests/kube-controller-manager.yaml | 77 ++++ assets/manifests/kube-dns-deployment.yaml | 156 ++++++++ assets/manifests/kube-dns-svc.yaml | 21 + .../kube-etcd-network-checkpointer.yaml | 49 +++ assets/manifests/kube-flannel-cfg.yaml | 39 ++ assets/manifests/kube-flannel.yaml | 368 ++++++++++++++++++ assets/manifests/kube-proxy.yaml | 56 +++ .../manifests/kube-scheduler-disruption.yaml | 12 + assets/manifests/kube-scheduler.yaml | 56 +++ .../kube-system-rbac-role-binding.yaml | 14 + assets/manifests/pod-checkpointer.yaml | 59 +++ assets/tls/apiserver.crt | 21 + assets/tls/apiserver.key | 27 ++ assets/tls/ca.crt | 18 + assets/tls/ca.key | 27 ++ assets/tls/kubelet.crt | 19 + assets/tls/kubelet.key | 27 ++ assets/tls/service-account.key | 27 ++ assets/tls/service-account.pub | 9 + kubelet.service.template | 26 ++ scripts/common/func.sh | 64 +++ scripts/common/start-kubelet.sh | 21 + scripts/entrypoint-genesis.sh | 35 ++ scripts/entrypoint-join.sh | 27 ++ test-install.sh | 20 + vagrant-assets/dnsmasq-kubernetes | 3 + vagrant-assets/docker-daemon.json | 3 + 46 files changed, 1904 insertions(+) create mode 100644 .dockerignore create mode 100644 .gitignore create mode 100644 Dockerfile.genesis create mode 
100644 Dockerfile.join create mode 100644 Makefile create mode 100644 README.md create mode 100644 Vagrantfile create mode 100644 assets/auth/kubeconfig create mode 100644 assets/bootstrap-manifests/bootstrap-apiserver.yaml create mode 100644 assets/bootstrap-manifests/bootstrap-controller-manager.yaml create mode 100644 assets/bootstrap-manifests/bootstrap-etcd.yaml create mode 100644 assets/bootstrap-manifests/bootstrap-scheduler.yaml create mode 120000 assets/kubeconfig create mode 100644 assets/manifests/etcd-operator.yaml create mode 100644 assets/manifests/etcd-service.yaml create mode 100644 assets/manifests/kube-apiserver-secret.yaml create mode 100644 assets/manifests/kube-apiserver.yaml create mode 100644 assets/manifests/kube-controller-manager-disruption.yaml create mode 100644 assets/manifests/kube-controller-manager-secret.yaml create mode 100644 assets/manifests/kube-controller-manager.yaml create mode 100644 assets/manifests/kube-dns-deployment.yaml create mode 100644 assets/manifests/kube-dns-svc.yaml create mode 100644 assets/manifests/kube-etcd-network-checkpointer.yaml create mode 100644 assets/manifests/kube-flannel-cfg.yaml create mode 100644 assets/manifests/kube-flannel.yaml create mode 100644 assets/manifests/kube-proxy.yaml create mode 100644 assets/manifests/kube-scheduler-disruption.yaml create mode 100644 assets/manifests/kube-scheduler.yaml create mode 100644 assets/manifests/kube-system-rbac-role-binding.yaml create mode 100644 assets/manifests/pod-checkpointer.yaml create mode 100644 assets/tls/apiserver.crt create mode 100644 assets/tls/apiserver.key create mode 100644 assets/tls/ca.crt create mode 100644 assets/tls/ca.key create mode 100644 assets/tls/kubelet.crt create mode 100644 assets/tls/kubelet.key create mode 100644 assets/tls/service-account.key create mode 100644 assets/tls/service-account.pub create mode 100644 kubelet.service.template create mode 100644 scripts/common/func.sh create mode 100755 
scripts/common/start-kubelet.sh create mode 100755 scripts/entrypoint-genesis.sh create mode 100755 scripts/entrypoint-join.sh create mode 100755 test-install.sh create mode 100644 vagrant-assets/dnsmasq-kubernetes create mode 100644 vagrant-assets/docker-daemon.json
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..3bedcc10
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+Makefile
+promenade-*.tar
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..6f122c39
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+/*.log
+/*.tar
+/.vagrant
+/cni.tgz
+/env.sh
+/helm
+/kubelet
+/linux-amd64
diff --git a/Dockerfile.genesis b/Dockerfile.genesis
new file mode 100644
index 00000000..6b1f0871
--- /dev/null
+++ b/Dockerfile.genesis
@@ -0,0 +1,37 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:xenial
+
+ENV NODE_HOSTNAME=
+
+RUN apt-get update -qq \
+ && apt-get install --no-install-recommends -y \
+ docker.io \
+ gettext-base \
+ && rm -rf /var/lib/apt/lists/* \
+ && mkdir /promenade \
+ && mkdir /promenade/assets \
+ && mkdir /promenade/scripts
+
+WORKDIR /promenade
+
+ENTRYPOINT /promenade/scripts/entrypoint.sh
+
+COPY genesis-images.tar cni.tgz helm kubelet /promenade/
+
+COPY kubelet.service.template /promenade/
+COPY env.sh scripts/common/* /promenade/scripts/
+COPY scripts/entrypoint-genesis.sh /promenade/scripts/entrypoint.sh
+COPY assets/ /promenade/assets/
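Review bot: `ENTRYPOINT /promenade/scripts/entrypoint.sh` is shell form, so the script runs as a child of `/bin/sh -c`, is not PID 1 and does not receive SIGTERM from `docker stop`; use exec form, `ENTRYPOINT ["/promenade/scripts/entrypoint.sh"]`. Dockerfile.join has the identical line. Separately, `COPY assets/ /promenade/assets/` copies the whole tree, which per the diffstat includes `assets/tls/ca.key`, `assets/tls/service-account.key` and the other private keys, so anyone able to pull the genesis image holds the cluster CA. If the genesis step genuinely needs that material, mounting it at run time rather than baking it into a layer keeps the image distributable, and pinning `docker.io` and `gettext-base` to versions would make the image reproducible.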
diff --git a/Dockerfile.join b/Dockerfile.join
new file mode 100644
index 00000000..0f8850e4
--- /dev/null
+++ b/Dockerfile.join
@@ -0,0 +1,37 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:xenial
+
+ENV NODE_HOSTNAME=
+
+RUN apt-get update -qq \
+ && apt-get install --no-install-recommends -y \
+ docker.io \
+ gettext-base \
+ && rm -rf /var/lib/apt/lists/* \
+ && mkdir /promenade \
+ && mkdir /promenade/assets \
+ && mkdir /promenade/scripts
+
+WORKDIR /promenade
+
+ENTRYPOINT /promenade/scripts/entrypoint.sh
+
+COPY join-images.tar cni.tgz kubelet /promenade/
+
+COPY kubelet.service.template /promenade/
+COPY env.sh scripts/common/* /promenade/scripts/
+COPY scripts/entrypoint-join.sh /promenade/scripts/entrypoint.sh
+COPY assets/kubeconfig assets/auth/kubeconfig /promenade/assets/
diff --git a/Makefile b/Makefile
new file mode 100644
index 00000000..6e63853e
--- /dev/null
+++ b/Makefile
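Review bot: The last line copies `assets/kubeconfig` and `assets/auth/kubeconfig` into the same directory, and both sources have the basename `kubeconfig`, so the second overwrites the first and `/promenade/assets/` ends up holding a single file. The diffstat records `assets/kubeconfig` with mode 120000, i.e. a symlink, which suggests it already points at `assets/auth/kubeconfig`; if so, copy one source and make the intent explicit, e.g. `COPY assets/auth/kubeconfig /promenade/assets/kubeconfig`. If the two files are meant to differ, they need different destination names.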
@@ -0,0 +1,141 @@ +# Copyright 2017 The Promenade Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#---------------# +# Configuration # +#---------------# +BOOTKUBE_VERSION := v0.4.1 +CNI_VERSION := v0.5.2 +HELM_VERSION := v2.3.1 +KUBERNETES_VERSION := v1.6.2 + +NAMESPACE := quay.io/attcomdev +GENESIS_REPO := promenade-genesis +JOIN_REPO := promenade-join +TAG := dev + +GENESIS_IMAGES := \ + gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1 \ + gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1 \ + gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1 \ + gcr.io/google_containers/pause-amd64:3.0 \ + quay.io/calico/cni:v1.7.0 \ + quay.io/calico/kube-policy-controller:v0.5.4 \ + quay.io/calico/node:v1.1.3 \ + quay.io/coreos/bootkube:$(BOOTKUBE_VERSION) \ + quay.io/coreos/etcd-operator:v0.2.5 \ + quay.io/coreos/etcd:v3.1.4 \ + quay.io/coreos/etcd:v3.1.6 \ + quay.io/coreos/flannel:v0.7.1 \ + quay.io/coreos/hyperkube:$(KUBERNETES_VERSION)_coreos.0 \ + quay.io/coreos/kenc:48b6feceeee56c657ea9263f47b6ea091e8d3035 \ + quay.io/coreos/pod-checkpointer:20cf8b9a6018731a0770192f30dfa7a1941521e3 \ + +JOIN_IMAGES := \ + gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1 \ + gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1 \ + gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1 \ + gcr.io/google_containers/pause-amd64:3.0 \ + quay.io/calico/cni:v1.7.0 \ + quay.io/calico/kube-policy-controller:v0.5.4 \ + quay.io/calico/node:v1.1.3 \ + 
quay.io/coreos/etcd-operator:v0.2.5 \ + quay.io/coreos/etcd:v3.1.4 \ + quay.io/coreos/etcd:v3.1.6 \ + quay.io/coreos/flannel:v0.7.1 \ + quay.io/coreos/hyperkube:$(KUBERNETES_VERSION)_coreos.0 \ + quay.io/coreos/kenc:48b6feceeee56c657ea9263f47b6ea091e8d3035 \ + quay.io/coreos/pod-checkpointer:20cf8b9a6018731a0770192f30dfa7a1941521e3 \ + + +#-------# +# Rules # +#-------# +all: build + +build: build-genesis build-join + +push: push-genesis push-join + +save: save-genesis save-join + +genesis: build-genesis + +build-genesis: Dockerfile.genesis cni.tgz env.sh helm genesis-images.tar kubelet kubelet.service.template + sudo docker build -f Dockerfile.genesis -t $(NAMESPACE)/$(GENESIS_REPO):$(TAG) . + +push-genesis: build-genesis + sudo docker push $(NAMESPACE)/$(GENESIS_REPO):$(TAG) + +save-genesis: build-genesis + sudo docker save $(NAMESPACE)/$(GENESIS_REPO):$(TAG) > promenade-genesis.tar + + +join: build-join + +build-join: Dockerfile.join join-images.tar kubelet.service.template + sudo docker build -f Dockerfile.join -t $(NAMESPACE)/$(JOIN_REPO):$(TAG) . 
+ +push-join: build-join + sudo docker push $(NAMESPACE)/$(JOIN_REPO):$(TAG) + +save-join: build-join + sudo docker save $(NAMESPACE)/$(JOIN_REPO):$(TAG) > promenade-join.tar + +cni.tgz: + wget https://github.com/containernetworking/cni/releases/download/$(CNI_VERSION)/cni-amd64-$(CNI_VERSION).tgz + mv cni-amd64-$(CNI_VERSION).tgz cni.tgz + +env.sh: Makefile + rm -f env.sh + echo export BOOTKUBE_VERSION=$(BOOTKUBE_VERSION) >> env.sh + echo export CNI_VERSION=$(CNI_VERSION) >> env.sh + echo export HELM_VERSION=$(HELM_VERSION) >> env.sh + echo export KUBERNETES_VERSION=$(KUBERNETES_VERSION) >> env.sh + +helm: + wget https://storage.googleapis.com/kubernetes-helm/helm-$(HELM_VERSION)-linux-amd64.tar.gz + tar xf helm-$(HELM_VERSION)-linux-amd64.tar.gz + mv linux-amd64/helm ./helm + rm -rf ./linux-amd64/ + rm -f helm-$(HELM_VERSION)-linux-amd64.tar.gz* + chmod +x helm + +genesis-images.tar: + for IMAGE in $(GENESIS_IMAGES); do \ + sudo docker pull $$IMAGE; \ + done + sudo docker save -o genesis-images.tar $(GENESIS_IMAGES) + +join-images.tar: + for IMAGE in $(JOIN_IMAGES); do \ + sudo docker pull $$IMAGE; \ + done + sudo docker save -o join-images.tar $(JOIN_IMAGES) + +kubelet: + wget http://storage.googleapis.com/kubernetes-release/release/$(KUBERNETES_VERSION)/bin/linux/amd64/kubelet + chmod +x kubelet + +clean: + rm -rf \ + cni.tgz \ + env.sh \ + helm \ + helm-*-linux-amd64* \ + *.tar \ + kubelet \ + + +.PHONY : build build-genesis build-join clean genesis join push push-genesis push-join diff --git a/README.md b/README.md new file mode 100644 index 00000000..0a1ee0c5 --- /dev/null +++ b/README.md @@ -0,0 +1,10 @@ +# Overview + +To give this a try: + +``` +make save +vagrant plugin install vagrant-hostmanager + +./test-install.sh +``` diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 00000000..1b243476 --- /dev/null +++ b/Vagrantfile 
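Review bot: The `cni.tgz`, `helm` and `kubelet` rules download binaries with `wget` and never verify them, and the `kubelet` rule fetches over plain `http://`, so the binary that reaches every node through the `COPY ... kubelet /promenade/` lines can be altered in transit without the build noticing. Switch the kubelet URL to `https://` (the helm rule already does) and check each download against its published digest before `chmod +x`, e.g. `echo "<expected sha256>  kubelet" | sha256sum -c -` with the digest pinned next to `KUBERNETES_VERSION`. The `genesis-images.tar` and `join-images.tar` rules pull the `GENESIS_IMAGES`/`JOIN_IMAGES` by tag rather than by `@sha256:` digest, so the saved tarballs are not reproducible either. The Makefile hunk spans several physical lines here; the defect is in its download rules only.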
@@ -0,0 +1,59 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +Vagrant.configure("2") do |config| + config.vm.box = "ubuntu/xenial64" + config.vm.box_check_update = false + + config.vm.provision :file, source: "vagrant-assets/docker-daemon.json", destination: "/tmp/docker-daemon.json" + config.vm.provision :file, source: "vagrant-assets/dnsmasq-kubernetes", destination: "/tmp/dnsmasq-kubernetes" + + config.vm.provision :shell, privileged: true, inline:< host communication. + # If left blank, then the interface is chosen using the node's + # default route. + canal_iface: "" + + # Whether or not to masquerade traffic to destinations not within + # the pod network. + masquerade: "true" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. + cni_network_config: |- + { + "name": "canal", + "type": "flannel", + "delegate": { + "type": "calico", + "etcd_endpoints": "__ETCD_ENDPOINTS__", + "log_level": "info", + "policy": { + "type": "k8s", + "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__", + "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__" + } + } + } diff --git a/assets/manifests/kube-flannel.yaml b/assets/manifests/kube-flannel.yaml new file mode 100644 index 00000000..3f4fd8a9 --- /dev/null +++ b/assets/manifests/kube-flannel.yaml 
@@ -0,0 +1,368 @@ +--- +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + name: canal-etcd + namespace: kube-system + labels: + k8s-app: canal-etcd +spec: + template: + metadata: + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + labels: + k8s-app: canal-etcd + spec: + # Only run this pod on the master. + nodeSelector: + node-role.kubernetes.io/master: "" + hostNetwork: true + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: canal-etcd + image: quay.io/coreos/etcd:v3.1.4 + env: + - name: ETCD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: ["/bin/sh","-c"] + args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"] + volumeMounts: + - name: var-etcd + mountPath: /var/etcd + volumes: + - name: var-etcd + hostPath: + path: /var/etcd + +--- +# This manfiest installs the Service which gets traffic to the Calico +# etcd. +apiVersion: v1 +kind: Service +metadata: + labels: + k8s-app: canal-etcd + name: canal-etcd + namespace: kube-system +spec: + # Select the canal-etcd pod running on the master. + selector: + k8s-app: canal-etcd + # This ClusterIP needs to be known in advance, since we cannot rely + # on DNS to get access to etcd. + clusterIP: 10.3.0.136 + ports: + - port: 6666 +--- +# This manifest installs the per-node agents, as well +# as the CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. 
+kind: DaemonSet +apiVersion: extensions/v1beta1 +metadata: + name: canal-node + namespace: kube-system + labels: + k8s-app: canal-node +spec: + selector: + matchLabels: + k8s-app: canal-node + template: + metadata: + labels: + k8s-app: canal-node + spec: + hostNetwork: true + serviceAccountName: calico-cni-plugin + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + # Runs the flannel daemon to enable vxlan networking between + # container hosts. + - name: flannel + image: quay.io/coreos/flannel:v0.7.1 + env: + # The location of the etcd cluster. + - name: FLANNELD_ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + # The interface flannel should run on. + - name: FLANNELD_IFACE + valueFrom: + configMapKeyRef: + name: canal-config + key: canal_iface + # Perform masquerade on traffic leaving the pod cidr. + - name: FLANNELD_IP_MASQ + valueFrom: + configMapKeyRef: + name: canal-config + key: masquerade + # Write the subnet.env file to the mounted directory. + - name: FLANNELD_SUBNET_FILE + value: "/run/flannel/subnet.env" + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/resolv.conf + name: resolv + - mountPath: /run/flannel + name: run-flannel + # Runs calico/node container on each Kubernetes node. This + # container programs network policy and local routes on each + # host. + - name: calico-node + image: quay.io/calico/node:v1.1.3 + env: + # The location of the etcd cluster. + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + # Disable Calico BGP. Calico is simply enforcing policy. + - name: CALICO_NETWORKING + value: "false" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # All pods to speak to services that resolve to the same host. 
+ - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "ACCEPT" + securityContext: + privileged: true + resources: + requests: + cpu: 250m + volumeMounts: + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + # This container installs the Calico CNI binaries + # and CNI network config file on each node. + - name: install-calico-cni + image: quay.io/calico/cni:v1.7.0 + imagePullPolicy: Always + command: ["/install-cni.sh"] + env: + # The name of the CNI network config file to install. + - name: CNI_CONF_NAME + value: "10-canal.conf" + # The location of the etcd cluster. + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: canal-config + key: cni_network_config + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + volumes: + # Used by calico/node. + - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + # Used by flannel daemon. + - name: run-flannel + hostPath: + path: /run/flannel + - name: resolv + hostPath: + path: /etc/resolv.conf + +--- + +# This manifest deploys a Job which performs one time +# configuration of Canal. +apiVersion: batch/v1 +kind: Job +metadata: + name: configure-canal + namespace: kube-system + labels: + k8s-app: canal +spec: + template: + metadata: + name: configure-canal + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + hostNetwork: true + restartPolicy: OnFailure + containers: + # Writes basic flannel configuration to etcd. 
+ - name: configure-flannel + image: quay.io/coreos/etcd:v3.1.4 + command: + - "etcdctl" + - "--no-sync" + - "set" + - "/coreos.com/network/config" + - '{ "Network": "10.2.0.0/16", "Backend": {"Type": "vxlan"} }' + env: + # The location of the etcd cluster. + - name: ETCDCTL_PEERS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + +--- + +# This manifest deploys the Calico policy controller on Kubernetes. +# See https://github.com/projectcalico/k8s-policy +apiVersion: extensions/v1beta1 +kind: ReplicaSet +metadata: + name: calico-policy-controller + namespace: kube-system + labels: + k8s-app: calico-policy +spec: + # The policy controller can only have a single active instance. + replicas: 1 + template: + metadata: + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + name: calico-policy-controller + namespace: kube-system + labels: + k8s-app: calico-policy + spec: + # The policy controller must run in the host network namespace so that + # it isn't governed by policy that would prevent it from working. + hostNetwork: true + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + serviceAccountName: calico-policy-controller + containers: + - name: calico-policy-controller + image: quay.io/calico/kube-policy-controller:v0.5.4 + env: + # The location of the Calico etcd cluster. + - name: ETCD_ENDPOINTS + valueFrom: + configMapKeyRef: + name: canal-config + key: etcd_endpoints + # The location of the Kubernetes API. Use the default Kubernetes + # service for API access. + - name: K8S_API + value: "https://kubernetes.default:443" + # Since we're running in the host namespace and might not have KubeDNS + # access, configure the container's /etc/hosts to resolve + # kubernetes.default to the correct service clusterIP. 
+ - name: CONFIGURE_ETC_HOSTS + value: "true" + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: calico-cni-plugin + namespace: kube-system +rules: + - apiGroups: [""] + resources: + - pods + - nodes + verbs: + - get + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system + +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: calico-policy-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-policy-controller +subjects: +- kind: ServiceAccount + name: calico-policy-controller + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: calico-policy-controller + namespace: kube-system +rules: + - apiGroups: + - "" + - extensions + resources: + - pods + - namespaces + - networkpolicies + verbs: + - watch + - list + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-policy-controller + namespace: kube-system diff --git a/assets/manifests/kube-proxy.yaml b/assets/manifests/kube-proxy.yaml new file mode 100644 index 00000000..a52281d6 --- /dev/null +++ b/assets/manifests/kube-proxy.yaml 
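Review bot: The `canal-etcd` container starts etcd with `--listen-client-urls=http://0.0.0.0:6666` and `--listen-peer-urls=http://0.0.0.0:6667` under `hostNetwork: true`, so the datastore holding all Calico policy is reachable in plaintext, with no client authentication, on every interface of the master. The pod already exports its address as `ETCD_IP`, so binding with `--listen-client-urls=http://$ETCD_IP:6666` narrows the exposure immediately, and enabling etcd TLS (`--cert-file`, `--key-file`, `--client-cert-auth`) for the flannel, calico-node and install-cni clients is the proper follow-up. This looks close to the upstream canal manifest of the period, so the note concerns what this repo ships rather than a regression introduced here. Separately, `install-calico-cni` sets `imagePullPolicy: Always`, which forces a registry pull on every restart even though the Makefile pre-saves `quay.io/calico/cni:v1.7.0` into the images tarball; `pod-checkpointer.yaml` has the same setting.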
@@ -0,0 +1,56 @@ +--- +apiVersion: "extensions/v1beta1" +kind: DaemonSet +metadata: + name: kube-proxy + namespace: kube-system + labels: + tier: node + component: kube-proxy +spec: + template: + metadata: + labels: + tier: node + component: kube-proxy + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + containers: + - name: kube-proxy + image: quay.io/coreos/hyperkube:v1.6.2_coreos.0 + command: + - /hyperkube + - proxy + - --cluster-cidr=10.2.0.0/16 + - --hostname-override=$(NODE_NAME) + - --kubeconfig=/etc/kubernetes/kubeconfig + - --proxy-mode=iptables + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + securityContext: + privileged: true + volumeMounts: + - mountPath: /etc/ssl/certs + name: ssl-certs-host + readOnly: true + - name: etc-kubernetes + mountPath: /etc/kubernetes + readOnly: true + hostNetwork: true + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + volumes: + - hostPath: + path: /usr/share/ca-certificates + name: ssl-certs-host + - name: etc-kubernetes + hostPath: + path: /etc/kubernetes diff --git a/assets/manifests/kube-scheduler-disruption.yaml b/assets/manifests/kube-scheduler-disruption.yaml new file mode 100644 index 00000000..c6ab7f2d --- /dev/null +++ b/assets/manifests/kube-scheduler-disruption.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: kube-scheduler + namespace: kube-system +spec: + minAvailable: 1 + selector: + matchLabels: + tier: control-plane + component: kube-scheduler diff --git a/assets/manifests/kube-scheduler.yaml b/assets/manifests/kube-scheduler.yaml new file mode 100644 index 00000000..ab81828f --- /dev/null +++ b/assets/manifests/kube-scheduler.yaml 
@@ -0,0 +1,56 @@ +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: kube-scheduler + namespace: kube-system + labels: + tier: control-plane + component: kube-scheduler +spec: + replicas: 2 + template: + metadata: + labels: + tier: control-plane + component: kube-scheduler + annotations: + scheduler.alpha.kubernetes.io/critical-pod: '' + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: tier + operator: In + values: + - control-plane + - key: component + operator: In + values: + - kube-scheduler + topologyKey: kubernetes.io/hostname + containers: + - name: kube-scheduler + image: quay.io/coreos/hyperkube:v1.6.2_coreos.0 + command: + - ./hyperkube + - scheduler + - --leader-elect=true + livenessProbe: + httpGet: + path: /healthz + port: 10251 # Note: Using default port. Update if --port option is set differently. + initialDelaySeconds: 15 + timeoutSeconds: 15 + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule diff --git a/assets/manifests/kube-system-rbac-role-binding.yaml b/assets/manifests/kube-system-rbac-role-binding.yaml new file mode 100644 index 00000000..80438fee --- /dev/null +++ b/assets/manifests/kube-system-rbac-role-binding.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1alpha1 +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1alpha1 +metadata: + name: system:default-sa +subjects: + - kind: ServiceAccount + name: default + namespace: kube-system +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io diff --git a/assets/manifests/pod-checkpointer.yaml b/assets/manifests/pod-checkpointer.yaml new file mode 100644 index 00000000..813dc5b1 --- /dev/null +++ b/assets/manifests/pod-checkpointer.yaml 
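Review bot: `kube-system-rbac-role-binding.yaml` declares `apiVersion: rbac.authorization.k8s.io/v1alpha1` twice in the same document, before and after `kind`; duplicate mapping keys are rejected by strict YAML parsers, so the second line should go, and `v1beta1` would match the calico bindings in this commit. The binding itself grants `cluster-admin` to the `default` ServiceAccount in `kube-system`, which means every pod in that namespace without a `serviceAccountName` (the kube-proxy, kube-scheduler and pod-checkpointer manifests in this commit, as far as visible) runs with full cluster rights. The calico manifests already show the alternative: a dedicated ServiceAccount plus a ClusterRole limited to the verbs each component needs. If this is a deliberate bootstrap shortcut, a comment such as `# Bootstrap-only: grants cluster-admin to kube-system/default; replace with per-component roles` would make that explicit.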
@@ -0,0 +1,59 @@ +--- +apiVersion: "extensions/v1beta1" +kind: DaemonSet +metadata: + name: pod-checkpointer + namespace: kube-system + labels: + tier: control-plane + component: pod-checkpointer +spec: + template: + metadata: + labels: + tier: control-plane + component: pod-checkpointer + annotations: + checkpointer.alpha.coreos.com/checkpoint: "true" + spec: + containers: + - name: checkpoint + image: quay.io/coreos/pod-checkpointer:20cf8b9a6018731a0770192f30dfa7a1941521e3 + command: + - /checkpoint + - --v=4 + - --lock-file=/var/run/lock/pod-checkpointer.lock + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + imagePullPolicy: Always + volumeMounts: + - mountPath: /etc/kubernetes + name: etc-kubernetes + - mountPath: /var/run + name: var-run + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/master: "" + restartPolicy: Always + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + volumes: + - name: etc-kubernetes + hostPath: + path: /etc/kubernetes + - name: var-run + hostPath: + path: /var/run diff --git a/assets/tls/apiserver.crt b/assets/tls/apiserver.crt new file mode 100644 index 00000000..1679b269 --- /dev/null +++ b/assets/tls/apiserver.crt 
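Review bot: The `checkpoint` container mounts the host's entire `/var/run` read-write (`mountPath: /var/run` backed by `hostPath: path: /var/run`), while the only path the command references is `--lock-file=/var/run/lock/pod-checkpointer.lock`; on a Docker host `/var/run` also holds the container runtime socket, so this mount amounts to root on the node. If the checkpointer needs nothing else under that directory, narrowing the volume to `path: /var/run/lock` still satisfies the lock file. The read-write `/etc/kubernetes` mount looks intentional for writing checkpoints; a one-line comment saying so would help the next reader. If this is the upstream bootkube manifest verbatim, recording its source revision in a comment would make drift easier to track.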
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhDCCAmygAwIBAgIIYRTnEUWPB2EwDQYJKoZIhvcNAQELBQAwJTERMA8GA1UE +ChMIYm9vdGt1YmUxEDAOBgNVBAMTB2t1YmUtY2EwHhcNMTcwNTE5MTg0MTIwWhcN +MTgwNTE5MTg0MTIxWjAvMRQwEgYDVQQKEwtrdWJlLW1hc3RlcjEXMBUGA1UEAxMO +a3ViZS1hcGlzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB +sXDQGt4CSkm+H0oT3HgzADzK3IQtc5QVKTb2DTyw2/m+h4MRd6n+lra8pto09Is/ +YiVx8OCCFFsO726ZZqLQlQePDF36QKJbpIyGq2b3GVByDQqtn47xhXUeLu0z7IMK +8906xmZXeg8HHTIS9P66z3xA9kLn0nwSSFJHGTXMoFr8cnLySnrtDHe9pGo/+jcR +0+jiH3at3w2F1tCaTZ8znEMRP80BTysb7IlZdmNBfaSoT45Nje2eBpZDdxvI8qhi +J2ZWZ7vQsu6AlCneKpTj4tgsV6sEAgs2V8pabRaSM5t0Hq1lGo/npcOamIUQAq1u +O2SpSTIojdSHmWdD9h5dAgMBAAGjga0wgaowDgYDVR0PAQH/BAQDAgWgMB0GA1Ud +JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB5BgNVHREEcjBwggprdWJlcm5ldGVz +ggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVybmV0ZXMuZGVm +YXVsdC5zdmOCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcE +CgMAATANBgkqhkiG9w0BAQsFAAOCAQEAj8G9Lc75QNbhADQuOXsSGEi6bJ0UdFoV +vv5VLNMOdZ0+jXtHtLYrB3RygIcolSdqlaqpM9nj61xgnhG3OIYIw8BCqQlaBgO+ +5cAvzmql29AoDbLeu3JctmySScqyCj4mqtlOGHgIotUq226Re1aqSJ8zLH7UDVEa +jyQo8vn5GQm/XwyGUt4nSpYXMi6MztebcePdyOe4387NFJS9/OUQIdWlhv1cegK+ +fU8KRv2MiBfZZqJ1DQD17eV9494DImGN1nCpVlmPNBGTCe75SOYCBOwYhHKoNMLn +YmtnpzBtfAkU4EzjiMm6V22XI/lZsQdxeQfMMScmh+M60DHr7ToRdg== +-----END CERTIFICATE----- diff --git a/assets/tls/apiserver.key b/assets/tls/apiserver.key new file mode 100644 index 00000000..2547d282 --- /dev/null +++ b/assets/tls/apiserver.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwbFw0BreAkpJvh9KE9x4MwA8ytyELXOUFSk29g08sNv5voeD +EXep/pa2vKbaNPSLP2IlcfDgghRbDu9umWai0JUHjwxd+kCiW6SMhqtm9xlQcg0K +rZ+O8YV1Hi7tM+yDCvPdOsZmV3oPBx0yEvT+us98QPZC59J8EkhSRxk1zKBa/HJy +8kp67Qx3vaRqP/o3EdPo4h92rd8NhdbQmk2fM5xDET/NAU8rG+yJWXZjQX2kqE+O +TY3tngaWQ3cbyPKoYidmVme70LLugJQp3iqU4+LYLFerBAILNlfKWm0WkjObdB6t +ZRqP56XDmpiFEAKtbjtkqUkyKI3Uh5lnQ/YeXQIDAQABAoIBAERN1ZGdl+LI3b5s +/EuKuNyLXeTP5NC+bF8V/KrCOj/IIwccdI0JXOpJrcFTOano/t3oN3o5zoIwuXfH +2YHBHvNdSqAYZV+lwVt96IxpD1NeGu9NSBG4LclgHc/6Dm38Hq4TF1XttxNsGLaS +hiEHQnkQSCoEbc2gfV5ZIKKv8jfpShYiaAPzrt3saE/2+OliJ5p6zfXKNlEsg1US +78g+JiOVXZdEQFyPP5Yo8gje8wQ2NetnilQQ9rtBbPv9FfsTrj03srlU2D7IIBdQ +7D3Z5AN7e7RiwRGmStZ4GllcCuhvjhvfhav132G01o8/DwvVLTnfSKFA7+E8UYG9 +6ZAzX4UCgYEA/pXt8ehj3s1f8cNaSEJlD8AsOHgzcuxRvdrE+zA8l4eEFpP5UJej +OcDu966q1yt4Qp7Yx2sW3UA76m7RugdqA5MP25fgzGV5n22iwYbnBQvqDQEOjMH1 +1k0CkaRXhDCzGuwb07og/rhOJdCI3OSCQpLD6BsX8MVPJ/2Gfe4XECcCgYEAwsTo +/iNZFNKkPwlfjpirry6gB7GZYRYdkneMM92fTzuDdqSIrM9oLBeUyixAfPP9c0yV +2cwhc8TLdHxIwatzNNJkwp2+eANfg8jQ0vK9J8V0649C5iM3aZ5MUVG2IS4RAZtH +MG2w5fvdd7SqJ8ROWUy7+E0s472yfJNL3auNa9sCgYEA5AXPwEsAII/cboMlevEU +6Z2bPdzTYAywThcDNWSH8MStFzfkJz4aMWFP6EHmvKAvr6Psz/hn2zVsNNabPD7l +wlvW6T1IWGpPG++rxiCZDJkWQh1/Na2IDjCdq2sCA+FGmkd9yQ69/MeBHzd/TjHR +ReWEWIDj2YAwHMZjzqkQuSMCgYA10Kp/7cxjUIBJWpGomM53LO7SsWOry6yIF7gJ +bKbkAZGlanjJJtWluS5HXkrDO7c/8F1HPHvRvQJqQRzpRjIi2i81Btjl2CjABPCO +GLvjDU/s9jyJ0hkxeaekoGsuZ8gTJZBZ9TT3lsvuk2CgdEEhs24MgWZx1qxGd3xy +1z/QGQKBgQCE7afZwIEUQ6epGlUPwmm+mqGiUNbXAz/PnK/IhuOeV9aEU78lPH8p +6rMpuh5SOqGcRaZhpRSIY3vqU9Yk49OO4BOawF2j8k4pVkTaJGgD71in8aDbcVBc +VlIMP2q93mnyO7OC8znQKHMs5WRWEokRbSsjWEeQF1MtyBWaIiWmlg== +-----END RSA PRIVATE KEY----- diff --git a/assets/tls/ca.crt b/assets/tls/ca.crt new file mode 100644 index 00000000..cca186c3 --- /dev/null +++ b/assets/tls/ca.crt 
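Review bot: This hunk commits `assets/tls/apiserver.key` in the clear, and the following hunks do the same for `ca.key` and `kubelet.key`, with `service-account.key` listed in the diffstat; once in git history these keys are effectively public and have to be treated as compromised for any real cluster, and `ca.key` in particular can issue credentials trusted by every component. Generating the TLS and service-account material per deployment during the genesis step, and excluding `assets/tls/*.key` from the repository (`.gitignore`) and from the image (`.dockerignore`), avoids shipping fixed keys. If fixed keys are intentional for the Vagrant test flow, a README sentence saying so and stating that they must never be reused would stop them being carried into a production setup.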
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6DCCAdCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAlMREwDwYDVQQKEwhib290 +a3ViZTEQMA4GA1UEAxMHa3ViZS1jYTAeFw0xNzA1MTkxODQxMjBaFw0yNzA1MTcx +ODQxMjBaMCUxETAPBgNVBAoTCGJvb3RrdWJlMRAwDgYDVQQDEwdrdWJlLWNhMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAulAVfzTe/mMl31NAx7P524sz +nQKmxG+BXfDPt4O778tBF76RsEX+wKrRtooBr7axhvR0ok5kDZPARGpNKARmdCSm +336ErFtqTwMoreY7WVCU2CBFOtt2umfJDuGVoNUHEkD8MeV2lYJCoxwJrhe5wiqq +m4hptSCepUjilmkReWQ+/N4+RVDpr86GY2QBUlv9OtA5hxTisbA01SwSPAWrpOqV +8JIj2RLZn85FTzMFTQk0Wu0Zugiryqdaxl33VL3+URI3QC2r2dpvd1SeyWDEXvjm +kn9238we+2wBeRaceCvC7jyDvYSOhS+j92wFdnQYx+HinA8nn8Qfdm38u6A9hwID +AQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG +9w0BAQsFAAOCAQEADHvgtDCE8tv0lKIzEqfubUA5LKQ4NiT5SUAucYazMpKw1QIW +QinCoLEfyPMwgkbgXjzwne8PxeEjjvwCRqwbyViBWnv937p94poZ/9G3CW3bSYwQ +4ZeZnwW6wW0IGsEheMwknBeQboocM6cXu8hto1AYHOnjtg2t1RufWpsDn5aokuW/ +RI8Hg5vnWWKAAAwcwkmg8aiN/1nYQG/coD41kXe/iJ1DTPZa2CPxgm71f2hRnEYT +c7uT7uueBapo1O+ttPkghsIvPZKc6vKxK0wrvzHGRoULl77Z83z92aoPLzcmnJ3d +MFEq4d7JQ5u5i+SaqqqOdp1RGAiuiNpcvyP9ew== +-----END CERTIFICATE----- diff --git a/assets/tls/ca.key b/assets/tls/ca.key new file mode 100644 index 00000000..f3c15499 --- /dev/null +++ b/assets/tls/ca.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAulAVfzTe/mMl31NAx7P524sznQKmxG+BXfDPt4O778tBF76R +sEX+wKrRtooBr7axhvR0ok5kDZPARGpNKARmdCSm336ErFtqTwMoreY7WVCU2CBF +Ott2umfJDuGVoNUHEkD8MeV2lYJCoxwJrhe5wiqqm4hptSCepUjilmkReWQ+/N4+ +RVDpr86GY2QBUlv9OtA5hxTisbA01SwSPAWrpOqV8JIj2RLZn85FTzMFTQk0Wu0Z +ugiryqdaxl33VL3+URI3QC2r2dpvd1SeyWDEXvjmkn9238we+2wBeRaceCvC7jyD +vYSOhS+j92wFdnQYx+HinA8nn8Qfdm38u6A9hwIDAQABAoIBADpNLSztQoqgRA2q +Y68aZqmI2dHcLotxyS24WYe3tWvIUso3XCeo/5sS2SUh8n0l0k/E12qi1TRac+P0 +z8gh+F2HyqBNWv8EbDPlbSldzlyYlrs6/e75FiImsAf0F3qIrvnLVB/ZCk6mwGuC +LpVH310fNNwOx+ViG8LlF+KxZkJxzoKQ2RwiCwzMzpvNBTJyEE1jfqNlc92XnP65 +FhjcFfzSJhFK3VH1gdpfO8bUiLiiUhzKzXH7Af73UqZ22wHeYx87ZJBv7e9ymbWT +GMf9js92e3OdXa3al75JlXgexSDmV2OdZNj6zpqAyupo5b+jXNxcxDaQCitOAcyU +H6HqMiECgYEAwWeEvOL/JC1hFBniM3jtG7ZcXjT1nuc0I9z+b0O6i3JXp1AXuxqU +COOn0udgJ4SJZZk2LOja7Mq6DsPvbPK9OA/XvSju6U/cqALpLdT+bvcG1J5km80w +F9d5a8CmABYsIzIm5VOYCZN/ELxo9uzDhNpiU1m7EVZengg8E1/xSpMCgYEA9pz/ +SGZTFHdLZn7jgg9EzdnjZ2SlSnGc1tHayiRbHknwt8JFMwHeL/TPI6/4ns4A8l59 +IEl1Zf8pWDhwa2qGITXQBmauLYzuPGSIBdABLnJQtE4r6o+vYafZxZVvTAv5B4Sz +TCWFkLYtvHvs71+u7IKS+dJg3EYy3Gx5KVhddb0CgYAr8QMdj018wLqvwHm+TBlD +FJnD5bBwnAMiqtE8Il091YrIvs/FePJtWpwEtQEJuXkmFjtS1Mz4w86mECpTzIrl +M+RGXAh8BeMSYSbtfNkaCRIKOLqPE317zT8PFkQg/OimTny72dRPSK2z9bq7b2u0 +wZFZcqen9sGkkiZkGIZP9QKBgQDcgX6FVvD8QLqLl/OHLG3h/ewmW8irqrCJKDUQ +P7e1enmhZTSIqifoC2ZXS5XrMNmJ3VDWWLh/DcsDFdv3P9VUxpAN2SvukK/IEj/J +qrYTuKVOwwLjhbxUfkfrMnXEsoPl5BKJiJdH0I1OliRB2PVIhmwysphm/OGnU9p2 +TIuspQKBgQCq5QJcny6CWHnFh/Q1faYqIjvaS4MqLfnDndvZ98abpcjik3AKgWof +iaROSk40L+q4uDuaM5tU1ufS/FS94hwlk2O1bQ/xgJBkNZnvZJRFU3oZjhggyl6G +iFtBTAGGtJqHTPMtn/Y6dUOJ/ZFIZWzuNhJGYX/S3ifpZeldKXmXew== +-----END RSA PRIVATE KEY----- diff --git a/assets/tls/kubelet.crt b/assets/tls/kubelet.crt new file mode 100644 index 00000000..859df1d1 --- /dev/null +++ b/assets/tls/kubelet.crt 
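Review bot: This hunk commits the cluster CA private key in cleartext, so anyone with read access to the repository, or to an image built from it, can issue certificates that the apiserver and every kubelet will trust, including client certificates for any identity; the matching ca.crt in the previous hunk appears (decoding the base64) to be a self-signed `O=bootkube, CN=kube-ca` certificate with CA:TRUE and a validity ending in May 2027, so the exposure does not age out. Private keys should not live under assets/ at all: generate the CA at genesis time, or have install_assets read it from a mount that is not part of the build context, and exclude `assets/tls/*.key` in both .gitignore and .dockerignore. If this material has ever been pushed anywhere shared, the CA must be treated as compromised and re-keyed rather than just deleted from the tree. A one-line README note that assets/tls is for ephemeral, locally generated material only would help the next contributor avoid repeating this.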
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAzCCAeugAwIBAgIILMPkLd2E/uAwDQYJKoZIhvcNAQELBQAwJTERMA8GA1UE +ChMIYm9vdGt1YmUxEDAOBgNVBAMTB2t1YmUtY2EwHhcNMTcwNTE5MTg0MTIwWhcN +MTgwNTE5MTg0MTIxWjArMRcwFQYDVQQKEw5zeXN0ZW06bWFzdGVyczEQMA4GA1UE +AxMHa3ViZWxldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALtz9mHo +tPkidPbQeu9RS6tAOQhAhPOzV7y5kxo9ZkyGR5mOJ5MElfoofHWGXDqJs3IHO6Zr +ZTKTYgX6c3jisMhIT62JnN9ZaATWcrd+qQ15ixTNhqdy3UcX6xlB8YF8KpVZ40rO +wrP/UsG9EaBit37iOmmINIkZtbNIhvOYhkJvr+NOtX/8TsnRZpT9PyCeyZJbsZIZ +d1Apfu2ENeS1C1OgOQIEOREBehc3GVH11D9BRtFob22MjZUjxyGj0SButUmpvnY9 +ogfE5pT0yhI+kZlP6iMPkk0oGlkcc+U4X8VrSyYXfJNEbmI5aDZe3A4lk4fXiF/Y +NosbHYnzdf/j0acCAwEAAaMxMC8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG +CCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAIgaxO6aAyGRq +MINPID5bG/ZSRoIBSEX0bAviLKWP9RonjfayM8Xb3r2WZ4TmJoYYDNMRFoyCeStw +1fjl7b2vpmFBOxlpmRvNhRF1dlI9Rt4GRRVkxeS7c4dkc0LFTHEPp0X/RmSt4uf+ +X9sYsWOGSBf52+qZ/7UNI6SYwoltenzbwnLHY9NSLXiVFommCXPaBma1GlkQN2F3 +cEInhf78BXKXeIpWdZboHuWOUu3aoRT0p6fegb2Uxh2a73s6sToHjE7oy3H2ZvKR +kcFJ2TnKMrqzEK/9wyc/gu/kYVx8/zCoPlDQASem7aTZgOIDZ8wc4g9rBitnxdIs +jxZwjOKt9g== +-----END CERTIFICATE----- diff --git a/assets/tls/kubelet.key b/assets/tls/kubelet.key new file mode 100644 index 00000000..27816a66 --- /dev/null +++ b/assets/tls/kubelet.key 
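Review bot: Decoding the subject of this certificate gives `O=system:masters, CN=kubelet`, which means the single kubelet identity shared by every node this patch installs is a cluster-admin credential (system:masters bypasses RBAC), so compromise of /etc/kubernetes on any one node yields full control of the cluster. Kubelets should carry per-node identities (`O=system:nodes, CN=system:node:<hostname>`) issued at join time, for example via TLS bootstrapping, rather than a cert checked into the repository alongside its key in the next hunk. The validity window also decodes to 2017-05-19 through 2018-05-19 and nothing visible in this patch rotates it, so clusters built from these assets would stop authenticating after a year.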
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAu3P2Yei0+SJ09tB671FLq0A5CECE87NXvLmTGj1mTIZHmY4n +kwSV+ih8dYZcOomzcgc7pmtlMpNiBfpzeOKwyEhPrYmc31loBNZyt36pDXmLFM2G +p3LdRxfrGUHxgXwqlVnjSs7Cs/9Swb0RoGK3fuI6aYg0iRm1s0iG85iGQm+v4061 +f/xOydFmlP0/IJ7Jkluxkhl3UCl+7YQ15LULU6A5AgQ5EQF6FzcZUfXUP0FG0Whv +bYyNlSPHIaPRIG61Sam+dj2iB8TmlPTKEj6RmU/qIw+STSgaWRxz5ThfxWtLJhd8 +k0RuYjloNl7cDiWTh9eIX9g2ixsdifN1/+PRpwIDAQABAoIBAQCRpzJbs4DjUHXH +zgin6eg9AaMPGWr1HXZgC2YU7n6NmY0K8N0pLFgIz+qdOzBwv8xyHtKnpi001jZF +ZOzSknpAtYdL1XDST1s23xa2I7Hh6X47RNOLSwJLGnev4YBxV3STJgwpdWzuhcbd +CTcoA2yHJ+uxUodXvGVmEEXkA7DW7zLZpvLJ//nD5z5CM0IUPdaSgXhYQp2NZWtI +RjLdjkuYVyBYC2rU4LpmiH1eIVL7bDHoUQhOaHN0wSFG80o46gvrqbhrMPw7BwIu +bCW30q4Y4JPRYn5ru0zCForne65I2kRtnJUDjn99dOntWVZibRojY0hFFEyGYOjZ +WItzGAbxAoGBANFj2ZHitQxtqYs7MNIY9jz/7pzuPaX8dm+2/3WW5Aot01+s4yVH +pd7HE8l5NjnejWG7nG2GPsIhbCCVXEtSMGt1BRioKpc2dLq+ZQb75LGDMaJzMWEm +/HimJuhXvxOzzKC9Z29vo4d6JC58vPwyu27dFAv3rzAcdiWb/aib7S6ZAoGBAOUu +BePZgqlpwl3wqDlAljiLsH8AeZUH2rDA4n4d+1kKPMqJYMmftGaTkDJMeJfisfKb +EXcQsGJAeOLHRpY1VvkHqn5v+7qg9JHSnlw+/nTF5Vk6ISAFMs2Qfwdq6fZ898GZ +mi9VXr0hez7Z/v/liCxBcl0hgAhnjIFGvQ5rSmo/AoGBAIvlVFWdzCyTj/UQBNw6 +BTpYHAoJOnMNq+uTrjXYLF+IonKHxfMAXZfsFhJDw7ECOh+UAz1BtehqAB387H7+ +WI9SzabdpCcHIRIrZsA1x2O6LY1FvTYVoBTTnacaCPWW6R5zrQnM4sr/FfFhMbqm +AohdeKlOQGO6gE08XUsrclnxAoGBALOv+f5DtCaQPUzaO4toEGAVZjStcqZemiCr +mum3KDMPy8ohHDn5dcBXQl+thX/QxiSpYHAyLZlbY2yrQbTT7XUjhZHMy1nwiNEs +ie1ZlriH0OK8qOwqJ0L1YCO4t+gC415vyGwES1uOvMrysPSCStooFjre4Tu1tHxH +skNz68yRAoGBAJyMFoQu0rzOxCwQx+8m1encm9pcUvu2eSwwy+9460W474Ww4qZA +F4DWwjDg5dBG1Im21KIJkhoX579dh3QIRr3PRwlQUkQlxTrUSEtpfNTU3pvWV9BF +tuLS1TnOdweoQ8cGZZd9PWMLLrBd0JeR4FyH23rOUmMFwJ2A6OopeX6B +-----END RSA PRIVATE KEY----- diff --git a/assets/tls/service-account.key b/assets/tls/service-account.key new file mode 100644 index 00000000..26c20230 --- /dev/null +++ b/assets/tls/service-account.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA1OJQmE9JCI20h3BI/xJpQoNIfYviHIhlx6Al60Kv4Zb+taD+ +Jd6pCbHqjgYyiYH1wq0nMC9MiRbphdMsKfJXo57H2X1QWNc+3RYzNEL2ra2rkCGw +q1jKGk6RofagbrinjAC9hGcm/V713fCdSpULH6Ruro9Kjvtca0nLjBcGC03pkuUi +1e7EPj2SALQxA1iV2+sqqpg2axlpyAN7gecafjVN10kkMw9GKumQqUpejCtf3tTv +zzfmGqiNnHDB8lDnXpHecKIZkfXdH5Pd4jRY5DyFfrsL5xy0OHF4rA/EDSFkdEZ2 +rTYiCB/O17pw6LuEu79V3N2hJVEwe4Uti3olQwIDAQABAoIBAHSWjXUc1u6sTNZw +FEo9lxAqPiUj2u2tdbBicOHrX8+4lj56sTWkQAdjPQYTNtJALowzsGafQNdDiRkV +kfZXFtAxQVpHWx2MpI0If3p7wgVUO8Vv7gWpVuYZaYC+RRbeYkQ2k5RTufLBcv3d +rQcPoUvvDf7j0v2DhBXuEF/krBa70OnI6Fv5b6Tay4cN6vmNJSPUlDPvicCizmvV +WtAq5pkPfXW1uweMYDOSD10zaetclMae/0C1hahk9kGoLv49XnKCX/Luzwx0ShJL +F0Zk+0s9nmMAAfRL8JM7E9iwXa8I4zXpaNON5RfzdUQeU6puhNQrMExrfzFYWYVl +rPaRnqECgYEA4C7i9B08wR+JEbKeEvTTzUAS8W+S5lSkzPN75Tt4aHeTojzvRXa0 +nUvbr+0PGctpa3OwDzh/SayKqkJvWzxWmzKELTsWkpUZLyx37oxkoQ+dUKSFDYF7 +ejGYfqthUC65NA0rqmz6qiCK/RFXL1ihMY0f/74+IzChoiftpFQ0pt8CgYEA8xjn +jHcBpGmUOyKRWkmTM1x3l5NhT2bZYy5CGPXZ8tiu6zdi2gw2xUmgVIPzUnTDqmOH +NPuRvHv2sovqZsApDankwzsWthFLVFjPdpXjVa+Gvp6YN0FTeeIEjGujmCJ9Zj9b +oIk4o6gRzQNx5L/RaE2/oQrTGwlCWeA44pH6gh0CgYEA0KZSzOk5VnVHWZVo0jPT +vUBZYSR7EKzPBYHIWj3Tf0drvKACAiDNUWj8+uwkFdngMAXoYwIuVh+kn3pdsgii +gqetpXtNMvhaDDHTHc7FCbJCtH+q5jsQ9VWbnKldVQdnkC6B6YisdBL9yTOOdZ6D +yF6U3a3un0nv5cBLyZoltvkCgYEA5Aexc6ZSKQpMXGghlmK7rIsJN2qs9hFQy2Mh +503+oni1I7jxhf29BrT4qy6W+PrEa7kuo/lzDC3wDC2Is9d+6u05xBRSSnjQg49H +FEKnW8HpkDcuK26gwgzMHXf+nf+ER3wZE+6D7agDAp8/n8Z6xO9hWMvRmGPIFIxq +b8VlCdUCgYBgwfUsSsCMP8KVOJAuwf4/SWOkIUUQHQUj1CyEz2UWG5QiP2wqFiA7 +IH8K8JsO9MSWq3ndR9kR+HGBCkJyyoD1GzBZeRhPb+69fYWao3lKUzEDqmxB7zjh +NPltbLlGGNbPhczXyJeSv1N94MUwY1wt0aAX6G+HiBI8a3cjC/cQPg== +-----END RSA PRIVATE KEY----- diff --git a/assets/tls/service-account.pub b/assets/tls/service-account.pub new file mode 100644 index 00000000..a43e38fc --- /dev/null +++ b/assets/tls/service-account.pub 
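Review bot: service-account.key is presumably the key used to sign service-account tokens (verified against service-account.pub in the next hunk), so with this file public anyone can forge a bearer token for any service account in any namespace, including kube-system, without first touching the cluster. Like the other private keys under assets/tls it should be generated at genesis and kept out of git and the Docker build context; the .pub half is safe to commit, the .key is not. If the repository has been shared, rotate the pair and restart the components that consume it.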
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1OJQmE9JCI20h3BI/xJp
+QoNIfYviHIhlx6Al60Kv4Zb+taD+Jd6pCbHqjgYyiYH1wq0nMC9MiRbphdMsKfJX
+o57H2X1QWNc+3RYzNEL2ra2rkCGwq1jKGk6RofagbrinjAC9hGcm/V713fCdSpUL
+H6Ruro9Kjvtca0nLjBcGC03pkuUi1e7EPj2SALQxA1iV2+sqqpg2axlpyAN7geca
+fjVN10kkMw9GKumQqUpejCtf3tTvzzfmGqiNnHDB8lDnXpHecKIZkfXdH5Pd4jRY
+5DyFfrsL5xy0OHF4rA/EDSFkdEZ2rTYiCB/O17pw6LuEu79V3N2hJVEwe4Uti3ol
+QwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/kubelet.service.template b/kubelet.service.template
new file mode 100644
index 00000000..e0fa7f79
--- /dev/null
+++ b/kubelet.service.template
@@ -0,0 +1,26 @@
+[Unit]
+Description=Kubernetes Kubelet
+Documentation=https://kubernetes.io/docs/admin/kubelet/
+
+[Service]
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
+ExecStart=/usr/local/bin/kubelet \
+ --kubeconfig=/etc/kubernetes/kubeconfig \
+ --require-kubeconfig \
+ --cni-conf-dir=/etc/cni/net.d \
+ --cni-bin-dir=/opt/cni/bin \
+ --network-plugin=cni \
+ --lock-file=/var/run/lock/kubelet.lock \
+ --exit-on-lock-contention \
+ --pod-manifest-path=/etc/kubernetes/manifests \
+ --allow-privileged \
+ --cluster_dns=192.168.1.70,8.8.8.8,10.3.0.10 \
+ --cluster_domain=cluster.local \
+ --node-labels=node-role.kubernetes.io/canal-node=true,node-role.kubernetes.io/master= \
+ --hostname-override=${NODE_HOSTNAME} \
+ --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts/common/func.sh b/scripts/common/func.sh
new file mode 100644
index 00000000..26742d65
--- /dev/null
+++ b/scripts/common/func.sh
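Review bot: The kubelet unit hardcodes `--node-labels=...,node-role.kubernetes.io/master=` and the same template is installed by install_kubelet from both entrypoints (entrypoint-join.sh calls it too), so every node that joins labels itself as a master and becomes eligible for control-plane workloads that select on that label; the label set should be a template variable, e.g. `--node-labels=${NODE_LABELS} \`. In the same way `--cluster_dns=192.168.1.70,8.8.8.8,10.3.0.10` bakes a private LAN address and a public resolver into every deployment and should become `--cluster_dns=${CLUSTER_DNS} \`. `${NODE_HOSTNAME}` is also substituted into the unit unchecked, and the only validation visible in func.sh is that it is non-empty, so a value containing whitespace or a newline would rewrite the ExecStart line; a hostname-pattern check at validate_environment time would close that. Finally, `--allow-privileged` on every node deserves a comment explaining which manifests need it, since it is what lets a compromised pod spec become host root.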
@@ -0,0 +1,64 @@ +# Copyright 2017 The Promenade Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +function validate_environment { + local ERRORS= + + if [ "x${NODE_HOSTNAME}" = "x" ]; then + echo Error: NODE_HOSTNAME not defined, but required. + ERRORS=1 + fi + + if ! docker info; then + cat < /target/etc/systemd/system/kubelet.service + chown root:root /target/etc/systemd/system/kubelet.service + chmod 644 /target/etc/systemd/system/kubelet.service + + chroot --userspec root:root /target /bin/bash < ./scripts/start-kubelet.sh +} diff --git a/scripts/common/start-kubelet.sh b/scripts/common/start-kubelet.sh new file mode 100755 index 00000000..b94787d4 --- /dev/null +++ b/scripts/common/start-kubelet.sh @@ -0,0 +1,21 @@ +#!/bin/bash +# +# Copyright 2017 The Promenade Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -ex + +systemctl daemon-reload +systemctl enable kubelet.service +systemctl start kubelet.service 
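Review bot: validate_environment only rejects an empty NODE_HOSTNAME, yet the value is later expanded into the systemd unit that install_kubelet writes and then executed inside the host via `chroot --userspec root:root /target /bin/bash < ./scripts/start-kubelet.sh`, so the check should also constrain its shape, e.g. `if ! [[ "${NODE_HOSTNAME}" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ ]]; then echo Error: NODE_HOSTNAME is not a valid hostname.; ERRORS=1; fi`. The chroot line itself means this container is effectively host root whenever /target is the host filesystem, which is worth stating in a header comment on install_kubelet along with the expectation that /target is mounted read-write only for this step. Note that the rendering of this hunk appears truncated between `cat <` and `/target/etc/systemd/system/kubelet.service` (the heredoc body and presumably install_assets/install_cni are missing), so I cannot confirm what the unit-file write does with its input beyond the chown/chmod that follow.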
diff --git a/scripts/entrypoint-genesis.sh b/scripts/entrypoint-genesis.sh
new file mode 100755
index 00000000..c45ab7d9
--- /dev/null
+++ b/scripts/entrypoint-genesis.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+source ./scripts/env.sh
+source ./scripts/func.sh
+
+validate_environment
+# XXX validate_genesis_assets
+
+docker load -i ./genesis-images.tar
+
+install_assets
+install_cni
+install_kubelet
+
+docker run --rm \
+ -v /etc/kubernetes:/etc/kubernetes \
+ quay.io/coreos/bootkube:${BOOTKUBE_VERSION} \
+ /bootkube start \
+ --asset-dir=/etc/kubernetes
diff --git a/scripts/entrypoint-join.sh b/scripts/entrypoint-join.sh
new file mode 100755
index 00000000..b2c1ceae
--- /dev/null
+++ b/scripts/entrypoint-join.sh
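Review bot: `docker load -i ./genesis-images.tar` imports whatever tarball is in the image with no integrity check, and the `# XXX validate_genesis_assets` line leaves asset validation unimplemented, so install_assets proceeds with whatever happens to be under assets/ (including the committed private keys); at minimum verify the tarball against a recorded sha256 before loading and fail if the TLS material is missing or world-readable. The script runs with `set -ex` but not `-u`, so an unset BOOTKUBE_VERSION from env.sh would silently produce the reference `quay.io/coreos/bootkube:` rather than a clear error; `set -eux` plus a `: "${BOOTKUBE_VERSION:?must be set}"` guard before the docker run would catch it, and pinning that image by digest would make the bootstrap reproducible. The bootkube container also receives `/etc/kubernetes` read-write with the CA key inside, which is worth a comment since it is the most sensitive mount in the whole flow.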
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+source ./scripts/env.sh
+source ./scripts/func.sh
+
+validate_environment
+# XXX validate_join_assets
+
+install_assets
+install_cni
+install_kubelet
diff --git a/test-install.sh b/test-install.sh
new file mode 100755
index 00000000..0376ec62
--- /dev/null
+++ b/test-install.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# Setup master
+vagrant ssh n0 <
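Review bot: The join path has no node-specific credential or join secret: it runs the same install_assets/install_cni/install_kubelet sequence as genesis, so a joining node presumably receives the identical kubeconfig and kubelet certificate that the genesis node uses, and any host that can run this image is indistinguishable from a legitimate cluster member. Joining should require something the cluster issued for that node (a bootstrap token or a per-node cert) and `# XXX validate_join_assets` should at least be replaced by a check that the kubeconfig exists and is mode 600 before it is copied into place. As in the genesis entrypoint, `set -ex` should become `set -eux` so an unset variable from env.sh fails loudly. The test-install.sh hunk that follows is cut off at the edge of this view, so I have not reviewed it.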