
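#!/bin/sh -x
#
# Configure the Kubernetes control-plane components on a Magnum master node:
# install the kubelet/apiserver/controller-manager/scheduler/proxy system
# containers with `atomic`, then render the /etc/kubernetes/* sysconfig files
# and kubeconfigs from the values in /etc/sysconfig/heat-params.
#
# Inputs (read from heat-params): CONTAINER_INFRA_PREFIX, NETWORK_DRIVER,
# KUBE_TAG, TLS_DISABLED, KUBE_API_PORT, KUBE_ALLOW_PRIV, PODS_NETWORK_CIDR,
# PORTAL_NETWORK_CIDR, ADMISSION_CONTROL_LIST, CLOUD_PROVIDER_ENABLED,
# KEYSTONE_AUTH_ENABLED, CERT_MANAGER_API, CLUSTER_UUID, DNS_SERVICE_IP,
# DNS_CLUSTER_DOMAIN, CGROUP_DRIVER, INSECURE_REGISTRY_URL, KUBE_NODE_IP,
# HTTP_PROXY/HTTPS_PROXY/NO_PROXY and the KUBEAPI_OPTIONS /
# KUBECONTROLLER_OPTIONS / KUBELET_OPTIONS pass-through strings.
# Outputs: files under /etc/kubernetes, /etc/sysconfig/docker,
# /etc/systemd/system, /etc/sysctl.conf and /etc/NetworkManager/conf.d.
#
# NOTE: the pattern substitution on KUBE_API_ARGS further down is a bashism,
# so this script relies on /bin/sh being bash (as on the Atomic hosts it
# targets).

# heat-params may carry cluster credentials (TODO confirm for this release).
# Under the shebang's -x every assignment in a sourced file is traced to
# stderr and lands in the boot log, so tracing is paused while sourcing it.
set +x
. /etc/sysconfig/heat-params
set -x

echo "configuring kubernetes (master)"

# Pass proxy settings on to the commands below (atomic pulls images).
if [ -n "$HTTP_PROXY" ]; then
    export HTTP_PROXY
fi

if [ -n "$HTTPS_PROXY" ]; then
    export HTTPS_PROXY
fi

if [ -n "$NO_PROXY" ]; then
    export NO_PROXY
fi

# Registry prefix for the kubernetes system-container images.
_prefix=${CONTAINER_INFRA_PREFIX:-docker.io/openstackmagnum/}

# Start from a clean CNI state; the plugin directories are bind-mounted into
# the kubelet system container via ADDTL_MOUNTS below.
rm -rf /etc/cni/net.d/*
rm -rf /var/lib/cni/*
rm -rf /opt/cni/*
mkdir -p /opt/cni
mkdir -p /etc/cni/net.d/
_addtl_mounts=',{"type":"bind","source":"/opt/cni","destination":"/opt/cni","options":["bind","rw","slave","mode=777"]},{"type":"bind","source":"/var/lib/docker","destination":"/var/lib/docker","options":["bind","rw","slave","mode=755"]}'

if [ "$NETWORK_DRIVER" = "calico" ]; then
    # Keep NetworkManager's hands off the interfaces Calico creates.
    if systemctl is-active --quiet NetworkManager.service; then
        CALICO_NM=/etc/NetworkManager/conf.d/calico.conf
        [ -f "${CALICO_NM}" ] || {
            echo "Writing File: $CALICO_NM"
            mkdir -p "$(dirname "${CALICO_NM}")"
            cat << EOF > "${CALICO_NM}"
[keyfile]
unmanaged-devices=interface-name:cali*;interface-name:tunl*
EOF
        }
        systemctl restart NetworkManager
        # Strict reverse-path filtering; only append once so re-runs of this
        # fragment do not pile up duplicate lines in sysctl.conf.
        grep -qxF "net.ipv4.conf.all.rp_filter = 1" /etc/sysctl.conf || \
            echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
        sysctl -p
    fi
fi

# Install the control-plane components as ostree system containers.
atomic install --storage ostree --system "--set=ADDTL_MOUNTS=${_addtl_mounts}" --system-package=no --name=kubelet "${_prefix}kubernetes-kubelet:${KUBE_TAG}"
atomic install --storage ostree --system --system-package=no --name=kube-apiserver "${_prefix}kubernetes-apiserver:${KUBE_TAG}"
atomic install --storage ostree --system --system-package=no --name=kube-controller-manager "${_prefix}kubernetes-controller-manager:${KUBE_TAG}"
atomic install --storage ostree --system --system-package=no --name=kube-scheduler "${_prefix}kubernetes-scheduler:${KUBE_TAG}"
atomic install --storage ostree --system --system-package=no --name=kube-proxy "${_prefix}kubernetes-proxy:${KUBE_TAG}"

CERT_DIR=/etc/kubernetes/certs

# kube-proxy config
# The proxy talks to the apiserver over the loopback-only insecure port
# (bound to 127.0.0.1:8080 below), hence plain http and no client cert.
PROXY_KUBECONFIG=/etc/kubernetes/proxy-kubeconfig.yaml
cat > /etc/kubernetes/proxy << EOF
KUBE_PROXY_ARGS="--kubeconfig=${PROXY_KUBECONFIG} --cluster-cidr=${PODS_NETWORK_CIDR}"
EOF

cat > "${PROXY_KUBECONFIG}" << EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority: ${CERT_DIR}/ca.crt
    server: http://127.0.0.1:8080
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kube-proxy
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kube-proxy
  user:
    as-user-extra: {}
EOF

sed -i '
    /^KUBE_ALLOW_PRIV=/ s/=.*/="--allow-privileged='"$KUBE_ALLOW_PRIV"'"/
    /^KUBE_MASTER=/ s|=.*|="--master=http://127.0.0.1:8080"|
' /etc/kubernetes/config

# kube-apiserver args
KUBE_API_ARGS="--runtime-config=api/all=true"
KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
KUBE_API_ARGS="$KUBE_API_ARGS $KUBEAPI_OPTIONS"
if [ "$TLS_DISABLED" = "True" ]; then
    # No TLS at all: the unauthenticated insecure port is exposed on every
    # interface. Only for clusters explicitly created with TLS disabled.
    KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0 --insecure-port=$KUBE_API_PORT"
else
    KUBE_API_ADDRESS="--bind-address=0.0.0.0 --secure-port=$KUBE_API_PORT"
    # The insecure port is used internally by the node-local components
    # (kube-proxy, kubelet, controller-manager, scheduler). It carries no
    # authentication or authorization, so it must stay bound to loopback.
    KUBE_API_ADDRESS="$KUBE_API_ADDRESS --insecure-bind-address=127.0.0.1 --insecure-port=8080"
    KUBE_API_ARGS="$KUBE_API_ARGS --authorization-mode=Node,RBAC --tls-cert-file=$CERT_DIR/server.crt"
    KUBE_API_ARGS="$KUBE_API_ARGS --tls-private-key-file=$CERT_DIR/server.key"
    KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=$CERT_DIR/ca.crt"
    KUBE_API_ARGS="$KUBE_API_ARGS --service-account-key-file=${CERT_DIR}/service_account.key"
    # apiserver -> kubelet connections are authenticated with the server cert
    # and verified against the cluster CA.
    KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-certificate-authority=${CERT_DIR}/ca.crt --kubelet-client-certificate=${CERT_DIR}/server.crt --kubelet-client-key=${CERT_DIR}/server.key --kubelet-https=true"
    # Allow for metrics-server/aggregator communication
    KUBE_API_ARGS="${KUBE_API_ARGS} \
        --proxy-client-cert-file=${CERT_DIR}/server.crt \
        --proxy-client-key-file=${CERT_DIR}/server.key \
        --requestheader-allowed-names=front-proxy-client,kube,kubernetes \
        --requestheader-client-ca-file=${CERT_DIR}/ca.crt \
        --requestheader-extra-headers-prefix=X-Remote-Extra- \
        --requestheader-group-headers=X-Remote-Group \
        --requestheader-username-headers=X-Remote-User"
fi

# Admission plugins are only enabled on TLS clusters; NodeRestriction is
# always prepended to the operator-supplied list.
KUBE_ADMISSION_CONTROL=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" = "False" ]; then
    KUBE_ADMISSION_CONTROL="--admission-control=NodeRestriction,${ADMISSION_CONTROL_LIST}"
fi

if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    KUBE_API_ARGS="$KUBE_API_ARGS --cloud-provider=external"
fi

if [ "$KEYSTONE_AUTH_ENABLED" = "True" ]; then
    KEYSTONE_WEBHOOK_CONFIG=/etc/kubernetes/keystone_webhook_config.yaml

    [ -f "${KEYSTONE_WEBHOOK_CONFIG}" ] || {
        echo "Writing File: $KEYSTONE_WEBHOOK_CONFIG"
        mkdir -p "$(dirname "${KEYSTONE_WEBHOOK_CONFIG}")"
        # TLS verification is skipped for the webhook because it is expected
        # to run on this host (loopback). If the endpoint ever moves off-host,
        # replace insecure-skip-tls-verify with certificate-authority.
        cat << EOF > "${KEYSTONE_WEBHOOK_CONFIG}"
---
apiVersion: v1
kind: Config
preferences: {}
clusters:
  - cluster:
      insecure-skip-tls-verify: true
      server: https://127.0.0.1:8443/webhook
    name: webhook
users:
  - name: webhook
contexts:
  - context:
      cluster: webhook
      user: webhook
    name: webhook
current-context: webhook
EOF
    }
    KUBE_API_ARGS="$KUBE_API_ARGS --authentication-token-webhook-config-file=/etc/kubernetes/keystone_webhook_config.yaml --authorization-webhook-config-file=/etc/kubernetes/keystone_webhook_config.yaml"
    # Insert Webhook between Node and RBAC in the authorization chain
    # (bash pattern substitution; see the note at the top of the file).
    webhook_auth="--authorization-mode=Node,Webhook,RBAC"
    KUBE_API_ARGS=${KUBE_API_ARGS/--authorization-mode=Node,RBAC/$webhook_auth}
fi

sed -i '
    /^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
    /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
    /^KUBE_API_ARGS=/ s|=.*|="'"${KUBE_API_ARGS}"'"|
    /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/
    /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
' /etc/kubernetes/apiserver


# Add controller manager args
KUBE_CONTROLLER_MANAGER_ARGS="--leader-elect=true"
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cluster-name=${CLUSTER_UUID}"
KUBE_CONTROLLER_MANAGER_ARGS="${KUBE_CONTROLLER_MANAGER_ARGS} --allocate-node-cidrs=true"
KUBE_CONTROLLER_MANAGER_ARGS="${KUBE_CONTROLLER_MANAGER_ARGS} --cluster-cidr=${PODS_NETWORK_CIDR}"
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS $KUBECONTROLLER_OPTIONS"
# Service-account token signing key and root CA, gated on the same condition
# as the admission plugins above.
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" = "False" ]; then
    KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --service-account-private-key-file=$CERT_DIR/service_account_private.key --root-ca-file=$CERT_DIR/ca.crt"
fi

if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cloud-provider=external"
    KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --external-cloud-volume-plugin=openstack --cloud-config=/etc/kubernetes/cloud-config"
fi


# Let the controller-manager sign CSRs with the cluster CA when the
# certificates API is enabled.
if [ "$(echo "${CERT_MANAGER_API}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cluster-signing-cert-file=$CERT_DIR/ca.crt --cluster-signing-key-file=$CERT_DIR/ca.key"
fi

sed -i '
    /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
    /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
' /etc/kubernetes/controller-manager

sed -i '/^KUBE_SCHEDULER_ARGS=/ s/=.*/="--leader-elect=true"/' /etc/kubernetes/scheduler

# kubelet args
mkdir -p /etc/kubernetes/manifests
# Node name as registered with the apiserver; the nova-assigned
# ".novalocal" suffix is stripped. Computed once and reused below.
HOSTNAME_OVERRIDE=$(hostname --short | sed 's/\.novalocal//')
KUBELET_ARGS="--register-node=true --pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=0 --hostname-override=${HOSTNAME_OVERRIDE}"
KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${CONTAINER_INFRA_PREFIX:-gcr.io/google_containers/}pause:3.0"
KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=${DNS_CLUSTER_DOMAIN}"
KUBELET_ARGS="${KUBELET_ARGS} --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
KUBELET_ARGS="${KUBELET_ARGS} ${KUBELET_OPTIONS}"

if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    KUBELET_ARGS="${KUBELET_ARGS} --cloud-provider=external"
fi

# For using default log-driver, other options should be ignored
sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker

# Operator-requested plaintext registry; docker will pull from it without TLS.
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
    echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
fi

KUBELET_ARGS="${KUBELET_ARGS} --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
# Master nodes only run critical add-ons and dedicated workloads.
KUBELET_ARGS="${KUBELET_ARGS} --register-with-taints=CriticalAddonsOnly=True:NoSchedule,dedicated=master:NoSchedule"
KUBELET_ARGS="${KUBELET_ARGS} --node-labels=node-role.kubernetes.io/master=\"\""

# kubelet kubeconfig. Written with '>' (not '>>'): appending a second copy of
# the document on re-run would leave an invalid kubeconfig behind.
KUBELET_KUBECONFIG=/etc/kubernetes/kubelet-config.yaml
cat << EOF > "${KUBELET_KUBECONFIG}"
apiVersion: v1
clusters:
- cluster:
    certificate-authority: ${CERT_DIR}/ca.crt
    server: http://127.0.0.1:8080
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:${HOSTNAME_OVERRIDE}
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: system:node:${HOSTNAME_OVERRIDE}
  user:
    as-user-extra: {}
    client-certificate: ${CERT_DIR}/server.crt
    client-key: ${CERT_DIR}/server.key
EOF

# Helper evaluated at kubelet start: emits --require-kubeconfig only for
# kubelet versions older than v1.8.0 (the flag was removed later).
cat > /etc/kubernetes/get_require_kubeconfig.sh << EOF
#!/bin/bash

KUBE_VERSION=\$(kubelet --version | awk '{print \$2}')
min_version=v1.8.0
if [[ "\${min_version}" != \$(echo -e "\${min_version}\n\${KUBE_VERSION}" | sort -s -t. -k 1,1 -k 2,2n -k 3,3n | head -n1) && "\${KUBE_VERSION}" != "devel" ]]; then
    echo "--require-kubeconfig"
fi
EOF
chmod +x /etc/kubernetes/get_require_kubeconfig.sh

# Kubelet serving cert and the CA used to verify apiserver client certs.
KUBELET_ARGS="${KUBELET_ARGS} --client-ca-file=${CERT_DIR}/ca.crt --tls-cert-file=${CERT_DIR}/kubelet.crt --tls-private-key-file=${CERT_DIR}/kubelet.key --kubeconfig ${KUBELET_KUBECONFIG}"

# specified cgroup driver
KUBELET_ARGS="${KUBELET_ARGS} --cgroup-driver=${CGROUP_DRIVER}"

# Make docker use the same cgroup driver as the kubelet, either by patching a
# copy of the unit or via a drop-in when the unit has no native.cgroupdriver.
systemctl disable docker
if grep -q 'native.cgroupdriver' /usr/lib/systemd/system/docker.service; then
        cp /usr/lib/systemd/system/docker.service /etc/systemd/system/
        sed -i "s/\(native.cgroupdriver=\)\w\+/\1$CGROUP_DRIVER/" \
                /etc/systemd/system/docker.service
else
        # The drop-in directory does not necessarily exist yet.
        mkdir -p /etc/systemd/system/docker.service.d
        cat > /etc/systemd/system/docker.service.d/cgroupdriver.conf << EOF
ExecStart=---exec-opt native.cgroupdriver=$CGROUP_DRIVER
EOF

fi

systemctl daemon-reload
systemctl enable docker

# Fall back to the instance metadata service for the node address. There is
# no timeout or failure check here, so an unreachable metadata service
# leaves KUBE_NODE_IP empty and the --address flags below malformed.
if [ -z "${KUBE_NODE_IP}" ]; then
    KUBE_NODE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
fi

# Kubelet API hardening: no read-only port, no anonymous requests, and every
# request is authenticated/authorized via the apiserver (webhook mode).
KUBELET_ARGS="${KUBELET_ARGS} --address=${KUBE_NODE_IP} --port=10250 --read-only-port=0 --anonymous-auth=false --authorization-mode=Webhook --authentication-token-webhook=true"

sed -i '
/^KUBELET_ADDRESS=/ s/=.*/="--address=${KUBE_NODE_IP}"/
/^KUBELET_HOSTNAME=/ s/=.*/=""/
/^KUBELET_ARGS=/ s|=.*|="'"\$(/etc/kubernetes/get_require_kubeconfig.sh) ${KUBELET_ARGS}"'"|
' /etc/kubernetes/kubelet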