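#!/bin/sh -x
#
# Configure the Kubernetes control plane on a Magnum master node.
#
# Steps, in order:
#   1. source the cluster parameters from /etc/sysconfig/heat-params;
#   2. reset the CNI directories and (for calico) keep NetworkManager away
#      from the calico interfaces;
#   3. install kubelet/apiserver/controller-manager/scheduler/proxy as
#      system containers with `atomic install`;
#   4. rewrite the sysconfig files under /etc/kubernetes and write the
#      kube-proxy / kubelet kubeconfigs;
#   5. adjust the docker cgroup driver and enable the docker unit.
#
# Maintainer notes:
#   * `${var/pat/rep}` below is bash-only, so /bin/sh must be bash on the
#     target image (the `[ x = y ]` tests are kept POSIX on purpose).
#   * `-x` traces every command, including each assignment executed while
#     sourcing heat-params, into the boot log; keep that in mind before adding
#     anything sensitive to that file.
#   * Values from heat-params (KUBEAPI_OPTIONS, KUBELET_OPTIONS, CIDRs, ...)
#     are spliced verbatim into `sed` scripts. A value containing the script's
#     delimiter (`/`, `|` or `#`), `&` or a backslash corrupts the generated
#     config file instead of being escaped.

. /etc/sysconfig/heat-params

echo "configuring kubernetes (master)"

# Re-export the proxy settings so `atomic install` and its children use them.
if [ -n "$HTTP_PROXY" ]; then
    export HTTP_PROXY
fi

if [ -n "$HTTPS_PROXY" ]; then
    export HTTPS_PROXY
fi

if [ -n "$NO_PROXY" ]; then
    export NO_PROXY
fi

# Registry/namespace prefix for the kubernetes-* system-container images.
_prefix=${CONTAINER_INFRA_PREFIX:-docker.io/openstackmagnum/}

# Start from an empty CNI state; the network-driver fragments repopulate it.
rm -rf /etc/cni/net.d/*
rm -rf /var/lib/cni/*
rm -rf /opt/cni/*
mkdir -p /opt/cni
mkdir -p /etc/cni/net.d/
# Extra bind mounts for the kubelet system container (JSON fragment appended
# to the container's mount list).
# NOTE(review): /opt/cni is mounted with "mode=777", i.e. world-writable; the
# kubelet executes CNI plugins out of that directory, so a tighter mode is
# preferable unless the plugin installers genuinely need it -- confirm.
_addtl_mounts=',{"type":"bind","source":"/opt/cni","destination":"/opt/cni","options":["bind","rw","slave","mode=777"]},{"type":"bind","source":"/var/lib/docker","destination":"/var/lib/docker","options":["bind","rw","slave","mode=755"]}'

if [ "$NETWORK_DRIVER" = "calico" ]; then
    echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
    sysctl -p
    # Only reconfigure NetworkManager when it is running. `grep -o` matches
    # the substring, so an "Active: activating" unit also passes this test.
    if [ "$(systemctl status NetworkManager.service | grep -o "Active: active")" = "Active: active" ]; then
        CALICO_NM=/etc/NetworkManager/conf.d/calico.conf
        # Keep NetworkManager from managing calico's cali*/tunl* interfaces.
        [ -f "${CALICO_NM}" ] || {
            echo "Writing File: $CALICO_NM"
            mkdir -p "$(dirname "${CALICO_NM}")"
            cat << EOF > "${CALICO_NM}"
[keyfile]
unmanaged-devices=interface-name:cali*;interface-name:tunl*
EOF
        }
        systemctl restart NetworkManager
    fi
fi

# Install the control-plane components as ostree-backed system containers.
# _addtl_mounts is quoted because it contains `[...]`, which would otherwise
# be subject to pathname expansion.
atomic install --storage ostree --system --set=ADDTL_MOUNTS="${_addtl_mounts}" --system-package=no --name=kubelet "${_prefix}kubernetes-kubelet:${KUBE_TAG}"
atomic install --storage ostree --system --system-package=no --name=kube-apiserver "${_prefix}kubernetes-apiserver:${KUBE_TAG}"
atomic install --storage ostree --system --system-package=no --name=kube-controller-manager "${_prefix}kubernetes-controller-manager:${KUBE_TAG}"
atomic install --storage ostree --system --system-package=no --name=kube-scheduler "${_prefix}kubernetes-scheduler:${KUBE_TAG}"
atomic install --storage ostree --system --system-package=no --name=kube-proxy "${_prefix}kubernetes-proxy:${KUBE_TAG}"

# Location of the cluster CA and component certificates (written elsewhere).
CERT_DIR=/etc/kubernetes/certs

# kube-proxy config
PROXY_KUBECONFIG=/etc/kubernetes/proxy-kubeconfig.yaml
cat > /etc/kubernetes/proxy << EOF
KUBE_PROXY_ARGS="--kubeconfig=${PROXY_KUBECONFIG} --cluster-cidr=${PODS_NETWORK_CIDR}"
EOF

# kube-proxy reaches the API server over the local insecure port (8080),
# which carries no authentication; it is bound to 127.0.0.1 below, so every
# process on the master host has the same access.
cat > "${PROXY_KUBECONFIG}" << EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority: ${CERT_DIR}/ca.crt
    server: http://127.0.0.1:8080
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kube-proxy
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kube-proxy
  user:
    as-user-extra: {}
EOF

# Shared settings read by every kube-* unit.
sed -i '
    /^KUBE_ALLOW_PRIV=/ s/=.*/="--allow-privileged='"$KUBE_ALLOW_PRIV"'"/
    /^KUBE_MASTER=/ s|=.*|="--master=http://127.0.0.1:8080"|
' /etc/kubernetes/config

# --- kube-apiserver -------------------------------------------------------
KUBE_API_ARGS="--runtime-config=api/all=true"
KUBE_API_ARGS="$KUBE_API_ARGS --allow-privileged=$KUBE_ALLOW_PRIV"
KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP"
KUBE_API_ARGS="$KUBE_API_ARGS $KUBEAPI_OPTIONS"
if [ "$TLS_DISABLED" = "True" ]; then
    # No TLS at all: the unauthenticated insecure port is exposed on every
    # interface. Only suitable for isolated test clusters.
    KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0 --insecure-port=$KUBE_API_PORT"
else
    KUBE_API_ADDRESS="--bind-address=0.0.0.0 --secure-port=$KUBE_API_PORT"
    # insecure port is used internaly (kube-proxy, kubelet and the
    # controller-manager on this host talk to 127.0.0.1:8080)
    KUBE_API_ADDRESS="$KUBE_API_ADDRESS --insecure-bind-address=127.0.0.1 --insecure-port=8080"
    # Node + RBAC authorization, server cert/key and the client CA used to
    # authenticate client certificates.
    KUBE_API_ARGS="$KUBE_API_ARGS --authorization-mode=Node,RBAC --tls-cert-file=$CERT_DIR/server.crt"
    KUBE_API_ARGS="$KUBE_API_ARGS --tls-private-key-file=$CERT_DIR/server.key"
    KUBE_API_ARGS="$KUBE_API_ARGS --client-ca-file=$CERT_DIR/ca.crt"
    KUBE_API_ARGS="$KUBE_API_ARGS --service-account-key-file=${CERT_DIR}/service_account.key"
    # Verify kubelet serving certs against the cluster CA and present the
    # server cert as the API server's kubelet client identity.
    KUBE_API_ARGS="$KUBE_API_ARGS --kubelet-certificate-authority=${CERT_DIR}/ca.crt --kubelet-client-certificate=${CERT_DIR}/server.crt --kubelet-client-key=${CERT_DIR}/server.key --kubelet-https=true"
    # Allow for metrics-server/aggregator communication
    KUBE_API_ARGS="${KUBE_API_ARGS} \
        --proxy-client-cert-file=${CERT_DIR}/server.crt \
        --proxy-client-key-file=${CERT_DIR}/server.key \
        --requestheader-allowed-names=front-proxy-client,kube,kubernetes \
        --requestheader-client-ca-file=${CERT_DIR}/ca.crt \
        --requestheader-extra-headers-prefix=X-Remote-Extra- \
        --requestheader-group-headers=X-Remote-Group \
        --requestheader-username-headers=X-Remote-User"
fi

# Admission plugins are only enabled on TLS clusters; NodeRestriction is
# always prepended so kubelets can only modify their own Node/Pod objects.
KUBE_ADMISSION_CONTROL=""
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" = "False" ]; then
    KUBE_ADMISSION_CONTROL="--admission-control=NodeRestriction,${ADMISSION_CONTROL_LIST}"
fi

if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    KUBE_API_ARGS="$KUBE_API_ARGS --cloud-provider=external"
fi

if [ "$KEYSTONE_AUTH_ENABLED" = "True" ]; then
    KEYSTONE_WEBHOOK_CONFIG=/etc/kubernetes/keystone_webhook_config.yaml

    # Webhook token authn/authz via the local k8s-keystone-auth service.
    # The endpoint is loopback-only, which is why TLS verification is skipped;
    # do not point this at a remote host without revisiting that.
    [ -f "${KEYSTONE_WEBHOOK_CONFIG}" ] || {
        echo "Writing File: $KEYSTONE_WEBHOOK_CONFIG"
        mkdir -p "$(dirname "${KEYSTONE_WEBHOOK_CONFIG}")"
        cat << EOF > "${KEYSTONE_WEBHOOK_CONFIG}"
---
apiVersion: v1
kind: Config
preferences: {}
clusters:
  - cluster:
      insecure-skip-tls-verify: true
      server: https://127.0.0.1:8443/webhook
    name: webhook
users:
  - name: webhook
contexts:
  - context:
      cluster: webhook
      user: webhook
    name: webhook
current-context: webhook
EOF
    }
    KUBE_API_ARGS="$KUBE_API_ARGS --authentication-token-webhook-config-file=/etc/kubernetes/keystone_webhook_config.yaml --authorization-webhook-config-file=/etc/kubernetes/keystone_webhook_config.yaml"
    # Insert Webhook between Node and RBAC. Bash-only substitution; it is a
    # no-op when TLS is disabled because the pattern is only added above in
    # the TLS branch.
    webhook_auth="--authorization-mode=Node,Webhook,RBAC"
    KUBE_API_ARGS=${KUBE_API_ARGS/--authorization-mode=Node,RBAC/$webhook_auth}
fi

sed -i '
    /^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
    /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
    /^KUBE_API_ARGS=/ s|=.*|="'"${KUBE_API_ARGS}"'"|
    /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/
    /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
' /etc/kubernetes/apiserver


# Add controller manager args
KUBE_CONTROLLER_MANAGER_ARGS="--leader-elect=true"
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cluster-name=${CLUSTER_UUID}"
KUBE_CONTROLLER_MANAGER_ARGS="${KUBE_CONTROLLER_MANAGER_ARGS} --allocate-node-cidrs=true"
KUBE_CONTROLLER_MANAGER_ARGS="${KUBE_CONTROLLER_MANAGER_ARGS} --cluster-cidr=${PODS_NETWORK_CIDR}"
KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS $KUBECONTROLLER_OPTIONS"
# NOTE(review): the service-account signing key and root CA are gated on
# ADMISSION_CONTROL_LIST being non-empty, which looks unrelated to admission
# control; presumably this mirrors the apiserver's --service-account-key-file
# gate. Confirm before relying on it.
if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" = "False" ]; then
    KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --service-account-private-key-file=$CERT_DIR/service_account_private.key --root-ca-file=$CERT_DIR/ca.crt"
fi

if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cloud-provider=external"
    KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --external-cloud-volume-plugin=openstack --cloud-config=/etc/kubernetes/cloud-config"
fi


# Let the controller-manager sign CSRs with the cluster CA (certificates API).
if [ "$(echo "$CERT_MANAGER_API" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cluster-signing-cert-file=$CERT_DIR/ca.crt --cluster-signing-key-file=$CERT_DIR/ca.key"
fi

sed -i '
    /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
    /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
' /etc/kubernetes/controller-manager

sed -i '/^KUBE_SCHEDULER_ARGS=/ s/=.*/="--leader-elect=true"/' /etc/kubernetes/scheduler

# --- kubelet --------------------------------------------------------------
mkdir -p /etc/kubernetes/manifests
KUBELET_ARGS="--register-node=true --pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=0 --hostname-override=${INSTANCE_NAME}"
KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${CONTAINER_INFRA_PREFIX:-gcr.io/google_containers/}pause:3.0"
KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=${DNS_CLUSTER_DOMAIN}"
KUBELET_ARGS="${KUBELET_ARGS} --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
KUBELET_ARGS="${KUBELET_ARGS} ${KUBELET_OPTIONS}"

if [ "$(echo "${CLOUD_PROVIDER_ENABLED}" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    KUBELET_ARGS="${KUBELET_ARGS} --cloud-provider=external"
fi

# For using default log-driver, other options should be ignored
sed -i 's/\-\-log\-driver\=journald//g' /etc/sysconfig/docker

# Registry reached over plain HTTP / unverified TLS; images pulled from it are
# not protected against tampering in transit.
if [ -n "${INSECURE_REGISTRY_URL}" ]; then
    echo "INSECURE_REGISTRY='--insecure-registry ${INSECURE_REGISTRY_URL}'" >> /etc/sysconfig/docker
fi

KUBELET_ARGS="${KUBELET_ARGS} --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
# Keep ordinary workloads off the master.
KUBELET_ARGS="${KUBELET_ARGS} --register-with-taints=CriticalAddonsOnly=True:NoSchedule,dedicated=master:NoSchedule"

# Kubelet identity is the node client cert; the API endpoint is again the
# local insecure port. The document is appended (>>), so a second run of this
# script would produce a duplicated, invalid file -- presumably the file does
# not exist on first boot.
KUBELET_KUBECONFIG=/etc/kubernetes/kubelet-config.yaml
cat << EOF >> "${KUBELET_KUBECONFIG}"
apiVersion: v1
clusters:
- cluster:
    certificate-authority: ${CERT_DIR}/ca.crt
    server: http://127.0.0.1:8080
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:${INSTANCE_NAME}
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: system:node:${INSTANCE_NAME}
  user:
    as-user-extra: {}
    client-certificate: ${CERT_DIR}/server.crt
    client-key: ${CERT_DIR}/server.key
EOF

# Helper evaluated at kubelet start time: emits --require-kubeconfig only for
# kubelet versions below v1.8.0 (the flag was removed later). The heredoc is
# unquoted, hence the escaped \$ for everything that must expand at run time.
cat > /etc/kubernetes/get_require_kubeconfig.sh << EOF
#!/bin/bash

KUBE_VERSION=\$(kubelet --version | awk '{print \$2}')
min_version=v1.8.0
if [[ "\${min_version}" != \$(echo -e "\${min_version}\n\${KUBE_VERSION}" | sort -s -t. -k 1,1 -k 2,2n -k 3,3n | head -n1) && "\${KUBE_VERSION}" != "devel" ]]; then
    echo "--require-kubeconfig"
fi
EOF
chmod +x /etc/kubernetes/get_require_kubeconfig.sh

KUBELET_ARGS="${KUBELET_ARGS} --client-ca-file=${CERT_DIR}/ca.crt --tls-cert-file=${CERT_DIR}/kubelet.crt --tls-private-key-file=${CERT_DIR}/kubelet.key --kubeconfig ${KUBELET_KUBECONFIG}"

# specified cgroup driver
KUBELET_ARGS="${KUBELET_ARGS} --cgroup-driver=${CGROUP_DRIVER}"

# Make docker use the same cgroup driver as the kubelet.
systemctl disable docker
if grep -q 'native.cgroupdriver' /usr/lib/systemd/system/docker.service; then
        cp /usr/lib/systemd/system/docker.service /etc/systemd/system/
        sed -i "s/\(native.cgroupdriver=\)\w\+/\1$CGROUP_DRIVER/" \
                /etc/systemd/system/docker.service
else
        # NOTE(review): this drop-in does not look like a valid ExecStart=
        # override (no executable, and ExecStart= is not reset first);
        # confirm systemd actually honours it.
        mkdir -p /etc/systemd/system/docker.service.d
        cat > /etc/systemd/system/docker.service.d/cgroupdriver.conf << EOF
ExecStart=---exec-opt native.cgroupdriver=$CGROUP_DRIVER
EOF

fi

systemctl daemon-reload
systemctl enable docker

# Fall back to the instance metadata service for the node IP. -f keeps an
# HTTP error page out of the variable; --connect-timeout bounds the wait if
# the service is unreachable.
if [ -z "${KUBE_NODE_IP}" ]; then
    KUBE_NODE_IP=$(curl -sf --connect-timeout 10 http://169.254.169.254/latest/meta-data/local-ipv4)
    if [ -z "${KUBE_NODE_IP}" ]; then
        echo "warning: could not determine KUBE_NODE_IP; kubelet --address will be empty" >&2
    fi
fi

# Kubelet API hardening: no read-only port, no anonymous access, and every
# request is authenticated/authorized through the API server (webhook mode).
KUBELET_ARGS="${KUBELET_ARGS} --address=${KUBE_NODE_IP} --port=10250 --read-only-port=0 --anonymous-auth=false --authorization-mode=Webhook --authentication-token-webhook=true"

# KUBELET_ADDRESS: the node IP is spliced in with the same '"..."' break-out
# as the other sed scripts; fully single-quoted it was written to the file as
# the literal text ${KUBE_NODE_IP}.
# KUBELET_ARGS: the $(...) is deliberately escaped so that the command
# substitution is stored in the file and evaluated when the file is sourced.
sed -i '
/^KUBELET_ADDRESS=/ s/=.*/="--address='"${KUBE_NODE_IP}"'"/
/^KUBELET_HOSTNAME=/ s/=.*/=""/
/^KUBELET_ARGS=/ s|=.*|="'"\$(/etc/kubernetes/get_require_kubeconfig.sh) ${KUBELET_ARGS}"'"|
' /etc/kubernetes/kubelet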
  274