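#!/bin/bash
# kubeform.sh - bootstrap a single-node Kubernetes control plane on a
# CoreOS-style host: iptables rules, etcd2, a local CA with per-component
# certificates, flannel, the kubelet with its static-pod manifests, kubectl,
# kube-dns and the dashboard.
#
# Usage: kubeform.sh NODE_IP USER PASS [NODE_DNS]
#   NODE_IP   public IP substituted for __PUBLICIP__ in the templates under files/
#   USER      basic-auth user written to /etc/kubernetes/ssl/apiserver/basicauth.pass
#   PASS      basic-auth password for USER
#   NODE_DNS  optional DNS name appended as "DNS.5" to the apiserver SAN list
#
# Optional environment:
#   CLIENTCERT_PASS  import password of the browser PKCS#12 bundle (default: K8sCert)
#   KUBECTL_SHA256   when set, the downloaded kubectl binary must match this sha256
#
# Must be run from the directory that contains files/; needs passwordless sudo.
set -euo pipefail

readonly K8VERSION="v1.8.2_coreos.0"
readonly KUBECTL_VERSION="${K8VERSION%%_*}"   # upstream release behind the CoreOS build (v1.8.2)
readonly CERT_DAYS=365                        # lifetime of every leaf certificate issued below
readonly KEYSDIR="${HOME}/keys"
readonly SSLDIR=/etc/kubernetes/ssl
readonly BASICAUTH_FILE="${SSLDIR}/apiserver/basicauth.pass"

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf 'kubeform: %s\n' "$*" >&2
  exit 1
}

#######################################
# Render a template and install it as root.
# Globals:   NODE_IP, WORKDIR (read)
# Arguments: $1 template path, $2 destination path, $3.. extra `sed -e` args
# Outputs:   writes $2 with mode 0644, owned by root
#######################################
install_template() {
  local src=$1 dst=$2 tmp
  shift 2
  # Render into a private, unpredictable temp file instead of a fixed name in /tmp.
  tmp=$(mktemp "${WORKDIR}/tmpl.XXXXXX")
  sed -e "s/__PUBLICIP__/${NODE_IP}/g" "$@" "${src}" > "${tmp}"
  sudo install -m 0644 "${tmp}" "${dst}"
}

# Install the firewall rules (with the node IP filled in) and load them now.
setup_iptables() {
  echo "Enabling iptables"
  sudo systemctl enable iptables-restore
  sudo cp files/iptables-rules /var/lib/iptables/rules-save
  sudo sed -i "s/__PUBLICIP__/${NODE_IP}/g" /var/lib/iptables/rules-save
  sudo iptables-restore < /var/lib/iptables/rules-save
}

# Create every directory the later steps write into.
make_dirs() {
  sudo mkdir -p \
    /etc/systemd/system/etcd2.service.d \
    /etc/kubernetes/manifests \
    /etc/kubernetes/kubelet \
    "${SSLDIR}/apiserver" "${SSLDIR}/kube-dns" "${SSLDIR}/kube-dashboard" \
    /etc/flannel \
    /etc/systemd/system/flanneld.service.d \
    /etc/systemd/system/docker.service.d \
    /opt/bin
  mkdir -p "${KEYSDIR}"
  chmod 700 "${KEYSDIR}"   # private keys are generated here with the default umask
}

# Point etcd2 at the node IP, then start and enable it.
setup_etcd() {
  install_template files/40-listen-address.conf \
    /etc/systemd/system/etcd2.service.d/40-listen-address.conf
  sudo systemctl daemon-reload   # make systemd see the new drop-in before starting
  echo "starting etcd..."
  sudo systemctl start etcd2
  sudo systemctl enable etcd2
}

# Generate the cluster CA and the openssl config (SANs) used for the apiserver cert.
create_ca() {
  echo "creating keys in ${KEYSDIR}"
  openssl genrsa -out "${KEYSDIR}/ca-key.pem" 2048
  openssl req -x509 -new -nodes -key "${KEYSDIR}/ca-key.pem" -days 10000 \
    -out "${KEYSDIR}/ca.pem" -subj "/CN=kube-ca"
  sed "s/__PUBLICIP__/${NODE_IP}/g" files/openssl.cnf > "${KEYSDIR}/openssl.cnf"
  if [[ -n "${NODE_DNS}" ]]; then
    echo "DNS.5 = ${NODE_DNS}" >> "${KEYSDIR}/openssl.cnf"
  fi
}

#######################################
# Issue a CA-signed certificate into KEYSDIR.
# Globals:   KEYSDIR, CERT_DAYS (read)
# Arguments: $1 file prefix (NAME-key.pem, NAME.csr, NAME.pem), $2 CN,
#            $3 "san" to apply the v3_req extensions from openssl.cnf
#######################################
issue_cert() {
  local name=$1 cn=$2 mode=${3:-}
  local -a req_opts=() x509_opts=()
  if [[ "${mode}" == "san" ]]; then
    req_opts=(-config "${KEYSDIR}/openssl.cnf")
    x509_opts=(-extensions v3_req -extfile "${KEYSDIR}/openssl.cnf")
  fi
  openssl genrsa -out "${KEYSDIR}/${name}-key.pem" 2048
  # ${arr[@]+"${arr[@]}"} keeps an empty array from tripping `set -u` on bash < 4.4.
  openssl req -new -key "${KEYSDIR}/${name}-key.pem" -out "${KEYSDIR}/${name}.csr" \
    -subj "/CN=${cn}" ${req_opts[@]+"${req_opts[@]}"}
  openssl x509 -req -in "${KEYSDIR}/${name}.csr" \
    -CA "${KEYSDIR}/ca.pem" -CAkey "${KEYSDIR}/ca-key.pem" -CAcreateserial \
    -out "${KEYSDIR}/${name}.pem" -days "${CERT_DAYS}" ${x509_opts[@]+"${x509_opts[@]}"}
}

# Issue the component certificates plus the browser client bundle.
create_certs() {
  issue_cert apiserver kube-apiserver san   # only the apiserver needs the SAN list
  issue_cert admin kube-admin               # used by kubectl below
  issue_cert kube-dns kube-dns
  issue_cert kube-dashboard kube-dashboard
  # The browser cert previously had no -days and fell back to openssl's 30-day default;
  # it now gets the same CERT_DAYS lifetime as the other leaf certificates.
  issue_cert clientcert kubecert4browser
  # -passout env: reads the password from the environment so it is not visible in `ps`.
  openssl pkcs12 -export -in "${KEYSDIR}/clientcert.pem" -inkey "${KEYSDIR}/clientcert-key.pem" \
    -out "${KEYSDIR}/clientcert.p12" -passout env:CLIENTCERT_PASS -certfile "${KEYSDIR}/ca.pem"
}

# Copy certificates and per-pod kube.conf files into /etc/kubernetes/ssl.
install_certs() {
  local pod
  sudo cp -p files/kubelet.yml /etc/kubernetes/kubelet/
  sudo cp -p "${KEYSDIR}/ca.pem" "${SSLDIR}/"
  for pod in apiserver kube-dns kube-dashboard; do
    sudo cp -p "${KEYSDIR}/${pod}.pem" "${KEYSDIR}/${pod}-key.pem" "${SSLDIR}/${pod}/"
    sudo cp -p files/kube.conf "${SSLDIR}/${pod}/"
    sudo sed -i -e "s/__POD__/${pod}/g" "${SSLDIR}/${pod}/kube.conf"
  done
  # Private keys are root-only regardless of the mode they were generated with.
  sudo find "${SSLDIR}/" -name '*-key.pem' -exec chown root:root {} \; -exec chmod 600 {} \;
}

# Install flannel, kubelet and static-pod manifests.
install_configs() {
  install_template files/options.env /etc/flannel/options.env
  sudo cp files/40-ExecStartPre-symlink.conf /etc/systemd/system/flanneld.service.d/
  install_template files/kubelet.service /etc/systemd/system/kubelet.service \
    -e "s/K8VERSION/${K8VERSION}/g"
  install_template files/kube-apiserver.yml /etc/kubernetes/manifests/kube-apiserver.yml
  sudo cp files/kube-proxy.yml files/kube-controller-manager.yml files/kube-scheduler.yml \
    /etc/kubernetes/manifests/
  sudo systemctl daemon-reload
}

# Publish the flannel pod network to etcd; failure here leaves the overlay unconfigured.
configure_flannel_network() {
  echo "configuring etcd"
  curl -fsS -X PUT \
    -d 'value={"Network":"10.2.0.0/16","Backend":{"Type":"vxlan"}}' \
    "http://${NODE_IP}:2379/v2/keys/coreos.com/network/config"
}

# Write the apiserver basic-auth file (format: password,user,uid).
write_basicauth() {
  echo "Creating basicauth file"
  # The credentials are passed as printf arguments, never spliced into a shell
  # command line, and tracing is paused so the password stays out of the xtrace log.
  set +x
  printf '%s,%s,1\n' "${MYPASS}" "${MYUSER}" | sudo tee "${BASICAUTH_FILE}" >/dev/null
  set -x
  sudo chmod 600 "${BASICAUTH_FILE}"
}

# Poll the insecure local apiserver port until it answers (any HTTP status counts).
wait_for_apiserver() {
  local max=10 i status=000
  echo "waiting for api server to set up"
  set +x
  for (( i = 0; i <= max; ++i )); do
    printf '.'
    status=$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:8080/version") || true
    if [[ "${status}" != "000" ]]; then
      break
    fi
    sleep 30
  done
  echo
  if [[ "${status}" == "000" ]]; then
    # Best effort, as before: keep going so the rest of the setup still lands.
    printf 'warning: apiserver did not answer on 127.0.0.1:8080, continuing anyway\n' >&2
  fi
  set -x
}

# Download kubectl, optionally verify it, install it and create the admin context.
install_kubectl() {
  local kubectl=/opt/bin/kubectl
  local url="https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
  echo "install kubectl"
  curl -fsSL -o "${WORKDIR}/kubectl" "${url}"   # -f: an HTTP error must not become the binary
  if [[ -n "${KUBECTL_SHA256:-}" ]]; then
    printf '%s  %s\n' "${KUBECTL_SHA256}" "${WORKDIR}/kubectl" | sha256sum -c -
  fi
  sudo install -m 0755 "${WORKDIR}/kubectl" "${kubectl}"
  "${kubectl}" config set-cluster default-cluster \
    --server="https://${NODE_IP}:6443" --certificate-authority="${KEYSDIR}/ca.pem"
  "${kubectl}" config set-credentials default-admin \
    --certificate-authority="${KEYSDIR}/ca.pem" \
    --client-key="${KEYSDIR}/admin-key.pem" --client-certificate="${KEYSDIR}/admin.pem"
  "${kubectl}" config set-context default-system --cluster=default-cluster --user=default-admin
  "${kubectl}" config use-context default-system
  "${kubectl}" create -f files/kube-dns.yml
  "${kubectl}" create -f files/kube-dashboard.yml
  "${kubectl}" get pods --all-namespaces
}

# Print the access details the operator needs afterwards.
print_summary() {
  set +x
  printf '\n=== Basic Auth Credentials ===\n'
  echo "User: ${MYUSER}"
  echo "Pass: ${MYPASS}"
  echo "You can change those in ${BASICAUTH_FILE}. APIserver restart is required afterwards."
  echo "The client certificate for the browser is: ${KEYSDIR}/clientcert.p12"
  echo "Import password is '${CLIENTCERT_PASS}'."
  printf '=============================\n\n'
}

main() {
  (( $# >= 3 )) || die "usage: ${0##*/} NODE_IP USER PASS [NODE_DNS]"
  NODE_IP=$1
  MYUSER=$2
  MYPASS=$3
  NODE_DNS=${4:-}
  CLIENTCERT_PASS=${CLIENTCERT_PASS:-K8sCert}
  export CLIENTCERT_PASS   # consumed by `openssl pkcs12 -passout env:CLIENTCERT_PASS`
  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${WORKDIR:?}"' EXIT
  # Tracing starts only after the secret-bearing assignments above, so the
  # password never appears in the xtrace output.
  set -x
  setup_iptables
  echo "setting k8s in ${NODE_IP}"
  make_dirs
  setup_etcd
  create_ca
  create_certs
  install_certs
  install_configs
  configure_flannel_network
  write_basicauth
  echo "starting kubernetes"
  sudo systemctl start kubelet
  sudo systemctl enable kubelet
  wait_for_apiserver
  install_kubectl
  print_summary
}

main "$@"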