k3s/cluster/vagrant/provision-master.sh

#!/bin/bash

# Copyright 2014 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o errexit
set -o nounset
set -o pipefail

# Set the host name explicitly
# See: https://github.com/mitchellh/vagrant/issues/2430
hostnamectl set-hostname ${MASTER_NAME}
# Set the variable to empty value explicitly
if_to_edit=""

if [[ "$(grep 'VERSION_ID' /etc/os-release)" =~ ^VERSION_ID=23 ]]; then
  # Disable network interface being managed by Network Manager (needed for Fedora 21+)
  NETWORK_CONF_PATH=/etc/sysconfig/network-scripts/
  if_to_edit=$( find ${NETWORK_CONF_PATH}ifcfg-* | xargs grep -l VAGRANT-BEGIN )
  for if_conf in ${if_to_edit}; do
    grep -q ^NM_CONTROLLED= ${if_conf} || echo 'NM_CONTROLLED=no' >> ${if_conf}
    sed -i 's/#^NM_CONTROLLED=.*/NM_CONTROLLED=no/' ${if_conf}
  done;
  systemctl restart network
fi

# needed for vsphere support
# handle the case when no 'VAGRANT-BEGIN' comment was defined in network-scripts
# set the NETWORK_IF_NAME to have a default value in such case
NETWORK_IF_NAME=`echo ${if_to_edit} | awk -F- '{ print $3 }'`
if [[ -z "$NETWORK_IF_NAME" ]]; then
  NETWORK_IF_NAME=${DEFAULT_NETWORK_IF_NAME}
fi

# Setup hosts file to support ping by hostname to each node in the cluster from apiserver
for (( i=0; i<${#NODE_NAMES[@]}; i++)); do
  node=${NODE_NAMES[$i]}
  ip=${NODE_IPS[$i]}
  if [ ! "$(cat /etc/hosts | grep $node)" ]; then
    echo "Adding $node to hosts file"
    echo "$ip $node" >> /etc/hosts
  fi
done
echo "127.0.0.1 localhost" >> /etc/hosts # enables cmds like 'kubectl get pods' on master.
echo "$MASTER_IP $MASTER_NAME" >> /etc/hosts

enable-accounting
prepare-package-manager

# Configure the master network
if [ "${NETWORK_PROVIDER}" != "kubenet" ]; then
  provision-network-master
fi

write-salt-config kubernetes-master

# Generate and distribute a shared secret (bearer token) to
# apiserver and kubelet so that kubelet can authenticate to
# apiserver to send events.
known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
if [[ ! -f "${known_tokens_file}" ]]; then

  mkdir -p /srv/salt-overlay/salt/kube-apiserver
  known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"
  (umask u=rw,go= ;
   echo "$KUBELET_TOKEN,kubelet,kubelet" > $known_tokens_file;
   echo "$KUBE_PROXY_TOKEN,kube_proxy,kube_proxy" >> $known_tokens_file;
   echo "$KUBE_BEARER_TOKEN,admin,admin" >> $known_tokens_file)

  mkdir -p /srv/salt-overlay/salt/kubelet
  kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"
  (umask u=rw,go= ; echo "{\"BearerToken\": \"$KUBELET_TOKEN\", \"Insecure\": true }" > $kubelet_auth_file)

  create-salt-kubelet-auth
  create-salt-kubeproxy-auth
  # Generate tokens for other "service accounts".  Append to known_tokens.
  #
  # NB: If this list ever changes, this script actually has to
  # change to detect the existence of this file, kill any deleted
  # old tokens and add any new tokens (to handle the upgrade case).
  service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")
  for account in "${service_accounts[@]}"; do
    token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
    echo "${token},${account},${account}" >> "${known_tokens_file}"
  done
fi


readonly BASIC_AUTH_FILE="/srv/salt-overlay/salt/kube-apiserver/basic_auth.csv"
if [ ! -e "${BASIC_AUTH_FILE}" ]; then
  mkdir -p /srv/salt-overlay/salt/kube-apiserver
  (umask 077;
    echo "${MASTER_PASSWD},${MASTER_USER},admin" > "${BASIC_AUTH_FILE}")
fi

# Enable Fedora Cockpit on host to support Kubernetes administration
# Access it by going to <master-ip>:9090 and login as vagrant/vagrant
if ! which /usr/libexec/cockpit-ws &>/dev/null; then

  pushd /etc/yum.repos.d
    curl -OL https://copr.fedorainfracloud.org/coprs/g/cockpit/cockpit-preview/repo/fedora-23/msuchy-cockpit-preview-fedora-23.repo
    dnf install -y cockpit cockpit-kubernetes docker socat ethtool
  popd

  systemctl enable cockpit.socket
  systemctl start cockpit.socket
fi

install-salt

run-salt
Initial vagrant setup and e2e testing support 2014-07-14 17:50:04 +00:00			`#!/bin/bash`

Remove "All rights reserved" from all the headers. 2016-06-03 00:25:58 +00:00			`# Copyright 2014 The Kubernetes Authors.`
Initial vagrant setup and e2e testing support 2014-07-14 17:50:04 +00:00			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

move vagrant to masterless salt 2015-11-30 03:33:53 +00:00			`set -o errexit`
			`set -o nounset`
			`set -o pipefail`
Initial vagrant setup and e2e testing support 2014-07-14 17:50:04 +00:00
Upgrade to Fedora 21, Docker 1.6, clean-up SDN 2015-06-02 01:19:38 +00:00			`# Set the host name explicitly`
			`# See: https://github.com/mitchellh/vagrant/issues/2430`
			`hostnamectl set-hostname ${MASTER_NAME}`
added vagrant vsphere support updated vsphere-dummy box for the vagrant vsphere using vagrant vsphere plugin added solution for cases when the NETWORK_IF_NAME was left empty 2016-03-13 19:58:23 +00:00			`# Set the variable to empty value explicitly`
			`if_to_edit=""`
Upgrade to Fedora 21, Docker 1.6, clean-up SDN 2015-06-02 01:19:38 +00:00
Updated Vagrant VMs to Fedora 23 Signed-off-by: André Martins <aanm90@gmail.com> 2015-10-21 00:56:18 +00:00			`if [[ "$(grep 'VERSION_ID' /etc/os-release)" =~ ^VERSION_ID=23 ]]; then`
Vagrant: Make F21 fixup conditional The default Fedora 21 image requires some manual networking fixup that breaks Fedora 22. This change ensures that the fixup in question is run only for Fedora 21. 2015-07-01 18:16:20 +00:00			`# Disable network interface being managed by Network Manager (needed for Fedora 21+)`
			`NETWORK_CONF_PATH=/etc/sysconfig/network-scripts/`
Booting a Kubernetes cluster on Vagrant * Using Fedora 21 as the base box * Discover the active network interfaces in the box to avoid hardcoding them in configuration. * Use the master IP for the certificate. 2015-07-17 21:28:54 +00:00			`if_to_edit=$( find ${NETWORK_CONF_PATH}ifcfg-* \| xargs grep -l VAGRANT-BEGIN )`
			`for if_conf in ${if_to_edit}; do`
			`grep -q ^NM_CONTROLLED= ${if_conf} \|\| echo 'NM_CONTROLLED=no' >> ${if_conf}`
			`sed -i 's/#^NM_CONTROLLED=.*/NM_CONTROLLED=no/' ${if_conf}`
			`done;`
Vagrant: Make F21 fixup conditional The default Fedora 21 image requires some manual networking fixup that breaks Fedora 22. This change ensures that the fixup in question is run only for Fedora 21. 2015-07-01 18:16:20 +00:00			`systemctl restart network`
			`fi`
Upgrade to Fedora 21, Docker 1.6, clean-up SDN 2015-06-02 01:19:38 +00:00
added vagrant vsphere support updated vsphere-dummy box for the vagrant vsphere using vagrant vsphere plugin added solution for cases when the NETWORK_IF_NAME was left empty 2016-03-13 19:58:23 +00:00			`# needed for vsphere support`
			`# handle the case when no 'VAGRANT-BEGIN' comment was defined in network-scripts`
			`# set the NETWORK_IF_NAME to have a default value in such case`
Booting a Kubernetes cluster on Vagrant * Using Fedora 21 as the base box * Discover the active network interfaces in the box to avoid hardcoding them in configuration. * Use the master IP for the certificate. 2015-07-17 21:28:54 +00:00			NETWORK_IF_NAME=`echo ${if_to_edit} \| awk -F- '{ print $3 }'`
added vagrant vsphere support updated vsphere-dummy box for the vagrant vsphere using vagrant vsphere plugin added solution for cases when the NETWORK_IF_NAME was left empty 2016-03-13 19:58:23 +00:00			`if [[ -z "$NETWORK_IF_NAME" ]]; then`
			`NETWORK_IF_NAME=${DEFAULT_NETWORK_IF_NAME}`
			`fi`
Booting a Kubernetes cluster on Vagrant * Using Fedora 21 as the base box * Discover the active network interfaces in the box to avoid hardcoding them in configuration. * Use the master IP for the certificate. 2015-07-17 21:28:54 +00:00
Minion->Name rename: cluster/vagrant, docs and Vagrantfile 2015-11-09 07:08:58 +00:00			`# Setup hosts file to support ping by hostname to each node in the cluster from apiserver`
Minion->Node rename: NODE_NAMES, NODE_NAME, NODE_PORT 2015-11-24 03:04:40 +00:00			`for (( i=0; i<${#NODE_NAMES[@]}; i++)); do`
Minion->Name rename: cluster/vagrant, docs and Vagrantfile 2015-11-09 07:08:58 +00:00			`node=${NODE_NAMES[$i]}`
Minion->Node rename: NODE_IP_BASE, NODE_IP_RANGES, NODE_IP_RANGE, etc NODE_IPS NODE_IP NODE_MEMORY_MB 2015-11-24 03:03:44 +00:00			`ip=${NODE_IPS[$i]}`
Minion->Name rename: cluster/vagrant, docs and Vagrantfile 2015-11-09 07:08:58 +00:00			`if [ ! "$(cat /etc/hosts \| grep $node)" ]; then`
			`echo "Adding $node to hosts file"`
			`echo "$ip $node" >> /etc/hosts`
Don't print Kubernetes username/password to console. It is too easy to copy/paste this on-line. Fixes #1483 2014-09-29 20:11:31 +00:00			`fi`
Improve vagrant hostname support across cluster 2014-09-05 16:33:52 +00:00			`done`
Remove duplicate localhost setting 2015-04-09 16:10:47 +00:00			`echo "127.0.0.1 localhost" >> /etc/hosts # enables cmds like 'kubectl get pods' on master.`
Upgrade to Fedora 21, Docker 1.6, clean-up SDN 2015-06-02 01:19:38 +00:00			`echo "$MASTER_IP $MASTER_NAME" >> /etc/hosts`

Enable CPU and Memory accounting on vagrant 2016-05-24 15:23:09 +00:00			`enable-accounting`
Fix Vagrant issue with Salt Package manager "dnf" does not work correctly with Salt (cf https://github.com/saltstack/salt/issues/31001) It causes Salt to consider that some packages (python, git, curl, etc.) are not installed, which breaks the Vagrant Kubernetes setup. Updating dnf and dnf-plugins-core to their latest version solves the issue. Additionally, I've added the "fastestmirror" to dnf, which is useful if a RPM mirror is broken or very slow. (In my case, dnf used a broken mirror which froze the Kubernetes setup). 2016-02-08 16:20:02 +00:00			`prepare-package-manager`

Move vagrant to flannel 2015-09-15 19:42:38 +00:00			`# Configure the master network`
Add a network plugin that duplicates "configureCBR0" functionality 2015-12-16 23:31:10 +00:00			`if [ "${NETWORK_PROVIDER}" != "kubenet" ]; then`
			`provision-network-master`
			`fi`
Improve vagrant hostname support across cluster 2014-09-05 16:33:52 +00:00
move vagrant to masterless salt 2015-11-30 03:33:53 +00:00			`write-salt-config kubernetes-master`
Rework vagrant cluster set up. * Have a single config file that mirrors other cluster providers * Warn users not to use 'vagrant up' directly * Allow 'extra' parameters to the docker daemon. Fixes #2685 * Renumbers things so that they are more sane. Master/minions are 10.245.1.x, container subnets are 10.246.x.1/24, portal is 10.247.0.0/16 2014-12-12 19:08:22 +00:00
Implement apiserver communication for Vagrant This implementation is based on the GCE impementation from 618a367dbb48dbaa9c3b50e877858d854322fd0b. 2014-12-04 18:40:00 +00:00			`# Generate and distribute a shared secret (bearer token) to`
			`# apiserver and kubelet so that kubelet can authenticate to`
			`# apiserver to send events.`
			`known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"`
Rework vagrant cluster set up. * Have a single config file that mirrors other cluster providers * Warn users not to use 'vagrant up' directly * Allow 'extra' parameters to the docker daemon. Fixes #2685 * Renumbers things so that they are more sane. Master/minions are 10.245.1.x, container subnets are 10.246.x.1/24, portal is 10.247.0.0/16 2014-12-12 19:08:22 +00:00			`if [[ ! -f "${known_tokens_file}" ]]; then`
Implement apiserver communication for Vagrant This implementation is based on the GCE impementation from 618a367dbb48dbaa9c3b50e877858d854322fd0b. 2014-12-04 18:40:00 +00:00
Rework vagrant cluster set up. * Have a single config file that mirrors other cluster providers * Warn users not to use 'vagrant up' directly * Allow 'extra' parameters to the docker daemon. Fixes #2685 * Renumbers things so that they are more sane. Master/minions are 10.245.1.x, container subnets are 10.246.x.1/24, portal is 10.247.0.0/16 2014-12-12 19:08:22 +00:00			`mkdir -p /srv/salt-overlay/salt/kube-apiserver`
			`known_tokens_file="/srv/salt-overlay/salt/kube-apiserver/known_tokens.csv"`
Generate a token for kube-proxy. Tested on GCE. Includes untested modifications for AWS and Vagrant. No changes for any other distros. Probably will work on other up-to-date providers but beware. Symptom would be that service proxying stops working. 1. Generates a token kube-proxy in AWS, GCE, and Vagrant setup scripts. 1. Distributes the token via salt-overlay, and salt to /var/lib/kube-proxy/kubeconfig 1. Changes kube-proxy args: - use the --kubeconfig argument - changes --master argument from http://MASTER:7080 to https://MASTER - http -> https - explicit port 7080 -> implied 443 Possible ways this might break other distros: Mitigation: there is an default empty kubeconfig file. If the distro does not populate the salt-overlay, then it should get the empty, which parses to an empty object, which, combined with the --master argument, should still work. Mitigation: - azure: Special case to use 7080 in - rackspace: way out of date, so don't care. - vsphere: way out of date, so don't care. - other distros: not using salt. 2015-04-24 16:27:11 +00:00			`(umask u=rw,go= ;`
Fix vagrant client authorization. 2015-06-10 06:02:27 +00:00			`echo "$KUBELET_TOKEN,kubelet,kubelet" > $known_tokens_file;`
Add bearer token authentication to Vagrant clusters This does not remove basic authentication in Vagrant clusters. Users will still be able to authenticate with username=vagrant, password=vagrant 2016-02-10 09:33:04 +00:00			`echo "$KUBE_PROXY_TOKEN,kube_proxy,kube_proxy" >> $known_tokens_file;`
			`echo "$KUBE_BEARER_TOKEN,admin,admin" >> $known_tokens_file)`
Rework vagrant cluster set up. * Have a single config file that mirrors other cluster providers * Warn users not to use 'vagrant up' directly * Allow 'extra' parameters to the docker daemon. Fixes #2685 * Renumbers things so that they are more sane. Master/minions are 10.245.1.x, container subnets are 10.246.x.1/24, portal is 10.247.0.0/16 2014-12-12 19:08:22 +00:00
			`mkdir -p /srv/salt-overlay/salt/kubelet`
			`kubelet_auth_file="/srv/salt-overlay/salt/kubelet/kubernetes_auth"`
Fix vagrant client authorization. 2015-06-10 06:02:27 +00:00			`(umask u=rw,go= ; echo "{\"BearerToken\": \"$KUBELET_TOKEN\", \"Insecure\": true }" > $kubelet_auth_file)`
Generate a token for kube-proxy. Tested on GCE. Includes untested modifications for AWS and Vagrant. No changes for any other distros. Probably will work on other up-to-date providers but beware. Symptom would be that service proxying stops working. 1. Generates a token kube-proxy in AWS, GCE, and Vagrant setup scripts. 1. Distributes the token via salt-overlay, and salt to /var/lib/kube-proxy/kubeconfig 1. Changes kube-proxy args: - use the --kubeconfig argument - changes --master argument from http://MASTER:7080 to https://MASTER - http -> https - explicit port 7080 -> implied 443 Possible ways this might break other distros: Mitigation: there is an default empty kubeconfig file. If the distro does not populate the salt-overlay, then it should get the empty, which parses to an empty object, which, combined with the --master argument, should still work. Mitigation: - azure: Special case to use 7080 in - rackspace: way out of date, so don't care. - vsphere: way out of date, so don't care. - other distros: not using salt. 2015-04-24 16:27:11 +00:00
move vagrant to masterless salt 2015-11-30 03:33:53 +00:00			`create-salt-kubelet-auth`
			`create-salt-kubeproxy-auth`
Extend PR#5470 for AWS and Vagrant 2015-04-21 15:22:31 +00:00			`# Generate tokens for other "service accounts". Append to known_tokens.`
			`#`
			`# NB: If this list ever changes, this script actually has to`
			`# change to detect the existence of this file, kill any deleted`
			`# old tokens and add any new tokens (to handle the upgrade case).`
Fix vagrant setup broken by commit 7475efbcfb6a2e. - 'local' can be used only inside bash functions - s/KNOWN_TOKENS_FILE/known_tokens_file 2015-04-23 09:00:10 +00:00			`service_accounts=("system:scheduler" "system:controller_manager" "system:logging" "system:monitoring" "system:dns")`
Extend PR#5470 for AWS and Vagrant 2015-04-21 15:22:31 +00:00			`for account in "${service_accounts[@]}"; do`
			`token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null \| base64 \| tr -d "=+/" \| dd bs=32 count=1 2>/dev/null)`
Fix vagrant setup broken by commit 7475efbcfb6a2e. - 'local' can be used only inside bash functions - s/KNOWN_TOKENS_FILE/known_tokens_file 2015-04-23 09:00:10 +00:00			`echo "${token},${account},${account}" >> "${known_tokens_file}"`
Extend PR#5470 for AWS and Vagrant 2015-04-21 15:22:31 +00:00			`done`
Rework vagrant cluster set up. * Have a single config file that mirrors other cluster providers * Warn users not to use 'vagrant up' directly * Allow 'extra' parameters to the docker daemon. Fixes #2685 * Renumbers things so that they are more sane. Master/minions are 10.245.1.x, container subnets are 10.246.x.1/24, portal is 10.247.0.0/16 2014-12-12 19:08:22 +00:00			`fi`
Implement apiserver communication for Vagrant This implementation is based on the GCE impementation from 618a367dbb48dbaa9c3b50e877858d854322fd0b. 2014-12-04 18:40:00 +00:00
Remove nginx from vagrant 2015-06-23 17:07:50 +00:00
			`readonly BASIC_AUTH_FILE="/srv/salt-overlay/salt/kube-apiserver/basic_auth.csv"`
			`if [ ! -e "${BASIC_AUTH_FILE}" ]; then`
			`mkdir -p /srv/salt-overlay/salt/kube-apiserver`
			`(umask 077;`
Fix the issue of generate BASIC_AUTH_FILE file. 2015-09-28 04:02:18 +00:00			`echo "${MASTER_PASSWD},${MASTER_USER},admin" > "${BASIC_AUTH_FILE}")`
Rework vagrant cluster set up. * Have a single config file that mirrors other cluster providers * Warn users not to use 'vagrant up' directly * Allow 'extra' parameters to the docker daemon. Fixes #2685 * Renumbers things so that they are more sane. Master/minions are 10.245.1.x, container subnets are 10.246.x.1/24, portal is 10.247.0.0/16 2014-12-12 19:08:22 +00:00			`fi`
Break out dynamic salt files to enable clean kube-push. This lets us blow away salt files and replace them with a new version while keeping a tree of "overlay" files that are cluster specific and generated at cluster up time. Fixes #1783 2014-10-14 22:00:52 +00:00
Add Fedora Cockpit to vagrant setup to administer/introspect kubernetes 2015-09-10 15:25:57 +00:00			`# Enable Fedora Cockpit on host to support Kubernetes administration`
			`# Access it by going to <master-ip>:9090 and login as vagrant/vagrant`
			`if ! which /usr/libexec/cockpit-ws &>/dev/null; then`
move vagrant to masterless salt 2015-11-30 03:33:53 +00:00
Add Fedora Cockpit to vagrant setup to administer/introspect kubernetes 2015-09-10 15:25:57 +00:00			`pushd /etc/yum.repos.d`
Vagrant fixes for fedora 23 - wget is not installed by default on fedora 23. Use curl instead since it is always available on recent Fedora. - The repo url for cockpit resulted in an http redirect message being saved as the repo file which broke deployment. Update the url to url that was redirected to and ensure that future redirects will be handled correctly. - The main Fedora 23 repo includes salt packages, and there is no salt repo for 23. The salt bootstrap still creates a repo file for a nonexistent repo, though, and this change removes it to avoid having dnf report an error on every update. 2016-01-20 18:08:53 +00:00			`curl -OL https://copr.fedorainfracloud.org/coprs/g/cockpit/cockpit-preview/repo/fedora-23/msuchy-cockpit-preview-fedora-23.repo`
Fix vagrant issues with salt bootstrap 2016-05-24 14:05:00 +00:00			`dnf install -y cockpit cockpit-kubernetes docker socat ethtool`
Add Fedora Cockpit to vagrant setup to administer/introspect kubernetes 2015-09-10 15:25:57 +00:00			`popd`

			`systemctl enable cockpit.socket`
			`systemctl start cockpit.socket`
			`fi`

move vagrant to masterless salt 2015-11-30 03:33:53 +00:00			`install-salt`
Add vagrant cloudprovider 2014-08-06 17:15:14 +00:00
move vagrant to masterless salt 2015-11-30 03:33:53 +00:00			`run-salt`