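# Butane config (variant fcos, spec 1.2.0) for a Fedora CoreOS Kubernetes
# node: one local user, a persistent node-state filesystem, a Vault agent
# that renders the etcd/kubelet/apiserver certificates, binaries fetched
# from the "leader" host, and the systemd units that run etcd, CRI-O and
# the control-plane components.
#
# Values written as {{.hostname}}, {{.vault_key}} and {{.vault_crt}} look
# like Go-template placeholders that are filled in before this config is
# transpiled — confirm against the tool that renders it.
variant: fcos
version: 1.2.0
passwd:
  users:
    - name: core
      # NOTE(review): this is an MD5-crypt ($1$) hash, which is cheap to
      # brute-force; regenerate it as a sha512 or yescrypt hash. Because the
      # hash is published together with this config, treat the password as
      # exposed and rotate it.
      password_hash: $1$Tl/oqLxt$r51.Qdtd50jxJPvCdW9cO0
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxTPaIwBsZIeJniHYe75gdm5p0M5J7KWtJxbk60ZMhxaq/cl/s0NBCX+UOzL9EFEMeUCQdslJ1g6BgNeYc1rMaPbYYPfYE/kcFO9e4vi7Wnjiv/2cyF+IUIPoi4FSOsQWCWt6eAciWjtGvVB1i2Cx6qr2dzutukdT3Ts5u3DnCKhbxmSUMZLOb8Iof4lu6rjOwJ31/7+Hn5nsL0JaAA8TnVMxhDbqw21dpPCsNoe1Jff1/rYcZsgqkoVOtOOERD1HtxADHWQFiQuswKilAsOzTLyYQLosRnK8Pu7O5tmdoe0lDIHnrMjIpvMT0l9PnqvvWjsTu9ZeBaPKxdcQLfuWv joe@xps.ibj.io
storage:
  # Bay #1 disk layout, kept commented out: the node-state partition is
  # presumably created once by hand and only mounted below, so a rebuild
  # does not repartition the disk.
  #disks:
  #  - device: /dev/disk/by-path/pci-0000:00:1f.2-ata-1
  #    wipe_table: false
  #    partitions:
  #      - size_mib: 100000
  #        start_mib: 5000
  #        label: node-state
  filesystems:
    - path: /var
      device: /dev/disk/by-partlabel/node-state
      format: ext4
      # Existing node state (etcd data, container images) survives a
      # re-provision of the node.
      wipe_filesystem: false
      with_mount_unit: true
  directories:
    # - path: /var/lib/rook
    #   overwrite: true
    - path: /var/etcd
      user:
        name: root
      group:
        name: root
    - path: /var/lib/containers
      user:
        name: root
      group:
        name: root
      overwrite: true
    - path: /var/lib/kubelet
      user:
        name: root
      group:
        name: root
      overwrite: true
    # Certificate/kubeconfig directories. They are owned by uid 100 (no
    # account name is given — presumably the user the rendered files are
    # meant for; confirm) and are world-readable (0755). The Vault agent
    # templates below write private keys into them, so the key files
    # themselves need restrictive permissions (see the config.hcl note).
    - path: /var/etcd-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/cni
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/kubelet-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/api-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/controllermanager-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/proxy-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /var/scheduler-certs
      user:
        id: 100
      mode: 0755
      overwrite: true
    - path: /etc/vault
      user:
        name: root
      group:
        name: root
    - path: /etc/kubelet
      user:
        name: root
      group:
        name: root
    - path: /etc/kubelet.d
      user:
        name: root
      group:
        name: root
    - path: /usr/local/bin
      user:
        name: root
      group:
        name: root
  files:
    # Required for routing pod/service traffic on the IPv6 side of the
    # dual-stack cluster.
    - path: /etc/sysctl.d/90-ipv6-forwarding.conf
      contents:
        inline: net.ipv6.conf.all.forwarding = 1
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: "{{.hostname}}"
    # Client certificate and key the Vault agent authenticates with
    # (auth/cert). The agent runs as root (see root-vault-agent-init.service),
    # so the key does not need to be readable by anyone else: 0400 instead of
    # the previous world-readable 0444.
    - path: /etc/vault/vault.key
      mode: 0400
      contents:
        source: "data:,{{.vault_key}}"
    - path: /etc/vault/vault.crt
      mode: 0444
      contents:
        source: "data:,{{.vault_crt}}"
    # Vault agent configuration: cert auth against the leader, then one
    # template per certificate/key/kubeconfig the node needs.
    # NOTE(review): tls_skip_verify="true" disables verification of the
    # leader's server certificate, so the agent cannot tell an impostor at
    # leader.infra.ibj.io:8200 from the real Vault; pinning the leader's CA
    # with ca_cert would close that gap. The templates that render *.key
    # files write into the 0755 directories above; a `perms = 0600` entry
    # on each key template keeps them unreadable to other local users.
    # Hostnames with an "i" suffix ({{.hostname}}i.infra.ibj.io) match the
    # etcd peer URLs in etcd-member.service — presumably the node's
    # internal/peer address; confirm.
    - path: /etc/vault/config.hcl
      mode: 0444
      contents:
        inline: |
          vault {
            address = "https://leader.infra.ibj.io:8200"
            tls_skip_verify="true"
            client_key="/etc/vault/vault.key"
            client_cert="/etc/vault/vault.crt"
          }
          auto_auth {
            method "cert" {
              mount_path = "auth/cert"
            }
          }
          template {
            destination = "/var/etcd-certs/client.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/issue/client\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/client.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/issue/client\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/api-certs/etcd-client.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/issue/client\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/etcd-client.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/issue/client\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/client.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-client/cert/ca\"]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/server.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-server/issue/server\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/server.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-server/issue/server\" \"common_name={{.hostname}}.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/server.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-server/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/etcd-server.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-server/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/peer.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-peer/issue/peer\" \"common_name={{.hostname}}i.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/peer.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-peer/issue/peer\" \"common_name={{.hostname}}i.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/etcd-certs/peer.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-etcd-peer/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/server.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-server/issue/server\" \"common_name={{.hostname}}i.infra.ibj.io\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/server.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-server/issue/server\" \"common_name={{.hostname}}i.infra.ibj.io\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/server.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-server/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/client.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-client/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/kubelet-certs/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/kubelet-certs/kubeconfig.tmpl"
          }
          template {
            destination = "/var/proxy-certs/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/proxy-certs/kubeconfig.tmpl"
          }
          template {
            destination = "/var/controllermanager-certs/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/controllermanager-certs/kubeconfig.tmpl"
          }
          template {
            destination = "/var/scheduler-certs/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/scheduler-certs/kubeconfig.tmpl"
          }
          template {
            destination = "/var/cni/kubeconfig"
            left_delimiter="{["
            right_delimiter="]}"
            source = "/var/cni/kubeconfig.tmpl"
          }
          template {
            destination = "/var/api-certs/client.ca.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"kube-api-client/cert/ca\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/server.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"kube-api-server/issue/server\" \"common_name=api.infra.ibj.io\" \"ip_sans=fde7:76fd:7444:1000::b9d8\" ]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/server.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"kube-api-server/issue/server\" \"common_name=api.infra.ibj.io\" \"ip_sans=fde7:76fd:7444:1000::b9d8\" ]}{[.Data.private_key]}{[end]}"
          }
          template {
            destination = "/var/api-certs/kubelet-client.crt"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-client/issue/client\" \"common_name={{.hostname}}i.infra.ibj.io\"]}{[.Data.certificate]}{[end]}"
          }
          template {
            destination = "/var/api-certs/kubelet-client.key"
            left_delimiter="{["
            right_delimiter="]}"
            contents = "{[ with secret \"infra-kubelet-client/issue/client\" \"common_name={{.hostname}}i.infra.ibj.io\"]}{[.Data.private_key]}{[end]}"
          }
    # Kubeconfig templates rendered by the Vault agent (the {[ ... ]}
    # delimiters are the agent's, {{.hostname}} is substituted earlier).
    # Each component gets its own client certificate from kube-api-client
    # with the identity the apiserver's Node/RBAC authorizer expects.
    - path: /var/kubelet-certs/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/node" "common_name=system:node:{{.hostname}}i.infra.ibj.io"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/node" "common_name=system:node:{{.hostname}}i.infra.ibj.io" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    - path: /var/controllermanager-certs/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/controllermanager" "common_name=system:kube-controller-manager"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/controllermanager" "common_name=system:kube-controller-manager" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    - path: /var/proxy-certs/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/proxy" "common_name=system:kube-proxy"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/proxy" "common_name=system:kube-proxy" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    - path: /var/scheduler-certs/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/scheduler" "common_name=system:kube-scheduler"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/scheduler" "common_name=system:kube-scheduler" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    - path: /var/cni/kubeconfig.tmpl
      mode: 0444
      overwrite: true
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: joedc
              cluster:
                server: https://api.infra.ibj.io:6443
                certificate-authority-data: {[ with secret "kube-api-server/cert/ca" ]}{[base64Encode .Data.certificate]}{[end]}
          users:
            - name: local
              user:
                client-certificate-data: {[ with secret "kube-api-client/issue/basic" "common_name=calico-cni"]}{[base64Encode .Data.certificate]}{[end]}
                client-key-data: {[ with secret "kube-api-client/issue/basic" "common_name=calico-cni" ]}{[base64Encode .Data.private_key]}{[end]}
          contexts:
            - context:
                cluster: joedc
                user: local
              name: local@joedc
          current-context: local@joedc
    # Binaries and shared libraries fetched from the leader over plain http
    # with no contents.verification.hash, then run as root by the units
    # below. NOTE(review): add a verification hash (sha512-<hex>) per file so
    # a tampered or mis-served asset fails provisioning instead of booting
    # into the node.
    - path: /usr/local/bin/vault
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/vault/vault
    - path: /usr/local/bin/crio
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/crio
    - path: /usr/local/bin/crio-status
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/crio-status
    - path: /usr/local/bin/crun
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/crun
    - path: /usr/local/bin/pinns
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/pinns
    - path: /usr/local/bin/etcd
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/etcd/etcd
    - path: /usr/local/bin/etcdctl
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/etcd/etcdctl
    - path: /usr/local/bin/conmon
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/conmon
    - path: /usr/local/bin/crictl
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/crio-v1.20.0/bin/crictl
    - path: /usr/local/bin/conntrack
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/conntrack/conntrack
    - path: /usr/local/bin/tcpdump
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/tcpdump
    - path: /usr/local/lib64/libipset.so.13
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/libipset.so.13.1.0
    - path: /usr/local/bin/ipset
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/ipset
    - path: /usr/local/bin/ipvsadm
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/ipvsadm
    - path: /usr/local/bin/ipvsadm-restore
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/ipvsadm-restore
    - path: /usr/local/bin/ipvsadm-save
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/ipvsadm-save
    - path: /usr/local/bin/strapper
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/strapper
    - path: /usr/local/lib/libnetfilter_conntrack.so.3
      mode: 0444
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/conntrack/libnetfilter_conntrack.so.3
    - path: /usr/local/lib/libnfnetlink.so.0
      mode: 0444
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/conntrack/libnfnetlink.so.0
    - path: /usr/local/bin/kubelet
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kubelet
    - path: /usr/local/bin/kube-apiserver
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kube-apiserver
    - path: /usr/local/bin/kube-controller-manager
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kube-controller-manager
    - path: /usr/local/bin/kube-proxy
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kube-proxy
    - path: /usr/local/bin/kube-scheduler
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/kubernetes/server/bin/kube-scheduler
    - path: /usr/local/bin/calicoctl
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/calico/calicoctl
    - path: /opt/cni/bin/calico
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/calico/calico-amd64
    - path: /opt/cni/bin/calico-ipam
      mode: 0555
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/k8s/calico/calico-ipam-amd64
    # Service-account token signing key, shared by every control-plane node.
    # NOTE(review): it is served over plain http from the leader — whoever
    # can reach leader.infra.ibj.io:8080 can read it and mint valid
    # service-account tokens; it belongs in Vault next to the other keys.
    # Only root (kube-apiserver, kube-controller-manager) reads it, so 0400
    # replaces the previous world-readable 0444.
    - path: /var/api-certs/serviceaccount.key
      mode: 0400
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/tls/serviceaccount.key
    - path: /var/api-certs/serviceaccount.crt
      mode: 0444
      overwrite: true
      contents:
        source: http://leader.infra.ibj.io:8080/assets/tls/serviceaccount.crt
    # Let the dynamic loader find the libraries installed above.
    - path: /etc/ld.so.conf.d/local.conf
      mode: 0444
      overwrite: true
      contents:
        inline: |
          /usr/local/lib
          /usr/local/lib64
    # Kubelet configuration. NOTE(review): authorization mode AlwaysAllow
    # grants every authenticated caller full kubelet API access (exec, logs,
    # port-forward), and anonymous authentication is not disabled here (the
    # KubeletConfiguration default enables it — confirm for this version).
    # `authentication.anonymous.enabled: false` plus `authorization.mode:
    # Webhook` delegates kubelet authz to the apiserver's RBAC instead.
    - path: /etc/kubelet/config.yaml
      mode: 0444
      contents:
        inline: |
          apiVersion: kubelet.config.k8s.io/v1beta1
          kind: KubeletConfiguration
          cgroupDriver: systemd
          tlsCertFile: /var/kubelet-certs/server.crt
          tlsPrivateKeyFile: /var/kubelet-certs/server.key
          clusterDNS:
            - fde7:76fd:7444:1000::a0dc
            - 10.69.240.169
          authentication:
            x509:
              clientCAFile: /var/kubelet-certs/client.ca.crt
          authorization:
            mode: AlwaysAllow
          clusterDomain: internal.ibj.io
          featureGates:
            IPv6DualStack: true
    # CNI chain: Calico (Kubernetes datastore, via /var/cni/kubeconfig)
    # followed by portmap for hostPort support.
    - path: /etc/cni/net.d/10-crio.conf
      contents:
        inline: |
          {
            "name": "crio",
            "cniVersion": "0.3.1",
            "plugins": [
              {
                "type": "calico",
                "log_level": "info",
                "datastore_type": "kubernetes",
                "mtu": 1500,
                "ipam": {
                  "type": "calico-ipam"
                },
                "policy": {
                  "type": "k8s"
                },
                "kubernetes": {
                  "kubeconfig": "/var/cni/kubeconfig"
                }
              },
              {
                "type": "portmap",
                "snat": true,
                "capabilities": {"portMappings": true}
              }
            ]
          }
    # Keep NetworkManager's hands off the interfaces Calico creates.
    - path: /etc/NetworkManager/conf.d/calico.conf
      contents:
        inline: |
          [keyfile]
          unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico
    - path: /etc/cni/net.d/99-loopback.conf
      contents:
        inline: |
          {
            "cniVersion": "0.3.1",
            "name": "lo",
            "type": "loopback"
          }
systemd:
  units:
    # Boot order: strapper -> root-vault-agent-init (renders certs, exits
    # after auth) -> etcd, kubelet and the control-plane units.
    - name: strapper-agent.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the strapper agent
        After=network-online.target
        Wants=network-online.target
        [Service]
        User=root
        Group=root
        Type=notify
        ExecStart=/usr/local/bin/strapper
        [Install]
        WantedBy=multi-user.target
    # Long-running agent that keeps the templated certificates renewed.
    # NOTE(review): `vault agent` without -exit-after-auth does not exit, so
    # Type=oneshot leaves this unit "activating" indefinitely; Type=simple
    # looks like the intended type — confirm before changing, since
    # Restart= semantics differ between the two.
    - name: root-vault-agent.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the root vault agent
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service
        [Service]
        Type=oneshot
        User=root
        Group=root
        Restart=on-failure
        ExecStart=/usr/local/bin/vault agent -config /etc/vault/config.hcl
        [Install]
        WantedBy=multi-user.target
    # One-shot pass that authenticates and renders every template once, so
    # the units ordered After= it find their certificates on disk.
    - name: root-vault-agent-init.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the root vault agent
        After=strapper-agent.service
        Wants=strapper-agent.service
        After=systemd-resolved.service
        Wants=systemd-resolved.service
        [Service]
        Type=oneshot
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        ExecStart=/usr/local/bin/vault agent -config /etc/vault/config.hcl -exit-after-auth
        [Install]
        WantedBy=multi-user.target
    # Five-member etcd cluster; peer and client listeners both require a
    # client certificate from the respective CA (--peer-client-cert-auth,
    # --client-cert-auth). The member list is static, so adding a node means
    # editing --initial-cluster here.
    - name: etcd-member.service
      enabled: true
      contents: |
        [Unit]
        Description=Run an etcd node
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service
        StartLimitBurst=5
        [Service]
        User=root
        Group=root
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/etcd --data-dir /var/etcd --name {{.hostname}} \
          --initial-advertise-peer-urls https://{{.hostname}}i.infra.ibj.io:2380 --listen-peer-urls https://[::]:2380 \
          --advertise-client-urls https://{{.hostname}}.infra.ibj.io:2379 --listen-client-urls https://[::]:2379 \
          --initial-cluster node1=https://node1i.infra.ibj.io:2380,node2=https://node2i.infra.ibj.io:2380,node3=https://node3i.infra.ibj.io:2380,node4=https://node4i.infra.ibj.io:2380,node5=https://node5i.infra.ibj.io:2380 \
          --peer-cert-file=/var/etcd-certs/peer.crt --peer-key-file=/var/etcd-certs/peer.key --peer-trusted-ca-file=/var/etcd-certs/peer.ca.crt --peer-client-cert-auth \
          --cert-file=/var/etcd-certs/server.crt --key-file=/var/etcd-certs/server.key --trusted-ca-file=/var/etcd-certs/client.ca.crt --client-cert-auth
        [Install]
        WantedBy=multi-user.target
    - name: crio.service
      enabled: true
      contents: |
        [Unit]
        Description=Container Runtime Interface for OCI (CRI-O)
        Documentation=https://github.com/cri-o/cri-o
        Wants=network-online.target
        After=network-online.target
        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Type=notify
        EnvironmentFile=-/etc/sysconfig/crio
        Environment=GOTRACEBACK=crash
        ExecStart=/usr/local/bin/crio
        ExecReload=/bin/kill -s HUP $MAINPID
        TasksMax=infinity
        LimitNOFILE=1048576
        LimitNPROC=1048576
        LimitCORE=infinity
        OOMScoreAdjust=-999
        TimeoutStartSec=0
        Restart=on-abnormal
        [Install]
        WantedBy=multi-user.target
    # Fix: User=/Group= previously sat under [Unit], where systemd ignores
    # them with a warning; they are [Service] keys and now live there.
    - name: kubelet.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kubelet agent
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service
        After=crio.service
        Requires=crio.service
        [Service]
        User=root
        Group=root
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kubelet \
          --config /etc/kubelet/config.yaml \
          --container-runtime=remote \
          --container-runtime-endpoint=unix:///var/run/crio/crio.sock \
          --hostname-override={{.hostname}}i.infra.ibj.io \
          --kubeconfig /var/kubelet-certs/kubeconfig
        [Install]
        WantedBy=multi-user.target
    # kube-apiserver on every node, each talking only to its local etcd
    # member (--etcd-servers), with Node,RBAC authorization and x509 client
    # auth. NOTE(review): --runtime-config enables every alpha API group,
    # which widens the API surface beyond what the workloads here appear to
    # need; list the specific groups instead if any are required.
    - name: apiserver.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kube apiserver
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service
        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kube-apiserver \
          --allow-privileged \
          --authorization-mode=Node,RBAC \
          --bind-address=:: \
          --client-ca-file=/var/api-certs/client.ca.crt \
          --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \
          --etcd-cafile=/var/api-certs/etcd-server.ca.crt \
          --etcd-certfile=/var/api-certs/etcd-client.crt \
          --etcd-keyfile=/var/api-certs/etcd-client.key \
          --etcd-servers=https://{{.hostname}}.infra.ibj.io:2379 \
          --event-ttl=1h \
          --feature-gates="IPv6DualStack=true,EphemeralContainers=true" \
          --kubelet-certificate-authority=/var/kubelet-certs/server.ca.crt \
          --kubelet-client-certificate=/var/api-certs/kubelet-client.crt \
          --kubelet-client-key=/var/api-certs/kubelet-client.key \
          --runtime-config='api/v1=true,api/ga=true,api/beta=true,api/alpha=true' \
          --service-account-issuer=joedc \
          --service-account-key-file=/var/api-certs/serviceaccount.key \
          --service-account-signing-key-file=/var/api-certs/serviceaccount.key \
          --service-node-port-range=30000-32767 \
          --service-cluster-ip-range="10.69.0.0/16,fde7:76fd:7444:1000::/108" \
          --tls-cert-file=/var/api-certs/server.crt \
          --tls-private-key-file=/var/api-certs/server.key
        [Install]
        WantedBy=multi-user.target
    - name: controllermanager.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kube controller-manager
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service
        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kube-controller-manager \
          --allocate-node-cidrs=true \
          --cluster-cidr="10.68.0.0/16,fde7:76fd:7444:2000::/56" \
          --service-cluster-ip-range="10.69.0.0/16,fde7:76fd:7444:1000::/108" \
          --feature-gates="IPv6DualStack=true,EphemeralContainers=true" \
          --flex-volume-plugin-dir=/opt/libexec/kubernetes/kubelet-plugins/volume/exec \
          --kubeconfig=/var/controllermanager-certs/kubeconfig \
          --service-account-private-key-file=/var/api-certs/serviceaccount.key \
          --use-service-account-credentials
        [Install]
        WantedBy=multi-user.target
    - name: scheduler.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kube scheduler
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service
        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kube-scheduler \
          --feature-gates="IPv6DualStack=true,EphemeralContainers=true" \
          --kubeconfig=/var/scheduler-certs/kubeconfig
        [Install]
        WantedBy=multi-user.target
    # Fix: the Description was a copy-paste of the scheduler unit's.
    - name: proxy.service
      enabled: true
      contents: |
        [Unit]
        Description=Run the kube proxy
        After=root-vault-agent-init.service
        Wants=root-vault-agent-init.service
        [Service]
        User=root
        Group=root
        Environment="HOME=/root"
        Restart=on-failure
        RestartSec=30
        ExecStart=/usr/local/bin/kube-proxy \
          --cluster-cidr="10.68.0.0/16,fde7:76fd:7444:2000::/56" \
          --feature-gates="IPv6DualStack=true,EphemeralContainers=true" \
          --hostname-override="{{.hostname}}i.infra.ibj.io" \
          --kubeconfig=/var/proxy-certs/kubeconfig \
          --proxy-mode=ipvs
        [Install]
        WantedBy=multi-user.target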