CoreOS ignition file for setting up kubernetes master+worker node
passwd:
  users:
    # Root is given a password (SHA-512 crypt, "$6$"). A hash that has been
    # published in a public gist has to be treated as disclosed — it can be
    # attacked offline — so rotate it before this config reaches any
    # network-reachable host, or drop password_hash and rely on SSH keys only.
    - name: "root"
      groups:
        - "sudo"
        - "wheel"
      password_hash: "$6$gO2u2Sjk$Q5T/SqiwFzK95jRqO6FArDDmDGmdXblnKHtL4HiA.NrGgfJk8CJF5AfAfoMt8kF/jlsqHEgRDxYOFYzw9sroS/"
    # Key-only login; sudo/wheel membership is root-equivalent on this image
    # (whether sudo prompts for a password depends on the image's sudoers —
    # TODO confirm).
    - name: "user"
      groups:
        - "sudo"
        - "wheel"
      ssh_authorized_keys:
        - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC918WDfEGf0n5WZ0CowJKzKp3iglADYxqRraq05cysRQGnkH2P/pE0zR0rIIuE37cAev3Y78xf4AcEmCpjvsCo0MWBf+v2VNvPFGQCxSWHOnuw1kc0QZrRMBcUpP5wIb8fk9DSgo7KDvGTH2ycdBfvkmGd6z553HV105YvE0iM6qCZ4XMePACnTvM/cDDzLeKJQpPwYyHlsY1Uo4crfHjGMt6YGN6nl2Z6809FPXgy8ZxdDgVT9+LMeukNRKULIB3bg9n6VQMVknvU8bvvhO/x9lHkvSDaCek9OWmtoIHmzHw454dDEDq6ZZU2ZZblGzZ8/LrZ9u3bHsC5enAhTSLf user@navy270"
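storage:
  files:
    # Helper used as ExecStartPre: blocks until an HTTP endpoint answers.
    # Usage: wupiao HOST:PORT[/PATH]. Polls with a HEAD request once a second
    # until curl gets a non-error response. Only used against etcd on loopback.
    - filesystem: "root"
      path: "/opt/bin/wupiao"
      mode: 0755
      contents:
        inline: |
          #!/bin/bash
          # [w]ait [u]ntil [p]ort [i]s [a]ctually [o]pen
          if [ -n "$1" ]; then
            until curl -o /dev/null -sIf http://${1}; do
              sleep 1 && echo "."
            done
          fi
          exit $?
    # OpenSSL config for the self-signed cluster CA (generate-ca.service passes
    # -extensions "ca"). Only the extension sections matter; the DN comes
    # from -subj.
    - filesystem: "root"
      path: "/opt/cert/ca.conf"
      mode: 0644
      contents:
        inline: |
          [ca]
          basicConstraints = critical, CA:TRUE
          keyUsage = critical, digitalSignature, cRLSign, keyCertSign
          [req]
          distinguished_name = req_distinguished_name
          [req_distinguished_name]
    # Component kubeconfigs. All of them authenticate with client certs from
    # issue-cert, which sets only CN=coreos-<name> (no O=), so these identities
    # carry no group membership if RBAC is ever enabled on the API server.
    - filesystem: "root"
      path: "/opt/kube/manager-kubeconfig.yaml"
      mode: 0644
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: local
              cluster:
                certificate-authority: /opt/cert/ca-cert.pem
                server: https://127.0.0.1:6443
          users:
            - name: kube-controller-manager
              user:
                client-certificate: /opt/cert/client-manager-cert.pem
                client-key: /opt/cert/client-manager-key.pem
          contexts:
            - name: kube-controller-manager-local
              context:
                cluster: local
                user: kube-controller-manager
          current-context: kube-controller-manager-local
    - filesystem: "root"
      path: "/opt/kube/scheduler-kubeconfig.yaml"
      mode: 0644
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: local
              cluster:
                certificate-authority: /opt/cert/ca-cert.pem
                server: https://127.0.0.1:6443
          users:
            - name: kube-scheduler
              user:
                client-certificate: /opt/cert/client-scheduler-cert.pem
                client-key: /opt/cert/client-scheduler-key.pem
          contexts:
            - name: kube-scheduler-local
              context:
                cluster: local
                user: kube-scheduler
          current-context: kube-scheduler-local
    - filesystem: "root"
      path: "/opt/kube/proxy-kubeconfig.yaml"
      mode: 0644
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: local
              cluster:
                certificate-authority: /opt/cert/ca-cert.pem
                server: https://127.0.0.1:6443
          users:
            - name: kube-proxy
              user:
                client-certificate: /opt/cert/client-proxy-cert.pem
                client-key: /opt/cert/client-proxy-key.pem
          contexts:
            - name: kube-proxy-local
              context:
                cluster: local
                user: kube-proxy
          current-context: kube-proxy-local
    - filesystem: "root"
      path: "/opt/kube/kubelet-kubeconfig.yaml"
      mode: 0644
      contents:
        inline: |
          apiVersion: v1
          kind: Config
          clusters:
            - name: local
              cluster:
                certificate-authority: /opt/cert/ca-cert.pem
                server: https://127.0.0.1:6443
          users:
            - name: kube-kubelet
              user:
                client-certificate: /opt/cert/client-kubelet-cert.pem
                client-key: /opt/cert/client-kubelet-key.pem
          contexts:
            - name: kube-kubelet-local
              context:
                cluster: local
                user: kube-kubelet
          current-context: kube-kubelet-local
    # Scheduler config. healthz and metrics are bound to 0.0.0.0:10251, i.e.
    # reachable from every interface without authentication in this setup;
    # bind them to 127.0.0.1 unless something external must scrape them.
    - filesystem: "root"
      path: "/opt/kube/scheduler-config.yaml"
      mode: 0644
      contents:
        inline: |
          algorithmSource:
            provider: DefaultProvider
          apiVersion: kubescheduler.config.k8s.io/v1alpha1
          bindTimeoutSeconds: 600
          clientConnection:
            acceptContentTypes: ""
            burst: 100
            contentType: application/vnd.kubernetes.protobuf
            kubeconfig: "/opt/kube/scheduler-kubeconfig.yaml"
            qps: 50
          disablePreemption: false
          enableContentionProfiling: false
          enableProfiling: false
          failureDomains: kubernetes.io/hostname,failure-domain.beta.kubernetes.io/zone,failure-domain.beta.kubernetes.io/region
          hardPodAffinitySymmetricWeight: 1
          healthzBindAddress: 0.0.0.0:10251
          kind: KubeSchedulerConfiguration
          leaderElection:
            leaderElect: true
            leaseDuration: 15s
            lockObjectName: kube-scheduler
            lockObjectNamespace: kube-system
            renewDeadline: 10s
            resourceLock: endpoints
            retryPeriod: 2s
          metricsBindAddress: 0.0.0.0:10251
          percentageOfNodesToScore: 50
          schedulerName: default-scheduler
    # kube-proxy config. metrics stay on loopback; healthz is on all
    # interfaces (the usual choice for external health checks).
    # NOTE(review): clusterCIDR is empty while flanneld is configured with
    # 10.244.0.0/16 below — confirm that is intended, as it changes which
    # traffic kube-proxy masquerades.
    - filesystem: "root"
      path: "/opt/kube/proxy-config.yaml"
      mode: 0644
      contents:
        inline: |
          apiVersion: kubeproxy.config.k8s.io/v1alpha1
          bindAddress: 0.0.0.0
          clientConnection:
            acceptContentTypes: ""
            burst: 10
            contentType: application/vnd.kubernetes.protobuf
            kubeconfig: "/opt/kube/proxy-kubeconfig.yaml"
            qps: 5
          clusterCIDR: ""
          configSyncPeriod: 15m0s
          conntrack:
            max: 0
            maxPerCore: 32768
            min: 131072
            tcpCloseWaitTimeout: 1h0m0s
            tcpEstablishedTimeout: 24h0m0s
          enableProfiling: false
          healthzBindAddress: 0.0.0.0:10256
          hostnameOverride: ""
          iptables:
            masqueradeAll: false
            masqueradeBit: 14
            minSyncPeriod: 0s
            syncPeriod: 30s
          ipvs:
            excludeCIDRs: null
            minSyncPeriod: 0s
            scheduler: ""
            syncPeriod: 30s
          kind: KubeProxyConfiguration
          metricsBindAddress: 127.0.0.1:10249
          mode: ""
          nodePortAddresses: null
          oomScoreAdj: -999
          portRange: ""
          resourceContainer: /kube-proxy
          udpIdleTimeout: 250ms
    # Issues a certificate signed by the node-local CA.
    # Usage: issue-cert server|client NAME [SAN]
    #   server: EKU serverAuth, subjectAltName taken from $3
    #   client: EKU clientAuth, subject is CN=coreos-NAME only
    # Writes /opt/cert/NAME-key.pem and /opt/cert/NAME-cert.pem (leaf + CA).
    - filesystem: "root"
      path: "/opt/bin/issue-cert"
      mode: 0755
      contents:
        inline: |
          #!/bin/bash
          # Stop at the first failing openssl step instead of turning a missing
          # CSR into a broken certificate bundle that the units then load.
          set -e
          # Private keys and scratch files are created root-only here, so the
          # result does not depend on what the installed OpenSSL does by default.
          umask 077
          TYPE="$1"
          CN="$2"
          SAN="${3:-}"
          # Scratch dir for the CSR and the unbundled cert. A fixed name under
          # /tmp could be pre-created by any other local user.
          WORK="$(mktemp -d)"
          trap 'rm -rf "$WORK"' EXIT
          if [ "$TYPE" = "server" ]; then
            CERT_TYPE="server"
            CERT_USAGE=""
            CERT_AUTH=":always"
            CERT_SAN="subjectAltName = $SAN"
          else
            CERT_TYPE="client"
            CERT_USAGE=", nonRepudiation"
            CERT_AUTH=""
            CERT_SAN=""
          fi
          openssl req \
            -new \
            -sha256 \
            -subj "/CN=coreos-${CN}" \
            -nodes \
            -newkey rsa:4096 \
            -keyout "/opt/cert/${CN}-key.pem" \
            -out "${WORK}/${CN}-cert.csr"
          # Extensions are built inline; nsCertType is a legacy Netscape
          # extension that modern TLS stacks ignore. Leaf validity is ~8 years.
          openssl x509 \
            -req \
            -sha256 \
            -days 3000 \
            -extfile <( \
              cat <<EOF
          [key]
          basicConstraints = CA:FALSE
          nsCertType = ${CERT_TYPE}
          authorityKeyIdentifier = keyid,issuer${CERT_AUTH}
          keyUsage = critical, digitalSignature, keyEncipherment${CERT_USAGE}
          extendedKeyUsage = ${CERT_TYPE}Auth
          ${CERT_SAN}
          [req]
          distinguished_name = req_distinguished_name
          [req_distinguished_name]
          EOF
            ) \
            -extensions "key" \
            -in "${WORK}/${CN}-cert.csr" \
            -CA "/opt/cert/ca-cert.pem" \
            -CAkey "/opt/cert/ca-key.pem" \
            -CAserial "/opt/cert/ca.srl" \
            -CAcreateserial \
            -out "${WORK}/${CN}-cert.pem"
          cat "${WORK}/${CN}-cert.pem" "/opt/cert/ca-cert.pem" > "/opt/cert/${CN}-cert.pem"
    # Prints a self-contained kubeconfig for NAME with the CA, the client cert
    # and the client private key inlined (base64). The output is a credential:
    # redirect it into a file with restrictive permissions, not into a log.
    - filesystem: "root"
      path: "/opt/bin/export-conf"
      mode: 0755
      contents:
        inline: |
          #!/bin/bash
          NAME="$1"
          # Provides DEFAULT_IPV4 (written by setup-network-environment.service).
          . /etc/network-environment
          cat <<EOF
          apiVersion: v1
          kind: Config
          clusters:
            - name: ${NAME}
              cluster:
                certificate-authority-data: $(base64 -w0 /opt/cert/ca-cert.pem)
                server: https://${DEFAULT_IPV4}:6443
          users:
            - name: ${NAME}
              user:
                client-certificate-data: $(base64 -w0 /opt/cert/${NAME}-cert.pem)
                client-key-data: $(base64 -w0 /opt/cert/${NAME}-key.pem)
          contexts:
            - name: ${NAME}
              context:
                cluster: ${NAME}
                user: ${NAME}
          current-context: ${NAME}
          EOF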
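systemd:
  units:
    # Single-member etcd, plaintext and unauthenticated, on loopback only.
    # Every local process that can reach 127.0.0.1:2379 can read or change
    # all cluster state (including Secrets), so this only holds up while
    # nothing untrusted runs on the node.
    - name: "etcd-member.service"
      enabled: true
      dropins:
        - name: "etcd-options.conf"
          contents: |
            [Service]
            Environment="ETCD_OPTS=\
              --name master \
              --listen-client-urls http://127.0.0.1:2379 \
              --advertise-client-urls http://127.0.0.1:2379 \
              --initial-cluster-token coreos-master \
              --listen-peer-urls http://127.0.0.1:2380 \
              --initial-advertise-peer-urls http://127.0.0.1:2380 \
              --initial-cluster master=http://127.0.0.1:2380 \
              --initial-cluster-state new \
            "
    # One-shot downloads, guarded by ConditionPathExists so they run once.
    # curl gets -f so an HTTP error fails the unit instead of saving the
    # error page as the "binary" — with the guard in place such a file would
    # never be re-fetched. None of the *-fetch units below verify a checksum
    # or signature of what they download, and the kube binaries are pinned
    # to v1.12.0, a release long out of support.
    - name: "setup-network-environment-fetch.service"
      enabled: true
      contents: |
        [Unit]
        Requires=network-online.target
        After=network-online.target
        ConditionPathExists=!/opt/bin/setup-network-environment
        [Service]
        ExecStart=/usr/bin/curl -fL -o /opt/bin/setup-network-environment https://github.com/kelseyhightower/setup-network-environment/releases/download/1.0.1/setup-network-environment
        ExecStart=/usr/bin/chmod +x /opt/bin/setup-network-environment
        RemainAfterExit=yes
        Type=oneshot
        [Install]
        WantedBy=multi-user.target
    - name: "kube-apiserver-fetch.service"
      enabled: true
      contents: |
        [Unit]
        Requires=network-online.target
        After=network-online.target
        ConditionPathExists=!/opt/bin/kube-apiserver
        [Service]
        ExecStart=/usr/bin/curl -fL -o /opt/bin/kube-apiserver https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kube-apiserver
        ExecStart=/usr/bin/chmod +x /opt/bin/kube-apiserver
        RemainAfterExit=yes
        Type=oneshot
        [Install]
        WantedBy=multi-user.target
    - name: "kube-controller-manager-fetch.service"
      enabled: true
      contents: |
        [Unit]
        Requires=network-online.target
        After=network-online.target
        ConditionPathExists=!/opt/bin/kube-controller-manager
        [Service]
        ExecStart=/usr/bin/curl -fL -o /opt/bin/kube-controller-manager https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kube-controller-manager
        ExecStart=/usr/bin/chmod +x /opt/bin/kube-controller-manager
        RemainAfterExit=yes
        Type=oneshot
        [Install]
        WantedBy=multi-user.target
    - name: "kube-scheduler-fetch.service"
      enabled: true
      contents: |
        [Unit]
        Requires=network-online.target
        After=network-online.target
        ConditionPathExists=!/opt/bin/kube-scheduler
        [Service]
        ExecStart=/usr/bin/curl -fL -o /opt/bin/kube-scheduler https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kube-scheduler
        ExecStart=/usr/bin/chmod +x /opt/bin/kube-scheduler
        RemainAfterExit=yes
        Type=oneshot
        [Install]
        WantedBy=multi-user.target
    - name: "kube-proxy-fetch.service"
      enabled: true
      contents: |
        [Unit]
        Requires=network-online.target
        After=network-online.target
        ConditionPathExists=!/opt/bin/kube-proxy
        [Service]
        ExecStart=/usr/bin/curl -fL -o /opt/bin/kube-proxy https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kube-proxy
        ExecStart=/usr/bin/chmod +x /opt/bin/kube-proxy
        RemainAfterExit=yes
        Type=oneshot
        [Install]
        WantedBy=multi-user.target
    - name: "kubelet-fetch.service"
      enabled: true
      contents: |
        [Unit]
        Requires=network-online.target
        After=network-online.target
        ConditionPathExists=!/opt/bin/kubelet
        [Service]
        ExecStart=/usr/bin/curl -fL -o /opt/bin/kubelet https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kubelet
        ExecStart=/usr/bin/chmod +x /opt/bin/kubelet
        RemainAfterExit=yes
        Type=oneshot
        [Install]
        WantedBy=multi-user.target
    # Writes /etc/network-environment (DEFAULT_IPV4 etc.), which the cert
    # generation and kubelet units read through EnvironmentFile=.
    - name: "setup-network-environment.service"
      enabled: true
      contents: |
        [Unit]
        Requires=setup-network-environment-fetch.service
        After=setup-network-environment-fetch.service
        [Service]
        ExecStart=/opt/bin/setup-network-environment
        RemainAfterExit=yes
        Type=oneshot
        [Install]
        WantedBy=multi-user.target
    # Seeds the flannel network config in etcd (v2 API, loopback, no auth)
    # before flanneld starts.
    - name: "flanneld.service"
      enabled: true
      dropins:
        - name: "etcd-setup.conf"
          contents: |
            [Unit]
            Requires=etcd-member.service
            After=etcd-member.service
            [Service]
            ExecStartPre=/usr/bin/etcdctl set /coreos.com/network/config '{"Network":"10.244.0.0/16", "Backend": {"Type": "vxlan"}}'
    - name: "docker.service"
      enabled: true
    # Creates the cluster CA and every component certificate on first boot.
    # The CA private key lives on this node (/opt/cert/ca-key.pem) next to
    # the API server, and the CA cert is installed into the system trust store
    # via update-ca-certificates, so anything signed with that key is trusted
    # by every TLS client on the host, not only by the kube components.
    - name: "generate-ca.service"
      enabled: true
      contents: |
        [Unit]
        Requires=setup-network-environment.service
        After=setup-network-environment.service
        ConditionPathExists=!/opt/cert/ca-cert.pem
        ConditionPathExists=!/opt/cert/ca-key.pem
        [Service]
        EnvironmentFile=/etc/network-environment
        ExecStart=/bin/mkdir -p /opt/cert
        # NOTE(review): "DN" is not a standard attribute short name in -subj;
        # openssl is expected to warn and skip it — confirm the resulting
        # subject is the intended one. CA validity is ~10 years.
        ExecStart=/bin/openssl req \
          -x509 \
          -subj "/CN=ca-coreos/DN=ca-coreos" \
          -config "/opt/cert/ca.conf" \
          -extensions "ca" \
          -days "3600" \
          -nodes \
          -newkey "rsa:4096" \
          -keyout "/opt/cert/ca-key.pem" \
          -out "/opt/cert/ca-cert.pem"
        ExecStart=/bin/cp "/opt/cert/ca-cert.pem" "/etc/ssl/certs/"
        ExecStart=/usr/sbin/update-ca-certificates
        ExecStart=/opt/bin/issue-cert "server" "server-api" "IP:127.0.0.1,IP:10.100.0.1,IP:${DEFAULT_IPV4}"
        ExecStart=/opt/bin/issue-cert "server" "server-manager" "IP:127.0.0.1,IP:10.100.0.1,IP:${DEFAULT_IPV4}"
        ExecStart=/opt/bin/issue-cert "server" "server-kubelet" "IP:127.0.0.1,IP:10.100.0.1,IP:${DEFAULT_IPV4}"
        ExecStart=/opt/bin/issue-cert "client" "client-manager"
        ExecStart=/opt/bin/issue-cert "client" "client-scheduler"
        ExecStart=/opt/bin/issue-cert "client" "client-proxy"
        ExecStart=/opt/bin/issue-cert "client" "client-kubelet"
        # Human admin credential, exported with /opt/bin/export-conf.
        ExecStart=/opt/bin/issue-cert "client" "client-user"
        RemainAfterExit=yes
        Type=oneshot
        [Install]
        WantedBy=multi-user.target
    # Key used to sign (controller-manager) and verify (API server) service
    # account tokens.
    - name: "generate-serviceaccount-key.service"
      enabled: true
      contents: |
        [Unit]
        ConditionPathExists=!/opt/cert/kube-serviceaccount.key
        [Service]
        ExecStart=/bin/mkdir -p /opt/cert
        # ExecStart= is not run through a shell, so a trailing "2>/dev/null"
        # reaches openssl as an extra argument (ignored or rejected depending
        # on the OpenSSL version) instead of silencing stderr.
        ExecStart=/bin/openssl genrsa -out /opt/cert/kube-serviceaccount.key 2048
        RemainAfterExit=yes
        Type=oneshot
        [Install]
        WantedBy=multi-user.target
    # API server. Flags that are NOT set here fall back to defaults that
    # decide the exposure of this node:
    #  - --authorization-mode defaults to AlwaysAllow, so every authenticated
    #    identity (any cert from the cluster CA) gets full access;
    #  - --anonymous-auth defaults to true, which with AlwaysAllow and
    #    --bind-address 0.0.0.0 means unauthenticated requests to :6443 are
    #    authorized as well (consider --anonymous-auth "false");
    #  - the insecure (plain HTTP, no auth) port is still on by default for
    #    this release on 127.0.0.1:8080.
    # Switching --authorization-mode on requires the component certs to carry
    # the right groups first; issue-cert sets only CN.
    # --service-account-lookup "false" keeps a service-account token valid
    # after its Secret is deleted, removing the usual way to revoke one.
    # No --kubelet-client-certificate is set, so the API server has no
    # client identity towards the kubelet.
    - name: "kube-apiserver.service"
      enabled: true
      contents: |
        [Unit]
        Requires=kube-apiserver-fetch.service etcd-member.service generate-serviceaccount-key.service generate-ca.service
        After=kube-apiserver-fetch.service etcd-member.service generate-serviceaccount-key.service generate-ca.service
        [Service]
        ExecStartPre=/opt/bin/wupiao 127.0.0.1:2379/v2/machines
        ExecStart=/opt/bin/kube-apiserver \
          --service-account-key-file "/opt/cert/kube-serviceaccount.key" \
          --service-account-lookup "false" \
          --runtime-config "api/all=true" \
          --allow-privileged "true" \
          --kubelet-https "true" \
          --bind-address "0.0.0.0" \
          --secure-port "6443" \
          --service-cluster-ip-range "10.100.0.0/16" \
          --etcd-servers "http://127.0.0.1:2379" \
          --tls-cert-file "/opt/cert/server-api-cert.pem" \
          --tls-private-key-file "/opt/cert/server-api-key.pem" \
          --client-ca-file "/opt/cert/ca-cert.pem"
        Restart=always
        RestartSec=10
        [Install]
        WantedBy=multi-user.target
    # Controller manager. It is handed the CA private key
    # (--cluster-signing-key-file), so it can mint certificates for any
    # CSR it approves. The duplicate --client-ca-file flag was dropped.
    - name: "kube-controller-manager.service"
      enabled: true
      contents: |
        [Unit]
        Requires=kube-controller-manager-fetch.service kube-apiserver.service
        After=kube-controller-manager-fetch.service kube-apiserver.service
        [Service]
        ExecStart=/opt/bin/kube-controller-manager \
          --service-account-private-key-file "/opt/cert/kube-serviceaccount.key" \
          --cluster-signing-cert-file "/opt/cert/ca-cert.pem" \
          --cluster-signing-key-file "/opt/cert/ca-key.pem" \
          --client-ca-file "/opt/cert/ca-cert.pem" \
          --root-ca-file "/opt/cert/ca-cert.pem" \
          --tls-cert-file "/opt/cert/server-manager-cert.pem" \
          --tls-private-key-file "/opt/cert/server-manager-key.pem" \
          --kubeconfig "/opt/kube/manager-kubeconfig.yaml" \
          --authentication-kubeconfig "/opt/kube/manager-kubeconfig.yaml" \
          --authorization-kubeconfig "/opt/kube/manager-kubeconfig.yaml"
        Restart=always
        RestartSec=10
        [Install]
        WantedBy=multi-user.target
    - name: "kube-scheduler.service"
      enabled: true
      contents: |
        [Unit]
        Requires=kube-scheduler-fetch.service kube-apiserver.service
        After=kube-scheduler-fetch.service kube-apiserver.service
        [Service]
        ExecStart=/opt/bin/kube-scheduler --config "/opt/kube/scheduler-config.yaml"
        Restart=always
        RestartSec=10
        [Install]
        WantedBy=multi-user.target
    - name: "kube-proxy.service"
      enabled: true
      contents: |
        [Unit]
        Requires=kube-proxy-fetch.service kube-apiserver.service
        After=kube-proxy-fetch.service kube-apiserver.service
        [Service]
        ExecStart=/opt/bin/kube-proxy --config "/opt/kube/proxy-config.yaml"
        Restart=always
        RestartSec=10
        [Install]
        WantedBy=multi-user.target
    # Kubelet. Its own API (port 10250) runs with kubelet defaults: no
    # --client-ca-file, so anonymous requests stay enabled and authorization
    # stays AlwaysAllow — any client that can reach the port gets the full
    # kubelet API without credentials. --allow-privileged is on. The node is
    # registered under its IP (--hostname-override).
    - name: "kubelet.service"
      enabled: true
      contents: |
        [Unit]
        Requires=setup-network-environment.service kubelet-fetch.service kube-apiserver.service
        After=setup-network-environment.service kubelet-fetch.service kube-apiserver.service
        [Service]
        EnvironmentFile=/etc/network-environment
        ExecStart=/opt/bin/kubelet \
          --kubeconfig "/opt/kube/kubelet-kubeconfig.yaml" \
          --allow-privileged \
          --register-node \
          --tls-cert-file "/opt/cert/server-kubelet-cert.pem" \
          --tls-private-key-file "/opt/cert/server-kubelet-key.pem" \
          --cluster-dns "10.100.0.10" \
          --hostname-override "${DEFAULT_IPV4}"
        Restart=always
        RestartSec=10
        [Install]
        WantedBy=multi-user.target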
# Follow the stable channel but never reboot automatically: OS updates
# (including security fixes) are downloaded yet only take effect after a
# manual reboot.
update:
  group: "stable"
locksmith:
  reboot_strategy: "off"