Last active
December 24, 2021 14:21
-
-
Save iamtakingiteasy/e51effb2547c7b87a99613ad6f668a83 to your computer and use it in GitHub Desktop.
CoreOS ignition file for setting up kubernetes master+worker node
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| passwd: | |
| users: | |
| - name: "root" | |
| groups: | |
| - "sudo" | |
| - "wheel" | |
| password_hash: "$6$gO2u2Sjk$Q5T/SqiwFzK95jRqO6FArDDmDGmdXblnKHtL4HiA.NrGgfJk8CJF5AfAfoMt8kF/jlsqHEgRDxYOFYzw9sroS/" | |
| - name: "user" | |
| groups: | |
| - "sudo" | |
| - "wheel" | |
| ssh_authorized_keys: | |
| - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC918WDfEGf0n5WZ0CowJKzKp3iglADYxqRraq05cysRQGnkH2P/pE0zR0rIIuE37cAev3Y78xf4AcEmCpjvsCo0MWBf+v2VNvPFGQCxSWHOnuw1kc0QZrRMBcUpP5wIb8fk9DSgo7KDvGTH2ycdBfvkmGd6z553HV105YvE0iM6qCZ4XMePACnTvM/cDDzLeKJQpPwYyHlsY1Uo4crfHjGMt6YGN6nl2Z6809FPXgy8ZxdDgVT9+LMeukNRKULIB3bg9n6VQMVknvU8bvvhO/x9lHkvSDaCek9OWmtoIHmzHw454dDEDq6ZZU2ZZblGzZ8/LrZ9u3bHsC5enAhTSLf user@navy270" | |
| storage: | |
| files: | |
| - filesystem: "root" | |
| path: "/opt/bin/wupiao" | |
| mode: 0755 | |
| contents: | |
| inline: | | |
| #!/bin/bash | |
| # [w]ait [u]ntil [p]ort [i]s [a]ctually [o]pen | |
| if [ -n "$1" ]; then | |
| until curl -o /dev/null -sIf http://${1}; do | |
| sleep 1 && echo "." | |
| done | |
| fi | |
| exit $? | |
| - filesystem: "root" | |
| path: "/opt/cert/ca.conf" | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| [ca] | |
| basicConstraints = critical, CA:TRUE | |
| keyUsage = critical, digitalSignature, cRLSign, keyCertSign | |
| [req] | |
| distinguished_name = req_distinguished_name | |
| [req_distinguished_name] | |
| - filesystem: "root" | |
| path: "/opt/kube/manager-kubeconfig.yaml" | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| apiVersion: v1 | |
| kind: Config | |
| clusters: | |
| - name: local | |
| cluster: | |
| certificate-authority: /opt/cert/ca-cert.pem | |
| server: https://127.0.0.1:6443 | |
| users: | |
| - name: kube-controller-manager | |
| user: | |
| client-certificate: /opt/cert/client-manager-cert.pem | |
| client-key: /opt/cert/client-manager-key.pem | |
| contexts: | |
| - name: kube-controller-manager-local | |
| context: | |
| cluster: local | |
| user: kube-controller-manager | |
| current-context: kube-controller-manager-local | |
| - filesystem: "root" | |
| path: "/opt/kube/scheduler-kubeconfig.yaml" | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| apiVersion: v1 | |
| kind: Config | |
| clusters: | |
| - name: local | |
| cluster: | |
| certificate-authority: /opt/cert/ca-cert.pem | |
| server: https://127.0.0.1:6443 | |
| users: | |
| - name: kube-scheduler | |
| user: | |
| client-certificate: /opt/cert/client-scheduler-cert.pem | |
| client-key: /opt/cert/client-scheduler-key.pem | |
| contexts: | |
| - name: kube-scheduler-local | |
| context: | |
| cluster: local | |
| user: kube-scheduler | |
| current-context: kube-scheduler-local | |
| - filesystem: "root" | |
| path: "/opt/kube/proxy-kubeconfig.yaml" | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| apiVersion: v1 | |
| kind: Config | |
| clusters: | |
| - name: local | |
| cluster: | |
| certificate-authority: /opt/cert/ca-cert.pem | |
| server: https://127.0.0.1:6443 | |
| users: | |
| - name: kube-proxy | |
| user: | |
| client-certificate: /opt/cert/client-proxy-cert.pem | |
| client-key: /opt/cert/client-proxy-key.pem | |
| contexts: | |
| - name: kube-proxy-local | |
| context: | |
| cluster: local | |
| user: kube-proxy | |
| current-context: kube-proxy-local | |
| - filesystem: "root" | |
| path: "/opt/kube/kubelet-kubeconfig.yaml" | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| apiVersion: v1 | |
| kind: Config | |
| clusters: | |
| - name: local | |
| cluster: | |
| certificate-authority: /opt/cert/ca-cert.pem | |
| server: https://127.0.0.1:6443 | |
| users: | |
| - name: kube-kubelet | |
| user: | |
| client-certificate: /opt/cert/client-kubelet-cert.pem | |
| client-key: /opt/cert/client-kubelet-key.pem | |
| contexts: | |
| - name: kube-kubelet-local | |
| context: | |
| cluster: local | |
| user: kube-kubelet | |
| current-context: kube-kubelet-local | |
| - filesystem: "root" | |
| path: "/opt/kube/scheduler-config.yaml" | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| algorithmSource: | |
| provider: DefaultProvider | |
| apiVersion: kubescheduler.config.k8s.io/v1alpha1 | |
| bindTimeoutSeconds: 600 | |
| clientConnection: | |
| acceptContentTypes: "" | |
| burst: 100 | |
| contentType: application/vnd.kubernetes.protobuf | |
| kubeconfig: "/opt/kube/scheduler-kubeconfig.yaml" | |
| qps: 50 | |
| disablePreemption: false | |
| enableContentionProfiling: false | |
| enableProfiling: false | |
| failureDomains: kubernetes.io/hostname,failure-domain.beta.kubernetes.io/zone,failure-domain.beta.kubernetes.io/region | |
| hardPodAffinitySymmetricWeight: 1 | |
| healthzBindAddress: 0.0.0.0:10251 | |
| kind: KubeSchedulerConfiguration | |
| leaderElection: | |
| leaderElect: true | |
| leaseDuration: 15s | |
| lockObjectName: kube-scheduler | |
| lockObjectNamespace: kube-system | |
| renewDeadline: 10s | |
| resourceLock: endpoints | |
| retryPeriod: 2s | |
| metricsBindAddress: 0.0.0.0:10251 | |
| percentageOfNodesToScore: 50 | |
| schedulerName: default-scheduler | |
| - filesystem: "root" | |
| path: "/opt/kube/proxy-config.yaml" | |
| mode: 0644 | |
| contents: | |
| inline: | | |
| apiVersion: kubeproxy.config.k8s.io/v1alpha1 | |
| bindAddress: 0.0.0.0 | |
| clientConnection: | |
| acceptContentTypes: "" | |
| burst: 10 | |
| contentType: application/vnd.kubernetes.protobuf | |
| kubeconfig: "/opt/kube/proxy-kubeconfig.yaml" | |
| qps: 5 | |
| clusterCIDR: "" | |
| configSyncPeriod: 15m0s | |
| conntrack: | |
| max: 0 | |
| maxPerCore: 32768 | |
| min: 131072 | |
| tcpCloseWaitTimeout: 1h0m0s | |
| tcpEstablishedTimeout: 24h0m0s | |
| enableProfiling: false | |
| healthzBindAddress: 0.0.0.0:10256 | |
| hostnameOverride: "" | |
| iptables: | |
| masqueradeAll: false | |
| masqueradeBit: 14 | |
| minSyncPeriod: 0s | |
| syncPeriod: 30s | |
| ipvs: | |
| excludeCIDRs: null | |
| minSyncPeriod: 0s | |
| scheduler: "" | |
| syncPeriod: 30s | |
| kind: KubeProxyConfiguration | |
| metricsBindAddress: 127.0.0.1:10249 | |
| mode: "" | |
| nodePortAddresses: null | |
| oomScoreAdj: -999 | |
| portRange: "" | |
| resourceContainer: /kube-proxy | |
| udpIdleTimeout: 250ms | |
| - filesystem: "root" | |
| path: "/opt/bin/issue-cert" | |
| mode: 0755 | |
| contents: | |
| inline: | | |
| #!/bin/bash | |
| TYPE="$1" | |
| CN="$2" | |
| SAN="$3" | |
| if [ "$TYPE" = "server" ]; then | |
| CERT_TYPE="server" | |
| CERT_USAGE="" | |
| CERT_AUTH=":always" | |
| CERT_SAN="subjectAltName = $SAN" | |
| else | |
| CERT_TYPE="client" | |
| CERT_USAGE=", nonRepudiation" | |
| CERT_AUTH="" | |
| CERT_SAN="" | |
| fi | |
| openssl req \ | |
| -new \ | |
| -sha256 \ | |
| -subj "/CN=coreos-${CN}" \ | |
| -nodes \ | |
| -newkey rsa:4096 \ | |
| -keyout "/opt/cert/${CN}-key.pem" \ | |
| -out "/tmp/${CN}-cert.csr" | |
| openssl x509 \ | |
| -req \ | |
| -sha256 \ | |
| -days 3000 \ | |
| -extfile <( \ | |
| cat <<EOF | |
| [key] | |
| basicConstraints = CA:FALSE | |
| nsCertType = ${CERT_TYPE} | |
| authorityKeyIdentifier = keyid,issuer${CERT_AUTH} | |
| keyUsage = critical, digitalSignature, keyEncipherment${CERT_USAGE} | |
| extendedKeyUsage = ${CERT_TYPE}Auth | |
| ${CERT_SAN} | |
| [req] | |
| distinguished_name = req_distinguished_name | |
| [req_distinguished_name] | |
| EOF | |
| ) \ | |
| -extensions "key" \ | |
| -in "/tmp/${CN}-cert.csr" \ | |
| -CA "/opt/cert/ca-cert.pem" \ | |
| -CAkey "/opt/cert/ca-key.pem" \ | |
| -CAserial "/opt/cert/ca.srl" \ | |
| -CAcreateserial \ | |
| -out "/tmp/${CN}-cert.pem" | |
| cat "/tmp/${CN}-cert.pem" "/opt/cert/ca-cert.pem" > "/opt/cert/${CN}-cert.pem" | |
| - filesystem: "root" | |
| path: "/opt/bin/export-conf" | |
| mode: 0755 | |
| contents: | |
| inline: | | |
| #!/bin/bash | |
| NAME="$1" | |
| . /etc/network-environment | |
| cat <<EOF | |
| apiVersion: v1 | |
| kind: Config | |
| clusters: | |
| - name: ${NAME} | |
| cluster: | |
| certificate-authority-data: $(base64 -w0 /opt/cert/ca-cert.pem) | |
| server: https://${DEFAULT_IPV4}:6443 | |
| users: | |
| - name: ${NAME} | |
| user: | |
| client-certificate-data: $(base64 -w0 /opt/cert/${NAME}-cert.pem) | |
| client-key-data: $(base64 -w0 /opt/cert/${NAME}-key.pem) | |
| contexts: | |
| - name: ${NAME} | |
| context: | |
| cluster: ${NAME} | |
| user: ${NAME} | |
| current-context: ${NAME} | |
| EOF | |
| systemd: | |
| units: | |
| - name: "etcd-member.service" | |
| enabled: true | |
| dropins: | |
| - name: "etcd-options.conf" | |
| contents: | | |
| [Service] | |
| Environment="ETCD_OPTS=\ | |
| --name master \ | |
| --listen-client-urls http://127.0.0.1:2379 \ | |
| --advertise-client-urls http://127.0.0.1:2379 \ | |
| --initial-cluster-token coreos-master \ | |
| --listen-peer-urls http://127.0.0.1:2380 \ | |
| --initial-advertise-peer-urls http://127.0.0.1:2380 \ | |
| --initial-cluster master=http://127.0.0.1:2380 \ | |
| --initial-cluster-state new \ | |
| " | |
| - name: "setup-network-environment-fetch.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=network-online.target | |
| After=network-online.target | |
| ConditionPathExists=!/opt/bin/setup-network-environment | |
| [Service] | |
| ExecStart=/usr/bin/curl -L -o /opt/bin/setup-network-environment https://github.com/kelseyhightower/setup-network-environment/releases/download/1.0.1/setup-network-environment | |
| ExecStart=/usr/bin/chmod +x /opt/bin/setup-network-environment | |
| RemainAfterExit=yes | |
| Type=oneshot | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kube-apiserver-fetch.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=network-online.target | |
| After=network-online.target | |
| ConditionPathExists=!/opt/bin/kube-apiserver | |
| [Service] | |
| ExecStart=/usr/bin/curl -L -o /opt/bin/kube-apiserver https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kube-apiserver | |
| ExecStart=/usr/bin/chmod +x /opt/bin/kube-apiserver | |
| RemainAfterExit=yes | |
| Type=oneshot | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kube-controller-manager-fetch.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=network-online.target | |
| After=network-online.target | |
| ConditionPathExists=!/opt/bin/kube-controller-manager | |
| [Service] | |
| ExecStart=/usr/bin/curl -L -o /opt/bin/kube-controller-manager https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kube-controller-manager | |
| ExecStart=/usr/bin/chmod +x /opt/bin/kube-controller-manager | |
| RemainAfterExit=yes | |
| Type=oneshot | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kube-scheduler-fetch.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=network-online.target | |
| After=network-online.target | |
| ConditionPathExists=!/opt/bin/kube-scheduler | |
| [Service] | |
| ExecStart=/usr/bin/curl -L -o /opt/bin/kube-scheduler https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kube-scheduler | |
| ExecStart=/usr/bin/chmod +x /opt/bin/kube-scheduler | |
| RemainAfterExit=yes | |
| Type=oneshot | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kube-proxy-fetch.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=network-online.target | |
| After=network-online.target | |
| ConditionPathExists=!/opt/bin/kube-proxy | |
| [Service] | |
| ExecStart=/usr/bin/curl -L -o /opt/bin/kube-proxy https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kube-proxy | |
| ExecStart=/usr/bin/chmod +x /opt/bin/kube-proxy | |
| RemainAfterExit=yes | |
| Type=oneshot | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kubelet-fetch.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=network-online.target | |
| After=network-online.target | |
| ConditionPathExists=!/opt/bin/kubelet | |
| [Service] | |
| ExecStart=/usr/bin/curl -L -o /opt/bin/kubelet https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kubelet | |
| ExecStart=/usr/bin/chmod +x /opt/bin/kubelet | |
| RemainAfterExit=yes | |
| Type=oneshot | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "setup-network-environment.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=setup-network-environment-fetch.service | |
| After=setup-network-environment-fetch.service | |
| [Service] | |
| ExecStart=/opt/bin/setup-network-environment | |
| RemainAfterExit=yes | |
| Type=oneshot | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "flanneld.service" | |
| enabled: true | |
| dropins: | |
| - name: "etcd-setup.conf" | |
| contents: | | |
| [Unit] | |
| Requires=etcd-member.service | |
| After=etcd-member.service | |
| [Service] | |
| ExecStartPre=/usr/bin/etcdctl set /coreos.com/network/config '{"Network":"10.244.0.0/16", "Backend": {"Type": "vxlan"}}' | |
| - name: "docker.service" | |
| enabled: true | |
| - name: "generate-ca.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=setup-network-environment.service | |
| After=setup-network-environment.service | |
| ConditionPathExists=!/opt/cert/ca-cert.pem | |
| ConditionPathExists=!/opt/cert/ca-key.pem | |
| [Service] | |
| EnvironmentFile=/etc/network-environment | |
| ExecStart=/bin/mkdir -p /opt/cert | |
| ExecStart=/bin/openssl req \ | |
| -x509 \ | |
| -subj "/CN=ca-coreos/DN=ca-coreos" \ | |
| -config "/opt/cert/ca.conf" \ | |
| -extensions "ca" \ | |
| -days "3600" \ | |
| -nodes \ | |
| -newkey "rsa:4096" \ | |
| -keyout "/opt/cert/ca-key.pem" \ | |
| -out "/opt/cert/ca-cert.pem" | |
| ExecStart=/bin/cp "/opt/cert/ca-cert.pem" "/etc/ssl/certs/" | |
| ExecStart=/usr/sbin/update-ca-certificates | |
| ExecStart=/opt/bin/issue-cert "server" "server-api" "IP:127.0.0.1,IP:10.100.0.1,IP:${DEFAULT_IPV4}" | |
| ExecStart=/opt/bin/issue-cert "server" "server-manager" "IP:127.0.0.1,IP:10.100.0.1,IP:${DEFAULT_IPV4}" | |
| ExecStart=/opt/bin/issue-cert "server" "server-kubelet" "IP:127.0.0.1,IP:10.100.0.1,IP:${DEFAULT_IPV4}" | |
| ExecStart=/opt/bin/issue-cert "client" "client-manager" | |
| ExecStart=/opt/bin/issue-cert "client" "client-scheduler" | |
| ExecStart=/opt/bin/issue-cert "client" "client-proxy" | |
| ExecStart=/opt/bin/issue-cert "client" "client-kubelet" | |
| ExecStart=/opt/bin/issue-cert "client" "client-user" | |
| RemainAfterExit=yes | |
| Type=oneshot | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "generate-serviceaccount-key.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| ConditionPathExists=!/opt/cert/kube-serviceaccount.key | |
| [Service] | |
| ExecStart=/bin/mkdir -p /opt/cert | |
| ExecStart=/bin/openssl genrsa -out /opt/cert/kube-serviceaccount.key 2048 2>/dev/null | |
| RemainAfterExit=yes | |
| Type=oneshot | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kube-apiserver.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=kube-apiserver-fetch.service etcd-member.service generate-serviceaccount-key.service generate-ca.service | |
| After=kube-apiserver-fetch.service etcd-member.service generate-serviceaccount-key.service generate-ca.service | |
| [Service] | |
| ExecStartPre=/opt/bin/wupiao 127.0.0.1:2379/v2/machines | |
| ExecStart=/opt/bin/kube-apiserver \ | |
| --service-account-key-file "/opt/cert/kube-serviceaccount.key" \ | |
| --service-account-lookup "false" \ | |
| --runtime-config "api/all=true" \ | |
| --allow-privileged "true" \ | |
| --kubelet-https "true" \ | |
| --bind-address "0.0.0.0" \ | |
| --secure-port "6443" \ | |
| --service-cluster-ip-range "10.100.0.0/16" \ | |
| --etcd-servers "http://127.0.0.1:2379" \ | |
| --tls-cert-file "/opt/cert/server-api-cert.pem" \ | |
| --tls-private-key-file "/opt/cert/server-api-key.pem" \ | |
| --client-ca-file "/opt/cert/ca-cert.pem" | |
| Restart=always | |
| RestartSec=10 | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kube-controller-manager.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=kube-controller-manager-fetch.service kube-apiserver.service | |
| After=kube-controller-manager-fetch.service kube-apiserver.service | |
| [Service] | |
| ExecStart=/opt/bin/kube-controller-manager \ | |
| --service-account-private-key-file "/opt/cert/kube-serviceaccount.key" \ | |
| --cluster-signing-cert-file "/opt/cert/ca-cert.pem" \ | |
| --cluster-signing-key-file "/opt/cert/ca-key.pem" \ | |
| --client-ca-file "/opt/cert/ca-cert.pem" \ | |
| --root-ca-file "/opt/cert/ca-cert.pem" \ | |
| --tls-cert-file "/opt/cert/server-manager-cert.pem" \ | |
| --tls-private-key-file "/opt/cert/server-manager-key.pem" \ | |
| --client-ca-file "/opt/cert/ca-cert.pem" \ | |
| --kubeconfig "/opt/kube/manager-kubeconfig.yaml" \ | |
| --authentication-kubeconfig "/opt/kube/manager-kubeconfig.yaml" \ | |
| --authorization-kubeconfig "/opt/kube/manager-kubeconfig.yaml" | |
| Restart=always | |
| RestartSec=10 | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kube-scheduler.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=kube-scheduler-fetch.service kube-apiserver.service | |
| After=kube-scheduler-fetch.service kube-apiserver.service | |
| [Service] | |
| ExecStart=/opt/bin/kube-scheduler --config "/opt/kube/scheduler-config.yaml" | |
| Restart=always | |
| RestartSec=10 | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kube-proxy.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=kube-proxy-fetch.service kube-apiserver.service | |
| After=kube-proxy-fetch.service kube-apiserver.service | |
| [Service] | |
| ExecStart=/opt/bin/kube-proxy --config "/opt/kube/proxy-config.yaml" | |
| Restart=always | |
| RestartSec=10 | |
| [Install] | |
| WantedBy=multi-user.target | |
| - name: "kubelet.service" | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Requires=setup-network-environment.service kubelet-fetch.service kube-apiserver.service | |
| After=setup-network-environment.service kubelet-fetch.service kube-apiserver.service | |
| [Service] | |
| EnvironmentFile=/etc/network-environment | |
| ExecStart=/opt/bin/kubelet \ | |
| --kubeconfig "/opt/kube/kubelet-kubeconfig.yaml" \ | |
| --allow-privileged \ | |
| --register-node \ | |
| --tls-cert-file "/opt/cert/server-kubelet-cert.pem" \ | |
| --tls-private-key-file "/opt/cert/server-kubelet-key.pem" \ | |
| --cluster-dns "10.100.0.10" \ | |
| --hostname-override "${DEFAULT_IPV4}" | |
| Restart=always | |
| RestartSec=10 | |
| [Install] | |
| WantedBy=multi-user.target | |
| update: | |
| group: "stable" | |
| locksmith: | |
| reboot_strategy: "off" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment