secured kubernetes cloud-config
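#cloud-config
# CoreOS worker-node cloud-config for a Kubernetes 1.3.6 cluster (dev, us-east-1b).
#
# Review notes:
#   - Everything in this file is EC2 user-data. It is readable by any process on
#     the instance through the metadata service and by anyone holding
#     ec2:DescribeInstanceAttribute, so the Vault tokens and the b64 kubeconfig
#     below are not secret at runtime (see the per-unit comments).
#   - The original paste had lost all leading whitespace; indentation is restored.
#   - Bare `on`/`off` values are quoted: they are YAML 1.1 booleans, and the
#     consuming fields are strings.

# coreos-cloudinit names this section `write_files`; a hyphenated `write-files`
# key is reported as unrecognized and nothing in it is written.
write_files:
  - path: /opt/bin/wupiao
    permissions: '0755'
    content: |
      #!/bin/bash
      # [w]ait [u]ntil [p]ort [i]s [a]ctually [o]pen
      # usage: wupiao <host> <port>
      # Polls with an HTTP HEAD until host:port answers 2xx/3xx. Plain-HTTP
      # liveness probe only; it verifies nothing about the peer. Exits 1 when
      # either argument is missing. Not referenced by any unit in this file
      # (the "wait for kubernetes master" comments below suggest it once was).
      [ -n "$1" ] && [ -n "$2" ] && while ! curl --output /dev/null \
        --silent --head --fail \
        "http://${1}:${2}"; do sleep 1 && echo -n .; done;
      exit $?
  - path: /etc/motd.d/system-id.conf
    content: |
      kube-nodes-stable-dev-us-east-1b
       _  __     _                  _   _           _
      | |/ /    | |                | \ | |         | |
      | ' /_   _| |__   ___        |  \| | ___   __| | ___
      | <| | | | '_ \ / _ \       | . ` |/ _ \ / _` |/ _ \
      | . \ |_| | |_) |  __/      | |\  | (_) | (_| |  __/
      |_|\_\__,_|_.__/ \___|      |_| \_|\___/ \__,_|\___|
  # Node credentials for the API server (used by kubelet and kube-proxy, both
  # running as root). 0600 keeps other local users / host-mounted containers
  # from reading it off disk; the user-data copy stays readable regardless.
  - path: /etc/kubernetes/kubeconfig
    encoding: b64
    permissions: '0600'
    content: redacted

coreos:
  flannel:
    etcd-prefix: /coreos.com/us-east-1b/network

  # etcd2 runs here as a proxy only. Anything on this host that can reach
  # localhost:2379/4001 (including containers on the host network) talks to the
  # etcd cluster over plain HTTP, authenticated as this node's client cert.
  etcd2:
    proxy: "on"
    listen-client-urls: http://localhost:2379,http://localhost:4001
    initial-cluster: etcdserver=https://etcd-1a.domain.tld:2380
    cert-file: /var/lib/etcd2/certs/cert.pem
    key-file: /var/lib/etcd2/certs/cert-key.pem
    ca-file: /var/lib/etcd2/certs/ca.pem
    client-cert-auth: true
    peer-cert-file: /var/lib/etcd2/certs/cert.pem
    peer-key-file: /var/lib/etcd2/certs/cert-key.pem
    peer-ca-file: /var/lib/etcd2/certs/ca.pem

  fleet:
    metadata: "role=node"

  units:
    - name: etcd2.service
      command: start
      drop-ins:
        - name: 50-configure-ssl-certs.conf
          content: |
            [Service]
            # Issue a fresh etcd client certificate from Vault on every start.
            # NOTE(review): the X-Vault-Token is a static secret shipped in
            # user-data. Prefer Vault's AWS auth method (instance identity ->
            # short-lived token) so no long-lived token lives on the node.
            # NOTE(review): the CN requested is kube-master.domain.tld although
            # this is a node-side proxy -- confirm that is the intended identity.
            #
            # Hardening vs. the original: the temp file and the key file are
            # pre-created 0600 so the private key is never world-readable, even
            # briefly; --fail turns a non-2xx answer (e.g. expired token) into a
            # unit failure instead of letting `jq -r` write "null" into the
            # key/cert files; -L is dropped so the token header cannot be
            # replayed to a redirect target. A failed step leaves the temp file
            # behind until the next successful run removes it.
            ExecStartPre=/usr/bin/install -m 0600 /dev/null /tmp/etcd-certs.json
            ExecStartPre=/usr/bin/curl --fail --silent --show-error -o /tmp/etcd-certs.json https://vault.domain.tld/v1/etcd/dev-1a/pki/issue/client -H 'X-Vault-Token: some-vault-token' -d'{"common_name": "kube-master.domain.tld"}'
            ExecStartPre=/usr/bin/mkdir -p /var/lib/etcd2/certs
            ExecStartPre=/usr/bin/install -m 0600 /dev/null /var/lib/etcd2/certs/cert-key.pem
            ExecStartPre=/bin/sh -c '/usr/bin/jq -r .data.private_key /tmp/etcd-certs.json > /var/lib/etcd2/certs/cert-key.pem'
            ExecStartPre=/bin/sh -c '/usr/bin/jq -r .data.certificate /tmp/etcd-certs.json > /var/lib/etcd2/certs/cert.pem'
            ExecStartPre=/bin/sh -c '/usr/bin/jq -r .data.issuing_ca /tmp/etcd-certs.json > /var/lib/etcd2/certs/ca.pem'
            ExecStartPre=/usr/bin/rm /tmp/etcd-certs.json
            ExecStartPre=/usr/bin/chmod 0600 /var/lib/etcd2/certs/cert-key.pem

    - name: fleet.service
      command: start

    - name: flanneld.service
      command: start
      drop-ins:
        - name: 10-require-early-docker.conf
          content: |
            [Unit]
            After=early-docker.service
            Requires=early-docker.service

    - name: docker.service
      command: start
      drop-ins:
        - name: 10-wait-var-lib-docker.conf
          content: |
            [Unit]
            After=var-lib-docker.mount
            Requires=var-lib-docker.mount

    # wipefs/mkfs run unconditionally on every start of this unit, so a reboot
    # destroys /var/lib/docker. Acceptable only because the volume is treated
    # as ephemeral (see the mount unit below); do not point it at a data disk.
    - name: format-ebs.service
      command: start
      content: |
        [Unit]
        Description=Formats the EBS drive
        After=dev-xvdf.device
        Requires=dev-xvdf.device
        Wants=docker.service
        Wants=early-docker.service
        Before=docker.service
        Before=early-docker.service
        Before=var-lib-docker.mount
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/usr/sbin/wipefs -f /dev/xvdf
        ExecStart=/usr/sbin/mkfs.btrfs -f /dev/xvdf

    - name: var-lib-docker.mount
      command: start
      content: |
        [Unit]
        Description=Mount ephemeral to /var/lib/docker
        Requires=format-ebs.service
        Wants=format-ebs.service
        After=format-ebs.service
        Before=docker.service
        Before=early-docker.service
        [Mount]
        What=/dev/xvdf
        Where=/var/lib/docker
        Type=btrfs

    - name: setup-network-environment.service
      command: start
      content: |
        [Unit]
        Description=Setup Network Environment
        Documentation=https://github.com/kelseyhightower/setup-network-environment
        Requires=network-online.target
        After=network-online.target
        [Service]
        ExecStartPre=-/usr/bin/mkdir -p /opt/bin
        # Third-party binary fetched over TLS with no checksum/signature check,
        # then chmod +x and run as root. Pin a sha256 per release and verify it
        # before the chmod. --fail keeps an HTTP error page from being saved as
        # the binary.
        ExecStartPre=/usr/bin/curl --fail -L -o /opt/bin/setup-network-environment -z /opt/bin/setup-network-environment https://github.com/kelseyhightower/setup-network-environment/releases/download/v1.0.0/setup-network-environment
        ExecStartPre=/usr/bin/chmod +x /opt/bin/setup-network-environment
        ExecStart=/opt/bin/setup-network-environment
        RemainAfterExit=yes
        Type=oneshot

    - name: kubectl-fetch.service
      command: start
      content: |
        [Unit]
        Description=Install kubectl binary
        Documentation=https://github.com/GoogleCloudPlatform/kubernetes
        Requires=kube-kubelet.service
        After=kube-kubelet.service
        [Service]
        ExecStartPre=-/usr/bin/mkdir -p /opt/bin
        # Release binary with no integrity check (pin a sha256); --fail keeps an
        # HTTP error body from being installed and marked executable.
        ExecStart=/usr/bin/curl --fail -L -o /opt/bin/kubectl -z /opt/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.3.6/bin/linux/amd64/kubectl
        ExecStartPost=/usr/bin/chmod +x /opt/bin/kubectl
        RemainAfterExit=yes
        Type=oneshot

    - name: kube-proxy.service
      command: start
      content: |
        [Unit]
        Description=Kubernetes Proxy
        Documentation=https://github.com/GoogleCloudPlatform/kubernetes
        Requires=setup-network-environment.service
        After=setup-network-environment.service
        [Service]
        # Release binary with no integrity check (pin a sha256); --fail keeps an
        # HTTP error body from being installed and executed as root.
        ExecStartPre=/usr/bin/curl --fail -L -o /opt/bin/kube-proxy -z /opt/bin/kube-proxy https://storage.googleapis.com/kubernetes-release/release/v1.3.6/bin/linux/amd64/kube-proxy
        ExecStartPre=/usr/bin/chmod +x /opt/bin/kube-proxy
        # wait for kubernetes master to be up and ready
        ExecStart=/opt/bin/kube-proxy \
          --kubeconfig=/etc/kubernetes/kubeconfig \
          --master=https://dev-us-east-1b.k8s.domain.tld:443 \
          --logtostderr=true
        Restart=always
        RestartSec=10

    - name: kube-kubelet.service
      command: start
      content: |
        [Unit]
        Description=Kubernetes Kubelet
        Documentation=https://github.com/GoogleCloudPlatform/kubernetes
        Requires=setup-network-environment.service
        After=setup-network-environment.service
        [Service]
        EnvironmentFile=/etc/network-environment
        # Issue the kubelet serving certificate from Vault on every start.
        # NOTE(review): static X-Vault-Token in user-data -- same concern as the
        # etcd2 drop-in; prefer Vault's AWS auth method for a per-boot token.
        # Temp file and key file are pre-created 0600 so the private key is
        # never world-readable; --fail stops the unit on a non-2xx answer instead
        # of writing "null" into the key/cert files; -L dropped so the token
        # header is not replayed to a redirect target.
        ExecStartPre=/usr/bin/install -m 0600 /dev/null /tmp/kubelet-certs.json
        ExecStartPre=/usr/bin/curl --fail --silent --show-error -o /tmp/kubelet-certs.json https://vault.domain.tld/v1/k8s/dev-1a/pki/issue/kubelet -H 'X-Vault-Token: some-vault-token' -d'{"common_name": "kubelet"}'
        ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/ssl
        ExecStartPre=/usr/bin/install -m 0600 /dev/null /etc/kubernetes/ssl/worker-key.pem
        ExecStartPre=/bin/sh -c '/usr/bin/jq -r .data.private_key /tmp/kubelet-certs.json > /etc/kubernetes/ssl/worker-key.pem'
        # worker.pem = leaf cert followed by the issuing CA (served as a chain).
        ExecStartPre=/bin/sh -c '/usr/bin/jq -r .data.certificate /tmp/kubelet-certs.json > /etc/kubernetes/ssl/worker.pem'
        ExecStartPre=/bin/sh -c '/usr/bin/jq -r .data.issuing_ca /tmp/kubelet-certs.json >> /etc/kubernetes/ssl/worker.pem'
        ExecStartPre=/bin/sh -c '/usr/bin/jq -r .data.issuing_ca /tmp/kubelet-certs.json > /etc/kubernetes/ssl/ca.pem'
        ExecStartPre=/usr/bin/rm /tmp/kubelet-certs.json
        ExecStartPre=/usr/bin/chmod 0600 /etc/kubernetes/ssl/worker-key.pem
        # Release binary with no integrity check (pin a sha256); --fail keeps an
        # HTTP error body from being installed and executed as root.
        ExecStartPre=/usr/bin/curl --fail -L -o /opt/bin/kubelet -z /opt/bin/kubelet https://storage.googleapis.com/kubernetes-release/release/v1.3.6/bin/linux/amd64/kubelet
        ExecStartPre=/usr/bin/chmod +x /opt/bin/kubelet
        # wait for kubernetes master to be up and ready
        #
        # Exposure: the kubelet API is bound to 0.0.0.0:10250 with a serving cert
        # but no client authentication (kubelet 1.3.x has no --anonymous-auth /
        # --authorization-mode; those arrive in later releases), and
        # --allow-privileged=true is on. healthz (10248) and cAdvisor (4194) are
        # also bound to all interfaces, and the read-only port (default 10255)
        # is left enabled. Anyone who can reach these ports controls the node:
        # restrict them to the masters in the instance security group.
        ExecStart=/opt/bin/kubelet \
          --address=0.0.0.0 \
          --port=10250 \
          --hostname-override=${DEFAULT_IPV4} \
          --api-servers=https://dev-us-east-1b.k8s.domain.tld \
          --allow-privileged=true \
          --logtostderr=true \
          --cadvisor-port=4194 \
          --healthz-bind-address=0.0.0.0 \
          --healthz-port=10248 \
          --kubeconfig=/etc/kubernetes/kubeconfig \
          --cluster-dns=10.99.254.254 \
          --cluster-domain=us-east-1b \
          --low-diskspace-threshold-mb=512 \
          --maximum-dead-containers=20 \
          --tls-cert-file=/etc/kubernetes/ssl/worker.pem \
          --tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem \
          --cloud-provider=aws
        Restart=always
        RestartSec=10

    # Signals CloudFormation once kubelet and kube-proxy have started.
    # The image is pulled by mutable tag; pin it by digest (image@sha256:...)
    # so a retagged image cannot run on the node -- presumably with access to
    # the instance-profile credentials via the metadata service.
    - name: cfn-notify.service
      command: start
      content: |
        [Unit]
        Description=AWS Cloud Formation Signaling
        After=kube-kubelet.service
        After=kube-proxy.service
        Wants=kube-kubelet.service
        Wants=kube-proxy.service
        [Service]
        Type=oneshot
        TimeoutStartSec=0
        EnvironmentFile=/etc/environment
        ExecStartPre=/usr/bin/docker pull jcderr/cfn-tools:1.4
        ExecStart=/usr/bin/docker run jcderr/cfn-tools:1.4 cfn-signal --success=true --stack=kube-nodes-stable-dev-us-east-1b --resource=KubernetesNodeAutoScale

  update:
    group: stable
    reboot-strategy: "off"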