Last active
December 27, 2019 20:29
-
-
Save johnybradshaw/1fe50f87262dec26fd233ed2f261ff5f to your computer and use it in GitHub Desktop.
OpenShift Cluster Platform 4 - 3 master nodes, 3 worker nodes, network building script to be run on the Networking host
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [[ $EUID -ne 0 ]]; then | |
| echo "This script must be run as root" | |
| exit 1 | |
| fi | |
| ############################# | |
| # | |
| # OCP4 on Skytap Builder | |
| # | |
| ############################# | |
| # Version 1.1 | |
| # [email protected] | |
| ############################# | |
| # Boot ISO: https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.1/latest/ | |
| ############################# | |
| # Variables | |
| ############################# | |
| # paths | |
| haproxy_path="/etc/haproxy" | |
| bind_path="/etc/bind" | |
| dhcp_path="/etc/dhcp" | |
| apache_path="/etc/apache2" | |
| ############################# | |
| # env | |
| server_user="networking" | |
| ############################# | |
| # networking values | |
| ip_networking="192.168.1.5" | |
| ip_broadcast="192.168.1.255" | |
| ip_gateway="192.168.1.254" | |
| ip_range_lower="192.168.1.2" | |
| ip_range_upper="192.168.1.250" | |
| ip_subnet="192.168.1.0" | |
| # servers | |
| ip_bootstrap="192.168.1.96" | |
| ip_master0="192.168.1.97" | |
| ip_master1="192.168.1.98" | |
| ip_master2="192.168.1.99" | |
| ip_worker0="192.168.1.11" | |
| ip_worker1="192.168.1.7" | |
| ip_worker2="192.168.1.15" | |
| if_nfs="192.168.1.1" | |
| domain="skytap.ninja" | |
| cluster="ocp4" | |
| ############################# | |
| # files | |
| oc_linux_version="4.1.6" #client | |
| oci_linux_version="4.1.9" #installer | |
| ocp_version="4.1" | |
| ocp_version_long="4.1.0" | |
| ############################# | |
| #DO NOT EDIT ANY FURTHER | |
| ############################# | |
| echo "This will configure your networking server to support an OCP4 installation" | |
| echo "Enter your Pull Secret, followed by [ENTER]:" | |
| read pullSecret | |
| echo "Download files? (yes or no)" | |
| read downloadFiles | |
| # Initialise | |
| apt-get update | |
| apt-get upgrade -y | |
| apt-get autoremove -y | |
| # get the client binaries | |
| if [[ downloadFiles=="yes" ]]; then | |
| wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${oc_linux_version}/openshift-client-linux-${oc_linux_version}.tar.gz | |
| tar xvf openshift-client-linux-${oc_linux_version}.tar.gz | |
| rm -f openshift-client-linux-${oc_linux_version}.tar.gz | |
| rm -f README.md | |
| mv kubectl /usr/local/bin/ | |
| mv oc /usr/local/bin/ | |
| fi | |
| # haproxy installation | |
| apt-get install haproxy -y | |
| config_haproxy=" | |
| #--------------------------------------------------------------------- | |
| # Global settings | |
| #--------------------------------------------------------------------- | |
| global | |
| log 127.0.0.1 local2 | |
| chroot /var/lib/haproxy | |
| pidfile /var/run/haproxy.pid | |
| maxconn 4000 | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # turn on stats unix socket | |
| stats socket /var/lib/haproxy/stats | |
| #--------------------------------------------------------------------- | |
| # common defaults that all the 'listen' and 'backend' sections will | |
| # use if not designated in their block | |
| #--------------------------------------------------------------------- | |
| defaults | |
| mode http | |
| log global | |
| option httplog | |
| option dontlognull | |
| option http-server-close | |
| option forwardfor except 127.0.0.0/8 | |
| option redispatch | |
| retries 3 | |
| timeout http-request 10s | |
| timeout queue 1m | |
| timeout connect 10s | |
| timeout client 1m | |
| timeout server 1m | |
| timeout http-keep-alive 10s | |
| timeout check 10s | |
| maxconn 3000 | |
| #--------------------------------------------------------------------- | |
| listen stats | |
| bind :9000 | |
| mode http | |
| stats enable | |
| stats uri / | |
| monitor-uri /healthz | |
| frontend openshift-api-server | |
| bind *:6443 | |
| default_backend openshift-api-server | |
| mode tcp | |
| option tcplog | |
| backend openshift-api-server | |
| balance source | |
| mode tcp | |
| server bootstrap ${ip_bootstrap}:6443 check | |
| server master0 ${ip_master0}:6443 check | |
| server master1 ${ip_master1}:6443 check | |
| server master2 ${ip_master2}:6443 check | |
| frontend machine-config-server | |
| bind *:22623 | |
| default_backend machine-config-server | |
| mode tcp | |
| option tcplog | |
| backend machine-config-server | |
| balance source | |
| mode tcp | |
| server bootstrap ${ip_bootstrap}:22623 check | |
| server master0 ${ip_master0}:22623 check | |
| server master1 ${ip_master1}:22623 check | |
| server master2 ${ip_master2}:22623 check | |
| frontend ingress-http | |
| bind *:80 | |
| default_backend ingress-http | |
| mode tcp | |
| option tcplog | |
| backend ingress-http | |
| balance source | |
| mode tcp | |
| server worker0 ${ip_worker0}:80 check | |
| server worker1 ${ip_worker1}:80 check | |
| server worker2 ${ip_worker2}:80 check | |
| frontend ingress-https | |
| bind *:443 | |
| default_backend ingress-https | |
| mode tcp | |
| option tcplog | |
| backend ingress-https | |
| balance source | |
| mode tcp | |
| server worker0 ${ip_worker0}:443 check | |
| server worker1 ${ip_worker1}:443 check | |
| server worker2 ${ip_worker2}:443 check | |
| #---------------------------------------------------------------------" | |
| echo "${config_haproxy}" > ${haproxy_path}/haproxy.cfg | |
| systemctl haproxy enable | |
| service haproxy restart | |
| ############################# | |
| # bind # | |
| ############################# | |
| apt-get install bind9 bind9utils bind9-doc dnsutils -y | |
| config_bind_local="zone \"${domain}\" { | |
| type master; | |
| file \"/var/lib/bind/${domain}\"; | |
| };" | |
| echo "${config_bind_local}" > "${bind_path}/named.conf.local" | |
| config_bind_zone="\$TTL 1W | |
| @ IN SOA ns1.${domain}. root ( | |
| 2019070702 | |
| 3H | |
| 30M | |
| 2W | |
| 1W ) | |
| IN NS ns1.${domain}. | |
| IN MX 10 smtp.${domain}. | |
| ; | |
| ; | |
| ns1 IN A ${ip_networking} | |
| smtp IN A ${ip_networking} | |
| ; | |
| helper IN A ${ip_networking} | |
| helper.${cluster} IN A ${ip_networking} | |
| ; | |
| ; The api points to the IP of your load balancer | |
| api.${cluster} IN A ${ip_networking} | |
| api-int.${cluster} IN A ${ip_networking} | |
| ; | |
| ; The wildcard also points to the load balancer | |
| *.apps.${cluster} IN A ${ip_networking} | |
| ; | |
| ; Create entry for the bootstrap host | |
| bootstrap.${cluster} IN A ${ip_bootstrap} | |
| ; | |
| ; Create entries for the master hosts | |
| master0.${cluster} IN A ${ip_master0} | |
| master1.${cluster} IN A ${ip_master1} | |
| master2.${cluster} IN A ${ip_master2} | |
| ; | |
| ; Create entries for the worker hosts | |
| worker0.${cluster} IN A ${ip_worker0} | |
| worker1.${cluster} IN A ${ip_worker1} | |
| worker2.${cluster} IN A ${ip_worker2} | |
| ; | |
| ; The ETCd cluster lives on the masters...so point these to the IP of the masters | |
| etcd-0.${cluster} IN A ${ip_master0} | |
| etcd-1.${cluster} IN A ${ip_master1} | |
| etcd-2.${cluster} IN A ${ip_master2} | |
| ; | |
| ; The SRV records are IMPORTANT....make sure you get these right...note the trailing dot at the end... | |
| _etcd-server-ssl._tcp.${cluster} IN SRV 0 10 2380 etcd-0.${cluster}.${domain}. | |
| _etcd-server-ssl._tcp.${cluster} IN SRV 0 10 2380 etcd-1.${cluster}.${domain}. | |
| _etcd-server-ssl._tcp.${cluster} IN SRV 0 10 2380 etcd-2.${cluster}.${domain}. | |
| ; | |
| ;EOF" | |
| echo "${config_bind_zone}" > "/var/lib/bind/${domain}" | |
| config_bind_options="acl \"trusted\" { | |
| 10.254.0.0/16; # | |
| 192.168.0.0/16; | |
| 172.30.0.0/16; | |
| 127.0.0.0/8; #allow networking server to resolve externals | |
| }; | |
| options { | |
| directory \"/var/cache/bind\"; | |
| recursion yes; # enables resursive queries | |
| allow-recursion { trusted; }; # allows recursive queries from "trusted" clients | |
| #listen-on { ${ip_networking}; }; # ns1 private IP address - listen on private network only | |
| allow-transfer { none; }; # disable zone transfers by default | |
| forwarders { | |
| 1.1.1.1; | |
| 1.0.0.1; | |
| }; | |
| dnssec-validation auto; | |
| auth-nxdomain no; # conform to RFC1035 | |
| listen-on-v6 { any; }; | |
| };" | |
| echo "${config_bind_options}" > "${bind_path}/named.conf.options" | |
| service bind9 restart | |
| ############################# | |
| # install webserver # | |
| ############################# | |
| apt install apache2 -y | |
| #service apache2 start | |
| cd ~ | |
| config_apache="DefaultRuntimeDir \${APACHE_RUN_DIR} | |
| PidFile \${APACHE_PID_FILE} | |
| Timeout 300 | |
| KeepAlive On | |
| MaxKeepAliveRequests 100 | |
| KeepAliveTimeout 5 | |
| User \${APACHE_RUN_USER} | |
| Group \${APACHE_RUN_GROUP} | |
| HostnameLookups Off | |
| ErrorLog \${APACHE_LOG_DIR}/error.log | |
| LogLevel warn | |
| IncludeOptional mods-enabled/*.load | |
| IncludeOptional mods-enabled/*.conf | |
| Include ports.conf | |
| <Directory /> | |
| Options FollowSymLinks | |
| AllowOverride None | |
| Require all denied | |
| </Directory> | |
| <Directory /usr/share> | |
| AllowOverride None | |
| Require all granted | |
| </Directory> | |
| <Directory /var/www/> | |
| Options Indexes FollowSymLinks | |
| AllowOverride None | |
| Require all granted | |
| Order allow,deny | |
| Allow from all | |
| </Directory> | |
| AccessFileName .htaccess | |
| <FilesMatch "^\\.ht"> | |
| Require all denied | |
| </FilesMatch> | |
| LogFormat \"%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"\" vhost_combined | |
| LogFormat \"%h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"\" combined | |
| LogFormat \"%h %l %u %t \\"%r\\" %>s %O\" common | |
| LogFormat \"%{Referer}i -> %U\" referer | |
| LogFormat \"%{User-agent}i\" agent | |
| IncludeOptional conf-enabled/*.conf | |
| IncludeOptional sites-enabled/*.conf" | |
| echo "$config_apache" > $apache_path/apache2.conf | |
| config_apache_site="<VirtualHost *:8000> | |
| ServerAdmin webmaster@localhost | |
| ErrorLog \${APACHE_LOG_DIR}/error.log | |
| CustomLog \${APACHE_LOG_DIR}/access.log combined | |
| DocumentRoot /var/www/html | |
| IndexOptions | |
| </VirtualHost>" | |
| echo "$config_apache_site" > $apache_path/sites-available/000-default.conf | |
| #Update port numbers | |
| config_apache_port="Listen 8000 | |
| <IfModule ssl_module> | |
| Listen 443 | |
| </IfModule> | |
| <IfModule mod_gnutls.c> | |
| Listen 443 | |
| </IfModule>" | |
| echo "$config_apache_port" > $apache_path/ports.conf | |
| if [[ downloadFiles=="yes" ]]; then | |
| cd /var/www/html | |
| wget https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/${ocp_version}/latest/rhcos-${ocp_version_long}-x86_64-metal-bios.raw.gz | |
| mv rhcos-${ocp_version_long}-x86_64-metal-bios.raw.gz rhcos.gz #rename to something simpler | |
| fi | |
| cd ~ | |
| systemctl enable apache2 | |
| systemctl start apache2 | |
| systemctl reload apache2 | |
| ############################# | |
| # prep ignition file # | |
| ############################# | |
| ssh-keygen -f ~/id_rsa -t rsa -b 4096 -N '' | |
| sshkey_pub=$(<id_rsa.pub) | |
| yaml="apiVersion: v1 | |
| baseDomain: $domain | |
| compute: | |
| - hyperthreading: Enabled | |
| name: worker | |
| replicas: 0 | |
| controlPlane: | |
| hyperthreading: Enabled | |
| name: master | |
| replicas: 3 | |
| metadata: | |
| name: $cluster | |
| networking: | |
| clusterNetworks: | |
| - cidr: 10.254.0.0/16 | |
| hostPrefix: 24 | |
| networkType: OpenShiftSDN | |
| serviceNetwork: | |
| - 172.30.0.0/16 | |
| platform: | |
| none: {} | |
| pullSecret: '${pullSecret}' | |
| sshKey: '${sshkey_pub}'" | |
| mkdir ~/ocp4 | |
| cd ~/ocp4 | |
| echo "$yaml" > install-config.yaml | |
| if [[ downloadFiles=="yes" ]]; then | |
| wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${oci_linux_version}/openshift-install-linux-${oci_linux_version}.tar.gz | |
| tar xvf openshift-install-linux-${oci_linux_version}.tar.gz | |
| fi | |
| ./openshift-install create ignition-configs | |
| mv *.ign /var/www/html/ | |
| rm /var/www/html/index.html | |
| ############################# | |
| # prep files for serving # | |
| ############################# | |
| chown -R ${server_user}:www-data /var/www/html | |
| chmod -R a+r /var/www/html | |
| service apache2 restart | |
| ############################# | |
| # tidy up # | |
| ############################# | |
| sed -i "/^[^#]*PasswordAuthentication[[:space:]]no/c\PasswordAuthentication yes" /etc/ssh/sshd_config | |
| sudo service sshd restart | |
| #Configure firewall | |
| ufw default deny incoming | |
| ufw allow 53 | |
| ufw allow ssh | |
| ufw allow 80 | |
| ufw allow 8000 #local webhost | |
| ufw allow 443 | |
| ufw allow 9000 #haproxy status | |
| ufw allow 22623 #machine config | |
| ufw allow 6443 #api | |
| echo "When finished, remove /usr/local/bin/oc and /usr/local/bin/kubectl" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment