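#cloud-config
# CoreOS cloud-config for a single Kubernetes master (etcd2, fleet, flannel,
# docker). Persistent state lives on /dev/vda, mounted at /data and bind-mounted
# over the usual /var/lib paths before the services that write there start.
hostname: k8smaster-01
coreos:
  update:
    # Quoted: a plain `off` is boolean false to YAML 1.1 loaders, but the
    # strategy must be the string "off". Together with update-engine.service
    # being stopped below, this host never takes automatic OS security updates.
    reboot-strategy: 'off'
  etcd2:
    name: k8smaster-01
    initial-cluster-token: k8s_etcd
    initial-cluster-state: new
    # Client API on every interface, plain HTTP, no authentication: whoever can
    # reach 2379/4001 can read and rewrite the cluster state (including the
    # flannel config set below). Bind to the private address and enable etcd
    # TLS unless the network is trusted.
    listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
  fleet:
    metadata: role=control
  units:
    # Generates /etc/etcd2.environment from COREOS_PRIVATE_IPV4 so etcd2
    # advertises its real address. The URLs are plain http, so peer and client
    # traffic is unencrypted. The [Install] section only takes effect with
    # `enable: true`; the etcd2.service drop-in below declares the dependency
    # directly, which is what actually orders the two units.
    - name: etcd2-environment.service
      command: start
      content: |
        [Unit]
        Description=passes to etcd the properly setup initialization env vars
        Requires=phone-home.service
        Requires=etcd2.service
        After=phone-home.service
        Before=etcd2.service
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        StandardOutput=journal+console
        EnvironmentFile=/etc/environment
        ExecStart=/bin/bash -c "echo \"ETCD_ADVERTISE_CLIENT_URLS=http://${COREOS_PRIVATE_IPV4}:2379,http://${COREOS_PRIVATE_IPV4}:4001\" > /etc/etcd2.environment"
        ExecStart=/bin/bash -c "echo \"ETCD_INITIAL_ADVERTISE_PEER_URLS=http://${COREOS_PRIVATE_IPV4}:2380\" >> /etc/etcd2.environment"
        ExecStart=/bin/bash -c "echo \"ETCD_INITIAL_CLUSTER=k8smaster-01=http://${COREOS_PRIVATE_IPV4}:2380\" >> /etc/etcd2.environment"
        ExecStart=/bin/bash -c "echo \"ETCD_LISTEN_PEER_URLS=http://${COREOS_PRIVATE_IPV4}:2380,http://${COREOS_PRIVATE_IPV4}:7001\" >> /etc/etcd2.environment"
        [Install]
        RequiredBy=etcd2.service
    # RequiresMountsFor pulls in var-lib-etcd2.mount and orders etcd2 after it.
    # Without it nothing stops etcd2 from starting on the root filesystem before
    # the bind mount is placed over /var/lib/etcd2 (data.mount's Before= only
    # orders units that happen to be in the same transaction).
    - name: etcd2.service
      command: start
      drop-ins:
        - name: 50-etc-env-vars.conf
          content: |
            [Service]
            EnvironmentFile=/etc/etcd2.environment
            [Unit]
            Requires=etcd2-environment.service
            After=etcd2-environment.service
            RequiresMountsFor=/var/lib/etcd2
    # Unauthenticated, unencrypted Docker API on every address (BindIPv6Only=both
    # binds [::]:2375 for v4 and v6): anyone who can connect is root on this
    # host. Restrict it (`ListenStream=<private-ip>:2375`) or put TLS client
    # authentication in front of it.
    - name: docker-tcp.socket
      command: start
      enable: true
      content: |
        [Unit]
        Description=Docker Socket for the API
        [Socket]
        ListenStream=2375
        BindIPv6Only=both
        Service=docker.service
        [Install]
        WantedBy=sockets.target
    # Destructive guard: if blkid prints no TYPE= for /dev/vda (no filesystem,
    # but also a transient blkid failure) the whole device is formatted.
    # Assumes /dev/vda is the dedicated data disk and not the root disk on this
    # VM type - confirm before reuse.
    - name: format-persistent-disk.service
      command: start
      content: |
        [Unit]
        Description=Formats the persistent drive (if not formated yet)
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/bin/sh -c '/usr/sbin/blkid -pi /dev/vda | grep TYPE= || /usr/sbin/mkfs.ext4 -i 8192 /dev/vda'
    - name: data.mount
      command: start
      content: |
        [Unit]
        Description=Mounts ephemeral to /data
        Requires=format-persistent-disk.service
        After=format-persistent-disk.service
        Before=etcd2.service fleet.service docker.service rkt-metadata.socket
        [Mount]
        What=/dev/vda
        Where=/data
        Type=ext4
    # Creates the directories the bind mounts below expect. mkdir -p is
    # idempotent, so no existence test is needed; chown/chmod run once each.
    - name: persistent-data-checks.service
      command: start
      content: |
        [Unit]
        Description=prepare for etcd,docker,rkt,opt
        Requires=data.mount
        After=data.mount
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/usr/bin/mkdir -p /data/var/lib/docker /data/var/lib/rkt /data/var/lib/etcd2 /data/opt/bin /data/kubernetes
        ExecStart=/usr/bin/chown root:rkt /data/var/lib/rkt
        ExecStart=/usr/bin/chmod g+s /data/var/lib/rkt
        ExecStart=/usr/bin/chown etcd:etcd /data/var/lib/etcd2
    # Unit names need their type suffix: `persistent-data-checks` without
    # `.service` is an invalid unit name, so systemd dropped the dependency and
    # the mount could run before the directory existed (same fix in
    # var-lib-docker.mount).
    # NOTE(review): Requires=docker.service on the etcd data mount looks copied
    # from var-lib-docker.mount - confirm it is intended.
    - name: var-lib-etcd2.mount
      command: start
      content: |
        [Unit]
        Description=Binds /data/var/lib/etcd2 to /var/lib/etcd2
        After=persistent-data-checks.service
        Requires=persistent-data-checks.service docker.service etcd2.service
        Before=etcd2.service
        [Mount]
        What=/data/var/lib/etcd2
        Where=/var/lib/etcd2
        Type=none
        Options=bind
    - name: var-lib-docker.mount
      command: start
      content: |
        [Unit]
        Description=Binds /data/var/lib/docker to /var/lib/docker
        After=persistent-data-checks.service
        Requires=persistent-data-checks.service docker.service
        Before=docker.service
        [Mount]
        What=/data/var/lib/docker
        Where=/var/lib/docker
        Type=none
        Options=bind
    - name: var-lib-rkt.mount
      command: start
      content: |
        [Unit]
        Description=Binds /data/var/lib/rkt to /var/lib/rkt
        Requires=persistent-data-checks.service rkt-metadata.socket
        After=persistent-data-checks.service
        Before=rkt-metadata.socket
        [Mount]
        What=/data/var/lib/rkt
        Where=/var/lib/rkt
        Type=none
        Options=bind
    - name: opt-bin.mount
      command: start
      content: |
        [Unit]
        Description=Binds /data/opt/bin to /opt/bin
        Requires=persistent-data-checks.service
        After=persistent-data-checks.service
        Before=docker.service rkt-metadata.socket
        [Mount]
        What=/data/opt/bin
        Where=/opt/bin
        Type=none
        Options=bind
    # Second etcd2.service entry; presumably a deliberate re-start once the
    # mounts are up (starting an already-active unit is a no-op) - confirm.
    - name: etcd2.service
      command: start
    - name: fleet.service
      command: start
    # Flannel reads its overlay config from etcd; the udp backend carries pod
    # traffic unencrypted between nodes.
    - name: flanneld.service
      command: start
      drop-ins:
        - name: 50-network-config.conf
          content: |
            [Unit]
            Requires=etcd2.service
            [Service]
            ExecStartPre=/usr/bin/etcdctl set /coreos.com/network/config '{"Network": "10.244.0.0/16", "SubnetLen": 24, "SubnetMin": "10.244.0.0", "Backend": {"Type": "udp"}}'
    # --insecure-registry="0.0.0.0/0" lets docker pull over plain HTTP or
    # untrusted TLS from any registry address, so image content can be altered
    # in transit. Scope it to the internal registry's CIDR or drop it.
    # RequiresMountsFor keeps docker from starting on the root filesystem before
    # var-lib-docker.mount and opt-bin.mount are in place.
    - name: docker.service
      command: start
      drop-ins:
        - name: 50-insecure-registry.conf
          content: |
            [Unit]
            Requires=flanneld.service
            RequiresMountsFor=/var/lib/docker /opt/bin
            [Service]
            Environment=DOCKER_OPTS='--insecure-registry="0.0.0.0/0"'
    # Stops the OS updater; see reboot-strategy above.
    - name: update-engine.service
      command: stop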
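write-files:
  # Private SSH key embedded in the provisioning payload: on most platforms the
  # cloud-config is readable from instance metadata and lands in logs/backups,
  # so treat this key as exposed to anyone with that access. Prefer injecting
  # it from a secret store at boot, and rotate it if this file has been shared.
  - path: /home/core/.ssh/id_rsa
    permissions: '0600'
    owner: core:core
    content: |
      -----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
  - path: /home/core/.ssh/id_rsa.pub
    permissions: '0600'
    owner: core:core
    content: |
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXxUqHedGkdM4L4ADKD5gHU/RJIhJH/ZOMcbz1ztmE9MYJevk/rQfm9T9g6tXyxBHnjaKcPDF8C+GfzrId7/Dx1f+DiSs0MH7Q0UvV9tD0GS0axqgCmDltYwaMGBVOnxYmUN9bvNiolC7/CNn3SjPoSkvj4OHMCf9bQlRdaIWAJSkoMcnNkhnN5vLAtwn/yOeAyHGlp705IMiRH2LlA2R6otmFHSQHrkGr/wpu0WJt27EBTIarFeei7dAHlUf1zhStry/OEyqwEKiEo+4fk4vPZXiNyKNklju/I1qFcbc8HwbDVzTtdlQCURQO4losDmQgFdI4wz1flOOrsK+1+vPb core@k8smaster-01
  - path: /opt/sbin/wupiao
    permissions: '0755'
    content: |
      #!/bin/bash
      # [w]ait [u]ntil [p]ort [i]s [a]ctually [o]pen
      # Usage: wupiao host[:port] - repeats an HTTP HEAD request once a second
      # until it succeeds. With no argument the test fails and the script exits 1
      # without polling.
      [ -n "$1" ] && \
      until curl -o /dev/null -sIf "http://${1}"; do \
        sleep 1 && echo .;
      done;
      exit $?
  - path: /opt/sbin/make-certs.sh
    permissions: '0755'
    content: |
      #!/bin/sh -
      # Copyright 2014 The Kubernetes Authors All rights reserved.
      #
      # Derived from the Kubernetes make-ca-cert.sh: builds a throw-away CA with
      # easy-rsa and writes the apiserver cert/key (server.*), the CA cert and a
      # kubecfg client cert/key into /data/kubernetes.
      #   $1  primary IP placed in the server cert SANs (required)
      #   $2  extra SAN list appended verbatim, e.g. IP:...,DNS:... (optional)
      set -o errexit
      set -o nounset
      set -o pipefail
      cert_ip=${1:?usage: make-certs.sh <cert_ip> [extra_sans]}
      extra_sans=${2:-}
      cert_dir=/data/kubernetes
      cert_group=kube-cert
      mkdir -p "$cert_dir"
      use_cn=false
      sans="IP:${cert_ip}"
      if [ -n "${extra_sans}" ]; then
        sans="${sans},${extra_sans}"
      fi
      tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
      trap 'rm -rf "${tmpdir}"' EXIT
      # Everything below (tarball, easy-rsa tree, CA private key) is created in
      # tmpdir and deleted on exit; without this cd it all landed in the caller's
      # working directory and outlived the trap. Copy pki/private/ca.key somewhere
      # safe before this script exits if more certificates must be signed later.
      cd "${tmpdir}"
      if [ ! -f /opt/tmp/easy-rsa.tar.gz ]
      then
        # Unpinned download of a tool that is then executed. -f turns an HTTP
        # error into a non-zero exit so errexit stops here instead of tar choking
        # on an error page; verify the archive against a known checksum before
        # relying on it.
        curl -fL -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz > /dev/null 2>&1
        tar xzf easy-rsa.tar.gz > /dev/null 2>&1
      else
        tar xzf /opt/tmp/easy-rsa.tar.gz > /dev/null 2>&1
      fi
      cd easy-rsa-master/easyrsa3
      ./easyrsa init-pki > /dev/null 2>&1
      ./easyrsa --batch "--req-cn=${cert_ip}@$(date +%s)" build-ca nopass > /dev/null 2>&1
      if [ "${use_cn}" = "true" ]; then
        ./easyrsa build-server-full "${cert_ip}" nopass > /dev/null 2>&1
        cp -p "pki/issued/${cert_ip}.crt" "${cert_dir}/server.cert" > /dev/null 2>&1
        cp -p "pki/private/${cert_ip}.key" "${cert_dir}/server.key" > /dev/null 2>&1
      else
        ./easyrsa --subject-alt-name="${sans}" build-server-full kubernetes-master nopass > /dev/null 2>&1
        cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
        cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
      fi
      ./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1
      cp -p pki/ca.crt "${cert_dir}/ca.crt"
      cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
      cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"
      # Make server certs accessible to apiserver (the group must already exist
      # on the host, otherwise chgrp aborts the script).
      chgrp "${cert_group}" "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.crt"
      chmod 660 "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.crt"
  - path: /opt/sbin/kube-certs.sh
    permissions: '0755'
    content: |
      #!/bin/bash
      # Issues the apiserver/kubecfg certs for this node's public IP plus
      # 10.100.0.1 (presumably the kubernetes service cluster IP - verify) and
      # the in-cluster DNS names. The private IP is not in the SAN list, so TLS
      # clients reaching the apiserver on it would fail verification.
      source /etc/environment
      /opt/sbin/make-certs.sh "${COREOS_PUBLIC_IPV4}" "IP:${COREOS_PUBLIC_IPV4},IP:10.100.0.1,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"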