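#!/bin/bash
# Author: pblaas ([email protected])
# Initial version 04-2017
# This script is used to generate Kubernetes cloud-init files for CoreoS.
#
# Run it from the repository root.  It expects ./config.env (a copy of
# config.env.sample), the templates under ./template/ and ../cloud.conf.
# Everything it produces (CA and leaf private keys, signed certificates,
# cloud-init yamls and index.txt) is written to ./set, which is wiped first.

# Refuse to start without the configuration file.  It is sourced as shell
# code below, so it must only ever come from a location the operator controls.
if [ ! -f config.env ]; then
  # Diagnostics go to stderr so they are not mistaken for generated output.
  printf '%s\n' 'config.env not found.' >&2
  printf '%s\n' 'cp config.env.sample to config.env to get started.' >&2
  exit 1
fi
# shellcheck disable=SC1091 — config.env supplies the *_IP, *_KEY*, WORKER_HOSTS,
# CLOUD_PROVIDER, NET_OVERLAY, ... variables used in the rest of the script.
. config.env

# The set/ directory is recreated from scratch, so make the operator confirm.
# The prompt is quoted: unquoted, "[No/YES]" would be subject to pathname
# expansion.
printf '%s\n' 'This will DESTROY all files in the set directory. Continue? [No/YES]'
# -r keeps backslashes literal; the answer is compared verbatim against "YES".
read -r ANSWER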
# Everything below runs only on an explicit "YES".  NOTE: $ANSWER is unquoted,
# so an empty answer makes [ report a syntax error (non-zero status) and the
# script still falls through to the "Aborting." branch.
# The script does not use "set -e": none of the openssl/sed/curl calls below
# are checked, so a failed step is only noticed when the generated files are
# inspected (or when a node fails to boot with them).
if [ $ANSWER == "YES" ]; then
if [ ! -d set ]; then
mkdir set
fi
# Wipe the previous run.  This also deletes the previous CA private keys, so
# certificates issued by an earlier run can no longer be re-signed from here.
rm -vf set/*
#create new discovery KEY
#Thank you for the service CoreOS team!
# Fetch a fresh 3-member etcd discovery token from the public discovery
# service; the token is the last path element of the returned URL.  There is
# no error check: if curl fails, DISCOVERY_ID is empty and the empty string is
# substituted into every yaml generated further down.
DISCOVERY_ID=`curl -sB https://discovery.etcd.io/new?size=3|cut -d/ -f4`
#DISCOVERY_ID="1234"
# Random salt for the core user's password hash.  NOTE(review): base64 output
# can contain '+' and '/'; '+' is outside the classic crypt salt alphabet —
# confirm the crypt() on the target accepts it.
CUSTOMSALT=$(openssl rand -base64 14)
# SHA-512 crypt ($6$) of the plaintext password taken from config.env.  The
# password is interpolated into the perl -e argument, so it is visible in the
# process list while perl runs, and a single quote in it terminates the Perl
# string literal (the remainder would be parsed as Perl code).
HASHED_USER_CORE_PASSWORD=$(perl -le "print crypt '$USER_CORE_PASSWORD', '\$6\$$CUSTOMSALT' ")
# All output goes to set/.  The cd is unchecked: if it fails, everything below
# is written into the current directory instead.
cd set
# Saving discovery ID for future worker use.
echo DISCOVERY_ID:$DISCOVERY_ID >> index.txt
#create root CA
# Two self-signed 2048-bit RSA CAs valid for 10000 days (~27 years): one for
# the Kubernetes API / node identities, one for etcd.  ca-key.pem and
# etcd-ca-key.pem are the cluster's root secrets.
openssl genrsa -out ca-key.pem 2048
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca"
#create etcd CA
openssl genrsa -out etcd-ca-key.pem 2048
openssl req -x509 -new -nodes -key etcd-ca-key.pem -days 10000 -out etcd-ca.pem -subj "/CN=etcd-ca"
# Fill in the API server openssl config (SANs) from the template.  The sed
# expressions are unquoted, so the substituted values must not contain
# whitespace or '/'.
sed -e s/K8S_SERVICE_IP/$K8S_SERVICE_IP/ -e s/MASTER_HOST_IP/$MASTER_HOST_IP/ -e s/FLOATING_IP/$FLOATING_IP/ ../template/openssl.cnf > openssl.cnf
#create API certs
openssl genrsa -out apiserver-key.pem 2048
# On OpenStack the node name is derived from the cluster name and the last
# octet of the host IP; elsewhere the IP itself is the node identity.
if [ "$CLOUD_PROVIDER" == "openstack" ]; then
CERTID=k8s-${CLUSTERNAME}-node${MASTER_HOST_IP##*.}
else
CERTID=${MASTER_HOST_IP}
fi
# CN=system:node:<id>, O=system:nodes — the API server cert doubles as a node
# identity (system:nodes is the group Kubernetes uses for kubelets).  Leaf
# certs are signed for 365 days with the v3_req extensions of openssl.cnf, so
# they expire long before the CAs do.
openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=system:node:${CERTID}/O=system:nodes" -config openssl.cnf
openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile openssl.cnf
#create ETCD-API-certs
# Client cert the API server presents to etcd, signed by the etcd CA.
openssl genrsa -out etcd-apiserver-key.pem 2048
openssl req -new -key etcd-apiserver-key.pem -out etcd-apiserver.csr -subj "/CN=etcd-kube-apiserver" -config openssl.cnf
openssl x509 -req -in etcd-apiserver.csr -CA etcd-ca.pem -CAkey etcd-ca-key.pem -CAcreateserial -out etcd-apiserver.pem -days 365 -extensions v3_req -extfile openssl.cnf
#create worker certs
# One node cert per worker (WORKER_HOSTS is expanded unquoted, so entries must
# be whitespace-free — the rest of the script treats them as IPs).  WORKER_IP
# is exported to openssl only; presumably ../template/worker-openssl.cnf
# references it for the SAN — that file is not shown here.
for i in ${WORKER_HOSTS[@]}; do
openssl genrsa -out ${i}-worker-key.pem 2048
if [ "$CLOUD_PROVIDER" == "openstack" ]; then
CERTID=k8s-${CLUSTERNAME}-node${i##*.}
else
CERTID=${i}
fi
WORKER_IP=${i} openssl req -new -key ${i}-worker-key.pem -out ${i}-worker.csr -subj "/CN=system:node:${CERTID}/O=system:nodes" -config ../template/worker-openssl.cnf
WORKER_IP=${i} openssl x509 -req -in ${i}-worker.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${i}-worker.pem -days 365 -extensions v3_req -extfile ../template/worker-openssl.cnf
done
#create ETCD-worker certs
# Per-worker etcd certs (CN = the worker address), signed by the etcd CA.
for i in ${WORKER_HOSTS[@]}; do
openssl genrsa -out ${i}-etcd-worker-key.pem 2048
WORKER_IP=${i} openssl req -new -key ${i}-etcd-worker-key.pem -out ${i}-etcd-worker.csr -subj "/CN=${i}" -config ../template/worker-openssl.cnf
WORKER_IP=${i} openssl x509 -req -in ${i}-etcd-worker.csr -CA etcd-ca.pem -CAkey etcd-ca-key.pem -CAcreateserial -out ${i}-etcd-worker.pem -days 365 -extensions v3_req -extfile ../template/worker-openssl.cnf
done
#create admin certs
# O=system:masters is the group Kubernetes binds to cluster-admin, so
# admin-key.pem grants full control of the cluster and must be protected like
# the CA key.  No extensions file is used for the admin/demouser certs.
openssl genrsa -out admin-key.pem 2048
openssl req -new -key admin-key.pem -out admin.csr -subj "/CN=kube-admin/O=system:masters"
openssl x509 -req -in admin.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin.pem -days 365
#create demouser certs
# Low-privilege example identity (group "demonamespace"); its rights depend on
# RBAC bindings created elsewhere.
openssl genrsa -out demouser-key.pem 2048
openssl req -new -key demouser-key.pem -out demouser.csr -subj "/CN=demouser/O=demonamespace"
openssl x509 -req -in demouser.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out demouser.pem -days 365
# encode to base64 gzip files.
# cat ca.pem | gzip | base64 -w0
# decode from base64 gzip string
# echo '<encoded-string>' | base64 -di | zcat
#gzip base64 encode files to store in the cloud init files.
# gzip+base64 is an encoding, not encryption: index.txt and the generated
# yamls carry every private key (including both CA keys) in recoverable form,
# so the set/ directory is as sensitive as the key files themselves.  The
# plain-base64 variants (*_BASE64) are used for the Calico manifest.
CAKEY=$(cat ca-key.pem | gzip | base64 -w0)
CACERT=$(cat ca.pem | gzip | base64 -w0)
ETCDCAKEY=$(cat etcd-ca-key.pem | gzip | base64 -w0)
ETCDCACERT=$(cat etcd-ca.pem | gzip | base64 -w0)
ETCDCACERT_BASE64=$(cat etcd-ca.pem | base64 -w0)
APISERVERKEY=$(cat apiserver-key.pem | gzip | base64 -w0)
APISERVER=$(cat apiserver.pem | gzip | base64 -w0)
ETCDAPISERVERKEY=$(cat etcd-apiserver-key.pem | gzip | base64 -w0)
ETCDAPISERVER=$(cat etcd-apiserver.pem | gzip | base64 -w0)
ETCDCACERTBASE64=$(cat etcd-ca.pem | base64 -w0)
ETCDAPISERVERKEYBASE64=$(cat etcd-apiserver-key.pem | base64 -w0)
ETCDAPISERVERBASE64=$(cat etcd-apiserver.pem | base64 -w0)
# Per-worker material is parked in index.txt under <NAME>_<worker> keys and
# read back by the worker yaml loop below.
for i in ${WORKER_HOSTS[@]}; do
j=$i-worker-key.pem
k=$i-worker.pem
l=$i-etcd-worker-key.pem
m=$i-etcd-worker.pem
WORKERKEY=$(cat $j | gzip | base64 -w0)
WORKER=$(cat $k | gzip | base64 -w0)
ETCDWORKERKEY=$(cat $l | gzip | base64 -w0)
ETCDWORKER=$(cat $m | gzip | base64 -w0)
ETCDWORKERKEYBASE64=$(cat $l | base64 -w0)
ETCDWORKERBASE64=$(cat $m | base64 -w0)
echo WORKERKEY_$i:$WORKERKEY >> index.txt
echo WORKER_$i:$WORKER >> index.txt
echo ETCDWORKERKEY_$i:$ETCDWORKERKEY >> index.txt
echo ETCDWORKER_$i:$ETCDWORKER >> index.txt
echo ETCDWORKERKEYBASE64_$i:$ETCDWORKERKEYBASE64 >> index.txt
echo ETCDWORKERBASE64_$i:$ETCDWORKERBASE64 >> index.txt
done
ADMINKEY=`cat admin-key.pem | gzip | base64 -w0`
ADMIN=`cat admin.pem | gzip | base64 -w0`
# ../../cloud.conf is resolved from set/, i.e. the parent of the script's own
# directory.  NOTE(review): presumably the cloud-provider config (credentials
# included) — it is embedded verbatim into every node's cloud-init.
CLOUDCONF=`cat ../../cloud.conf | gzip | base64 -w0`
#create indexfile with hashes
echo CAKEY:$CAKEY >> index.txt
echo CACERT:$CACERT >> index.txt
echo ETCDCAKEY:$ETCDCAKEY >> index.txt
echo ETCDCACERT:$ETCDCACERT >> index.txt
echo ETCDCACERTBASE64:$ETCDCACERTBASE64 >> index.txt
echo APISERVERKEY:$APISERVERKEY >> index.txt
echo APISERVER:$APISERVER >> index.txt
echo ADMINKEY:$ADMINKEY >> index.txt
echo ADMIN:$ADMIN >> index.txt
echo CLOUDCONF:$CLOUDCONF >> index.txt
#convert ssh public key to base64 gzip.
# UCK1 is not referenced anywhere else in this script; the templates receive
# the raw USER_CORE_KEY1 / USER_CORE_KEY2 values below.
UCK1=`echo $USER_CORE_KEY1 | gzip | base64 -w0`
# Select the CNI-related fragments spliced into the kubelet unit.  The
# doubled backslashes survive one round of shell unescaping and one round of
# sed replacement processing to become a single "\" line continuation in the
# rendered unit; "\n" is expanded to a newline by the sed replacement (GNU sed
# behaviour).  NOTE: $NET_OVERLAY is unquoted in the test.
if [ $NET_OVERLAY == "calico" ]; then
NETOVERLAY_MOUNTS="--volume cni-net,kind=host,source=/etc/cni/net.d \\\\\n --mount volume=cni-net,target=/etc/cni/net.d \\\\\n --volume cni-bin,kind=host,source=/opt/cni/bin \\\\\n --mount volume=cni-bin,target=/opt/cni/bin \\\\"
NETOVERLAY_DIRS="ExecStartPre=/usr/bin/mkdir -p /opt/cni/bin\n ExecStartPre=/usr/bin/mkdir -p /etc/cni/net.d"
NETOVERLAY_CNICONF="--cni-conf-dir=/etc/cni/net.d \\\\\n --cni-bin-dir=/opt/cni/bin \\\\"
else
NETOVERLAY_CNICONF="--cni-conf-dir=/etc/kubernetes/cni/net.d \\\\"
NETOVERLAY_MOUNTS="\\\\"
NETOVERLAY_DIRS="\\\\"
fi
#generate the master.yaml from the controller.yaml template
# Placeholder substitution.  Delimiters are ',' (or '@' for values that may
# contain commas), so a value containing the delimiter — e.g. a comment in an
# ssh key line — would break the expression.  The \<...\> word boundaries (GNU
# sed) keep CACERT from matching inside ETCDCACERT.  The two SSHKEY
# substitutions deliberately lack the g flag (first occurrence only).  The
# resulting yaml contains the password hash and every embedded private key.
sed -e "s,MASTER_HOST_FQDN,$MASTER_HOST_FQDN,g" \
-e "s,MASTER_HOST_IP,$MASTER_HOST_IP,g" \
-e "s,MASTER_HOST_GW,$MASTER_HOST_GW,g" \
-e "s,DISCOVERY_ID,$DISCOVERY_ID,g" \
-e "s,DNSSERVER,$DNSSERVER,g" \
-e "s,CLUSTER_DNS,$CLUSTER_DNS,g" \
-e "s@ETCD_ENDPOINTS_URLS@${ETCD_ENDPOINTS_URLS}@g" \
-e "s,SERVICE_CLUSTER_IP_RANGE,$SERVICE_CLUSTER_IP_RANGE,g" \
-e "s,USER_CORE_SSHKEY1,${USER_CORE_KEY1}," \
-e "s,USER_CORE_SSHKEY2,${USER_CORE_KEY2}," \
-e "s,USER_CORE_PASSWORD,$HASHED_USER_CORE_PASSWORD,g" \
-e "s,CLOUD_PROVIDER,${CLOUD_PROVIDER},g" \
-e "s,K8S_VER,$K8S_VER,g" \
-e "s,\<CACERT\>,$CACERT,g" \
-e "s,\<APISERVERKEY\>,$APISERVERKEY,g" \
-e "s,\<APISERVER\>,$APISERVER,g" \
-e "s,\<ETCDCACERT\>,$ETCDCACERT,g" \
-e "s,\<ETCDAPISERVERKEY\>,$ETCDAPISERVERKEY,g" \
-e "s,\<ETCDAPISERVER\>,$ETCDAPISERVER,g" \
-e "s,CLOUDCONF,$CLOUDCONF,g" \
-e "s,FLANNEL_VER,$FLANNEL_VER,g" \
-e "s@AUTHORIZATION_MODE@${AUTHORIZATION_MODE}@g" \
-e "s@NETOVERLAY_MOUNTS@${NETOVERLAY_MOUNTS}@g" \
-e "s@NETOVERLAY_DIRS@${NETOVERLAY_DIRS}@g" \
-e "s@NETOVERLAY_CNICONF@${NETOVERLAY_CNICONF}@g" \
../template/controller.yaml > node_$MASTER_HOST_IP.yaml
echo ----------------------
echo Generated: Master: node_$MASTER_HOST_IP.yaml
#genereate the worker yamls from the worker.yaml template
# Same substitution scheme as the master; the per-worker key/cert blobs are
# read back from index.txt with a whole-word grep on their <NAME>_<worker> key.
for i in ${WORKER_HOSTS[@]}; do
sed -e "s,WORKER_IP,$i,g" \
-e "s,DISCOVERY_ID,$DISCOVERY_ID,g" \
-e "s,WORKER_GW,$WORKER_GW,g" \
-e "s,DNSSERVER,$DNSSERVER,g" \
-e "s,MASTER_HOST_IP,$MASTER_HOST_IP,g" \
-e "s,CLUSTER_DNS,$CLUSTER_DNS,g" \
-e "s@ETCD_ENDPOINTS_URLS@${ETCD_ENDPOINTS_URLS}@g" \
-e "s,USER_CORE_SSHKEY1,${USER_CORE_KEY1}," \
-e "s,USER_CORE_SSHKEY2,${USER_CORE_KEY2}," \
-e "s,USER_CORE_PASSWORD,$HASHED_USER_CORE_PASSWORD,g" \
-e "s,CLOUD_PROVIDER,${CLOUD_PROVIDER},g" \
-e "s,K8S_VER,$K8S_VER,g" \
-e "s,\<CACERT\>,$CACERT,g" \
-e "s,\<WORKERKEY\>,`cat index.txt|grep -w WORKERKEY_$i|cut -d: -f2`,g" \
-e "s,\<WORKER\>,`cat index.txt|grep -w WORKER_$i|cut -d: -f2`,g" \
-e "s,\<ETCDCACERT\>,$ETCDCACERT,g" \
-e "s,\<ETCDWORKERKEY\>,`cat index.txt|grep -w ETCDWORKERKEY_$i|cut -d: -f2`,g" \
-e "s,\<ETCDWORKER\>,`cat index.txt|grep -w ETCDWORKER_$i|cut -d: -f2`,g" \
-e "s,CLOUDCONF,$CLOUDCONF,g" \
-e "s,FLANNEL_VER,$FLANNEL_VER,g" \
-e "s@NETOVERLAY_MOUNTS@${NETOVERLAY_MOUNTS}@g" \
-e "s@NETOVERLAY_DIRS@${NETOVERLAY_DIRS}@g" \
-e "s@NETOVERLAY_CNICONF@${NETOVERLAY_CNICONF}@g" \
../template/worker.yaml > node_$i.yaml
echo Generated: Worker: node_$i.yaml
done
echo ---------------------
# Calico manifest: gets the plain-base64 (not gzipped) etcd CA cert and the
# API server's etcd client key/cert, so the manifest also holds a private key.
sed -e "s,\<ETCDCACERTBASE64\>,$ETCDCACERTBASE64,g" \
-e "s,\<ETCDAPISERVERKEYBASE64\>,$ETCDAPISERVERKEYBASE64,g" \
-e "s,\<ETCDAPISERVERBASE64\>,$ETCDAPISERVERBASE64,g" \
-e "s@ETCD_ENDPOINTS_URLS@${ETCD_ENDPOINTS_URLS}@g" \
../template/calico.tmpl.yaml > calico.yaml
echo Generated: Calico.yaml
echo ---------------------
# calicoctl manifest is copied as-is (no placeholders substituted).
cp ../template/calico_ctl_tmpl.yaml calico_ctl.yaml
# Back to the starting directory ("cd -" echoes it to stdout).
cd -
# Print ready-made kubectl commands for the admin and demouser identities.
echo You can run the following to interact with your new cluster:
echo ""
echo "kubectl config set-cluster $MASTER_HOST_IP-cluster --server=https://$MASTER_HOST_IP --certificate-authority=./set/ca.pem"
echo "kubectl config set-credentials $MASTER_HOST_IP-admin --certificate-authority=./set/ca.pem --client-key=./set/admin-key.pem --client-certificate=./set/admin.pem"
echo "kubectl config set-credentials $MASTER_HOST_IP-demouser --certificate-authority=./set/ca.pem --client-key=./set/demouser-key.pem --client-certificate=./set/demouser.pem"
echo "kubectl config set-context $MASTER_HOST_IP-admin --cluster=$MASTER_HOST_IP-cluster --user=$MASTER_HOST_IP-admin"
echo "kubectl config set-context $MASTER_HOST_IP-demouser --cluster=$MASTER_HOST_IP-cluster --user=$MASTER_HOST_IP-demouser"
echo "kubectl config use-context $MASTER_HOST_IP-admin"
echo "#OR"
echo "kubectl config use-context $MASTER_HOST_IP-demouser"
echo ""
else
echo Aborting.
fi