openstack-helm-infra/tools/images/kubeadm-aio/assets/entrypoint.sh
Dmitrii Kabanov 0c5e2c4830 [Calico] Update TLS settings for Calico
PS provides possibility to use TLS in etcd (for Calico).
The ansible scripts were updated as well.

Change-Id: I522a78043a125660153aaa60f13d61ba8e325e75
2019-01-18 19:53:46 +00:00

139 lines
5.3 KiB
Bash
Executable File

#!/usr/bin/env bash
# Copyright 2017 The Openstack-Helm Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -e
if [ "x${ACTION}" == "xgenerate-join-cmd" ]; then
: ${TTL:="10m"}
DISCOVERY_TOKEN="$(kubeadm token --kubeconfig /etc/kubernetes/admin.conf create --ttl ${TTL} --usages signing,authentication --groups '')"
TLS_BOOTSTRAP_TOKEN="$(kubeadm token --kubeconfig /etc/kubernetes/admin.conf create --ttl ${TTL} --usages authentication --groups \"system:bootstrappers:kubeadm:default-node-token\")"
DISCOVERY_TOKEN_CA_HASH="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* /sha256:/')"
API_SERVER=$(cat /etc/kubernetes/admin.conf | python -c "import sys, yaml; print yaml.safe_load(sys.stdin)['clusters'][0]['cluster']['server'].split(\"//\",1).pop()")
exec echo "kubeadm join \
--tls-bootstrap-token ${TLS_BOOTSTRAP_TOKEN} \
--discovery-token ${DISCOVERY_TOKEN} \
--discovery-token-ca-cert-hash ${DISCOVERY_TOKEN_CA_HASH} \
${API_SERVER}"
elif [ "x${ACTION}" == "xjoin-kube" ]; then
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-node.yaml \
--inventory=/opt/playbooks/inventory.ini \
--extra-vars="kubeadm_join_command=\"${KUBEADM_JOIN_COMMAND}\""
fi
: ${ACTION:="deploy-kube"}
: ${CONTAINER_NAME:="null"}
: ${CONTAINER_RUNTIME:="docker"}
: ${CNI_ENABLED:="calico"}
: ${CNI_HOST_IP:="10.96.232.136"}
: ${NET_SUPPORT_LINUXBRIDGE:="true"}
: ${PVC_SUPPORT_CEPH:="false"}
: ${PVC_SUPPORT_NFS:="false"}
: ${HELM_TILLER_IMAGE:="gcr.io/kubernetes-helm/tiller:${HELM_VERSION}"}
: ${KUBE_VERSION:="${KUBE_VERSION}"}
: ${KUBE_IMAGE_REPO:="gcr.io/google_containers"}
: ${KUBE_API_BIND_PORT:="6443"}
: ${KUBE_NET_DNS_DOMAIN:="cluster.local"}
: ${KUBE_NET_POD_SUBNET:="192.168.0.0/16"}
: ${KUBE_NET_SUBNET_SUBNET:="10.96.0.0/12"}
: ${KUBE_BIND_DEVICE:=""}
: ${KUBE_BIND_ADDR:=""}
: ${KUBE_API_BIND_DEVICE:="${KUBE_BIND_DEVICE}"}
: ${KUBE_API_BIND_ADDR:="${KUBE_BIND_ADDR}"}
: ${KUBE_CERTS_DIR:="/etc/kubernetes/pki"}
: ${KUBE_SELF_HOSTED:="false"}
: ${KUBE_KEYSTONE_AUTH:="false"}
: ${KUBELET_NODE_LABELS:=""}
: ${GATE_FQDN_TEST:="false"}
: ${GATE_INGRESS_IP:="127.0.0.1"}
: ${GATE_FQDN_TLD:="openstackhelm.test"}
PLAYBOOK_VARS="{
\"my_container_name\": \"${CONTAINER_NAME}\",
\"user\": {
\"uid\": ${USER_UID},
\"gid\": ${USER_GID},
\"home\": \"${USER_HOME}\"
},
\"cluster\": {
\"cni\": \"${CNI_ENABLED}\",
\"cni_host_ip\": \"${CNI_HOST_IP}\"
},
\"kubelet\": {
\"container_runtime\": \"${CONTAINER_RUNTIME}\",
\"net_support_linuxbridge\": ${NET_SUPPORT_LINUXBRIDGE},
\"pv_support_nfs\": ${PVC_SUPPORT_NFS},
\"pv_support_ceph\": ${PVC_SUPPORT_CEPH}
},
\"helm\": {
\"tiller_image\": \"${HELM_TILLER_IMAGE}\"
},
\"k8s\": {
\"kubernetesVersion\": \"${KUBE_VERSION}\",
\"imageRepository\": \"${KUBE_IMAGE_REPO}\",
\"certificatesDir\": \"${KUBE_CERTS_DIR}\",
\"selfHosted\": \"${KUBE_SELF_HOSTED}\",
\"keystoneAuth\": \"${KUBE_KEYSTONE_AUTH}\",
\"api\": {
\"bindPort\": ${KUBE_API_BIND_PORT}
},
\"networking\": {
\"dnsDomain\": \"${KUBE_NET_DNS_DOMAIN}\",
\"podSubnet\": \"${KUBE_NET_POD_SUBNET}\",
\"serviceSubnet\": \"${KUBE_NET_SUBNET_SUBNET}\"
}
},
\"gate\": {
\"fqdn_testing\": \"${GATE_FQDN_TEST}\",
\"ingress_ip\": \"${GATE_INGRESS_IP}\",
\"fqdn_tld\": \"${GATE_FQDN_TLD}\"
}
}"
set -x
if [ "x${ACTION}" == "xdeploy-kubelet" ]; then
if [ "x${KUBE_BIND_ADDR}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_addr\": \"${KUBE_BIND_ADDR}\"}")
elif [ "x${KUBE_BIND_DEVICE}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"bind_device\": \"${KUBE_BIND_DEVICE}\"}")
fi
if [ "x${KUBELET_NODE_LABELS}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".kubelet += {\"kubelet_labels\": \"${KUBELET_NODE_LABELS}\"}")
fi
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-kubelet.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
elif [ "x${ACTION}" == "xdeploy-kube" ]; then
if [ "x${KUBE_API_BIND_ADDR}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddress\": \"${KUBE_API_BIND_ADDR}\"}")
elif [ "x${KUBE_API_BIND_DEVICE}" != "x" ]; then
PLAYBOOK_VARS=$(echo $PLAYBOOK_VARS | jq ".k8s.api += {\"advertiseAddressDevice\": \"${KUBE_API_BIND_DEVICE}\"}")
fi
exec ansible-playbook /opt/playbooks/kubeadm-aio-deploy-master.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
elif [ "x${ACTION}" == "xclean-host" ]; then
exec ansible-playbook /opt/playbooks/kubeadm-aio-clean.yaml \
--inventory=/opt/playbooks/inventory.ini \
--inventory=/opt/playbooks/vars.yaml \
--extra-vars="${PLAYBOOK_VARS}"
else
exec ${ACTION}
fi