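#!/bin/bash

# Copyright 2014 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Provision the Kubernetes master on a Vagrant (Fedora) box.
#
# Required environment (exported by the caller before this script runs):
#   MASTER_NAME, MASTER_IP, MASTER_USER, MASTER_PASSWD
#   NODE_NAMES[@], NODE_IPS[@]      parallel arrays, one entry per node
#   NETWORK_PROVIDER, DEFAULT_NETWORK_IF_NAME
#   KUBELET_TOKEN, KUBE_PROXY_TOKEN, KUBE_BEARER_TOKEN
# Commands expected to be provided by the provisioning environment (they are
# not defined in this file): enable-accounting, prepare-package-manager,
# provision-network-master, write-salt-config, create-salt-kubelet-auth,
# create-salt-kubeproxy-auth, install-salt, run-salt.
#
# Side effects: sets the hostname, edits /etc/hosts and the Fedora
# network-scripts, writes credential files under /srv/salt-overlay and
# installs packages with dnf.  Must run as root.

set -o errexit
set -o nounset
set -o pipefail

readonly NETWORK_CONF_PATH='/etc/sysconfig/network-scripts/'
readonly SALT_APISERVER_DIR='/srv/salt-overlay/salt/kube-apiserver'
readonly SALT_KUBELET_DIR='/srv/salt-overlay/salt/kubelet'
# Both paths stay global: the create-salt-* / run-salt helpers may read them.
readonly known_tokens_file="${SALT_APISERVER_DIR}/known_tokens.csv"
readonly BASIC_AUTH_FILE="${SALT_APISERVER_DIR}/basic_auth.csv"

#######################################
# List the ifcfg-* files that Vagrant generated (they carry a VAGRANT-BEGIN
# marker).
# Globals:  NETWORK_CONF_PATH (read)
# Outputs:  one absolute path per line on stdout; nothing when none match
# Returns:  0 always (no marker is a legitimate outcome, not an error)
#######################################
vagrant_ifcfg_files() {
  local conf
  for conf in "${NETWORK_CONF_PATH}"ifcfg-*; do
    # An unmatched glob stays literal; skip it instead of grepping a
    # non-existent file.
    [[ -f "$conf" ]] || continue
    if grep -q -- VAGRANT-BEGIN "$conf"; then
      printf '%s\n' "$conf"
    fi
  done
}

#######################################
# Stop NetworkManager from managing one interface (needed for Fedora 21+).
# Arguments: $1 - path of the ifcfg file to edit
#######################################
disable_nm_control() {
  local conf=$1
  if grep -q -- '^NM_CONTROLLED=' "$conf"; then
    # Force an existing NM_CONTROLLED=yes to "no".  The previous pattern was
    # 's/#^NM_CONTROLLED=.*/…/', which in a BRE is the literal text "#^" and
    # therefore never matched anything.
    sed -i 's/^NM_CONTROLLED=.*/NM_CONTROLLED=no/' -- "$conf"
  else
    printf 'NM_CONTROLLED=no\n' >> "$conf"
  fi
}

#######################################
# Check whether /etc/hosts already maps a hostname.
# Arguments: $1 - hostname
# Returns:   0 when an uncommented line contains $1 as a whole field
#######################################
host_entry_exists() {
  local name=$1
  # Whole-field match: a bare substring grep made "node1" satisfy a lookup
  # for "node10" and so silently skipped the entry.
  grep -qE -- "^[^#]*[[:space:]]${name}([[:space:]]|$)" /etc/hosts
}

#######################################
# Append "<ip> <hostname>" to /etc/hosts unless the hostname is already there,
# so re-provisioning does not accumulate duplicate lines.
# Arguments: $1 - ip address, $2 - hostname
# Outputs:   a progress line on stdout when an entry is added
#######################################
add_host_entry() {
  local ip=$1
  local name=$2
  if ! host_entry_exists "$name"; then
    printf 'Adding %s to hosts file\n' "$name"
    printf '%s %s\n' "$ip" "$name" >> /etc/hosts
  fi
}

#######################################
# Produce a 32-character random token (base64 alphabet without "=+/", so it
# is safe inside the CSV and on a command line).
# Outputs:  the token on stdout, no trailing newline
#######################################
gen_token() {
  local raw
  # Read the whole encoded block and slice it in the shell: "dd bs=32 count=1"
  # on a pipe can return a short read and hand out a truncated token.
  raw=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d '=+/\n')
  printf '%s' "${raw:0:32}"
}

#######################################
# Generate and distribute a shared secret (bearer token) to apiserver and
# kubelet so that kubelet can authenticate to apiserver to send events, then
# add tokens for the built-in "service accounts".  No-op when the token file
# already exists.
# Globals:  known_tokens_file, SALT_APISERVER_DIR, SALT_KUBELET_DIR,
#           KUBELET_TOKEN, KUBE_PROXY_TOKEN, KUBE_BEARER_TOKEN (read)
#######################################
write_known_tokens() {
  if [[ -f "${known_tokens_file}" ]]; then
    return 0
  fi
  mkdir -p "${SALT_APISERVER_DIR}"
  (
    umask u=rw,go=  # credential files are created mode 0600
    printf '%s,kubelet,kubelet\n' "${KUBELET_TOKEN}" > "${known_tokens_file}"
    printf '%s,kube_proxy,kube_proxy\n' "${KUBE_PROXY_TOKEN}" >> "${known_tokens_file}"
    printf '%s,admin,admin\n' "${KUBE_BEARER_TOKEN}" >> "${known_tokens_file}"
  )

  mkdir -p "${SALT_KUBELET_DIR}"
  local kubelet_auth_file="${SALT_KUBELET_DIR}/kubernetes_auth"
  (
    umask u=rw,go=
    # NOTE(review): "Insecure": true presumably makes the kubelet skip TLS
    # verification of the apiserver — confirm the Vagrant setup still needs it.
    printf '{"BearerToken": "%s", "Insecure": true }\n' "${KUBELET_TOKEN}" > "${kubelet_auth_file}"
  )
  create-salt-kubelet-auth
  create-salt-kubeproxy-auth

  # Generate tokens for other "service accounts". Append to known_tokens.
  #
  # NB: If this list ever changes, this script actually has to
  # change to detect the existence of this file, kill any deleted
  # old tokens and add any new tokens (to handle the upgrade case).
  local -a service_accounts=(
    "system:scheduler"
    "system:controller_manager"
    "system:logging"
    "system:monitoring"
    "system:dns"
  )
  local account token
  for account in "${service_accounts[@]}"; do
    token=$(gen_token)
    printf '%s,%s,%s\n' "${token}" "${account}" "${account}" >> "${known_tokens_file}"
  done
}

#######################################
# Write the apiserver basic-auth credentials file (mode 0600) if missing.
# Globals:  BASIC_AUTH_FILE, SALT_APISERVER_DIR, MASTER_PASSWD, MASTER_USER (read)
#######################################
write_basic_auth() {
  if [[ ! -e "${BASIC_AUTH_FILE}" ]]; then
    mkdir -p "${SALT_APISERVER_DIR}"
    (
      umask 077
      printf '%s,%s,admin\n' "${MASTER_PASSWD}" "${MASTER_USER}" > "${BASIC_AUTH_FILE}"
    )
  fi
}

#######################################
# Enable Fedora Cockpit on host to support Kubernetes administration.
# Access it by going to :9090 and login as vagrant/vagrant.
#######################################
install_cockpit() {
  if [[ -x /usr/libexec/cockpit-ws ]]; then
    return 0
  fi
  pushd /etc/yum.repos.d >/dev/null
  # -f: an HTTP error page must fail the download rather than be saved as a
  # .repo file; --proto '=https' refuses any redirect away from https.
  curl -fsSL --proto '=https' -O \
    https://copr.fedorainfracloud.org/coprs/g/cockpit/cockpit-preview/repo/fedora-23/msuchy-cockpit-preview-fedora-23.repo
  dnf install -y cockpit cockpit-kubernetes docker socat ethtool
  popd >/dev/null
  systemctl enable cockpit.socket
  systemctl start cockpit.socket
}

main() {
  # Set the host name explicitly
  # See: https://github.com/mitchellh/vagrant/issues/2430
  hostnamectl set-hostname "${MASTER_NAME}"

  local -a if_to_edit=()
  if [[ "$(grep 'VERSION_ID' /etc/os-release)" =~ ^VERSION_ID=23 ]]; then
    # Disable network interface being managed by Network Manager (needed for Fedora 21+)
    mapfile -t if_to_edit < <(vagrant_ifcfg_files)
    local if_conf
    for if_conf in "${if_to_edit[@]}"; do
      disable_nm_control "$if_conf"
    done
    systemctl restart network
  fi

  # needed for vsphere support
  # handle the case when no 'VAGRANT-BEGIN' comment was defined in network-scripts
  # set the NETWORK_IF_NAME to have a default value in such case.
  # Left global: presumably read by provision-network-master — confirm.
  NETWORK_IF_NAME=''
  if (( ${#if_to_edit[@]} > 0 )); then
    # ".../ifcfg-<name>" -> "<name>" of the first edited file; the old
    # "awk -F- '{print $3}'" gave the same answer for a single file but
    # produced garbage when several files matched.
    NETWORK_IF_NAME=${if_to_edit[0]##*/ifcfg-}
  fi
  if [[ -z "$NETWORK_IF_NAME" ]]; then
    NETWORK_IF_NAME=${DEFAULT_NETWORK_IF_NAME}
  fi

  # Setup hosts file to support ping by hostname to each node in the cluster from apiserver
  local i
  for (( i = 0; i < ${#NODE_NAMES[@]}; i++ )); do
    add_host_entry "${NODE_IPS[$i]}" "${NODE_NAMES[$i]}"
  done
  add_host_entry 127.0.0.1 localhost
  # enables cmds like 'kubectl get pods' on master.
  add_host_entry "${MASTER_IP}" "${MASTER_NAME}"

  enable-accounting
  prepare-package-manager

  # Configure the master network
  if [[ "${NETWORK_PROVIDER}" != "kubenet" ]]; then
    provision-network-master
  fi

  write-salt-config kubernetes-master

  write_known_tokens
  write_basic_auth
  install_cockpit

  install-salt
  run-salt
}

main "$@"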