Add initial containerized version

.dockerignore

@@ -0,0 +1,2 @@
+Makefile
+promenade-*.tar

.gitignore

@@ -0,0 +1,8 @@
+/*.log
+/*.tar
+/.vagrant
+/cni.tgz
+/env.sh
+/helm
+/kubelet
+/linux-amd64

Dockerfile.genesis

@@ -0,0 +1,37 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:xenial
+
+ENV NODE_HOSTNAME=
+
+RUN apt-get update -qq \
+    && apt-get install --no-install-recommends -y \
+        docker.io \
+        gettext-base \
+    && rm -rf /var/lib/apt/lists/* \
+    && mkdir /promenade \
+    && mkdir /promenade/assets \
+    && mkdir /promenade/scripts
+
+WORKDIR /promenade
+
+ENTRYPOINT /promenade/scripts/entrypoint.sh
+
+COPY genesis-images.tar cni.tgz helm kubelet /promenade/
+
+COPY kubelet.service.template /promenade/
+COPY env.sh scripts/common/* /promenade/scripts/
+COPY scripts/entrypoint-genesis.sh /promenade/scripts/entrypoint.sh
+COPY assets/ /promenade/assets/

Dockerfile.join

@@ -0,0 +1,37 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:xenial
+
+ENV NODE_HOSTNAME=
+
+RUN apt-get update -qq \
+    && apt-get install --no-install-recommends -y \
+        docker.io \
+        gettext-base \
+    && rm -rf /var/lib/apt/lists/* \
+    && mkdir /promenade \
+    && mkdir /promenade/assets \
+    && mkdir /promenade/scripts
+
+WORKDIR /promenade
+
+ENTRYPOINT /promenade/scripts/entrypoint.sh
+
+COPY join-images.tar cni.tgz kubelet /promenade/
+
+COPY kubelet.service.template /promenade/
+COPY env.sh scripts/common/* /promenade/scripts/
+COPY scripts/entrypoint-join.sh /promenade/scripts/entrypoint.sh
+COPY assets/kubeconfig assets/auth/kubeconfig /promenade/assets/

Makefile

@@ -0,0 +1,141 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#---------------#
+# Configuration #
+#---------------#
+BOOTKUBE_VERSION := v0.4.1
+CNI_VERSION := v0.5.2
+HELM_VERSION := v2.3.1
+KUBERNETES_VERSION := v1.6.2
+
+NAMESPACE := quay.io/attcomdev
+GENESIS_REPO := promenade-genesis
+JOIN_REPO := promenade-join
+TAG := dev
+
+GENESIS_IMAGES := \
+	gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1 \
+	gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1 \
+	gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1 \
+	gcr.io/google_containers/pause-amd64:3.0 \
+	quay.io/calico/cni:v1.7.0 \
+	quay.io/calico/kube-policy-controller:v0.5.4 \
+	quay.io/calico/node:v1.1.3 \
+	quay.io/coreos/bootkube:$(BOOTKUBE_VERSION) \
+	quay.io/coreos/etcd-operator:v0.2.5 \
+	quay.io/coreos/etcd:v3.1.4 \
+	quay.io/coreos/etcd:v3.1.6 \
+	quay.io/coreos/flannel:v0.7.1 \
+	quay.io/coreos/hyperkube:$(KUBERNETES_VERSION)_coreos.0 \
+	quay.io/coreos/kenc:48b6feceeee56c657ea9263f47b6ea091e8d3035 \
+	quay.io/coreos/pod-checkpointer:20cf8b9a6018731a0770192f30dfa7a1941521e3 \
+
+JOIN_IMAGES := \
+	gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1 \
+	gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1 \
+	gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1 \
+	gcr.io/google_containers/pause-amd64:3.0 \
+	quay.io/calico/cni:v1.7.0 \
+	quay.io/calico/kube-policy-controller:v0.5.4 \
+	quay.io/calico/node:v1.1.3 \
+	quay.io/coreos/etcd-operator:v0.2.5 \
+	quay.io/coreos/etcd:v3.1.4 \
+	quay.io/coreos/etcd:v3.1.6 \
+	quay.io/coreos/flannel:v0.7.1 \
+	quay.io/coreos/hyperkube:$(KUBERNETES_VERSION)_coreos.0 \
+	quay.io/coreos/kenc:48b6feceeee56c657ea9263f47b6ea091e8d3035 \
+	quay.io/coreos/pod-checkpointer:20cf8b9a6018731a0770192f30dfa7a1941521e3 \
+
+
+#-------#
+# Rules #
+#-------#
+all: build
+
+build: build-genesis build-join
+
+push: push-genesis push-join
+
+save: save-genesis save-join
+
+genesis: build-genesis
+
+build-genesis: Dockerfile.genesis cni.tgz env.sh helm genesis-images.tar kubelet kubelet.service.template
+	sudo docker build -f Dockerfile.genesis -t $(NAMESPACE)/$(GENESIS_REPO):$(TAG) .
+
+push-genesis: build-genesis
+	sudo docker push $(NAMESPACE)/$(GENESIS_REPO):$(TAG)
+
+save-genesis: build-genesis
+	sudo docker save $(NAMESPACE)/$(GENESIS_REPO):$(TAG) > promenade-genesis.tar
+
+
+join: build-join
+
+build-join: Dockerfile.join join-images.tar kubelet.service.template
+	sudo docker build -f Dockerfile.join -t $(NAMESPACE)/$(JOIN_REPO):$(TAG) .
+
+push-join: build-join
+	sudo docker push $(NAMESPACE)/$(JOIN_REPO):$(TAG)
+
+save-join: build-join
+	sudo docker save $(NAMESPACE)/$(JOIN_REPO):$(TAG) > promenade-join.tar
+
+cni.tgz:
+	wget https://github.com/containernetworking/cni/releases/download/$(CNI_VERSION)/cni-amd64-$(CNI_VERSION).tgz
+	mv cni-amd64-$(CNI_VERSION).tgz cni.tgz
+
+env.sh: Makefile
+	rm -f env.sh
+	echo export BOOTKUBE_VERSION=$(BOOTKUBE_VERSION) >> env.sh
+	echo export CNI_VERSION=$(CNI_VERSION) >> env.sh
+	echo export HELM_VERSION=$(HELM_VERSION) >> env.sh
+	echo export KUBERNETES_VERSION=$(KUBERNETES_VERSION) >> env.sh
+
+helm:
+	wget https://storage.googleapis.com/kubernetes-helm/helm-$(HELM_VERSION)-linux-amd64.tar.gz
+	tar xf helm-$(HELM_VERSION)-linux-amd64.tar.gz
+	mv linux-amd64/helm ./helm
+	rm -rf ./linux-amd64/
+	rm -f helm-$(HELM_VERSION)-linux-amd64.tar.gz*
+	chmod +x helm
+
+genesis-images.tar:
+	for IMAGE in $(GENESIS_IMAGES); do \
+		sudo docker pull $$IMAGE; \
+	done
+	sudo docker save -o genesis-images.tar $(GENESIS_IMAGES)
+
+join-images.tar:
+	for IMAGE in $(JOIN_IMAGES); do \
+		sudo docker pull $$IMAGE; \
+	done
+	sudo docker save -o join-images.tar $(JOIN_IMAGES)
+
+kubelet:
+	wget http://storage.googleapis.com/kubernetes-release/release/$(KUBERNETES_VERSION)/bin/linux/amd64/kubelet
+	chmod +x kubelet
+
+clean:
+	rm -rf \
+		cni.tgz \
+		env.sh \
+		helm \
+		helm-*-linux-amd64* \
+		*.tar \
+		kubelet \
+
+
+.PHONY : build build-genesis build-join clean genesis join push push-genesis push-join

README.md

@@ -0,0 +1,10 @@
+# Overview
+
+To give this a try:
+
+```
+make save
+vagrant plugin install vagrant-hostmanager
+
+./test-install.sh
+```

Vagrantfile

@@ -0,0 +1,59 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.box = "ubuntu/xenial64"
+  config.vm.box_check_update = false
+
+  config.vm.provision :file, source: "vagrant-assets/docker-daemon.json", destination: "/tmp/docker-daemon.json"
+  config.vm.provision :file, source: "vagrant-assets/dnsmasq-kubernetes", destination: "/tmp/dnsmasq-kubernetes"
+
+  config.vm.provision :shell, privileged: true, inline:<<EOS
+set -ex
+
+echo === Installing packages ===
+apt-get update -qq
+apt-get install -y -qq --no-install-recommends \
+  docker.io \
+  dnsmasq \
+  gettext-base \
+
+echo === Setting up DNSMasq ===
+mv /tmp/dnsmasq-kubernetes /etc/dnsmasq.d/
+chown root:root /etc/dnsmasq.d/dnsmasq-kubernetes
+chmod 444 /etc/dnsmasq.d/dnsmasq-kubernetes
+systemctl restart dnsmasq
+
+echo === Reconfiguring Docker ===
+mv /tmp/docker-daemon.json /etc/docker/daemon.json
+chown root:root /etc/docker/daemon.json
+chmod 444 /etc/docker/daemon.json
+systemctl restart docker
+
+echo === Done ===
+EOS
+
+  config.hostmanager.enabled = true
+  config.hostmanager.manage_guest = true
+
+  config.vm.provider "virtualbox" do |vb|
+    vb.cpus = 2
+    vb.memory = "2048"
+  end
+
+  config.vm.define "n0" do |c|
+      c.vm.hostname = "n0"
+      c.vm.network "private_network", ip: "192.168.77.10"
+  end
+
+  config.vm.define "n1" do |c|
+      c.vm.hostname = "n1"
+      c.vm.network "private_network", ip: "192.168.77.11"
+  end
+
+  config.vm.define "n2" do |c|
+      c.vm.hostname = "n2"
+      c.vm.network "private_network", ip: "192.168.77.12"
+  end
+
+end

assets/auth/kubeconfig

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+- name: local
+  cluster:
+    server: https://kubernetes:443
+    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2RENDQWRDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFsTVJFd0R3WURWUVFLRXdoaWIyOTAKYTNWaVpURVFNQTRHQTFVRUF4TUhhM1ZpWlMxallUQWVGdzB4TnpBMU1Ua3hPRFF4TWpCYUZ3MHlOekExTVRjeApPRFF4TWpCYU1DVXhFVEFQQmdOVkJBb1RDR0p2YjNScmRXSmxNUkF3RGdZRFZRUURFd2RyZFdKbExXTmhNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1bEFWZnpUZS9tTWwzMU5BeDdQNTI0c3oKblFLbXhHK0JYZkRQdDRPNzc4dEJGNzZSc0VYK3dLclJ0b29CcjdheGh2UjBvazVrRFpQQVJHcE5LQVJtZENTbQozMzZFckZ0cVR3TW9yZVk3V1ZDVTJDQkZPdHQydW1mSkR1R1ZvTlVIRWtEOE1lVjJsWUpDb3h3SnJoZTV3aXFxCm00aHB0U0NlcFVqaWxta1JlV1ErL040K1JWRHByODZHWTJRQlVsdjlPdEE1aHhUaXNiQTAxU3dTUEFXcnBPcVYKOEpJajJSTFpuODVGVHpNRlRRazBXdTBadWdpcnlxZGF4bDMzVkwzK1VSSTNRQzJyMmRwdmQxU2V5V0RFWHZqbQprbjkyMzh3ZSsyd0JlUmFjZUN2QzdqeUR2WVNPaFMrajkyd0ZkblFZeCtIaW5BOG5uOFFmZG0zOHU2QTlod0lECkFRQUJveU13SVRBT0JnTlZIUThCQWY4RUJBTUNBcVF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUcKOXcwQkFRc0ZBQU9DQVFFQURIdmd0RENFOHR2MGxLSXpFcWZ1YlVBNUxLUTROaVQ1U1VBdWNZYXpNcEt3MVFJVwpRaW5Db0xFZnlQTXdna2JnWGp6d25lOFB4ZUVqanZ3Q1Jxd2J5VmlCV252OTM3cDk0cG9aLzlHM0NXM2JTWXdRCjRaZVpud1c2d1cwSUdzRWhlTXdrbkJlUWJvb2NNNmNYdThodG8xQVlIT25qdGcydDFSdWZXcHNEbjVhb2t1Vy8KUkk4SGc1dm5XV0tBQUF3Y3drbWc4YWlOLzFuWVFHL2NvRDQxa1hlL2lKMURUUFphMkNQeGdtNzFmMmhSbkVZVApjN3VUN3V1ZUJhcG8xTyt0dFBrZ2hzSXZQWktjNnZLeEswd3J2ekhHUm9VTGw3N1o4M3o5MmFvUEx6Y21uSjNkCk1GRXE0ZDdKUTV1NWkrU2FxcXFPZHAxUkdBaXVpTnBjdnlQOWV3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+users:
+- name: kubelet
+  user:
+    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURBekNDQWV1Z0F3SUJBZ0lJTE1Qa0xkMkUvdUF3RFFZSktvWklodmNOQVFFTEJRQXdKVEVSTUE4R0ExVUUKQ2hNSVltOXZkR3QxWW1VeEVEQU9CZ05WQkFNVEIydDFZbVV0WTJFd0hoY05NVGN3TlRFNU1UZzBNVEl3V2hjTgpNVGd3TlRFNU1UZzBNVEl4V2pBck1SY3dGUVlEVlFRS0V3NXplWE4wWlcwNmJXRnpkR1Z5Y3pFUU1BNEdBMVVFCkF4TUhhM1ZpWld4bGREQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUx0ejltSG8KdFBraWRQYlFldTlSUzZ0QU9RaEFoUE96Vjd5NWt4bzlaa3lHUjVtT0o1TUVsZm9vZkhXR1hEcUpzM0lITzZacgpaVEtUWWdYNmMzamlzTWhJVDYySm5OOVphQVRXY3JkK3FRMTVpeFROaHFkeTNVY1g2eGxCOFlGOEtwVlo0MHJPCndyUC9Vc0c5RWFCaXQzN2lPbW1JTklrWnRiTklodk9ZaGtKdnIrTk90WC84VHNuUlpwVDlQeUNleVpKYnNaSVoKZDFBcGZ1MkVOZVMxQzFPZ09RSUVPUkVCZWhjM0dWSDExRDlCUnRGb2IyMk1qWlVqeHlHajBTQnV0VW1wdm5ZOQpvZ2ZFNXBUMHloSStrWmxQNmlNUGtrMG9HbGtjYytVNFg4VnJTeVlYZkpORWJtSTVhRFplM0E0bGs0ZlhpRi9ZCk5vc2JIWW56ZGYvajBhY0NBd0VBQWFNeE1DOHdEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRV01CUUcKQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUlnYXhPNmFBeUdScQpNSU5QSUQ1YkcvWlNSb0lCU0VYMGJBdmlMS1dQOVJvbmpmYXlNOFhiM3IyV1o0VG1Kb1lZRE5NUkZveUNlU3R3CjFmamw3YjJ2cG1GQk94bHBtUnZOaFJGMWRsSTlSdDRHUlJWa3hlUzdjNGRrYzBMRlRIRVBwMFgvUm1TdDR1ZisKWDlzWXNXT0dTQmY1MitxWi83VU5JNlNZd29sdGVuemJ3bkxIWTlOU0xYaVZGb21tQ1hQYUJtYTFHbGtRTjJGMwpjRUluaGY3OEJYS1hlSXBXZFpib0h1V09VdTNhb1JUMHA2ZmVnYjJVeGgyYTczczZzVG9IakU3b3kzSDJadktSCmtjRkoyVG5LTXJxekVLLzl3eWMvZ3Uva1lWeDgvekNvUGxEUUFTZW03YVRaZ09JRFo4d2M0ZzlyQml0bnhkSXMKanhad2pPS3Q5Zz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcGdJQkFBS0NBUUVBdTNQMlllaTArU0owOXRCNjcxRkxxMEE1Q0VDRTg3Tlh2TG1UR2oxbVRJWkhtWTRuCmt3U1YraWg4ZFlaY09vbXpjZ2M3cG10bE1wTmlCZnB6ZU9Ld3lFaFByWW1jMzFsb0JOWnl0MzZwRFhtTEZNMkcKcDNMZFJ4ZnJHVUh4Z1h3cWxWbmpTczdDcy85U3diMFJvR0szZnVJNmFZZzBpUm0xczBpRzg1aUdRbSt2NDA2MQpmL3hPeWRGbWxQMC9JSjdKa2x1eGtobDNVQ2wrN1lRMTVMVUxVNkE1QWdRNUVRRjZGemNaVWZYVVAwRkcwV2h2CmJZeU5sU1BISWFQUklHNjFTYW0rZGoyaUI4VG1sUFRLRWo2Um1VL3FJdytTVFNnYVdSeHo1VGhmeFd0TEpoZDgKazBSdVlqbG9ObDdjRGlXVGg5ZUlYOWcyaXhzZGlmTjEvK1BScHdJREFRQUJBb0lCQVFDUnB6SmJzNERqVUhYSAp6Z2luNmVnOUFhTVBHV3IxSFhaZ0MyWVU3bjZObVkwSzhOMHBMRmdJeitxZE96Qnd2OHh5SHRLbnBpMDAxalpGClpPelNrbnBBdFlkTDFYRFNUMXMyM3hhMkk3SGg2WDQ3Uk5PTFN3SkxHbmV2NFlCeFYzU1RKZ3dwZFd6dWhjYmQKQ1Rjb0EyeUhKK3V4VW9kWHZHVm1FRVhrQTdEVzd6TFpwdkxKLy9uRDV6NUNNMElVUGRhU2dYaFlRcDJOWld0SQpSakxkamt1WVZ5QllDMnJVNExwbWlIMWVJVkw3YkRIb1VRaE9hSE4wd1NGRzgwbzQ2Z3ZycWJock1QdzdCd0l1CmJDVzMwcTRZNEpQUlluNXJ1MHpDRm9ybmU2NUkya1J0bkpVRGpuOTlkT250V1ZaaWJSb2pZMGhGRkV5R1lPaloKV0l0ekdBYnhBb0dCQU5GajJaSGl0UXh0cVlzN01OSVk5anovN3B6dVBhWDhkbSsyLzNXVzVBb3QwMStzNHlWSApwZDdIRThsNU5qbmVqV0c3bkcyR1BzSWhiQ0NWWEV0U01HdDFCUmlvS3BjMmRMcStaUWI3NUxHRE1hSnpNV0VtCi9IaW1KdWhYdnhPenpLQzlaMjl2bzRkNkpDNTh2UHd5dTI3ZEZBdjNyekFjZGlXYi9haWI3UzZaQW9HQkFPVXUKQmVQWmdxbHB3bDN3cURsQWxqaUxzSDhBZVpVSDJyREE0bjRkKzFrS1BNcUpZTW1mdEdhVGtESk1lSmZpc2ZLYgpFWGNRc0dKQWVPTEhScFkxVnZrSHFuNXYrN3FnOUpIU25sdysvblRGNVZrNklTQUZNczJRZndkcTZmWjg5OEdaCm1pOVZYcjBoZXo3Wi92L2xpQ3hCY2wwaGdBaG5qSUZHdlE1clNtby9Bb0dCQUl2bFZGV2R6Q3lUai9VUUJOdzYKQlRwWUhBb0pPbk1OcSt1VHJqWFlMRitJb25LSHhmTUFYWmZzRmhKRHc3RUNPaCtVQXoxQnRlaHFBQjM4N0g3KwpXSTlTemFiZHBDY0hJUklyWnNBMXgyTzZMWTFGdlRZVm9CVFRuYWNhQ1BXVzZSNXpyUW5NNHNyL0ZmRmhNYnFtCkFvaGRlS2xPUUdPNmdFMDhYVXNyY2xueEFvR0JBTE92K2Y1RHRDYVFQVXphTzR0b0VHQVZaalN0Y3FaZW1pQ3IKbXVtM0tETVB5OG9oSERuNWRjQlhRbCt0aFgvUXhpU3BZSEF5TFpsYlkyeXJRYlRUN1hVamhaSE15MW53aU5FcwppZTFabHJpSDBPSzhxT3dxSjBMMVlDTzR0K2dDNDE1dnlHd0VTMXVPdk1yeXNQU0NTdG9vRmpyZTRUdTF0SHhICnNrTno2OHlSQW9HQkFKeU1Gb1F1MHJ6T3hDd1F4KzhtMWVuY205cGNVdnUyZVN3d3krOTQ2MFc0NzRXdzRxWkEKRjREV3dqRGc1ZEJHMUltMjFLSUpraG9YNTc5ZGgzUUlScjNQUndsUVVrUWx4VHJVU0V0cGZOVFUzcHZXVjlCRgp0dUxTMVRuT2R3ZW9ROGNHWlpkOVBXTUxMckJkMEplUjRGeUgyM3JPVW1NRndKMkE2T29wZVg2QgotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+contexts:
+- context:
+    cluster: local
+    user: kubelet

assets/bootstrap-manifests/bootstrap-apiserver.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bootstrap-kube-apiserver
+  namespace: kube-system
+spec:
+  containers:
+  - name: kube-apiserver
+    image: quay.io/coreos/hyperkube:v1.6.2_coreos.0
+    command:
+    - /usr/bin/flock
+    - --exclusive
+    - --timeout=30
+    - /var/lock/api-server.lock
+    - /hyperkube
+    - apiserver
+    - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
+    - --advertise-address=$(POD_IP)
+    - --allow-privileged=true
+    - --authorization-mode=RBAC
+    - --bind-address=0.0.0.0
+    - --client-ca-file=/etc/kubernetes/secrets/ca.crt
+    - --etcd-servers=http://10.3.0.15:2379,http://127.0.0.1:12379
+    - --insecure-port=0
+    - --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
+    - --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
+    - --secure-port=443
+    - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
+    - --service-cluster-ip-range=10.3.0.0/24
+    - --storage-backend=etcd3
+    - --tls-ca-file=/etc/kubernetes/secrets/ca.crt
+    - --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
+    - --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
+    env:
+    - name: POD_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.podIP
+    volumeMounts:
+    - mountPath: /etc/ssl/certs
+      name: ssl-certs-host
+      readOnly: true
+    - mountPath: /etc/kubernetes/secrets
+      name: secrets
+      readOnly: true
+    - mountPath: /var/lock
+      name: var-lock
+      readOnly: false
+  hostNetwork: true
+  volumes:
+  - name: secrets
+    hostPath:
+      path: /etc/kubernetes/bootstrap-secrets
+  - name: ssl-certs-host
+    hostPath:
+      path: /usr/share/ca-certificates
+  - name: var-lock
+    hostPath:
+      path: /var/lock

assets/bootstrap-manifests/bootstrap-controller-manager.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bootstrap-kube-controller-manager
+  namespace: kube-system
+spec:
+  containers:
+  - name: kube-controller-manager
+    image: quay.io/coreos/hyperkube:v1.6.2_coreos.0
+    command:
+    - ./hyperkube
+    - controller-manager
+    - --allocate-node-cidrs=true
+    - --cluster-cidr=10.2.0.0/16
+    - --configure-cloud-routes=false
+    - --kubeconfig=/etc/kubernetes/kubeconfig
+    - --leader-elect=true
+    - --root-ca-file=/etc/kubernetes/bootstrap-secrets/ca.crt
+    - --service-account-private-key-file=/etc/kubernetes/bootstrap-secrets/service-account.key
+    volumeMounts:
+    - name: kubernetes
+      mountPath: /etc/kubernetes
+      readOnly: true
+    - name: ssl-host
+      mountPath: /etc/ssl/certs
+      readOnly: true
+  hostNetwork: true
+  volumes:
+  - name: kubernetes
+    hostPath:
+      path: /etc/kubernetes
+  - name: ssl-host
+    hostPath:
+      path: /usr/share/ca-certificates

assets/bootstrap-manifests/bootstrap-etcd.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bootstrap-etcd
+  namespace: kube-system
+  labels:
+    k8s-app: boot-etcd
+spec:
+  containers:
+  - name: etcd
+    image: quay.io/coreos/etcd:v3.1.6
+    command:
+    - /usr/local/bin/etcd
+    - --name=boot-etcd
+    - --listen-client-urls=http://0.0.0.0:12379
+    - --listen-peer-urls=http://0.0.0.0:12380
+    - --advertise-client-urls=http://$(MY_POD_IP):12379
+    - --initial-advertise-peer-urls=http://$(MY_POD_IP):12380
+    - --initial-cluster=boot-etcd=http://$(MY_POD_IP):12380
+    - --initial-cluster-token=bootkube
+    - --initial-cluster-state=new
+    - --data-dir=/var/etcd/data
+    env:
+      - name: MY_POD_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.podIP
+  hostNetwork: true
+  restartPolicy: Never

assets/bootstrap-manifests/bootstrap-scheduler.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bootstrap-kube-scheduler
+  namespace: kube-system
+spec:
+  containers:
+  - name: kube-scheduler
+    image: quay.io/coreos/hyperkube:v1.6.2_coreos.0
+    command:
+    - ./hyperkube
+    - scheduler
+    - --kubeconfig=/etc/kubernetes/kubeconfig
+    - --leader-elect=true
+    volumeMounts:
+    - name: kubernetes
+      mountPath: /etc/kubernetes
+      readOnly: true
+  hostNetwork: true
+  volumes:
+  - name: kubernetes
+    hostPath:
+      path: /etc/kubernetes

assets/kubeconfig

@@ -0,0 +1 @@
+auth/kubeconfig

assets/manifests/etcd-operator.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: etcd-operator
+  namespace: kube-system
+  labels:
+    k8s-app: etcd-operator
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        k8s-app: etcd-operator
+    spec:
+      containers:
+      - name: etcd-operator
+        image: quay.io/coreos/etcd-operator:v0.2.5
+        env:
+        - name: MY_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule

assets/manifests/etcd-service.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: etcd-service
+  namespace: kube-system
+spec:
+  selector:
+    app: etcd
+    etcd_cluster: kube-etcd
+  clusterIP: 10.3.0.15
+  ports:
+  - name: client
+    port: 2379
+    protocol: TCP

assets/manifests/kube-apiserver-secret.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+data:
+  apiserver.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURoRENDQW15Z0F3SUJBZ0lJWVJUbkVVV1BCMkV3RFFZSktvWklodmNOQVFFTEJRQXdKVEVSTUE4R0ExVUUKQ2hNSVltOXZkR3QxWW1VeEVEQU9CZ05WQkFNVEIydDFZbVV0WTJFd0hoY05NVGN3TlRFNU1UZzBNVEl3V2hjTgpNVGd3TlRFNU1UZzBNVEl4V2pBdk1SUXdFZ1lEVlFRS0V3dHJkV0psTFcxaGMzUmxjakVYTUJVR0ExVUVBeE1PCmEzVmlaUzFoY0dselpYSjJaWEl3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRREIKc1hEUUd0NENTa20rSDBvVDNIZ3pBRHpLM0lRdGM1UVZLVGIyRFR5dzIvbStoNE1SZDZuK2xyYThwdG8wOUlzLwpZaVZ4OE9DQ0ZGc083MjZaWnFMUWxRZVBERjM2UUtKYnBJeUdxMmIzR1ZCeURRcXRuNDd4aFhVZUx1MHo3SU1LCjg5MDZ4bVpYZWc4SEhUSVM5UDY2ejN4QTlrTG4wbndTU0ZKSEdUWE1vRnI4Y25MeVNucnRESGU5cEdvLytqY1IKMCtqaUgzYXQzdzJGMXRDYVRaOHpuRU1SUDgwQlR5c2I3SWxaZG1OQmZhU29UNDVOamUyZUJwWkRkeHZJOHFoaQpKMlpXWjd2UXN1NkFsQ25lS3BUajR0Z3NWNnNFQWdzMlY4cGFiUmFTTTV0MEhxMWxHby9ucGNPYW1JVVFBcTF1Ck8yU3BTVElvamRTSG1XZEQ5aDVkQWdNQkFBR2pnYTB3Z2Fvd0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWQKSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakI1QmdOVkhSRUVjakJ3Z2dwcmRXSmxjbTVsZEdWegpnZ3ByZFdKbGNtNWxkR1Z6Z2hKcmRXSmxjbTVsZEdWekxtUmxabUYxYkhTQ0ZtdDFZbVZ5Ym1WMFpYTXVaR1ZtCllYVnNkQzV6ZG1PQ0pHdDFZbVZ5Ym1WMFpYTXVaR1ZtWVhWc2RDNXpkbU11WTJ4MWMzUmxjaTVzYjJOaGJJY0UKQ2dNQUFUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFqOEc5TGM3NVFOYmhBRFF1T1hzU0dFaTZiSjBVZEZvVgp2djVWTE5NT2RaMCtqWHRIdExZckIzUnlnSWNvbFNkcWxhcXBNOW5qNjF4Z25oRzNPSVlJdzhCQ3FRbGFCZ08rCjVjQXZ6bXFsMjlBb0RiTGV1M0pjdG15U1NjcXlDajRtcXRsT0dIZ0lvdFVxMjI2UmUxYXFTSjh6TEg3VURWRWEKanlRbzh2bjVHUW0vWHd5R1V0NG5TcFlYTWk2TXp0ZWJjZVBkeU9lNDM4N05GSlM5L09VUUlkV2xodjFjZWdLKwpmVThLUnYyTWlCZlpacUoxRFFEMTdlVjk0OTRESW1HTjFuQ3BWbG1QTkJHVENlNzVTT1lDQk93WWhIS29OTUxuClltdG5wekJ0ZkFrVTRFemppTW02VjIyWEkvbFpzUWR4ZVFmTU1TY21oK002MERIcjdUb1JkZz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  apiserver.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd2JGdzBCcmVBa3BKdmg5S0U5eDRNd0E4eXR5RUxYT1VGU2syOWcwOHNOdjV2b2VECkVYZXAvcGEydktiYU5QU0xQMklsY2ZEZ2doUmJEdTl1bVdhaTBKVUhqd3hkK2tDaVc2U01ocXRtOXhsUWNnMEsKclorTzhZVjFIaTd0TSt5REN2UGRPc1ptVjNvUEJ4MHlFdlQrdXM5OFFQWkM1OUo4RWtoU1J4azF6S0JhL0hKeQo4a3A2N1F4M3ZhUnFQL28zRWRQbzRoOTJyZDhOaGRiUW1rMmZNNXhERVQvTkFVOHJHK3lKV1haalFYMmtxRStPClRZM3RuZ2FXUTNjYnlQS29ZaWRtVm1lNzBMTHVnSlFwM2lxVTQrTFlMRmVyQkFJTE5sZktXbTBXa2pPYmRCNnQKWlJxUDU2WERtcGlGRUFLdGJqdGtxVWt5S0kzVWg1bG5RL1llWFFJREFRQUJBb0lCQUVSTjFaR2RsK0xJM2I1cwovRXVLdU55TFhlVFA1TkMrYkY4Vi9LckNPai9JSXdjY2RJMEpYT3BKcmNGVE9hbm8vdDNvTjNvNXpvSXd1WGZICjJZSEJIdk5kU3FBWVpWK2x3VnQ5Nkl4cEQxTmVHdTlOU0JHNExjbGdIYy82RG0zOEhxNFRGMVh0dHhOc0dMYVMKaGlFSFFua1FTQ29FYmMyZ2ZWNVpJS0t2OGpmcFNoWWlhQVB6cnQzc2FFLzIrT2xpSjVwNnpmWEtObEVzZzFVUwo3OGcrSmlPVlhaZEVRRnlQUDVZbzhnamU4d1EyTmV0bmlsUVE5cnRCYlB2OUZmc1RyajAzc3JsVTJEN0lJQmRRCjdEM1o1QU43ZTdSaXdSR21TdFo0R2xsY0N1aHZqaHZmaGF2MTMyRzAxbzgvRHd2VkxUbmZTS0ZBNytFOFVZRzkKNlpBelg0VUNnWUVBL3BYdDhlaGozczFmOGNOYVNFSmxEOEFzT0hnemN1eFJ2ZHJFK3pBOGw0ZUVGcFA1VUplagpPY0R1OTY2cTF5dDRRcDdZeDJzVzNVQTc2bTdSdWdkcUE1TVAyNWZnekdWNW4yMml3WWJuQlF2cURRRU9qTUgxCjFrMENrYVJYaERDekd1d2IwN29nL3JoT0pkQ0kzT1NDUXBMRDZCc1g4TVZQSi8yR2ZlNFhFQ2NDZ1lFQXdzVG8KL2lOWkZOS2tQd2xmanBpcnJ5NmdCN0daWVJZZGtuZU1NOTJmVHp1RGRxU0lyTTlvTEJlVXlpeEFmUFA5YzB5VgoyY3doYzhUTGRIeEl3YXR6Tk5Ka3dwMitlQU5mZzhqUTB2SzlKOFYwNjQ5QzVpTTNhWjVNVVZHMklTNFJBWnRICk1HMnc1ZnZkZDdTcUo4Uk9XVXk3K0UwczQ3MnlmSk5MM2F1TmE5c0NnWUVBNUFYUHdFc0FJSS9jYm9NbGV2RVUKNloyYlBkelRZQXl3VGhjRE5XU0g4TVN0Rnpma0p6NGFNV0ZQNkVIbXZLQXZyNlBzei9objJ6VnNOTmFiUEQ3bAp3bHZXNlQxSVdHcFBHKytyeGlDWkRKa1dRaDEvTmEySURqQ2RxMnNDQStGR21rZDl5UTY5L01lQkh6ZC9UakhSClJlV0VXSURqMllBd0hNWmp6cWtRdVNNQ2dZQTEwS3AvN2N4alVJQkpXcEdvbU01M0xPN1NzV09yeTZ5SUY3Z0oKYktia0FaR2xhbmpKSnRXbHVTNUhYa3JETzdjLzhGMUhQSHZSdlFKcVFSenBSaklpMmk4MUJ0amwyQ2pBQlBDTwpHTHZqRFUvczlqeUowaGt4ZWFla29Hc3VaOGdUSlpCWjlUVDNsc3Z1azJDZ2RFRWhzMjRNZ1daeDFxeEdkM3h5CjF6L1FHUUtCZ1FDRTdhZlp3SUVVUTZlcEdsVVB3bW0rbXFHaVVOYlhBei9QbksvSWh1T2VWOWFFVTc4bFBIOHAKNnJNcHVoNVNPcUdjUmFaaHBSU0lZM3ZxVTlZazQ5T080Qk9hd0YyajhrNHBWa1RhSkdnRDcxaW44YURiY1ZCYwpWbElNUDJxOTNtbnlPN09DOHpuUUtITXM1V1JXRW9rUmJTc2pXRWVRRjFNdHlCV2FJaVdtbGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2RENDQWRDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFsTVJFd0R3WURWUVFLRXdoaWIyOTAKYTNWaVpURVFNQTRHQTFVRUF4TUhhM1ZpWlMxallUQWVGdzB4TnpBMU1Ua3hPRFF4TWpCYUZ3MHlOekExTVRjeApPRFF4TWpCYU1DVXhFVEFQQmdOVkJBb1RDR0p2YjNScmRXSmxNUkF3RGdZRFZRUURFd2RyZFdKbExXTmhNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1bEFWZnpUZS9tTWwzMU5BeDdQNTI0c3oKblFLbXhHK0JYZkRQdDRPNzc4dEJGNzZSc0VYK3dLclJ0b29CcjdheGh2UjBvazVrRFpQQVJHcE5LQVJtZENTbQozMzZFckZ0cVR3TW9yZVk3V1ZDVTJDQkZPdHQydW1mSkR1R1ZvTlVIRWtEOE1lVjJsWUpDb3h3SnJoZTV3aXFxCm00aHB0U0NlcFVqaWxta1JlV1ErL040K1JWRHByODZHWTJRQlVsdjlPdEE1aHhUaXNiQTAxU3dTUEFXcnBPcVYKOEpJajJSTFpuODVGVHpNRlRRazBXdTBadWdpcnlxZGF4bDMzVkwzK1VSSTNRQzJyMmRwdmQxU2V5V0RFWHZqbQprbjkyMzh3ZSsyd0JlUmFjZUN2QzdqeUR2WVNPaFMrajkyd0ZkblFZeCtIaW5BOG5uOFFmZG0zOHU2QTlod0lECkFRQUJveU13SVRBT0JnTlZIUThCQWY4RUJBTUNBcVF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUcKOXcwQkFRc0ZBQU9DQVFFQURIdmd0RENFOHR2MGxLSXpFcWZ1YlVBNUxLUTROaVQ1U1VBdWNZYXpNcEt3MVFJVwpRaW5Db0xFZnlQTXdna2JnWGp6d25lOFB4ZUVqanZ3Q1Jxd2J5VmlCV252OTM3cDk0cG9aLzlHM0NXM2JTWXdRCjRaZVpud1c2d1cwSUdzRWhlTXdrbkJlUWJvb2NNNmNYdThodG8xQVlIT25qdGcydDFSdWZXcHNEbjVhb2t1Vy8KUkk4SGc1dm5XV0tBQUF3Y3drbWc4YWlOLzFuWVFHL2NvRDQxa1hlL2lKMURUUFphMkNQeGdtNzFmMmhSbkVZVApjN3VUN3V1ZUJhcG8xTyt0dFBrZ2hzSXZQWktjNnZLeEswd3J2ekhHUm9VTGw3N1o4M3o5MmFvUEx6Y21uSjNkCk1GRXE0ZDdKUTV1NWkrU2FxcXFPZHAxUkdBaXVpTnBjdnlQOWV3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  service-account.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUExT0pRbUU5SkNJMjBoM0JJL3hKcApRb05JZll2aUhJaGx4NkFsNjBLdjRaYit0YUQrSmQ2cENiSHFqZ1l5aVlIMXdxMG5NQzlNaVJicGhkTXNLZkpYCm81N0gyWDFRV05jKzNSWXpORUwycmEycmtDR3dxMWpLR2s2Um9mYWdicmluakFDOWhHY20vVjcxM2ZDZFNwVUwKSDZSdXJvOUtqdnRjYTBuTGpCY0dDMDNwa3VVaTFlN0VQajJTQUxReEExaVYyK3NxcXBnMmF4bHB5QU43Z2VjYQpmalZOMTBra013OUdLdW1RcVVwZWpDdGYzdFR2enpmbUdxaU5uSERCOGxEblhwSGVjS0laa2ZYZEg1UGQ0alJZCjVEeUZmcnNMNXh5ME9IRjRyQS9FRFNGa2RFWjJyVFlpQ0IvTzE3cHc2THVFdTc5VjNOMmhKVkV3ZTRVdGkzb2wKUXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
+kind: Secret
+metadata:
+  name: kube-apiserver
+  namespace: kube-system
+type: Opaque

assets/manifests/kube-apiserver.yaml

@@ -0,0 +1,82 @@
+---
+apiVersion: "extensions/v1beta1"
+kind: DaemonSet
+metadata:
+  name: kube-apiserver
+  namespace: kube-system
+  labels:
+    tier: control-plane
+    component: kube-apiserver
+spec:
+  template:
+    metadata:
+      labels:
+        tier: control-plane
+        component: kube-apiserver
+      annotations:
+        checkpointer.alpha.coreos.com/checkpoint: "true"
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      containers:
+      - name: kube-apiserver
+        image: quay.io/coreos/hyperkube:v1.6.2_coreos.0
+        command:
+        - /usr/bin/flock
+        - --exclusive
+        - --timeout=30
+        - /var/lock/api-server.lock
+        - /hyperkube
+        - apiserver
+        - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
+        - --advertise-address=$(POD_IP)
+        - --allow-privileged=true
+        - --anonymous-auth=false
+        - --authorization-mode=RBAC
+        - --bind-address=0.0.0.0
+        - --client-ca-file=/etc/kubernetes/secrets/ca.crt
+        - --cloud-provider=
+        - --etcd-servers=http://10.3.0.15:2379
+        - --insecure-port=0
+        - --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
+        - --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
+        - --secure-port=443
+        - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
+        - --service-cluster-ip-range=10.3.0.0/24
+        - --storage-backend=etcd3
+        - --tls-ca-file=/etc/kubernetes/secrets/ca.crt
+        - --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
+        - --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
+        env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        volumeMounts:
+        - mountPath: /etc/ssl/certs
+          name: ssl-certs-host
+          readOnly: true
+        - mountPath: /etc/kubernetes/secrets
+          name: secrets
+          readOnly: true
+        - mountPath: /var/lock
+          name: var-lock
+          readOnly: false
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - name: ssl-certs-host
+        hostPath:
+          path: /usr/share/ca-certificates
+      - name: secrets
+        secret:
+          secretName: kube-apiserver
+      - name: var-lock
+        hostPath:
+          path: /var/lock

assets/manifests/kube-controller-manager-disruption.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: kube-controller-manager
+  namespace: kube-system
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      tier: control-plane
+      component: kube-controller-manager

assets/manifests/kube-controller-manager-secret.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+data:
+  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2RENDQWRDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFsTVJFd0R3WURWUVFLRXdoaWIyOTAKYTNWaVpURVFNQTRHQTFVRUF4TUhhM1ZpWlMxallUQWVGdzB4TnpBMU1Ua3hPRFF4TWpCYUZ3MHlOekExTVRjeApPRFF4TWpCYU1DVXhFVEFQQmdOVkJBb1RDR0p2YjNScmRXSmxNUkF3RGdZRFZRUURFd2RyZFdKbExXTmhNSUlCCklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1bEFWZnpUZS9tTWwzMU5BeDdQNTI0c3oKblFLbXhHK0JYZkRQdDRPNzc4dEJGNzZSc0VYK3dLclJ0b29CcjdheGh2UjBvazVrRFpQQVJHcE5LQVJtZENTbQozMzZFckZ0cVR3TW9yZVk3V1ZDVTJDQkZPdHQydW1mSkR1R1ZvTlVIRWtEOE1lVjJsWUpDb3h3SnJoZTV3aXFxCm00aHB0U0NlcFVqaWxta1JlV1ErL040K1JWRHByODZHWTJRQlVsdjlPdEE1aHhUaXNiQTAxU3dTUEFXcnBPcVYKOEpJajJSTFpuODVGVHpNRlRRazBXdTBadWdpcnlxZGF4bDMzVkwzK1VSSTNRQzJyMmRwdmQxU2V5V0RFWHZqbQprbjkyMzh3ZSsyd0JlUmFjZUN2QzdqeUR2WVNPaFMrajkyd0ZkblFZeCtIaW5BOG5uOFFmZG0zOHU2QTlod0lECkFRQUJveU13SVRBT0JnTlZIUThCQWY4RUJBTUNBcVF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUcKOXcwQkFRc0ZBQU9DQVFFQURIdmd0RENFOHR2MGxLSXpFcWZ1YlVBNUxLUTROaVQ1U1VBdWNZYXpNcEt3MVFJVwpRaW5Db0xFZnlQTXdna2JnWGp6d25lOFB4ZUVqanZ3Q1Jxd2J5VmlCV252OTM3cDk0cG9aLzlHM0NXM2JTWXdRCjRaZVpud1c2d1cwSUdzRWhlTXdrbkJlUWJvb2NNNmNYdThodG8xQVlIT25qdGcydDFSdWZXcHNEbjVhb2t1Vy8KUkk4SGc1dm5XV0tBQUF3Y3drbWc4YWlOLzFuWVFHL2NvRDQxa1hlL2lKMURUUFphMkNQeGdtNzFmMmhSbkVZVApjN3VUN3V1ZUJhcG8xTyt0dFBrZ2hzSXZQWktjNnZLeEswd3J2ekhHUm9VTGw3N1o4M3o5MmFvUEx6Y21uSjNkCk1GRXE0ZDdKUTV1NWkrU2FxcXFPZHAxUkdBaXVpTnBjdnlQOWV3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  service-account.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMU9KUW1FOUpDSTIwaDNCSS94SnBRb05JZll2aUhJaGx4NkFsNjBLdjRaYit0YUQrCkpkNnBDYkhxamdZeWlZSDF3cTBuTUM5TWlSYnBoZE1zS2ZKWG81N0gyWDFRV05jKzNSWXpORUwycmEycmtDR3cKcTFqS0drNlJvZmFnYnJpbmpBQzloR2NtL1Y3MTNmQ2RTcFVMSDZSdXJvOUtqdnRjYTBuTGpCY0dDMDNwa3VVaQoxZTdFUGoyU0FMUXhBMWlWMitzcXFwZzJheGxweUFON2dlY2FmalZOMTBra013OUdLdW1RcVVwZWpDdGYzdFR2Cnp6Zm1HcWlObkhEQjhsRG5YcEhlY0tJWmtmWGRINVBkNGpSWTVEeUZmcnNMNXh5ME9IRjRyQS9FRFNGa2RFWjIKclRZaUNCL08xN3B3Nkx1RXU3OVYzTjJoSlZFd2U0VXRpM29sUXdJREFRQUJBb0lCQUhTV2pYVWMxdTZzVE5adwpGRW85bHhBcVBpVWoydTJ0ZGJCaWNPSHJYOCs0bGo1NnNUV2tRQWRqUFFZVE50SkFMb3d6c0dhZlFOZERpUmtWCmtmWlhGdEF4UVZwSFd4Mk1wSTBJZjNwN3dnVlVPOFZ2N2dXcFZ1WVphWUMrUlJiZVlrUTJrNVJUdWZMQmN2M2QKclFjUG9VdnZEZjdqMHYyRGhCWHVFRi9rckJhNzBPbkk2RnY1YjZUYXk0Y042dm1OSlNQVWxEUHZpY0Npem12VgpXdEFxNXBrUGZYVzF1d2VNWURPU0QxMHphZXRjbE1hZS8wQzFoYWhrOWtHb0x2NDlYbktDWC9MdXp3eDBTaEpMCkYwWmsrMHM5bm1NQUFmUkw4Sk03RTlpd1hhOEk0elhwYU5PTjVSZnpkVVFlVTZwdWhOUXJNRXhyZnpGWVdZVmwKclBhUm5xRUNnWUVBNEM3aTlCMDh3UitKRWJLZUV2VFR6VUFTOFcrUzVsU2t6UE43NVR0NGFIZVRvanp2UlhhMApuVXZiciswUEdjdHBhM093RHpoL1NheUtxa0p2V3p4V216S0VMVHNXa3BVWkx5eDM3b3hrb1ErZFVLU0ZEWUY3CmVqR1lmcXRoVUM2NU5BMHJxbXo2cWlDSy9SRlhMMWloTVkwZi83NCtJekNob2lmdHBGUTBwdDhDZ1lFQTh4am4KakhjQnBHbVVPeUtSV2ttVE0xeDNsNU5oVDJiWll5NUNHUFhaOHRpdTZ6ZGkyZ3cyeFVtZ1ZJUHpVblREcW1PSApOUHVSdkh2MnNvdnFac0FwRGFua3d6c1d0aEZMVkZqUGRwWGpWYStHdnA2WU4wRlRlZUlFakd1am1DSjlaajliCm9JazRvNmdSelFOeDVML1JhRTIvb1FyVEd3bENXZUE0NHBINmdoMENnWUVBMEtaU3pPazVWblZIV1pWbzBqUFQKdlVCWllTUjdFS3pQQllISVdqM1RmMGRydktBQ0FpRE5VV2o4K3V3a0ZkbmdNQVhvWXdJdVZoK2tuM3Bkc2dpaQpncWV0cFh0Tk12aGFEREhUSGM3RkNiSkN0SCtxNWpzUTlWV2JuS2xkVlFkbmtDNkI2WWlzZEJMOXlUT09kWjZECnlGNlUzYTN1bjBudjVjQkx5Wm9sdHZrQ2dZRUE1QWV4YzZaU0tRcE1YR2dobG1LN3JJc0pOMnFzOWhGUXkyTWgKNTAzK29uaTFJN2p4aGYyOUJyVDRxeTZXK1ByRWE3a3VvL2x6REMzd0RDMklzOWQrNnUwNXhCUlNTbmpRZzQ5SApGRUtuVzhIcGtEY3VLMjZnd2d6TUhYZituZitFUjN3WkUrNkQ3YWdEQXA4L244WjZ4TzloV012Um1HUElGSXhxCmI4VmxDZFVDZ1lCZ3dmVXNTc0NNUDhLVk9KQXV3ZjQvU1dPa0lVVVFIUVVqMUN5RXoyVVdHNVFpUDJ3cUZpQTcKSUg4SzhKc085TVNXcTNuZFI5a1IrSEdCQ2tKeXlvRDFHekJaZVJoUGIrNjlmWVdhbzNsS1V6RURxbXhCN3pqaApOUGx0YkxsR0dOYlBoY3pYeUplU3YxTjk0TVV3WTF3dDBhQVg2RytIaUJJOGEzY2pDL2NRUGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  name: kube-controller-manager
+  namespace: kube-system
+type: Opaque

assets/manifests/kube-controller-manager.yaml

@@ -0,0 +1,77 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: kube-controller-manager
+  namespace: kube-system
+  labels:
+    tier: control-plane
+    component: kube-controller-manager
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        tier: control-plane
+        component: kube-controller-manager
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: tier
+                  operator: In
+                  values:
+                  - control-plane
+                - key: component
+                  operator: In
+                  values:
+                  - kube-contoller-manager
+              topologyKey: kubernetes.io/hostname
+      containers:
+      - name: kube-controller-manager
+        image: quay.io/coreos/hyperkube:v1.6.2_coreos.0
+        command:
+        - ./hyperkube
+        - controller-manager
+        - --allocate-node-cidrs=true
+        - --cloud-provider=
+        - --cluster-cidr=10.2.0.0/16
+        - --configure-cloud-routes=false
+        - --leader-elect=true
+        - --root-ca-file=/etc/kubernetes/secrets/ca.crt
+        - --service-account-private-key-file=/etc/kubernetes/secrets/service-account.key
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10252  # Note: Using default port. Update if --port option is set differently.
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+        volumeMounts:
+        - name: secrets
+          mountPath: /etc/kubernetes/secrets
+          readOnly: true
+        - name: ssl-host
+          mountPath: /etc/ssl/certs
+          readOnly: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - name: secrets
+        secret:
+          secretName: kube-controller-manager
+      - name: ssl-host
+        hostPath:
+          path: /usr/share/ca-certificates
+      dnsPolicy: Default # Don't use cluster DNS.

assets/manifests/kube-dns-deployment.yaml

@@ -0,0 +1,156 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: kube-dns
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+spec:
+  # replicas: not specified here:
+  # 1. In order to make Addon Manager do not reconcile this replicas parameter.
+  # 2. Default is 1.
+  # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
+  strategy:
+    rollingUpdate:
+      maxSurge: 10%
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      k8s-app: kube-dns
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-dns
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      containers:
+      - name: kubedns
+        image: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1
+        resources:
+          # TODO: Set memory limits when we've profiled the container for large
+          # clusters, then set request = limit to keep this container in
+          # guaranteed class. Currently, this container falls into the
+          # "burstable" category so the kubelet doesn't backoff from restarting it.
+          limits:
+            memory: 170Mi
+          requests:
+            cpu: 100m
+            memory: 70Mi
+        livenessProbe:
+          httpGet:
+            path: /healthcheck/kubedns
+            port: 10054
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        readinessProbe:
+          httpGet:
+            path: /readiness
+            port: 8081
+            scheme: HTTP
+          # we poll on pod startup for the Kubernetes master service and
+          # only setup the /readiness HTTP server once that's available.
+          initialDelaySeconds: 3
+          timeoutSeconds: 5
+        args:
+        - --domain=cluster.local.
+        - --dns-port=10053
+        - --config-dir=/kube-dns-config
+        - --v=2
+        env:
+        - name: PROMETHEUS_PORT
+          value: "10055"
+        ports:
+        - containerPort: 10053
+          name: dns-local
+          protocol: UDP
+        - containerPort: 10053
+          name: dns-tcp-local
+          protocol: TCP
+        - containerPort: 10055
+          name: metrics
+          protocol: TCP
+        volumeMounts:
+        - name: kube-dns-config
+          mountPath: /kube-dns-config
+      - name: dnsmasq
+        image: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1
+        livenessProbe:
+          httpGet:
+            path: /healthcheck/dnsmasq
+            port: 10054
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        args:
+        - -v=2
+        - -logtostderr
+        - -configDir=/etc/k8s/dns/dnsmasq-nanny
+        - -restartDnsmasq=true
+        - --
+        - -k
+        - --cache-size=1000
+        - --log-facility=-
+        - --server=/cluster.local/127.0.0.1#10053
+        - --server=/in-addr.arpa/127.0.0.1#10053
+        - --server=/ip6.arpa/127.0.0.1#10053
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: UDP
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+        # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
+        resources:
+          requests:
+            cpu: 150m
+            memory: 20Mi
+        volumeMounts:
+        - name: kube-dns-config
+          mountPath: /etc/k8s/dns/dnsmasq-nanny
+      - name: sidecar
+        image: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1
+        livenessProbe:
+          httpGet:
+            path: /metrics
+            port: 10054
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        args:
+        - --v=2
+        - --logtostderr
+        - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local,5,A
+        - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local,5,A
+        ports:
+        - containerPort: 10054
+          name: metrics
+          protocol: TCP
+        resources:
+          requests:
+            memory: 20Mi
+            cpu: 10m
+      dnsPolicy: Default  # Don't use cluster DNS.
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - name: kube-dns-config
+        configMap:
+          name: kube-dns
+          optional: true

assets/manifests/kube-dns-svc.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-dns
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "KubeDNS"
+spec:
+  selector:
+    k8s-app: kube-dns
+  clusterIP: 10.3.0.10
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+  - name: dns-tcp
+    port: 53
+    protocol: TCP

assets/manifests/kube-etcd-network-checkpointer.yaml

@@ -0,0 +1,49 @@
+---
+apiVersion: "extensions/v1beta1"
+kind: DaemonSet
+metadata:
+  name: kube-etcd-network-checkpointer
+  namespace: kube-system
+  labels:
+    tier: control-plane
+    component: kube-etcd-network-checkpointer
+spec:
+  template:
+    metadata:
+      labels:
+        tier: control-plane
+        component: kube-etcd-network-checkpointer
+      annotations:
+        checkpointer.alpha.coreos.com/checkpoint: "true"
+    spec:
+      containers:
+      - image: quay.io/coreos/kenc:48b6feceeee56c657ea9263f47b6ea091e8d3035
+        name: kube-etcd-network-checkpointer
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /etc/kubernetes/selfhosted-etcd
+          name: checkpoint-dir
+          readOnly: false
+        - mountPath: /var/lock
+          name: var-lock
+          readOnly: false
+        command:
+        - /usr/bin/flock
+        - /var/lock/kenc.lock
+        - -c
+        - "kenc -r -m iptables && kenc -m iptables"
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - name: checkpoint-dir
+        hostPath:
+          path: /etc/kubernetes/checkpoint-iptables
+      - name: var-lock
+        hostPath:
+          path: /var/lock

assets/manifests/kube-flannel-cfg.yaml

@@ -0,0 +1,39 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: canal-config
+  namespace: kube-system
+data:
+  # Configure this with the location of your etcd cluster.
+  etcd_endpoints: "http://10.3.0.136:6666"
+
+  # The interface used by Canal for host <-> host communication.
+  # If left blank, then the interface is chosen using the node's
+  # default route.
+  canal_iface: ""
+
+  # Whether or not to masquerade traffic to destinations not within
+  # the pod network.
+  masquerade: "true"
+
+  # The CNI network configuration to install on each node.  The special
+  # values in this config will be automatically populated.
+  cni_network_config: |-
+    {
+        "name": "canal",
+        "type": "flannel",
+        "delegate": {
+          "type": "calico",
+          "etcd_endpoints": "__ETCD_ENDPOINTS__",
+          "log_level": "info",
+          "policy": {
+            "type": "k8s",
+             "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
+             "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
+          },
+          "kubernetes": {
+            "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
+          }
+        }
+    }

assets/manifests/kube-flannel.yaml

@@ -0,0 +1,368 @@
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: canal-etcd
+  namespace: kube-system
+  labels:
+    k8s-app: canal-etcd
+spec:
+  template:
+    metadata:
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+      labels:
+        k8s-app: canal-etcd
+    spec:
+      # Only run this pod on the master.
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      hostNetwork: true
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+      containers:
+        - name: canal-etcd
+          image: quay.io/coreos/etcd:v3.1.4
+          env:
+            - name: ETCD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+          command: ["/bin/sh","-c"]
+          args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"]
+          volumeMounts:
+            - name: var-etcd
+              mountPath: /var/etcd
+      volumes:
+        - name: var-etcd
+          hostPath:
+            path: /var/etcd
+
+---
+# This manfiest installs the Service which gets traffic to the Calico
+# etcd.
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    k8s-app: canal-etcd
+  name: canal-etcd
+  namespace: kube-system
+spec:
+  # Select the canal-etcd pod running on the master.
+  selector:
+    k8s-app: canal-etcd
+  # This ClusterIP needs to be known in advance, since we cannot rely
+  # on DNS to get access to etcd.
+  clusterIP: 10.3.0.136
+  ports:
+    - port: 6666
+---
+# This manifest installs the per-node agents, as well
+# as the CNI plugins and network config on
+# each master and worker node in a Kubernetes cluster.
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: canal-node
+  namespace: kube-system
+  labels:
+    k8s-app: canal-node
+spec:
+  selector:
+    matchLabels:
+      k8s-app: canal-node
+  template:
+    metadata:
+      labels:
+        k8s-app: canal-node
+    spec:
+      hostNetwork: true
+      serviceAccountName: calico-cni-plugin
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      containers:
+        # Runs the flannel daemon to enable vxlan networking between
+        # container hosts.
+        - name: flannel
+          image: quay.io/coreos/flannel:v0.7.1
+          env:
+            # The location of the etcd cluster.
+            - name: FLANNELD_ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_endpoints
+            # The interface flannel should run on.
+            - name: FLANNELD_IFACE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: canal_iface
+            # Perform masquerade on traffic leaving the pod cidr.
+            - name: FLANNELD_IP_MASQ
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: masquerade
+            # Write the subnet.env file to the mounted directory.
+            - name: FLANNELD_SUBNET_FILE
+              value: "/run/flannel/subnet.env"
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - mountPath: /etc/resolv.conf
+              name: resolv
+            - mountPath: /run/flannel
+              name: run-flannel
+        # Runs calico/node container on each Kubernetes node.  This
+        # container programs network policy and local routes on each
+        # host.
+        - name: calico-node
+          image: quay.io/calico/node:v1.1.3
+          env:
+            # The location of the etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_endpoints
+            # Disable Calico BGP.  Calico is simply enforcing policy.
+            - name: CALICO_NETWORKING
+              value: "false"
+            # Disable file logging so `kubectl logs` works.
+            - name: CALICO_DISABLE_FILE_LOGGING
+              value: "true"
+            # All pods to speak to services that resolve to the same host.
+            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+              value: "ACCEPT"
+          securityContext:
+            privileged: true
+          resources:
+            requests:
+              cpu: 250m
+          volumeMounts:
+            - mountPath: /lib/modules
+              name: lib-modules
+              readOnly: true
+            - mountPath: /var/run/calico
+              name: var-run-calico
+              readOnly: false
+        # This container installs the Calico CNI binaries
+        # and CNI network config file on each node.
+        - name: install-calico-cni
+          image: quay.io/calico/cni:v1.7.0
+          imagePullPolicy: Always
+          command: ["/install-cni.sh"]
+          env:
+            # The name of the CNI network config file to install.
+            - name: CNI_CONF_NAME
+              value: "10-canal.conf"
+            # The location of the etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_endpoints
+            # The CNI network config to install on each node.
+            - name: CNI_NETWORK_CONFIG
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: cni_network_config
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+      volumes:
+        # Used by calico/node.
+        - name: lib-modules
+          hostPath:
+            path: /lib/modules
+        - name: var-run-calico
+          hostPath:
+            path: /var/run/calico
+        # Used to install CNI.
+        - name: cni-bin-dir
+          hostPath:
+            path: /opt/cni/bin
+        - name: cni-net-dir
+          hostPath:
+            path: /etc/cni/net.d
+        # Used by flannel daemon.
+        - name: run-flannel
+          hostPath:
+            path: /run/flannel
+        - name: resolv
+          hostPath:
+            path: /etc/resolv.conf
+
+---
+
+# This manifest deploys a Job which performs one time
+# configuration of Canal.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: configure-canal
+  namespace: kube-system
+  labels:
+    k8s-app: canal
+spec:
+  template:
+    metadata:
+      name: configure-canal
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      hostNetwork: true
+      restartPolicy: OnFailure
+      containers:
+        # Writes basic flannel configuration to etcd.
+        - name: configure-flannel
+          image: quay.io/coreos/etcd:v3.1.4
+          command:
+          - "etcdctl"
+          - "--no-sync"
+          - "set"
+          - "/coreos.com/network/config"
+          - '{ "Network": "10.2.0.0/16", "Backend": {"Type": "vxlan"} }'
+          env:
+            # The location of the etcd cluster.
+            - name: ETCDCTL_PEERS
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_endpoints
+
+---
+
+# This manifest deploys the Calico policy controller on Kubernetes.
+# See https://github.com/projectcalico/k8s-policy
+apiVersion: extensions/v1beta1
+kind: ReplicaSet
+metadata:
+  name: calico-policy-controller
+  namespace: kube-system
+  labels:
+    k8s-app: calico-policy
+spec:
+  # The policy controller can only have a single active instance.
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+      name: calico-policy-controller
+      namespace: kube-system
+      labels:
+        k8s-app: calico-policy
+    spec:
+      # The policy controller must run in the host network namespace so that
+      # it isn't governed by policy that would prevent it from working.
+      hostNetwork: true
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+      serviceAccountName: calico-policy-controller
+      containers:
+        - name: calico-policy-controller
+          image: quay.io/calico/kube-policy-controller:v0.5.4
+          env:
+            # The location of the Calico etcd cluster.
+            - name: ETCD_ENDPOINTS
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_endpoints
+            # The location of the Kubernetes API.  Use the default Kubernetes
+            # service for API access.
+            - name: K8S_API
+              value: "https://kubernetes.default:443"
+            # Since we're running in the host namespace and might not have KubeDNS
+            # access, configure the container's /etc/hosts to resolve
+            # kubernetes.default to the correct service clusterIP.
+            - name: CONFIGURE_ETC_HOSTS
+              value: "true"
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-cni-plugin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-cni-plugin
+subjects:
+- kind: ServiceAccount
+  name: calico-cni-plugin
+  namespace: kube-system
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-cni-plugin
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+    verbs:
+      - get
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-cni-plugin
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-policy-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-policy-controller
+subjects:
+- kind: ServiceAccount
+  name: calico-policy-controller
+  namespace: kube-system
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-policy-controller
+  namespace: kube-system
+rules:
+  - apiGroups:
+    - ""
+    - extensions
+    resources:
+      - pods
+      - namespaces
+      - networkpolicies
+    verbs:
+      - watch
+      - list
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-policy-controller
+  namespace: kube-system

assets/manifests/kube-proxy.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: "extensions/v1beta1"
+kind: DaemonSet
+metadata:
+  name: kube-proxy
+  namespace: kube-system
+  labels:
+    tier: node
+    component: kube-proxy
+spec:
+  template:
+    metadata:
+      labels:
+        tier: node
+        component: kube-proxy
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      containers:
+      - name: kube-proxy
+        image: quay.io/coreos/hyperkube:v1.6.2_coreos.0
+        command:
+        - /hyperkube
+        - proxy
+        - --cluster-cidr=10.2.0.0/16
+        - --hostname-override=$(NODE_NAME)
+        - --kubeconfig=/etc/kubernetes/kubeconfig
+        - --proxy-mode=iptables
+        env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /etc/ssl/certs
+          name: ssl-certs-host
+          readOnly: true
+        - name: etc-kubernetes
+          mountPath: /etc/kubernetes
+          readOnly: true
+      hostNetwork: true
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - hostPath:
+          path: /usr/share/ca-certificates
+        name: ssl-certs-host
+      - name: etc-kubernetes
+        hostPath:
+          path: /etc/kubernetes

assets/manifests/kube-scheduler-disruption.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: kube-scheduler
+  namespace: kube-system
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      tier: control-plane
+      component: kube-scheduler

assets/manifests/kube-scheduler.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: kube-scheduler
+  namespace: kube-system
+  labels:
+    tier: control-plane
+    component: kube-scheduler
+spec:
+  replicas: 2
+  template:
+    metadata:
+      labels:
+        tier: control-plane
+        component: kube-scheduler
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: tier
+                  operator: In
+                  values:
+                  - control-plane
+                - key: component
+                  operator: In
+                  values:
+                  - kube-scheduler
+              topologyKey: kubernetes.io/hostname
+      containers:
+      - name: kube-scheduler
+        image: quay.io/coreos/hyperkube:v1.6.2_coreos.0
+        command:
+        - ./hyperkube
+        - scheduler
+        - --leader-elect=true
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 10251  # Note: Using default port. Update if --port option is set differently.
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule

assets/manifests/kube-system-rbac-role-binding.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: system:default-sa
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

assets/manifests/pod-checkpointer.yaml

@@ -0,0 +1,59 @@
+---
+apiVersion: "extensions/v1beta1"
+kind: DaemonSet
+metadata:
+  name: pod-checkpointer
+  namespace: kube-system
+  labels:
+    tier: control-plane
+    component: pod-checkpointer
+spec:
+  template:
+    metadata:
+      labels:
+        tier: control-plane
+        component: pod-checkpointer
+      annotations:
+        checkpointer.alpha.coreos.com/checkpoint: "true"
+    spec:
+      containers:
+      - name: checkpoint
+        image: quay.io/coreos/pod-checkpointer:20cf8b9a6018731a0770192f30dfa7a1941521e3
+        command:
+        - /checkpoint
+        - --v=4
+        - --lock-file=/var/run/lock/pod-checkpointer.lock
+        env:
+        - name: NODE_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        imagePullPolicy: Always
+        volumeMounts:
+        - mountPath: /etc/kubernetes
+          name: etc-kubernetes
+        - mountPath: /var/run
+          name: var-run
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      restartPolicy: Always
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
+      volumes:
+      - name: etc-kubernetes
+        hostPath:
+          path: /etc/kubernetes
+      - name: var-run
+        hostPath:
+          path: /var/run

assets/tls/apiserver.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgIIYRTnEUWPB2EwDQYJKoZIhvcNAQELBQAwJTERMA8GA1UE
+ChMIYm9vdGt1YmUxEDAOBgNVBAMTB2t1YmUtY2EwHhcNMTcwNTE5MTg0MTIwWhcN
+MTgwNTE5MTg0MTIxWjAvMRQwEgYDVQQKEwtrdWJlLW1hc3RlcjEXMBUGA1UEAxMO
+a3ViZS1hcGlzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB
+sXDQGt4CSkm+H0oT3HgzADzK3IQtc5QVKTb2DTyw2/m+h4MRd6n+lra8pto09Is/
+YiVx8OCCFFsO726ZZqLQlQePDF36QKJbpIyGq2b3GVByDQqtn47xhXUeLu0z7IMK
+8906xmZXeg8HHTIS9P66z3xA9kLn0nwSSFJHGTXMoFr8cnLySnrtDHe9pGo/+jcR
+0+jiH3at3w2F1tCaTZ8znEMRP80BTysb7IlZdmNBfaSoT45Nje2eBpZDdxvI8qhi
+J2ZWZ7vQsu6AlCneKpTj4tgsV6sEAgs2V8pabRaSM5t0Hq1lGo/npcOamIUQAq1u
+O2SpSTIojdSHmWdD9h5dAgMBAAGjga0wgaowDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
+JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB5BgNVHREEcjBwggprdWJlcm5ldGVz
+ggprdWJlcm5ldGVzghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVybmV0ZXMuZGVm
+YXVsdC5zdmOCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcE
+CgMAATANBgkqhkiG9w0BAQsFAAOCAQEAj8G9Lc75QNbhADQuOXsSGEi6bJ0UdFoV
+vv5VLNMOdZ0+jXtHtLYrB3RygIcolSdqlaqpM9nj61xgnhG3OIYIw8BCqQlaBgO+
+5cAvzmql29AoDbLeu3JctmySScqyCj4mqtlOGHgIotUq226Re1aqSJ8zLH7UDVEa
+jyQo8vn5GQm/XwyGUt4nSpYXMi6MztebcePdyOe4387NFJS9/OUQIdWlhv1cegK+
+fU8KRv2MiBfZZqJ1DQD17eV9494DImGN1nCpVlmPNBGTCe75SOYCBOwYhHKoNMLn
+YmtnpzBtfAkU4EzjiMm6V22XI/lZsQdxeQfMMScmh+M60DHr7ToRdg==
+-----END CERTIFICATE-----

assets/tls/apiserver.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAwbFw0BreAkpJvh9KE9x4MwA8ytyELXOUFSk29g08sNv5voeD
+EXep/pa2vKbaNPSLP2IlcfDgghRbDu9umWai0JUHjwxd+kCiW6SMhqtm9xlQcg0K
+rZ+O8YV1Hi7tM+yDCvPdOsZmV3oPBx0yEvT+us98QPZC59J8EkhSRxk1zKBa/HJy
+8kp67Qx3vaRqP/o3EdPo4h92rd8NhdbQmk2fM5xDET/NAU8rG+yJWXZjQX2kqE+O
+TY3tngaWQ3cbyPKoYidmVme70LLugJQp3iqU4+LYLFerBAILNlfKWm0WkjObdB6t
+ZRqP56XDmpiFEAKtbjtkqUkyKI3Uh5lnQ/YeXQIDAQABAoIBAERN1ZGdl+LI3b5s
+/EuKuNyLXeTP5NC+bF8V/KrCOj/IIwccdI0JXOpJrcFTOano/t3oN3o5zoIwuXfH
+2YHBHvNdSqAYZV+lwVt96IxpD1NeGu9NSBG4LclgHc/6Dm38Hq4TF1XttxNsGLaS
+hiEHQnkQSCoEbc2gfV5ZIKKv8jfpShYiaAPzrt3saE/2+OliJ5p6zfXKNlEsg1US
+78g+JiOVXZdEQFyPP5Yo8gje8wQ2NetnilQQ9rtBbPv9FfsTrj03srlU2D7IIBdQ
+7D3Z5AN7e7RiwRGmStZ4GllcCuhvjhvfhav132G01o8/DwvVLTnfSKFA7+E8UYG9
+6ZAzX4UCgYEA/pXt8ehj3s1f8cNaSEJlD8AsOHgzcuxRvdrE+zA8l4eEFpP5UJej
+OcDu966q1yt4Qp7Yx2sW3UA76m7RugdqA5MP25fgzGV5n22iwYbnBQvqDQEOjMH1
+1k0CkaRXhDCzGuwb07og/rhOJdCI3OSCQpLD6BsX8MVPJ/2Gfe4XECcCgYEAwsTo
+/iNZFNKkPwlfjpirry6gB7GZYRYdkneMM92fTzuDdqSIrM9oLBeUyixAfPP9c0yV
+2cwhc8TLdHxIwatzNNJkwp2+eANfg8jQ0vK9J8V0649C5iM3aZ5MUVG2IS4RAZtH
+MG2w5fvdd7SqJ8ROWUy7+E0s472yfJNL3auNa9sCgYEA5AXPwEsAII/cboMlevEU
+6Z2bPdzTYAywThcDNWSH8MStFzfkJz4aMWFP6EHmvKAvr6Psz/hn2zVsNNabPD7l
+wlvW6T1IWGpPG++rxiCZDJkWQh1/Na2IDjCdq2sCA+FGmkd9yQ69/MeBHzd/TjHR
+ReWEWIDj2YAwHMZjzqkQuSMCgYA10Kp/7cxjUIBJWpGomM53LO7SsWOry6yIF7gJ
+bKbkAZGlanjJJtWluS5HXkrDO7c/8F1HPHvRvQJqQRzpRjIi2i81Btjl2CjABPCO
+GLvjDU/s9jyJ0hkxeaekoGsuZ8gTJZBZ9TT3lsvuk2CgdEEhs24MgWZx1qxGd3xy
+1z/QGQKBgQCE7afZwIEUQ6epGlUPwmm+mqGiUNbXAz/PnK/IhuOeV9aEU78lPH8p
+6rMpuh5SOqGcRaZhpRSIY3vqU9Yk49OO4BOawF2j8k4pVkTaJGgD71in8aDbcVBc
+VlIMP2q93mnyO7OC8znQKHMs5WRWEokRbSsjWEeQF1MtyBWaIiWmlg==
+-----END RSA PRIVATE KEY-----

assets/tls/ca.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC6DCCAdCgAwIBAgIBADANBgkqhkiG9w0BAQsFADAlMREwDwYDVQQKEwhib290
+a3ViZTEQMA4GA1UEAxMHa3ViZS1jYTAeFw0xNzA1MTkxODQxMjBaFw0yNzA1MTcx
+ODQxMjBaMCUxETAPBgNVBAoTCGJvb3RrdWJlMRAwDgYDVQQDEwdrdWJlLWNhMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAulAVfzTe/mMl31NAx7P524sz
+nQKmxG+BXfDPt4O778tBF76RsEX+wKrRtooBr7axhvR0ok5kDZPARGpNKARmdCSm
+336ErFtqTwMoreY7WVCU2CBFOtt2umfJDuGVoNUHEkD8MeV2lYJCoxwJrhe5wiqq
+m4hptSCepUjilmkReWQ+/N4+RVDpr86GY2QBUlv9OtA5hxTisbA01SwSPAWrpOqV
+8JIj2RLZn85FTzMFTQk0Wu0Zugiryqdaxl33VL3+URI3QC2r2dpvd1SeyWDEXvjm
+kn9238we+2wBeRaceCvC7jyDvYSOhS+j92wFdnQYx+HinA8nn8Qfdm38u6A9hwID
+AQABoyMwITAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEADHvgtDCE8tv0lKIzEqfubUA5LKQ4NiT5SUAucYazMpKw1QIW
+QinCoLEfyPMwgkbgXjzwne8PxeEjjvwCRqwbyViBWnv937p94poZ/9G3CW3bSYwQ
+4ZeZnwW6wW0IGsEheMwknBeQboocM6cXu8hto1AYHOnjtg2t1RufWpsDn5aokuW/
+RI8Hg5vnWWKAAAwcwkmg8aiN/1nYQG/coD41kXe/iJ1DTPZa2CPxgm71f2hRnEYT
+c7uT7uueBapo1O+ttPkghsIvPZKc6vKxK0wrvzHGRoULl77Z83z92aoPLzcmnJ3d
+MFEq4d7JQ5u5i+SaqqqOdp1RGAiuiNpcvyP9ew==
+-----END CERTIFICATE-----

assets/tls/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAulAVfzTe/mMl31NAx7P524sznQKmxG+BXfDPt4O778tBF76R
+sEX+wKrRtooBr7axhvR0ok5kDZPARGpNKARmdCSm336ErFtqTwMoreY7WVCU2CBF
+Ott2umfJDuGVoNUHEkD8MeV2lYJCoxwJrhe5wiqqm4hptSCepUjilmkReWQ+/N4+
+RVDpr86GY2QBUlv9OtA5hxTisbA01SwSPAWrpOqV8JIj2RLZn85FTzMFTQk0Wu0Z
+ugiryqdaxl33VL3+URI3QC2r2dpvd1SeyWDEXvjmkn9238we+2wBeRaceCvC7jyD
+vYSOhS+j92wFdnQYx+HinA8nn8Qfdm38u6A9hwIDAQABAoIBADpNLSztQoqgRA2q
+Y68aZqmI2dHcLotxyS24WYe3tWvIUso3XCeo/5sS2SUh8n0l0k/E12qi1TRac+P0
+z8gh+F2HyqBNWv8EbDPlbSldzlyYlrs6/e75FiImsAf0F3qIrvnLVB/ZCk6mwGuC
+LpVH310fNNwOx+ViG8LlF+KxZkJxzoKQ2RwiCwzMzpvNBTJyEE1jfqNlc92XnP65
+FhjcFfzSJhFK3VH1gdpfO8bUiLiiUhzKzXH7Af73UqZ22wHeYx87ZJBv7e9ymbWT
+GMf9js92e3OdXa3al75JlXgexSDmV2OdZNj6zpqAyupo5b+jXNxcxDaQCitOAcyU
+H6HqMiECgYEAwWeEvOL/JC1hFBniM3jtG7ZcXjT1nuc0I9z+b0O6i3JXp1AXuxqU
+COOn0udgJ4SJZZk2LOja7Mq6DsPvbPK9OA/XvSju6U/cqALpLdT+bvcG1J5km80w
+F9d5a8CmABYsIzIm5VOYCZN/ELxo9uzDhNpiU1m7EVZengg8E1/xSpMCgYEA9pz/
+SGZTFHdLZn7jgg9EzdnjZ2SlSnGc1tHayiRbHknwt8JFMwHeL/TPI6/4ns4A8l59
+IEl1Zf8pWDhwa2qGITXQBmauLYzuPGSIBdABLnJQtE4r6o+vYafZxZVvTAv5B4Sz
+TCWFkLYtvHvs71+u7IKS+dJg3EYy3Gx5KVhddb0CgYAr8QMdj018wLqvwHm+TBlD
+FJnD5bBwnAMiqtE8Il091YrIvs/FePJtWpwEtQEJuXkmFjtS1Mz4w86mECpTzIrl
+M+RGXAh8BeMSYSbtfNkaCRIKOLqPE317zT8PFkQg/OimTny72dRPSK2z9bq7b2u0
+wZFZcqen9sGkkiZkGIZP9QKBgQDcgX6FVvD8QLqLl/OHLG3h/ewmW8irqrCJKDUQ
+P7e1enmhZTSIqifoC2ZXS5XrMNmJ3VDWWLh/DcsDFdv3P9VUxpAN2SvukK/IEj/J
+qrYTuKVOwwLjhbxUfkfrMnXEsoPl5BKJiJdH0I1OliRB2PVIhmwysphm/OGnU9p2
+TIuspQKBgQCq5QJcny6CWHnFh/Q1faYqIjvaS4MqLfnDndvZ98abpcjik3AKgWof
+iaROSk40L+q4uDuaM5tU1ufS/FS94hwlk2O1bQ/xgJBkNZnvZJRFU3oZjhggyl6G
+iFtBTAGGtJqHTPMtn/Y6dUOJ/ZFIZWzuNhJGYX/S3ifpZeldKXmXew==
+-----END RSA PRIVATE KEY-----

assets/tls/kubelet.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDAzCCAeugAwIBAgIILMPkLd2E/uAwDQYJKoZIhvcNAQELBQAwJTERMA8GA1UE
+ChMIYm9vdGt1YmUxEDAOBgNVBAMTB2t1YmUtY2EwHhcNMTcwNTE5MTg0MTIwWhcN
+MTgwNTE5MTg0MTIxWjArMRcwFQYDVQQKEw5zeXN0ZW06bWFzdGVyczEQMA4GA1UE
+AxMHa3ViZWxldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALtz9mHo
+tPkidPbQeu9RS6tAOQhAhPOzV7y5kxo9ZkyGR5mOJ5MElfoofHWGXDqJs3IHO6Zr
+ZTKTYgX6c3jisMhIT62JnN9ZaATWcrd+qQ15ixTNhqdy3UcX6xlB8YF8KpVZ40rO
+wrP/UsG9EaBit37iOmmINIkZtbNIhvOYhkJvr+NOtX/8TsnRZpT9PyCeyZJbsZIZ
+d1Apfu2ENeS1C1OgOQIEOREBehc3GVH11D9BRtFob22MjZUjxyGj0SButUmpvnY9
+ogfE5pT0yhI+kZlP6iMPkk0oGlkcc+U4X8VrSyYXfJNEbmI5aDZe3A4lk4fXiF/Y
+NosbHYnzdf/j0acCAwEAAaMxMC8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
+CCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAIgaxO6aAyGRq
+MINPID5bG/ZSRoIBSEX0bAviLKWP9RonjfayM8Xb3r2WZ4TmJoYYDNMRFoyCeStw
+1fjl7b2vpmFBOxlpmRvNhRF1dlI9Rt4GRRVkxeS7c4dkc0LFTHEPp0X/RmSt4uf+
+X9sYsWOGSBf52+qZ/7UNI6SYwoltenzbwnLHY9NSLXiVFommCXPaBma1GlkQN2F3
+cEInhf78BXKXeIpWdZboHuWOUu3aoRT0p6fegb2Uxh2a73s6sToHjE7oy3H2ZvKR
+kcFJ2TnKMrqzEK/9wyc/gu/kYVx8/zCoPlDQASem7aTZgOIDZ8wc4g9rBitnxdIs
+jxZwjOKt9g==
+-----END CERTIFICATE-----

assets/tls/kubelet.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEAu3P2Yei0+SJ09tB671FLq0A5CECE87NXvLmTGj1mTIZHmY4n
+kwSV+ih8dYZcOomzcgc7pmtlMpNiBfpzeOKwyEhPrYmc31loBNZyt36pDXmLFM2G
+p3LdRxfrGUHxgXwqlVnjSs7Cs/9Swb0RoGK3fuI6aYg0iRm1s0iG85iGQm+v4061
+f/xOydFmlP0/IJ7Jkluxkhl3UCl+7YQ15LULU6A5AgQ5EQF6FzcZUfXUP0FG0Whv
+bYyNlSPHIaPRIG61Sam+dj2iB8TmlPTKEj6RmU/qIw+STSgaWRxz5ThfxWtLJhd8
+k0RuYjloNl7cDiWTh9eIX9g2ixsdifN1/+PRpwIDAQABAoIBAQCRpzJbs4DjUHXH
+zgin6eg9AaMPGWr1HXZgC2YU7n6NmY0K8N0pLFgIz+qdOzBwv8xyHtKnpi001jZF
+ZOzSknpAtYdL1XDST1s23xa2I7Hh6X47RNOLSwJLGnev4YBxV3STJgwpdWzuhcbd
+CTcoA2yHJ+uxUodXvGVmEEXkA7DW7zLZpvLJ//nD5z5CM0IUPdaSgXhYQp2NZWtI
+RjLdjkuYVyBYC2rU4LpmiH1eIVL7bDHoUQhOaHN0wSFG80o46gvrqbhrMPw7BwIu
+bCW30q4Y4JPRYn5ru0zCForne65I2kRtnJUDjn99dOntWVZibRojY0hFFEyGYOjZ
+WItzGAbxAoGBANFj2ZHitQxtqYs7MNIY9jz/7pzuPaX8dm+2/3WW5Aot01+s4yVH
+pd7HE8l5NjnejWG7nG2GPsIhbCCVXEtSMGt1BRioKpc2dLq+ZQb75LGDMaJzMWEm
+/HimJuhXvxOzzKC9Z29vo4d6JC58vPwyu27dFAv3rzAcdiWb/aib7S6ZAoGBAOUu
+BePZgqlpwl3wqDlAljiLsH8AeZUH2rDA4n4d+1kKPMqJYMmftGaTkDJMeJfisfKb
+EXcQsGJAeOLHRpY1VvkHqn5v+7qg9JHSnlw+/nTF5Vk6ISAFMs2Qfwdq6fZ898GZ
+mi9VXr0hez7Z/v/liCxBcl0hgAhnjIFGvQ5rSmo/AoGBAIvlVFWdzCyTj/UQBNw6
+BTpYHAoJOnMNq+uTrjXYLF+IonKHxfMAXZfsFhJDw7ECOh+UAz1BtehqAB387H7+
+WI9SzabdpCcHIRIrZsA1x2O6LY1FvTYVoBTTnacaCPWW6R5zrQnM4sr/FfFhMbqm
+AohdeKlOQGO6gE08XUsrclnxAoGBALOv+f5DtCaQPUzaO4toEGAVZjStcqZemiCr
+mum3KDMPy8ohHDn5dcBXQl+thX/QxiSpYHAyLZlbY2yrQbTT7XUjhZHMy1nwiNEs
+ie1ZlriH0OK8qOwqJ0L1YCO4t+gC415vyGwES1uOvMrysPSCStooFjre4Tu1tHxH
+skNz68yRAoGBAJyMFoQu0rzOxCwQx+8m1encm9pcUvu2eSwwy+9460W474Ww4qZA
+F4DWwjDg5dBG1Im21KIJkhoX579dh3QIRr3PRwlQUkQlxTrUSEtpfNTU3pvWV9BF
+tuLS1TnOdweoQ8cGZZd9PWMLLrBd0JeR4FyH23rOUmMFwJ2A6OopeX6B
+-----END RSA PRIVATE KEY-----

assets/tls/service-account.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA1OJQmE9JCI20h3BI/xJpQoNIfYviHIhlx6Al60Kv4Zb+taD+
+Jd6pCbHqjgYyiYH1wq0nMC9MiRbphdMsKfJXo57H2X1QWNc+3RYzNEL2ra2rkCGw
+q1jKGk6RofagbrinjAC9hGcm/V713fCdSpULH6Ruro9Kjvtca0nLjBcGC03pkuUi
+1e7EPj2SALQxA1iV2+sqqpg2axlpyAN7gecafjVN10kkMw9GKumQqUpejCtf3tTv
+zzfmGqiNnHDB8lDnXpHecKIZkfXdH5Pd4jRY5DyFfrsL5xy0OHF4rA/EDSFkdEZ2
+rTYiCB/O17pw6LuEu79V3N2hJVEwe4Uti3olQwIDAQABAoIBAHSWjXUc1u6sTNZw
+FEo9lxAqPiUj2u2tdbBicOHrX8+4lj56sTWkQAdjPQYTNtJALowzsGafQNdDiRkV
+kfZXFtAxQVpHWx2MpI0If3p7wgVUO8Vv7gWpVuYZaYC+RRbeYkQ2k5RTufLBcv3d
+rQcPoUvvDf7j0v2DhBXuEF/krBa70OnI6Fv5b6Tay4cN6vmNJSPUlDPvicCizmvV
+WtAq5pkPfXW1uweMYDOSD10zaetclMae/0C1hahk9kGoLv49XnKCX/Luzwx0ShJL
+F0Zk+0s9nmMAAfRL8JM7E9iwXa8I4zXpaNON5RfzdUQeU6puhNQrMExrfzFYWYVl
+rPaRnqECgYEA4C7i9B08wR+JEbKeEvTTzUAS8W+S5lSkzPN75Tt4aHeTojzvRXa0
+nUvbr+0PGctpa3OwDzh/SayKqkJvWzxWmzKELTsWkpUZLyx37oxkoQ+dUKSFDYF7
+ejGYfqthUC65NA0rqmz6qiCK/RFXL1ihMY0f/74+IzChoiftpFQ0pt8CgYEA8xjn
+jHcBpGmUOyKRWkmTM1x3l5NhT2bZYy5CGPXZ8tiu6zdi2gw2xUmgVIPzUnTDqmOH
+NPuRvHv2sovqZsApDankwzsWthFLVFjPdpXjVa+Gvp6YN0FTeeIEjGujmCJ9Zj9b
+oIk4o6gRzQNx5L/RaE2/oQrTGwlCWeA44pH6gh0CgYEA0KZSzOk5VnVHWZVo0jPT
+vUBZYSR7EKzPBYHIWj3Tf0drvKACAiDNUWj8+uwkFdngMAXoYwIuVh+kn3pdsgii
+gqetpXtNMvhaDDHTHc7FCbJCtH+q5jsQ9VWbnKldVQdnkC6B6YisdBL9yTOOdZ6D
+yF6U3a3un0nv5cBLyZoltvkCgYEA5Aexc6ZSKQpMXGghlmK7rIsJN2qs9hFQy2Mh
+503+oni1I7jxhf29BrT4qy6W+PrEa7kuo/lzDC3wDC2Is9d+6u05xBRSSnjQg49H
+FEKnW8HpkDcuK26gwgzMHXf+nf+ER3wZE+6D7agDAp8/n8Z6xO9hWMvRmGPIFIxq
+b8VlCdUCgYBgwfUsSsCMP8KVOJAuwf4/SWOkIUUQHQUj1CyEz2UWG5QiP2wqFiA7
+IH8K8JsO9MSWq3ndR9kR+HGBCkJyyoD1GzBZeRhPb+69fYWao3lKUzEDqmxB7zjh
+NPltbLlGGNbPhczXyJeSv1N94MUwY1wt0aAX6G+HiBI8a3cjC/cQPg==
+-----END RSA PRIVATE KEY-----

assets/tls/service-account.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1OJQmE9JCI20h3BI/xJp
+QoNIfYviHIhlx6Al60Kv4Zb+taD+Jd6pCbHqjgYyiYH1wq0nMC9MiRbphdMsKfJX
+o57H2X1QWNc+3RYzNEL2ra2rkCGwq1jKGk6RofagbrinjAC9hGcm/V713fCdSpUL
+H6Ruro9Kjvtca0nLjBcGC03pkuUi1e7EPj2SALQxA1iV2+sqqpg2axlpyAN7geca
+fjVN10kkMw9GKumQqUpejCtf3tTvzzfmGqiNnHDB8lDnXpHecKIZkfXdH5Pd4jRY
+5DyFfrsL5xy0OHF4rA/EDSFkdEZ2rTYiCB/O17pw6LuEu79V3N2hJVEwe4Uti3ol
+QwIDAQAB
+-----END PUBLIC KEY-----

kubelet.service.template

@@ -0,0 +1,26 @@
+[Unit]
+Description=Kubernetes Kubelet
+Documentation=https://kubernetes.io/docs/admin/kubelet/
+
+[Service]
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
+ExecStart=/usr/local/bin/kubelet \
+    --kubeconfig=/etc/kubernetes/kubeconfig \
+    --require-kubeconfig \
+    --cni-conf-dir=/etc/cni/net.d \
+    --cni-bin-dir=/opt/cni/bin \
+    --network-plugin=cni \
+    --lock-file=/var/run/lock/kubelet.lock \
+    --exit-on-lock-contention \
+    --pod-manifest-path=/etc/kubernetes/manifests \
+    --allow-privileged \
+    --cluster_dns=192.168.1.70,8.8.8.8,10.3.0.10 \
+    --cluster_domain=cluster.local \
+    --node-labels=node-role.kubernetes.io/canal-node=true,node-role.kubernetes.io/master=  \
+    --hostname-override=${NODE_HOSTNAME} \
+    --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

scripts/common/func.sh

@@ -0,0 +1,64 @@
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+function validate_environment {
+    local ERRORS=
+
+    if [ "x${NODE_HOSTNAME}" = "x" ]; then
+        echo Error: NODE_HOSTNAME not defined, but required.
+        ERRORS=1
+    fi
+
+    if ! docker info; then
+        cat <<EOS
+Error: Unable to run `docker info`.  You must mount /var/run/docker.sock when
+you run this container, since it is used to launch containers on the host:
+    docker run -v /var/run/docker.sock:/var/run/docker.sock ...
+EOS
+        ERRORS=1
+    fi
+
+    if [ ! -d /target/etc/systemd/system ]; then
+        cat <<EOS
+Error: It appears that the host's root filesystem is not mounted at /target.
+Make sure it is mounted:
+    docker run -v /:/target ...
+EOS
+        ERRORS=1
+    fi
+
+    if [ "x$ERRORS" != "x" ]; then
+        exit 1
+    fi
+}
+
+function install_assets {
+    mkdir /target/etc/kubernetes
+    cp -R ./assets/* /target/etc/kubernetes
+}
+
+function install_cni {
+    mkdir -p /opt/cni/bin
+    tar xf cni.tgz -C /opt/cni/bin/
+}
+
+function install_kubelet {
+    cp ./kubelet /target/usr/local/bin/kubelet
+
+    cat ./kubelet.service.template | envsubst > /target/etc/systemd/system/kubelet.service
+    chown root:root /target/etc/systemd/system/kubelet.service
+    chmod 644 /target/etc/systemd/system/kubelet.service
+
+    chroot --userspec root:root /target /bin/bash < ./scripts/start-kubelet.sh
+}

scripts/common/start-kubelet.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+systemctl daemon-reload
+systemctl enable kubelet.service
+systemctl start kubelet.service

scripts/entrypoint-genesis.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+source ./scripts/env.sh
+source ./scripts/func.sh
+
+validate_environment
+# XXX validate_genesis_assets
+
+docker load -i ./genesis-images.tar
+
+install_assets
+install_cni
+install_kubelet
+
+docker run --rm \
+    -v /etc/kubernetes:/etc/kubernetes \
+    quay.io/coreos/bootkube:${BOOTKUBE_VERSION} \
+    /bootkube start \
+        --asset-dir=/etc/kubernetes

scripts/entrypoint-join.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright 2017 The Promenade Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+source ./scripts/env.sh
+source ./scripts/func.sh
+
+validate_environment
+# XXX validate_join_assets
+
+install_assets
+install_cni
+install_kubelet

test-install.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# Setup master
+vagrant ssh n0 <<EOS
+set -ex
+sudo docker load -i /vagrant/promenade-genesis.tar
+sudo docker run -v /:/target -v /var/run/docker.sock:/var/run/docker.sock -e NODE_HOSTNAME=n0 quay.io/attcomdev/promenade-genesis:dev
+EOS
+
+# Join nodes
+for node in n1 n2; do
+  vagrant ssh $node <<EOS
+set -ex
+sudo docker load -i /vagrant/promenade-join.tar
+# Should be: sudo docker run -v /:/target -e NODE_HOSTNAME=$node quay.io/attcomdev/promenade-join:dev
+sudo docker run -v /:/target -v /var/run/docker.sock:/var/run/docker.sock -e NODE_HOSTNAME=$node quay.io/attcomdev/promenade-join:dev
+EOS
+done

vagrant-assets/dnsmasq-kubernetes

@@ -0,0 +1,3 @@
+host-record=kubernetes,192.168.77.10
+host-record=kubernetes,192.168.77.11
+host-record=kubernetes,192.168.77.12

vagrant-assets/docker-daemon.json

@@ -0,0 +1,3 @@
+{
+  "dns": ["172.17.0.1"]
+}