Fix the CoreOS Heat templates

This patch follows the CoreOS guidance for kubernetes: https://coreos.com/kubernetes/docs/latest/getting-started.html CoreOS doesn't support multi-part mime user-data, so we cannot pack multiple scripts into one (which we did in Atomic). The major work of this patch is to wrap each cloud-init script with a systemd unit, which will be executed one-by-one at the first boot. Note that this patch only enable a basic CoreOS support. Advanced features (i.e. TLS, Cinder volume, HA, external load balancing) are not included. These features need to be ported from Atomic as a future work. Partially-Implements: blueprint coreos-k8s-bay Change-Id: Ib6fe76718ac9b198e0aae57618d3edd98792f15d
2015-12-30 18:45:28 -05:00 · 2015-12-30 18:45:28 -05:00 · dc1eacee60
parent b4abeeafa7
commit dc1eacee60
20 changed files with 933 additions and 234 deletions
--- a/magnum/templates/kubernetes/fragments/configure-etcd-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/configure-etcd-coreos.yaml
@ -0,0 +1,46 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/configure-etcd.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Configure etcd
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/configure-etcd.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/configure-etcd.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+
+      DROP_IN_FILE=/etc/systemd/system/etcd2.service.d/20-configure-etcd.conf
+      mkdir -p $(dirname $DROP_IN_FILE)
+      cat > $DROP_IN_FILE <<EOF
+      [Service]
+      Environment=ETCD_NAME=$myip
+      Environment=ETCD_DATA_DIR=/var/lib/etcd/default.etcd
+      Environment=ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
+      Environment=ETCD_LISTEN_PEER_URLS=http://$myip:2380
+
+      Environment=ETCD_ADVERTISE_CLIENT_URLS=http://$myip:2379
+      Environment=ETCD_INITIAL_ADVERTISE_PEER_URLS=http://$myip:2380
+      Environment=ETCD_DISCOVERY=$ETCD_DISCOVERY_URL
+      EOF
+
+      if [ -n "$HTTP_PROXY" ]; then
+          echo "Environment=ETCD_DISCOVERY_PROXY=$HTTP_PROXY" >> $DROP_IN_FILE
+      fi
+
+      systemctl enable etcd2
+      systemctl --no-block start etcd2
--- a/magnum/templates/kubernetes/fragments/coreos.params.yaml
+++ b/magnum/templates/kubernetes/fragments/coreos.params.yaml
@ -1,16 +0,0 @@
-#cloud-config
-
-coreos:
-  etcd:
-    # generate a new token for each cluster from https://discovery.etcd.io/new
-    discovery: https://discovery.etcd.io/$token
-    # multi-region and multi-cloud deployments need to use $public_ipv4
-    addr: $private_ipv4:2379
-    peer-addr: $private_ipv4:2380
-  units:
-    - name: etcd.service
-      command: start
-    - name: fleet.service
-      command: start
-  ssh_authorized_key:
-  - $ssh_authorized_key
--- a/magnum/templates/kubernetes/fragments/create-kube-namespace-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/create-kube-namespace-coreos.yaml
@ -0,0 +1,47 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/create-kube-namespace.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      After=kubelet.service
+      Requires=kubelet.service
+      Description=Create kube-system namespace
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/create-kube-namespace.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/create-kube-namespace.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+
+      until curl -sf "http://127.0.0.1:8080/healthz"
+      do
+          echo "Waiting for Kubernetes API..."
+          sleep 5
+      done
+
+      KUBE_SYSTEM_JSON=/srv/kubernetes/kube-system-namespace.json
+      mkdir -p $(dirname ${KUBE_SYSTEM_JSON})
+      cat > ${KUBE_SYSTEM_JSON} <<EOF
+      {
+        "apiVersion": "v1",
+        "kind": "Namespace",
+        "metadata": {
+          "name": "kube-system"
+        }
+      }
+      EOF
+
+      curl -XPOST -d@${KUBE_SYSTEM_JSON} "http://127.0.0.1:8080/api/v1/namespaces"
--- a/magnum/templates/kubernetes/fragments/enable-kube-apiserver-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/enable-kube-apiserver-coreos.yaml
@ -0,0 +1,84 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-kube-apiserver.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Configure Kubernetes API Server
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-kube-apiserver.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-kube-apiserver.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+
+      # TODO(hongbin): enable TLS
+      TLS_CERT_FILE=
+      TLS_PRIVATE_KEY_FILE=
+      CLIENT_CA_FILE=
+      INSECURE_PORT=${KUBE_API_PORT}
+      SECURE_PORT=0
+      BIND_ADDRESS_CMD="--insecure-bind-address=0.0.0.0"
+      KUBE_CERTS_PATH=/etc/kubernetes/ssl
+      HOST_CERTS_PATH=/usr/share/ca-certificates
+
+      TEMPLATE=/etc/kubernetes/manifests/kube-apiserver.yaml
+      mkdir -p $(dirname ${TEMPLATE})
+      cat > $TEMPLATE <<EOF
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: kube-apiserver
+        namespace: kube-system
+      spec:
+        hostNetwork: true
+        containers:
+        - name: kube-apiserver
+          image: gcr.io/google_containers/hyperkube:v1.0.6
+          command:
+          - /hyperkube
+          - apiserver
+          - ${BIND_ADDRESS_CMD}
+          - --etcd_servers=http://127.0.0.1:2379
+          - --allow-privileged=true
+          - --service-cluster-ip-range=${PORTAL_NETWORK_CIDR}
+          - --secure_port=${SECURE_PORT}
+          - --insecure-port=${INSECURE_PORT}
+          - --tls-cert-file=${TLS_CERT_FILE}
+          - --tls-private-key-file=${TLS_PRIVATE_KEY_FILE}
+          - --client-ca-file=${CLIENT_CA_FILE}
+          - --service-account-key-file=${TLS_PRIVATE_KEY_FILE}
+          ports:
+          - containerPort: 6443
+            hostPort: 6443
+            name: https
+          - containerPort: 8080
+            hostPort: 8080
+            name: local
+          volumeMounts:
+          - mountPath: /etc/kubernetes/ssl
+            name: ssl-certs-kubernetes
+            readOnly: true
+          - mountPath: /etc/ssl/certs
+            name: ssl-certs-host
+            readOnly: true
+        volumes:
+        - hostPath:
+            path: ${KUBE_CERTS_PATH}
+          name: ssl-certs-kubernetes
+        - hostPath:
+            path: ${HOST_CERTS_PATH}
+          name: ssl-certs-host
+      EOF
--- a/magnum/templates/kubernetes/fragments/enable-kube-controller-manager-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/enable-kube-controller-manager-coreos.yaml
@ -0,0 +1,70 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-kube-controller-manager.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Enable Kubernetes Controller Manager
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-kube-controller-manager.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-kube-controller-manager.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+
+      # TODO(hongbin): enable TLS
+      KUBE_CERTS_PATH=/etc/kubernetes/ssl
+      HOST_CERTS_PATH=/usr/share/ca-certificates
+
+      TEMPLATE=/srv/kubernetes/manifests/kube-controller-manager.yaml
+      mkdir -p $(dirname ${TEMPLATE})
+
+      cat > ${TEMPLATE} <<EOF
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: kube-controller-manager
+        namespace: kube-system
+      spec:
+        hostNetwork: true
+        containers:
+        - name: kube-controller-manager
+          image: gcr.io/google_containers/hyperkube:v1.0.6
+          command:
+          - /hyperkube
+          - controller-manager
+          - --master=http://127.0.0.1:8080
+          - --service-account-private-key-file=${SERVICE_ACCOUNT_PRIVATE_KEY_FILE}
+          - --root-ca-file=${ROOT_CA_FILE}
+          livenessProbe:
+            httpGet:
+              host: 127.0.0.1
+              path: /healthz
+              port: 10252
+            initialDelaySeconds: 15
+            timeoutSeconds: 1
+          volumeMounts:
+          - mountPath: /etc/kubernetes/ssl
+            name: ssl-certs-kubernetes
+            readOnly: true
+          - mountPath: /etc/ssl/certs
+            name: ssl-certs-host
+            readOnly: true
+        volumes:
+        - hostPath:
+            path: ${KUBE_CERTS_PATH}
+          name: ssl-certs-kubernetes
+        - hostPath:
+            path: ${HOST_CERTS_PATH}
+          name: ssl-certs-host
+      EOF
--- a/magnum/templates/kubernetes/fragments/enable-kube-podmaster-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/enable-kube-podmaster-coreos.yaml
@ -0,0 +1,77 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-kube-podmaster.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Configure Kubernetes Podmaster
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-kube-podmaster.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-kube-podmaster.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+
+      TEMPLATE=/etc/kubernetes/manifests/kube-podmaster.yaml
+      mkdir -p $(dirname ${TEMPLATE})
+
+      cat > ${TEMPLATE} <<EOF
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: kube-podmaster
+        namespace: kube-system
+      spec:
+        hostNetwork: true
+        containers:
+        - name: scheduler-elector
+          image: gcr.io/google_containers/podmaster:1.1
+          command:
+          - /podmaster
+          - --etcd-servers=http://127.0.0.1:2379
+          - --key=scheduler
+          - --whoami=${ADVERTISE_IP}
+          - --source-file=/src/manifests/kube-scheduler.yaml
+          - --dest-file=/dst/manifests/kube-scheduler.yaml
+          volumeMounts:
+          - mountPath: /src/manifests
+            name: manifest-src
+            readOnly: true
+          - mountPath: /dst/manifests
+            name: manifest-dst
+        - name: controller-manager-elector
+          image: gcr.io/google_containers/podmaster:1.1
+          command:
+          - /podmaster
+          - --etcd-servers=http://127.0.0.1:2379
+          - --key=controller
+          - --whoami=${myip}
+          - --source-file=/src/manifests/kube-controller-manager.yaml
+          - --dest-file=/dst/manifests/kube-controller-manager.yaml
+          terminationMessagePath: /dev/termination-log
+          volumeMounts:
+          - mountPath: /src/manifests
+            name: manifest-src
+            readOnly: true
+          - mountPath: /dst/manifests
+            name: manifest-dst
+        volumes:
+        - hostPath:
+            path: /srv/kubernetes/manifests
+          name: manifest-src
+        - hostPath:
+            path: /etc/kubernetes/manifests
+          name: manifest-dst
+      EOF
--- a/magnum/templates/kubernetes/fragments/enable-kube-proxy-master-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/enable-kube-proxy-master-coreos.yaml
@ -0,0 +1,59 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-kube-proxy.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Configure Kubernetes Proxy
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-kube-proxy-master.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-kube-proxy-master.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+
+      # TODO(hongbin): enable TLS
+      HOST_CERTS_PATH=/usr/share/ca-certificates
+
+      TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
+      mkdir -p $(dirname ${TEMPLATE})
+      cat > ${TEMPLATE} <<EOF
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: kube-proxy
+        namespace: kube-system
+      spec:
+        hostNetwork: true
+        containers:
+        - name: kube-proxy
+          image: gcr.io/google_containers/hyperkube:v1.0.6
+          command:
+          - /hyperkube
+          - proxy
+          - --master=http://127.0.0.1:8080
+          - --logtostderr=true
+          - --v=0
+          securityContext:
+            privileged: true
+          volumeMounts:
+          - mountPath: /etc/ssl/certs
+            name: ssl-certs-host
+            readOnly: true
+        volumes:
+        - hostPath:
+            path: ${HOST_CERTS_PATH}
+          name: ssl-certs-host
+      EOF
--- a/magnum/templates/kubernetes/fragments/enable-kube-proxy-minion-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/enable-kube-proxy-minion-coreos.yaml
@ -0,0 +1,67 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-kube-proxy.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Configure Kubernetes Proxy
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-kube-proxy-minion.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-kube-proxy-minion.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+
+      # TODO(hongbin): enable TLS
+      HOST_CERTS_PATH=/usr/share/ca-certificates
+      KUBE_CERTS_PATH=/etc/kubernetes/ssl
+      KUBE_PROTOCOL="http"
+      KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
+
+      TEMPLATE=/etc/kubernetes/manifests/kube-proxy.yaml
+      mkdir -p $(dirname ${TEMPLATE})
+      cat > ${TEMPLATE} <<EOF
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: kube-proxy
+        namespace: kube-system
+      spec:
+        hostNetwork: true
+        containers:
+        - name: kube-proxy
+          image: gcr.io/google_containers/hyperkube:v1.0.6
+          command:
+          - /hyperkube
+          - proxy
+          - --master=${KUBE_MASTER_URI}
+          - --logtostderr=true
+          - --v=0
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - mountPath: /etc/ssl/certs
+              name: "ssl-certs"
+            - mountPath: /etc/kubernetes/ssl
+              name: "etc-kube-ssl"
+              readOnly: true
+        volumes:
+          - name: "ssl-certs"
+            hostPath:
+              path: ${HOST_CERTS_PATH}
+          - name: "etc-kube-ssl"
+            hostPath:
+              path: ${KUBE_CERTS_PATH}
+      EOF
--- a/magnum/templates/kubernetes/fragments/enable-kube-scheduler-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/enable-kube-scheduler-coreos.yaml
@ -0,0 +1,50 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-kube-scheduler.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Enable Kubernetes Scheduler
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-kube-scheduler.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-kube-scheduler.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+
+      TEMPLATE=/srv/kubernetes/manifests/kube-scheduler.yaml
+      mkdir -p $(dirname ${TEMPLATE})
+
+      cat > ${TEMPLATE} <<EOF
+      apiVersion: v1
+      kind: Pod
+      metadata:
+        name: kube-scheduler
+        namespace: kube-system
+      spec:
+        hostNetwork: true
+        containers:
+        - name: kube-scheduler
+          image: gcr.io/google_containers/hyperkube:v1.0.6
+          command:
+          - /hyperkube
+          - scheduler
+          - --master=http://127.0.0.1:8080
+          livenessProbe:
+            httpGet:
+              host: 127.0.0.1
+              path: /healthz
+              port: 10251
+            initialDelaySeconds: 15
+            timeoutSeconds: 1
+      EOF
--- a/magnum/templates/kubernetes/fragments/enable-kubelet-master-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/enable-kubelet-master-coreos.yaml
@ -0,0 +1,46 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-kubelet.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Enable Kubelet
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-kubelet-master.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-kubelet-master.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+
+      CONF_FILE=/etc/systemd/system/kubelet.service
+      cat > $CONF_FILE <<EOF
+      [Service]
+      ExecStart=/usr/bin/kubelet \
+        --api_servers=http://127.0.0.1:8080 \
+        --address=0.0.0.0 \
+        --register-node=false \
+        --allow-privileged=true \
+        --config=/etc/kubernetes/manifests \
+        --hostname-override=${myip} \
+        --logtostderr=true \
+        --v=0
+      Restart=always
+      RestartSec=10
+      [Install]
+      WantedBy=multi-user.target
+      EOF
+
+      systemctl enable kubelet
+      systemctl --no-block start kubelet
--- a/magnum/templates/kubernetes/fragments/enable-kubelet-minion-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/enable-kubelet-minion-coreos.yaml
@ -0,0 +1,50 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-kubelet.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Enable Kubelet
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-kubelet-minion.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-kubelet-minion.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+
+      KUBE_PROTOCOL="http"
+      KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"
+
+      CONF_FILE=/etc/systemd/system/kubelet.service
+      cat > $CONF_FILE <<EOF
+      [Service]
+      ExecStart=/usr/bin/kubelet \
+        --api_servers=${KUBE_MASTER_URI} \
+        --address=0.0.0.0 \
+        --register-node=true \
+        --allow-privileged=true \
+        --config=/etc/kubernetes/manifests \
+        --hostname-override=${myip} \
+        --logtostderr=true \
+        --v=0
+        --cadvisor-port=4194
+      Restart=always
+      RestartSec=10
+      [Install]
+      WantedBy=multi-user.target
+      EOF
+
+      systemctl enable kubelet
+      systemctl --no-block start kubelet
--- a/magnum/templates/kubernetes/fragments/enable-network-service-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/enable-network-service-coreos.yaml
@ -0,0 +1,55 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/enable-network-service.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Enable Network Service
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/enable-network-service.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/enable-network-service.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      if [ "$NETWORK_DRIVER" != "flannel" ]; then
+          exit 0
+      fi
+
+      myip=$(ip addr show eth0 |
+             awk '$1 == "inet" {print $2}' | cut -f1 -d/)
+      ETCD_SERVER_IP=${ETCD_SERVER_IP:-127.0.0.1}
+
+      ENV_FILE=/etc/flannel/options.env
+      mkdir -p $(dirname $ENV_FILE)
+      cat > $ENV_FILE <<EOF
+      FLANNELD_IFACE=$myip
+      FLANNELD_ETCD_ENDPOINTS=http://${ETCD_SERVER_IP}:2379
+      EOF
+
+      DROP_IN_FILE=/etc/systemd/system/flanneld.service.d/40-ExecStartPre-symlink.conf
+      mkdir -p $(dirname $DROP_IN_FILE)
+      cat > $DROP_IN_FILE <<EOF
+      [Service]
+      ExecStartPre=/usr/bin/ln -sf /etc/flannel/options.env /run/flannel/options.env
+      EOF
+
+      DOCKER_FLANNEL_CONF=/etc/systemd/system/docker.service.d/40-flannel.conf
+      mkdir -p $(dirname $DOCKER_FLANNEL_CONF)
+      cat > $DOCKER_FLANNEL_CONF <<EOF
+      [Unit]
+      Requires=flanneld.service
+      After=flanneld.service
+      EOF
+
+      systemctl enable flanneld
+      systemctl --no-block start flanneld
--- a/magnum/templates/kubernetes/fragments/wc-notify-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/wc-notify-coreos.yaml
@ -0,0 +1,24 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/wc-notify.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Notify Heat
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/wc-notify.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/wc-notify.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/bash -v
+      . /etc/sysconfig/heat-params
+      command="$WAIT_CURL --data-binary '{\"status\": \"SUCCESS\"}'"
+      eval $(echo "$command")
--- a/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
@ -27,3 +27,4 @@ write_files:
      HTTP_PROXY="$HTTP_PROXY"
      HTTPS_PROXY="$HTTPS_PROXY"
      NO_PROXY="$NO_PROXY"
+      WAIT_CURL="$WAIT_CURL"
--- a/magnum/templates/kubernetes/fragments/write-heat-params.yaml
+++ b/magnum/templates/kubernetes/fragments/write-heat-params.yaml
@ -29,3 +29,4 @@ write_files:
      HTTP_PROXY="$HTTP_PROXY"
      HTTPS_PROXY="$HTTPS_PROXY"
      NO_PROXY="$NO_PROXY"
+      WAIT_CURL="$WAIT_CURL"
--- a/magnum/templates/kubernetes/fragments/write-network-config-coreos.yaml
+++ b/magnum/templates/kubernetes/fragments/write-network-config-coreos.yaml
@ -0,0 +1,50 @@
+#cloud-config
+write_files:
+  - path: /etc/systemd/system/write-network-config.service
+    owner: "root:root"
+    permissions: "0644"
+    content: |
+      [Unit]
+      Description=Write Network Config
+
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/sysconfig/write-network-config.sh
+
+      [Install]
+      WantedBy=multi-user.target
+
+  - path: /etc/sysconfig/write-network-config.sh
+    owner: "root:root"
+    permissions: "0755"
+    content: |
+      #!/bin/sh
+
+      . /etc/sysconfig/heat-params
+      if [ "$NETWORK_DRIVER" != "flannel" ]; then
+          exit 0
+      fi
+
+      backend_type=udp
+      if [ "$FLANNEL_USE_VXLAN" == "true" ]; then
+          backend_type=vxlan
+      fi
+
+      FLANNEL_JSON=/etc/sysconfig/flannel-network.json
+      cat > $FLANNEL_JSON <<EOF
+      {
+          "Network": "$FLANNEL_NETWORK_CIDR",
+          "Subnetlen": $FLANNEL_NETWORK_SUBNETLEN,
+          "Backend": {
+              "Type": "$backend_type"
+          }
+      }
+      EOF
+
+      FLANNEL_ETCD="http://127.0.0.1:2379"
+      FLANNEL_ETCD_KEY="/coreos.com/network"
+      while ! curl -sf -L ${FLANNEL_ETCD}/v2/keys${FLANNEL_ETCD_KEY}/config \
+        -X PUT --data-urlencode value@${FLANNEL_JSON}; do
+          echo "waiting for etcd"
+          sleep 1
+      done
--- a/magnum/templates/kubernetes/kubecluster-coreos.yaml
+++ b/magnum/templates/kubernetes/kubecluster-coreos.yaml
@ -31,19 +31,21 @@ parameters:
    default: m1.small
    description: flavor to use when booting the server

-  token:
+  discovery_url:
    type: string
-    description: token is generated from https://discovery.etcd.io/new
-
-  ssh_authorized_key:
-    type: string
-    description: complete ssh key.
+    description: >
+      Discovery URL used for bootstrapping the etcd cluster.

  dns_nameserver:
    type: string
    description: address of a dns nameserver reachable in your environment
    default: 8.8.8.8

+  number_of_masters:
+    type: number
+    description: how many kubernetes masters to spawn
+    default: 1
+
  number_of_minions:
    type: number
    description: how many kubernetes minions to spawn
@ -87,13 +89,6 @@ parameters:
    constraints:
      - allowed_values: ["true", "false"]

-  docker_volume_size:
-    type: number
-    description: >
-      size of a cinder volume to allocate to docker for container/image
-      storage
-    default: 25
-
  minions_to_remove:
    type: comma_delimited_list
    description: >
@ -103,28 +98,22 @@ parameters:
      be empty when doing a create.
    default: []

-  auth_url:
+  network_driver:
    type: string
-    description: >
-      url for kubernetes to authenticate before sending request to neutron
+    description: network driver to use for instantiating container networks
+    default: flannel

-  username:
-    type: string
-    description: >
-      user account
+  tls_disabled:
+    type: boolean
+    description: whether or not to disable TLS
+    default: False

-  password:
-    type: string
+  kubernetes_port:
+    type: number
    description: >
-      user password, not set in current implementation, only used to
-      fill in for Kubernetes config file
-    default:
-      ChangeMe
-
-  tenant_name:
-    type: string
-    description: >
-      tenant name
+      The port which are used by kube-apiserver to provide Kubernetes
+      service.
+    default: 8080

 resources:

@ -187,12 +176,10 @@ resources:
          portal_network_cidr: {get_param: portal_network_cidr}
          fixed_network: {get_resource: fixed_network}
          fixed_subnet: {get_resource: fixed_subnet}
-          token: {get_param: token}
-          ssh_authorized_key: {get_param: ssh_authorized_key}
-          auth_url: {get_param: auth_url}
-          username: {get_param: username}
-          password: {get_param: password}
-          tenant_name: {get_param: tenant_name}
+          discovery_url: {get_param: discovery_url}
+          network_driver: {get_param: network_driver}
+          kubernetes_port: {get_param: kubernetes_port}
+          tls_disabled: {get_param: tls_disabled}

  ######################################################################
  #
@ -216,17 +203,18 @@ resources:
          minion_flavor: {get_param: minion_flavor}
          fixed_network: {get_resource: fixed_network}
          fixed_subnet: {get_resource: fixed_subnet}
-          kube_master_ip: {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}
+          kube_master_ip: {"Fn::Select": [0, {get_attr: [kube_master, kube_master_ip]}]}
          external_network: {get_param: external_network}
          kube_allow_priv: {get_param: kube_allow_priv}
-          docker_volume_size: {get_param: docker_volume_size}
-          token: {get_param: token}
-          ssh_authorized_key: {get_param: ssh_authorized_key}
+          network_driver: {get_param: network_driver}
+          kubernetes_port: {get_param: kubernetes_port}
+          tls_disabled: {get_param: tls_disabled}
+          etcd_server_ip: {"Fn::Select": [0, {get_attr: [kube_master, kube_master_ip]}]}

 outputs:

  api_address:
-    value: {get_attr: [kube_master, kube_master_external_ip]}
+    value: {"Fn::Select": [0, {get_attr: [kube_master, kube_master_external_ip]}]}

  kube_masters_private:
    value: {get_attr: [kube_master, kube_master_ip]}
--- a/magnum/templates/kubernetes/kubemaster-coreos.yaml
+++ b/magnum/templates/kubernetes/kubemaster-coreos.yaml
@ -25,13 +25,10 @@ parameters:
    description: uuid/name of a network to use for floating ip addresses
    default: public

-  token:
+  discovery_url:
    type: string
-    description: token is generated from https://discovery.etcd.io/new
-
-  ssh_authorized_key:
-    type: string
-    description: complete ssh key.
+    description: >
+      Discovery URL used for bootstrapping the etcd cluster.

  dns_nameserver:
    type: string
@ -85,40 +82,33 @@ parameters:
    description : >
      timeout for the Wait Conditions

-  auth_url:
+  network_driver:
    type: string
-    description: >
-      url for kubernetes to authenticate before sending request to neutron
+    description: network driver to use for instantiating container networks

-  username:
-    type: string
-    description: >
-      user account
+  tls_disabled:
+    type: boolean
+    description: whether or not to enable TLS
+    default: False

-  password:
-    type: string
+  kubernetes_port:
+    type: number
    description: >
-      user password
-
-  tenant_name:
-    type: string
-    description: >
-      tenant name
+      The port which are used by kube-apiserver to provide Kubernetes
+      service.
+    default: 8080

 resources:

  master_wait_handle:
-    type: AWS::CloudFormation::WaitConditionHandle
+    type: OS::Heat::WaitConditionHandle

  master_wait_condition:
-    type: AWS::CloudFormation::WaitCondition
-    depends_on:
-      - kube_master
+    type: OS::Heat::WaitCondition
+    depends_on: kube_master
    properties:
-      Handle:
-        get_resource: master_wait_handle
-      Timeout: {get_param: wait_condition_timeout}
-
+      handle: {get_resource: master_wait_handle}
+      timeout: {get_param: wait_condition_timeout}

  ######################################################################
  #
@ -174,92 +164,135 @@ resources:
            "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
            "$FLANNEL_USE_VXLAN": {get_param: flannel_use_vxlan}
            "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
-            "$AUTH_URL": {get_param: auth_url}
-            "$USERNAME": {get_param: username}
-            "$PASSWORD": {get_param: password}
-            "$TENANT_NAME": {get_param: tenant_name}
            "$CLUSTER_SUBNET": {get_param: fixed_subnet}
+            "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
+            "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}
+            "$NETWORK_DRIVER": {get_param: network_driver}
+            "$KUBE_API_PORT": {get_param: kubernetes_port}
+            "$TLS_DISABLED": {get_param: tls_disabled}

-  write_kube_os_config:
+  configure_etcd:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
-      config: {get_file: fragments/write-kube-os-config.sh}
+      config: {get_file: fragments/configure-etcd-coreos.yaml}

-  configure_kubernetes:
+  write_network_config:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
-      config: {get_file: fragments/configure-kubernetes-master.sh}
+      config: {get_file: fragments/write-network-config-coreos.yaml}

-  write_flannel_config:
+  enable_network_service:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
-      config: {get_file: fragments/write-flannel-config.sh}
+      config: {get_file: fragments/enable-network-service-coreos.yaml}

-  flannel_config_service:
+  enable_kubelet:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
-      config: {get_file: fragments/flannel-config.service.yaml}
+      config: {get_file: fragments/enable-kubelet-master-coreos.yaml}

-  enable_services:
+  enable_kube_apiserver:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
-      config: {get_file: fragments/enable-services-master.sh}
+      config: {get_file: fragments/enable-kube-apiserver-coreos.yaml}

-  kube_user:
+  create_kube_namespace:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
-      config: {get_file: fragments/kube-user.yaml}
+      config: {get_file: fragments/create-kube-namespace-coreos.yaml}

-  kube_examples:
+  enable_kube_proxy:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
-      config: {get_file: fragments/kube-examples.yaml}
+      config: {get_file: fragments/enable-kube-proxy-master-coreos.yaml}

-  cfn_signal:
+  enable_kube_controller_manager:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
-      config: {get_file: fragments/cfn-signal.sh}
+      config: {get_file: fragments/enable-kube-controller-manager-coreos.yaml}

-  disable_selinux:
+  enable_kube_scheduler:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
-      config: {get_file: fragments/disable-selinux.sh}
+      config: {get_file: fragments/enable-kube-scheduler-coreos.yaml}

-  coreos_params:
+  enable_kube_podmaster:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config: {get_file: fragments/enable-kube-podmaster-coreos.yaml}
+
+  wc_notify:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config: {get_file: fragments/wc-notify-coreos.yaml}
+
+  kube_master_init:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config:
        str_replace:
-          template: {get_file: fragments/coreos.params.yaml}
+          template: |
+            $write_heat_params
+            $configure_etcd
+            $write_network_config
+            $enable_network_service
+            $enable_kubelet
+            $enable_kube_apiserver
+            $create_kube_namespace
+            $enable_kube_proxy
+            $enable_kube_podmaster
+            $enable_kube_controller_manager
+            $enable_kube_scheduler
+            $wc_notify
+            coreos:
+              units:
+                - name: "configure-etcd.service"
+                  command: "start"
+                - name: "write-network-config.service"
+                  command: "start"
+                - name: "enable-network-service.service"
+                  command: "start"
+                - name: "enable-kubelet.service"
+                  command: "start"
+                - name: "enable-kube-apiserver.service"
+                  command: "start"
+                - name: "create-kube-namespace.service"
+                  command: "start"
+                - name: "enable-kube-proxy.service"
+                  command: "start"
+                - name: "enable-kube-controller-manager.service"
+                  command: "start"
+                - name: "enable-kube-scheduler.service"
+                  command: "start"
+                - name: "enable-kube-podmaster.service"
+                  command: "start"
+                - name: "wc-notify.service"
+                  command: "start"
          params:
-            token: {get_param: token}
-            ssh_authorized_key: {get_param: ssh_authorized_key}
-
-  kube_master_init:
-    type: OS::Heat::MultipartMime
-    properties:
-      parts:
-        - config: {get_resource: disable_selinux}
-        - config: {get_resource: write_heat_params}
-        - config: {get_resource: kube_user}
-        - config: {get_resource: write_kube_os_config}
-        - config: {get_resource: configure_kubernetes}
-        - config: {get_resource: enable_services}
-        - config: {get_resource: write_flannel_config}
-        - config: {get_resource: flannel_config_service}
-        - config: {get_resource: kube_examples}
-        - config: {get_resource: cfn_signal}
-        - config: {get_resource: coreos_params}
+            "$write_heat_params": {get_attr: [write_heat_params, config]}
+            "$configure_etcd": {get_attr: [configure_etcd, config]}
+            "$write_network_config": {get_attr: [write_network_config, config]}
+            "$enable_network_service": {get_attr: [enable_network_service, config]}
+            "$enable_kubelet": {get_attr: [enable_kubelet, config]}
+            "$enable_kube_apiserver": {get_attr: [enable_kube_apiserver, config]}
+            "$create_kube_namespace": {get_attr: [create_kube_namespace, config]}
+            "$enable_kube_proxy": {get_attr: [enable_kube_proxy, config]}
+            "$enable_kube_controller_manager": {get_attr: [enable_kube_controller_manager, config]}
+            "$enable_kube_scheduler": {get_attr: [enable_kube_scheduler, config]}
+            "$enable_kube_podmaster": {get_attr: [enable_kube_podmaster, config]}
+            "$wc_notify": {get_attr: [wc_notify, config]}

  ######################################################################
  #
--- a/magnum/templates/kubernetes/kubemaster.yaml
+++ b/magnum/templates/kubernetes/kubemaster.yaml
@ -196,6 +196,7 @@ resources:
            "$HTTP_PROXY": {get_param: http_proxy}
            "$HTTPS_PROXY": {get_param: https_proxy}
            "$NO_PROXY": {get_param: no_proxy}
+            "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}

  make_cert:
    type: OS::Heat::SoftwareConfig
--- a/magnum/templates/kubernetes/kubeminion-coreos.yaml
+++ b/magnum/templates/kubernetes/kubeminion-coreos.yaml
@ -26,14 +26,6 @@ parameters:
    type: string
    description: uuid/name of a network to use for floating ip addresses

-  token:
-    type: string
-    description: token is generated from https://discovery.etcd.io/new
-
-  ssh_authorized_key:
-    type: string
-    description: complete ssh key.
-
  kube_allow_priv:
    type: string
    description: >
@ -42,17 +34,29 @@ parameters:
    constraints:
      - allowed_values: ["true", "false"]

-  docker_volume_size:
+  network_driver:
+    type: string
+    description: network driver to use for instantiating container networks
+
+  tls_disabled:
+    type: boolean
+    description: whether or not to enable TLS
+    default: False
+
+  kubernetes_port:
    type: number
    description: >
-      size of a cinder volume to allocate to docker for container/image
-      storage
-    default: 25
+      The port which are used by kube-apiserver to provide Kubernetes
+      service.
+    default: 8080

  # The following are all generated in the parent template.
  kube_master_ip:
    type: string
    description: IP address of the Kubernetes master server.
+  etcd_server_ip:
+    type: string
+    description: IP address of the Etcd server.
  fixed_network:
    type: string
    description: Network from which to allocate fixed addresses.
@ -63,15 +67,14 @@ parameters:
 resources:

  minion_wait_handle:
-    type: AWS::CloudFormation::WaitConditionHandle
+    type: OS::Heat::WaitConditionHandle

  minion_wait_condition:
-    type: AWS::CloudFormation::WaitCondition
+    type: OS::Heat::WaitCondition
    depends_on: kube-minion
    properties:
-      Handle:
-        get_resource: minion_wait_handle
-      Timeout: 6000
+      handle: {get_resource: minion_wait_handle}
+      timeout: 6000

  ######################################################################
  #
@ -103,89 +106,64 @@ resources:
          params:
            $KUBE_ALLOW_PRIV: {get_param: kube_allow_priv}
            $KUBE_MASTER_IP: {get_param: kube_master_ip}
-            $WAIT_HANDLE: {get_resource: node_wait_handle}
-            $DOCKER_VOLUME: {get_resource: docker_volume}
+            $WAIT_CURL: {get_attr: [minion_wait_handle, curl_cli]}
+            $KUBE_API_PORT: {get_param: kubernetes_port}
+            $TLS_DISABLED: {get_param: tls_disabled}
+            $NETWORK_DRIVER: {get_param: network_driver}
+            $ETCD_SERVER_IP: {get_param: etcd_server_ip}

-  coreos_params:
+  enable_network_service:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config: {get_file: fragments/enable-network-service-coreos.yaml}
+
+  enable_kubelet:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config: {get_file: fragments/enable-kubelet-minion-coreos.yaml}
+
+  enable_kube_proxy:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config: {get_file: fragments/enable-kube-proxy-minion-coreos.yaml}
+
+  wc_notify:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: ungrouped
+      config: {get_file: fragments/wc-notify-coreos.yaml}
+
+  kube_minion_init:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config:
        str_replace:
-          template: {get_file: fragments/coreos.params.yaml}
+          template: |
+            $write_heat_params
+            $enable_network_service
+            $enable_kubelet
+            $enable_kube_proxy
+            $wc_notify
+            coreos:
+              units:
+                - name: "enable-network-service.service"
+                  command: "start"
+                - name: "enable-kubelet.service"
+                  command: "start"
+                - name: "enable-kube-proxy.service"
+                  command: "start"
+                - name: "wc-notify.service"
+                  command: "start"
          params:
-            token: {get_param: token}
-            ssh_authorized_key: {get_param: ssh_authorized_key}
-
-  add_to_docker_group:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/add-to-docker-group.sh}
-
-  configure_docker_storage:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/configure-docker-storage.sh}
-
-  configure_kubernetes_minion:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/configure-kubernetes-minion.sh}
-
-  kube_user:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/kube-user.yaml}
-
-  kube_examples:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/kube-examples.yaml}
-
-  docker_service:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/docker.service.yaml}
-
-  enable_services:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/enable-services-minion.sh}
-
-  cfn_signal:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/cfn-signal.sh}
-
-  disable_selinux:
-    type: OS::Heat::SoftwareConfig
-    properties:
-      group: ungrouped
-      config: {get_file: fragments/disable-selinux.sh}
-
-  kube_minion_init:
-    type: OS::Heat::MultipartMime
-    properties:
-      parts:
-        - config: {get_resource: disable_selinux}
-        - config: {get_resource: write_heat_params}
-        - config: {get_resource: kube_user}
-        - config: {get_resource: kube_examples}
-        - config: {get_resource: add_to_docker_group}
-        - config: {get_resource: configure_docker_storage}
-        - config: {get_resource: configure_kubernetes_minion}
-        - config: {get_resource: docker_service}
-        - config: {get_resource: enable_services}
-        - config: {get_resource: cfn_signal}
-        - config: {get_resource: coreos_params}
+            "$write_heat_params": {get_attr: [write_heat_params, config]}
+            "$enable_network_service": {get_attr: [enable_network_service, config]}
+            "$enable_kubelet": {get_attr: [enable_kubelet, config]}
+            "$enable_kube_proxy": {get_attr: [enable_kube_proxy, config]}
+            "$wc_notify": {get_attr: [wc_notify, config]}

  # Important:  the name for the heat resource kube-minion below must
  # not contain "_" (underscore) because it will be used in the
@ -221,18 +199,6 @@ resources:
      floating_network: {get_param: external_network}
      port_id: {get_resource: kube_minion_eth0}

-  docker_volume:
-    type: OS::Cinder::Volume
-    properties:
-      size: {get_param: docker_volume_size}
-
-  docker_volume_attach:
-    type: OS::Cinder::VolumeAttachment
-    properties:
-      instance_uuid: {get_resource: kube-minion}
-      volume_id: {get_resource: docker_volume}
-      mountpoint: /dev/vdb
-
 outputs:

  kube_minion_ip: