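#cloud-config
# Worker (minion) node fragment: installs a oneshot unit that runs
# enable-kubelet-minion.sh with the Heat-provided parameters in its environment.
write_files:
  - path: /etc/systemd/system/enable-kubelet.service
    owner: "root:root"
    permissions: "0644"
    content: |
      [Unit]
      Description=Enable Kubelet

      [Service]
      Type=oneshot
      # Supplies the KUBE_*/TLS_*/registry/DNS variables read by the script.
      EnvironmentFile=/etc/sysconfig/heat-params
      ExecStart=/etc/sysconfig/enable-kubelet-minion.sh

      [Install]
      WantedBy=multi-user.target

  - path: /etc/sysconfig/enable-kubelet-minion.sh
    owner: "root:root"
    permissions: "0755"
    content: |
      #!/bin/sh
      # Configure and start the kubelet on a worker node.
      #
      # Inputs (environment, from /etc/sysconfig/heat-params via the
      # EnvironmentFile= of enable-kubelet.service): KUBE_NODE_IP,
      # INSECURE_REGISTRY_URL, KUBE_CERTS_PATH, TLS_DISABLED, KUBE_MASTER_IP,
      # KUBE_API_PORT, KUBE_VERSION, HYPERKUBE_IMAGE_REPO, INSTANCE_NAME,
      # CONTAINER_RUNTIME, DNS_SERVICE_IP, DNS_CLUSTER_DOMAIN.
      #
      # Side effects: writes /etc/systemd/system/kubelet.service and
      # /opt/bin/host-rkt, then enables and starts kubelet.service.
      # Written for /bin/sh: no bashisms.

      # Fall back to the link-local instance metadata service when the template
      # did not supply a node IP. -f makes an HTTP error leave the variable
      # empty instead of filling it with an error page; --max-time bounds the
      # wait if the metadata service is unreachable at boot.
      # NOTE(review): nothing below reads KUBE_NODE_IP or KUBE_MASTER_URI (the
      # kubelet is identified via --hostname-override); both are kept so the
      # script's inputs and variables stay unchanged.
      if [ -z "${KUBE_NODE_IP}" ]; then
          KUBE_NODE_IP=$(curl -sf --max-time 10 http://169.254.169.254/latest/meta-data/local-ipv4)
      fi

      # Pull the pause image from the insecure registry when one is configured.
      # NOTE(review): the backslash in "pause\:3.0" is literal inside double
      # quotes in sh and is passed through to the unit file as written; confirm
      # that is what the registry and kubelet expect.
      if [ -n "${INSECURE_REGISTRY_URL}" ]; then
          INSECURE_REGISTRY_ARGS="--pod-infra-container-image=${INSECURE_REGISTRY_URL}/google_containers/pause\:3.0"
      else
          INSECURE_REGISTRY_ARGS=""
      fi

      # Default: mutual TLS against the API server with the worker certificate.
      TLS_CERT_FILE=${KUBE_CERTS_PATH}/worker.pem
      TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/worker-key.pem
      KUBE_PROTOCOL="https"
      KUBE_CONFIG="/etc/kubernetes/config/worker-kubeconfig.yaml"
      # TLS_DISABLED=True drops the client certificate and kubeconfig and talks
      # to the API server over plain http: the kubelet is then unauthenticated
      # and the link unencrypted. Single '=' because this is sh, not bash.
      if [ "$TLS_DISABLED" = "True" ]; then
          TLS_CERT_FILE=
          TLS_PRIVATE_KEY_FILE=
          KUBE_PROTOCOL="http"
          KUBE_CONFIG=
      fi
      KUBE_MASTER_URI="$KUBE_PROTOCOL://$KUBE_MASTER_IP:$KUBE_API_PORT"

      uuid_file="/var/run/kubelet-pod.uuid"
      CONF_FILE=/etc/systemd/system/kubelet.service
      # The heredoc delimiter is unquoted on purpose so the ${...} values above
      # are expanded into the unit; the backslash-newline continuations are
      # joined by the shell before the file is written.
      # Worth knowing when reviewing the resulting unit:
      #  - --allow-privileged=true lets privileged containers run on this node.
      #  - --cadvisor-port=4194 serves cAdvisor on its own port without kubelet
      #    authentication; 0 disables it when nothing scrapes it.
      #  - with TLS_DISABLED=True the --kubeconfig/--tls-* flags are empty.
      cat > "$CONF_FILE" <<EOF
      [Service]
      EnvironmentFile=/etc/environment
      Environment=KUBELET_VERSION=${KUBE_VERSION}
      Environment=KUBELET_ACI=${HYPERKUBE_IMAGE_REPO}
      Environment="RKT_OPTS=--uuid-file-save=${uuid_file} \
      --volume dns,kind=host,source=/etc/resolv.conf \
      --mount volume=dns,target=/etc/resolv.conf \
      --volume rkt,kind=host,source=/opt/bin/host-rkt \
      --mount volume=rkt,target=/usr/bin/rkt \
      --volume var-lib-rkt,kind=host,source=/var/lib/rkt \
      --mount volume=var-lib-rkt,target=/var/lib/rkt \
      --volume stage,kind=host,source=/tmp \
      --mount volume=stage,target=/tmp \
      --volume var-log,kind=host,source=/var/log \
      --mount volume=var-log,target=/var/log"
      ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
      ExecStartPre=/usr/bin/mkdir -p /opt/cni/bin
      ExecStartPre=/usr/bin/mkdir -p /var/log/containers
      ExecStartPre=-/usr/bin/rkt rm --uuid-file=${uuid_file}
      ExecStart=/usr/lib/coreos/kubelet-wrapper \
      --cni-conf-dir=/etc/kubernetes/cni/net.d \
      --network-plugin=cni \
      --hostname-override=${INSTANCE_NAME} \
      --container-runtime=${CONTAINER_RUNTIME} \
      --allow-privileged=true \
      --pod-manifest-path=/etc/kubernetes/manifests \
      --logtostderr=true \
      --v=0 \
      --cadvisor-port=4194 \
      --kubeconfig=${KUBE_CONFIG} \
      --tls-cert-file=${TLS_CERT_FILE} \
      --tls-private-key-file=${TLS_PRIVATE_KEY_FILE} \
      --cluster_dns=${DNS_SERVICE_IP} \
      --cluster_domain=${DNS_CLUSTER_DOMAIN} \
      ${INSECURE_REGISTRY_ARGS}
      Restart=always
      RestartSec=10
      ExecStop=-/usr/bin/rkt stop --uuid-file=${uuid_file}
      [Install]
      WantedBy=multi-user.target
      EOF

      # Wrapper that rkt shell-outs from inside the kubelet container go through
      # (RKT_OPTS above bind mounts it to /usr/bin/rkt). nsenter -t 1 joins
      # PID 1's namespaces, so anything able to execute this wrapper from inside
      # the kubelet container is running rkt on the host itself. The "\$@" is
      # escaped so it survives this unquoted-delimiter heredoc as a literal "$@".
      TEMPLATE=/opt/bin/host-rkt
      mkdir -p "$(dirname "$TEMPLATE")"
      cat << EOF > "$TEMPLATE"
      #!/bin/sh
      # This is bind mounted into the kubelet rootfs and all rkt shell-outs go
      # through this rkt wrapper. It essentially enters the host mount namespace
      # (which it is already in) only for the purpose of breaking out of the chroot
      # before calling rkt. It makes things like rkt gc work and avoids bind mounting
      # in certain rkt filesystem dependancies into the kubelet rootfs. This can
      # eventually be obviated when the write-api stuff gets upstream and rkt gc is
      # through the api-server. Related issue:
      # https://github.com/coreos/rkt/issues/2878
      exec nsenter -m -u -i -n -p -t 1 -- /usr/bin/rkt "\$@"
      EOF
      # cat creates the file non-executable under the usual umask; the wrapper
      # is exec'ed, so give it the execute bit.
      chmod 0755 "$TEMPLATE"

      systemctl enable kubelet
      systemctl --no-block start kubelet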