Change AWS Fedora module to fedora-atomic
This commit is contained in:
parent
4e43b2ff48
commit
9969c357da
|
@ -11,7 +11,7 @@ Typhoon distributes upstream Kubernetes, architectural conventions, and cluster
|
||||||
|
|
||||||
## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
|
## Features <a href="https://www.cncf.io/certification/software-conformance/"><img align="right" src="https://storage.googleapis.com/poseidon/certified-kubernetes.png"></a>
|
||||||
|
|
||||||
* Kubernetes v1.9.6 (upstream, via [kubernetes-incubator/bootkube](https://github.com/kubernetes-incubator/bootkube))
|
* Kubernetes v1.10.0 (upstream, via [kubernetes-incubator/bootkube](https://github.com/kubernetes-incubator/bootkube))
|
||||||
* Single or multi-master, workloads isolated on workers, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
|
* Single or multi-master, workloads isolated on workers, [Calico](https://www.projectcalico.org/) or [flannel](https://github.com/coreos/flannel) networking
|
||||||
* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
|
* On-cluster etcd with TLS, [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/)-enabled, [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
|
||||||
* Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/)
|
* Advanced features like [worker pools](https://typhoon.psdn.io/advanced/worker-pools/)
|
|
@ -14,6 +14,6 @@ data "aws_ami" "fedora" {
|
||||||
|
|
||||||
filter {
|
filter {
|
||||||
name = "name"
|
name = "name"
|
||||||
values = ["Fedora-Cloud-Base-27*-gp2-0"]
|
values = ["Fedora-Atomic-27*-gp2-0"]
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -1,6 +1,6 @@
|
||||||
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
# Self-hosted Kubernetes assets (kubeconfig, manifests)
|
||||||
module "bootkube" {
|
module "bootkube" {
|
||||||
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=5f3546b66ffb9946b36e612537bb6a1830ae7746"
|
source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=61fb176647e15d4d0e72fdccb34d27e47430407c"
|
||||||
|
|
||||||
cluster_name = "${var.cluster_name}"
|
cluster_name = "${var.cluster_name}"
|
||||||
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
api_servers = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
|
||||||
|
@ -11,4 +11,7 @@ module "bootkube" {
|
||||||
pod_cidr = "${var.pod_cidr}"
|
pod_cidr = "${var.pod_cidr}"
|
||||||
service_cidr = "${var.service_cidr}"
|
service_cidr = "${var.service_cidr}"
|
||||||
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
||||||
|
|
||||||
|
# Fedora
|
||||||
|
trusted_certs_dir = "/etc/pki/tls/certs"
|
||||||
}
|
}
|
|
@ -1,15 +1,4 @@
|
||||||
#cloud-config
|
#cloud-config
|
||||||
yum_repos:
|
|
||||||
kubernetes:
|
|
||||||
name: kubernetes
|
|
||||||
baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
|
|
||||||
enabled: true
|
|
||||||
gpgcheck: true
|
|
||||||
gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
|
|
||||||
packages:
|
|
||||||
- [docker, 1.13.1]
|
|
||||||
- [kubelet, 1.10.0]
|
|
||||||
- nfs-utils
|
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/systemd/system/etcd-member.service
|
- path: /etc/systemd/system/etcd-member.service
|
||||||
content: |
|
content: |
|
||||||
|
@ -25,7 +14,7 @@ write_files:
|
||||||
ExecStartPre=/bin/mkdir -p /var/lib/etcd
|
ExecStartPre=/bin/mkdir -p /var/lib/etcd
|
||||||
ExecStart=/usr/bin/docker run --rm --name etcd-member \
|
ExecStart=/usr/bin/docker run --rm --name etcd-member \
|
||||||
--net=host \
|
--net=host \
|
||||||
-v /usr/share/ca-certificates:/usr/share/ca-certificates:ro,z \
|
-v /etc/pki/tls/certs:/usr/share/ca-certificates:ro,z \
|
||||||
-v /etc/ssl/etcd:/etc/ssl/certs:ro,Z \
|
-v /etc/ssl/etcd:/etc/ssl/certs:ro,Z \
|
||||||
-v /var/lib/etcd:/var/lib/etcd:Z \
|
-v /var/lib/etcd:/var/lib/etcd:Z \
|
||||||
--env-file=/etc/etcd/etcd.conf \
|
--env-file=/etc/etcd/etcd.conf \
|
||||||
|
@ -55,12 +44,13 @@ write_files:
|
||||||
ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt
|
ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt
|
||||||
ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key
|
ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key
|
||||||
ETCD_PEER_CLIENT_CERT_AUTH=true
|
ETCD_PEER_CLIENT_CERT_AUTH=true
|
||||||
- path: /etc/systemd/system/kubelet.service.d/10-typhoon.conf
|
- path: /etc/systemd/system/kubelet.service
|
||||||
content: |
|
content: |
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Kubelet
|
Description=Kubelet
|
||||||
Wants=rpc-statd.service
|
Wants=rpc-statd.service
|
||||||
[Service]
|
[Service]
|
||||||
|
WorkingDirectory=/etc/kubernetes
|
||||||
ExecStartPre=/bin/mkdir -p /opt/cni/bin
|
ExecStartPre=/bin/mkdir -p /opt/cni/bin
|
||||||
ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
|
ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
|
||||||
ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
|
ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
|
||||||
|
@ -69,8 +59,11 @@ write_files:
|
||||||
ExecStartPre=/bin/mkdir -p /var/lib/cni
|
ExecStartPre=/bin/mkdir -p /var/lib/cni
|
||||||
ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
|
ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
|
||||||
ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
|
ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
|
||||||
|
# Atomic's system containers and RPMs are old and unfriendly. Use this.
|
||||||
|
ExecStartPre=/usr/bin/curl -L https://dl.k8s.io/v1.10.0/kubernetes-node-linux-amd64.tar.gz -o kubernetes-node-linux-amd64.tar.gz
|
||||||
|
ExecStartPre=/usr/bin/tar xzf kubernetes-node-linux-amd64.tar.gz -C /usr/local/bin --strip-components=3 kubernetes/node/bin/kubelet
|
||||||
ExecStart=
|
ExecStart=
|
||||||
ExecStart=/usr/bin/kubelet \
|
ExecStart=/usr/local/bin/kubelet \
|
||||||
--allow-privileged \
|
--allow-privileged \
|
||||||
--anonymous-auth=false \
|
--anonymous-auth=false \
|
||||||
--cgroup-driver=systemd \
|
--cgroup-driver=systemd \
|
||||||
|
@ -91,43 +84,59 @@ write_files:
|
||||||
RestartSec=10
|
RestartSec=10
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
- path: /etc/systemd/system/kubelet.path
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Description=Watch for kubeconfig
|
||||||
|
[Path]
|
||||||
|
PathExists=/etc/kubernetes/kubeconfig
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
- path: /etc/systemd/system/bootkube.service
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Description=Bootstrap a Kubernetes cluster
|
||||||
|
ConditionPathExists=!/var/bootkube/init_bootkube.done
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=true
|
||||||
|
WorkingDirectory=/var/bootkube
|
||||||
|
ExecStartPre=/bin/mkdir -p /var/bootkube
|
||||||
|
ExecStart=/usr/local/bin/bootkube-start
|
||||||
|
ExecStartPost=/bin/touch /var/bootkube/init_bootkube.done
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
- path: /etc/kubernetes/.keep
|
||||||
- path: /etc/kubernetes/kubeconfig
|
- path: /etc/kubernetes/kubeconfig
|
||||||
permissions: '0644'
|
permissions: '0644'
|
||||||
content: |
|
content: |
|
||||||
${kubeconfig}
|
${kubeconfig}
|
||||||
- path: /etc/selinux/config
|
- path: /etc/selinux/config
|
||||||
|
owner: root:root
|
||||||
|
permissions: '0644'
|
||||||
content: |
|
content: |
|
||||||
SELINUX=permissive
|
SELINUX=permissive
|
||||||
- path: /etc/systemd/system/bootkube.service
|
SELINUXTYPE=targeted
|
||||||
content: |
|
- path: /var/bootkube/.keep
|
||||||
[Unit]
|
- path: /usr/local/bin/bootkube-start
|
||||||
Description=Bootstrap a Kubernetes cluster
|
permissions: '0755'
|
||||||
ConditionPathExists=!/opt/bootkube/init_bootkube.done
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
RemainAfterExit=true
|
|
||||||
WorkingDirectory=/opt/bootkube
|
|
||||||
ExecStart=/opt/bootkube/bootkube-start
|
|
||||||
ExecStartPost=/bin/touch /opt/bootkube/init_bootkube.done
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
- path: /opt/bootkube/bootkube-start
|
|
||||||
permissions: '0544'
|
|
||||||
content: |
|
content: |
|
||||||
#!/bin/bash -e
|
#!/bin/bash -e
|
||||||
# Wrapper for bootkube start
|
# Wrapper for bootkube start
|
||||||
[ -n "$(ls /opt/bootkube/assets/manifests-*/* 2>/dev/null)" ] && mv /opt/bootkube/assets/manifests-*/* /opt/bootkube/assets/manifests && rm -rf /opt/bootkube/assets/manifests-*
|
[ -n "$(ls /var/bootkube/assets/manifests-*/* 2>/dev/null)" ] && mv /var/bootkube/assets/manifests-*/* /var/bootkube/assets/manifests && rm -rf /var/bootkube/assets/manifests-*
|
||||||
/usr/bin/docker run --rm --name bootkube \
|
/usr/bin/docker run --rm --name bootkube \
|
||||||
|
--net=host \
|
||||||
--volume /etc/kubernetes:/etc/kubernetes:Z \
|
--volume /etc/kubernetes:/etc/kubernetes:Z \
|
||||||
--volume /opt/bootkube/assets:/assets:Z \
|
--volume /var/bootkube/assets:/assets:Z \
|
||||||
--entrypoint=/bootkube \
|
--entrypoint=/bootkube \
|
||||||
quay.io/coreos/bootkube:v0.11.0 start --asset-dir=/assets
|
quay.io/coreos/bootkube:v0.11.0 start --asset-dir=/assets
|
||||||
|
bootcmd:
|
||||||
|
- [setenforce, Permissive]
|
||||||
runcmd:
|
runcmd:
|
||||||
- [systemctl, daemon-reload]
|
- [systemctl, daemon-reload]
|
||||||
- [systemctl, enable, docker.service]
|
|
||||||
- [systemctl, start, --no-block, docker.service]
|
|
||||||
- [systemctl, enable, etcd-member.service]
|
- [systemctl, enable, etcd-member.service]
|
||||||
- [systemctl, start, --no-block, etcd-member.service]
|
- [systemctl, start, --no-block, etcd-member.service]
|
||||||
|
- [systemctl, disable, firewalld, --now]
|
||||||
- [systemctl, enable, kubelet.service]
|
- [systemctl, enable, kubelet.service]
|
||||||
- [systemctl, start, --no-block, kubelet.service]
|
- [systemctl, start, --no-block, kubelet.service]
|
||||||
users:
|
users:
|
|
@ -82,7 +82,7 @@ resource "null_resource" "bootkube-start" {
|
||||||
provisioner "remote-exec" {
|
provisioner "remote-exec" {
|
||||||
inline = [
|
inline = [
|
||||||
"while [ ! -f /var/lib/cloud/instance/boot-finished ]; do sleep 4; done",
|
"while [ ! -f /var/lib/cloud/instance/boot-finished ]; do sleep 4; done",
|
||||||
"sudo mv $HOME/assets /opt/bootkube",
|
"sudo mv $HOME/assets /var/bootkube",
|
||||||
"sudo systemctl start bootkube",
|
"sudo systemctl start bootkube",
|
||||||
]
|
]
|
||||||
}
|
}
|
|
@ -14,6 +14,6 @@ data "aws_ami" "fedora" {
|
||||||
|
|
||||||
filter {
|
filter {
|
||||||
name = "name"
|
name = "name"
|
||||||
values = ["Fedora-Cloud-Base-27*-gp2-0"]
|
values = ["Fedora-Atomic-27*-gp2-0"]
|
||||||
}
|
}
|
||||||
}
|
}
|
|
@ -1,22 +1,12 @@
|
||||||
#cloud-config
|
#cloud-config
|
||||||
yum_repos:
|
|
||||||
kubernetes:
|
|
||||||
name: kubernetes
|
|
||||||
baseurl: https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
|
|
||||||
enabled: true
|
|
||||||
gpgcheck: true
|
|
||||||
gpgkey: https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
|
|
||||||
packages:
|
|
||||||
- [docker, 1.13.1]
|
|
||||||
- [kubelet, 1.10.0]
|
|
||||||
- nfs-utils
|
|
||||||
write_files:
|
write_files:
|
||||||
- path: /etc/systemd/system/kubelet.service.d/10-typhoon.conf
|
- path: /etc/systemd/system/kubelet.service
|
||||||
content: |
|
content: |
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Kubelet
|
Description=Kubelet
|
||||||
Wants=rpc-statd.service
|
Wants=rpc-statd.service
|
||||||
[Service]
|
[Service]
|
||||||
|
WorkingDirectory=/etc/kubernetes
|
||||||
ExecStartPre=/bin/mkdir -p /opt/cni/bin
|
ExecStartPre=/bin/mkdir -p /opt/cni/bin
|
||||||
ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
|
ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
|
||||||
ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
|
ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
|
||||||
|
@ -25,8 +15,11 @@ write_files:
|
||||||
ExecStartPre=/bin/mkdir -p /var/lib/cni
|
ExecStartPre=/bin/mkdir -p /var/lib/cni
|
||||||
ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
|
ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
|
||||||
ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
|
ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
|
||||||
|
# Atomic's system containers and RPMs are old and unfriendly. Use this.
|
||||||
|
ExecStartPre=/usr/bin/curl -L https://dl.k8s.io/v1.10.0/kubernetes-node-linux-amd64.tar.gz -o kubernetes-node-linux-amd64.tar.gz
|
||||||
|
ExecStartPre=/usr/bin/tar xzf kubernetes-node-linux-amd64.tar.gz -C /usr/local/bin --strip-components=3 kubernetes/node/bin/kubelet
|
||||||
ExecStart=
|
ExecStart=
|
||||||
ExecStart=/usr/bin/kubelet \
|
ExecStart=/usr/local/bin/kubelet \
|
||||||
--allow-privileged \
|
--allow-privileged \
|
||||||
--anonymous-auth=false \
|
--anonymous-auth=false \
|
||||||
--cgroup-driver=systemd \
|
--cgroup-driver=systemd \
|
||||||
|
@ -45,19 +38,31 @@ write_files:
|
||||||
RestartSec=10
|
RestartSec=10
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
- path: /etc/systemd/system/kubelet.path
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Description=Watch for kubeconfig
|
||||||
|
[Path]
|
||||||
|
PathExists=/etc/kubernetes/kubeconfig
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
- path: /etc/kubernetes/.keep
|
||||||
- path: /etc/kubernetes/kubeconfig
|
- path: /etc/kubernetes/kubeconfig
|
||||||
permissions: '0644'
|
permissions: '0644'
|
||||||
content: |
|
content: |
|
||||||
${kubeconfig}
|
${kubeconfig}
|
||||||
- path: /etc/selinux/config
|
- path: /etc/selinux/config
|
||||||
|
owner: root:root
|
||||||
|
permissions: '0644'
|
||||||
content: |
|
content: |
|
||||||
SELINUX=permissive
|
SELINUX=permissive
|
||||||
|
SELINUXTYPE=targeted
|
||||||
|
bootcmd:
|
||||||
|
- [setenforce, Permissive]
|
||||||
runcmd:
|
runcmd:
|
||||||
- [systemctl, daemon-reload]
|
- [systemctl, daemon-reload]
|
||||||
- [systemctl, enable, docker.service]
|
- [systemctl, disable, firewalld, --now]
|
||||||
- [systemctl, start, --no-block, docker.service]
|
- [systemctl, enable, kubelet.service, --now]
|
||||||
- [systemctl, enable, kubelet.service]
|
|
||||||
- [systemctl, start, --no-block, kubelet.service]
|
|
||||||
users:
|
users:
|
||||||
- default
|
- default
|
||||||
- name: fedora
|
- name: fedora
|
Loading…
Reference in New Issue