Change Flatcar etcd-member.service container from rkt to docker

* Use docker to run the `etcd-member.service` container
* Use env-file `/etc/etcd/etcd.env` like podman on FCOS
* Background: https://github.com/poseidon/typhoon/pull/855
This commit is contained in:
Dalton Hubble 2020-11-03 16:37:09 -08:00
parent 82e5ac3e7c
commit ad1f59ce91
7 changed files with 242 additions and 126 deletions


@ -15,6 +15,7 @@ Notable changes between versions.
### Flatcar Linux ### Flatcar Linux
* Rename `container-linux` modules to `flatcar-linux` ([#858](https://github.com/poseidon/typhoon/issues/858)) (**action required**) * Rename `container-linux` modules to `flatcar-linux` ([#858](https://github.com/poseidon/typhoon/issues/858)) (**action required**)
* Change `etcd-member.service` container runnner from rkt to docker ([#867](https://github.com/poseidon/typhoon/pull/867))
* Change `kubelet.service` container runner from rkt to docker ([#855](https://github.com/poseidon/typhoon/pull/855)) * Change `kubelet.service` container runner from rkt to docker ([#855](https://github.com/poseidon/typhoon/pull/855))
* Change `delete-node.service` to use docker and an inline ExecStart ([#855](https://github.com/poseidon/typhoon/pull/855)) * Change `delete-node.service` to use docker and an inline ExecStart ([#855](https://github.com/poseidon/typhoon/pull/855))
* Fix local node delete oneshot on node shutdown ([#855](https://github.com/poseidon/typhoon/pull/855)) * Fix local node delete oneshot on node shutdown ([#855](https://github.com/poseidon/typhoon/pull/855))


@ -3,30 +3,31 @@ systemd:
units: units:
- name: etcd-member.service - name: etcd-member.service
enabled: true enabled: true
dropins:
- name: 40-etcd-cluster.conf
contents: | contents: |
[Unit]
Description=etcd (System Container)
Documentation=https://github.com/etcd-io/etcd
Requires=docker.service
After=docker.service
[Service] [Service]
Environment="ETCD_IMAGE_TAG=v3.4.12" Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.4.12
Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd" ExecStartPre=/usr/bin/docker run -d \
Environment="RKT_RUN_ARGS=--insecure-options=image" --name etcd \
Environment="ETCD_NAME=${etcd_name}" --network host \
Environment="ETCD_ADVERTISE_CLIENT_URLS=https://${etcd_domain}:2379" --env-file /etc/etcd/etcd.env \
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${etcd_domain}:2380" --user 232:232 \
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379" --volume /etc/ssl/etcd:/etc/ssl/certs:ro \
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380" --volume /var/lib/etcd:/var/lib/etcd:rw \
Environment="ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381" $${ETCD_IMAGE}
Environment="ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}" ExecStart=docker logs -f etcd
Environment="ETCD_STRICT_RECONFIG_CHECK=true" ExecStop=docker stop etcd
Environment="ETCD_SSL_DIR=/etc/ssl/etcd" ExecStopPost=docker rm etcd
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt" Restart=always
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt" RestartSec=10s
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key" TimeoutStartSec=0
Environment="ETCD_CLIENT_CERT_AUTH=true" LimitNOFILE=40000
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt" [Install]
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt" WantedBy=multi-user.target
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
- name: docker.service - name: docker.service
enabled: true enabled: true
- name: locksmithd.service - name: locksmithd.service
@ -49,7 +50,7 @@ systemd:
enabled: true enabled: true
contents: | contents: |
[Unit] [Unit]
Description=Kubelet Description=Kubelet (System Container)
Requires=docker.service Requires=docker.service
After=docker.service After=docker.service
Wants=rpc-statd.service Wants=rpc-statd.service
@ -187,6 +188,28 @@ storage:
contents: contents:
inline: | inline: |
fs.inotify.max_user_watches=16184 fs.inotify.max_user_watches=16184
- path: /etc/etcd/etcd.env
filesystem: root
mode: 0644
contents:
inline: |
ETCD_NAME=${etcd_name}
ETCD_DATA_DIR=/var/lib/etcd
ETCD_ADVERTISE_CLIENT_URLS=https://${etcd_domain}:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${etcd_domain}:2380
ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381
ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}
ETCD_STRICT_RECONFIG_CHECK=true
ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt
ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt
ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt
ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt
ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key
ETCD_PEER_CLIENT_CERT_AUTH=true
passwd: passwd:
users: users:
- name: core - name: core
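Review bot: The new `ExecStartPre=/usr/bin/docker run -d --name etcd` has no tolerance for a stale `etcd` container, so if the daemon restarts while `ExecStart=docker logs -f etcd` is attached, or the host resets before `ExecStopPost=docker rm etcd` runs, the next start fails on the name conflict and `Restart=always` loops on it. A tolerant clean-up step ahead of the run line, `ExecStartPre=-/usr/bin/docker rm -f etcd`, would make the unit self-healing; the same applies to the etcd-member.service hunks in the other four config files. Separately, the container now runs as `--user 232:232` but nothing in this hunk establishes ownership of `/var/lib/etcd` or `/etc/ssl/etcd` for that uid; presumably the data dir and cert provisioning elsewhere already use it, since the rkt path also ran unprivileged, but it is worth confirming on a fresh node. The surrounding `systemd:` block starts before this hunk.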


@ -3,30 +3,31 @@ systemd:
units: units:
- name: etcd-member.service - name: etcd-member.service
enabled: true enabled: true
dropins:
- name: 40-etcd-cluster.conf
contents: | contents: |
[Unit]
Description=etcd (System Container)
Documentation=https://github.com/etcd-io/etcd
Requires=docker.service
After=docker.service
[Service] [Service]
Environment="ETCD_IMAGE_TAG=v3.4.12" Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.4.12
Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd" ExecStartPre=/usr/bin/docker run -d \
Environment="RKT_RUN_ARGS=--insecure-options=image" --name etcd \
Environment="ETCD_NAME=${etcd_name}" --network host \
Environment="ETCD_ADVERTISE_CLIENT_URLS=https://${etcd_domain}:2379" --env-file /etc/etcd/etcd.env \
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${etcd_domain}:2380" --user 232:232 \
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379" --volume /etc/ssl/etcd:/etc/ssl/certs:ro \
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380" --volume /var/lib/etcd:/var/lib/etcd:rw \
Environment="ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381" $${ETCD_IMAGE}
Environment="ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}" ExecStart=docker logs -f etcd
Environment="ETCD_STRICT_RECONFIG_CHECK=true" ExecStop=docker stop etcd
Environment="ETCD_SSL_DIR=/etc/ssl/etcd" ExecStopPost=docker rm etcd
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt" Restart=always
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt" RestartSec=10s
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key" TimeoutStartSec=0
Environment="ETCD_CLIENT_CERT_AUTH=true" LimitNOFILE=40000
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt" [Install]
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt" WantedBy=multi-user.target
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
- name: docker.service - name: docker.service
enabled: true enabled: true
- name: locksmithd.service - name: locksmithd.service
@ -49,7 +50,7 @@ systemd:
enabled: true enabled: true
contents: | contents: |
[Unit] [Unit]
Description=Kubelet Description=Kubelet (System Container)
Requires=docker.service Requires=docker.service
After=docker.service After=docker.service
Wants=rpc-statd.service Wants=rpc-statd.service
@ -187,6 +188,28 @@ storage:
contents: contents:
inline: | inline: |
fs.inotify.max_user_watches=16184 fs.inotify.max_user_watches=16184
- path: /etc/etcd/etcd.env
filesystem: root
mode: 0644
contents:
inline: |
ETCD_NAME=${etcd_name}
ETCD_DATA_DIR=/var/lib/etcd
ETCD_ADVERTISE_CLIENT_URLS=https://${etcd_domain}:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${etcd_domain}:2380
ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381
ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}
ETCD_STRICT_RECONFIG_CHECK=true
ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt
ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt
ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt
ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt
ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key
ETCD_PEER_CLIENT_CERT_AUTH=true
passwd: passwd:
users: users:
- name: core - name: core


@ -3,30 +3,31 @@ systemd:
units: units:
- name: etcd-member.service - name: etcd-member.service
enabled: true enabled: true
dropins:
- name: 40-etcd-cluster.conf
contents: | contents: |
[Unit]
Description=etcd (System Container)
Documentation=https://github.com/etcd-io/etcd
Requires=docker.service
After=docker.service
[Service] [Service]
Environment="ETCD_IMAGE_TAG=v3.4.12" Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.4.12
Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd" ExecStartPre=/usr/bin/docker run -d \
Environment="RKT_RUN_ARGS=--insecure-options=image" --name etcd \
Environment="ETCD_NAME=${etcd_name}" --network host \
Environment="ETCD_ADVERTISE_CLIENT_URLS=https://${domain_name}:2379" --env-file /etc/etcd/etcd.env \
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${domain_name}:2380" --user 232:232 \
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379" --volume /etc/ssl/etcd:/etc/ssl/certs:ro \
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380" --volume /var/lib/etcd:/var/lib/etcd:rw \
Environment="ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381" $${ETCD_IMAGE}
Environment="ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}" ExecStart=docker logs -f etcd
Environment="ETCD_STRICT_RECONFIG_CHECK=true" ExecStop=docker stop etcd
Environment="ETCD_SSL_DIR=/etc/ssl/etcd" ExecStopPost=docker rm etcd
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt" Restart=always
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt" RestartSec=10s
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key" TimeoutStartSec=0
Environment="ETCD_CLIENT_CERT_AUTH=true" LimitNOFILE=40000
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt" [Install]
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt" WantedBy=multi-user.target
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
- name: docker.service - name: docker.service
enabled: true enabled: true
- name: locksmithd.service - name: locksmithd.service
@ -57,7 +58,7 @@ systemd:
- name: kubelet.service - name: kubelet.service
contents: | contents: |
[Unit] [Unit]
Description=Kubelet Description=Kubelet (System Container)
Requires=docker.service Requires=docker.service
After=docker.service After=docker.service
Wants=rpc-statd.service Wants=rpc-statd.service
@ -201,6 +202,28 @@ storage:
contents: contents:
inline: | inline: |
fs.inotify.max_user_watches=16184 fs.inotify.max_user_watches=16184
- path: /etc/etcd/etcd.env
filesystem: root
mode: 0644
contents:
inline: |
ETCD_NAME=${etcd_name}
ETCD_DATA_DIR=/var/lib/etcd
ETCD_ADVERTISE_CLIENT_URLS=https://${domain_name}:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${domain_name}:2380
ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381
ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}
ETCD_STRICT_RECONFIG_CHECK=true
ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt
ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt
ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt
ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt
ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key
ETCD_PEER_CLIENT_CERT_AUTH=true
passwd: passwd:
users: users:
- name: core - name: core


@ -3,30 +3,31 @@ systemd:
units: units:
- name: etcd-member.service - name: etcd-member.service
enabled: true enabled: true
dropins:
- name: 40-etcd-cluster.conf
contents: | contents: |
[Unit]
Description=etcd (System Container)
Documentation=https://github.com/etcd-io/etcd
Requires=docker.service
After=docker.service
[Service] [Service]
Environment="ETCD_IMAGE_TAG=v3.4.12" Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.4.12
Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd" ExecStartPre=/usr/bin/docker run -d \
Environment="RKT_RUN_ARGS=--insecure-options=image" --name etcd \
Environment="ETCD_NAME=${etcd_name}" --network host \
Environment="ETCD_ADVERTISE_CLIENT_URLS=https://${etcd_domain}:2379" --env-file /etc/etcd/etcd.env \
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${etcd_domain}:2380" --user 232:232 \
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379" --volume /etc/ssl/etcd:/etc/ssl/certs:ro \
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380" --volume /var/lib/etcd:/var/lib/etcd:rw \
Environment="ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381" $${ETCD_IMAGE}
Environment="ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}" ExecStart=docker logs -f etcd
Environment="ETCD_STRICT_RECONFIG_CHECK=true" ExecStop=docker stop etcd
Environment="ETCD_SSL_DIR=/etc/ssl/etcd" ExecStopPost=docker rm etcd
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt" Restart=always
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt" RestartSec=10s
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key" TimeoutStartSec=0
Environment="ETCD_CLIENT_CERT_AUTH=true" LimitNOFILE=40000
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt" [Install]
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt" WantedBy=multi-user.target
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
- name: docker.service - name: docker.service
enabled: true enabled: true
- name: locksmithd.service - name: locksmithd.service
@ -57,7 +58,7 @@ systemd:
- name: kubelet.service - name: kubelet.service
contents: | contents: |
[Unit] [Unit]
Description=Kubelet Description=Kubelet(System Container)
Requires=docker.service Requires=docker.service
After=docker.service After=docker.service
Requires=coreos-metadata.service Requires=coreos-metadata.service
@ -194,3 +195,25 @@ storage:
contents: contents:
inline: | inline: |
fs.inotify.max_user_watches=16184 fs.inotify.max_user_watches=16184
- path: /etc/etcd/etcd.env
filesystem: root
mode: 0644
contents:
inline: |
ETCD_NAME=${etcd_name}
ETCD_DATA_DIR=/var/lib/etcd
ETCD_ADVERTISE_CLIENT_URLS=https://${etcd_domain}:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${etcd_domain}:2380
ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381
ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}
ETCD_STRICT_RECONFIG_CHECK=true
ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt
ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt
ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt
ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt
ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key
ETCD_PEER_CLIENT_CERT_AUTH=true
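Review bot: The kubelet hunk in this file writes `Description=Kubelet(System Container)` without the space that the same line gets in the other four files; for consistency it should read `Description=Kubelet (System Container)`. The kubelet.service unit starts before and continues past that hunk, so nothing else in it is visible here.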


@ -35,7 +35,7 @@ Together, they diversify Typhoon to support a range of container technologies.
| control plane | static pods | static pods | | control plane | static pods | static pods |
| kubelet image | kubelet [image](https://github.com/poseidon/kubelet) with upstream binary | kubelet [image](https://github.com/poseidon/kubelet) with upstream binary | | kubelet image | kubelet [image](https://github.com/poseidon/kubelet) with upstream binary | kubelet [image](https://github.com/poseidon/kubelet) with upstream binary |
| control plane images | upstream images | upstream images | | control plane images | upstream images | upstream images |
| on-host etcd | rkt-fly | podman | | on-host etcd | docker | podman |
| on-host kubelet | docker | podman | | on-host kubelet | docker | podman |
| CNI plugins | calico, cilium, flannel | calico, cilium, flannel | | CNI plugins | calico, cilium, flannel | calico, cilium, flannel |
| coordinated drain & OS update | [FLUO](https://github.com/kinvolk/flatcar-linux-update-operator) addon | [fleetlock](https://github.com/poseidon/fleetlock) | | coordinated drain & OS update | [FLUO](https://github.com/kinvolk/flatcar-linux-update-operator) addon | [fleetlock](https://github.com/poseidon/fleetlock) |


@ -3,30 +3,31 @@ systemd:
units: units:
- name: etcd-member.service - name: etcd-member.service
enabled: true enabled: true
dropins:
- name: 40-etcd-cluster.conf
contents: | contents: |
[Unit]
Description=etcd (System Container)
Documentation=https://github.com/etcd-io/etcd
Requires=docker.service
After=docker.service
[Service] [Service]
Environment="ETCD_IMAGE_TAG=v3.4.12" Environment=ETCD_IMAGE=quay.io/coreos/etcd:v3.4.12
Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd" ExecStartPre=/usr/bin/docker run -d \
Environment="RKT_RUN_ARGS=--insecure-options=image" --name etcd \
Environment="ETCD_NAME=${etcd_name}" --network host \
Environment="ETCD_ADVERTISE_CLIENT_URLS=https://${etcd_domain}:2379" --env-file /etc/etcd/etcd.env \
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${etcd_domain}:2380" --user 232:232 \
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379" --volume /etc/ssl/etcd:/etc/ssl/certs:ro \
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380" --volume /var/lib/etcd:/var/lib/etcd:rw \
Environment="ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381" $${ETCD_IMAGE}
Environment="ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}" ExecStart=docker logs -f etcd
Environment="ETCD_STRICT_RECONFIG_CHECK=true" ExecStop=docker stop etcd
Environment="ETCD_SSL_DIR=/etc/ssl/etcd" ExecStopPost=docker rm etcd
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt" Restart=always
Environment="ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt" RestartSec=10s
Environment="ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key" TimeoutStartSec=0
Environment="ETCD_CLIENT_CERT_AUTH=true" LimitNOFILE=40000
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt" [Install]
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt" WantedBy=multi-user.target
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"
- name: docker.service - name: docker.service
enabled: true enabled: true
- name: locksmithd.service - name: locksmithd.service
@ -49,7 +50,7 @@ systemd:
enabled: true enabled: true
contents: | contents: |
[Unit] [Unit]
Description=Kubelet Description=Kubelet (System Container)
Requires=docker.service Requires=docker.service
After=docker.service After=docker.service
Wants=rpc-statd.service Wants=rpc-statd.service
@ -185,6 +186,28 @@ storage:
contents: contents:
inline: | inline: |
fs.inotify.max_user_watches=16184 fs.inotify.max_user_watches=16184
- path: /etc/etcd/etcd.env
filesystem: root
mode: 0644
contents:
inline: |
ETCD_NAME=${etcd_name}
ETCD_DATA_DIR=/var/lib/etcd
ETCD_ADVERTISE_CLIENT_URLS=https://${etcd_domain}:2379
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://${etcd_domain}:2380
ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379
ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380
ETCD_LISTEN_METRICS_URLS=http://0.0.0.0:2381
ETCD_INITIAL_CLUSTER=${etcd_initial_cluster}
ETCD_STRICT_RECONFIG_CHECK=true
ETCD_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/server-ca.crt
ETCD_CERT_FILE=/etc/ssl/certs/etcd/server.crt
ETCD_KEY_FILE=/etc/ssl/certs/etcd/server.key
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/certs/etcd/peer-ca.crt
ETCD_PEER_CERT_FILE=/etc/ssl/certs/etcd/peer.crt
ETCD_PEER_KEY_FILE=/etc/ssl/certs/etcd/peer.key
ETCD_PEER_CLIENT_CERT_AUTH=true
passwd: passwd:
users: users:
- name: core - name: core