#cloud-config --- hostname: users: - name: core ssh-authorized-keys: - "" groups: - sudo shell: /bin/bash write_files: - path: /etc/cni/net.d/10-calico.conf owner: root permissions: 0755 content: | { "name": "calico-k8s-network", "type": "calico", "etcd_authority": ":6666", "log_level": "info", "ipam": { "type": "calico-ipam" } } - path: /opt/bin/kubernetes-install.sh owner: root permissions: 0755 content: | #! /usr/bin/bash set -e if [ ! -f /opt/bin/kubelet ]; then echo "Kubenetes not installed - installing." # Extract the Kubernetes binaries. sudo wget -N -P /opt/bin http://storage.googleapis.com/kubernetes-release/release/v1.1.3/bin/linux/amd64/kubelet sudo chmod +x /opt/bin/kubelet # Create required folders sudo mkdir -p /etc/kubernetes/manifests/ sudo mkdir -p /etc/kubernetes/ssl/ fi - path: /opt/bin/calico-install.sh owner: root permissions: 0755 content: | #! /usr/bin/bash set -e if [ ! -f /opt/bin/calicoctl ]; then echo "Calico not installed - installing." # Install the `calicoctl` binary wget https://github.com/projectcalico/calico-docker/releases/download/v0.14.0/calicoctl chmod +x calicoctl sudo mv calicoctl /opt/bin # Fetch the calico/node container sudo docker pull calico/node:v0.14.0 # Install the CNI plugin. sudo mkdir -p /opt/cni/bin/ sudo wget -N -P /opt/cni/bin/ https://github.com/projectcalico/calico-cni/releases/download/v1.0.0/calico sudo wget -N -P /opt/cni/bin/ https://github.com/projectcalico/calico-cni/releases/download/v1.0.0/calico-ipam sudo chmod +x /opt/cni/bin/calico /opt/cni/bin/calico-ipam fi - path: /etc/kubernetes/ssl/worker-openssl.cnf owner: root permissions: 0755 content: | [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] IP.1 = $ENV::WORKER_IP - path: /etc/kubernetes/ssl/generate-tls-keys.sh owner: root permissions: 0755 content: | #! /usr/bin/bash # Generates a set of TLS keys for this node to access the API server. set -e if [ ! -f /etc/kubernetes/ssl/worker.pem ]; then echo "Generating TLS keys." cd /etc/kubernetes/ssl openssl genrsa -out worker-key.pem 2048 WORKER_IP=${1} openssl req -new -key worker-key.pem -out worker.csr -subj "/CN=worker" -config worker-openssl.cnf WORKER_IP=${1} openssl x509 -req -in worker.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out worker.pem -days 365 -extensions v3_req -extfile worker-openssl.cnf fi # Set permissions. sudo chmod 600 /etc/kubernetes/ssl/worker-key.pem sudo chown root:root /etc/kubernetes/ssl/worker-key.pem - path: /etc/kubernetes/ssl/ca.pem owner: core permissions: 0644 content: | - path: /etc/kubernetes/ssl/ca-key.pem owner: core permissions: 0644 content: | - path: /etc/kubernetes/worker-kubeconfig.yaml owner: root permissions: 0755 content: | apiVersion: v1 kind: Config clusters: - name: local cluster: certificate-authority: /etc/kubernetes/ssl/ca.pem users: - name: kubelet user: client-certificate: /etc/kubernetes/ssl/worker.pem client-key: /etc/kubernetes/ssl/worker-key.pem contexts: - context: cluster: local user: kubelet name: kubelet-context current-context: kubelet-context - path: /etc/kubernetes/manifests/kube-proxy.manifest owner: root permissions: 0755 content: | apiVersion: v1 kind: Pod metadata: name: kube-proxy spec: hostNetwork: true containers: - name: kube-proxy image: gcr.io/google_containers/hyperkube:v1.1.3 command: - /hyperkube - proxy - --master=https://:443 - --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml - --proxy-mode=iptables securityContext: privileged: true volumeMounts: - mountPath: /etc/ssl/certs name: "ssl-certs" - mountPath: /etc/kubernetes/worker-kubeconfig.yaml name: "kubeconfig" readOnly: true - mountPath: /etc/kubernetes/ssl name: "etc-kube-ssl" readOnly: true volumes: - name: "ssl-certs" hostPath: path: "/usr/share/ca-certificates" - name: "kubeconfig" hostPath: path: "/etc/kubernetes/worker-kubeconfig.yaml" - name: "etc-kube-ssl" hostPath: path: "/etc/kubernetes/ssl" coreos: update: reboot-strategy: off units: - name: setup-network-environment.service runtime: true command: start content: | [Unit] Description=Setup Network Environment Documentation=https://github.com/kelseyhightower/setup-network-environment Requires=network-online.target After=network-online.target [Service] ExecStartPre=-/usr/bin/mkdir -p /opt/bin ExecStartPre=-/usr/bin/wget -N -P /opt/bin https://github.com/kelseyhightower/setup-network-environment/releases/download/1.0.1/setup-network-environment ExecStartPre=-/usr/bin/chmod +x /opt/bin/setup-network-environment ExecStart=/opt/bin/setup-network-environment RemainAfterExit=yes Type=oneshot - name: generate-tls-keys.service runtime: true command: start content: | [Unit] Description=Generates TLS keys for this node After=setup-network-environment.service Requires=setup-network-environment.service [Service] EnvironmentFile=/etc/network-environment ExecStart=/etc/kubernetes/ssl/generate-tls-keys.sh ${DEFAULT_IPV4} RemainAfterExit=yes Type=oneshot - name: kubernetes-install.service runtime: true command: start content: | [Unit] Description=Installs Kubernetes tools After=network-online.target Requires=network-online.target [Service] ExecStart=/opt/bin/kubernetes-install.sh RemainAfterExit=yes Type=oneshot - name: calico-install.service runtime: true command: start content: | [Unit] Description=Installs Calico tools After=kubernetes-install.service Requires=docker.service [Service] ExecStart=/opt/bin/calico-install.sh RemainAfterExit=yes Type=oneshot - name: calico-node.service runtime: true command: start content: | [Unit] Description=Calico per-node agent Documentation=https://github.com/projectcalico/calico-docker After=docker.service Requires=docker.service [Service] User=root EnvironmentFile=/etc/network-environment Environment="ETCD_AUTHORITY=:6666" PermissionsStartOnly=true ExecStart=/opt/bin/calicoctl node --ip=${DEFAULT_IPV4} --detach=false Restart=always RestartSec=10 [Install] WantedBy=multi-user.target - name: kubelet.service runtime: true command: start content: | [Unit] Description=Kubernetes Kubelet Documentation=https://github.com/kubernetes/kubernetes After=calico-node.service generate-tls-keys.service Requires=calico-node.service generate-tls-keys.service [Service] EnvironmentFile=/etc/network-environment ExecStart=/opt/bin/kubelet \ --port=10250 \ --address=0.0.0.0 \ --allow-privileged=true \ --cluster-dns=10.100.0.10 \ --cluster-domain=cluster.local \ --config=/etc/kubernetes/manifests \ --hostname-override=${DEFAULT_IPV4} \ --api-servers=https://:443 \ --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \ --tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem \ --tls-cert-file=/etc/kubernetes/ssl/worker.pem \ --logtostderr=true \ --network-plugin=cni \ --network-plugin-dir=/etc/cni/net.d Restart=always RestartSec=10 [Install] WantedBy=multi-user.target