0107d41fcc
Add serverTLSBootstrap=true to the Kubelet config when doing kubeadm init for initializing a kubernetes cluster. This change will provision signed certs for kubelet instead of self-signed ones. This is a requirement for installing metrics-server.
124 lines
3.2 KiB
Ruby
Executable File
124 lines
3.2 KiB
Ruby
Executable File
#!/bin/env ruby
|
|
# frozen_string_literal: true
|
|
|
|
require "json"
|
|
require "yaml"
|
|
require_relative "../../common/lib/util"
|
|
|
|
params = JSON.parse($stdin.read)
|
|
|
|
begin
|
|
cluster_name = params.fetch("cluster_name")
|
|
lb_hostname = params.fetch("lb_hostname")
|
|
port = params.fetch("port")
|
|
private_subnet_cidr4 = params.fetch("private_subnet_cidr4")
|
|
private_subnet_cidr6 = params.fetch("private_subnet_cidr6")
|
|
node_name = params.fetch("node_name")
|
|
node_ipv4 = params.fetch("node_ipv4")
|
|
node_ipv6 = params.fetch("node_ipv6")
|
|
service_subnet_cidr6 = params.fetch("service_subnet_cidr6")
|
|
rescue KeyError => e
|
|
puts "Needed #{e.key} in parameters"
|
|
exit 1
|
|
end
|
|
service_account_name = "k8s-access"
|
|
secret_name = service_account_name
|
|
|
|
init_config = {
|
|
"apiVersion" => "kubeadm.k8s.io/v1beta4",
|
|
"kind" => "InitConfiguration",
|
|
"nodeRegistration" => {
|
|
"name" => node_name,
|
|
"kubeletExtraArgs" => [
|
|
{
|
|
"name" => "node-ip",
|
|
"value" => "#{node_ipv4},#{node_ipv6}"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
|
|
cluster_config = {
|
|
"apiVersion" => "kubeadm.k8s.io/v1beta4",
|
|
"kind" => "ClusterConfiguration",
|
|
"clusterName" => cluster_name,
|
|
"controlPlaneEndpoint" => "#{lb_hostname}:#{port}",
|
|
"apiServer" => {
|
|
"certSANs" => [lb_hostname],
|
|
"extraArgs" => [
|
|
{
|
|
"name" => "bind-address",
|
|
"value" => "::"
|
|
},
|
|
{
|
|
"name" => "advertise-address",
|
|
"value" => node_ipv4
|
|
}
|
|
]
|
|
},
|
|
"networking" => {
|
|
"podSubnet" => "#{private_subnet_cidr4},#{private_subnet_cidr6}",
|
|
"serviceSubnet" => "10.96.0.0/12,#{service_subnet_cidr6}"
|
|
},
|
|
"controllerManager" => {
|
|
"extraArgs" => [
|
|
{
|
|
"name" => "allocate-node-cidrs",
|
|
"value" => "false"
|
|
}
|
|
]
|
|
},
|
|
"etcd" => {
|
|
"local" => {
|
|
"dataDir" => "/var/lib/etcd"
|
|
}
|
|
}
|
|
}
|
|
|
|
kubelet_config = {
|
|
"apiVersion" => "kubelet.config.k8s.io/v1beta1",
|
|
"kind" => "KubeletConfiguration",
|
|
"serverTLSBootstrap" => true
|
|
}
|
|
|
|
config_path = "/tmp/kubeadm-config.yaml"
|
|
File.open(config_path, "w") do |file|
|
|
file.write(init_config.to_yaml)
|
|
file.write("---\n")
|
|
file.write(cluster_config.to_yaml)
|
|
file.write("---\n")
|
|
file.write(kubelet_config.to_yaml)
|
|
end
|
|
|
|
r("sudo kubeadm init --config #{config_path} --node-name #{node_name}")
|
|
r("sudo /home/ubi/kubernetes/bin/setup-cni")
|
|
|
|
api_server_up = false
|
|
5.times do
|
|
r("kubectl --kubeconfig=/etc/kubernetes/admin.conf get --raw='/healthz'")
|
|
api_server_up = true
|
|
break
|
|
rescue CommandFail
|
|
puts "API server is not up yet, retrying in 5 seconds..."
|
|
sleep 5
|
|
end
|
|
|
|
unless api_server_up
|
|
puts "API server is not healthy. Could not create customer credentials."
|
|
exit 1
|
|
end
|
|
|
|
r "kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-system create serviceaccount #{service_account_name}"
|
|
r "kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-system create clusterrolebinding #{service_account_name}-binding --clusterrole=cluster-admin --serviceaccount=kube-system:#{service_account_name}"
|
|
r "kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f - <<EOF
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: #{secret_name}
|
|
namespace: kube-system
|
|
annotations:
|
|
kubernetes.io/service-account.name: #{service_account_name}
|
|
type: kubernetes.io/service-account-token
|
|
EOF
|
|
"
|