From 4e74ae657cb02abb44f342b94c69f30ec9cb3e85 Mon Sep 17 00:00:00 2001 
From: Dalton Hubble Date: Mon, 1 Feb 2016 23:24:17 -0800 Subject: [PATCH] examples: Combine etcd, k8s, docker, and rkt examples * Different sets of examples subfolders are not needed --- Documentation/physical-hardware.md | 2 +- Documentation/rkt.md | 2 +- Documentation/virtual-hardware.md | 9 +-- examples/README.md | 61 ++++++++++++++++--- .../master.sh => cloud/kubernetes-master.sh} | 22 +++---- .../worker.sh => cloud/kubernetes-worker.sh} | 18 +++--- examples/dev/cloud/default.yaml | 13 ---- examples/dev/cloud/node1.yaml | 13 ---- examples/dev/cloud/node2.yaml | 13 ---- examples/dev/config.yaml | 26 -------- examples/dev/ignition/node1.json | 1 - examples/dev/ignition/node1.yaml | 39 ------------ examples/dev/ignition/node2.json | 1 - examples/dev/ignition/node2.yaml | 26 -------- examples/dev/specs/default/spec.json | 13 ---- examples/dev/specs/node1/spec.json | 15 ----- examples/dev/specs/node2/spec.json | 15 ----- examples/{etcd-large => }/etcd-docker.yaml | 0 examples/{etcd-large => }/etcd-rkt.yaml | 0 examples/etcd-small/cloud/etcd.yaml | 12 ---- examples/etcd-small/cloud/worker.yaml | 13 ---- examples/etcd-small/config.yaml | 10 --- examples/etcd-small/ignition/etcd.json | 11 ---- examples/etcd-small/specs/etcd/spec.json | 15 ----- examples/etcd-small/specs/worker/spec.json | 13 ---- examples/{etcd-large => }/ignition/etcd.json | 0 examples/{etcd-large => }/ignition/etcd.yaml | 0 .../{etcd-large => }/ignition/etcd_proxy.json | 0 .../{etcd-large => }/ignition/etcd_proxy.yaml | 0 .../{kubernetes => }/ignition/network.json | 0 .../{kubernetes => }/ignition/network.yaml | 0 .../config.yaml => k8s-docker.yaml} | 17 ++++++ examples/kubeconfig | 19 ++++++ examples/kubernetes/README.md | 51 ---------------- examples/kubernetes/cloud/etcd.yaml | 18 ------ examples/kubernetes/kubeconfig | 19 ------ examples/kubernetes/scripts/generate-tls | 15 ----- examples/kubernetes/specs/etcd/spec.json | 15 ----- .../{etcd-large => }/specs/etcd/spec.json | 0 
.../specs/etcd_proxy/spec.json | 0 .../specs/kubernetes-master/spec.json | 2 +- .../specs/kubernetes-worker/spec.json | 2 +- scripts/tls/generate-kubernetes-secrets | 14 +++++ .../scripts => scripts/tls}/kubernetes-cert | 0 .../scripts => scripts/tls}/root-ca | 0 45 files changed, 131 insertions(+), 404 deletions(-) rename examples/{kubernetes/cloud/master.sh => cloud/kubernetes-master.sh} (97%) rename examples/{kubernetes/cloud/worker.sh => cloud/kubernetes-worker.sh} (91%) delete mode 100644 examples/dev/cloud/default.yaml delete mode 100644 examples/dev/cloud/node1.yaml delete mode 100644 examples/dev/cloud/node2.yaml delete mode 100644 examples/dev/config.yaml delete mode 100644 examples/dev/ignition/node1.json delete mode 100644 examples/dev/ignition/node1.yaml delete mode 100644 examples/dev/ignition/node2.json delete mode 100644 examples/dev/ignition/node2.yaml delete mode 100644 examples/dev/specs/default/spec.json delete mode 100644 examples/dev/specs/node1/spec.json delete mode 100644 examples/dev/specs/node2/spec.json rename examples/{etcd-large => }/etcd-docker.yaml (100%) rename examples/{etcd-large => }/etcd-rkt.yaml (100%) delete mode 100644 examples/etcd-small/cloud/etcd.yaml delete mode 100644 examples/etcd-small/cloud/worker.yaml delete mode 100644 examples/etcd-small/config.yaml delete mode 100644 examples/etcd-small/ignition/etcd.json delete mode 100644 examples/etcd-small/specs/etcd/spec.json delete mode 100644 examples/etcd-small/specs/worker/spec.json rename examples/{etcd-large => }/ignition/etcd.json (100%) rename examples/{etcd-large => }/ignition/etcd.yaml (100%) rename examples/{etcd-large => }/ignition/etcd_proxy.json (100%) rename examples/{etcd-large => }/ignition/etcd_proxy.yaml (100%) rename examples/{kubernetes => }/ignition/network.json (100%) rename examples/{kubernetes => }/ignition/network.yaml (100%) rename examples/{kubernetes/config.yaml => k8s-docker.yaml} (53%) create mode 100644 examples/kubeconfig delete mode 100644 
examples/kubernetes/README.md delete mode 100644 examples/kubernetes/cloud/etcd.yaml delete mode 100644 examples/kubernetes/kubeconfig delete mode 100755 examples/kubernetes/scripts/generate-tls delete mode 100644 examples/kubernetes/specs/etcd/spec.json rename examples/{etcd-large => }/specs/etcd/spec.json (100%) rename examples/{etcd-large => }/specs/etcd_proxy/spec.json (100%) rename examples/{kubernetes => }/specs/kubernetes-master/spec.json (93%) rename examples/{kubernetes => }/specs/kubernetes-worker/spec.json (93%) create mode 100755 scripts/tls/generate-kubernetes-secrets rename {examples/kubernetes/scripts => scripts/tls}/kubernetes-cert (100%) rename {examples/kubernetes/scripts => scripts/tls}/root-ca (100%) diff --git a/Documentation/physical-hardware.md b/Documentation/physical-hardware.md index e6845175..e62c7e5f 100644 --- a/Documentation/physical-hardware.md +++ b/Documentation/physical-hardware.md @@ -21,7 +21,7 @@ Set up `coreos/bootcfg` according to the [docs](bootcfg.md). Pull the `coreos/bo Run the `bootcfg` container to serve configs for any of the network environments we'll discuss next. - docker run -p 8080:8080 --net=host --name=bootcfg --rm -v $PWD/examples/dev:/data:Z -v $PWD/assets:/assets:Z coreos/bootcfg:latest -address=0.0.0.0:8080 [-log-level=debug] + docker run -p 8080:8080 --net=host --name=bootcfg --rm -v $PWD/examples:/data:Z -v $PWD/assets:/assets:Z coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug -config /data/etcd-docker.yaml Note, the kernel options in the `Spec` [examples](../examples) reference 172.17.0.2 (the libvirt case). Your kernel cmdline options should reference the IP or DNS name where `bootcfg` runs. diff --git a/Documentation/rkt.md b/Documentation/rkt.md index 93c7b054..716ea89b 100644 --- a/Documentation/rkt.md +++ b/Documentation/rkt.md 
@@ -43,7 +43,7 @@ Run the config server on `metal0` with the IP address corresponding to the examp The insecure flag is needed because Docker images do not support signature verification. - sudo rkt run --net=metal0:IP=172.15.0.2 --mount volume=assets,target=/assets --volume assets,kind=host,source=$PWD/assets --mount volume=data,target=/data --volume data,kind=host,source=$PWD/examples/etcd-large quay.io/coreos/bootcfg -- -address=0.0.0.0:8080 -log-level=debug + sudo rkt run --net=metal0:IP=172.15.0.2 --mount volume=assets,target=/assets --volume assets,kind=host,source=$PWD/assets --mount volume=data,target=/data --volume data,kind=host,source=$PWD/examples quay.io/coreos/bootcfg -- -address=0.0.0.0:8080 -log-level=debug -config /data/etcd-rkt.yaml If you get an error about the IP being assigned already. diff --git a/Documentation/virtual-hardware.md b/Documentation/virtual-hardware.md index bc6400ef..0e4b4a48 100644 --- a/Documentation/virtual-hardware.md +++ b/Documentation/virtual-hardware.md 
@@ -10,11 +10,11 @@ Docker containers run on the `docker0` virtual bridge, typically on a subnet 172 ## Config Service -Set up `coreos/bootcfg` according to the [docs](bootcfg.md). Pull the `coreos/bootcfg` image, prepare a data volume with `Machine` definitions, `Spec` definitions and ignition/cloud configs. Optionally, include a volume of downloaded image assets. +Set up `coreos/bootcfg` according to the [docs](bootcfg.md). Pull the `coreos/bootcfg` image, prepare a data volume with `Spec` definitions and ignition/cloud configs. Optionally, include a volume of downloaded image assets. Run the `bootcfg` container to serve configs for any of the network environments we'll discuss next. - docker run -p 8080:8080 --name=bootcfg --rm -v $PWD/examples/dev:/data:Z -v $PWD/assets:/assets:Z coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug + docker run -p 8080:8080 --name=bootcfg --rm -v $PWD/examples:/data:Z -v $PWD/assets:/assets:Z coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug -config /data/etcd-docker.yaml Note, the kernel options in the `Spec` [examples](../examples) reference 172.17.0.2, the first container IP Docker is likely to assign to `bootcfg`. Ensure your kernel options point to where `bootcfg` runs. @@ -91,8 +91,9 @@ Create 5 libvirt VM nodes configured to boot from the network. The `scripts/libv sudo ./scripts/libvirt USAGE: libvirt Commands: - create create 5 libvirt nodes - start start 5 libvirt nodes + create-docker create 5 libvirt nodes on the docker0 bridge + create-rkt create 5 libvirt nodes on a rkt CNI metal0 bridge + start start the 5 libvirt nodes reboot reboot the 5 libvirt nodes shutdown shutdown the 5 libvirt nodes poweroff poweroff the 5 libvirt nodes diff --git a/examples/README.md b/examples/README.md index b4512e9b..159c0760 100644 --- a/examples/README.md +++ b/examples/README.md 
@@ -5,7 +5,6 @@ Examples contains Config Service data directories showcasing different network-b | Name | Description | Docs | |------------|-------------|----------------| -| etcd-small | Cluster with 1 etcd node, 4 proxies | [reference](https://coreos.com/os/docs/latest/cluster-architectures.html) | | etcd-large | Cluster with 3 etcd nodes, 2 proxies | [reference](https://coreos.com/os/docs/latest/cluster-architectures.html) | | kubernetes | Kubernetes cluster with 1 master, 1 worker, 1 dedicated etcd node | [reference](https://github.com/coreos/coreos-kubernetes) | @@ -49,19 +48,15 @@ Let's run the config service on the virtual network. Run the command for the example you wish to use. -**etcd-small Cluster** +**etcd Cluster** - docker run -p 8080:8080 --name=bootcfg --rm -v $PWD/examples/etcd-small:/data:Z -v $PWD/assets:/assets:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug - -**etcd-large Cluster** - - docker run -p 8080:8080 --name=bootcfg --rm -v $PWD/examples/etcd-large:/data:Z -v $PWD/assets:/assets:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug + sudo docker run -p 8080:8080 --rm -v $PWD/examples:/data:Z -v $PWD/assets:/assets:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug -config /data/etcd-docker.yaml **Kubernetes Cluster** - docker run -p 8080:8080 --name=bootcfg --rm -v $PWD/examples/kubernetes:/data:Z -v $PWD/assets:/assets:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug + sudo docker run -p 8080:8080 --rm -v $PWD/examples:/data:Z -v $PWD/assets:/assets:Z quay.io/coreos/bootcfg:latest -address=0.0.0.0:8080 -log-level=debug -config /data/k8s-docker.yaml -The mounted data directory (e.g. `-v $PWD/examples/etcd-small:/data:Z`) depends on the example you wish to run. +The `-config` file describes the desired state of booted machines. ## Assets 
@@ -98,3 +93,51 @@ If everything works, congratulations! Stay tuned for developments. See the [libvirt guide](../Documentation/virtual-hardware.md) or [baremetal guide](../Documentation/physical-hardware.md) for more information. +# Kubernetes + +This example provisions a Kubernetes cluster with 1 master node, 1 worker node, and a dedicated etcd node. Each node uses a static IP address on the local network. + +## Assets + +Download the required CoreOS Beta image assets. + + ./scripts/get-coreos beta 877.1.0 + +Next, add or generate a root CA and Kubernetes TLS assets for each component. + +### TLS Assets + +Note: In this example, TLS assets are served to any machines which request them. The network and any machines on it cannot be trusted yet, so this example is **not suitable for production**. [Distributed Trusted Computing](https://coreos.com/blog/coreos-trusted-computing.html) work soon let machines with TPMs establish secure channels to improve secret distribution and cluster attestation. + +Use the `generate-tls` script to generate throw-away TLS assets. The script will generate a root CA and `admin`, `apiserver`, and `worker` certificates in `assets/tls`. + + cd coreos-baremetal + ./scripts/tls/generate-kubernetes-secrets + +Alternately, if you have existing Public Key Infrastructure, add your CA certificate, entity certificates, and entity private keys to `assets/tls` (for testing only, not secure yet). + + * ca.pem + * apiserver.pem + * apiserver-key.pem + * worker.pem + * worker-key.pem + * admin.pem + * admin-key.pem + +See the [Cluster TLS OpenSSL Generation](https://coreos.com/kubernetes/docs/latest/openssl.html) document or [Kubernetes Step by Step](https://coreos.com/kubernetes/docs/latest/getting-started.html) for more details. + +Return the the general examples [README](../README). + +## Usage + +Install `kubectl` on your host and use the `examples/kubeconfig` file which references the top level `assets/tls`. 
+ + cd /path/to/coreos-baremetal + kubectl --kubeconfig=examples/kubeconfig get nodes + +Get all pods. + + kubectl --kubeconfig=examples/kubeconfig get pods --all-namespaces + +On my laptop, it takes about 1 minute from boot until the Kubernetes API comes up. Then it takes another 1-2 minutes for all components including DNS to be pulled and started. + diff --git a/examples/kubernetes/cloud/master.sh b/examples/cloud/kubernetes-master.sh similarity index 97% rename from examples/kubernetes/cloud/master.sh rename to examples/cloud/kubernetes-master.sh index 0c02f8c9..11c00a64 100644 --- a/examples/kubernetes/cloud/master.sh +++ b/examples/cloud/kubernetes-master.sh 
@@ -2,36 +2,36 @@ set -e # List of etcd servers (http://ip:port), comma separated -export ETCD_ENDPOINTS=http://172.17.0.23:2379 +export ETCD_ENDPOINTS={{.k8s_etcd_endpoints}} # Specify the version (vX.Y.Z) of Kubernetes assets to deploy -export K8S_VER=v1.1.2 +export K8S_VER={{.k8s_version}} # The CIDR network to use for pod IPs. # Each pod launched in the cluster will be assigned an IP out of this range. # Each node will be configured such that these IPs will be routable using the flannel overlay network. -export POD_NETWORK=10.2.0.0/16 +export POD_NETWORK={{.k8s_pod_network}} # The CIDR network to use for service cluster IPs. # Each service will be assigned a cluster IP out of this range. # This must not overlap with any IP ranges assigned to the POD_NETWORK, or other existing network infrastructure. # Routing to these IPs is handled by a proxy service local to each node, and are not required to be routable between nodes. -export SERVICE_IP_RANGE=10.3.0.0/24 +export SERVICE_IP_RANGE={{.k8s_service_ip_range}} # The IP address of the Kubernetes API Service # If the SERVICE_IP_RANGE is changed above, this must be set to the first IP in that range. -export K8S_SERVICE_IP=10.3.0.1 +export K8S_SERVICE_IP={{.k8s_service_ip}} # The IP address of the cluster DNS service. # This IP must be in the range of the SERVICE_IP_RANGE and cannot be the first IP in the range. # This same IP must be configured on all worker nodes to enable DNS service discovery. -export DNS_SERVICE_IP=10.3.0.10 +export DNS_SERVICE_IP={{.k8s_dns_service_ip}} # ADVERTISE_IP is the host node's IP. -export ADVERTISE_IP=172.17.0.21 +export ADVERTISE_IP={{.k8s_advertise_ip}} # TLS Certificate assets are hosted by the Config Server -export CERT_ENDPOINT=172.17.0.2:8080/assets +export CERT_ENDPOINT={{.k8s_cert_endpoint}} function init_config { local REQUIRED=('ADVERTISE_IP' 'POD_NETWORK' 'ETCD_ENDPOINTS' 'SERVICE_IP_RANGE' 'K8S_SERVICE_IP' 'DNS_SERVICE_IP' 'K8S_VER' ) 
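Review bot: CERT_ENDPOINT is the one templated value that init_config does not cover: the REQUIRED array at the end of the hunk lists ADVERTISE_IP through K8S_VER but not CERT_ENDPOINT, so an empty or unrendered `{{.k8s_cert_endpoint}}` would presumably pass init_config (its body continues outside the hunk) and only surface later as a failed download in get_certs. Add `'CERT_ENDPOINT'` to REQUIRED; the same omission is in the first hunk of examples/cloud/kubernetes-worker.sh. The expected shape of the value also changed from host:port to a full base URL, since get_certs no longer prefixes `http://`, so the comment above the export should say so, e.g. `# Base URL (scheme://host:port/path) of the Config Server that hosts the TLS certificate assets`.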
@@ -47,9 +47,9 @@ function init_config { function get_certs { DEST=/etc/kubernetes/ssl mkdir -p $DEST - curl http://$CERT_ENDPOINT/tls/apiserver.pem -o $DEST/apiserver.pem - curl http://$CERT_ENDPOINT/tls/apiserver-key.pem -o $DEST/apiserver-key.pem - curl http://$CERT_ENDPOINT/tls/ca.pem -o $DEST/ca.pem + curl $CERT_ENDPOINT/tls/apiserver.pem -o $DEST/apiserver.pem + curl $CERT_ENDPOINT/tls/apiserver-key.pem -o $DEST/apiserver-key.pem + curl $CERT_ENDPOINT/tls/ca.pem -o $DEST/ca.pem } function init_flannel { diff --git a/examples/kubernetes/cloud/worker.sh b/examples/cloud/kubernetes-worker.sh similarity index 91% rename from examples/kubernetes/cloud/worker.sh rename to examples/cloud/kubernetes-worker.sh index d3c5a785..f415e589 100644 --- a/examples/kubernetes/cloud/worker.sh +++ b/examples/cloud/kubernetes-worker.sh 
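Review bot: The three curl calls in get_certs run without `--fail`, so an HTTP error from the config server (a 404 when assets/tls has not been generated, for instance) writes the error body into apiserver-key.pem, curl exits 0, `set -e` does not stop the script, and the node continues with unusable certificate material. Use `curl --fail --silent --show-error $CERT_ENDPOINT/tls/apiserver.pem -o $DEST/apiserver.pem` and likewise on the other two lines; the get_certs hunk of examples/cloud/kubernetes-worker.sh has the same gap. Since examples/k8s-docker.yaml sets k8s_cert_endpoint to `http://bootcfg.foo:8080/assets`, the private keys are fetched without transport security or integrity checks, which the README hunk already flags as unsuitable for production; a comment above the downloads, `# example only: keys are fetched over plain HTTP with no integrity check`, would keep that caveat next to the code that does it.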
@@ -2,25 +2,25 @@ set -e # List of etcd servers (http://ip:port), comma separated -export ETCD_ENDPOINTS=http://172.17.0.23:2379 +export ETCD_ENDPOINTS={{.k8s_etcd_endpoints}} # The endpoint the worker node should use to contact controller nodes (https://ip:port) # In HA configurations this should be an external DNS record or loadbalancer in front of the control nodes. # However, it is also possible to point directly to a single control node. -export CONTROLLER_ENDPOINT=https://172.17.0.21 +export CONTROLLER_ENDPOINT={{.k8s_controller_endpoint}} # Specify the version (vX.Y.Z) of Kubernetes assets to deploy -export K8S_VER=v1.1.2 +export K8S_VER={{.k8s_version}} # The IP address of the cluster DNS service. # This must be the same DNS_SERVICE_IP used when configuring the controller nodes. -export DNS_SERVICE_IP=10.3.0.10 +export DNS_SERVICE_IP={{.k8s_dns_service_ip}} # ADVERTISE_IP is the host node's IP. -export ADVERTISE_IP=172.17.0.22 +export ADVERTISE_IP={{.k8s_advertise_ip}} # TLS Certificate assets are hosted by the Config Server -export CERT_ENDPOINT=172.17.0.2:8080/assets +export CERT_ENDPOINT={{.k8s_cert_endpoint}} function init_config { local REQUIRED=( 'ADVERTISE_IP' 'ETCD_ENDPOINTS' 'CONTROLLER_ENDPOINT' 'DNS_SERVICE_IP' 'K8S_VER' ) @@ -36,9 +36,9 @@ function init_config { function get_certs { DEST=/etc/kubernetes/ssl mkdir -p $DEST - curl http://$CERT_ENDPOINT/tls/worker.pem -o $DEST/worker.pem - curl http://$CERT_ENDPOINT/tls/worker-key.pem -o $DEST/worker-key.pem - curl http://$CERT_ENDPOINT/tls/ca.pem -o $DEST/ca.pem + curl $CERT_ENDPOINT/tls/worker.pem -o $DEST/worker.pem + curl $CERT_ENDPOINT/tls/worker-key.pem -o $DEST/worker-key.pem + curl $CERT_ENDPOINT/tls/ca.pem -o $DEST/ca.pem } function init_templates { diff --git a/examples/dev/cloud/default.yaml b/examples/dev/cloud/default.yaml deleted file mode 100644 index 6f6b45fb..00000000 --- a/examples/dev/cloud/default.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -#cloud-config -coreos: - units: - - name: etcd2.service - command: start - - name: fleet.service - command: start -write_files: - - path: "/home/core/cloud" - owner: "core" - permissions: "0644" - content: | - File added by the default cloud config. diff --git a/examples/dev/cloud/node1.yaml b/examples/dev/cloud/node1.yaml deleted file mode 100644 index 886efcc4..00000000 --- a/examples/dev/cloud/node1.yaml +++ /dev/null @@ -1,13 +0,0 @@ -#cloud-config -coreos: - units: - - name: etcd2.service - command: start - - name: fleet.service - command: start -write_files: - - path: "/home/core/cloud" - owner: "core" - permissions: "0644" - content: | - File added by node1.yml. diff --git a/examples/dev/cloud/node2.yaml b/examples/dev/cloud/node2.yaml deleted file mode 100644 index 62b52d7a..00000000 --- a/examples/dev/cloud/node2.yaml +++ /dev/null @@ -1,13 +0,0 @@ -#cloud-config -coreos: - units: - - name: etcd2.service - command: start - - name: fleet.service - command: start -write_files: - - path: "/home/core/cloud" - owner: "core" - permissions: "0644" - content: | - File added by node2.yml. diff --git a/examples/dev/config.yaml b/examples/dev/config.yaml deleted file mode 100644 index e7763b85..00000000 --- a/examples/dev/config.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -api_version: v1alpha1 -groups: - - name: node1 - spec: node1 - require: - uuid: 16e7d8a7-bfa9-428b-9117-363341bb330b - metadata: - greeting: hello - networkd_name: ens3 - networkd_gateway: 172.17.0.1 - networkd_dns: 172.17.0.3 - networkd_address: 172.17.0.21/16 - - - name: node2 - spec: node2 - require: - uuid: 264cd073-ca62-44b3-98c0-50aad5b5f819 - metadata: - networkd_name: ens3 - networkd_gateway: 172.17.0.1 - networkd_dns: 172.17.0.3 - networkd_address: 172.17.0.22/16 - - - name: default - spec: default \ No newline at end of file diff --git a/examples/dev/ignition/node1.json b/examples/dev/ignition/node1.json deleted file mode 100644 index d703e8cd..00000000 
--- a/examples/dev/ignition/node1.json +++ /dev/null @@ -1 +0,0 @@ -{"ignitionVersion":1,"storage":{},"systemd":{"units":[{"name":"metadata.service","enable":true,"contents":"[Unit]\nDescription=Bare Metal Metadata Agent\n[Service]\nType=oneshot\nEnvironment=OUTPUT=/run/metadata/bootcfg\nExecStart=/usr/bin/mkdir --parent /run/metadata\nExecStart=/usr/bin/bash -c 'curl --url \"http://bootcfg.foo:8080/metadata?{{.query}}\" --retry 10 --output ${OUTPUT}'\n[Install]\nWantedBy=multi-user.target\n"},{"name":"greeting.service","enable":true,"contents":"[Unit]\nDescription=Greeting using Ignition Metadata\nRequires=metadata.service\nAfter=metadata.service\n[Service]\nType=oneshot\nEnvironmentFile=/run/metadata/bootcfg\nExecStart=/usr/bin/echo ${GREETING}\n[Install]\nWantedBy=multi-user.target\n"}]},"networkd":{"units":[{"name":"00-{{.networkd_name}}.network","contents":"[Match]\nName={{.networkd_name}}\n[Network]\nGateway={{.networkd_gateway}}\nDNS={{.networkd_dns}}\nAddress={{.networkd_address}}\n"}]},"passwd":{}} \ No newline at end of file diff --git a/examples/dev/ignition/node1.yaml b/examples/dev/ignition/node1.yaml deleted file mode 100644 index 49f31580..00000000 --- a/examples/dev/ignition/node1.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -ignition_version: 1 -systemd: - units: - - name: metadata.service - enable: true - contents: | - [Unit] - Description=Bare Metal Metadata Agent - [Service] - Type=oneshot - Environment=OUTPUT=/run/metadata/bootcfg - ExecStart=/usr/bin/mkdir --parent /run/metadata - ExecStart=/usr/bin/bash -c 'curl --url "http://bootcfg.foo:8080/metadata?{{.query}}" --retry 10 --output ${OUTPUT}' - [Install] - WantedBy=multi-user.target - - name: greeting.service - enable: true - contents: | - [Unit] - Description=Greeting using Ignition Metadata - Requires=metadata.service - After=metadata.service - [Service] - Type=oneshot - EnvironmentFile=/run/metadata/bootcfg - ExecStart=/usr/bin/echo ${GREETING} - [Install] - WantedBy=multi-user.target -networkd: - units: - - name: 00-{{.networkd_name}}.network - contents: | - [Match] - Name={{.networkd_name}} - [Network] - Gateway={{.networkd_gateway}} - DNS={{.networkd_dns}} - Address={{.networkd_address}} diff --git a/examples/dev/ignition/node2.json b/examples/dev/ignition/node2.json deleted file mode 100644 index 1056cd70..00000000 --- a/examples/dev/ignition/node2.json +++ /dev/null @@ -1 +0,0 @@ -{"ignitionVersion":1,"storage":{},"systemd":{"units":[{"name":"metadata.service","enable":true,"contents":"[Unit]\nDescription=Bare Metal Metadata Agent\n[Service]\nType=oneshot\nEnvironment=OUTPUT=/run/metadata/bootcfg\nExecStart=/usr/bin/mkdir --parent /run/metadata\nExecStart=/usr/bin/bash -c 'curl --url \"http://bootcfg.foo:8080/metadata?{{.query}}\" --retry 10 --output ${OUTPUT}'\n[Install]\nWantedBy=multi-user.target\n"}]},"networkd":{"units":[{"name":"00-{{.networkd_name}}.network","contents":"[Match]\nName={{.networkd_name}}\n[Network]\nGateway={{.networkd_gateway}}\nDNS={{.networkd_dns}}\nAddress={{.networkd_address}}\n"}]},"passwd":{}} \ No newline at end of file diff --git a/examples/dev/ignition/node2.yaml b/examples/dev/ignition/node2.yaml deleted file mode 100644 index 11a5b106..00000000 
--- a/examples/dev/ignition/node2.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -ignition_version: 1 -systemd: - units: - - name: metadata.service - enable: true - contents: | - [Unit] - Description=Bare Metal Metadata Agent - [Service] - Type=oneshot - Environment=OUTPUT=/run/metadata/bootcfg - ExecStart=/usr/bin/mkdir --parent /run/metadata - ExecStart=/usr/bin/bash -c 'curl --url "http://bootcfg.foo:8080/metadata?{{.query}}" --retry 10 --output ${OUTPUT}' - [Install] - WantedBy=multi-user.target -networkd: - units: - - name: 00-{{.networkd_name}}.network - contents: | - [Match] - Name={{.networkd_name}} - [Network] - Gateway={{.networkd_gateway}} - DNS={{.networkd_dns}} - Address={{.networkd_address}} diff --git a/examples/dev/specs/default/spec.json b/examples/dev/specs/default/spec.json deleted file mode 100644 index 1e0277da..00000000 --- a/examples/dev/specs/default/spec.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "id": "default", - "boot": { - "kernel": "/assets/coreos/835.9.0/coreos_production_pxe.vmlinuz", - "initrd": ["/assets/coreos/835.9.0/coreos_production_pxe_image.cpio.gz"], - "cmdline": { - "cloud-config-url": "http://bootcfg.foo:8080/cloud?uuid=${uuid}&mac=${net0/mac:hexhyp}", - "coreos.autologin": "" - } - }, - "cloud_id": "default.yaml", - "ignition_id": "" -} \ No newline at end of file diff --git a/examples/dev/specs/node1/spec.json b/examples/dev/specs/node1/spec.json deleted file mode 100644 index dc661224..00000000 --- a/examples/dev/specs/node1/spec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "id": "node1", - "boot": { - "kernel": "/assets/coreos/835.9.0/coreos_production_pxe.vmlinuz", - "initrd": ["/assets/coreos/835.9.0/coreos_production_pxe_image.cpio.gz"], - "cmdline": { - "cloud-config-url": "http://bootcfg.foo:8080/cloud?uuid=${uuid}&mac=${net0/mac:hexhyp}", - "coreos.config.url": "http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}", - "coreos.autologin": "", - "coreos.first_boot": "" - } - }, - "cloud_id": "node1.yaml", - "ignition_id": "node1.json" -} diff --git a/examples/dev/specs/node2/spec.json b/examples/dev/specs/node2/spec.json deleted file mode 100644 index a3faf121..00000000 --- a/examples/dev/specs/node2/spec.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "id": "node2", - "boot": { - "kernel": "/assets/coreos/835.9.0/coreos_production_pxe.vmlinuz", - "initrd": ["/assets/coreos/835.9.0/coreos_production_pxe_image.cpio.gz"], - "cmdline": { - "cloud-config-url": "http://bootcfg.foo:8080/cloud?uuid=${uuid}&mac=${net0/mac:hexhyp}", - "coreos.config.url": "http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}", - "coreos.autologin": "", - "coreos.first_boot": "" - } - }, - "cloud_id": "node2.yaml", - "ignition_id": "node2.json" -} diff --git a/examples/etcd-large/etcd-docker.yaml b/examples/etcd-docker.yaml similarity index 100% rename from examples/etcd-large/etcd-docker.yaml rename to examples/etcd-docker.yaml diff --git a/examples/etcd-large/etcd-rkt.yaml b/examples/etcd-rkt.yaml similarity index 100% rename from examples/etcd-large/etcd-rkt.yaml rename to examples/etcd-rkt.yaml diff --git a/examples/etcd-small/cloud/etcd.yaml b/examples/etcd-small/cloud/etcd.yaml deleted file mode 100644 index 34450180..00000000 --- a/examples/etcd-small/cloud/etcd.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -#cloud-config -coreos: - etcd2: - name: etcdserver - initial-cluster: etcdserver=http://172.17.0.21:2380 - initial-advertise-peer-urls: http://172.17.0.21:2380 - advertise-client-urls: http://172.17.0.21:2379 - listen-client-urls: http://0.0.0.0:2379 - listen-peer-urls: http://0.0.0.0:2380 - units: - - name: etcd2.service - command: start diff --git a/examples/etcd-small/cloud/worker.yaml b/examples/etcd-small/cloud/worker.yaml deleted file mode 100644 index 945746f2..00000000 --- a/examples/etcd-small/cloud/worker.yaml +++ /dev/null @@ -1,13 +0,0 @@ -#cloud-config -coreos: - etcd2: - proxy: on - listen-client-urls: http://localhost:2379 - initial-cluster: etcdserver=http://172.17.0.21:2380 - fleet: - etcd_servers: "http://localhost:2379" - units: - - name: etcd2.service - command: start - - name: fleet.service - command: start \ No newline at end of file diff --git a/examples/etcd-small/config.yaml b/examples/etcd-small/config.yaml deleted file mode 100644 index 90aa743c..00000000 --- a/examples/etcd-small/config.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -api_version: v1alpha1 -groups: - - name: node1 - spec: etcd - require: - uuid: 16e7d8a7-bfa9-428b-9117-363341bb330b - - - name: default - spec: worker \ No newline at end of file diff --git a/examples/etcd-small/ignition/etcd.json b/examples/etcd-small/ignition/etcd.json deleted file mode 100644 index db62791f..00000000 --- a/examples/etcd-small/ignition/etcd.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "ignitionVersion": 1, - "networkd": { - "units": [ - { - "name": "00-ens3.network", - "contents": "[Match]\nName=ens3\n\n[Network]\nDNS=8.8.8.8\nGateway=172.17.0.1\nAddress=172.17.0.21" - } - ] - } -} \ No newline at end of file diff --git a/examples/etcd-small/specs/etcd/spec.json b/examples/etcd-small/specs/etcd/spec.json deleted file mode 100644 index 918642e9..00000000 --- a/examples/etcd-small/specs/etcd/spec.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "id": "etcd", - "boot": { - "kernel": "/assets/coreos/835.9.0/coreos_production_pxe.vmlinuz", - "initrd": ["/assets/coreos/835.9.0/coreos_production_pxe_image.cpio.gz"], - "cmdline": { - "cloud-config-url": "http://172.17.0.2:8080/cloud?uuid=${uuid}&mac=${net0/mac:hexhyp}", - "coreos.config.url": "http://172.17.0.2:8080/ignition?uuid=${uuid}", - "coreos.autologin": "", - "coreos.first_boot": "" - } - }, - "cloud_id": "etcd.yaml", - "ignition_id": "etcd.json" -} \ No newline at end of file diff --git a/examples/etcd-small/specs/worker/spec.json b/examples/etcd-small/specs/worker/spec.json deleted file mode 100644 index 5c613df0..00000000 --- a/examples/etcd-small/specs/worker/spec.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "id": "worker", - "boot": { - "kernel": "/assets/coreos/835.9.0/coreos_production_pxe.vmlinuz", - "initrd": ["/assets/coreos/835.9.0/coreos_production_pxe_image.cpio.gz"], - "cmdline": { - "cloud-config-url": "http://172.17.0.2:8080/cloud?uuid=${uuid}&mac=${net0/mac:hexhyp}", - "coreos.autologin": "" - } - }, - "cloud_id": "worker.yaml", - "ignition_id": "" -} \ No newline at end of file diff --git a/examples/etcd-large/ignition/etcd.json b/examples/ignition/etcd.json similarity index 100% rename from examples/etcd-large/ignition/etcd.json rename to examples/ignition/etcd.json diff --git a/examples/etcd-large/ignition/etcd.yaml b/examples/ignition/etcd.yaml similarity index 100% rename from examples/etcd-large/ignition/etcd.yaml rename to examples/ignition/etcd.yaml diff --git a/examples/etcd-large/ignition/etcd_proxy.json b/examples/ignition/etcd_proxy.json similarity index 100% rename from examples/etcd-large/ignition/etcd_proxy.json rename to examples/ignition/etcd_proxy.json diff --git a/examples/etcd-large/ignition/etcd_proxy.yaml b/examples/ignition/etcd_proxy.yaml similarity index 100% rename from examples/etcd-large/ignition/etcd_proxy.yaml rename to examples/ignition/etcd_proxy.yaml 
diff --git a/examples/kubernetes/ignition/network.json b/examples/ignition/network.json similarity index 100% rename from examples/kubernetes/ignition/network.json rename to examples/ignition/network.json diff --git a/examples/kubernetes/ignition/network.yaml b/examples/ignition/network.yaml similarity index 100% rename from examples/kubernetes/ignition/network.yaml rename to examples/ignition/network.yaml diff --git a/examples/kubernetes/config.yaml b/examples/k8s-docker.yaml similarity index 53% rename from examples/kubernetes/config.yaml rename to examples/k8s-docker.yaml index 66bd155d..8f84be7a 100644 --- a/examples/kubernetes/config.yaml +++ b/examples/k8s-docker.yaml @@ -10,6 +10,14 @@ groups: networkd_gateway: 172.17.0.1 networkd_dns: 172.17.0.3 networkd_address: 172.17.0.21/16 + k8s_etcd_endpoints: http://172.17.0.23:2379 + k8s_version: v1.1.2 + k8s_pod_network: 10.2.0.0/16 + k8s_service_ip_range: 10.3.0.0/24 + k8s_service_ip: 10.3.0.1 + k8s_dns_service_ip: 10.3.0.10 + k8s_advertise_ip: 172.17.0.21 + k8s_cert_endpoint: http://bootcfg.foo:8080/assets - name: Worker Node spec: kubernetes-worker @@ -20,6 +28,12 @@ groups: networkd_gateway: 172.17.0.1 networkd_dns: 172.17.0.3 networkd_address: 172.17.0.22/16 + k8s_etcd_endpoints: http://172.17.0.23:2379 + k8s_controller_endpoint: https://172.17.0.21 + k8s_version: v1.1.2 + k8s_dns_service_ip: 10.3.0.1 + k8s_advertise_ip: 172.17.0.22 + k8s_cert_endpoint: http://bootcfg.foo:8080/assets - name: etcd Node spec: etcd @@ -30,4 +44,7 @@ groups: networkd_gateway: 172.17.0.1 networkd_dns: 172.17.0.3 networkd_address: 172.17.0.23/16 + ipv4_address: 172.17.0.23 + etcd_name: solo + etcd_initial_cluster: "solo=http://172.17.0.23:2380" diff --git a/examples/kubeconfig b/examples/kubeconfig new file mode 100644 index 00000000..fa866474 --- /dev/null +++ b/examples/kubeconfig 
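Review bot: In the second hunk of examples/k8s-docker.yaml the Worker Node group sets `k8s_dns_service_ip: 10.3.0.1`, while the Master Node group sets `k8s_dns_service_ip: 10.3.0.10` and `k8s_service_ip: 10.3.0.1`; the comment in kubernetes-worker.sh says DNS_SERVICE_IP must equal the controller's value, and the one in kubernetes-master.sh says it cannot be the first IP of SERVICE_IP_RANGE, so this looks like a typo that points worker DNS at the API service IP. Change it to `k8s_dns_service_ip: 10.3.0.10`. Because k8s_etcd_endpoints, k8s_version, k8s_dns_service_ip and k8s_cert_endpoint are repeated per group, a short comment at the top of the groups list naming the keys that must agree between master and worker would help catch this; the groups list begins outside these hunks.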
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+ certificate-authority: ../assets/tls/ca.pem
+ server: https://172.17.0.21:443
+ name: k8s-docker
+contexts:
+- context:
+ cluster: k8s-docker
+ namespace: default
+ user: k8s-docker
+ name: k8s-docker
+current-context: k8s-docker
+users:
+- name: k8s-docker
+ user:
+ client-certificate: ../assets/tls/admin.pem
+ client-key: ../assets/tls/admin-key.pem
\ No newline at end of file
diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
deleted file mode 100644
index 65c65341..00000000
--- a/examples/kubernetes/README.md
+++ /dev/null
@@ -1,51 +0,0 @@
-
-# Kubernetes
-
-This example provisions a Kubernetes cluster with 1 master node, 1 worker node, and a dedicated etcd node. Each node uses a static IP address on the local network.
-
-## Assets
-
-Download the required CoreOS Beta image assets.
-
- ./scripts/get-coreos beta 877.1.0
-
-Next, add or generate a root CA and Kubernetes TLS assets for each component.
-
-### TLS Assets
-
-Note: In this example, TLS assets are served to any machines which request them. The network and any machines on it cannot be trusted yet, so this example is **not suitable for production**. [Distributed Trusted Computing](https://coreos.com/blog/coreos-trusted-computing.html) work soon let machines with TPMs establish secure channels to improve secret distribution and cluster attestation.
-
-Use the `generate-tls` script to generate throw-away TLS assets. The script will generate a root CA and `admin`, `apiserver`, and `worker` certificates in `assets/tls`.
-
- ./examples/kubernetes/scripts/generate-tls
-
-Alternately, if you have existing Public Key Infrastructure, add your CA certificate, entity certificates, and entity private keys to `assets/tls`.
-
- * ca.pem
- * apiserver.pem
- * apiserver-key.pem
- * worker.pem
- * worker-key.pem
- * admin.pem
- * admin-key.pem
-
-See the [Cluster TLS OpenSSL Generation](https://coreos.com/kubernetes/docs/latest/openssl.html) document or [Kubernetes Step by Step](https://coreos.com/kubernetes/docs/latest/getting-started.html) for more details.
-
-Return the the general examples [README](../README).
-
-## Usage
-
-Install `kubectl` on your host and use the `examples/kubernetes/kubeconfig` file which references the top level `assets/tls`.
-
- cd /path/to/coreos-baremetal
- kubectl --kubeconfig=examples/kubernetes/kubeconfig get nodes
-
-Watch pod events.
-
- kubectl --kubeconfig=examples/kubernetes/kubeconfig get pods --all-namespaces -w
-
-Get all pods.
-
- kubectl --kubeconfig=examples/kubernetes/kubeconfig get pods --all-namespaces
-
-On my laptop, it takes about 1 minute from boot until the Kubernetes API comes up. Then it takes another 1-2 minutes for all components including DNS to be pulled and started.
\ No newline at end of file
diff --git a/examples/kubernetes/cloud/etcd.yaml b/examples/kubernetes/cloud/etcd.yaml
deleted file mode 100644
index 4d658926..00000000
--- a/examples/kubernetes/cloud/etcd.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-#cloud-config
-coreos:
- etcd2:
- name: etcdserver
- initial-cluster: etcdserver=http://172.17.0.23:2380
- initial-advertise-peer-urls: http://172.17.0.23:2380
- advertise-client-urls: http://172.17.0.23:2379
- listen-client-urls: http://0.0.0.0:2379
- listen-peer-urls: http://0.0.0.0:2380
- units:
- - name: etcd2.service
- command: start
-write_files:
- - path: "/home/core/etcd"
- owner: "core"
- permissions: "0644"
- content: |
- File added by etcd.yaml.
diff --git a/examples/kubernetes/kubeconfig b/examples/kubernetes/kubeconfig
deleted file mode 100644
index 7489212d..00000000
--- a/examples/kubernetes/kubeconfig
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Config
-clusters:
-- cluster:
- certificate-authority: ../../assets/tls/ca.pem
- server: https://172.17.0.21:443
- name: baremetal-cluster
-contexts:
-- context:
- cluster: baremetal-cluster
- namespace: default
- user: baremetal-admin
- name: baremetal
-current-context: baremetal
-users:
-- name: baremetal-admin
- user:
- client-certificate: ../../assets/tls/admin.pem
- client-key: ../../assets/tls/admin-key.pem
\ No newline at end of file
diff --git a/examples/kubernetes/scripts/generate-tls b/examples/kubernetes/scripts/generate-tls
deleted file mode 100755
index 9d372090..00000000
--- a/examples/kubernetes/scripts/generate-tls
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash -e
-# USAGE: ./examples/kubernetes/scripts/generate-tls
-
-DEST=${1:-"assets/tls"}
-
-if [ ! -d "$DEST" ]; then
- echo "Creating directory $DEST"
- mkdir -p $DEST
-fi
-
-./examples/kubernetes/scripts/root-ca $DEST
-./examples/kubernetes/scripts/kubernetes-cert $DEST admin kube-admin
-./examples/kubernetes/scripts/kubernetes-cert $DEST apiserver kube-apiserver IP.1=10.3.0.1,IP.2=172.17.0.21
-./examples/kubernetes/scripts/kubernetes-cert $DEST worker kube-worker IP.1=172.17.0.22
-
diff --git a/examples/kubernetes/specs/etcd/spec.json b/examples/kubernetes/specs/etcd/spec.json
deleted file mode 100644
index b576276d..00000000
--- a/examples/kubernetes/specs/etcd/spec.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "id": "etcd",
- "boot": {
- "kernel": "/assets/coreos/877.1.0/coreos_production_pxe.vmlinuz",
- "initrd": ["/assets/coreos/877.1.0/coreos_production_pxe_image.cpio.gz"],
- "cmdline": {
- "cloud-config-url": "http://bootcfg.foo:8080/cloud?uuid=${uuid}&mac=${net0/mac:hexhyp}",
- "coreos.config.url": "http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
- "coreos.autologin": "",
- "coreos.first_boot": ""
- }
- },
- "cloud_id": "etcd.yaml",
- "ignition_id": "network.json"
-}
\ No newline at end of file
diff --git a/examples/etcd-large/specs/etcd/spec.json b/examples/specs/etcd/spec.json
similarity index 100%
rename from examples/etcd-large/specs/etcd/spec.json
rename to examples/specs/etcd/spec.json
diff --git a/examples/etcd-large/specs/etcd_proxy/spec.json b/examples/specs/etcd_proxy/spec.json
similarity index 100%
rename from examples/etcd-large/specs/etcd_proxy/spec.json
rename to examples/specs/etcd_proxy/spec.json
diff --git a/examples/kubernetes/specs/kubernetes-master/spec.json b/examples/specs/kubernetes-master/spec.json
similarity index 93%
rename from examples/kubernetes/specs/kubernetes-master/spec.json
rename to examples/specs/kubernetes-master/spec.json
index acc666f4..919eac2d 100644
--- a/examples/kubernetes/specs/kubernetes-master/spec.json
+++ b/examples/specs/kubernetes-master/spec.json
@@ -10,6 +10,6 @@
 "coreos.first_boot": ""
 }
 },
- "cloud_id": "master.sh",
+ "cloud_id": "kubernetes-master.sh",
 "ignition_id": "network.json"
 }
\ No newline at end of file
diff --git a/examples/kubernetes/specs/kubernetes-worker/spec.json b/examples/specs/kubernetes-worker/spec.json
similarity index 93%
rename from examples/kubernetes/specs/kubernetes-worker/spec.json
rename to examples/specs/kubernetes-worker/spec.json
index 01096b4a..620464c1 100644
--- a/examples/kubernetes/specs/kubernetes-worker/spec.json
+++ b/examples/specs/kubernetes-worker/spec.json
@@ -10,6 +10,6 @@
 "coreos.first_boot": ""
 }
 },
- "cloud_id": "worker.sh",
+ "cloud_id": "kubernetes-worker.sh",
 "ignition_id": "network.json"
 }
\ No newline at end of file
diff --git a/scripts/tls/generate-kubernetes-secrets b/scripts/tls/generate-kubernetes-secrets
new file mode 100755
index 00000000..597aee24
--- /dev/null
+++ b/scripts/tls/generate-kubernetes-secrets
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+# USAGE: ./scripts/generate-kubernetes-secrets
+
+DEST=${1:-"assets/tls"}
+
+if [ ! -d "$DEST" ]; then
+ echo "Creating directory $DEST"
+ mkdir -p $DEST
+fi
+
+./scripts/tls/root-ca $DEST
+./scripts/tls/kubernetes-cert $DEST admin kube-admin
+./scripts/tls/kubernetes-cert $DEST apiserver kube-apiserver IP.1=10.3.0.1,IP.2=172.17.0.21
+./scripts/tls/kubernetes-cert $DEST worker kube-worker IP.1=172.17.0.22
diff --git a/examples/kubernetes/scripts/kubernetes-cert b/scripts/tls/kubernetes-cert
similarity index 100%
rename from examples/kubernetes/scripts/kubernetes-cert
rename to scripts/tls/kubernetes-cert
diff --git a/examples/kubernetes/scripts/root-ca b/scripts/tls/root-ca
similarity index 100%
rename from examples/kubernetes/scripts/root-ca
rename to scripts/tls/root-ca
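Review bot: The USAGE comment in the new scripts/tls/generate-kubernetes-secrets names a path that does not exist in this commit — the file is added under `scripts/tls/`, so it should read `# USAGE: ./scripts/tls/generate-kubernetes-secrets [DEST]`. `$DEST` is quoted in the `-d` test but not in `mkdir -p $DEST` or the four script invocations, so a destination containing whitespace would be word-split; `mkdir -p "$DEST"` and `"$DEST"` on the following lines fixes that. The default destination `assets/tls` receives `admin-key.pem`, which examples/kubeconfig in this same commit uses as the cluster-admin client key, and `/assets` is the path the spec.json kernel/initrd entries and `k8s_cert_endpoint: http://bootcfg.foo:8080/assets` suggest bootcfg serves over plain HTTP, so these private keys are presumably retrievable by any host on the boot network. A header comment such as `# Generates a throw-away CA plus admin, apiserver and worker certs into DEST (default assets/tls). Anything under assets/ may be served by bootcfg to any requester; never reuse these keys outside a disposable lab.` would carry forward the warning the deleted examples/kubernetes/README.md used to give.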