examples: Fix Kubelet path and service ordering

* Run k8stls.service to fetch TLS assets if path is missing
* Make Kubelet depend upon a kubelet.path path unit
* Fixes to file mode (octal allowed in YAML)

examples/README.md

@@ -1,7 +1,7 @@
 
 # Examples
 
-These examples show declarative configurations for network booting libvirt VMs into CoreOS clusters (Kubernetes, etcd) using `bootcfg`.
+These examples network boot and provision VMs into CoreOS clusters using `bootcfg`.
 
 | Name       | Description | CoreOS Version | FS | Reference | 
 |------------|-------------|----------------|----|-----------|

examples/ignition/install-shutdown.yaml

@@ -0,0 +1,28 @@
+---
+ignition_version: 1
+systemd:
+  units:
+    - name: install.service
+      enable: true
+      contents: |
+        [Unit]
+        Requires=network-online.target
+        After=network-online.target
+        [Service]
+        Type=oneshot
+        ExecStart=/usr/bin/curl {{.ignition_endpoint}}?{{.query}}&os=installed -o ignition.json
+        ExecStart=/usr/bin/coreos-install -d /dev/sda -C {{.coreos_channel}} -V {{.coreos_version}} -i ignition.json
+        ExecStart=/usr/bin/udevadm settle
+        ExecStart=/usr/bin/systemctl poweroff
+        [Install]
+        WantedBy=multi-user.target
+
+{{ if .ssh_authorized_keys }}
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+        {{ range $element := .ssh_authorized_keys }}
+        - {{$element}}
+        {{end}}
+{{end}}

examples/ignition/k8s-master.yaml

@@ -42,23 +42,32 @@ systemd:
         Description=Acquire Kubernetes TLS CA and Certificate
         Requires=network-online.target
         After=network-online.target
+        ConditionPathExists=!/etc/kubernetes/ssl/ready
         [Service]
         Type=oneshot
         ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/ssl
         ExecStart=/usr/bin/curl {{.k8s_cert_endpoint}}/tls/apiserver.pem -o /etc/kubernetes/ssl/apiserver.pem
         ExecStart=/usr/bin/curl {{.k8s_cert_endpoint}}/tls/apiserver-key.pem -o /etc/kubernetes/ssl/apiserver-key.pem
         ExecStart=/usr/bin/curl {{.k8s_cert_endpoint}}/tls/ca.pem -o /etc/kubernetes/ssl/ca.pem
+        ExecStart=/usr/bin/touch /etc/kubernetes/ssl/ready
         [Install]
         WantedBy=multi-user.target
+    - name: kubelet.path
+      enable: true
+      contents: |
+        [Unit]
+        Description=Watch for Kubelet TLS Assets
+        [Path]
+        PathExists=/etc/kubernetes/ssl/ready
     - name: kubelet.service
       enable: true
       contents: |
         [Unit]
         Description=Kubelet via Hyperkube ACI
-        Requires=k8stls.service
-        After=k8stls.service
         Requires=flanneld.service
         After=flanneld.service
+        Requires=kubelet.path
+        After=kubelet.path
         [Service]
         ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
         Environment=KUBELET_VERSION={{.k8s_version}}
@@ -94,7 +103,6 @@ storage:
       wipe_table: true
       partitions:
         - label: ROOT
-          number: 0
   filesystems:
     - device: "/dev/sda1"
       format: "ext4"
@@ -487,7 +495,7 @@ storage:
               }
             }
         - path: /opt/init-flannel
-          mode: 320
+          mode: 0500
           contents: |
             #!/bin/bash
             function init_flannel {
@@ -514,7 +522,7 @@ storage:
             }
             init_flannel
         - path: /opt/k8s-addons
-          mode: 320
+          mode: 0500
           contents: |
             #!/bin/bash
             echo "Waiting for Kubernetes API..."

examples/ignition/k8s-worker.yaml

@@ -41,21 +41,30 @@ systemd:
         Description=Acquire Kubernetes TLS CA and Certificate
         Requires=network-online.target
         After=network-online.target
+        ConditionPathExists=!/etc/kubernetes/ssl/ready
         [Service]
         Type=oneshot
         ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/ssl
         ExecStart=/usr/bin/curl {{.k8s_cert_endpoint}}/tls/worker.pem -o /etc/kubernetes/ssl/worker.pem
         ExecStart=/usr/bin/curl {{.k8s_cert_endpoint}}/tls/worker-key.pem -o /etc/kubernetes/ssl/worker-key.pem
         ExecStart=/usr/bin/curl {{.k8s_cert_endpoint}}/tls/ca.pem -o /etc/kubernetes/ssl/ca.pem
+        ExecStart=/usr/bin/touch /etc/kubernetes/ssl/ready
         [Install]
         WantedBy=multi-user.target
+    - name: kubelet.path
+      enable: true
+      contents: |
+        [Unit]
+        Description=Watch for Kubelet TLS Assets
+        [Path]
+        PathExists=/etc/kubernetes/ssl/ready
     - name: kubelet.service
       enable: true
       contents: |
         [Unit]
         Description=Kubelet via Hyperkube ACI
-        Requires=k8stls.service
-        After=k8stls.service
+        Requires=kubelet.path
+        After=kubelet.path
         [Service]
         ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
         Environment=KUBELET_VERSION={{.k8s_version}}
@@ -82,7 +91,6 @@ storage:
       wipe_table: true
       partitions:
         - label: ROOT
-          number: 0
   filesystems:
     - device: "/dev/sda1"
       format: "ext4"

examples/profiles/install-shutdown/profile.json

@@ -0,0 +1,15 @@
+{
+  "id": "install-shutdown",
+  "name": "Install CoreOS and Shutdown",
+  "boot": {
+    "kernel": "/assets/coreos/983.0.0/coreos_production_pxe.vmlinuz",
+    "initrd": ["/assets/coreos/983.0.0/coreos_production_pxe_image.cpio.gz"],
+    "cmdline": {
+      "coreos.config.url": "http://bootcfg.foo:8080/ignition?uuid=${uuid}&mac=${net0/mac:hexhyp}",
+      "coreos.autologin": "",
+      "coreos.first_boot": ""
+    }
+  },
+  "cloud_id": "",
+  "ignition_id": "install-shutdown.yaml"
+}