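#!/usr/bin/env bash
#
# setup-linux.sh — bootstrap a Kubernetes cluster on GCE from this repository.
#
# Flow: create the Terraform state bucket, generate a CA and the "kubernetes"
# server certificate with cfssl, run Terraform for the nodes, render the
# Ansible inventory and group vars from the instance addresses, run the
# playbooks, configure a local kubectl context, create pod routes with a
# second Terraform config, then install KubeDNS and the dashboard.
#
# Makes assumptions for many things such as terraform, ansible, cfssl,
# cfssljson, gcloud, gsutil and kubectl being installed and located in PATH;
# ssl/ containing the CA config files; creds/account.json holding the Google
# service credentials; ~/.ssh/google_compute_1 being the SSH key. Tread lightly.
#
# Optional environment:
#   KUBE_ADMIN_TOKEN            bearer token for the local "admin" kubectl
#                               credential (see configure_kubectl)
#   ANSIBLE_HOST_KEY_CHECKING   defaults to False here; set it to True to keep
#                               SSH host-key verification on
#
# Exit status: 0 on success, 1 on the first failed critical step.

set -u -o pipefail

# Directory containing this script; the original assumed it was run from the
# repository root, which is where setup-linux.sh lives, so this is equivalent
# but no longer depends on the caller's working directory.
REPO_ROOT=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) || exit 1
readonly REPO_ROOT

readonly STATE_BUCKET=terraform-remote-kube
readonly GCP_PROJECT=kubernetes
readonly SSH_PRIVATE_KEY=~/.ssh/google_compute_1
readonly SKYDNS_SVC_MANIFEST=https://raw.githubusercontent.com/kelseyhightower/kubernetes-the-hard-way/master/skydns-svc.yaml
readonly SKYDNS_RC_MANIFEST=https://raw.githubusercontent.com/kelseyhightower/kubernetes-the-hard-way/master/skydns-rc.yaml
readonly DASHBOARD_MANIFEST=https://rawgit.com/kubernetes/dashboard/master/src/deploy/kubernetes-dashboard.yaml

# Placeholder token used in the templates -> GCE instance name it stands for.
declare -Ar PLACEHOLDER_TO_INSTANCE=(
  [ETCD0IP]=etcd0 [ETCD1IP]=etcd1 [ETCD2IP]=etcd2
  [CTRL0IP]=controller0 [CTRL1IP]=controller1 [CTRL2IP]=controller2
  [WORKER0IP]=worker0 [WORKER1IP]=worker1
)

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a section banner (message followed by a dashed rule) to stdout.
# Arguments: $1 - message
#######################################
banner() {
  printf '%s\n----------\n' "$1"
}

#######################################
# Test whether a string looks like a dotted-quad IPv4 address.
# Arguments: $1 - candidate string
# Returns:   0 if it matches, 1 otherwise
#######################################
looks_like_ipv4() {
  [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
}

#######################################
# Print the md5 digest (hex only) of a file.
# Arguments: $1 - file path
# Outputs:   32 hex characters on stdout
#######################################
file_md5() {
  md5sum -- "$1" | cut -d ' ' -f 1
}

#######################################
# Look up one address field of a GCE instance.
# Arguments: $1 - instance name
#            $2 - gcloud resource key, e.g. networkInterfaces[0].networkIP
# Outputs:   the address on stdout
# Returns:   1 if gcloud fails or the value does not look like an IPv4 address
#            (the value is spliced into sed scripts and YAML, so fail closed
#            rather than write an unexpected string into config files)
#######################################
instance_ip() {
  local name=$1 field=$2 ip
  ip=$(gcloud compute instances list "$name" --format="value(${field})") || return 1
  if ! looks_like_ipv4 "$ip"; then
    printf 'could not determine %s for %s (got "%s")\n' "$field" "$name" "$ip" >&2
    return 1
  fi
  printf '%s\n' "$ip"
}

#######################################
# Fill an associative array with placeholder -> address for every instance
# in PLACEHOLDER_TO_INSTANCE.
# Arguments: $1 - name of an associative array to write (nameref)
#            $2 - gcloud resource key passed to instance_ip
# Exits on the first lookup failure.
#######################################
collect_ips() {
  local -n out_map=$1
  local field=$2 placeholder ip
  for placeholder in "${!PLACEHOLDER_TO_INSTANCE[@]}"; do
    ip=$(instance_ip "${PLACEHOLDER_TO_INSTANCE[$placeholder]}" "$field") || exit 1
    out_map[$placeholder]=$ip
  done
}

#######################################
# Replace every placeholder key of an associative array with its value,
# in place, in one file.
# Arguments: $1 - file to edit
#            $2 - name of an associative array placeholder -> value (nameref)
# Exits if sed fails.
#######################################
render_placeholders() {
  local file=$1
  local -n values=$2
  local key script=
  for key in "${!values[@]}"; do
    script+="s/${key}/${values[$key]}/g;"
  done
  sed -i "$script" -- "$file" || die "failed to render ${file}"
}

#######################################
# Configure GCS remote state for a Terraform directory, plan, and apply only
# when the plan reports changes. Requires creds/account.json.
# Arguments: $1 - Terraform directory (absolute path)
#            $2 - state path inside the bucket, e.g. main/terraform.tfstate
# Globals:   changes the working directory to $1
# Returns:   0 when an apply ran, 1 when there was nothing to do
# Exits when credentials are missing or any terraform step fails.
#######################################
run_terraform() {
  local dir=$1 state_path=$2
  [[ -f "${REPO_ROOT}/creds/account.json" ]] \
    || die "Google service credentials missing, cannot find account.json"
  cd "$dir" || die "cannot cd to ${dir}"
  terraform remote config \
    -backend=gcs \
    -backend-config="bucket=${STATE_BUCKET}" \
    -backend-config="path=${state_path}" \
    -backend-config="project=${GCP_PROJECT}" \
    || die "terraform remote config failed in ${dir}"
  banner "Running Terraform Plan"
  terraform plan > plannedchanges.log || die "terraform plan failed in ${dir}"
  # Resource order varies between plans, so the plan output can't be compared
  # by hash; look for the no-op message instead.
  if grep -q "No changes. Infrastructure is up-to-date" plannedchanges.log; then
    banner "No Changes detected"
    return 1
  fi
  banner "Running Terraform Apply"
  terraform apply || die "terraform apply failed in ${dir}"
  return 0
}

#######################################
# Run site.yml against the gcehosts inventory from the ansible directory.
# Arguments: $1 - message to print on failure
#            remaining - extra ansible-playbook arguments (e.g. --tags ...)
# Exits with status 1 when the playbook fails.
#######################################
run_playbook() {
  local failure_msg=$1
  shift
  ansible-playbook -i gcehosts site.yml --private-key "$SSH_PRIVATE_KEY" "$@" \
    || die "$failure_msg"
}

#######################################
# Point the local kubectl at the new cluster.
# Arguments: $1 - public IP of the API server
#######################################
configure_kubectl() {
  local public_ip=$1
  banner "Installing kubectl"
  gcloud components install kubectl
  banner "Configuring kubectl"
  kubectl config set-cluster kubernetes \
    --certificate-authority=ssl/ca.pem \
    --embed-certs=true \
    --server="https://${public_ip}:6443"
  # The token must match whatever the playbooks configured on the API server
  # (presumably the same 'chAng3m3' placeholder — confirm against site.yml),
  # so the default is kept for compatibility; override it via
  # KUBE_ADMIN_TOKEN in any real deployment. Note it is passed as a command
  # line argument here, so it is visible in process listings.
  kubectl config set-credentials admin --token "${KUBE_ADMIN_TOKEN:-chAng3m3}"
  kubectl config set-context default-context \
    --cluster=kubernetes \
    --user=admin
  kubectl config use-context default-context
}

#######################################
# Entry point. See the file header for the overall flow.
#######################################
main() {
  local update_kube_cert=0 old_hash new_hash public_ip
  local -A internal_ip=() nat_ip=() route_values=()

  cd "$REPO_ROOT" || die "cannot cd to ${REPO_ROOT}"

  # --- init ---------------------------------------------------------------
  if [[ ! -d ansible/group_vars ]]; then
    banner "Creating ansible/group_vars folder"
    mkdir -p -- ansible/group_vars || die "cannot create ansible/group_vars"
  fi
  # Best effort: the bucket persists across runs, so this is expected to fail
  # when it already exists and its exit status is deliberately ignored.
  gsutil mb -l eu "gs://${STATE_BUCKET}" || true

  # --- CA -----------------------------------------------------------------
  cd "${REPO_ROOT}/ssl" || die "cannot cd to ssl"
  if [[ ! -f ca.pem ]]; then
    banner "Generating CA"
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca \
      || die "CA generation failed"
    # A new CA invalidates any previously issued kubernetes cert.
    update_kube_cert=1
  else
    banner "CA exists..skipping"
  fi

  # --- nodes --------------------------------------------------------------
  if run_terraform "${REPO_ROOT}/terraform" main/terraform.tfstate; then
    # The node set changed, so force the server cert and its CSR to be rebuilt
    # with the new addresses below.
    rm -f -- "${REPO_ROOT}/ssl/kubernetes.pem" "${REPO_ROOT}/ssl/kubernetes-csr.json"
  fi

  # --- server addresses for the cert and the Ansible vars -----------------
  collect_ips internal_ip 'networkInterfaces[0].networkIP'
  public_ip=$(gcloud compute addresses describe kubernetes --format 'value(address)') \
    || die "cannot describe the kubernetes public address"
  looks_like_ipv4 "$public_ip" || die "unexpected public address: ${public_ip}"

  # --- kubernetes server cert --------------------------------------------
  cd "${REPO_ROOT}/ssl" || die "cannot cd to ssl"
  if [[ ! -f kubernetes-csr.json || "$update_kube_cert" == 1 ]]; then
    cp -- kubernetes-csr.json.tmpl kubernetes-csr.json || die "cannot copy CSR template"
  fi
  # Compare the CSR before/after rendering: a changed digest means the
  # addresses moved and the cert (and inventory) must be regenerated.
  old_hash=$(file_md5 kubernetes-csr.json)
  internal_ip[KUBERNETES_PUBLIC_IP]=$public_ip
  render_placeholders kubernetes-csr.json internal_ip
  new_hash=$(file_md5 kubernetes-csr.json)
  if [[ "$old_hash" != "$new_hash" || ! -f kubernetes.pem || "$update_kube_cert" == 1 ]]; then
    echo "Generatining kubernetes cert and key"
    cfssl gencert \
      -ca=ca.pem \
      -ca-key=ca-key.pem \
      -config=ca-config.json \
      -profile=kubernetes \
      kubernetes-csr.json | cfssljson -bare kubernetes \
      || die "kubernetes cert generation failed"
  fi

  # --- Ansible inventory and vars ----------------------------------------
  cd "${REPO_ROOT}/ansible" || die "cannot cd to ansible"
  # The original tested for "gchosts" (a typo) and so always regenerated the
  # inventory; it is now only rebuilt when the addresses changed or the file
  # is missing. NAT IPs can change if an instance is recreated outside this
  # script — delete gcehosts to force a refresh.
  if [[ "$old_hash" != "$new_hash" || ! -f gcehosts ]]; then
    cp -- templates/gcehosts.tmpl gcehosts || die "cannot copy inventory template"
    banner "Collecting node IP's from gcloud"
    collect_ips nat_ip 'networkInterfaces[0].accessConfigs[0].natIP'
    render_placeholders gcehosts nat_ip
  fi
  # Kept inline (rather than a template) because the vars are easier to set
  # here than with sed. Indented as YAML mappings.
  banner "Exporting IP's to Ansible vars"
  cat > group_vars/all <<EOF

etcd:
  etcd0: ${internal_ip[ETCD0IP]}
  etcd1: ${internal_ip[ETCD1IP]}
  etcd2: ${internal_ip[ETCD2IP]}
ctrl:
  ctrl0: ${internal_ip[CTRL0IP]}
  ctrl1: ${internal_ip[CTRL1IP]}
  ctrl2: ${internal_ip[CTRL2IP]}
worker:
  worker0: ${internal_ip[WORKER0IP]}
  worker1: ${internal_ip[WORKER1IP]}
ansible_connection: ssh
ansible_ssh_user: shortjay

EOF

  # --- configure nodes ----------------------------------------------------
  banner "Sleeping 10s, waiting for nodes to be ready"
  sleep 10
  banner "Starting Ansible"
  # Freshly created instances have unknown host keys, so verification is off
  # by default, which means the first connection trusts whatever key the host
  # presents. Set ANSIBLE_HOST_KEY_CHECKING=True in the environment to keep
  # it on (e.g. after pre-seeding known_hosts).
  export ANSIBLE_HOST_KEY_CHECKING="${ANSIBLE_HOST_KEY_CHECKING:-False}"
  run_playbook "Ansible Failed to provsion SSL worker" --tags sslworker
  run_playbook "Ansible Failed to provsion SSL ctrl" --tags sslctrl
  run_playbook "Ansible Failed to provsion main playbook"

  # --- local kubectl ------------------------------------------------------
  cd "$REPO_ROOT" || die "cannot cd to ${REPO_ROOT}"
  configure_kubectl "$public_ip"
  banner "Checking cluster status"
  kubectl get componentstatuses || die "Could not connect to API"

  # --- pod routes ---------------------------------------------------------
  # One row per node: "<InternalIP> <podCIDR> "; routes.tf.tmpl expects
  # exactly two nodes (IP1/IP2, DESTNET1/DESTNET2).
  local -a node_rows=()
  local ip1 ip2 cidr1 cidr2
  mapfile -t node_rows < <(kubectl get nodes --output=jsonpath='{range .items[*]}{.status.addresses[?(@.type=="InternalIP")].address} {.spec.podCIDR} {"\n"}{end}')
  (( ${#node_rows[@]} >= 2 )) || die "expected at least two nodes, got ${#node_rows[@]}"
  read -r ip1 cidr1 <<<"${node_rows[0]}"
  read -r ip2 cidr2 <<<"${node_rows[1]}"
  looks_like_ipv4 "$ip1" && looks_like_ipv4 "$ip2" \
    || die "unexpected node addresses: '${ip1}' '${ip2}'"
  [[ -n "$cidr1" && -n "$cidr2" ]] || die "a node has no podCIDR assigned yet"
  route_values=(
    [IP1]=$ip1
    [IP2]=$ip2
    [DESTNET1]=${cidr1%%/*}
    [DESTNET2]=${cidr2%%/*}
  )
  cd "${REPO_ROOT}/terraform-routes" || die "cannot cd to terraform-routes"
  cp -- routes.tf.tmpl routes.tf || die "cannot copy routes template"
  render_placeholders routes.tf route_values
  banner "Creating routes"
  # "No changes" is a normal outcome here, not an error.
  run_terraform "${REPO_ROOT}/terraform-routes" routes/terraform.tfstate || :

  # --- cluster add-ons ----------------------------------------------------
  # Assuming everything has worked provision skydns.
  # These manifests are fetched from the tip of third-party branches at apply
  # time, so what gets created can change between runs with no change here;
  # pin each URL to a specific revision (replace 'master' with a commit SHA)
  # for reproducible deployments. The rawgit.com CDN has been discontinued,
  # so the dashboard URL likely needs updating regardless.
  echo "Installing KubeDNS svc"
  echo "Sleeping 15s to wait for Kube to settle.."
  sleep 15
  kubectl create -f "$SKYDNS_SVC_MANIFEST"
  kubectl create -f "$SKYDNS_RC_MANIFEST"
  echo "Installing kubernetes dashboard"
  echo "sleeping 30s waiting for KubeDNS to be ready..."
  sleep 30
  kubectl create -f "$DASHBOARD_MANIFEST"
  kubectl get pods --namespace=kube-system
}

main "$@"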