lokomotive/assets/terraform-modules/bare-metal/flatcar-linux/kubernetes/cl/worker.yaml.tmpl at bc916327142e1c861419ba46441609cfd6520d80 · kinvolk/lokomotive · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
---
systemd:
  units:
    - name: docker.service
      enable: true
    - name: locksmithd.service
      mask: true
    - name: kubelet.path
      enable: true
      contents: |
        [Unit]
        Description=Watch for kubeconfig
        [Path]
        PathExists=/etc/kubernetes/kubeconfig
        [Install]
        WantedBy=multi-user.target
    - name: wait-for-dns.service
      enable: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
        Wants=systemd-resolved.service
        Before=kubelet.service
        [Service]
        Type=oneshot
        RemainAfterExit=true
        ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done'
        [Install]
        RequiredBy=kubelet.service
    - name: kubelet.service
      contents: |
        [Unit]
        Description=Kubelet
        Wants=rpc-statd.service
        [Service]
        EnvironmentFile=/etc/kubernetes/kubelet.env
        ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
        ExecStartPre=/etc/kubernetes/configure-kubelet-cgroup-driver
        ExecStartPre=-docker rm -f kubelet
        ExecStartPre=docker run -d \
          --name=kubelet \
          --restart=unless-stopped \
          --log-driver=journald \
          --network=host \
          --pid=host \
          --privileged \
          -v /dev:/dev:rw \
          -v /etc/cni/net.d:/etc/cni/net.d:ro \
          -v /etc/kubernetes:/etc/kubernetes:ro \
          -v /etc/machine-id:/etc/machine-id:ro \
          -v /lib/modules:/lib/modules:ro \
          -v /run:/run:rw \
          -v /sys:/sys:rw \
          -v /opt/cni/bin:/opt/cni/bin:ro \
          -v /usr/lib/os-release:/etc/os-release:ro \
          -v /usr/sbin/iscsiadm:/usr/sbin/iscsiadm:rw \
          -v /var/lib/calico:/var/lib/calico:ro \
          -v /var/lib/cni:/var/lib/cni:rw \
          -v /var/lib/docker:/var/lib/docker:rw \
          -v /var/log/pods:/var/log/pods:rw \
          --mount type=bind,source=/mnt,target=/mnt,bind-propagation=rshared \
          --mount type=bind,source=/var/lib/kubelet,target=/var/lib/kubelet,bind-propagation=rshared \
          $${KUBELET_IMAGE_URL}:$${KUBELET_IMAGE_TAG} \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/cni/net.d \
          --config=/etc/kubernetes/kubelet.config \
          --exit-on-lock-contention \
          --hostname-override=${domain_name} \
          %{~ if enable_tls_bootstrap ~}
          --kubeconfig=/var/lib/kubelet/kubeconfig \
          --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
          --rotate-certificates \
          %{~ else ~}
          --kubeconfig=/etc/kubernetes/kubeconfig \
          %{~ endif ~}
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=$${NODE_LABELS} \
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStart=docker logs -f kubelet
        ExecStop=docker stop kubelet
        ExecStopPost=docker rm kubelet
        Restart=always
        RestartSec=5
        [Install]
        WantedBy=multi-user.target
storage:
  files:
    - path: /etc/kubernetes/kubelet.env
      filesystem: root
      mode: 0644
      contents:
        inline: |
          KUBELET_IMAGE_URL=quay.io/poseidon/kubelet
          KUBELET_IMAGE_TAG=v1.19.4
          NODE_LABELS="${join(",", [for k, v in kubelet_labels : "${k}=${v}"])}"
    - path: /etc/hostname
      filesystem: root
      mode: 0644
      contents:
        inline:
          ${domain_name}
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      contents:
        inline: |
          fs.inotify.max_user_watches=16184
    - path: /etc/kubernetes/configure-kubelet-cgroup-driver
      filesystem: root
      mode: 0744
      contents:
        inline: |
          #!/bin/bash
          set -e
          readonly docker_cgroup_driver="$(docker info -f '{{.CgroupDriver}}')"
          cat <<EOF >/etc/kubernetes/kubelet.config
          apiVersion: kubelet.config.k8s.io/v1beta1
          kind: KubeletConfiguration
          cgroupDriver: "$${docker_cgroup_driver}"
          EOF
passwd:
  users:
    - name: core
      ssh_authorized_keys: ${ssh_keys}