way too much

Author: bakins

.gitignore

@@ -1,4 +1,5 @@
 *.tfstate
 *.tfstate.backup
 terraform.tfvars
-etcd_discovery_url.txt
+etcd_discovery_url.txt
+kube_token.txt

Makefile

@@ -1,12 +1,16 @@
-plan: etcd_discovery_url.txt
+plan: etcd_discovery_url.txt kube_token.txt
 terraform plan
 
 etcd_discovery_url.txt:
 curl -s https://discovery.etcd.io/new?size=3 > etcd_discovery_url.txt
 
 destroy:
 terraform destroy
-rm etcd_discovery_url.txt
+rm etcd_discovery_url.txt kube_token.txt
 
-apply: etcd_discovery_url.txt
+apply: etcd_discovery_url.txt kube_token.txt
 terraform apply
+
+kube_token.txt:
+openssl rand -base64 8 |md5 |head -c8 > kube_token.txt
+echo >> kube_token.txt

README.md

@@ -45,20 +45,15 @@ When you create a cluster, it will output something like:
 
 ```
 Outputs:
-
- kubernetes-api-server = http://<IP>:8080
-```
-
-You can use this to configure `kubectl`:
-
-```
-kubectl config set-cluster aws-test --insecure-skip-tls-verify=true --server=$kubernetes-api-server
-kubectl config set-context aws-test --cluster=aws-test
-kubectl config use-context aws-test
+ kubernetes-api-server =
+# Use these commands to configure kubectl
+kubectl config set-cluster testing --insecure-skip-tls-verify=true --server=IP
+kubectl config set-credentials admin --token='4c98e411'
+kubectl config set-context testing --cluster= testing --user=admin
+kubectl config use-context testing
 ```
 
-where $kubernetes-api-server is the url from the output.
-
+Run these commands to configure `kubectl`. You can see these commands again by running `terraform output kubernetes-api-server`
 
 Test this by running `kubectl get nodes`
 

kubernetes.tf

@@ -54,12 +54,30 @@ resource "aws_security_group" "kubernetes" {
  }
 }
 
-resource "aws_security_group_rule" "allow_all" {
+resource "aws_security_group_rule" "allow_ssh" {
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = "${aws_security_group.kubernetes.id}"
+}
+
+resource "aws_security_group_rule" "allow_kube_api" {
+ type = "ingress"
+ from_port = 6443
+ to_port = 6443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = "${aws_security_group.kubernetes.id}"
+}
+
+resource "aws_security_group_rule" "allow_all_cluster" {
  type = "ingress"
  from_port = 0
  to_port = 65535
  protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ source_security_group_id = "${aws_security_group.kubernetes.id}"
  security_group_id = "${aws_security_group.kubernetes.id}"
 }
 
@@ -76,13 +94,20 @@ resource "template_file" "kubernetes" {
  filename = "templates/kubernetes.sh"
 
  vars = {
- etcd_dicovery_url = "${replace(file("etcd_discovery_url.txt"), "/\n*/", "")}"
+ etcd_dicovery_url = "${replace(file("etcd_discovery_url.txt"), "/\n/", "")}"
  containers_cidr = "${var.containers_cidr}"
  kubernetes_version = "${var.kubernetes_version}"
  portal_net = "${var.portal_net}"
  }
 }
 
+resource "template_file" "tokens" {
+ filename = "templates/tokens.csv"
+
+ vars = {
+ token = "${replace(file("kube_token.txt"), "/\n/", "")}"
+ }
+}
 
 resource "aws_instance" "etcd" {
  ami = "${var.ami}"
@@ -147,6 +172,9 @@ resource "aws_instance" "master" {
 
  provisioner "remote-exec" {
  inline = [
+ "cat <<'EOF' > /tmp/tokens.csv\n${template_file.tokens.rendered}\nEOF",
+ "sudo mkdir -p mkdir /etc/kubernetes",
+ "sudo mv /tmp/tokens.csv /etc/kubernetes/tokens.csv",
  "echo 'PRIVATE_IP=${self.private_ip}' > /tmp/network.env",
  "echo 'PUBLIC_IP=${self.public_ip}' >> /tmp/network.env",
  "sudo mv /tmp/network.env /etc/network.env",
@@ -172,7 +200,7 @@ resource "aws_instance" "worker" {
  }
 
  tags {
- Name = "kubernetes-${var.cluster_name}-master"
+ Name = "kubernetes-${var.cluster_name}-worker"
  Cluster = "${var.cluster_name}"
  Role = "worker"
  }
@@ -195,7 +223,17 @@ resource "aws_instance" "worker" {
  }
 }
 
+resource "template_file" "kubectl-config" {
+ filename = "templates/kubectl-config.sh"
+ vars = {
+ cluster_name = "${var.cluster_name}"
+ token = "${replace(file("kube_token.txt"), "/\n/", "")}"
+ server = "${aws_instance.master.public_ip}"
+ }
+}
 
 output "kubernetes-api-server" {
- value = "http://${aws_instance.master.public_ip}:8080"
+ value = "${template_file.kubectl-config.rendered}"
 }
+
+

scripts/master.sh

@@ -17,9 +17,10 @@ cat <<EOF > /etc/systemd/system/etcd2.service.d/50-etcd.conf
 [Service]
 Environment=ETCD_PROXY=on
 EnvironmentFile=/etc/kubernetes.env
-EOF
 
-start etcd2
+[Install]
+WantedBy=multi-user.target
+EOF
 
 mkdir -p /opt/bin
 
@@ -29,25 +30,6 @@ chmod +x /opt/bin/install-kubernetes
 cp $DIR/wupiao /opt/bin/wupiao
 chmod +x /opt/bin/wupiao
 
-/opt/bin/wupiao http://127.0.0.1:2379/v2/members
-
-mkdir -p /etc/systemd/system/flanneld.service.d
-cat <<EOF > /etc/systemd/system/flanneld.service.d/50-network-config.conf
-[Unit]
-Requires=etcd2.service
-After=etcd2.service
-
-[Service]
-EnvironmentFile=/etc/kubernetes.env
-ExecStartPre=/opt/bin/wupiao http://127.0.0.1:2379/v2/members
-ExecStartPre=/usr/bin/etcdctl --no-sync set /coreos.com/network/config '{ "Network": "${KUBERNETES_CONTAINERS_CIDR}", "Backend":{"Type": "vxlan"} }'
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-start flanneld
-start docker
 
 cat <<EOF > /etc/systemd/system/install-kubernetes.service
 [Unit]
@@ -70,8 +52,8 @@ cat <<EOF > /etc/systemd/system/kube-apiserver.service
 [Unit]
 Description=Kubernetes API Server
 Documentation=https://github.com/GoogleCloudPlatform/kubernetes
-After=install-kubernetes.service
-Requires=install-kubernetes.service
+After=install-kubernetes.service docker.service flanneld.service
+Requires=install-kubernetes.service docker.service flanneld.service
 
 [Service]
 EnvironmentFile=/etc/kubernetes.env
@@ -82,6 +64,7 @@ ExecStart=/opt/bin/kube-apiserver \
  --etcd-servers=http://127.0.0.1:2379 \
  --logtostderr=true \
  --insecure-port=8080 \
+ --token_auth_file=/etc/kubernetes/tokens.csv \
  --v=2 \
  --portal-net=${KUBERNETES_PORTAL_NET}
 Restart=on-failure
@@ -91,7 +74,20 @@ RestartSec=10
 WantedBy=multi-user.target
 EOF
 
-start kube-apiserver
+mkdir -p /etc/systemd/system/flanneld.service.d
+cat <<EOF > /etc/systemd/system/flanneld.service.d/50-network-config.conf
+[Unit]
+Requires=etcd2.service
+After=etcd2.service
+
+[Service]
+EnvironmentFile=/etc/kubernetes.env
+ExecStartPre=/opt/bin/wupiao http://127.0.0.1:2379/v2/members
+ExecStartPre=/usr/bin/etcdctl --no-sync set /coreos.com/network/config '{ "Network": "${KUBERNETES_CONTAINERS_CIDR}", "Backend":{"Type": "vxlan"} }'
+
+[Install]
+WantedBy=multi-user.target
+EOF
 
 cat <<EOF > /etc/systemd/system/kube-scheduler.service
 [Unit]
@@ -114,8 +110,6 @@ RestartSec=10
 WantedBy=multi-user.target
 EOF
 
-start kube-scheduler
-
 cat <<EOF > /etc/systemd/system/kube-controller-manager.service
 [Unit]
 Description=Kubernetes Controller Manager
@@ -138,4 +132,6 @@ RestartSec=10
 WantedBy=multi-user.target
 EOF
 
-start kube-controller-manager
+for S in etcd2 flanneld kube-apiserver kube-scheduler kube-controller-manager; do
+ start $S
+done

templates/kubectl-config.sh

@@ -0,0 +1,7 @@
+
+# Use these commands to configure kubectl
+kubectl config set-cluster ${cluster_name} --insecure-skip-tls-verify=true --server=https://${server}:6443
+kubectl config set-credentials admin --token='${token}'
+kubectl config set-context ${cluster_name} --cluster=${cluster_name} --user=admin
+kubectl config use-context ${cluster_name}
+

templates/tokens.csv

@@ -0,0 +1 @@
+${token},admin,admin