This repository has been archived by the owner on Sep 30, 2020. It is now read-only.

Bash improvements #217

Merged
merged 5 commits into from
Jan 12, 2017
69 changes: 32 additions & 37 deletions config/templates/cloud-config-controller
Expand Up @@ -367,25 +367,23 @@ write_files:
owner: root:root
content: |
#!/bin/bash -e
/usr/bin/curl -H "Content-Type: application/yaml" -XPOST \
-d"$(cat /srv/kubernetes/manifests/kube-dns-de.yaml)" \
"http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/kube-system/deployments"

/usr/bin/curl -H "Content-Type: application/yaml" -XPOST \
-d"$(cat /srv/kubernetes/manifests/kube-dns-autoscaler-de.yaml)" \
"http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/kube-system/deployments"
post_yaml() {
/usr/bin/curl -H "Content-Type: application/yaml" -XPOST \
--data-binary "$1" "$2"
}

/usr/bin/curl -H "Content-Type: application/yaml" -XPOST \
-d"$(cat /srv/kubernetes/manifests/kube-dashboard-rc.yaml)" \
"http://127.0.0.1:8080/api/v1/namespaces/kube-system/replicationcontrollers"
mfdir=/srv/kubernetes/manifests
for manifest in $mfdir/{kube-dns-de,kube-dns-autoscaler-de,heapster-de}.yaml;do
post_yaml "@$mfdir/$manifest" \
"http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/kube-system/deployments"
done

/usr/bin/curl -H "Content-Type: application/yaml" -XPOST \
-d"$(cat /srv/kubernetes/manifests/heapster-de.yaml)" \
"http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/kube-system/deployments"
post_yaml "@$mfdir/kube-dashboard-rc.yaml" \
"http://127.0.0.1:8080/api/v1/namespaces/kube-system/replicationcontrollers"

for manifest in {kube-dns,heapster,kube-dashboard}-svc.yaml;do
/usr/bin/curl -H "Content-Type: application/yaml" -XPOST \
-d"$(cat /srv/kubernetes/manifests/$manifest)" \
post_yaml "@$mfdir/$manifest" \
"http://127.0.0.1:8080/api/v1/namespaces/kube-system/services"
done

Expand Down Expand Up @@ -415,7 +413,7 @@ write_files:
owner: root:root
content: |
#!/bin/bash -e
/usr/bin/curl -H "Content-Type: application/json" -XPOST -d @"/srv/kubernetes/manifests/calico-system.json" "http://127.0.0.1:8080/api/v1/namespaces"
/usr/bin/curl -H "Content-Type: application/json" -XPOST --data-binary @"/srv/kubernetes/manifests/calico-system.json" "http://127.0.0.1:8080/api/v1/namespaces"

/usr/bin/cp /srv/kubernetes/manifests/calico-policy-controller.yaml /etc/kubernetes/manifests
{{ end }}
Expand All @@ -426,34 +424,31 @@ write_files:
content: |
#!/bin/bash -e

sudo rkt run \
rkt run \
--volume=ssl,kind=host,source=/etc/kubernetes/ssl,readOnly=false \
--mount=volume=ssl,target=/etc/kubernetes/ssl \
--uuid-file-save=/var/run/coreos/decrypt-tls-assets.uuid \
--volume=dns,kind=host,source=/etc/resolv.conf,readOnly=true --mount volume=dns,target=/etc/resolv.conf \
--net=host \
--trust-keys-from-https \
{{.AWSCliImageRepo}}:{{.AWSCliTag}} --exec=/bin/bash -- \
-c \
'echo decrypting tls assets; \
for encKey in $(find /etc/kubernetes/ssl/*.pem.enc); do \
echo decrypting $encKey to $encKey.b64; \
-ec \
'echo decrypting tls assets
shopt -s nullglob
for encKey in /etc/kubernetes/ssl/*.pem.enc; do
echo decrypting $encKey
f=$(mktemp $encKey.XXXXXXXX)
/usr/bin/aws \
--region {{.Region}} kms decrypt \
--ciphertext-blob fileb://$encKey \
--output text \
--query Plaintext \
> $encKey.b64; \
done; \
| base64 -d > $f
mv -f $f ${encKey%.enc}
done;
echo done.'

sudo rkt rm --uuid-file=/var/run/coreos/decrypt-tls-assets.uuid

echo base64 decoding decrypted tls assets
for encKey in $(find /etc/kubernetes/ssl/*.pem.enc);do
base64 --decode < $encKey.b64 > ${encKey%.enc}
done
echo done.
rkt rm --uuid-file=/var/run/coreos/decrypt-tls-assets.uuid || :

- path: /opt/bin/taint-and-uncordon
owner: root:root
Expand All @@ -468,14 +463,14 @@ write_files:
-v /etc/resolv.conf:/etc/resolv.conf \
{{.HyperkubeImageRepo}}:{{.K8sVer}} /bin/bash \
-vxec \
'echo "tainting this node."; \
hostname="'${hostname}'"; \
kubectl="/kubectl --server=http://127.0.0.1:8080"; \
taint="$kubectl taint node --overwrite"; \
$taint "$hostname" "node.alpha.kubernetes.io/role=master:NoSchedule"; \
echo "done."; \
echo "uncordoning this node."; \
$kubectl uncordon "$hostname"; \
'echo "tainting this node."
hostname="'${hostname}'"
kubectl="/kubectl --server=http://127.0.0.1:8080"
taint="$kubectl taint node --overwrite"
$taint "$hostname" "node.alpha.kubernetes.io/role=master:NoSchedule"
echo "done."
echo "uncordoning this node."
$kubectl uncordon "$hostname"
echo "done."'

- path: /etc/kubernetes/manifests/kube-proxy.yaml
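Review bot: In the new deployments loop the brace expansion already produces full paths (`$mfdir/kube-dns-de.yaml` and so on), so `post_yaml "@$mfdir/$manifest"` prepends the directory a second time and curl is given a file that does not exist. Depending on the curl version that either aborts the script under `-e` or sends an empty POST, and in both cases the kube-dns, autoscaler and heapster deployments are not created. Iterating over bare names as the services loop below does, `for manifest in {kube-dns-de,kube-dns-autoscaler-de,heapster-de}.yaml; do`, fixes it. Adding `--fail` to the curl call in `post_yaml` would also make a 4xx/5xx reply from the API server stop the script instead of passing silently. The `path:` line of this write_files entry sits above the hunk, so the script's name is not visible here.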
73 changes: 35 additions & 38 deletions config/templates/cloud-config-worker
Expand Up @@ -442,34 +442,31 @@ write_files:
content: |
#!/bin/bash -e

sudo rkt run \
rkt run \
--volume=ssl,kind=host,source=/etc/kubernetes/ssl,readOnly=false \
--mount=volume=ssl,target=/etc/kubernetes/ssl \
--uuid-file-save=/var/run/coreos/decrypt-tls-assets.uuid \
--volume=dns,kind=host,source=/etc/resolv.conf,readOnly=true --mount volume=dns,target=/etc/resolv.conf \
--net=host \
--trust-keys-from-https \
{{.AWSCliImageRepo}}:{{.AWSCliTag}} --exec=/bin/bash -- \
-c \
'echo decrypting tls assets; \
for encKey in $(find /etc/kubernetes/ssl/*.pem.enc); do \
echo decrypting $encKey to $encKey.b64; \
-ec \
'echo decrypting tls assets
shopt -s nullglob
for encKey in /etc/kubernetes/ssl/*.pem.enc; do
echo decrypting $encKey
f=$(mktemp $encKey.XXXXXXXX)
/usr/bin/aws \
--region {{.Region}} kms decrypt \
--ciphertext-blob fileb://$encKey \
--output text \
--query Plaintext \
> $encKey.b64; \
done; \
| base64 -d > $f
mv -f $f ${encKey%.enc}
done;
echo done.'

sudo rkt rm --uuid-file=/var/run/coreos/decrypt-tls-assets.uuid

echo base64 decoding decrypted tls assets
for encKey in $(find /etc/kubernetes/ssl/*.pem.enc);do
base64 --decode < $encKey.b64 > ${encKey%.enc}
done
echo done.
rkt rm --uuid-file=/var/run/coreos/decrypt-tls-assets.uuid || :

{{if .Worker.SpotFleet.Enabled}}
- path: /opt/bin/tag-spot-instance
Expand All @@ -489,13 +486,13 @@ write_files:
--trust-keys-from-https \
--insecure-options=ondisk \
{{.AWSCliImageRepo}}:{{.AWSCliTag}} --exec=/bin/bash -- \
-vxc \
'echo tagging this spot instance; \
instance_id="'$instance_id'"; \
-vxec \
'echo tagging this spot instance
instance_id="'$instance_id'"
/usr/bin/aws \
--region {{.Region}} ec2 create-tags \
--resource $instance_id \
--tags '"'"'Key=KubernetesCluster,Value="{{.ClusterName}}"'"'"' '"'"'Key=Name,Value="{{.StackName}}-kube-aws-worker"'"'"' '"'"'Key="kube-aws:node-pool:name",Value="{{.NodePoolName}}"'"'"'; \
--tags '"'"'Key=KubernetesCluster,Value="{{.ClusterName}}"'"'"' '"'"'Key=Name,Value="{{.StackName}}-kube-aws-worker"'"'"' '"'"'Key="kube-aws:node-pool:name",Value="{{.NodePoolName}}"'"'"'
echo done.'

sudo rkt rm --uuid-file=/var/run/coreos/tag-spot-instance.uuid
Expand All @@ -517,15 +514,15 @@ write_files:
--trust-keys-from-https \
--insecure-options=ondisk \
{{.AWSCliImageRepo}}:{{.AWSCliTag}} --exec=/bin/bash -- \
-vxc \
'echo adding this spot instance to load balancers; \
instance_id="'$instance_id'"; \
lbs=({{range $i, $lb := .Experimental.LoadBalancer.Names}}"{{$lb}}" {{end}}); \
add_to_lb="/usr/bin/aws --region {{.Region}} elb register-instances-with-load-balancer --instances $instance_id --load-balancer-name"; \
for lb in ${lbs[@]}; do \
echo "$lb"; \
$add_to_lb "$lb"; \
done; \
-vxec \
'echo adding this spot instance to load balancers
instance_id="'$instance_id'"
lbs=({{range $i, $lb := .Experimental.LoadBalancer.Names}}"{{$lb}}" {{end}})
add_to_lb="/usr/bin/aws --region {{.Region}} elb register-instances-with-load-balancer --instances $instance_id --load-balancer-name"
for lb in ${lbs[@]}; do
echo "$lb"
$add_to_lb "$lb"
done
echo done.'

sudo rkt rm --uuid-file=/var/run/coreos/add-to-load-balancers.uuid
Expand All @@ -545,17 +542,17 @@ write_files:
-v /etc/resolv.conf:/etc/resolv.conf \
{{.HyperkubeImageRepo}}:{{.K8sVer}} /bin/bash \
-vxec \
'echo "tainting this node."; \
hostname="'${hostname}'"; \
taints=({{range $i, $taint := .Experimental.Taints}}"{{$taint.String}}" {{end}}); \
kubectl="/kubectl --server=https://{{.ExternalDNSName}}:443 --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml"; \
taint="$kubectl taint node --overwrite"; \
for t in ${taints[@]}; do \
$taint "$hostname" "$t"; \
done; \
echo "done."; \
echo "uncordoning this node."; \
$kubectl uncordon $hostname;\
'echo "tainting this node."
hostname="'${hostname}'"
taints=({{range $i, $taint := .Experimental.Taints}}"{{$taint.String}}" {{end}})
kubectl="/kubectl --server=https://{{.ExternalDNSName}}:443 --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml"
taint="$kubectl taint node --overwrite"
for t in ${taints[@]}; do
$taint "$hostname" "$t"
done
echo "done."
echo "uncordoning this node."
$kubectl uncordon $hostname
echo "done."'

- path: /etc/kubernetes/manifests/kube-proxy.yaml
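Review bot: In the rewritten decrypt loop the pipeline `aws … kms decrypt … | base64 -d > $f` reports only the exit status of `base64`, so `-ec` does not catch a failed or denied KMS call: the temp file is left empty and `mv -f $f ${encKey%.enc}` installs it as the key or certificate. Start the inline script with `set -o pipefail` and guard the move with `[ -s "$f" ] || exit 1`, so a failed decrypt stops the script instead of leaving an empty `.pem` in /etc/kubernetes/ssl. The same loop is added to the decrypt script in config/templates/cloud-config-controller. `$encKey` and `$f` are also expanded unquoted; `"$encKey"` and `"$f"` would be safer inside the single-quoted script.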