External etcd support (#68)

* initial external etcd support

add some specs for master config generator

add etcd cert support

use certs for external etcd

* add note why we need the kubeadm beta binary

* make config struct to use schema validation in constructor

* cleanup master config spec

* download kubeadm directly, with possibility to override version

* use collected cpu arch info for downloading kubeadm

* document external etcd details

* add etcd endpoints info

* lowercase etcd

.gitignore

@@ -6,3 +6,5 @@
 /pkg/
 /spec/reports/
 /tmp/
+/examples/vagrant/.vagrant/
+

README.md

@@ -50,6 +50,25 @@ You can view full sample of cluster.yml [here](./cluster.example.yml).
 - `pod_network_cidr` - IP address range for the pod network. (default "10.32.0.0/12")
 - `trusted_subnets` - array of trusted subnets where overlay network can be used without IPSEC.
 
+## Using external etcd
+
+Kupo can spin up Kubernetes using an externally managed etcd. In this case you need to define the external etcd details in your `cluster.yml` file:
+
+```yaml
+etcd:
+  endpoints:
+    - https://etcd-1.example.com:2379
+    - https://etcd-2.example.com:2379
+    - https://etcd-3.example.com:2379
+  certificate: ./etcd_certs/client.pem
+  key: ./etcd_certs/client-key.pem
+  ca_certificate: ./etcd_certs/ca.pem
+```
+
+You need to specify all etcd peer endpoints in the list.
+
+Certificate and corresponding key is used to authenticate the access to etcd. The paths used are relative to the path where the `cluster.yml` file was loaded from.
+
 ## Addons
 
 Kupo includes common functionality as addons. Addons can be enabled by introducing and enabling them in `cluster.yml`.

examples/vagrant/README.md

@@ -13,10 +13,37 @@ $ kubectl get nodes
 
 ## Teardown
 
+Complete teardown:
 ```sh
 $ vagrant destroy
 ```
 
+"Soft" teardown, stops and removes all kube related configs/pods etc.:
+```sh
+ssh -i ~/.vagrant.d/insecure_private_key vagrant@192.168.100.100 sudo kubeadm reset
+ssh -i ~/.vagrant.d/insecure_private_key vagrant@192.168.100.101 sudo kubeadm reset
+ssh -i ~/.vagrant.d/insecure_private_key vagrant@192.168.100.102 sudo kubeadm reset
+```
+
+### Testing etcd with certs
+
+`etcd_certs` dir has suitable certs for local testing, assuming etcd running on the same host as kube master components.
+
+Setup etcd on host-00:
+```sh
+$ vagrant up
+$ ssh -i ~/.vagrant.d/insecure_private_key vagrant@192.168.100.100
+
+vagrant@host-00:~$ sudo docker run -d -v /vagrant/etcd_certs:/certs  -p 2379:2379   -p 2380:2380   -v /tmp/etcd-data.tmp:/etcd-data   --name etcd   gcr.io/etcd-development/etcd:v3.3.2   /usr/local/bin/etcd   --name s1   --data-dir /etcd-data   --listen-client-urls https://0.0.0.0:2379   --advertise-client-urls https://127.0.0.1:2379   --listen-peer-urls http://0.0.0.0:2380   --initial-advertise-peer-urls http://0.0.0.0:2380   --initial-cluster s1=http://0.0.0.0:2380   --initial-cluster-token tkn --cert-file=/certs/server.pem --key-file=/certs/server-key.pem --client-cert-auth --trusted-ca-file=/certs/ca.pem
+```
+
+```
+$ kupo up -c cluster-external-etcd.yml
+$ export KUBECONFIG=~/.kupo/192.168.100.100
+$ kubectl get nodes
+```
+
+
 ## License
 
 Copyright (c) 2018 Kontena, Inc.

examples/vagrant/cluster-external-etcd.yml

@@ -0,0 +1,37 @@
+hosts:
+  - address: 192.168.100.100
+    private_address: 192.168.100.100 # just to advertise correct ip with vagrant
+    user: vagrant
+    role: master
+    ssh_key_path: ~/.vagrant.d/insecure_private_key
+    container_runtime: docker
+  - address: 192.168.100.101
+    user: vagrant
+    role: worker
+    ssh_key_path: ~/.vagrant.d/insecure_private_key
+    container_runtime: docker
+  - address: 192.168.100.102
+    user: vagrant
+    role: worker
+    ssh_key_path: ~/.vagrant.d/insecure_private_key
+    container_runtime: docker
+network:
+  pod_network_cidr: 10.32.0.0/16
+  trusted_subnets:
+    - 192.168.100.0/24
+etcd:
+  endpoints:
+    - https://127.0.0.1:2379
+  certificate: ./etcd_certs/client.pem
+  key: ./etcd_certs/client-key.pem
+  ca_certificate: ./etcd_certs/ca.pem
+addons:
+  ingress-nginx:
+    enabled: false
+    configmap:
+      map-hash-bucket-size: "128"
+  kured:
+    enabled: false
+  host-upgrades:
+    enabled: false
+    interval: 7d

examples/vagrant/etcd_certs/ca-config.json

@@ -0,0 +1,35 @@
+{
+    "signing": {
+        "default": {
+            "expiry": "43800h"
+        },
+        "profiles": {
+            "server": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth",
+                    "client auth"
+                ]
+            },
+            "client": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "client auth"
+                ]
+            },
+            "peer": {
+                "expiry": "43800h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth",
+                    "client auth"
+                ]
+            }
+        }
+    }
+}

examples/vagrant/etcd_certs/ca-csr.json

@@ -0,0 +1,7 @@
+{
+    "CN": "etcd",
+    "key": {
+        "algo": "rsa",
+        "size": 2048
+    }
+}

examples/vagrant/etcd_certs/ca-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEApThaS0tQBtlLoPcAXDie2RSjm53TWyNbRMmXWvAfzDLhoIRd
+cUy41+NX5LUilspYivlUASbpriJ7YPkqQJFlnqsRV9mtaAH/q7vhE5hv/YcjNoso
+bwtwFEjMkkzRIN6fLFlQveKUOyxyPAEXX//d7u0L5dCMBufCN+/C7MYpjb+0k4Cj
+Jjh0NkG785NhwHjEI5yiFw6yxXQ1zWXeILb2VDZLF1Sj4qzekG7I8sJlpj2jrUP3
+kt0kSkS8JQdJfXD5RvYTP7aD1Wzl9K4aPBtQkXk86dVESZAP/tSrz1JqFTcOZekO
+JaLig0T+nHKxjbZgqGRHJR6v+rutI6lCL2K/NQIDAQABAoIBAF2rJC3ZxcYMPX9F
+abPe+deyhsr74E6kLeNCsweAaVaYZihdwqgwSf9DSZpFQxXgI/CuR/zbNdJehDpH
+KLgwdj9NVujKZTA5Kd0QCBvW6W7/xWvv2v2Rq3okh65N1KZg8DbxcAAnS8h8e0sf
+h0QKyKTjSUKCSFDF5etWh9k6w2Yzpqhw9KyPPkShfv7LvCSJoTwcS/5U4E9WHlrp
+9JPJBfrdOO6qDNZuiyq0OIYaocLqKISL6RNXMECZo4XXPCXQe8rBvu9/Hqm8ymAj
+whQebB2ab9UjfUDJ5i5soP5pZM92HslS14NUYMtsm5pkYnBKwI9u7zkp3exxbJh+
+UlC1IYECgYEAwXsXcvvFlum5gwjCJAImeTLydv+nrN/r4e9ah5jp2qCCPUp7LGO3
+z3TQg4tyJdLqNxREMLfIvUJ7/M67i3m7lOXRCzTCcSSJDbeVEA8GnFr6k89w1Vx8
+o2CplDKavs8fae7cCEst51GoY22eSWJpNJmZlUK1zKFGXdANEsasLaECgYEA2puC
+uM5Ldh8J6NbKMW3VWZxePTxJKfw5tRJw5qNEiP/rc4viHgLvAyblBEF/8XYMgj+M
+qs/AKRqi2Cid0RCtna6yBlUXC7umL08LpNvSsFAbshj4gvztyLxT0QQyT3xIejnX
+mTd3cKusVgN/jNcaicEd5QdTdZwBw2yyhilZYRUCgYBTHggS02oszLdvPUH5qhrR
+EjvrNyTXNVLmOqcPfXdo/m802VxU03nRW4OAH1WoPhV0F/a7XxiThY4yKrWS03bs
+HlZRlBa7+FAQXn9g6LOUU9k1ynXUkujQXuQ60Ap+UghSv9Qyk+liaEgIfrzzFZ3Q
+hPPflUr4X4gVIR2cpVCuQQKBgF+CW/2UHAISk4jH9vTbkMAjAkVsxmZyjV/gG7WY
+lYPplBwafIMyMuzEnIBcgaKkOdjaHQIv3DvZKFaagEDsMX5X6e28VWJJ7NR0i5jO
+deGUTlVkdYb9LIJsTY5fb/+sRBoqlVialDOEvbmis6J8BFs1JXN/3OXgcCDKp8DX
+5fX1AoGAGI6DGYq1+bQ2Hj9aUtoPQeb+s4aKU3KdPOjhRzT41Z7LjhkBsVkqwCRN
+c5bVo6AZg6xcHAvhdeAQwTF06f3EpFIYbQDwaE2VIKqbcaynfIcrJC/PqhYpssDu
+n64Tc1qa27JJge4PC6K0ImkSS1Uw9x8m0Pr5tYX7ChzMibdohlc=
+-----END RSA PRIVATE KEY-----

examples/vagrant/etcd_certs/ca.csr

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICVDCCATwCAQAwDzENMAsGA1UEAxMEZXRjZDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAKU4WktLUAbZS6D3AFw4ntkUo5ud01sjW0TJl1rwH8wy4aCE
+XXFMuNfjV+S1IpbKWIr5VAEm6a4ie2D5KkCRZZ6rEVfZrWgB/6u74ROYb/2HIzaL
+KG8LcBRIzJJM0SDenyxZUL3ilDsscjwBF1//3e7tC+XQjAbnwjfvwuzGKY2/tJOA
+oyY4dDZBu/OTYcB4xCOcohcOssV0Nc1l3iC29lQ2SxdUo+Ks3pBuyPLCZaY9o61D
+95LdJEpEvCUHSX1w+Ub2Ez+2g9Vs5fSuGjwbUJF5POnVREmQD/7Uq89SahU3DmXp
+DiWi4oNE/pxysY22YKhkRyUer/q7rSOpQi9ivzUCAwEAAaAAMA0GCSqGSIb3DQEB
+CwUAA4IBAQBbje7Bb5yXGi1UzYgtVucLl6EL676IJ+NTahTU4YEKc81HCi8zQ0B/
+EFFXDafdpwmDExPKlnK4yKGFoobIyFOyZ3j05OVUd6Cpuwoxz9UCL25+TOyWR+OO
+6b4tzf2hB6JizgZJhkfnLWg+uOAdyp50kkpaTiOUl6dLlmVo/9RtrLFyvivp2M+B
+SLEoT853/Jj9JXiWxo+mAU3Xa4cx7VZR4WP7yK+WPTsM3cij8MaDIz0HRjZCOK8L
+3hC+c4dzP1QYjokNTQQHw44Tqnr95+0jm+i41gLRGJY2+80pr8BnwIPfKzoTHvOI
+yhrbXbgGEpWeT7y3bdVntrsyc6zmVEnq
+-----END CERTIFICATE REQUEST-----

examples/vagrant/etcd_certs/ca.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7jCCAdagAwIBAgIUDjOJYLq55ckKIGxWdT3AbAi8NWUwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAxMEZXRjZDAeFw0xODAzMTUwNzM2MDBaFw0yMzAzMTQwNzM2
+MDBaMA8xDTALBgNVBAMTBGV0Y2QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQClOFpLS1AG2Uug9wBcOJ7ZFKObndNbI1tEyZda8B/MMuGghF1xTLjX41fk
+tSKWyliK+VQBJumuIntg+SpAkWWeqxFX2a1oAf+ru+ETmG/9hyM2iyhvC3AUSMyS
+TNEg3p8sWVC94pQ7LHI8ARdf/93u7Qvl0IwG58I378LsximNv7STgKMmOHQ2Qbvz
+k2HAeMQjnKIXDrLFdDXNZd4gtvZUNksXVKPirN6QbsjywmWmPaOtQ/eS3SRKRLwl
+B0l9cPlG9hM/toPVbOX0rho8G1CReTzp1URJkA/+1KvPUmoVNw5l6Q4louKDRP6c
+crGNtmCoZEclHq/6u60jqUIvYr81AgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBT8f31uN+FecEg3rrtaECc82LmLvzAN
+BgkqhkiG9w0BAQsFAAOCAQEAKHJkNwLkY8d6ux/VWQqNWusEUv92pGeKrqSeRvVZ
+x8UjxI1Tg5oaeft2K1P7+uyOQcTulOYF37tlrEcdUAP9GMLzgjLyUQoUujY+CdGn
+Gt9yy0k9lVA536bY+sLcy2reyMgrM0YO8Hvm4oVsLBQdKGHCE9f2qa7Rh1fMTez5
+dH30twNeDuV35ABS1svw0n5Lb1rTxZEw3z/jsJRL9nLWiKJhU60uCGZUrmfH1cqV
+3IH6OV75GIRkRvCmNaWr9LekxwaO5M+SxgO1B02jgP3vs+cyJJ02isgp1a0qXrpH
+y0k1AjC6vE+iXdCcgkzfgaaz0qNK72xXtW/WIrOLbpx1JQ==
+-----END CERTIFICATE-----

examples/vagrant/etcd_certs/client-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFSxEpZ1fota8RayFb6F9EPNH812RswALBD/+6ObGWAcoAoGCCqGSM49
+AwEHoUQDQgAEsbRt+xsQI6vhpePlK0kqxfxhPBy4FztvL9Dkv0L9N/XIfKz5D09J
++rY+ITzk4/cZ/B1v8ulDqvLw8O9IySjnyw==
+-----END EC PRIVATE KEY-----

examples/vagrant/etcd_certs/client.csr

@@ -0,0 +1,7 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIHLMHMCAQAwETEPMA0GA1UEAxMGY2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAEsbRt+xsQI6vhpePlK0kqxfxhPBy4FztvL9Dkv0L9N/XIfKz5D09J+rY+
+ITzk4/cZ/B1v8ulDqvLw8O9IySjny6AAMAoGCCqGSM49BAMCA0gAMEUCIQCxm7EJ
+6xTgw6XVj8BmwLP6iU4JSELyllIDXfwyZ6Go6QIgS++vFMoy77zYIlzlhcOfyyrG
+b5JKN4Ot2qARVoY5IyY=
+-----END CERTIFICATE REQUEST-----

examples/vagrant/etcd_certs/client.json

@@ -0,0 +1,7 @@
+{
+    "CN": "client",
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    }
+}

examples/vagrant/etcd_certs/client.pem

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWDCCAUCgAwIBAgIUCC5owiVgzjD9lpqFdDFpO94j+C4wDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAxMEZXRjZDAeFw0xODAzMTUwNzM3MDBaFw0yMzAzMTQwNzM3
+MDBaMBExDzANBgNVBAMTBmNsaWVudDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BLG0bfsbECOr4aXj5StJKsX8YTwcuBc7by/Q5L9C/Tf1yHys+Q9PSfq2PiE85OP3
+Gfwdb/LpQ6ry8PDvSMko58ujdTBzMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAK
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQv1vpTiEJ68g6PBBrT
+oaoICEPMmzAfBgNVHSMEGDAWgBT8f31uN+FecEg3rrtaECc82LmLvzANBgkqhkiG
+9w0BAQsFAAOCAQEAIuYXD9kNpUe084mx6sp79EwY/BfFdszrpRWXmZw6kwAc3KXM
+D0YPaRWxe1V7DKffU00ByrjFNqdG5WQpNhRjipKQMfvBDXFgHmjhPDwcN3IASNlS
+Q9eLlA9i6njpFGBKeb/LcyjxvD7TH5rTtINFr+nykE1oo5816hgJMPdcWfHtvMcF
+2HIenxLjgYJOILlvkZzxbUr7qq3pJLSud+WtM80l4EleCrR8HM0ieLaVfIPpX1nK
+Z7Zcxg1bP/LF5HlFR6MFK7VFc3SLJN0BYdXaYBKp1wDnI2+i6V0PCu0X7thNAHOs
+FGxVoXTQU/MzGuwuRn3ViEt2ObkCCvRffAfrXw==
+-----END CERTIFICATE-----

examples/vagrant/etcd_certs/config.json

@@ -0,0 +1,13 @@
+{
+    "CN": "127.0.0.1",
+    "hosts": [
+        "127.0.0.1"
+    ],
+    "key": {
+        "algo": "ecdsa",
+        "size": 256
+    },
+    "names": [
+    ]
+}
+

examples/vagrant/etcd_certs/server-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIN/o4L15HcxcnQ2R5paUMLnvAZ77Z5AkBSren0GcGyanoAoGCCqGSM49
+AwEHoUQDQgAE3KxCzMvETrNSoaqvWUmo8McZrrMngbRlo3Kjacs2Inl4n3Ikq3Pg
+CID9lN9Rn+pr7Y34KwbuUYj3KMJ5YVjbyg==
+-----END EC PRIVATE KEY-----

examples/vagrant/etcd_certs/server.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIHyMIGYAgEAMBQxEjAQBgNVBAMTCTEyNy4wLjAuMTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABNysQszLxE6zUqGqr1lJqPDHGa6zJ4G0ZaNyo2nLNiJ5eJ9yJKtz
+4AiA/ZTfUZ/qa+2N+CsG7lGI9yjCeWFY28qgIjAgBgkqhkiG9w0BCQ4xEzARMA8G
+A1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0EAwIDSQAwRgIhAKNIsF2gZGIwlKLqqiyE
+XJiCxaRcjNglvVy6mfsjDJwrAiEAqYvyLFN9UYuUK1yI/xqlXxITHXtsKBFzzlxh
+y71FdUk=
+-----END CERTIFICATE REQUEST-----

examples/vagrant/etcd_certs/server.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICeDCCAWCgAwIBAgIUE2Il1y7ZmXAYvC6v4n4s4/dBbeowDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAxMEZXRjZDAeFw0xODAzMTUwNzM5MDBaFw0yMzAzMTQwNzM5
+MDBaMBQxEjAQBgNVBAMTCTEyNy4wLjAuMTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABNysQszLxE6zUqGqr1lJqPDHGa6zJ4G0ZaNyo2nLNiJ5eJ9yJKtz4AiA/ZTf
+UZ/qa+2N+CsG7lGI9yjCeWFY28qjgZEwgY4wDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
+JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
+BBQJlHeMI9ro4h5Sj39VvqKJEwpWlzAfBgNVHSMEGDAWgBT8f31uN+FecEg3rrta
+ECc82LmLvzAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQB2w+uV
+MUndF3KalF5b0xe5SfPsMx7ZzU3ycZ0VuYZ81rlaE5yR26KVUXcRLYmRIzuwzdR3
+BektDmXKb9vVH8y+Rh2wLMCZ+UC5TLPWyuI3cmm7MumFDT82cWq8EMlJVDxzbgzD
+vJwR9Ae+TmsT2+8KHDhFLMh1YIKQKcFGhZvd9/kVPdlP0GaBq/8v/c4dGmCJuBkI
+qsS2rBrev72yZZzxFdjYwyqG4Z8Xr0PRMQD/UXb+G8GA8XABByiuyz/0XaDUmpcr
+/WAcYGK5ZFRUNS1ZtH2ndmKBNoN9Mxhh5LvWVBJMWrjUhkbioGbEj23WsrGfjEYR
+2LPO6FgNtVlZ5BO+
+-----END CERTIFICATE-----

lib/kupo/config.rb

@@ -2,14 +2,18 @@
 require_relative 'types'
 require_relative 'configuration/host'
 require_relative 'configuration/network'
+require_relative 'configuration/etcd'
 
 module Kupo
   class Config < Dry::Struct
     HOSTS_PER_DNS_REPLICA = 10
 
+    constructor_type :schema
+
     attribute :hosts, Types::Coercible::Array.of(Kupo::Configuration::Host)
     attribute :network, Kupo::Configuration::Network
     attribute :addons, Kupo::Types::Hash
+    attribute :etcd, Kupo::Configuration::Etcd
 
     # @return [Integer]
     def dns_replicas

lib/kupo/config_schema.rb

@@ -34,6 +34,12 @@ def self.messages
           optional(:pod_network_cidr).filled(:str?)
           optional(:trusted_subnets).each(type?: String)
         end
+        optional(:etcd).maybe.schema do
+          required(:endpoints).each(type?: String)
+          optional(:certificate).filled(:str?)
+          optional(:ca_certificate).filled(:str?)
+          optional(:key).filled(:str?)
+        end
         optional(:addons).value(type?: Hash)
 
         validate(network_dns_replicas: [:network, :hosts]) do |network, hosts|

lib/kupo/configuration/etcd.rb

@@ -0,0 +1,11 @@
+module Kupo::Configuration
+  class Etcd < Dry::Struct
+    constructor_type :schema
+
+    attribute :endpoints, Kupo::Types::Array.member(Kupo::Types::String)
+    attribute :version, Kupo::Types::String
+    attribute :certificate, Kupo::Types::String
+    attribute :key, Kupo::Types::String
+    attribute :ca_certificate, Kupo::Types::String
+  end
+end

lib/kupo/phases/base.rb

@@ -42,5 +42,13 @@ def ssh_exec_file(ssh, file)
         raise Kupo::ScriptExecError, "Script execution failed: #{file}"
       end
     end
+
+    def exec_script(script, vars = {})
+      file = File.realpath(File.join(__dir__, '..', 'scripts', script))
+      parsed_file = Kupo::Erb.new(File.read(file)).render(vars)
+      ssh_exec_file(@ssh, StringIO.new(parsed_file))
+    rescue Kupo::ScriptExecError
+      raise Kupo::ScriptExecError, "Failed to execute #{script}"
+    end
   end
 end

lib/kupo/phases/configure_host.rb

@@ -51,7 +51,9 @@ def call
 
       logger.info { "Configuring Kubernetes packages ..." }
       exec_script('configure-kube.sh', {
-        kube_version: KUBE_VERSION
+        kube_version: KUBE_VERSION,
+        kubeadm_version: ENV['KUBEADM_VERSION'] || KUBE_VERSION,
+        arch: @host.cpu_arch.name
       })
     end
 
@@ -63,14 +65,6 @@ def configure_repos
 
     # @param script [String]
     # @param vars [Hash]
-    def exec_script(script, vars = {})
-      file = File.realpath(File.join(__dir__, '..', 'scripts', script))
-      parsed_file = Kupo::Erb.new(File.read(file)).render(vars)
-      ssh_exec_file(@ssh, StringIO.new(parsed_file))
-    rescue Kupo::ScriptExecError
-      raise Kupo::ScriptExecError, "Failed to execute #{script}"
-    end
-
     def crio?
       @host.container_runtime == 'cri-o'
     end