#!/bin/sh
# Configure etcd on a Magnum master node: optionally prepare a dedicated
# data volume, install the systemd unit that runs etcd as a podman
# container, and render /etc/etcd/etcd.conf.yaml from the heat parameters.
#
# All inputs come from /etc/sysconfig/heat-params (ETCD_VOLUME_SIZE,
# ETCD_VOLUME, ETCD_TAG, CONTAINER_INFRA_PREFIX, KUBE_NODE_IP,
# INSTANCE_NAME, ETCD_DISCOVERY_URL, TLS_DISABLED and the *_PROXY values).
. /etc/sysconfig/heat-params

# Trace every command to stderr. Expanded values of the variables used on
# command lines show up in that trace, so whatever collects this output
# also sees those heat-params values.
set -x

# Device, mount and ownership work below is run through this ssh hop
# (root@localhost with a dedicated client config) rather than directly;
# presumably the script itself runs in a confined agent environment — confirm.
ssh_cmd="ssh -F /srv/magnum/.ssh/config root@localhost"

# Export the proxy settings only when they carry a value, so child
# processes (curl, ssh, podman) inherit them without exporting empties.
if [ -n "$HTTP_PROXY" ]; then
  export HTTP_PROXY
fi
if [ -n "$HTTPS_PROXY" ]; then
  export HTTPS_PROXY
fi
if [ -n "$NO_PROXY" ]; then
  export NO_PROXY
fi
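# Optional dedicated data volume for etcd. When ETCD_VOLUME_SIZE is a
# positive number, a block device whose /dev/disk/by-id name ends with the
# first 20 characters of ETCD_VOLUME is expected to appear; it is formatted
# as xfs unless it already is, and mounted on /var/lib/etcd. All device
# work goes through $ssh_cmd.
if [ -n "$ETCD_VOLUME_SIZE" ] && [ "$ETCD_VOLUME_SIZE" -gt 0 ]; then
  # by-id links carry only a 20-character prefix of the volume id. The
  # original ${ETCD_VOLUME:0:20} is a bash-only expansion under #!/bin/sh;
  # cut gives the same prefix portably.
  volume_prefix=$(printf '%s' "$ETCD_VOLUME" | cut -c1-20)
  if [ -z "$volume_prefix" ]; then
    # An empty prefix would turn the grep below into a match-everything
    # pattern and could format an unrelated device.
    echo "ERROR: ETCD_VOLUME is not set; cannot identify the etcd volume" >&2
    exit 1
  fi

  # Poll for the device, re-triggering udev between attempts (~30 s total).
  attempts=60
  device_name=""
  while [ "$attempts" -gt 0 ]; do
    # Anchor on the end of the name so a longer id sharing the prefix is
    # not picked. Several by-id aliases may point at the same disk; take
    # the first so device_path stays a single path.
    device_name=$($ssh_cmd ls /dev/disk/by-id | grep -e "${volume_prefix}\$" | head -n 1)
    if [ -n "$device_name" ]; then
      break
    fi
    echo "waiting for disk device"
    sleep 0.5
    $ssh_cmd udevadm trigger
    attempts=$((attempts - 1))
  done
  if [ -z "$device_name" ]; then
    echo "ERROR: disk device does not exist" >&2
    exit 1
  fi
  device_path="/dev/disk/by-id/${device_name}"

  # blkid exits non-zero on a device with no filesystem; treat that as
  # "unformatted" rather than as a failure.
  fstype=$($ssh_cmd blkid -s TYPE -o value "$device_path" || echo "")
  if [ "$fstype" != "xfs" ]; then
    # -f overwrites any existing non-xfs filesystem or stale signature on
    # the matched device, so the prefix match above must be exact.
    $ssh_cmd mkfs.xfs -f "$device_path"
  fi

  $ssh_cmd mkdir -p /var/lib/etcd
  # The fstab entry is written locally (not via $ssh_cmd) as in the
  # original; add it only once so re-running the script does not stack
  # duplicate lines.
  fstab_entry="${device_path} /var/lib/etcd xfs defaults 0 0"
  if ! grep -qF -- "$fstab_entry" /etc/fstab; then
    echo "$fstab_entry" >> /etc/fstab
  fi
  $ssh_cmd mount -a
  $ssh_cmd chown -R etcd:etcd /var/lib/etcd
  $ssh_cmd chmod 755 /var/lib/etcd
fi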
# Install the systemd unit that runs etcd as a podman container on the
# host network. The host CA bundle and /etc/etcd are mounted read-only;
# /var/lib/etcd is the only writable mount. Each "\\" in the unquoted
# here-document reaches the file as a single backslash, i.e. a systemd
# line continuation. The image comes from CONTAINER_INFRA_PREFIX (default
# k8s.gcr.io/) and ETCD_TAG; an unset ETCD_TAG yields an image reference
# with an empty tag.
unit_file=/etc/systemd/system/etcd.service
cat > "$unit_file" <<UNIT
[Unit]
Description=Etcd server
After=network-online.target
Wants=network-online.target
[Service]
ExecStartPre=mkdir -p /var/lib/etcd
ExecStartPre=-/bin/podman rm etcd
ExecStart=/bin/podman run \\
--name etcd \\
--volume /etc/pki/ca-trust/extracted/pem:/etc/ssl/certs:ro,z \\
--volume /etc/etcd:/etc/etcd:ro,z \\
--volume /var/lib/etcd:/var/lib/etcd:rshared,z \\
--net=host \\
${CONTAINER_INFRA_PREFIX:-"k8s.gcr.io/"}etcd:${ETCD_TAG} \\
/usr/local/bin/etcd \\
--config-file /etc/etcd/etcd.conf.yaml
ExecStop=/bin/podman stop etcd
[Install]
WantedBy=multi-user.target
UNIT
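# Determine the address etcd listens on and advertises. KUBE_NODE_IP
# normally comes from heat-params; as a fallback the EC2-compatible
# metadata service is asked for the primary IPv4 address.
if [ -z "$KUBE_NODE_IP" ]; then
  # FIXME(yuanying): Set KUBE_NODE_IP correctly
  # -f turns a non-2xx answer (e.g. an HTML error page) into an empty
  # result instead of writing that page into the config as the node IP;
  # --max-time bounds the wait when the metadata service is unreachable.
  KUBE_NODE_IP=$(curl -sf --max-time 10 http://169.254.169.254/latest/meta-data/local-ipv4)
fi
if [ -z "$KUBE_NODE_IP" ]; then
  # Without an address the listen/advertise URLs below would be "https://:2380".
  echo "ERROR: could not determine the node IP for etcd" >&2
  exit 1
fi
myip="${KUBE_NODE_IP}"
cert_dir="/etc/etcd/certs"

# TLS stays on unless the cluster was created with TLS_DISABLED exactly
# equal to the string "True".
protocol="https"
if [ "$TLS_DISABLED" = "True" ]; then
  protocol="http"
fi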
# Render the etcd configuration file. The "#" lines inside the
# here-documents are part of the written YAML and are kept verbatim.
#
# NOTE(review): besides $protocol://$myip, the client listener and the
# advertised client URLs include plain http://127.0.0.1:2379. The
# client-cert-auth setting appended below cannot apply to a plain-http
# listener, so any process with loopback access on this node reaches etcd
# without a certificate — confirm that is intended for this deployment.
# NOTE(review): the file is created with the default umask and carries
# ETCD_DISCOVERY_URL and, when set, HTTP_PROXY (which may embed
# credentials); check the resulting mode against who can read /etc/etcd.
etcd_conf=/etc/etcd/etcd.conf.yaml
cat > "$etcd_conf" <<ETCD_CONF
# This is the configuration file for the etcd server.
# Human-readable name for this member.
name: "${INSTANCE_NAME}"
# Path to the data directory.
data-dir: /var/lib/etcd/default.etcd
# List of comma separated URLs to listen on for peer traffic.
listen-peer-urls: "$protocol://$myip:2380"
# List of comma separated URLs to listen on for client traffic.
listen-client-urls: "$protocol://$myip:2379,http://127.0.0.1:2379"
# List of this member's peer URLs to advertise to the rest of the cluster.
# The URLs needed to be a comma-separated list.
initial-advertise-peer-urls: "$protocol://$myip:2380"
# List of this member's client URLs to advertise to the public.
# The URLs needed to be a comma-separated list.
advertise-client-urls: "$protocol://$myip:2379,http://127.0.0.1:2379"
# Discovery URL used to bootstrap the cluster.
discovery: "$ETCD_DISCOVERY_URL"
ETCD_CONF

# Route discovery traffic through the HTTP proxy when one is configured.
if [ -n "$HTTP_PROXY" ]; then
  cat >> "$etcd_conf" <<ETCD_PROXY
# HTTP proxy to use for traffic to discovery service.
discovery-proxy: $HTTP_PROXY
ETCD_PROXY
fi

# Client and peer TLS settings, both backed by the same server cert/key
# and CA under $cert_dir, with mutual authentication required.
# NOTE(review): this is only appended when TLS_DISABLED is exactly "False";
# any other value leaves protocol=https with no transport-security
# section — verify the caller only ever passes "True" or "False".
if [ "$TLS_DISABLED" = "False" ]; then
  cat >> "$etcd_conf" <<ETCD_TLS
client-transport-security:
# Path to the client server TLS cert file.
cert-file: $cert_dir/server.crt
# Path to the client server TLS key file.
key-file: $cert_dir/server.key
# Enable client cert authentication.
client-cert-auth: true
# Path to the client server TLS trusted CA cert file.
trusted-ca-file: $cert_dir/ca.crt
peer-transport-security:
# Path to the peer server TLS cert file.
cert-file: $cert_dir/server.crt
# Path to the peer server TLS key file.
key-file: $cert_dir/server.key
# Enable peer client cert authentication.
client-cert-auth: true
# Path to the peer server TLS trusted CA cert file.
trusted-ca-file: $cert_dir/ca.crt
ETCD_TLS
fi