setup-microk8s.sh
#!/usr/bin/env bash
source ./scripts/lib/common.sh
# Trap errors and call the abort function (from common.sh) if they occur
trap 'abort' 0
# Terminate the script immediately if any command returns non-zero. The initial microk8s commands
# may return an error even when successful, so we wait until now to enable it.
set -e
if [ ! -f ~/.bash_aliases ]; then
  # Copy aliases to make life easier in the future; this provides the `kubectl` and `oc` aliases via the microk8s command
  cp ./bin/bash_aliases ~/.bash_aliases
  source ~/.bash_aliases
fi
if [ -z "$INSTALLER_USER" ]; then
  cat << EOF
This script will install MicroK8S and configure it for development with some basic services missing from vanilla MicroK8S.
Press any key to continue, Control-C to abort.
EOF
  # Wait for a key press
  read -n 1
fi
# The remaining bits of this script require root/superuser; are we the super user?
if [ "$EUID" -ne 0 ]; then
  # We are not currently running as the super user, so re-invoke ourselves using sudo.
  # We set INSTALLER_USER to our username so that this script can add the user to the microk8s group later.
  echo "This script must be executed as the super user, using sudo to run as super user ..."
  # Use exec to call ourselves via sudo, so sudo takes over this process and this script ceases to execute.
  # "$0" and "$@" are quoted so a script path or arguments containing spaces survive the re-exec.
  exec sudo INSTALLER_USER="$USER" "$0" "$@"
  echo SHOULD NEVER GET HERE!
  exit
fi
# Install MicroK8S using snap (this assumes we're running in Ubuntu 20.04 LTS)
echo Installing microk8s
snap install microk8s --classic
# If INSTALLER_USER is set, add the specified user to the microk8s group to allow running the microk8s command
# without sudo. If INSTALLER_USER is empty, don't do anything.
if [ -n "$INSTALLER_USER" ]; then
  echo Adding user to microk8s group if needed
  usermod -a -G microk8s "$INSTALLER_USER"
  # We are running under sudo at this point, so ~ expands to root's home. Resolve the invoking user's
  # home from the passwd database so their own ~/.kube is chowned rather than /root/.kube, and skip
  # the chown when the directory does not exist yet (otherwise set -e would abort the script).
  INSTALLER_HOME=$(getent passwd "$INSTALLER_USER" | cut -d: -f6)
  if [ -n "$INSTALLER_HOME" ] && [ -d "$INSTALLER_HOME/.kube" ]; then
    chown -f -R "$INSTALLER_USER" "$INSTALLER_HOME/.kube"
  fi
fi
# Install NFS common package as we'll need it to mount NFS shares for pods to have storage
echo Installing NFS client on host for NFS PV support later
apt-get install -y nfs-common
# Wait for microk8s to get started and become ready
microk8s status --wait-ready
# Install the rbac, dns and dashboard plugins
echo Enabling the RBAC authorization mode, CoreDNS for internal DNS services and the Kubernetes Dashboard
microk8s enable rbac dns dashboard
# Update the kube-apiserver command line arguments to support OIDC; this requires a restart.
# The append is guarded so that re-running this script does not add the flags a second time.
echo Injecting OIDC startup arguments for kube-apiserver to allow validation of Google OIDC logins
APISERVER_ARGS=/var/snap/microk8s/current/args/kube-apiserver
if ! grep -q -- '^--oidc-issuer-url=' "$APISERVER_ARGS"; then
  echo '--oidc-issuer-url=https://accounts.google.com
--oidc-client-id=1041391019449-oa5p8pd37qg006a2hiv9pnp05h2ecen5.apps.googleusercontent.com
--oidc-username-claim=email' >> "$APISERVER_ARGS"
fi
microk8s stop; microk8s start &
# While waiting for microk8s to restart, download the OpenShift client because we like it
if [ ! -f "/usr/local/bin/oc" ]; then
  # Unpack into a private temporary directory rather than ./t so a stale directory cannot interfere
  OC_TMP=$(mktemp -d)
  pushd "$OC_TMP" > /dev/null
  ## Arm64
  #wget https://mirror.openshift.com/pub/openshift-v4/aarch64/clients/ocp-dev-preview/latest/openshift-client-linux.tar.gz
  #tar zxf ./openshift-client-linux.tar.gz
  # Amd64
  wget https://mirror.openshift.com/pub/openshift-v4/aarch64/clients/ocp-dev-preview/latest/openshift-client-linux-amd64.tar.gz
  tar zxf ./openshift-client-linux-amd64.tar.gz
  mv oc /usr/local/bin/oc
  popd > /dev/null
  rm -rf "$OC_TMP"
fi
# Wait for microk8s to fully restart
microk8s status --wait-ready
# Retrieve the admin token. `oc whoami -t` only works when the current kubeconfig context carries a
# bearer token, so fall back to extracting the token from the microk8s kubeconfig when it does not.
AUTH_TOKEN=$(oc whoami -t 2>/dev/null || microk8s config | grep token | cut -f2 -d':' | cut -f2 -d' ')
# Do we need to create a wrapper script for 'microk8s kubectl' so plain `kubectl` use works? This should
# generally already have been handled by the installation of the `oc` command above.
if [ ! -f "/usr/local/bin/kubectl" ]; then
  echo "Creating kubectl wrapper since it doesn't exist"
  # Create wrapper in /usr/local/bin/kubectl; "$@" is quoted so arguments containing spaces pass through intact
  echo '#!/usr/bin/env bash' > /usr/local/bin/kubectl
  echo 'exec microk8s kubectl "$@"' >> /usr/local/bin/kubectl
  chown root: /usr/local/bin/kubectl
  chmod 0755 /usr/local/bin/kubectl
fi
# Create initial basic namespaces for installing 3rd party components considered essential
echo Processing kubernetes objects . . .
process_resource_directory resources/00_namespaces
process_resource_directory resources/00_secrets
# Create critical services: ingress router, storage, ect and wait for them to start
process_resource_directory resources/01_bootstrap
echo -n "Waiting for nfs storage provider pod to start"
wait_for_pod kube-storage k8s-app=nfs-client-provisioner 600
# Create the dashboard route and then wait the dashboard and route to become available
process_resource_directory resources/10_baseservices
echo Patching routes with TLS certificates . . .
kubectl patch route -n kube-system kubernetes-dashboard --patch-file=resources/00_secrets/wimsey_route.json.patch --type merge
kubectl patch route -n default kubernetes-api --patch-file=resources/00_secrets/wimsey_route.json.patch --type merge
kubectl patch route -n kube-oidc k8s-oidc-dash-proxy --patch-file=resources/00_secrets/wimsey_route.json.patch --type merge
kubectl patch route -n kuberos kuberos --patch-file=resources/00_secrets/wimsey_route.json.patch --type merge
kubectl patch route -n vault vault --patch-file=resources/00_secrets/wimsey_route.json.patch --type merge
kubectl patch route -n shackspace webroot --patch-file=resources/00_secrets/wimsey_route.json.patch --type merge
echo -n "Waiting for dashboard pod to start"
wait_for_pod kube-system k8s-app=kubernetes-dashboard 600
# Block until the named route reports an Admitted=True condition, printing a dot per second while waiting
wait_for_route() {
  local ns=$1 name=$2
  while [[ $(microk8s kubectl get route -n "$ns" "$name" -o 'jsonpath={..status.ingress[*].conditions[?(@.type=="Admitted")].status}') != "True" ]]; do echo -n . && sleep 1; done
}
echo -n "Waiting for base routes to become available: "
echo -n " API"
wait_for_route default kubernetes-api
echo -n " Dashboard-Token"
wait_for_route kube-system kubernetes-dashboard
echo -n " Dashboard-OIDC"
wait_for_route kube-oidc k8s-oidc-dash-proxy
echo
process_resource_directory resources/50_general
echo -n "Waiting for authentication system (vault pod) to start"
wait_for_pod vault k8s-app=vault 600
echo -n "Waiting for murmur server to start"
wait_for_pod murmur app=murmur 600
kubectl patch route -n dwimsey octoprint --patch-file=resources/50_secrets/wimsey_route.patch.json --type merge
echo Configuring vault authentication and kubernetes integration by logging into vault and running:
echo scripts/config-vault.sh
# Notify the user we're done and provide some basic instructions
cat << EOF
===============================================================================
Done!
===============================================================================
If this is the first time executing this script, you may need to logout and log back in again for all groups and
aliases to take effect.
===============================================================================
Web Dashboard
===============================================================================
To log in to the dashboard, visit https://k8s.wimsey.us in your browser and sign in with your @wimsey.us Google account,
or use the root token: visit https://k8s-token.wimsey.us in your browser and log in with the following administrator token:
$AUTH_TOKEN
===============================================================================
Remote oc
===============================================================================
If you have installed the 'oc' binary from an OpenShift distribution, the following command will log you in to this server:
oc login https://k8s-api.wimsey.us --token=$AUTH_TOKEN
===============================================================================
Remote kubectl
===============================================================================
If you wish to access this system using the oc or kubectl commands remotely, you can export the kubeconfig file with
the following commands:
ssh [email protected] microk8s config > ~/.kube/config
kubectl config set-cluster microk8s-cluster --server=https://k8s-api.wimsey.us
You may now run commands such as:
kubectl get pods --all-namespaces
Baseline services:
https://vault.wimsey.us - Hashicorp vault, Google for authentication, kubernetes integration enabled, all service accounts have basic login access and services by default
https://k8s.wimsey.us - Kubernetes dashboard using OIDC Auth via Google @wimsey.us accounts
https://k8s-token.wimsey.us - Direct route to kubernetes dashboard using token auth
https://kuberos.wimsey.us - OIDC Keys for Kubernetes authentication in kubectl
Murmur - Real time audio conferencing
Enjoy!
EOF
trap : 0
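The script above appends the OIDC flags to kube-apiserver's args file with a plain `>>`, and a duplicated `--oidc-*` flag is the kind of drift that only shows up when the API server fails to come back or silently takes the last value. The following is an added example, not part of setup-microk8s.sh or its repository: a small verification routine that checks an args file contains each required OIDC flag exactly once and that the issuer URL is https. The path `/var/snap/microk8s/current/args/kube-apiserver` from the script is the real target; the files built here by `make_sample` are constructed stand-ins with a placeholder client ID, so the example runs offline.

```shell
#!/usr/bin/env bash
# Added example (not part of setup-microk8s.sh): verify that the OIDC flags the setup
# script appends to kube-apiserver's args file are present exactly once, so an
# unguarded re-run that appended duplicates is caught before the API server restarts.

# Count how many lines in file $1 set the flag named in $2 (e.g. --oidc-issuer-url).
# grep -c exits 1 when the count is 0, so || true keeps the function's status clean.
count_flag() {
  local file=$1 flag=$2
  grep -c -- "^${flag}=" "$file" || true
}

# Return 0 when every required OIDC flag appears exactly once and the issuer uses
# https; print the offending flag and return 1 otherwise.
check_oidc_args() {
  local file=$1 flag n
  for flag in --oidc-issuer-url --oidc-client-id --oidc-username-claim; do
    n=$(count_flag "$file" "$flag")
    if [ "$n" -ne 1 ]; then
      echo "$flag appears $n times in $file (expected 1)"
      return 1
    fi
  done
  if ! grep -q -- '^--oidc-issuer-url=https://' "$file"; then
    echo "--oidc-issuer-url must use https"
    return 1
  fi
  return 0
}

# Build a constructed sample args file at $1 (not the real /var/snap/microk8s path),
# appending the OIDC block $2 times: 1 mirrors a correct run, 2 a doubled append.
make_sample() {
  local dest=$1 repeat=$2 i
  printf '%s\n' '--cert-dir=${SNAP_DATA}/certs' '--authorization-mode=RBAC,Node' > "$dest"
  for ((i = 0; i < repeat; i++)); do
    printf '%s\n' '--oidc-issuer-url=https://accounts.google.com' \
      '--oidc-client-id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com' \
      '--oidc-username-claim=email' >> "$dest"
  done
}

good=$(mktemp); bad=$(mktemp)
make_sample "$good" 1
make_sample "$bad" 2      # simulates running the unguarded append twice
check_oidc_args "$good" && echo "ok: $good has each OIDC flag exactly once"
check_oidc_args "$bad" || echo "duplicate flags detected in $bad"
rm -f "$good" "$bad"
```

Run it against the real file with `check_oidc_args /var/snap/microk8s/current/args/kube-apiserver` after the script's OIDC step and before `microk8s start`; a non-zero status means the args file should be repaired rather than restarted into.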