-
Notifications
You must be signed in to change notification settings - Fork 0
/
run.sh
executable file
·268 lines (242 loc) · 9.08 KB
/
run.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
#!/bin/bash
set -e
# Logging helper functions
info()
{
echo "INFO:" "$@" 1>&2
}
error()
{
echo "ERROR:" "$@" 1>&2
}
warn()
{
echo "WARN:" "$@" 1>&2
}
# Print all given arguments
if [ $# -ne 0 ]; then
info "Arguments: $(echo $@ | sed -e 's/\(token\s\)\w*/\1REDACTED/')"
fi
if [ "$1" = "--" ]; then
shift 1
exec "$@"
fi
if [ "$CLUSTER_CLEANUP" = true ]; then
exec agent
fi
get_address()
{
local address=$1
# If nothing is given, return empty (it will be automatically determined later if empty)
if [ -z $address ]; then
echo ""
# If given address is a network interface on the system, retrieve configured IP on that interface (only the first configured IP is taken)
elif [ -n "$(find /sys/devices -name $address)" ]; then
echo $(ip addr show dev $address | grep -w inet | awk '{print $2}' | cut -f1 -d/ | head -1)
# Loop through cloud provider options to get IP from metadata, if not found return given value
else
case $address in
awslocal)
echo $(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
;;
awspublic)
echo $(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
;;
doprivate)
echo $(curl -s http://169.254.169.254/metadata/v1/interfaces/private/0/ipv4/address)
;;
dopublic)
echo $(curl -s http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address)
;;
azprivate)
echo $(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/privateIpAddress?api-version=2017-08-01&format=text")
;;
azpublic)
echo $(curl -s -H Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-08-01&format=text")
;;
gceinternal)
echo $(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip)
;;
gceexternal)
echo $(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
;;
packetlocal)
echo $(curl -s https://metadata.packet.net/2009-04-04/meta-data/local-ipv4)
;;
packetpublic)
echo $(curl -s https://metadata.packet.net/2009-04-04/meta-data/public-ipv4)
;;
ipify)
echo $(curl -s https://api.ipify.org)
;;
*)
echo $address
;;
esac
fi
}
check_url()
{
local url=$1
local err
err=$(curl --insecure -sS -fL -o /dev/null --stderr - $url | head -n1 ; exit ${PIPESTATUS[0]})
if [ $? -eq 0 ]
then
echo ""
else
echo ${err} | sed -e 's/^curl: ([0-9]\+) //'
fi
}
check_x509_cert()
{
local cert=$1
local err
err=$(openssl x509 -in $cert -noout 2>&1)
if [ $? -eq 0 ]
then
echo ""
else
echo ${err}
fi
}
export CATTLE_ADDRESS
export CATTLE_AGENT_CONNECT
export CATTLE_INTERNAL_ADDRESS
export CATTLE_NODE_NAME
export CATTLE_ROLE
export CATTLE_SERVER
export CATTLE_TOKEN
export CATTLE_NODE_LABEL
export CATTLE_WRITE_CERT_ONLY
export CATTLE_NODE_TAINTS
while true; do
case "$1" in
-d | --debug) DEBUG=true ;;
-s | --server) shift; CATTLE_SERVER=$1 ;;
-t | --token) shift; CATTLE_TOKEN=$1 ;;
-c | --ca-checksum) shift; CATTLE_CA_CHECKSUM=$1 ;;
-a | --all-roles) ALL=true ;;
-e | --etcd) ETCD=true ;;
-w | --worker) WORKER=true ;;
-p | --controlplane) CONTROL=true ;;
-n | --node-name) shift; CATTLE_NODE_NAME=$1 ;;
-r | --no-register) CATTLE_AGENT_CONNECT=true ;;
-a | --address) shift; CATTLE_ADDRESS=$1 ;;
-i | --internal-address) shift; CATTLE_INTERNAL_ADDRESS=$1 ;;
-l | --label) shift; CATTLE_NODE_LABEL+=",$1" ;;
-o | --only-write-certs) CATTLE_WRITE_CERT_ONLY=true ;;
--taints) shift; CATTLE_NODE_TAINTS+=",$1" ;;
*) break;
esac
shift
done
if [ "$DEBUG" = true ]; then
set -x
fi
if [ "$CATTLE_CLUSTER" != "true" ]; then
if [ ! -w /var/run/docker.sock ] || [ ! -S /var/run/docker.sock ]; then
warn "Docker socket is not available!"
warn "Please bind mount in the docker socket to /var/run/docker.sock if docker errors occur"
warn "example: docker run -v /var/run/docker.sock:/var/run/docker.sock ..."
fi
fi
if [ -z "$CATTLE_NODE_NAME" ]; then
CATTLE_NODE_NAME=$(hostname -s)
fi
export CATTLE_ADDRESS=$(get_address $CATTLE_ADDRESS)
export CATTLE_INTERNAL_ADDRESS=$(get_address $CATTLE_INTERNAL_ADDRESS)
if [ -z "$CATTLE_ADDRESS" ]; then
# Example output: '8.8.8.8 via 10.128.0.1 dev ens4 src 10.128.0.34 uid 0'
CATTLE_ADDRESS=$(ip -o route get 8.8.8.8 | sed -n 's/.*src \([0-9.]\+\).*/\1/p')
fi
if [ "$CATTLE_K8S_MANAGED" != "true" ]; then
if [ -z "$CATTLE_TOKEN" ]; then
error -- --token is a required option
exit 1
fi
if [ -z "$CATTLE_ADDRESS" ]; then
error -- --address is a required option
exit 1
fi
fi
if [ "$ALL" = true ]; then
CATTLE_ROLE="etcd,worker,controlplane"
else
if [ "$ETCD" = true ]; then
CATTLE_ROLE="${CATTLE_ROLE},etcd"
fi
if [ "$WORKER" = true ]; then
CATTLE_ROLE="${CATTLE_ROLE},worker"
fi
if [ "$CONTROL" = true ]; then
CATTLE_ROLE="${CATTLE_ROLE},controlplane"
fi
fi
if [ -z "$CATTLE_DNS_SERVER" ];
then
echo "No DNS Address is set, continue using $CATTLE_SERVER as address"
else
echo "DNS Address was set: $CATTLE_DNS_SERVER"
CATTLE_SERVER=$CATTLE_DNS_SERVER
export CATTLE_SERVER=$CATTLE_DNS_SERVER
fi
if [ -z "$CATTLE_SERVER" ]; then
error -- --server is a required option
exit 1
fi
info "Environment: $(echo $(printenv | grep CATTLE | sort | sed -e 's/\(CATTLE_TOKEN=\).*/\1REDACTED/'))"
info "Using resolv.conf: $(echo $(cat /etc/resolv.conf | grep -v ^#))"
if grep -E -q '^nameserver 127.*.*.*|^nameserver localhost|^nameserver ::1' /etc/resolv.conf; then
warn "Loopback address found in /etc/resolv.conf, please refer to the documentation how to configure your cluster to resolve DNS properly"
fi
CATTLE_SERVER_PING="${CATTLE_SERVER}/ping"
err=$(check_url $CATTLE_SERVER_PING)
if [[ $err ]]; then
error "${CATTLE_SERVER_PING} is not accessible (${err})"
exit 1
else
info "${CATTLE_SERVER_PING} is accessible"
fi
# Extract hostname from URL
CATTLE_SERVER_HOSTNAME=$(echo $CATTLE_SERVER | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/')
CATTLE_SERVER_HOSTNAME_WITH_PORT=$(echo $CATTLE_SERVER | sed -e 's/[^/]*\/\/\([^@]*@\)\?\(.*\).*/\2/')
# Resolve IPv4 address(es) from hostname
RESOLVED_ADDR=$(getent ahostsv4 $CATTLE_SERVER_HOSTNAME | sed -n 's/ *STREAM.*//p')
# If CATTLE_SERVER_HOSTNAME equals RESOLVED_ADDR, its an IP address and there is nothing to resolve
if [ "${CATTLE_SERVER_HOSTNAME}" != "${RESOLVED_ADDR}" ]; then
info "${CATTLE_SERVER_HOSTNAME} resolves to $(echo $RESOLVED_ADDR)"
fi
if [ -n "$CATTLE_CA_CHECKSUM" ]; then
temp=$(mktemp)
curl --insecure -s -fL $CATTLE_SERVER/v3/settings/cacerts | jq -r '.value | select(length > 0)' > $temp
if [ ! -s $temp ]; then
error "The environment variable CATTLE_CA_CHECKSUM is set but there is no CA certificate configured at $CATTLE_SERVER/v3/settings/cacerts"
exit 1
fi
err=$(check_x509_cert $temp)
if [[ $err ]]; then
error "Value from $CATTLE_SERVER/v3/settings/cacerts does not look like an x509 certificate (${err})"
error "Retrieved cacerts:"
cat $temp
exit 1
else
info "Value from $CATTLE_SERVER/v3/settings/cacerts is an x509 certificate"
fi
CATTLE_SERVER_CHECKSUM=$(sha256sum $temp | awk '{print $1}')
if [ $CATTLE_SERVER_CHECKSUM != $CATTLE_CA_CHECKSUM ]; then
rm -f $temp
error "Configured cacerts checksum ($CATTLE_SERVER_CHECKSUM) does not match given --ca-checksum ($CATTLE_CA_CHECKSUM)"
error "Please check if the correct certificate is configured at $CATTLE_SERVER/v3/settings/cacerts"
exit 1
else
mkdir -p /etc/kubernetes/ssl/certs
mv $temp /etc/kubernetes/ssl/certs/serverca
chmod 755 /etc/kubernetes/ssl
chmod 700 /etc/kubernetes/ssl/certs
chmod 600 /etc/kubernetes/ssl/certs/serverca
mkdir -p /etc/docker/certs.d/$CATTLE_SERVER_HOSTNAME_WITH_PORT
cp /etc/kubernetes/ssl/certs/serverca /etc/docker/certs.d/$CATTLE_SERVER_HOSTNAME_WITH_PORT/ca.crt
fi
fi
[ -f /cattle-credentials/token ] && export CATTLE_TOKEN=$(cat /cattle-credentials/token)
exec tini -- agent