github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 22:17:14 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #90433 from joakimr-axis/joakimr-axis_configure-helper.sh

Browse Source 
Fix shellcheck w/e in cluster/gce/gci/configure-helper.sh
This commit is contained in:
Kubernetes Prow Robot 2020-08-27 19:05:47 -07:00 committed by GitHub
commit fd20de89d9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 149 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

276
cluster/gce/gci/configure-helper.sh
View File

@ -41,7 +41,7 @@ function convert-manifest-params {
for flag in "${FLAGS[@]}"; do for flag in "${FLAGS[@]}"; do
params+="\n\"$flag\"," params+="\n\"$flag\","
done done
if [ ! -z $params ]; then if [ -n "$params" ]; then
echo "${params::-1}" # drop trailing comma echo "${params::-1}" # drop trailing comma
fi fi
} }
@ -118,6 +118,8 @@ function gce-metadata-fw-helper {
;; ;;
esac esac
# Deliberately allow word split here
# shellcheck disable=SC2086
iptables ${command} OUTPUT -p tcp --dport 80 -d ${METADATA_SERVER_IP} -m owner ${invert:-} --uid-owner=${METADATA_SERVER_ALLOWED_UID_RANGE:-0-2999} -j ${action} iptables ${command} OUTPUT -p tcp --dport 80 -d ${METADATA_SERVER_IP} -m owner ${invert:-} --uid-owner=${METADATA_SERVER_ALLOWED_UID_RANGE:-0-2999} -j ${action}
} }
@ -171,7 +173,7 @@ function config-ip-firewall {
# node because we don't expect the daemonset to run on this node. # node because we don't expect the daemonset to run on this node.
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
echo "Add rule for metadata concealment" echo "Add rule for metadata concealment"
iptables -w -t nat -I PREROUTING -p tcp -d ${METADATA_SERVER_IP} --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988 iptables -w -t nat -I PREROUTING -p tcp -d "${METADATA_SERVER_IP}" --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
fi fi
# Log all metadata access not from approved processes. # Log all metadata access not from approved processes.
@ -200,7 +202,7 @@ function get-local-disk-num() {
local format="${2}" local format="${2}"
localdisknum=0 localdisknum=0
if [[ ! -z "${NODE_LOCAL_SSDS_EXT:-}" ]]; then if [[ -n "${NODE_LOCAL_SSDS_EXT:-}" ]]; then
IFS=";" read -r -a ssdgroups <<< "${NODE_LOCAL_SSDS_EXT:-}" IFS=";" read -r -a ssdgroups <<< "${NODE_LOCAL_SSDS_EXT:-}"
for ssdgroup in "${ssdgroups[@]}"; do for ssdgroup in "${ssdgroups[@]}"; do
IFS="," read -r -a ssdopts <<< "${ssdgroup}" IFS="," read -r -a ssdopts <<< "${ssdgroup}"
@ -246,13 +248,13 @@ function get-or-generate-uuid(){
fi fi
# each line of the ssdmap looks like "${device} persistent-uuid" # each line of the ssdmap looks like "${device} persistent-uuid"
if [[ ! -z $(grep ${device} ${ssdmap}) ]]; then local myuuid
if grep -q "${device}" "${ssdmap}"; then
#create symlink based on saved uuid #create symlink based on saved uuid
local myuuid=$(grep ${device} ${ssdmap} | cut -d ' ' -f 2) myuuid=$(grep "${device}" "${ssdmap}" | cut -d ' ' -f 2)
else else
# generate new uuid and add it to the map # generate new uuid and add it to the map
local myuuid=$(uuidgen) if ! myuuid=$(uuidgen); then
if [[ ! ${?} -eq 0 ]]; then
echo "Failed to generate valid UUID with uuidgen" >&2 echo "Failed to generate valid UUID with uuidgen" >&2
exit 2 exit 2
fi fi
@ -270,8 +272,10 @@ function get-or-generate-uuid(){
#Formats the given device ($1) if needed and mounts it at given mount point #Formats the given device ($1) if needed and mounts it at given mount point
# ($2). # ($2).
function safe-format-and-mount() { function safe-format-and-mount() {
local device="${1}" local device
local mountpoint="${2}" local mountpoint
device="$1"
mountpoint="$2"
# Format only if the disk is not already formatted. # Format only if the disk is not already formatted.
if ! tune2fs -l "${device}" ; then if ! tune2fs -l "${device}" ; then
@ -288,16 +292,19 @@ function safe-format-and-mount() {
# Gets a devices UUID and bind mounts the device to mount location in # Gets a devices UUID and bind mounts the device to mount location in
# /mnt/disks/by-id/ # /mnt/disks/by-id/
function unique-uuid-bind-mount(){ function unique-uuid-bind-mount(){
local mountpoint="${1}" local mountpoint
local actual_device="${2}" local actual_device
mountpoint="$1"
actual_device="$2"
# Trigger udev refresh so that newly formatted devices are propagated in by-uuid # Trigger udev refresh so that newly formatted devices are propagated in by-uuid
udevadm control --reload-rules udevadm control --reload-rules
udevadm trigger udevadm trigger
udevadm settle udevadm settle
# grep the exact match of actual device, prevents substring matching # find uuid for actual_device
local myuuid=$(ls -l /dev/disk/by-uuid/ | grep "/${actual_device}$" | tr -s ' ' | cut -d ' ' -f 9) local myuuid
myuuid=$(find -L /dev/disk/by-uuid -maxdepth 1 -samefile /dev/"${actual_device}" -printf '%P')
# myuuid should be the uuid of the device as found in /dev/disk/by-uuid/ # myuuid should be the uuid of the device as found in /dev/disk/by-uuid/
if [[ -z "${myuuid}" ]]; then if [[ -z "${myuuid}" ]]; then
echo "Failed to get a uuid for device ${actual_device} when mounting." >&2 echo "Failed to get a uuid for device ${actual_device} when mounting." >&2
@ -340,7 +347,8 @@ function mount-ext(){
# TODO: Handle partitioned disks. Right now this code just ignores partitions # TODO: Handle partitioned disks. Right now this code just ignores partitions
if [[ "${format}" == "fs" ]]; then if [[ "${format}" == "fs" ]]; then
if [[ "${interface}" == "scsi" ]]; then if [[ "${interface}" == "scsi" ]]; then
local actual_device=$(readlink -f "${ssd}" | cut -d '/' -f 3) local actual_device
actual_device=$(readlink -f "${ssd}" | cut -d '/' -f 3)
# Error checking # Error checking
if [[ "${actual_device}" != sd* ]]; then if [[ "${actual_device}" != sd* ]]; then
echo "'actual_device' is not of the correct format. It must be the kernel name of the device, got ${actual_device} instead" >&2 echo "'actual_device' is not of the correct format. It must be the kernel name of the device, got ${actual_device} instead" >&2
@ -350,7 +358,8 @@ function mount-ext(){
else else
# This path is required because the existing Google images do not # This path is required because the existing Google images do not
# expose NVMe devices in /dev/disk/by-id so we are using the /dev/nvme instead # expose NVMe devices in /dev/disk/by-id so we are using the /dev/nvme instead
local actual_device=$(echo ${ssd} | cut -d '/' -f 3) local actual_device
actual_device=$(echo "${ssd}" | cut -d '/' -f 3)
# Error checking # Error checking
if [[ "${actual_device}" != nvme* ]]; then if [[ "${actual_device}" != nvme* ]]; then
echo "'actual_device' is not of the correct format. It must be the kernel name of the device, got ${actual_device} instead" >&2 echo "'actual_device' is not of the correct format. It must be the kernel name of the device, got ${actual_device} instead" >&2
@ -362,7 +371,7 @@ function mount-ext(){
safe-format-and-mount "${ssd}" "${mountpoint}" safe-format-and-mount "${ssd}" "${mountpoint}"
# We only do the bindmount if users are using the new local ssd request method # We only do the bindmount if users are using the new local ssd request method
# see https://github.com/kubernetes/kubernetes/pull/53466#discussion_r146431894 # see https://github.com/kubernetes/kubernetes/pull/53466#discussion_r146431894
if [[ ! -z "${NODE_LOCAL_SSDS_EXT:-}" ]]; then if [[ -n "${NODE_LOCAL_SSDS_EXT:-}" ]]; then
unique-uuid-bind-mount "${mountpoint}" "${actual_device}" unique-uuid-bind-mount "${mountpoint}" "${actual_device}"
fi fi
elif [[ "${format}" == "block" ]]; then elif [[ "${format}" == "block" ]]; then
@ -381,7 +390,8 @@ function ensure-local-ssds() {
local i=0 local i=0
for ssd in /dev/disk/by-id/google-local-ssd-*; do for ssd in /dev/disk/by-id/google-local-ssd-*; do
if [ -e "${ssd}" ]; then if [ -e "${ssd}" ]; then
local devicenum=`echo ${ssd} | sed -e 's/\/dev\/disk\/by-id\/google-local-ssd-\([0-9]*\)/\1/'` local devicenum
devicenum=$(echo "${ssd}" | sed -e 's/\/dev\/disk\/by-id\/google-local-ssd-\([0-9]*\)/\1/')
if [[ "${i}" -lt "${scsiblocknum}" ]]; then if [[ "${i}" -lt "${scsiblocknum}" ]]; then
mount-ext "${ssd}" "${devicenum}" "scsi" "block" mount-ext "${ssd}" "${devicenum}" "scsi" "block"
else else
@ -410,8 +420,9 @@ function ensure-local-ssds() {
if [ -e "${ssd}" ]; then if [ -e "${ssd}" ]; then
# This workaround to find if the NVMe device is a disk is required because # This workaround to find if the NVMe device is a disk is required because
# the existing Google images does not expose NVMe devices in /dev/disk/by-id # the existing Google images does not expose NVMe devices in /dev/disk/by-id
if [[ `udevadm info --query=property --name=${ssd} | grep DEVTYPE | sed "s/DEVTYPE=//"` == "disk" ]]; then if [[ $(udevadm info --query=property --name="${ssd}" | grep DEVTYPE | sed "s/DEVTYPE=//") == "disk" ]]; then
local devicenum=`echo ${ssd} | sed -e 's/\/dev\/nvme0n\([0-9]*\)/\1/'` # shellcheck disable=SC2155
local devicenum=$(echo "${ssd}" | sed -e 's/\/dev\/nvme0n\([0-9]*\)/\1/')
if [[ "${i}" -lt "${nvmeblocknum}" ]]; then if [[ "${i}" -lt "${nvmeblocknum}" ]]; then
mount-ext "${ssd}" "${devicenum}" "nvme" "block" mount-ext "${ssd}" "${devicenum}" "nvme" "block"
else else
@ -506,7 +517,8 @@ function mount-master-pd {
# locations. # locations.
# Contains all the data stored in etcd. # Contains all the data stored in etcd.
mkdir -m 700 -p "${mount_point}/var/etcd" mkdir -p "${mount_point}/var/etcd"
chmod 700 "${mount_point}/var/etcd"
ln -s -f "${mount_point}/var/etcd" /var/etcd ln -s -f "${mount_point}/var/etcd" /var/etcd
mkdir -p /etc/srv mkdir -p /etc/srv
# Contains the dynamically generated apiserver auth certs and keys. # Contains the dynamically generated apiserver auth certs and keys.
@ -528,8 +540,8 @@ function append_or_replace_prefixed_line {
local -r file="${1:-}" local -r file="${1:-}"
local -r prefix="${2:-}" local -r prefix="${2:-}"
local -r suffix="${3:-}" local -r suffix="${3:-}"
local -r dirname="$(dirname ${file})" local -r dirname=$(dirname "${file}")
local -r tmpfile="$(mktemp -t filtered.XXXX --tmpdir=${dirname})" local -r tmpfile=$(mktemp -t filtered.XXXX --tmpdir="${dirname}")
touch "${file}" touch "${file}"
awk -v pfx="${prefix}" 'substr($0,1,length(pfx)) != pfx { print }' "${file}" > "${tmpfile}" awk -v pfx="${prefix}" 'substr($0,1,length(pfx)) != pfx { print }' "${file}" > "${tmpfile}"
@ -556,7 +568,7 @@ function create-node-pki {
CA_CERT_BUNDLE_PATH="${pki_dir}/ca-certificates.crt" CA_CERT_BUNDLE_PATH="${pki_dir}/ca-certificates.crt"
write-pki-data "${CA_CERT_BUNDLE}" "${CA_CERT_BUNDLE_PATH}" write-pki-data "${CA_CERT_BUNDLE}" "${CA_CERT_BUNDLE_PATH}"
if [[ ! -z "${KUBELET_CERT:-}" && ! -z "${KUBELET_KEY:-}" ]]; then if [[ -n "${KUBELET_CERT:-}" && -n "${KUBELET_KEY:-}" ]]; then
KUBELET_CERT_PATH="${pki_dir}/kubelet.crt" KUBELET_CERT_PATH="${pki_dir}/kubelet.crt"
write-pki-data "${KUBELET_CERT}" "${KUBELET_CERT_PATH}" write-pki-data "${KUBELET_CERT}" "${KUBELET_CERT_PATH}"
@ -575,7 +587,7 @@ function create-master-pki {
write-pki-data "${CA_CERT}" "${CA_CERT_PATH}" write-pki-data "${CA_CERT}" "${CA_CERT_PATH}"
# this is not true on GKE # this is not true on GKE
if [[ ! -z "${CA_KEY:-}" ]]; then if [[ -n "${CA_KEY:-}" ]]; then
CA_KEY_PATH="${pki_dir}/ca.key" CA_KEY_PATH="${pki_dir}/ca.key"
write-pki-data "${CA_KEY}" "${CA_KEY_PATH}" write-pki-data "${CA_KEY}" "${CA_KEY_PATH}"
fi fi
@ -620,7 +632,7 @@ function create-master-pki {
SERVICEACCOUNT_KEY_PATH="${pki_dir}/serviceaccount.key" SERVICEACCOUNT_KEY_PATH="${pki_dir}/serviceaccount.key"
write-pki-data "${SERVICEACCOUNT_KEY}" "${SERVICEACCOUNT_KEY_PATH}" write-pki-data "${SERVICEACCOUNT_KEY}" "${SERVICEACCOUNT_KEY_PATH}"
if [[ ! -z "${REQUESTHEADER_CA_CERT:-}" ]]; then if [[ -n "${REQUESTHEADER_CA_CERT:-}" ]]; then
REQUESTHEADER_CA_CERT_PATH="${pki_dir}/aggr_ca.crt" REQUESTHEADER_CA_CERT_PATH="${pki_dir}/aggr_ca.crt"
write-pki-data "${REQUESTHEADER_CA_CERT}" "${REQUESTHEADER_CA_CERT_PATH}" write-pki-data "${REQUESTHEADER_CA_CERT}" "${REQUESTHEADER_CA_CERT_PATH}"
@ -685,14 +697,15 @@ function create-master-auth {
fi fi
if [[ -n "${KONNECTIVITY_SERVER_TOKEN:-}" ]]; then if [[ -n "${KONNECTIVITY_SERVER_TOKEN:-}" ]]; then
append_or_replace_prefixed_line "${known_tokens_csv}" "${KONNECTIVITY_SERVER_TOKEN}," "system:konnectivity-server,uid:system:konnectivity-server" append_or_replace_prefixed_line "${known_tokens_csv}" "${KONNECTIVITY_SERVER_TOKEN}," "system:konnectivity-server,uid:system:konnectivity-server"
create-kubeconfig "konnectivity-server" ${KONNECTIVITY_SERVER_TOKEN} create-kubeconfig "konnectivity-server" "${KONNECTIVITY_SERVER_TOKEN}"
fi fi
if [[ -n "${EXTRA_STATIC_AUTH_COMPONENTS:-}" ]]; then if [[ -n "${EXTRA_STATIC_AUTH_COMPONENTS:-}" ]]; then
# Create a static Bearer token and kubeconfig for extra, comma-separated components. # Create a static Bearer token and kubeconfig for extra, comma-separated components.
IFS="," read -r -a extra_components <<< "${EXTRA_STATIC_AUTH_COMPONENTS:-}" IFS="," read -r -a extra_components <<< "${EXTRA_STATIC_AUTH_COMPONENTS:-}"
for extra_component in "${extra_components[@]}"; do for extra_component in "${extra_components[@]}"; do
local token="$(secure_random 32)" local token
token="$(secure_random 32)"
append_or_replace_prefixed_line "${known_tokens_csv}" "${token}," "system:${extra_component},uid:system:${extra_component}" append_or_replace_prefixed_line "${known_tokens_csv}" "${token}," "system:${extra_component},uid:system:${extra_component}"
create-kubeconfig "${extra_component}" "${token}" create-kubeconfig "${extra_component}" "${token}"
done done
@ -747,14 +760,14 @@ EOF
use_cloud_config="true" use_cloud_config="true"
if [[ -n "${NODE_TAGS:-}" ]]; then if [[ -n "${NODE_TAGS:-}" ]]; then
# split NODE_TAGS into an array by comma. # split NODE_TAGS into an array by comma.
IFS=',' read -r -a node_tags <<< ${NODE_TAGS} IFS=',' read -r -a node_tags <<< "${NODE_TAGS}"
else else
local -r node_tags="${NODE_INSTANCE_PREFIX}" local -r node_tags=("${NODE_INSTANCE_PREFIX}")
fi fi
cat <<EOF >>/etc/gce.conf cat <<EOF >>/etc/gce.conf
node-instance-prefix = ${NODE_INSTANCE_PREFIX} node-instance-prefix = ${NODE_INSTANCE_PREFIX}
EOF EOF
for tag in ${node_tags[@]}; do for tag in "${node_tags[@]}"; do
cat <<EOF >>/etc/gce.conf cat <<EOF >>/etc/gce.conf
node-tags = ${tag} node-tags = ${tag}
EOF EOF
@ -778,8 +791,8 @@ EOF
if [[ -n "${GCE_ALPHA_FEATURES:-}" ]]; then if [[ -n "${GCE_ALPHA_FEATURES:-}" ]]; then
use_cloud_config="true" use_cloud_config="true"
# split GCE_ALPHA_FEATURES into an array by comma. # split GCE_ALPHA_FEATURES into an array by comma.
IFS=',' read -r -a alpha_features <<< ${GCE_ALPHA_FEATURES} IFS=',' read -r -a alpha_features <<< "${GCE_ALPHA_FEATURES}"
for feature in ${alpha_features[@]}; do for feature in "${alpha_features[@]}"; do
cat <<EOF >>/etc/gce.conf cat <<EOF >>/etc/gce.conf
alpha-features = ${feature} alpha-features = ${feature}
EOF EOF
@ -1182,8 +1195,8 @@ function create-kubeconfig {
local component=$1 local component=$1
local token=$2 local token=$2
echo "Creating kubeconfig file for component ${component}" echo "Creating kubeconfig file for component ${component}"
mkdir -p /etc/srv/kubernetes/${component} mkdir -p "/etc/srv/kubernetes/${component}"
cat <<EOF >/etc/srv/kubernetes/${component}/kubeconfig cat <<EOF >"/etc/srv/kubernetes/${component}/kubeconfig"
apiVersion: v1 apiVersion: v1
kind: Config kind: Config
users: users:
@ -1251,7 +1264,7 @@ function create-master-kubelet-auth {
# set in the environment. # set in the environment.
if [[ -n "${KUBELET_APISERVER:-}" && -n "${KUBELET_CERT:-}" && -n "${KUBELET_KEY:-}" ]]; then if [[ -n "${KUBELET_APISERVER:-}" && -n "${KUBELET_CERT:-}" && -n "${KUBELET_KEY:-}" ]]; then
REGISTER_MASTER_KUBELET="true" REGISTER_MASTER_KUBELET="true"
create-kubelet-kubeconfig ${KUBELET_APISERVER} create-kubelet-kubeconfig "${KUBELET_APISERVER}"
fi fi
} }
@ -1373,12 +1386,10 @@ function assemble-docker-flags {
else else
docker_opts+=" --log-level=warn" docker_opts+=" --log-level=warn"
fi fi
local use_net_plugin="true"
if [[ "${NETWORK_PROVIDER:-}" == "kubenet" || "${NETWORK_PROVIDER:-}" == "cni" ]]; then if [[ "${NETWORK_PROVIDER:-}" == "kubenet" || "${NETWORK_PROVIDER:-}" == "cni" ]]; then
# set docker0 cidr to private ip address range to avoid conflict with cbr0 cidr range # set docker0 cidr to private ip address range to avoid conflict with cbr0 cidr range
docker_opts+=" --bip=169.254.123.1/24" docker_opts+=" --bip=169.254.123.1/24"
else else
use_net_plugin="false"
docker_opts+=" --bridge=cbr0" docker_opts+=" --bridge=cbr0"
fi fi
@ -1523,9 +1534,9 @@ EOF
# $2: the log owner uid to set for the log file. # $2: the log owner uid to set for the log file.
# $3: the log owner gid to set for the log file. # $3: the log owner gid to set for the log file.
function prepare-log-file { function prepare-log-file {
touch $1 touch "$1"
chmod 644 $1 chmod 644 "$1"
chown "${2:-${LOG_OWNER_USER:-root}}":"${3:-${LOG_OWNER_GROUP:-root}}" $1 chown "${2:-${LOG_OWNER_USER:-root}}":"${3:-${LOG_OWNER_GROUP:-root}}" "$1"
} }
# Prepares parameters for kube-proxy manifest. # Prepares parameters for kube-proxy manifest.
@ -1549,13 +1560,11 @@ function prepare-kube-proxy-manifest-variables {
# https://github.com/kubernetes/kubernetes/pull/70398 # https://github.com/kubernetes/kubernetes/pull/70398
local -r kernel_version=$(uname -r | cut -d\. -f1,2) local -r kernel_version=$(uname -r | cut -d\. -f1,2)
local conntrack_module="nf_conntrack" local conntrack_module="nf_conntrack"
if [[ $(printf "${kernel_version}\n4.18\n" | sort -V | tail -1) == "4.18" ]]; then if [[ $(printf '%s\n4.18\n' "${kernel_version}" | sort -V | tail -1) == "4.18" ]]; then
conntrack_module="nf_conntrack_ipv4" conntrack_module="nf_conntrack_ipv4"
fi fi
sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh ${conntrack_module} if sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh ${conntrack_module}; then
if [[ $? -eq 0 ]];
then
params+=" --proxy-mode=ipvs" params+=" --proxy-mode=ipvs"
else else
# If IPVS modules are not present, make sure the node does not come up as # If IPVS modules are not present, make sure the node does not come up as
@ -1575,18 +1584,18 @@ function prepare-kube-proxy-manifest-variables {
kube_cache_mutation_detector_env_name="- name: KUBE_CACHE_MUTATION_DETECTOR" kube_cache_mutation_detector_env_name="- name: KUBE_CACHE_MUTATION_DETECTOR"
kube_cache_mutation_detector_env_value="value: \"${ENABLE_CACHE_MUTATION_DETECTOR}\"" kube_cache_mutation_detector_env_value="value: \"${ENABLE_CACHE_MUTATION_DETECTOR}\""
fi fi
sed -i -e "s@{{kubeconfig}}@${kubeconfig}@g" ${src_file} sed -i -e "s@{{kubeconfig}}@${kubeconfig}@g" "${src_file}"
sed -i -e "s@{{pillar\['kube_docker_registry'\]}}@${kube_docker_registry}@g" ${src_file} sed -i -e "s@{{pillar\['kube_docker_registry'\]}}@${kube_docker_registry}@g" "${src_file}"
sed -i -e "s@{{pillar\['kube-proxy_docker_tag'\]}}@${kube_proxy_docker_tag}@g" ${src_file} sed -i -e "s@{{pillar\['kube-proxy_docker_tag'\]}}@${kube_proxy_docker_tag}@g" "${src_file}"
sed -i -e "s@{{params}}@${params}@g" ${src_file} sed -i -e "s@{{params}}@${params}@g" "${src_file}"
sed -i -e "s@{{container_env}}@${container_env}@g" ${src_file} sed -i -e "s@{{container_env}}@${container_env}@g" "${src_file}"
sed -i -e "s@{{kube_cache_mutation_detector_env_name}}@${kube_cache_mutation_detector_env_name}@g" ${src_file} sed -i -e "s@{{kube_cache_mutation_detector_env_name}}@${kube_cache_mutation_detector_env_name}@g" "${src_file}"
sed -i -e "s@{{kube_cache_mutation_detector_env_value}}@${kube_cache_mutation_detector_env_value}@g" ${src_file} sed -i -e "s@{{kube_cache_mutation_detector_env_value}}@${kube_cache_mutation_detector_env_value}@g" "${src_file}"
sed -i -e "s@{{ cpurequest }}@100m@g" ${src_file} sed -i -e "s@{{ cpurequest }}@100m@g" "${src_file}"
sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" ${src_file} sed -i -e "s@{{api_servers_with_port}}@${api_servers}@g" "${src_file}"
sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" ${src_file} sed -i -e "s@{{kubernetes_service_host_env_value}}@${KUBERNETES_MASTER_NAME}@g" "${src_file}"
if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" ${src_file} sed -i -e "s@{{cluster_cidr}}@--cluster-cidr=${CLUSTER_IP_RANGE}@g" "${src_file}"
fi fi
} }
@ -1609,7 +1618,7 @@ function start-kube-proxy {
# $5: pod name, which should be either etcd or etcd-events # $5: pod name, which should be either etcd or etcd-events
function prepare-etcd-manifest { function prepare-etcd-manifest {
local host_name=${ETCD_HOSTNAME:-$(hostname -s)} local host_name=${ETCD_HOSTNAME:-$(hostname -s)}
local host_ip=$(${PYTHON} -c "import socket;print(socket.gethostbyname(\"${host_name}\"))") local -r host_ip=$(${PYTHON} -c "import socket;print(socket.gethostbyname(\"${host_name}\"))")
local etcd_cluster="" local etcd_cluster=""
local cluster_state="new" local cluster_state="new"
local etcd_protocol="http" local etcd_protocol="http"
@ -1656,8 +1665,8 @@ function prepare-etcd-manifest {
sed -i -e "s@{{ *liveness_probe_initial_delay *}}@${ETCD_LIVENESS_PROBE_INITIAL_DELAY_SEC:-15}@g" "${temp_file}" sed -i -e "s@{{ *liveness_probe_initial_delay *}}@${ETCD_LIVENESS_PROBE_INITIAL_DELAY_SEC:-15}@g" "${temp_file}"
sed -i -e "s@{{ *listen_client_ip *}}@${ETCD_LISTEN_CLIENT_IP:-127.0.0.1}@g" "${temp_file}" sed -i -e "s@{{ *listen_client_ip *}}@${ETCD_LISTEN_CLIENT_IP:-127.0.0.1}@g" "${temp_file}"
# Get default storage backend from manifest file. # Get default storage backend from manifest file.
local -r default_storage_backend=$(cat "${temp_file}" | \ local -r default_storage_backend=$( \
grep -o "{{ *pillar\.get('storage_backend', '\(.*\)') *}}" | \ grep -o "{{ *pillar\.get('storage_backend', '\(.*\)') *}}" "${temp_file}" | \
sed -e "s@{{ *pillar\.get('storage_backend', '\(.*\)') *}}@\1@g") sed -e "s@{{ *pillar\.get('storage_backend', '\(.*\)') *}}@\1@g")
if [[ -n "${STORAGE_BACKEND:-}" ]]; then if [[ -n "${STORAGE_BACKEND:-}" ]]; then
sed -i -e "s@{{ *pillar\.get('storage_backend', '\(.*\)') *}}@${STORAGE_BACKEND}@g" "${temp_file}" sed -i -e "s@{{ *pillar\.get('storage_backend', '\(.*\)') *}}@${STORAGE_BACKEND}@g" "${temp_file}"
@ -1805,8 +1814,12 @@ function compute-master-manifest-variables {
INSECURE_PORT_MAPPING="" INSECURE_PORT_MAPPING=""
if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" == "true" ]]; then if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" == "true" ]]; then
INSECURE_PORT_MAPPING="{ \"name\": \"local\", \"containerPort\": 8080, \"hostPort\": 8080}," # INSECURE_PORT_MAPPING is used by sed
# shellcheck disable=SC2089
INSECURE_PORT_MAPPING='{ "name": "local", "containerPort": 8080, "hostPort": 8080},'
fi fi
# shellcheck disable=SC2090
export INSECURE_PORT_MAPPING
} }
# A helper function that bind mounts kubelet dirs for running mount in a chroot # A helper function that bind mounts kubelet dirs for running mount in a chroot
@ -1854,6 +1867,8 @@ function update-node-label() {
# A helper function that sets file permissions for kube-controller-manager to # A helper function that sets file permissions for kube-controller-manager to
# run as non root. # run as non root.
# User and group should never contain characters that need to be quoted
# shellcheck disable=SC2086
function run-kube-controller-manager-as-non-root { function run-kube-controller-manager-as-non-root {
prepare-log-file /var/log/kube-controller-manager.log ${KUBE_CONTROLLER_MANAGER_RUNASUSER} ${KUBE_CONTROLLER_MANAGER_RUNASGROUP} prepare-log-file /var/log/kube-controller-manager.log ${KUBE_CONTROLLER_MANAGER_RUNASUSER} ${KUBE_CONTROLLER_MANAGER_RUNASGROUP}
setfacl -m u:${KUBE_CONTROLLER_MANAGER_RUNASUSER}:r "${CA_CERT_BUNDLE_PATH}" setfacl -m u:${KUBE_CONTROLLER_MANAGER_RUNASUSER}:r "${CA_CERT_BUNDLE_PATH}"
@ -1873,67 +1888,67 @@ function run-kube-controller-manager-as-non-root {
# DOCKER_REGISTRY # DOCKER_REGISTRY
function start-kube-controller-manager { function start-kube-controller-manager {
echo "Start kubernetes controller-manager" echo "Start kubernetes controller-manager"
create-kubeconfig "kube-controller-manager" ${KUBE_CONTROLLER_MANAGER_TOKEN} create-kubeconfig "kube-controller-manager" "${KUBE_CONTROLLER_MANAGER_TOKEN}"
prepare-log-file /var/log/kube-controller-manager.log prepare-log-file /var/log/kube-controller-manager.log
# Calculate variables and assemble the command line. # Calculate variables and assemble the command line.
local params="${CONTROLLER_MANAGER_TEST_LOG_LEVEL:-"--v=2"} ${CONTROLLER_MANAGER_TEST_ARGS:-} ${CLOUD_CONFIG_OPT}" local params=("${CONTROLLER_MANAGER_TEST_LOG_LEVEL:-"--v=2"}" "${CONTROLLER_MANAGER_TEST_ARGS:-}" "${CLOUD_CONFIG_OPT}")
params+=" --use-service-account-credentials" params+=("--use-service-account-credentials")
params+=" --cloud-provider=gce" params+=("--cloud-provider=gce")
params+=" --kubeconfig=/etc/srv/kubernetes/kube-controller-manager/kubeconfig" params+=("--kubeconfig=/etc/srv/kubernetes/kube-controller-manager/kubeconfig")
params+=" --root-ca-file=${CA_CERT_BUNDLE_PATH}" params+=("--root-ca-file=${CA_CERT_BUNDLE_PATH}")
params+=" --service-account-private-key-file=${SERVICEACCOUNT_KEY_PATH}" params+=("--service-account-private-key-file=${SERVICEACCOUNT_KEY_PATH}")
if [[ -n "${ENABLE_GARBAGE_COLLECTOR:-}" ]]; then if [[ -n "${ENABLE_GARBAGE_COLLECTOR:-}" ]]; then
params+=" --enable-garbage-collector=${ENABLE_GARBAGE_COLLECTOR}" params+=("--enable-garbage-collector=${ENABLE_GARBAGE_COLLECTOR}")
fi fi
if [[ -n "${INSTANCE_PREFIX:-}" ]]; then if [[ -n "${INSTANCE_PREFIX:-}" ]]; then
params+=" --cluster-name=${INSTANCE_PREFIX}" params+=("--cluster-name=${INSTANCE_PREFIX}")
fi fi
if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then if [[ -n "${CLUSTER_IP_RANGE:-}" ]]; then
params+=" --cluster-cidr=${CLUSTER_IP_RANGE}" params+=("--cluster-cidr=${CLUSTER_IP_RANGE}")
fi fi
if [[ -n "${CA_KEY:-}" ]]; then if [[ -n "${CA_KEY:-}" ]]; then
params+=" --cluster-signing-cert-file=${CA_CERT_PATH}" params+=("--cluster-signing-cert-file=${CA_CERT_PATH}")
params+=" --cluster-signing-key-file=${CA_KEY_PATH}" params+=("--cluster-signing-key-file=${CA_KEY_PATH}")
fi fi
if [[ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]]; then if [[ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]]; then
params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}" params+=("--service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}")
fi fi
if [[ -n "${CONCURRENT_SERVICE_SYNCS:-}" ]]; then if [[ -n "${CONCURRENT_SERVICE_SYNCS:-}" ]]; then
params+=" --concurrent-service-syncs=${CONCURRENT_SERVICE_SYNCS}" params+=("--concurrent-service-syncs=${CONCURRENT_SERVICE_SYNCS}")
fi fi
if [[ "${NETWORK_PROVIDER:-}" == "kubenet" ]]; then if [[ "${NETWORK_PROVIDER:-}" == "kubenet" ]]; then
params+=" --allocate-node-cidrs=true" params+=("--allocate-node-cidrs=true")
elif [[ -n "${ALLOCATE_NODE_CIDRS:-}" ]]; then elif [[ -n "${ALLOCATE_NODE_CIDRS:-}" ]]; then
params+=" --allocate-node-cidrs=${ALLOCATE_NODE_CIDRS}" params+=("--allocate-node-cidrs=${ALLOCATE_NODE_CIDRS}")
fi fi
if [[ -n "${TERMINATED_POD_GC_THRESHOLD:-}" ]]; then if [[ -n "${TERMINATED_POD_GC_THRESHOLD:-}" ]]; then
params+=" --terminated-pod-gc-threshold=${TERMINATED_POD_GC_THRESHOLD}" params+=("--terminated-pod-gc-threshold=${TERMINATED_POD_GC_THRESHOLD}")
fi fi
if [[ "${ENABLE_IP_ALIASES:-}" == 'true' ]]; then if [[ "${ENABLE_IP_ALIASES:-}" == 'true' ]]; then
params+=" --cidr-allocator-type=${NODE_IPAM_MODE}" params+=("--cidr-allocator-type=${NODE_IPAM_MODE}")
params+=" --configure-cloud-routes=false" params+=("--configure-cloud-routes=false")
fi fi
if [[ -n "${FEATURE_GATES:-}" ]]; then if [[ -n "${FEATURE_GATES:-}" ]]; then
params+=" --feature-gates=${FEATURE_GATES}" params+=("--feature-gates=${FEATURE_GATES}")
fi fi
if [[ -n "${VOLUME_PLUGIN_DIR:-}" ]]; then if [[ -n "${VOLUME_PLUGIN_DIR:-}" ]]; then
params+=" --flex-volume-plugin-dir=${VOLUME_PLUGIN_DIR}" params+=("--flex-volume-plugin-dir=${VOLUME_PLUGIN_DIR}")
fi fi
if [[ -n "${CLUSTER_SIGNING_DURATION:-}" ]]; then if [[ -n "${CLUSTER_SIGNING_DURATION:-}" ]]; then
params+=" --cluster-signing-duration=$CLUSTER_SIGNING_DURATION" params+=("--cluster-signing-duration=$CLUSTER_SIGNING_DURATION")
fi fi
# Disable using HPA metrics REST clients if metrics-server isn't enabled, # Disable using HPA metrics REST clients if metrics-server isn't enabled,
# or if we want to explicitly disable it by setting HPA_USE_REST_CLIENT. # or if we want to explicitly disable it by setting HPA_USE_REST_CLIENT.
if [[ "${ENABLE_METRICS_SERVER:-}" != "true" ]] || if [[ "${ENABLE_METRICS_SERVER:-}" != "true" ]] ||
[[ "${HPA_USE_REST_CLIENTS:-}" == "false" ]]; then [[ "${HPA_USE_REST_CLIENTS:-}" == "false" ]]; then
params+=" --horizontal-pod-autoscaler-use-rest-clients=false" params+=("--horizontal-pod-autoscaler-use-rest-clients=false")
fi fi
if [[ -n "${PV_RECYCLER_OVERRIDE_TEMPLATE:-}" ]]; then if [[ -n "${PV_RECYCLER_OVERRIDE_TEMPLATE:-}" ]]; then
params+=" --pv-recycler-pod-template-filepath-nfs=$PV_RECYCLER_OVERRIDE_TEMPLATE" params+=("--pv-recycler-pod-template-filepath-nfs=$PV_RECYCLER_OVERRIDE_TEMPLATE")
params+=" --pv-recycler-pod-template-filepath-hostpath=$PV_RECYCLER_OVERRIDE_TEMPLATE" params+=("--pv-recycler-pod-template-filepath-hostpath=$PV_RECYCLER_OVERRIDE_TEMPLATE")
fi fi
if [[ -n "${RUN_CONTROLLERS:-}" ]]; then if [[ -n "${RUN_CONTROLLERS:-}" ]]; then
params+=" --controllers=${RUN_CONTROLLERS}" params+=("--controllers=${RUN_CONTROLLERS}")
fi fi
local -r kube_rc_docker_tag=$(cat /home/kubernetes/kube-docker-files/kube-controller-manager.docker_tag) local -r kube_rc_docker_tag=$(cat /home/kubernetes/kube-docker-files/kube-controller-manager.docker_tag)
@ -1942,13 +1957,14 @@ function start-kube-controller-manager {
container_env="\"env\":[{\"name\": \"KUBE_CACHE_MUTATION_DETECTOR\", \"value\": \"${ENABLE_CACHE_MUTATION_DETECTOR}\"}]," container_env="\"env\":[{\"name\": \"KUBE_CACHE_MUTATION_DETECTOR\", \"value\": \"${ENABLE_CACHE_MUTATION_DETECTOR}\"}],"
fi fi
params="$(convert-manifest-params "${params}")" local paramstring
paramstring="$(convert-manifest-params "${params[*]}")"
local -r src_file="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/kube-controller-manager.manifest" local -r src_file="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/kube-controller-manager.manifest"
# Evaluate variables. # Evaluate variables.
sed -i -e "s@{{pillar\['kube_docker_registry'\]}}@${DOCKER_REGISTRY}@g" "${src_file}" sed -i -e "s@{{pillar\['kube_docker_registry'\]}}@${DOCKER_REGISTRY}@g" "${src_file}"
sed -i -e "s@{{pillar\['kube-controller-manager_docker_tag'\]}}@${kube_rc_docker_tag}@g" "${src_file}" sed -i -e "s@{{pillar\['kube-controller-manager_docker_tag'\]}}@${kube_rc_docker_tag}@g" "${src_file}"
sed -i -e "s@{{params}}@${params}@g" "${src_file}" sed -i -e "s@{{params}}@${paramstring}@g" "${src_file}"
sed -i -e "s@{{container_env}}@${container_env}@g" ${src_file} sed -i -e "s@{{container_env}}@${container_env}@g" "${src_file}"
sed -i -e "s@{{cloud_config_mount}}@${CLOUD_CONFIG_MOUNT}@g" "${src_file}" sed -i -e "s@{{cloud_config_mount}}@${CLOUD_CONFIG_MOUNT}@g" "${src_file}"
sed -i -e "s@{{cloud_config_volume}}@${CLOUD_CONFIG_VOLUME}@g" "${src_file}" sed -i -e "s@{{cloud_config_volume}}@${CLOUD_CONFIG_VOLUME}@g" "${src_file}"
sed -i -e "s@{{additional_cloud_config_mount}}@@g" "${src_file}" sed -i -e "s@{{additional_cloud_config_mount}}@@g" "${src_file}"
@ -1979,38 +1995,41 @@ function start-kube-controller-manager {
# DOCKER_REGISTRY # DOCKER_REGISTRY
function start-kube-scheduler { function start-kube-scheduler {
echo "Start kubernetes scheduler" echo "Start kubernetes scheduler"
create-kubeconfig "kube-scheduler" ${KUBE_SCHEDULER_TOKEN} create-kubeconfig "kube-scheduler" "${KUBE_SCHEDULER_TOKEN}"
# User and group should never contain characters that need to be quoted
# shellcheck disable=SC2086
prepare-log-file /var/log/kube-scheduler.log ${KUBE_SCHEDULER_RUNASUSER:-2001} ${KUBE_SCHEDULER_RUNASGROUP:-2001} prepare-log-file /var/log/kube-scheduler.log ${KUBE_SCHEDULER_RUNASUSER:-2001} ${KUBE_SCHEDULER_RUNASGROUP:-2001}
# Calculate variables and set them in the manifest. # Calculate variables and set them in the manifest.
params="${SCHEDULER_TEST_LOG_LEVEL:-"--v=2"} ${SCHEDULER_TEST_ARGS:-}" params=("${SCHEDULER_TEST_LOG_LEVEL:-"--v=2"}" "${SCHEDULER_TEST_ARGS:-}")
if [[ -n "${FEATURE_GATES:-}" ]]; then if [[ -n "${FEATURE_GATES:-}" ]]; then
params+=" --feature-gates=${FEATURE_GATES}" params+=("--feature-gates=${FEATURE_GATES}")
fi fi
# Scheduler Component Config takes precedence over some flags. # Scheduler Component Config takes precedence over some flags.
if [[ -n "${KUBE_SCHEDULER_CONFIG:-}" ]]; then if [[ -n "${KUBE_SCHEDULER_CONFIG:-}" ]]; then
create-kube-scheduler-config create-kube-scheduler-config
params+=" --config=/etc/srv/kubernetes/kube-scheduler/config" params+=("--config=/etc/srv/kubernetes/kube-scheduler/config")
else else
params+=" --kubeconfig=/etc/srv/kubernetes/kube-scheduler/kubeconfig" params+=("--kubeconfig=/etc/srv/kubernetes/kube-scheduler/kubeconfig")
if [[ -n "${SCHEDULING_ALGORITHM_PROVIDER:-}" ]]; then if [[ -n "${SCHEDULING_ALGORITHM_PROVIDER:-}" ]]; then
params+=" --algorithm-provider=${SCHEDULING_ALGORITHM_PROVIDER}" params+=("--algorithm-provider=${SCHEDULING_ALGORITHM_PROVIDER}")
fi fi
if [[ -n "${SCHEDULER_POLICY_CONFIG:-}" ]]; then if [[ -n "${SCHEDULER_POLICY_CONFIG:-}" ]]; then
create-kubescheduler-policy-config create-kubescheduler-policy-config
params+=" --use-legacy-policy-config" params+=("--use-legacy-policy-config")
params+=" --policy-config-file=/etc/srv/kubernetes/kube-scheduler/policy-config" params+=("--policy-config-file=/etc/srv/kubernetes/kube-scheduler/policy-config")
fi fi
fi fi
params="$(convert-manifest-params "${params}")" local paramstring
paramstring="$(convert-manifest-params "${params[*]}")"
local -r kube_scheduler_docker_tag=$(cat "${KUBE_HOME}/kube-docker-files/kube-scheduler.docker_tag") local -r kube_scheduler_docker_tag=$(cat "${KUBE_HOME}/kube-docker-files/kube-scheduler.docker_tag")
# Remove salt comments and replace variables with values. # Remove salt comments and replace variables with values.
local -r src_file="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/kube-scheduler.manifest" local -r src_file="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/kube-scheduler.manifest"
sed -i -e "s@{{params}}@${params}@g" "${src_file}" sed -i -e "s@{{params}}@${paramstring}@g" "${src_file}"
sed -i -e "s@{{pillar\['kube_docker_registry'\]}}@${DOCKER_REGISTRY}@g" "${src_file}" sed -i -e "s@{{pillar\['kube_docker_registry'\]}}@${DOCKER_REGISTRY}@g" "${src_file}"
sed -i -e "s@{{pillar\['kube-scheduler_docker_tag'\]}}@${kube_scheduler_docker_tag}@g" "${src_file}" sed -i -e "s@{{pillar\['kube-scheduler_docker_tag'\]}}@${kube_scheduler_docker_tag}@g" "${src_file}"
sed -i -e "s@{{cpurequest}}@${KUBE_SCHEDULER_CPU_REQUEST}@g" "${src_file}" sed -i -e "s@{{cpurequest}}@${KUBE_SCHEDULER_CPU_REQUEST}@g" "${src_file}"
@ -2028,18 +2047,18 @@ function start-cluster-autoscaler {
if [[ "${ENABLE_CLUSTER_AUTOSCALER:-}" == "true" ]]; then if [[ "${ENABLE_CLUSTER_AUTOSCALER:-}" == "true" ]]; then
echo "Start kubernetes cluster autoscaler" echo "Start kubernetes cluster autoscaler"
setup-addon-manifests "addons" "rbac/cluster-autoscaler" setup-addon-manifests "addons" "rbac/cluster-autoscaler"
create-kubeconfig "cluster-autoscaler" ${KUBE_CLUSTER_AUTOSCALER_TOKEN} create-kubeconfig "cluster-autoscaler" "${KUBE_CLUSTER_AUTOSCALER_TOKEN}"
prepare-log-file /var/log/cluster-autoscaler.log prepare-log-file /var/log/cluster-autoscaler.log
# Remove salt comments and replace variables with values # Remove salt comments and replace variables with values
local -r src_file="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/cluster-autoscaler.manifest" local -r src_file="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/cluster-autoscaler.manifest"
local params="${AUTOSCALER_MIG_CONFIG} ${CLOUD_CONFIG_OPT} ${AUTOSCALER_EXPANDER_CONFIG:---expander=price}" local params=("${AUTOSCALER_MIG_CONFIG}" "${CLOUD_CONFIG_OPT}" "${AUTOSCALER_EXPANDER_CONFIG:---expander=price}")
params+=" --kubeconfig=/etc/srv/kubernetes/cluster-autoscaler/kubeconfig" params+=("--kubeconfig=/etc/srv/kubernetes/cluster-autoscaler/kubeconfig")
# split the params into separate arguments passed to binary # split the params into separate arguments passed to binary
local params_split local params_split
params_split=$(eval "for param in $params; do echo -n \\\"\$param\\\",; done") params_split=$(eval 'for param in "${params[@]}"; do echo -n "$param",; done')
params_split=${params_split%?} params_split=${params_split%?}
sed -i -e "s@{{params}}@${params_split}@g" "${src_file}" sed -i -e "s@{{params}}@${params_split}@g" "${src_file}"
@ -2109,6 +2128,8 @@ function download-extra-addons {
# #
# $1: URL path after /computeMetadata/v1/ (without heading slash). # $1: URL path after /computeMetadata/v1/ (without heading slash).
function get-metadata-value { function get-metadata-value {
# We do not want quotes for CURL_RETRY_CONNREFUSED
# shellcheck disable=SC2086
curl \ curl \
--retry 5 \ --retry 5 \
--retry-delay 3 \ --retry-delay 3 \
@ -2130,16 +2151,13 @@ function copy-manifests {
if [[ ! -d "${dst_dir}" ]]; then if [[ ! -d "${dst_dir}" ]]; then
mkdir -p "${dst_dir}" mkdir -p "${dst_dir}"
fi fi
local files=$(find "${src_dir}" -maxdepth 1 -name "*.yaml") if [[ -n "$(ls "${src_dir}"/*.yaml 2>/dev/null)" ]]; then
if [[ -n "${files}" ]]; then
cp "${src_dir}/"*.yaml "${dst_dir}" cp "${src_dir}/"*.yaml "${dst_dir}"
fi fi
files=$(find "${src_dir}" -maxdepth 1 -name "*.json") if [[ -n "$(ls "${src_dir}"/*.json 2>/dev/null)" ]]; then
if [[ -n "${files}" ]]; then
cp "${src_dir}/"*.json "${dst_dir}" cp "${src_dir}/"*.json "${dst_dir}"
fi fi
files=$(find "${src_dir}" -maxdepth 1 -name "*.yaml.in") if [[ -n "$(ls "${src_dir}"/*.yaml.in 2>/dev/null)" ]]; then
if [[ -n "${files}" ]]; then
cp "${src_dir}/"*.yaml.in "${dst_dir}" cp "${src_dir}/"*.yaml.in "${dst_dir}"
fi fi
chown -R root:root "${dst_dir}" chown -R root:root "${dst_dir}"
@ -2279,7 +2297,7 @@ function update-daemon-set-prometheus-to-sd-parameters {
# Removes all lines between two patterns (throws away prometheus-to-sd) # Removes all lines between two patterns (throws away prometheus-to-sd)
sed -i -e "/# BEGIN_PROMETHEUS_TO_SD/,/# END_PROMETHEUS_TO_SD/d" "$1" sed -i -e "/# BEGIN_PROMETHEUS_TO_SD/,/# END_PROMETHEUS_TO_SD/d" "$1"
else else
update-prometheus-to-sd-parameters $1 update-prometheus-to-sd-parameters "$1"
fi fi
} }
@ -2336,10 +2354,10 @@ function setup-fluentd {
sed -i -e "s@{{ fluentd_gcp_yaml_version }}@${fluentd_gcp_yaml_version}@g" "${fluentd_gcp_scaler_yaml}" sed -i -e "s@{{ fluentd_gcp_yaml_version }}@${fluentd_gcp_yaml_version}@g" "${fluentd_gcp_scaler_yaml}"
fluentd_gcp_version="${FLUENTD_GCP_VERSION:-1.6.17}" fluentd_gcp_version="${FLUENTD_GCP_VERSION:-1.6.17}"
sed -i -e "s@{{ fluentd_gcp_version }}@${fluentd_gcp_version}@g" "${fluentd_gcp_yaml}" sed -i -e "s@{{ fluentd_gcp_version }}@${fluentd_gcp_version}@g" "${fluentd_gcp_yaml}"
update-daemon-set-prometheus-to-sd-parameters ${fluentd_gcp_yaml} update-daemon-set-prometheus-to-sd-parameters "${fluentd_gcp_yaml}"
start-fluentd-resource-update ${fluentd_gcp_yaml} start-fluentd-resource-update "${fluentd_gcp_yaml}"
update-container-runtime ${fluentd_gcp_configmap_yaml} update-container-runtime "${fluentd_gcp_configmap_yaml}"
update-node-journal ${fluentd_gcp_configmap_yaml} update-node-journal "${fluentd_gcp_configmap_yaml}"
} }
# Sets up the manifests of kube-dns for k8s addons. # Sets up the manifests of kube-dns for k8s addons.
@ -2352,7 +2370,7 @@ function setup-kube-dns-manifest {
cat > "${kubedns_file}" <<EOF cat > "${kubedns_file}" <<EOF
$CUSTOM_KUBE_DNS_YAML $CUSTOM_KUBE_DNS_YAML
EOF EOF
update-prometheus-to-sd-parameters ${kubedns_file} update-prometheus-to-sd-parameters "${kubedns_file}"
fi fi
# Replace the salt configurations with variable values. # Replace the salt configurations with variable values.
sed -i -e "s@{{ *pillar\['dns_domain'\] *}}@${DNS_DOMAIN}@g" "${kubedns_file}" sed -i -e "s@{{ *pillar\['dns_domain'\] *}}@${DNS_DOMAIN}@g" "${kubedns_file}"
@ -2415,7 +2433,9 @@ function start-kube-addons {
local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty" local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty"
local -r dst_dir="/etc/kubernetes/addons" local -r dst_dir="/etc/kubernetes/addons"
create-kubeconfig "addon-manager" ${ADDON_MANAGER_TOKEN} create-kubeconfig "addon-manager" "${ADDON_MANAGER_TOKEN}"
# User and group should never contain characters that need to be quoted
# shellcheck disable=SC2086
prepare-log-file /var/log/kube-addon-manager.log ${KUBE_ADDON_MANAGER_RUNASUSER:-2002} ${KUBE_ADDON_MANAGER_RUNASGROUP:-2002} prepare-log-file /var/log/kube-addon-manager.log ${KUBE_ADDON_MANAGER_RUNASUSER:-2002} ${KUBE_ADDON_MANAGER_RUNASGROUP:-2002}
# prep addition kube-up specific rbac objects # prep addition kube-up specific rbac objects
@ -2443,8 +2463,8 @@ EOF
prepare-kube-proxy-manifest-variables "$src_dir/kube-proxy/kube-proxy-ds.yaml" prepare-kube-proxy-manifest-variables "$src_dir/kube-proxy/kube-proxy-ds.yaml"
setup-addon-manifests "addons" "kube-proxy" setup-addon-manifests "addons" "kube-proxy"
fi fi
if ([[ "${ENABLE_CLUSTER_LOGGING:-}" == "true" ]] && if [[ "${ENABLE_CLUSTER_LOGGING:-}" == "true" ]] &&
[[ "${LOGGING_DESTINATION:-}" == "gcp" ]]); then [[ "${LOGGING_DESTINATION:-}" == "gcp" ]]; then
if [[ "${ENABLE_METADATA_AGENT:-}" == "stackdriver" ]]; then if [[ "${ENABLE_METADATA_AGENT:-}" == "stackdriver" ]]; then
metadata_agent_cpu_request="${METADATA_AGENT_CPU_REQUEST:-40m}" metadata_agent_cpu_request="${METADATA_AGENT_CPU_REQUEST:-40m}"
metadata_agent_memory_request="${METADATA_AGENT_MEMORY_REQUEST:-50Mi}" metadata_agent_memory_request="${METADATA_AGENT_MEMORY_REQUEST:-50Mi}"
@ -2481,7 +2501,7 @@ EOF
fi fi
if [[ "${ENABLE_NODE_TERMINATION_HANDLER:-}" == "true" ]]; then if [[ "${ENABLE_NODE_TERMINATION_HANDLER:-}" == "true" ]]; then
setup-addon-manifests "addons" "node-termination-handler" setup-addon-manifests "addons" "node-termination-handler"
setup-node-termination-handler-manifest setup-node-termination-handler-manifest ''
fi fi
# Setting up the konnectivity-agent daemonset # Setting up the konnectivity-agent daemonset
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
@ -2496,7 +2516,7 @@ EOF
BASE_ADDON_DIR=${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty BASE_ADDON_DIR=${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty
BASE_DNS_DIR=${BASE_ADDON_DIR}/dns BASE_DNS_DIR=${BASE_ADDON_DIR}/dns
NEW_DNS_DIR=${BASE_ADDON_DIR}/0-dns NEW_DNS_DIR=${BASE_ADDON_DIR}/0-dns
mkdir ${NEW_DNS_DIR} && mv ${BASE_DNS_DIR}/* ${NEW_DNS_DIR} && rm -r ${BASE_DNS_DIR} mkdir "${NEW_DNS_DIR}" && mv "${BASE_DNS_DIR}"/* "${NEW_DNS_DIR}" && rm -r "${BASE_DNS_DIR}"
if [[ "${CLUSTER_DNS_CORE_DNS:-}" == "true" ]]; then if [[ "${CLUSTER_DNS_CORE_DNS:-}" == "true" ]]; then
setup-coredns-manifest setup-coredns-manifest
else else
@ -2613,7 +2633,7 @@ function start-lb-controller {
prepare-log-file /var/log/glbc.log prepare-log-file /var/log/glbc.log
setup-addon-manifests "addons" "cluster-loadbalancing/glbc" setup-addon-manifests "addons" "cluster-loadbalancing/glbc"
setup-addon-manifests "addons" "rbac/cluster-loadbalancing/glbc" setup-addon-manifests "addons" "rbac/cluster-loadbalancing/glbc"
create-kubeconfig "l7-lb-controller" ${GCE_GLBC_TOKEN} create-kubeconfig "l7-lb-controller" "${GCE_GLBC_TOKEN}"
local -r src_manifest="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/glbc.manifest" local -r src_manifest="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty/glbc.manifest"
local -r dest_manifest="/etc/kubernetes/manifests/glbc.manifest" local -r dest_manifest="/etc/kubernetes/manifests/glbc.manifest"
@ -2656,7 +2676,8 @@ function reset-motd {
local -r version="$("${KUBE_HOME}"/bin/kubelet --version=true | cut -f2 -d " ")" local -r version="$("${KUBE_HOME}"/bin/kubelet --version=true | cut -f2 -d " ")"
# This logic grabs either a release tag (v1.2.1 or v1.2.1-alpha.1), # This logic grabs either a release tag (v1.2.1 or v1.2.1-alpha.1),
# or the git hash that's in the build info. # or the git hash that's in the build info.
local gitref="$(echo "${version}" | sed -r "s/(v[0-9]+\.[0-9]+\.[0-9]+)(-[a-z]+\.[0-9]+)?.*/\1\2/g")" local gitref
gitref="$(echo "${version}" | sed -r "s/(v[0-9]+\.[0-9]+\.[0-9]+)(-[a-z]+\.[0-9]+)?.*/\1\2/g")"
local devel="" local devel=""
if [[ "${gitref}" != "${version}" ]]; then if [[ "${gitref}" != "${version}" ]]; then
devel=" devel="
@ -2693,6 +2714,7 @@ function override-kubectl {
# source the file explicitly otherwise we have # source the file explicitly otherwise we have
# issues on a ubuntu OS image finding the kubectl # issues on a ubuntu OS image finding the kubectl
# shellcheck disable=SC1091
source /etc/profile.d/kube_env.sh source /etc/profile.d/kube_env.sh
# Add ${KUBE_HOME}/bin into sudoer secure path. # Add ${KUBE_HOME}/bin into sudoer secure path.
@ -2716,7 +2738,7 @@ function override-pv-recycler {
PV_RECYCLER_VOLUME="{\"name\": \"pv-recycler-mount\",\"hostPath\": {\"path\": \"${PV_RECYCLER_OVERRIDE_TEMPLATE}\", \"type\": \"FileOrCreate\"}}," PV_RECYCLER_VOLUME="{\"name\": \"pv-recycler-mount\",\"hostPath\": {\"path\": \"${PV_RECYCLER_OVERRIDE_TEMPLATE}\", \"type\": \"FileOrCreate\"}},"
PV_RECYCLER_MOUNT="{\"name\": \"pv-recycler-mount\",\"mountPath\": \"${PV_RECYCLER_OVERRIDE_TEMPLATE}\", \"readOnly\": true}," PV_RECYCLER_MOUNT="{\"name\": \"pv-recycler-mount\",\"mountPath\": \"${PV_RECYCLER_OVERRIDE_TEMPLATE}\", \"readOnly\": true},"
cat > ${PV_RECYCLER_OVERRIDE_TEMPLATE} <<EOF cat > "${PV_RECYCLER_OVERRIDE_TEMPLATE}" <<EOF
version: v1 version: v1
kind: Pod kind: Pod
metadata: metadata:
@ -2824,8 +2846,8 @@ EOF
fi fi
# Reuse docker group for containerd. # Reuse docker group for containerd.
local containerd_gid="$(cat /etc/group | grep ^docker: | cut -d: -f 3)" local -r containerd_gid="$(grep ^docker: /etc/group | cut -d: -f 3)"
if [[ ! -z "${containerd_gid:-}" ]]; then if [[ -n "${containerd_gid:-}" ]]; then
cat >> "${config_path}" <<EOF cat >> "${config_path}" <<EOF
# reuse id of the docker group # reuse id of the docker group
[grpc] [grpc]
@ -2876,7 +2898,7 @@ function main() {
exit 2 exit 2
fi fi
fi fi
echo "Version : " $(${PYTHON} -V 2>&1) echo "Version : $(${PYTHON} -V 2>&1)"
if [[ ! -e "${KUBE_HOME}/kube-env" ]]; then if [[ ! -e "${KUBE_HOME}/kube-env" ]]; then
echo "The ${KUBE_HOME}/kube-env file does not exist!! Terminate cluster initialization." echo "The ${KUBE_HOME}/kube-env file does not exist!! Terminate cluster initialization."
@ -2935,13 +2957,13 @@ function main() {
gke-master-start gke-master-start
else else
create-node-pki create-node-pki
create-kubelet-kubeconfig ${KUBERNETES_MASTER_NAME} create-kubelet-kubeconfig "${KUBERNETES_MASTER_NAME}"
if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]]; then
create-kubeproxy-user-kubeconfig create-kubeproxy-user-kubeconfig
fi fi
if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then
if [[ -n "${NODE_PROBLEM_DETECTOR_TOKEN:-}" ]]; then if [[ -n "${NODE_PROBLEM_DETECTOR_TOKEN:-}" ]]; then
create-node-problem-detector-kubeconfig ${KUBERNETES_MASTER_NAME} create-node-problem-detector-kubeconfig "${KUBERNETES_MASTER_NAME}"
elif [[ -f "/var/lib/kubelet/kubeconfig" ]]; then elif [[ -f "/var/lib/kubelet/kubeconfig" ]]; then
create-node-problem-detector-kubeconfig-from-kubelet create-node-problem-detector-kubeconfig-from-kubelet
else else

1
hack/.shellcheck_failures
View File

@ -1,4 +1,3 @@
./cluster/gce/gci/configure-helper.sh
./cluster/gce/gci/configure.sh ./cluster/gce/gci/configure.sh
./cluster/gce/gci/master-helper.sh ./cluster/gce/gci/master-helper.sh
./cluster/gce/util.sh ./cluster/gce/util.sh