#cloud-config coreos: locksmith: endpoint: https://10.0.1.4:2379,https://10.0.1.5:2379,https://10.0.1.6:2379 etcd_cafile: /etc/etcd2/ssl/etcd-ca.pem etcd_certfile: /etc/etcd2/ssl/etcd-client.pem etcd_keyfile: /etc/etcd2/ssl/etcd-client-key.pem update: reboot_strategy: etcd-lock flannel: etcd_endpoints: https://10.0.1.4:2379,https://10.0.1.5:2379,https://10.0.1.6:2379 etcd_cafile: /etc/etcd2/ssl/etcd-ca.pem etcd_certfile: /etc/etcd2/ssl/etcd-client.pem etcd_keyfile: /etc/etcd2/ssl/etcd-client-key.pem interface: $private_ipv4 units: - name: docker.service command: start drop-ins: - name: 40-flannel.conf content: | [Unit] Requires=flanneld.service After=flanneld.service - name: 50-opts.conf content: | [Service] Environment=DOCKER_OPTS='--log-driver=journald' - name: flanneld.service command: start drop-ins: - name: 20-wait-tls.conf content: | [Service] ExecStartPre=/opt/kaws/decrypt-pki - name: 50-network-config.conf content: | [Service] Environment=ETCD_SSL_DIR=/etc/etcd2/ssl - name: kubelet.service command: start drop-ins: - name: 20-wait-docker.conf content: | [Unit] Requires=docker.service After=docker.service content: | [Unit] Description=Kubernetes Kubelet [Service] Environment=KUBELET_IMAGE_TAG=v${version} Environment=KUBELET_IMAGE_URL=docker://gcr.io/google_containers/hyperkube Environment="RKT_RUN_ARGS=--volume resolv,kind=host,source=/etc/resolv.conf --mount volume=resolv,target=/etc/resolv.conf --insecure-options=image" ExecStart=/usr/lib/coreos/kubelet-wrapper \ --allow-privileged=true \ --api-servers=https://${master_ip}:443 \ --cloud-provider=aws \ --cluster-dns=10.3.0.10 \ --cluster-domain=cluster.local \ --hostname-override=$private_ipv4 \ --kubeconfig=/etc/kubernetes/node-kubeconfig.yml \ --logtostderr=true \ --pod-manifest-path=/etc/kubernetes/manifests \ --tls-cert-file=/etc/kubernetes/ssl/node.pem \ --tls-private-key-file=/etc/kubernetes/ssl/node-key.pem Restart=always RestartSec=10 [Install] WantedBy=multi-user.target ssh_authorized_keys: [${ssh_public_keys}] write_files: - path: /etc/kubernetes/manifests/kube-proxy.yml content: | apiVersion: v1 kind: Pod metadata: name: kube-proxy namespace: kube-system spec: hostNetwork: true containers: - name: kube-proxy image: gcr.io/google_containers/hyperkube:v${version} command: - /hyperkube - proxy - --healthz-bind-address=0.0.0.0 - --kubeconfig=/etc/kubernetes/node-kubeconfig.yml - --master=https://${master_ip}:443 - --proxy-mode=iptables securityContext: privileged: true volumeMounts: - mountPath: /etc/ssl/certs name: ssl-certs - mountPath: /etc/kubernetes/node-kubeconfig.yml name: kubeconfig readOnly: true - mountPath: /etc/kubernetes/ssl name: etc-kube-ssl readOnly: true volumes: - name: ssl-certs hostPath: path: /usr/share/ca-certificates - name: kubeconfig hostPath: path: /etc/kubernetes/node-kubeconfig.yml - name: etc-kube-ssl hostPath: path: /etc/kubernetes/ssl - path: /etc/kubernetes/node-kubeconfig.yml content: | apiVersion: v1 kind: Config clusters: - name: local cluster: certificate-authority: /etc/kubernetes/ssl/ca.pem contexts: - context: cluster: local user: node name: node-context current-context: node-context users: - name: node user: client-certificate: /etc/kubernetes/ssl/node.pem client-key: /etc/kubernetes/ssl/node-key.pem - path: /opt/kaws/decrypt-pki permissions: "0500" content: | #!/bin/bash -e for file in $(find /etc/etcd2/ssl/*.binary /etc/kubernetes/ssl/*.binary); do /usr/bin/rkt run \ --net=host \ --volume=dns,kind=host,source=/etc/resolv.conf,readOnly=true \ --mount=volume=dns,target=/etc/resolv.conf \ --volume=etcd-pki,kind=host,source=/etc/etcd2/ssl \ --mount=volume=etcd-pki,target=/etc/etcd2/ssl \ --volume=k8s-pki,kind=host,source=/etc/kubernetes/ssl \ --mount=volume=k8s-pki,target=/etc/kubernetes/ssl \ --trust-keys-from-https \ quay.io/coreos/awscli \ --exec=/bin/bash \ -- \ -c "aws --region ${region} kms decrypt --ciphertext-blob fileb://$file --output text --query Plaintext | base64 -d > $${file/-encrypted.binary/.pem}" done - path: /etc/etcd2/ssl/etcd-ca.pem encoding: "base64" content: "${etcd_ca_cert}" - path: /etc/etcd2/ssl/etcd-client.pem encoding: "base64" content: "${etcd_client_cert}" - path: /etc/etcd2/ssl/etcd-client-key-encrypted.binary encoding: "base64" content: "${etcd_client_key}" - path: /etc/kubernetes/ssl/ca.pem encoding: "base64" content: "${k8s_ca_cert}" - path: /etc/kubernetes/ssl/node.pem encoding: "base64" content: "${k8s_node_cert}" - path: /etc/kubernetes/ssl/node-key-encrypted.binary encoding: "base64" content: "${k8s_node_key}"