// This is primarily based on https://github.com/coreos/coreos-overlay/blob/master/app-admin/kubelet-wrapper/files/kubelet-wrapper
resource "docker_container" "kubelet" {
  # Runs the kubelet as a privileged, host-networked container built from the
  # hyperkube image that docker_image.image pulls (that resource re-pulls on a
  # registry digest change, so the image is tracked by content, not just tag).
  image = "${docker_image.image.latest}"
  name  = "kubelet-static"

  # Credential material copied into the container before it starts. Note that
  # /etc/kubernetes is also bind-mounted from the host (volumes block further
  # down), so these files are expected to be visible under the host path too.
  # NOTE(review): the upload blocks set no file mode; confirm the resulting
  # kubeconfig (it carries the kubelet's client credentials) is not
  # world-readable on the host.
  upload {
    file    = "/etc/kubernetes/kubeconfig"
    content = "${var.assets["kubeconfig"]}"
  }

  # Cluster CA, referenced below by --client-ca-file to validate clients of the
  # kubelet API.
  upload {
    file    = "/etc/kubernetes/ca.crt"
    content = "${var.assets["ca_cert"]}"
  }

  # Make sure that the manifests directory exists
  # NOTE(review): a zero-byte dot-file; presumably skipped by the kubelet's
  # static-pod file source because of the leading dot — verify for the pinned
  # version.
  upload {
    file    = "/etc/kubernetes/manifests/.empty"
    content = ""
  }

  # Host trust store, read-only.
  volumes {
    container_path = "/etc/ssl/certs"
    host_path      = "/etc/ssl/certs"
    read_only      = true
  }

  volumes {
    container_path = "/sys"
    host_path      = "/sys"
    read_only      = true
  }

  # /dev is the only kernel-facing mount here without read_only.
  volumes {
    container_path = "/dev"
    host_path      = "/dev"
  }

  # volumes {
  #   container_path = "/usr"
  #   host_path      = "/usr"
  # }

  # volumes {
  #   container_path = "/lib64"
  #   host_path      = "/lib64"
  # }

  volumes {
    container_path = "/usr/share/ca-certificates"
    host_path      = "/usr/share/ca-certificates"
    read_only      = true
  }

  # Writable host state the kubelet works on: the container runtime's storage,
  # its own config/manifests directory, pod volumes, logs and /run.
  volumes {
    container_path = "/var/lib/docker"
    host_path      = "/var/lib/docker"
  }

  volumes {
    container_path = "/etc/kubernetes"
    host_path      = "/etc/kubernetes"
  }

  volumes {
    container_path = "/var/lib/kubelet"
    host_path      = "/var/lib/kubelet"
  }

  volumes {
    container_path = "/var/log"
    host_path      = "/var/log"
  }

  volumes {
    container_path = "/run"
    host_path      = "/run"
  }

  volumes {
    container_path = "/lib/modules"
    host_path      = "/lib/modules"
    read_only      = true
  }

  # Host identity files, read-only. Note that os-release is taken from
  # /usr/lib on the host but exposed at the /etc path inside the container.
  volumes {
    container_path = "/etc/os-release"
    host_path      = "/usr/lib/os-release"
    read_only      = true
  }

  volumes {
    container_path = "/etc/machine-id"
    host_path      = "/etc/machine-id"
    read_only      = true
  }

  # Whole host filesystem, read-only, at /rootfs.
  volumes {
    container_path = "/rootfs"
    host_path      = "/"
    read_only      = true
  }

  // Deviates from kubelet-wrapper
  # CNI plugin binaries and network configs. The config directory is served
  # from under /etc/kubernetes on the host, which is already mounted writable
  # above.
  volumes {
    container_path = "/opt/cni/bin"
    host_path      = "/opt/cni/bin"
  }

  volumes {
    container_path = "/etc/cni/net.d"
    host_path      = "/etc/kubernetes/cni/net.d"
  }

  #
  # "There is no war within the container. Here we are safe. Here we are free."
  # - Docker Li agent brainwashing Nemo
  #
  command = [
    "kubelet",
    # NOTE(review): --allow-privileged was deprecated and later removed from
    # the kubelet; confirm the kubelet in var.version still accepts it,
    # otherwise startup fails on an unknown flag.
    "--allow-privileged",
    # Kubelet API hardening: no anonymous access, token authentication and
    # authorization delegated to the API server (webhook modes), client
    # certificates checked against the uploaded cluster CA.
    "--anonymous-auth=false",
    "--authentication-token-webhook",
    "--authorization-mode=Webhook",
    # Certificates live under /var/lib/kubelet (host-mounted above) and are
    # rotated via --rotate-certificates at the end of this list.
    "--cert-dir=/var/lib/kubelet/pki",
    "--client-ca-file=/etc/kubernetes/ca.crt",
    "--cluster_dns=${var.dns_ip}",
    # NOTE(review): the cluster DNS domain is set from var.k8s_host, the same
    # value used as a hostname alias in the host block below — confirm this
    # is intended rather than a conventional domain such as cluster.local.
    "--cluster_domain=${var.k8s_host}",
    # "--containerized",
    # Exit instead of fighting over the lock file if another kubelet holds it.
    "--exit-on-lock-contention=true",
    # The node registers under its IP address rather than its hostname.
    "--hostname-override=${var.host_ip}",
    "--kubeconfig=/etc/kubernetes/kubeconfig",
    "--lock-file=/var/run/lock/kubelet.lock",
    "--minimum-container-ttl-duration=10m0s",
    "--network-plugin=cni",
    # NOTE(review): --node-labels is given twice (here and again after
    # --register-with-taints) and this occurrence is a bare key with no
    # "=value"; whether repeated occurrences merge and a bare key is accepted
    # depends on the kubelet version — verify, or fold both into one
    # comma-separated key=value list.
    "--node-labels=node-role.kubernetes.io/master",
    "--pod-manifest-path=/etc/kubernetes/manifests",
    # Disables the unauthenticated read-only kubelet port.
    "--read-only-port=0",
    "--register-with-taints=${var.node_taints}",
    "--node-labels=${var.node_label}",
    "--rotate-certificates",
  ]

  # Extra hosts entry inside the container: var.k8s_host resolves to this
  # node's own IP.
  host {
    host = "${var.k8s_host}"
    ip   = "${var.host_ip}"
  }

  # TODO

  # Host networking plus full privileges: the kubelet manages pods, mounts and
  # the host network namespace, so this container is effectively host root.
  # The digest-tracked image and the uploaded kubeconfig are the trust boundary.
  network_mode = "host"
  privileged   = true
  # NOTE(review): with restart = "no" and must_run = false neither Docker nor
  # Terraform restarts a kubelet that exits (e.g. on lock contention);
  # presumably something else supervises it — verify.
  restart      = "no"
  must_run     = false

  # max_retry_count = 1
}
data "docker_registry_image" "image" {
  # Resolves the hyperkube tag for var.version to its current registry digest
  # (consumed by docker_image.image below).
  # NOTE(review): gcr.io/google_containers is the legacy location for these
  # images — confirm the pinned version is still served from there.
  name = "gcr.io/google_containers/hyperkube:v${var.version}"
}
resource "docker_image" "image" {
  # Local pull of the image resolved by the data source above. pull_triggers
  # on the registry's sha256 digest forces a re-pull whenever the tag is moved
  # to different content, so the kubelet container follows the digest rather
  # than a possibly stale local copy of the tag.
  name          = "${data.docker_registry_image.image.name}"
  pull_triggers = ["${data.docker_registry_image.image.sha256_digest}"]
}