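#!/bin/bash
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Provisions a demo Anthos on bare metal (ABM) admin cluster on Google Compute
# Engine VMs: creates a service account and key, enables the required APIs,
# creates five VMs joined by a VxLAN overlay, prepares an admin workstation and
# runs bmctl from it.
#
# Required environment variables:
#   PROJECT_ID          Google Cloud project that receives every resource.
#   ZONE                Compute Engine zone in which the VMs are created.
# Optional environment variables:
#   ADMIN_CLUSTER_NAME  Admin cluster name (a default is offered when unset).
#   ABM_VERSION         Anthos on bare metal / bmctl version (default 1.13.0).
#
# Every gcloud call passes --project "$PROJECT_ID" explicitly so that all
# resources land in the project named by PROJECT_ID even when the local gcloud
# configuration points at a different project.

# Abort on the first failed command instead of running later steps against a
# half-created setup (e.g. IAM bindings for a service account that was never
# created).
set -euo pipefail

if [[ -z "${PROJECT_ID:-}" ]]; then
  printf '🚨 Environment variable PROJECT_ID not set. Set it to the Google Cloud Project you intend to use.\n' >&2
  exit 1
fi
if [[ -z "${ZONE:-}" ]]; then
  printf '🚨 Environment variable ZONE not set. Set it to the Google Cloud Zone where the resources must be created.\n' >&2
  exit 1
fi
if [[ -z "${ADMIN_CLUSTER_NAME:-}" ]]; then
  printf '🚨 Environment variable ADMIN_CLUSTER_NAME not set.\n' >&2
  # With a non-interactive stdin `read` fails on EOF and set -e ends the
  # script, instead of looping forever on an empty answer.
  while true; do
    read -rp "💡 Should the script continue with the default name - 'abm-admin-cluster'? " yn
    case "$yn" in
      [Yy]*) ADMIN_CLUSTER_NAME="abm-admin-cluster"; break ;;
      [Nn]*) exit 1 ;;
      *) printf 'Please answer yes or no.\n' ;;
    esac
  done
fi

# Version of Anthos on bare metal to install. It is used both for the bmctl
# download and for anthosBareMetalVersion in the cluster spec, which must agree.
ABM_VERSION="${ABM_VERSION:-1.13.0}"
readonly ABM_VERSION

# Service account used by Anthos on bare metal for logging, monitoring and
# fleet registration.
SA_NAME=baremetal-gcr
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
readonly SA_NAME SA_EMAIL

printf '\n✅ Using Project [%s], Zone [%s] and Cluster name [%s].\n\n' "$PROJECT_ID" "$ZONE" "$ADMIN_CLUSTER_NAME"

# create the GCP Service Account to be used by Anthos on bare metal
printf '🚀 Creating Service Account and Service Account key...\n'
# [START anthos_bm_gcp_bash_admin_create_sa]
# Reuse the service account when it already exists so that a re-run of the
# script does not stop here (gcloud exits non-zero on a duplicate create).
if ! gcloud iam service-accounts describe "$SA_EMAIL" --project "$PROJECT_ID" >/dev/null 2>&1; then
  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID"
fi
# NOTE(review): this key file is a long-lived credential written to the
# current directory, and nothing later in this script reads it (the admin
# workstation mints its own copy below). Delete it when it is not needed.
gcloud iam service-accounts keys create bm-gcr.json \
  --project "$PROJECT_ID" \
  --iam-account="$SA_EMAIL"
# [END anthos_bm_gcp_bash_admin_create_sa]
printf '✅ Successfully created Service Account and downloaded key file.\n\n'

# enable all the required APIs for Anthos on bare metal
printf '🚀 Enabling GCP Service APIs...\n'
# [START anthos_bm_gcp_bash_admin_enable_api]
gcloud services enable --project "$PROJECT_ID" \
  anthos.googleapis.com \
  anthosaudit.googleapis.com \
  anthosgke.googleapis.com \
  cloudresourcemanager.googleapis.com \
  connectgateway.googleapis.com \
  container.googleapis.com \
  gkeconnect.googleapis.com \
  gkehub.googleapis.com \
  serviceusage.googleapis.com \
  stackdriver.googleapis.com \
  monitoring.googleapis.com \
  logging.googleapis.com \
  opsconfigmonitoring.googleapis.com
# [END anthos_bm_gcp_bash_admin_enable_api]
printf '✅ Successfully enabled GCP Service APIs.\n\n'

# add all the required IAM roles to the Service Account
printf '🚀 Adding IAM roles to the Service Account...\n'
# [START anthos_bm_gcp_bash_admin_add_iam_role]
# Project-level roles granted to the service account; one binding per role.
SA_ROLES=(
  roles/gkehub.connect
  roles/gkehub.admin
  roles/logging.logWriter
  roles/monitoring.metricWriter
  roles/monitoring.dashboardEditor
  roles/stackdriver.resourceMetadata.writer
  roles/opsconfigmonitoring.resourceMetadata.writer
)
for role in "${SA_ROLES[@]}"; do
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="$role" \
    --no-user-output-enabled
done
# [END anthos_bm_gcp_bash_admin_add_iam_role]
printf '✅ Successfully added the required IAM roles to the Service Account.\n\n'

# declare arrays for VM names and IPs
printf '🚀 Setting up array variables for the VM names and IP addresses...\n'
# [START anthos_bm_gcp_bash_admin_vms_array]
MACHINE_TYPE=n1-standard-8
VM_PREFIX=abm
VM_WS=$VM_PREFIX-ws
VM_ADMIN_CP=$VM_PREFIX-admin-cluster-cp
VM_USER_CP=$VM_PREFIX-user-cluster-cp
VM_USER_W1=$VM_PREFIX-user-cluster-w1
VM_USER_W2=$VM_PREFIX-user-cluster-w2
# Order matters: VxLAN addresses 10.200.0.2, .3, .4, ... are handed out in this
# order, and the cluster spec below expects the admin control plane at .3.
declare -a VMs=("$VM_WS" "$VM_ADMIN_CP" "$VM_USER_CP" "$VM_USER_W1" "$VM_USER_W2")
declare -a IPs=()
# [END anthos_bm_gcp_bash_admin_vms_array]
printf '✅ Variables for the VM names and IP addresses setup.\n\n'

# create GCE VMs
printf '🚀 Creating GCE VMs...\n'
# [START anthos_bm_gcp_bash_admin_create_vm]
for vm in "${VMs[@]}"; do
  # --can-ip-forward is needed for the VxLAN overlay configured below.
  # NOTE(review): the http-server/https-server tags are the targets of the
  # default network's allow-http/allow-https firewall rules (where those rules
  # exist), so ports 80/443 of every node become reachable from the internet;
  # drop the tags if the nodes need no inbound access.
  gcloud compute instances create "$vm" \
    --project "$PROJECT_ID" \
    --image-family=ubuntu-2004-lts --image-project=ubuntu-os-cloud \
    --zone="$ZONE" \
    --boot-disk-size 200G \
    --boot-disk-type pd-ssd \
    --can-ip-forward \
    --network default \
    --tags http-server,https-server \
    --min-cpu-platform "Intel Haswell" \
    --scopes cloud-platform \
    --machine-type "$MACHINE_TYPE" \
    --metadata "cluster_id=${ADMIN_CLUSTER_NAME}"
  # Record the internal address; the VxLAN step needs every peer's address.
  IP=$(gcloud compute instances describe "$vm" --project "$PROJECT_ID" --zone "$ZONE" \
    --format='get(networkInterfaces[0].networkIP)')
  IPs+=("$IP")
done
# [END anthos_bm_gcp_bash_admin_create_vm]
printf '✅ Successfully created GCE VMs.\n\n'

# verify SSH access to the Google Compute Engine VMs
printf '🚀 Checking SSH access to the GCE VMs...\n'
# [START anthos_bm_gcp_bash_admin_check_ssh]
for vm in "${VMs[@]}"; do
  # Freshly created VMs take a while to accept SSH; retry until they do.
  while ! gcloud compute ssh root@"$vm" --project "$PROJECT_ID" --zone "$ZONE" \
      --command "printf '%s\n' 'SSH to $vm succeeded'"; do
    printf 'Trying to SSH into %s failed. Sleeping for 5 seconds. zzzZZzzZZ\n' "$vm"
    sleep 5
  done
done
# [END anthos_bm_gcp_bash_admin_check_ssh]
printf '✅ Successfully connected to all the GCE VMs using SSH.\n\n'

# setup VxLAN configurations in all the VMs to enable L2-network connectivity
# between them
printf '🚀 Setting up VxLAN in the GCE VMs...\n'
# [START anthos_bm_gcp_bash_admin_add_vxlan]
# Host part of the VxLAN address for the next VM; we start from 10.200.0.2/24.
i=2
for vm in "${VMs[@]}"; do
  # The here-document is expanded on this machine: ${IPs[*]} and $i are
  # substituted here, while \$-escaped expressions are evaluated on the VM.
  gcloud compute ssh root@"$vm" --project "$PROJECT_ID" --zone "$ZONE" << EOF
set -ex
apt-get -qq update > /dev/null
apt-get -qq install -y jq > /dev/null
ip link add vxlan0 type vxlan id 42 dev ens4 dstport 0
current_ip=\$(ip --json a show dev ens4 | jq '.[0].addr_info[0].local' -r)
printf 'VM IP address is: %s\n' "\$current_ip"
for ip in ${IPs[*]}; do
  if [ "\$ip" != "\$current_ip" ]; then
    bridge fdb append to 00:00:00:00:00:00 dst "\$ip" dev vxlan0
  fi
done
ip addr add 10.200.0.$i/24 dev vxlan0
ip link set up dev vxlan0
EOF
  i=$((i+1))
done
# [END anthos_bm_gcp_bash_admin_add_vxlan]
printf '✅ Successfully setup VxLAN in the GCE VMs.\n\n'

# install the necessary tools inside the VMs
printf '🚀 Setting up admin workstation...\n'
# [START anthos_bm_gcp_bash_admin_init_vm]
# Resolve the kubectl release once, here, so the workstation installs a known
# version and can check it against the checksum published next to the binary.
KUBECTL_VERSION=$(curl -fsSL https://storage.googleapis.com/kubernetes-release/release/stable.txt)
readonly KUBECTL_VERSION
gcloud compute ssh root@"$VM_WS" --project "$PROJECT_ID" --zone "$ZONE" << EOF
set -ex
gcloud iam service-accounts keys create bm-gcr.json \
  --iam-account="${SA_EMAIL}"
curl -fsSLO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
curl -fsSLO "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
printf '%s  kubectl\n' "\$(cat kubectl.sha256)" | sha256sum --check
chmod +x kubectl
mv kubectl /usr/local/sbin/
mkdir -p baremetal && cd baremetal
gsutil cp gs://anthos-baremetal-release/bmctl/${ABM_VERSION}/linux-amd64/bmctl .
chmod a+x bmctl
mv bmctl /usr/local/sbin/
cd ~
printf 'Installing docker\n'
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
EOF
# [END anthos_bm_gcp_bash_admin_init_vm]
printf '✅ Successfully set up admin workstation.\n\n'

# generate SSH key-pair in the admin workstation VM and copy the public-key
# to all the other (control-plane and worker) VMs
printf '🚀 Setting up SSH access from admin workstation to cluster node VMs...\n'
# [START anthos_bm_gcp_bash_admin_add_ssh_keys]
# The cluster spec references /root/.ssh/id_rsa and the sed below expects an
# ssh-rsa key, so the key type and path are fixed. An existing key is kept
# rather than letting ssh-keygen prompt (its prompt would otherwise consume
# the following lines of this here-document as its answer).
gcloud compute ssh root@"$VM_WS" --project "$PROJECT_ID" --zone "$ZONE" << EOF
set -ex
if [ ! -f /root/.ssh/id_rsa ]; then
  ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
fi
sed 's/ssh-rsa/root:ssh-rsa/' ~/.ssh/id_rsa.pub > ssh-metadata
for vm in ${VMs[*]}; do
  gcloud compute instances add-metadata "\$vm" --project "${PROJECT_ID}" --zone "${ZONE}" --metadata-from-file ssh-keys=ssh-metadata
done
EOF
# [END anthos_bm_gcp_bash_admin_add_ssh_keys]
printf '✅ Successfully set up SSH access from admin workstation to cluster node VMs.\n\n'

# initiate Anthos on bare metal installation from the admin workstation
printf '🚀 Installing Anthos on bare metal...\n'
# [START anthos_bm_gcp_bash_admin_install_abm]
# PROJECT_ID is the project the workstation was created in, so it is passed
# in from here; the cluster name is read back from the instance metadata set
# at VM creation time.
gcloud compute ssh root@"$VM_WS" --project "$PROJECT_ID" --zone "$ZONE" <<EOF
set -ex
export PROJECT_ID="${PROJECT_ID}"
ADMIN_CLUSTER_NAME=\$(curl -fsS -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster_id)
export ADMIN_CLUSTER_NAME
bmctl create config -c \$ADMIN_CLUSTER_NAME
cat > bmctl-workspace/\$ADMIN_CLUSTER_NAME/\$ADMIN_CLUSTER_NAME.yaml << EOB
---
gcrKeyPath: /root/bm-gcr.json
sshPrivateKeyPath: /root/.ssh/id_rsa
gkeConnectAgentServiceAccountKeyPath: /root/bm-gcr.json
gkeConnectRegisterServiceAccountKeyPath: /root/bm-gcr.json
cloudOperationsServiceAccountKeyPath: /root/bm-gcr.json
---
apiVersion: v1
kind: Namespace
metadata:
  name: cluster-\$ADMIN_CLUSTER_NAME
---
apiVersion: baremetal.cluster.gke.io/v1
kind: Cluster
metadata:
  name: \$ADMIN_CLUSTER_NAME
  namespace: cluster-\$ADMIN_CLUSTER_NAME
spec:
  type: admin
  anthosBareMetalVersion: ${ABM_VERSION}
  gkeConnect:
    projectID: \$PROJECT_ID
  controlPlane:
    nodePoolSpec:
      clusterName: \$ADMIN_CLUSTER_NAME
      nodes:
      # VxLAN address of the admin control plane VM (second entry of VMs)
      - address: 10.200.0.3
  clusterNetwork:
    pods:
      cidrBlocks:
      - 192.168.0.0/16
    services:
      cidrBlocks:
      - 172.26.232.0/24
  loadBalancer:
    mode: bundled
    ports:
      controlPlaneLBPort: 443
    vips:
      controlPlaneVIP: 10.200.0.48
  clusterOperations:
    # might need to be this location
    location: us-central1
    projectID: \$PROJECT_ID
  storage:
    lvpNodeMounts:
      path: /mnt/localpv-disk
      storageClassName: node-disk
    lvpShare:
      numPVUnderSharedPath: 5
      path: /mnt/localpv-share
      storageClassName: local-shared
  nodeConfig:
    podDensity:
      maxPodsPerNode: 250
EOB
bmctl create cluster -c \$ADMIN_CLUSTER_NAME
EOF
# [END anthos_bm_gcp_bash_admin_install_abm]
printf '✅ Installation complete. Please check the logs for any errors!!!\n\n'

printf '✅ If you do not see any errors in the output log, then you now have the following setup:\n\n'
# The summary uses the VM name variables so it cannot drift from what was
# created; the VxLAN addresses follow the VMs order used above.
row_fmt='| %-24s | %-21s | %-54s |\n'
printf -v rule '|%107s|' ''
rule=${rule// /-}
# shellcheck disable=SC2059 -- row_fmt is a constant format, not user data
printf '%s\n' "$rule"
printf "$row_fmt" 'VM Name' 'L2 Network IP (VxLAN)' 'INFO'
printf '%s\n' "$rule"
printf "$row_fmt" "$VM_ADMIN_CP" '10.200.0.3' 'Has control plane of admin cluster running inside'
printf "$row_fmt" "$VM_USER_CP" '10.200.0.4' 'Ready for use as control plane for the user cluster'
printf "$row_fmt" "$VM_USER_W1" '10.200.0.5' 'Ready for use as worker for the user cluster'
printf "$row_fmt" "$VM_USER_W2" '10.200.0.6' 'Ready for use as worker for the user cluster'
printf '%s\n\n' "$rule"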