refine config.yaml file (#8)

* chore(*): refine config.yaml file and remove nginx push server

* chore(*): fix ntp server address typo

compose.yaml

@@ -8,13 +8,11 @@ services:
     restart: always
     volumes:
       - ./resources/nginx:/usr/share/nginx
-      - ./config/compose/auth.htpasswd:/etc/nginx/conf.d/auth.htpasswd
       - ./config/compose/certs/domain.crt:/etc/nginx/conf.d/domain.crt
       - ./config/compose/certs/domain.key:/etc/nginx/conf.d/domain.key
       - ./config/compose/nginx.conf:/etc/nginx/conf.d/default.conf
     ports:
       - 443:443
-      - 5000:5000
       - 8080:8080
 
   registry:
@@ -23,3 +21,5 @@ services:
     restart: always
     volumes:
       - ./resources/registry:/var/lib/registry
+    ports:
+      - 127.0.0.1:5000:5000

config.yaml

@@ -1,21 +1,10 @@
 compose:
+  # Compose bootstrap node ip, default is local internal ip
+  internal_ip: 172.20.0.25
   # Nginx http server bind port for download files and packages
   nginx_http_port: 8080
-  # For container runtime pull image, use 443 as default
-  registry_https_port: 443
-  # For user push image to this registry, use 5000 as default
-  registry_push_port: 5000
-  # Registry host ip for add to /etc/hosts by domain
-  registry_ip: 172.20.0.25
-  # Registry domain for CRI runtime download image
+  # Registry domain for CRI runtime download images
   registry_domain: kube.registry.local
-  # Auto generate self-signed certificate for registry domain
-  generate_crt: true
-  # User and password for push image to registry
-  registry_auth_user: "Username"
-  registry_auth_password: "Password"
-  # Registry image repo, default library
-  image_repo: library
 
 kubespray:
   # Kubernetes version by default, only support v1.20.6
@@ -24,20 +13,15 @@ kubespray:
   external_apiserver_access_ip: 127.0.0.1
   # Set network plugin to calico with vxlan mode by default
   kube_network_plugin: calico
-  # Set true to download and cache container
-  download_container: false
-  # Use nginx and registry provide all offline resources
-  offline_resources_enabled: true
   #Container runtime, only support containerd if offline deploy
   container_manager: containerd
   # Now only support host if use containerd as CRI runtime
   etcd_deployment_type: host
   # Settings for etcd event server
   etcd_events_cluster_setup: true
   etcd_events_cluster_enabled: true
-  # Kubespray container image for deploy user cluster
-  kubespray_image: ""
 
+# Cluster nodes inventory info
 inventory:
   all:
     vars:
@@ -79,3 +63,29 @@ inventory:
         hosts: {}
       calico_rr:
         hosts: {}
+
+### Default parameters ###
+## This filed not need config, will auto update,
+## if no special requirement, do not modify these parameters.
+default:
+  # NTP server ip address or domain, default is internal_ip
+  ntp_server:
+    - internal_ip
+  # Registry ip address, default is internal_ip
+  registry_ip: internal_ip
+  # Offline resource url for download files, default is internal_ip:nginx_http_port
+  offline_resources_url: internal_ip:nginx_http_port
+  # Use nginx and registry provide all offline resources
+  offline_resources_enabled: true
+  # Image repo in registry
+  image_repository: library
+  # Kubespray container image for deploy user cluster or scale
+  kubespray_image: "kubespray"
+  # Auto generate self-signed certificate for registry domain
+  generate_domain_crt: true
+  # For nodes pull image, use 443 as default
+  registry_https_port: 443
+  # For push image to this registry, use 5000 as default, and only bind at 127.0.0.1
+  registry_push_port: 5000
+  # Set false to disable download all container images on all nodes
+  download_container: false

config/compose/nginx.conf

@@ -75,49 +75,3 @@ server {
         proxy_read_timeout                  900;
     }
 }
-
-# This server listen at 5000 for push image by auth_basic auth
-server {
-    listen       5000 ssl;
-    listen       [::]:5000;
-    server_name  kube.registry.local;
-
-    # SSL
-    ssl_certificate /etc/nginx/conf.d/domain.crt;
-    ssl_certificate_key /etc/nginx/conf.d/domain.key;
-
-    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-    ssl_protocols TLSv1.1 TLSv1.2;
-    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-
-    # disable any limits to avoid HTTP 413 for large image uploads
-    client_max_body_size 0;
-
-    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
-    chunked_transfer_encoding on;
-
-    location /v2/ {
-        # Do not allow connections from docker 1.5 and earlier
-        # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
-        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
-            return 404;
-        }
-
-        # To add basic authentication to v2 use auth_basic setting.
-        auth_basic "Registry realm";
-        auth_basic_user_file /etc/nginx/conf.d/auth.htpasswd;
-
-        ## If $docker_distribution_api_version is empty, the header is not added.
-        ## See the map directive above where this variable is defined.
-        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
-
-        proxy_pass                          http://docker-registry;
-        proxy_set_header  Host              $http_host;   # required for docker client's sake
-        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
-        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
-        proxy_set_header  X-Forwarded-Proto $scheme;
-        proxy_read_timeout                  900;
-    }
-}

install.sh

@@ -2,7 +2,7 @@
 INSTALL_TYPE=$1
 : ${INSTALL_TYPE:=all}
 
-# Common utilities, variables and checks for all build scripts.
+# Common utilities, variables and checks for all scripts.
 set -o errexit
 set -o nounset
 set -o pipefail
@@ -12,7 +12,7 @@ USR_BIN_PATH=/usr/local/bin
 export PATH="${PATH}:${USR_BIN_PATH}"
 ARCH=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
 
-# Define glob vars
+# Define glob variables
 KUBE_ROOT="$(cd "$(dirname "$0")" && pwd)"
 CERTS_DIR="${KUBE_ROOT}/config/certs"
 CONFIG_FILE="${KUBE_ROOT}/config.yaml"
@@ -25,10 +25,10 @@ RESOURCES_NGINX_DIR="${KUBE_ROOT}/resources/nginx"
 KUBESPRAY_CONFIG_DIR="${KUBE_ROOT}/config/kubespray"
 INSTALL_STEPS_FILE="${KUBESPRAY_CONFIG_DIR}/.install_steps"
 
-# Import all functions from scripts/*.sh
-for file in ${KUBE_ROOT}/scripts/*.sh; do source ${file}; done
+# Include all functions from library/*.sh
+for file in ${KUBE_ROOT}/library/*.sh; do source ${file}; done
 
-# Get os release info
+# Gather os-release variables
 if ! source /etc/os-release; then
   errorlog "Every system that we officially support has /etc/os-release"
   exit 1
@@ -39,63 +39,49 @@ if [ ! -f ${CONFIG_FILE} ]; then
   exit 1
 fi
 
-usage(){
-  cat <<EOF
-Usage: install.sh [TYPE] [NODE_NAME]
-  The script is used for install kubernetes cluster
-
-Parameter:
-  [TYPE]\t  this param is used to determine what to do with the kubernetes cluster.
-  Available type as follow:
-    all              deploy compose addon and kubernetes cluster
-    compose          deploy nginx and registry server
-    deploy-cluster   install kubernetes cluster
-    remove-cluster   remove kubernetes cluster
-    add-node         add worker node to kubernetes cluster
-    remove-node      remove worker node to kubernetes cluster
-    debug            run debug mode for install or troubleshooting
-
-  [NODE_NAME] this param to choose node for kubespray to exceute.
-              Note: when [TYPE] is specified [add-node] or [remove-node] this parameter must be set
-              multiple nodes are separated by commas, example: node01,node02,node03
-
-EOF
-  exit 0
-}
-
-deploy_cluster(){
+deploy_compose(){
+  case ${ID} in
+    Debian|debian)
+      system::debian::config_repo
+      ;;
+    CentOS|centos)
+      system::centos::disable_selinux
+      system::centos::config_repo
+      ;;
+    Ubuntu|ubuntu)
+      system::ubuntu::config_repo
+      ;;
+    *)
+      errorlog "Not support system: ${ID}"
+      exit 1
+      ;;
+  esac
+  system::disable_firewalld
+  system::install_pkgs
+  common::install_tools
   common::rudder_config
-  common::push_kubespray_image
-  common::run_kubespray "bash /kubespray/run.sh deploy-cluster"
-}
-
-add_nodes(){
-  common::run_kubespray "bash /kubespray/run.sh add-node $2"
-}
-
-remove_nodes(){
-  common::run_kubespray "bash /kubespray/run.sh remove-node $2"
-}
-
-kubespray_debug(){
-  common::run_kubespray "bash"
-}
-
-install_all(){
-  bootstrap
-  deploy_cluster
+  common::update_hosts
+  common::generate_domain_certs
+  common::load_images
+  common::compose_up
+  common::health_check
+  system::install_chrony
 }
 
 main(){
   case ${INSTALL_TYPE} in
     all)
-      install_all
+      deploy_compose
+      common::push_kubespray_image
+      common::run_kubespray "bash /kubespray/run.sh deploy-cluster"
       ;;
     compose)
-      bootstrap
+      deploy_compose
       ;;
     cluster)
-      deploy_cluster
+      common::rudder_config
+      common::push_kubespray_image
+      common::run_kubespray "bash /kubespray/run.sh deploy-cluster"
       ;;
     remove)
       common::rudder_config
@@ -111,21 +97,23 @@ main(){
       remove::remove_compose
       ;;
     add-nodes)
+      common::run_kubespray "bash /kubespray/run.sh add-node $2"
       ;;
     remove-node)
+      common::run_kubespray "bash /kubespray/run.sh remove-node $2"
       ;;
     health-check)
       common::health_check
       ;;
     debug)
-      kubespray_debug
+      common::run_kubespray "bash"
       ;;
     -h|--help|help)
-      usage
+      common::usage
       ;;
     *)
       echowarn "unknow [TYPE] parameter: ${INSTALL_TYPE}"
-      usage
+      common::usage
       ;;
   esac
 }