├── README.md ├── increase-disk-tkg.ps1 ├── tkg-add-ca-via-sv.sh ├── tkg-add-ca.sh ├── tkg-insecure-registry.sh ├── tkg-proxy.sh └── tkg-ssh-cluster.sh /README.md: -------------------------------------------------------------------------------- 1 | # Scripts for vSphere 7 with Kubernetes 2 | 3 | These are the scripts that I use for vSphere with Kubernetes. 4 | 5 | # TKG-insecure-registry.sh 6 | 7 | This is a script to add an insecure registry to all the nodes in a Tanzu Kubernetes cluster deployed by the Tanzu Kubernetes Grid service in vSphere 7 (formerly known as guest cluster). This script does: 8 | 9 | 1. Get a Kubernetes API token for the Tanzu Kubernetes cluster 10 | 2. Get the list of the nodes in the cluster 11 | 3. SSH into vCenter to get credentials for the Supervisor Cluster master VMs 12 | 4. Get a Supervisor Cluster Kubernetes API token to get the TKC nodes SSH Password 13 | 5. Get the TKC nodes SSH private key from the Supervisor Cluster (it is stored as a secret in the Supervisor Cluster) 14 | 6. SSH to every node and verify if the registry does not exist in /etc/docker/daemon.json. If it does not exist, it adds it 15 | 7. Restarts the Docker daemon in every node 16 | 17 | The dependencies for this script are curl, jq and sshpass. Usage is as follows: 18 | 19 | `tkg-insecure-registry.sh $name-cluster $namespace $url-registry` 20 | 21 | # TKG-proxy.sh 22 | 23 | This is a script to add a HTTP/HTTPS proxy to the Docker daemon of all the nodes in a Tanzu Kubernetes cluster deployed by the Tanzu Kubernetes Grid service in vSphere 7 (formerly known as guest cluster). To add your proxy server, change the lines HTTP_PROXY, HTTPS_PROXY and NO_PROXY in the script. This script does: 24 | 25 | 1. Get a Kubernetes API token for the Tanzu Kubernetes cluster 26 | 2. Get the list of the nodes in the cluster 27 | 3. SSH into vCenter to get credentials for the Supervisor Cluster master VMs 28 | 4. 
Get a Supervisor Cluster Kubernetes API token to get the TKC nodes SSH Password 29 | 5. Get the TKC nodes SSH private key from the Supervisor Cluster (it is stored as a secret in the Supervisor Cluster) 30 | 6. SSH to every node and add the proxy server to /etc/systemd/system/docker.service.d/http-proxy.conf. 31 | 7. Reloads the systemd Docker daemon and restarts it in every node 32 | 33 | The dependencies for this script are curl, jq and sshpass. Usage is as follows: 34 | 35 | `tkg-proxy.sh $name-cluster $namespace` 36 | 37 | **These scripts are not meant for production use and changes will be overwritten with any Day-2 operation that involves node replacements** 38 | -------------------------------------------------------------------------------- /increase-disk-tkg.ps1: -------------------------------------------------------------------------------- 1 | # taking the inputs 2 | $Server = Read-Host -Prompt 'Input the vCenter name' 3 | $Cluster = Read-Host -Prompt 'Input the vSphere Cluster name' 4 | $TKGCluster = Read-Host -Prompt 'Input the TKG Cluster Name' 5 | $vcUser = Read-Host -Prompt 'Input the vCenter Username' 6 | $vcPassword = Read-Host -assecurestring "Input the vCenter Password" 7 | $vcPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($vcPassword)) 8 | $esxPassword = Read-Host -assecurestring "Input the ESXi Root Password" 9 | $esxPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($esxPassword)) 10 | $vdisksize = Read-Host -Prompt 'Input the target disk size in GB (>16)' 11 | # set power-cli ssl setting 12 | # Set-PowerCLIConfiguration -InvalidCertificateAction Ignore --confirm:$false 13 | Write-Host "-----------------------------------------------------" 14 | Write-Host "Connecting to vCenter Server to retrieve ESXi host" 15 | # connect to vCenter to retrieve the esxi list 16 | if 
(connect-viserver -server $Server -user $vcUser -Password $vcPassword) 17 | { 18 | Write-Host "Successfully logged into vCenter $Server" 19 | if ($wcpCluster = get-cluster $Cluster) 20 | { 21 | Write-Host "$Cluster Found" 22 | if ($esxiHosts = $wcpCluster | get-vmhost) 23 | { 24 | foreach ($esxiHost in $esxiHosts) 25 | { 26 | disconnect-viserver * -Confirm:$false -Force 27 | Write-Host "$esxiHost.Name is found" 28 | if (connect-viserver -server $esxiHost.Name -user root -Password $esxPassword) 29 | { 30 | Write-Host "Successfully logged into Host $esxiHost.Name" 31 | Write-Host "Changing all node disk to $vdisksize GB" 32 | get-vm $TKGCluster-* | Get-HardDisk |Set-HardDisk -CapacityGB $vdisksize -Confirm:$false 33 | Write-Host "Restarting all node disk to $vdisksize GB" 34 | get-vm $TKGCluster-* | Restart-VMGuest -Confirm 35 | } 36 | Write-Host "Operation completed! Please check in guest OS" 37 | } 38 | } 39 | } 40 | } 41 | else 42 | { 43 | Write-Host "Fail to login vCenter" 44 | } -------------------------------------------------------------------------------- /tkg-add-ca-via-sv.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # this script can be executed on on any environment where you can access VCenter and Supervisor Cluster VM Network. 4 | # This script is used to add an insecure registry 5 | # to a vSphere with Kubernetes Tanzu Kubernetes 6 | # cluster by executing the 'tkg-add-ca.sh' from Supervisor Master VM. 
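# the 'tkg-add-ca.sh' will restart the Docker daemon in every node, after adding the registry CA
#
# USAGE: tkg-add-ca-via-sv.sh --vc_ip <vcsa> --vc_admin_user <sso-user> --vc_admin_passowrd <sso-pass> \
#          --vc_root_password <root-pass> --sv_ip <supervisor-vip> -c <tkc-name> -n <namespace> --ca_file_path <ca.crt>
# original code from https://github.com/josemzr/vsphere-k8s-scripts
# Author: José Manzaneque (jmanzaneque@vmware.com)
# Dependencies: curl, jq, sshpass
# modified by kminseok
#
# Security notes (review):
#  - SSH host keys are not verified for vCenter or the Supervisor VM
#    (StrictHostKeyChecking=no, UserKnownHostsFile=/dev/null). On an untrusted
#    network an on-path attacker could capture the root and Supervisor passwords.
#  - Passwords are handed to sshpass through the SSHPASS environment variable
#    ('sshpass -e'), never with '-p', so they do not appear in 'ps' output on this host.
#  - The decrypted Supervisor VM credentials are written to a mode-0600 temp file
#    that is removed on exit (including on error), not to the working directory.
##############################################################################
################## Help message #############################################
##############################################################################
# Print the help text to stdout.
# The example invocations are part of the heredoc. In the previous version the
# second example sat outside the closing quote of the echo string, so every call
# to usage() (-h, missing or unknown option) re-executed this script against a
# hard-coded vCenter with the password "secret".
usage()
{
  cat <<EOF
Usage: ${BASH_SOURCE[0]} OPTIONS

Mandatory arguments
  --vc_ip                      vCenter FQDN or IP (root SSH is used to decrypt the Supervisor VM password)
  --vc_root_password           vCenter appliance root password
  --vc_admin_passowrd          vCenter SSO admin password (the spelling --vc_admin_password is accepted too)
  --vc_admin_user              vCenter SSO admin user
  --sv_ip                      Supervisor Cluster VIP
  -c, --tkg_cluster_name       guest_cluster_name
  -n, --tkg_cluster_namespace  guest_cluster_namespace
  --ca_file_path               path to the registry CA certificate (required)
  -h, --help                   show help.

Example:
  ${BASH_SOURCE[0]} --vc_ip \${vc_ip} --vc_admin_passowrd \${admin_pass} --vc_admin_user \${admin_user} --vc_root_password \${root_pass} --sv_ip \${sv_ip} -c \${cluster_name} -n \${namespace} --ca_file_path \${ca_file_path}
  ${BASH_SOURCE[0]} --vc_ip pacific-vcsa.haas-455.pez.vmware.com --vc_admin_passowrd secret --vc_admin_user administrator@vsphere.local --vc_root_password secret \\
      --sv_ip wcp.haas-455.pez.vmware.com -c ns1-tkg1 -n ns1 --ca_file_path ../harbor-root-ca.crt
EOF
}

VC_IP=''                  # vCenter FQDN or IP
VC_ADMIN_USER=''          # e.g. 'administrator@vsphere.local'; SSO user for the Supervisor Cluster
VC_ADMIN_PASSWORD=""      # Password for the Supervisor Cluster user
VC_ROOT_PASSWORD=""       # vCenter appliance root password
SV_IP=""                  # VIP for the Supervisor Cluster
TKG_CLUSTER_NAME=""       # Name of the TKG cluster
TKG_CLUSTER_NAMESPACE=""  # Namespace where the TKG cluster is deployed
CA_FILE_PATH=""           # required: path of the CA file to push to the nodes

# check_if_value_exist VALUE
# Abort when an option that takes a value was given an empty one (e.g. it was the
# last word on the command line).
check_if_value_exist()
{
  local current_param="$1"
  if [[ -z "${current_param}" ]]; then
    echo "parameter cannot be empty" >&2
    exit 1
  fi
}

# Show the help and exit when the script is invoked without any argument.
check_if_any_argument_supplied()
{
  if [[ "$#" -eq 0 ]]; then
    usage
    exit 1
  fi
}

# print_current_arg NAME VALUE -- debug echo of a parsed, non-secret option.
print_current_arg()
{
  echo "Debug $1: $2"
}

# define_arguments "$@"
# Parse the command line into the globals above. Passwords are intentionally not
# echoed through print_current_arg.
define_arguments()
{
  check_if_any_argument_supplied "$@"

  while [[ "$#" -gt 0 ]]; do
    case "$1" in
      --vc_ip )
        shift
        check_if_value_exist "$1"
        VC_IP="$1"
        print_current_arg "VC_IP" "$1"
        ;;
      --vc_admin_passowrd | --vc_admin_password )
        shift
        check_if_value_exist "$1"
        VC_ADMIN_PASSWORD="$1"
        ;;
      --vc_root_password )
        shift
        check_if_value_exist "$1"
        VC_ROOT_PASSWORD="$1"
        ;;
      --vc_admin_user )
        shift
        check_if_value_exist "$1"
        VC_ADMIN_USER="$1"
        print_current_arg "VC_ADMIN_USER" "$1"
        ;;
      --sv_ip )
        shift
        check_if_value_exist "$1"
        SV_IP="$1"
        print_current_arg "SV_IP" "$1"
        ;;
      -c | --tkg_cluster_name )
        shift
        check_if_value_exist "$1"
        TKG_CLUSTER_NAME="$1"
        print_current_arg "TKG_CLUSTER_NAME" "$1"
        ;;
      -n | --tkg_cluster_namespace )
        shift
        check_if_value_exist "$1"
        TKG_CLUSTER_NAMESPACE="$1"
        print_current_arg "TKG_CLUSTER_NAMESPACE" "$1"
        ;;
      --ca_file_path )
        shift
        check_if_value_exist "$1"
        CA_FILE_PATH="$1"
        print_current_arg "CA_FILE_PATH" "$1"
        ;;
      -h | --help )
        usage
        exit 0
        ;;
      * )
        echo "Unknown option: $1" >&2
        usage
        exit 1
        ;;
    esac
    shift
  done
}

# Every option is mandatory. Fail here with a readable message rather than later
# inside ssh/curl with an empty host name or password. (The previous check only
# tested that three positional words were present, which says nothing about
# which named options were actually given.)
check_required_arguments()
{
  local name missing=0
  for name in VC_IP VC_ADMIN_USER VC_ADMIN_PASSWORD VC_ROOT_PASSWORD SV_IP \
              TKG_CLUSTER_NAME TKG_CLUSTER_NAMESPACE CA_FILE_PATH; do
    if [[ -z "${!name}" ]]; then
      echo "missing required option for ${name}" >&2
      missing=1
    fi
  done
  if [[ "${missing}" -ne 0 ]]; then
    usage
    exit 2
  fi
}

##############################################################################
##############################################################################
##############################################################################

define_arguments "$@"

# Logging function that will redirect to stderr with timestamp:
logerr() { echo "$(date) ERROR: $*" 1>&2; }
# Logging function that will redirect to stdout with timestamp
loginfo() { echo "$(date) INFO: $*" ;}

# Verify if required arguments are met
check_required_arguments

if [[ ! -f "$CA_FILE_PATH" ]]; then
  logerr "File Not Found $CA_FILE_PATH"
  exit 1
fi

# NOTE(review): host keys are deliberately not verified (the Supervisor VM key is
# not known in advance). This is only acceptable on a trusted management network.
SSH_OPTS=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null)

# The decrypted Supervisor credentials go to a private temp file that is removed
# on every exit path; never leave them lying around in the working directory.
umask 077
SV_CREDS_FILE=$(mktemp) || { logerr "Could not create a temporary file. Exiting..."; exit 2; }
trap 'rm -f -- "${SV_CREDS_FILE}"' EXIT

#SSH into vCenter to get credentials for the supervisor cluster master VMs
loginfo "Connecting to the vCenter to get the supervisor cluster VM credentials..."
if SSHPASS="${VC_ROOT_PASSWORD}" sshpass -e ssh -t "${SSH_OPTS[@]}" -o PubkeyAuthentication=no -q \
     root@"${VC_IP}" com.vmware.shell /usr/lib/vmware-wcp/decryptK8Pwd.py > "${SV_CREDS_FILE}" 2>&1
then
  # 'tr -d' strips a stray carriage return that the forced pty (-t) may leave behind.
  SV_MASTER_IP=$(sed -n -e 's/^.*IP: //p' "${SV_CREDS_FILE}" | tr -d '\r')
  SV_MASTER_PASSWORD=$(sed -n -e 's/^.*PWD: //p' "${SV_CREDS_FILE}" | tr -d '\r')
  loginfo "Supervisor cluster master IP is: ${SV_MASTER_IP}"
else
  logerr "There was an error logging into the vCenter. Exiting..."
  exit 2
fi
rm -f -- "${SV_CREDS_FILE}"

if [[ -z "${SV_MASTER_IP}" || -z "${SV_MASTER_PASSWORD}" ]]; then
  logerr "Could not parse the supervisor VM IP/password from decryptK8Pwd.py output. Exiting..."
  exit 2
fi

# Consumed by the 'sshpass -e' calls that follow (password stays out of argv).
export SSHPASS="${SV_MASTER_PASSWORD}"

loginfo ""
loginfo "Copying tkg-add-ca.sh, CA file to Supervisor Master VM ..."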
183 | _CA_FILE=$(basename $CA_FILE_PATH) 184 | sshpass -p "${SV_MASTER_PASSWORD}" scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $CA_FILE_PATH root@"${SV_MASTER_IP}":/tmp/$_CA_FILE 185 | sshpass -p "${SV_MASTER_PASSWORD}" scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ./tkg-add-ca.sh root@"${SV_MASTER_IP}":/tmp/tkg-add-ca.sh 186 | 187 | loginfo "Executing /tmp/tkg-add-ca.sh on Supervisor cluster VM ..." 188 | sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -q -t root@"${SV_MASTER_IP}" chmod +x /tmp/tkg-add-ca.sh 189 | sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -q -t root@"${SV_MASTER_IP}" /tmp/tkg-add-ca.sh "$SV_IP" "$VC_ADMIN_USER" "$VC_ADMIN_PASSWORD" "$VC_ROOT_PASSWORD" "$TKG_CLUSTER_NAME" "$TKG_CLUSTER_NAMESPACE" "/tmp/$_CA_FILE" 190 | 191 | if [ $? -eq 0 ] ; 192 | then 193 | loginfo "Executing /tmp/tkg-add-ca.sh on Supervisor cluster VM successful !" 194 | else 195 | logerr "There was an error Executing /tmp/tkg-add-ca.sh on Supervisor cluster VM. Exiting..." 196 | exit 2 197 | fi 198 | -------------------------------------------------------------------------------- /tkg-add-ca.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script is used to add a CA to the Docker daemon 3 | # in a vSphere with Tanzu Tanzu Kubernetes 4 | # cluster. After adding the CA, it will restart 5 | # the Docker daemon in every node. 
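#
# USAGE:   tkg-add-ca.sh $sv_ip $vc_admin_user $vc_admin_password $vc_root_password $name-cluster $vsphere-namespace $cafile
# EXAMPLE: ./tkg-add-ca.sh 192.168.40.129 administrator@vsphere.local 'admin-pass' 'root-pass' tkg-cluster-1 test-namespace /home/vmware/ca.crt
#
# Author: José Manzaneque (jmanzaneque@vmware.com)
# Dependencies: curl, jq
#
# Normally invoked on the Supervisor Master VM by tkg-add-ca-via-sv.sh with the seven
# positional arguments above. It logs in to the Supervisor Cluster with the SSO user,
# reads the TKC nodes' SSH private key from the '<cluster>-ssh' secret, copies the CA
# file to every node and appends it to /etc/pki/tls/certs/ca-bundle.crt, then restarts
# docker.service. That file is the node's system-wide CA bundle (everything on the node
# trusts the CA, not only Docker) and each run appends the certificate again.
#
# Security notes (review):
#  - The passwords arrive as positional arguments, so they are visible in 'ps' output
#    on this host while the script runs. They are never logged (see the parameter
#    dump below); the previous version printed both of them in clear text.
#  - TLS verification is disabled for the Supervisor/TKC API calls ('curl -k') and SSH
#    host keys are not checked; acceptable only on a trusted management network.

SV_IP="$1"                  # VIP for the Supervisor Cluster
VC_ADMIN_USER="$2"          # e.g. 'administrator@vsphere.local'; user for the Supervisor Cluster
VC_ADMIN_PASSWORD="$3"      # Password for the Supervisor Cluster user
VC_ROOT_PASSWORD="$4"       # Root password of the VCSA. Accepted for call-compatibility with
                            # tkg-add-ca-via-sv.sh; nothing in this script uses it.

TKG_CLUSTER_NAME="$5"       # Name of the TKG cluster
TKG_CLUSTER_NAMESPACE="$6"  # Namespace where the TKG cluster is deployed
CA_FILE="$7"                # Path of the CA file to be transferred to the nodes

# Logging function that will redirect to stderr with timestamp:
logerr() { echo "$(date) ERROR: $*" 1>&2; }
# Logging function that will redirect to stdout with timestamp
loginfo() { echo "$(date) INFO: $*" ;}

# Verify if required arguments are met. Every argument the script actually uses must be
# non-empty; the old check only looked at the first three and let an empty cluster
# name, namespace or CA path through to the API/SSH calls.
if [[ -z "$SV_IP" || -z "$VC_ADMIN_USER" || -z "$VC_ADMIN_PASSWORD" \
      || -z "$TKG_CLUSTER_NAME" || -z "$TKG_CLUSTER_NAMESPACE" || -z "$CA_FILE" ]]
then
  logerr "Invalid arguments. Exiting..."
  logerr "Usage: $0 <sv_ip> <vc_admin_user> <vc_admin_password> <vc_root_password> <tkg_cluster_name> <tkg_cluster_namespace> <ca_file>"
  exit 2
fi

if [[ ! -f "$CA_FILE" ]]; then
  logerr "CA file not found: $CA_FILE. Exiting..."
  exit 2
fi

# Echo the non-secret parameters only. The passwords must not end up in stdout, the
# terminal scrollback, or whatever log the caller captures this script's output into.
loginfo "SV_IP:$SV_IP"
loginfo "VC_ADMIN_USER:$VC_ADMIN_USER"
loginfo "VC_ADMIN_PASSWORD:<redacted>"
loginfo "VC_ROOT_PASSWORD:<redacted>"
loginfo "TKG_CLUSTER_NAME:$TKG_CLUSTER_NAME"
loginfo "TKG_CLUSTER_NAMESPACE:$TKG_CLUSTER_NAMESPACE"
loginfo "CA_FILE:$CA_FILE"

# Exit the script if the supervisor cluster is not up
SV_HTTP_CODE=$(curl -m 15 -k -s -o /dev/null -w "%{http_code}" https://"${SV_IP}")
if [[ "${SV_HTTP_CODE}" != "200" ]]; then
  logerr "Supervisor cluster not ready (HTTP ${SV_HTTP_CODE}). Exiting..."
  exit 2
fi

# If the supervisor cluster is ready, get the token for TKG cluster
loginfo "Supervisor cluster is ready!"
loginfo "Getting TKC Kubernetes API token..."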
54 | 55 | # Get the TKG Kubernetes API token by login into the Supervisor Cluster 56 | TKC_API=$(curl -XPOST -s -u "${VC_ADMIN_USER}":"${VC_ADMIN_PASSWORD}" https://"${SV_IP}":443/wcp/login -k -d '{"guest_cluster_name":"'"${TKG_CLUSTER_NAME}"'", "guest_cluster_namespace":"'"${TKG_CLUSTER_NAMESPACE}"'"}' -H "Content-Type: application/json" | jq -r '.guest_cluster_server') 57 | TOKEN=$(curl -XPOST -s -u "${VC_ADMIN_USER}":"${VC_ADMIN_PASSWORD}" https://"${SV_IP}":443/wcp/login -k -d '{"guest_cluster_name":"'"${TKG_CLUSTER_NAME}"'", "guest_cluster_namespace":"'"${TKG_CLUSTER_NAMESPACE}"'"}' -H "Content-Type: application/json" | jq -r '.session_id') 58 | # I'm sure there is a better way to store the JSON in two variables in a single pipe execution. But I can't be bothered to search on StackOverflow right now. 59 | 60 | 61 | 62 | ################################################################################################################################## 63 | # Verify if the token is valid 64 | if [ $(curl -k -s -o /dev/null -w "%{http_code}" https://"${TKC_API}":6443/ --header "Authorization: Bearer "${TOKEN}"") -ne "200" ] 65 | then 66 | logerr "TKC Kubernetes API token is not valid. Exiting..." 67 | exit 2 68 | else 69 | loginfo "TKC Kubernetes API token is valid!" 70 | fi 71 | 72 | #Get the list of nodes in the cluster 73 | curl -XGET -k --fail -s https://"${TKC_API}":6443/api/v1/nodes --header 'Content-Type: application/json' --header "Authorization: Bearer "${TOKEN}"" >> /dev/null 74 | if [ $? -eq 0 ] ; 75 | then 76 | loginfo "Getting the IPs of the nodes in the cluster..." 
77 | curl -XGET -k --fail -s https://"${TKC_API}":6443/api/v1/nodes --header 'Content-Type: application/json' --header "Authorization: Bearer "${TOKEN}"" | jq -r '.items[].status.addresses[] | select(.type=="InternalIP").address' > ./ip-nodes-tkg 78 | loginfo "The nodes IPs are: "$(column ./ip-nodes-tkg | sed 's/\t/,/g')"" 79 | else 80 | logerr "There was an error processing the IPs of the nodes. Exiting..." 81 | exit 2 82 | fi 83 | 84 | 85 | #Get Supervisor Cluster token to get the TKC nodes SSH Private Key 86 | loginfo "Getting Supervisor Cluster Kubernetes API token..." 87 | SV_TOKEN=$(curl -XPOST -s --fail -u "${VC_ADMIN_USER}":"${VC_ADMIN_PASSWORD}" https://"${SV_IP}":443/wcp/login -k -H "Content-Type: application/json" | jq -r '.session_id') 88 | 89 | # Verify if the Supervisor Cluster token is valid 90 | # Health check in /api/v1 (Supervisor Cluster forbids accessing / directly (TKC cluster allows it)) 91 | if [ $(curl -k -s -o /dev/null -w "%{http_code}" https://"${SV_IP}":6443/api/v1 --header "Authorization: Bearer "${SV_TOKEN}"") -ne "200" ] 92 | then 93 | logerr "Supervisor Cluster Kubernetes API token is not valid. Exiting..." 94 | exit 2 95 | else 96 | loginfo "Supervisor Cluster Kubernetes API token is valid!" 97 | fi 98 | 99 | # Get the TKC nodes SSH private key from the Supervisor Cluster 100 | curl -XGET -k --fail -s https://"${SV_IP}":6443/api/v1/namespaces/"${TKG_CLUSTER_NAMESPACE}"/secrets/"${TKG_CLUSTER_NAME}"-ssh --header 'Content-Type: application/json' --header "Authorization: Bearer "${SV_TOKEN}"" >> /dev/null 101 | if [ $? -eq 0 ] ; 102 | then 103 | loginfo "Getting the TKC nodes SSH private key from the supervisor cluster..." 
104 | curl -XGET -k --fail -s https://"${SV_IP}":6443/api/v1/namespaces/"${TKG_CLUSTER_NAMESPACE}"/secrets/"${TKG_CLUSTER_NAME}"-ssh --header 'Content-Type: application/json' --header "Authorization: Bearer "${SV_TOKEN}"" | jq -r '.data."ssh-privatekey"' | base64 -d > ./tkc-ssh-privatekey 105 | #Set correct permissions for TKC SSH private key 106 | chmod 400 ./tkc-ssh-privatekey 107 | loginfo "TKC SSH private key retrieved successfully!" 108 | else 109 | logerr "There was an error getting the TKC nodes SSH private key. Exiting..." 110 | exit 2 111 | fi 112 | 113 | ######################################################################################################## 114 | # SSH to every node and transfer the CA 115 | 116 | while read -r IPS_NODES_READ; 117 | do 118 | loginfo "Adding CA to the node '"${IPS_NODES_READ}"'..." 119 | scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./tkc-ssh-privatekey "${CA_FILE}" vmware-system-user@"${IPS_NODES_READ}":/home/vmware-system-user/registry_ca.crt 120 | ssh -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./tkc-ssh-privatekey vmware-system-user@"${IPS_NODES_READ}" << EOF 121 | sudo bash -c "cat /home/vmware-system-user/registry_ca.crt >> /etc/pki/tls/certs/ca-bundle.crt" 122 | EOF 123 | if [ $? -eq 0 ] ; 124 | then 125 | loginfo "CA added successfully!" 126 | else 127 | logerr "There was an error transferring the CA to the TKC node. Exiting..." 128 | exit 2 129 | fi 130 | done < "./ip-nodes-tkg" 131 | 132 | # Restart the Docker daemon 133 | while read -r IPS_NODES_READ; 134 | do 135 | loginfo "Restarting Docker on node '"${IPS_NODES_READ}"'..." 136 | ssh -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./tkc-ssh-privatekey vmware-system-user@"${IPS_NODES_READ}" << EOF 137 | sudo systemctl restart docker.service 138 | EOF 139 | if [ $? -eq 0 ] ; 140 | then 141 | loginfo "Docker daemon restarted successfully!" 
142 | else 143 | logerr "There was an error restarting the Docker daemon. Exiting..." 144 | exit 2 145 | fi 146 | done < "./ip-nodes-tkg" 147 | 148 | # Cleaning up 149 | loginfo "Cleaning up temporary files..." 150 | rm -rf ./tkc-ssh-privatekey 151 | rm -rf ./sv-cluster-creds 152 | rm -rf ./ip-nodes-tkg 153 | -------------------------------------------------------------------------------- /tkg-insecure-registry.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script is used to add an insecure registry 3 | # to a vSphere with Kubernetes Tanzu Kubernetes 4 | # cluster. After adding the registry, it will restart 5 | # the Docker daemon in every node. 6 | # 7 | # USAGE: tkg-insecure-registry.sh $name-cluster $namespace $url-registry 8 | # 9 | # Author: José Manzaneque (jmanzaneque@vmware.com) 10 | # Dependencies: curl, jq, sshpass 11 | 12 | ############################################################################## 13 | ################## Help message ############################################# 14 | ############################################################################## 15 | usage() 16 | { 17 | echo "Usage: [FILE]... [Interactive] 18 | 19 | Mandatory arguments 20 | -c, --tkg_cluster_name guest_cluster_name 21 | -n, --tkg_cluster_namespace guest_cluster_namespace 22 | -r, --url_registry 23 | --vc_root_password 24 | --vc_admin_passowrd 25 | --vc_admin_user 26 | --vc_ip 27 | --sv_ip 28 | -h, --help show help. 29 | 30 | Example: 31 | ./tkg-insecure-registry.sh -c \${cluster_name} -n \${namespace} -r \${url_registry} --vc_admin_passowrd \${admin_pass} --vc_admin_user \${admin_user} --vc_ip \${vc_ip} --sv_ip \${supervisor_cliuster_ip} --vc_root_password \${root_pass}" 32 | } 33 | 34 | SV_IP='' #'192.168.40.129' #VIP for the Supervisor Cluster 35 | VC_IP='' #URL for the vCenter 36 | VC_ADMIN_USER='' #'administrator@vsphere.local' #User for the Supervisor Cluster 37 | VC_ADMIN_PASSWORD="" #'VMware1!' 
#Password for the Supervisor Cluster user 38 | VC_ROOT_PASSWORD="" 39 | TKG_CLUSTER_NAME="" # Name of the TKG cluster 40 | TKG_CLUSTER_NAMESPACE="" # Namespace where the TKG cluster is deployed 41 | URL_REGISTRY="" # URL of the Registry to be added 42 | 43 | # Check if parameter value is empty. 44 | check_if_value_exist() 45 | { 46 | current_param=$1 47 | if [ "$current_param" = "" ] 48 | then 49 | echo "parameter cannot be empty" 50 | exit 1 51 | fi 52 | } 53 | 54 | 55 | check_if_any_argument_supplied() 56 | { 57 | if [ "$#" -eq 0 ] 58 | then 59 | usage 60 | exit 1 61 | fi 62 | } 63 | 64 | 65 | print_current_arg() 66 | { 67 | echo "Debug $1: $2" 68 | } 69 | 70 | define_arguments() 71 | { 72 | check_if_any_argument_supplied $@ 73 | 74 | while [ "$#" -gt 0 ]; do 75 | # while [ "x$1" != "x" ]; do 76 | # while [ "$1" != "" ]; do 77 | case $1 in 78 | -c | --tkg_cluster_name ) shift 79 | check_if_value_exist $1 80 | TKG_CLUSTER_NAME=$1 81 | print_current_arg "TKG_CLUSTER_NAME" $1 82 | ;; 83 | -n | --tkg_cluster_namespace ) shift 84 | check_if_value_exist $1 85 | TKG_CLUSTER_NAMESPACE=$1 86 | print_current_arg "TKG_CLUSTER_NAMESPACE" $1 87 | ;; 88 | -r | --url_registry ) shift 89 | check_if_value_exist $1 90 | URL_REGISTRY=$1 91 | print_current_arg "URL_REGISTRY" $1 92 | ;; 93 | --vc_admin_passowrd ) shift 94 | check_if_value_exist $1 95 | VC_ADMIN_PASSWORD=$1 96 | ;; 97 | --vc_root_password ) shift 98 | check_if_value_exist $1 99 | VC_ROOT_PASSWORD=$1 100 | ;; 101 | --vc_admin_user ) shift 102 | check_if_value_exist $1 103 | VC_ADMIN_USER=$1 104 | print_current_arg "VC_ADMIN_USER" $1 105 | ;; 106 | --vc_ip ) shift 107 | check_if_value_exist $1 108 | VC_IP=$1 109 | print_current_arg "VC_IP" $1 110 | ;; 111 | --sv_ip ) shift 112 | check_if_value_exist $1 113 | SV_IP=$1 114 | print_current_arg "SV_IP" $1 115 | ;; 116 | -h | --help ) 117 | usage 118 | exit 119 | ;; 120 | * ) 121 | usage 122 | exit 1 123 | ;; 124 | esac 125 | shift 126 | done 127 | 128 | # 
check_if_argument_exist 129 | } 130 | ############################################################################## 131 | ############################################################################## 132 | ############################################################################## 133 | 134 | define_arguments $@ 135 | # SV_IP='192.168.40.129' #VIP for the Supervisor Cluster 136 | # VC_IP='vcsa.pacific.local' #URL for the vCenter 137 | # VC_ADMIN_USER='administrator@vsphere.local' #User for the Supervisor Cluster 138 | # VC_ADMIN_PASSWORD='VMware1!' #Password for the Supervisor Cluster user 139 | 140 | # TKG_CLUSTER_NAME=$1 # Name of the TKG cluster 141 | # TKG_CLUSTER_NAMESPACE=$2 # Namespace where the TKG cluster is deployed 142 | # URL_REGISTRY=$3 # URL of the Registry to be added 143 | URL_REGISTRY_TRIM=$(echo "${URL_REGISTRY}" | sed 's~http[s]*://~~g') # Sanitize registry URL to remove http/https 144 | 145 | # Logging function that will redirect to stderr with timestamp: 146 | logerr() { echo "$(date) ERROR: $@" 1>&2; } 147 | # Logging function that will redirect to stdout with timestamp 148 | loginfo() { echo "$(date) INFO: $@" ;} 149 | 150 | # Verify if required arguments are met 151 | 152 | if [[ -z "$1" || -z "$2" || -z "$3" ]] 153 | then 154 | logerr "Invalid arguments. Exiting..." 155 | exit 2 156 | fi 157 | 158 | # Exit the script if the supervisor cluster is not up 159 | if [ $(curl -m 15 -k -s -o /dev/null -w "%{http_code}" https://"${SV_IP}") -ne "200" ]; then 160 | logerr "Supervisor cluster not ready. Exiting..." 161 | exit 2 162 | fi 163 | 164 | # If the supervisor cluster is ready, get the token for TKG cluster 165 | loginfo "Supervisor cluster is ready!" 166 | loginfo "Getting TKC Kubernetes API token..." 
167 | 168 | # Get the TKG Kubernetes API token by login into the Supervisor Cluster 169 | TKC_API=$(curl -XPOST -s -u "${VC_ADMIN_USER}":"${VC_ADMIN_PASSWORD}" https://"${SV_IP}":443/wcp/login -k -d '{"guest_cluster_name":"'"${TKG_CLUSTER_NAME}"'", "guest_cluster_namespace":"'"${TKG_CLUSTER_NAMESPACE}"'"}' -H "Content-Type: application/json" | jq -r '.guest_cluster_server') 170 | TOKEN=$(curl -XPOST -s -u "${VC_ADMIN_USER}":"${VC_ADMIN_PASSWORD}" https://"${SV_IP}":443/wcp/login -k -d '{"guest_cluster_name":"'"${TKG_CLUSTER_NAME}"'", "guest_cluster_namespace":"'"${TKG_CLUSTER_NAMESPACE}"'"}' -H "Content-Type: application/json" | jq -r '.session_id') 171 | # I'm sure there is a better way to store the JSON in two variables in a single pipe execution. But I can't be bothered to search on StackOverflow right now. 172 | 173 | # Verify if the token is valid 174 | if [ $(curl -k -s -o /dev/null -w "%{http_code}" https://"${TKC_API}":6443/ --header "Authorization: Bearer "${TOKEN}"") -ne "200" ] 175 | then 176 | logerr "TKC Kubernetes API token is not valid. Exiting..." 177 | exit 2 178 | else 179 | loginfo "TKC Kubernetes API token is valid!" 180 | fi 181 | 182 | #Get the list of nodes in the cluster 183 | curl -XGET -k --fail -s https://"${TKC_API}":6443/api/v1/nodes --header 'Content-Type: application/json' --header "Authorization: Bearer "${TOKEN}"" >> /dev/null 184 | if [ $? -eq 0 ] ; 185 | then 186 | loginfo "Getting the IPs of the nodes in the cluster..." 187 | curl -XGET -k --fail -s https://"${TKC_API}":6443/api/v1/nodes --header 'Content-Type: application/json' --header "Authorization: Bearer "${TOKEN}"" | jq -r '.items[].status.addresses[] | select(.type=="InternalIP").address' > ./ip-nodes-tkg 188 | loginfo "The nodes IPs are: "$(column ./ip-nodes-tkg | sed 's/\t/,/g')"" 189 | else 190 | logerr "There was an error processing the IPs of the nodes. Exiting..." 
191 | exit 2 192 | fi 193 | 194 | #SSH into vCenter to get credentials for the supervisor cluster master VMs 195 | sshpass -p "${VC_ROOT_PASSWORD}" ssh -t -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PubkeyAuthentication=no -q root@"${VC_IP}" com.vmware.shell /usr/lib/vmware-wcp/decryptK8Pwd.py > ./sv-cluster-creds 2>&1 196 | if [ $? -eq 0 ] ; 197 | then 198 | loginfo "Connecting to the vCenter to get the supervisor cluster VM credentials..." 199 | SV_MASTER_IP=$(cat ./sv-cluster-creds | sed -n -e 's/^.*IP: //p') 200 | SV_MASTER_PASSWORD=$(cat ./sv-cluster-creds | sed -n -e 's/^.*PWD: //p') 201 | loginfo "Supervisor cluster master IP is: "${SV_MASTER_IP}"" 202 | else 203 | logerr "There was an error logging into the vCenter. Exiting..." 204 | exit 2 205 | fi 206 | 207 | #Get Supervisor Cluster token to get the TKC nodes SSH Password 208 | loginfo "Getting Supervisor Cluster Kubernetes API token..." 209 | SV_TOKEN=$(curl -XPOST -s --fail -u "${VC_ADMIN_USER}":"${VC_ADMIN_PASSWORD}" https://"${SV_IP}":443/wcp/login -k -H "Content-Type: application/json" | jq -r '.session_id') 210 | 211 | # Verify if the Supervisor Cluster token is valid 212 | # Health check in /api/v1 (Supervisor Cluster forbids accessing / directly (TKC cluster allows it)) 213 | if [ $(curl -k -s -o /dev/null -w "%{http_code}" https://"${SV_IP}":6443/api/v1 --header "Authorization: Bearer "${SV_TOKEN}"") -ne "200" ] 214 | then 215 | logerr "Supervisor Cluster Kubernetes API token is not valid. Exiting..." 216 | exit 2 217 | else 218 | loginfo "Supervisor Cluster Kubernetes API token is valid!" 219 | fi 220 | 221 | # Get the TKC nodes SSH private key from the Supervisor Cluster 222 | curl -XGET -k --fail -s https://"${SV_IP}":6443/api/v1/namespaces/"${TKG_CLUSTER_NAMESPACE}"/secrets/"${TKG_CLUSTER_NAME}"-ssh --header 'Content-Type: application/json' --header "Authorization: Bearer "${SV_TOKEN}"" >> /dev/null 223 | if [ $? 
-eq 0 ] ; 224 | then 225 | loginfo "Getting the TKC nodes SSH private key from the supervisor cluster..." 226 | curl -XGET -k --fail -s https://"${SV_IP}":6443/api/v1/namespaces/"${TKG_CLUSTER_NAMESPACE}"/secrets/"${TKG_CLUSTER_NAME}"-ssh --header 'Content-Type: application/json' --header "Authorization: Bearer "${SV_TOKEN}"" | jq -r '.data."ssh-privatekey"' | base64 -d > ./tkc-ssh-privatekey 227 | #Set correct permissions for TKC SSH private key 228 | chmod 600 ./tkc-ssh-privatekey 229 | loginfo "TKC SSH private key retrieved successfully!" 230 | else 231 | logerr "There was an error getting the TKC nodes SSH private key. Exiting..." 232 | exit 2 233 | fi 234 | 235 | # Transfer the TKC nodes SSH private key to the Supervisor Cluster Master VM 236 | loginfo "Transferring the TKC nodes SSH private key to the supervisor cluster VM..." 237 | sshpass -p "${SV_MASTER_PASSWORD}" scp -q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ./tkc-ssh-privatekey root@"${SV_MASTER_IP}":./tkc-ssh-privatekey >> /dev/null 238 | if [ $? -eq 0 ] ; 239 | then 240 | loginfo "TKC SSH private key transferred successfully!" 241 | else 242 | logerr "There was an error transferring the TKC nodes SSH private key. Exiting..." 243 | exit 2 244 | fi 245 | 246 | # SSH to every node and verify if the registry does not exist in /etc/docker/daemon.json. If it does not exist, add it 247 | export SSHPASS="${SV_MASTER_PASSWORD}" 248 | 249 | while read -r IPS_NODES_READ; 250 | do 251 | loginfo "Adding registry to the node '"${IPS_NODES_READ}"'..." 252 | sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -q -t root@"${SV_MASTER_IP}" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./tkc-ssh-privatekey -t -q vmware-system-user@"${IPS_NODES_READ}" << EOF 253 | sudo -i 254 | cp /etc/docker/daemon.json /etc/docker/daemon.json.bak 255 | cat /etc/docker/daemon.json | jq '. 
| select(.bridge=="none")."insecure-registries" |= (.+ ["'"${URL_REGISTRY_TRIM}"'"] | unique)' > /etc/docker/daemon.json.new 256 | #Verify that the change was added successfully. If it was, replace daemon.json. If not, exit without copying. 257 | if [[ -s /etc/docker/daemon.json.new ]]; then mv /etc/docker/daemon.json.new /etc/docker/daemon.json ; else exit 2; fi 258 | EOF 259 | if [ $? -eq 0 ] ; 260 | then 261 | loginfo "Registry added successfully!" 262 | else 263 | logerr "There was an error writing the registry to /etc/docker/daemon.json. Exiting..." 264 | exit 2 265 | fi 266 | done < "./ip-nodes-tkg" 267 | 268 | # Restart the Docker daemon 269 | while read -r IPS_NODES_READ; 270 | do 271 | loginfo "Restarting Docker on node '"${IPS_NODES_READ}"'..." 272 | sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -q -t root@"${SV_MASTER_IP}" ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./tkc-ssh-privatekey -t -q vmware-system-user@"${IPS_NODES_READ}" << EOF 273 | sudo -i 274 | systemctl stop docker 275 | systemctl start docker 276 | EOF 277 | if [ $? -eq 0 ] ; 278 | then 279 | loginfo "Docker daemon restarted successfully!" 280 | else 281 | logerr "There was an error restarting the Docker daemon. Exiting..." 282 | exit 2 283 | fi 284 | done < "./ip-nodes-tkg" 285 | 286 | # Cleaning up 287 | loginfo "Cleaning up temporary files..." 288 | rm -rf ./tkc-ssh-privatekey 289 | rm -rf ./sv-cluster-creds 290 | rm -rf ./ip-nodes-tkg 291 | -------------------------------------------------------------------------------- /tkg-proxy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This script is used to add a proxy to the Docker daemon 3 | # in a vSphere with Kubernetes Tanzu Kubernetes 4 | # cluster. After adding the proxy, it will restart 5 | # the Docker daemon in every node. 
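#
# USAGE: tkg-proxy.sh $name-cluster $namespace
#
# Author: José Manzaneque (jmanzaneque@vmware.com)
# Dependencies: curl (>= 7.55 for -H @file), jq, sshpass
#
# Security notes for this revision:
#  * No credentials are stored in the script. VC_ADMIN_PASSWORD and
#    VC_ROOT_PASSWORD are read from the environment and prompted for when
#    unset. SV_IP, VC_IP and VC_ADMIN_USER keep their lab defaults but can be
#    overridden from the environment as well.
#  * Passwords never appear on a command line (visible to every local user in
#    `ps`): sshpass reads SSHPASS from the environment and curl reads the
#    user/password from a config on stdin (-K -). Bearer tokens go via -H @file.
#  * The node SSH private key, the decrypted SV master password and the node
#    list live in a private mktemp directory that an EXIT trap removes on every
#    exit path (the original left them in the CWD after any failed step). The
#    key copied to the SV master VM is removed as well.
#  * TLS verification stays disabled (-k) unless VC_CA_BUNDLE points to a CA
#    bundle, and SSH host keys are not checked unless TKG_KNOWN_HOSTS names a
#    known_hosts file (keys are then pinned on first use). Both defaults are
#    only acceptable on an isolated lab network.

set -uo pipefail

SV_IP="${SV_IP:-192.168.50.128}"                              #VIP for the Supervisor Cluster
VC_IP="${VC_IP:-vcsa.corp.local}"                             #URL for the vCenter
VC_ADMIN_USER="${VC_ADMIN_USER:-administrator@vsphere.local}" #User for the Supervisor Cluster
VC_ADMIN_PASSWORD="${VC_ADMIN_PASSWORD:-}"                    #Password for the Supervisor Cluster user (prompted when empty)
VC_ROOT_PASSWORD="${VC_ROOT_PASSWORD:-}"                      #Password for the root VCSA user (prompted when empty)

# Proxy settings written to /etc/systemd/system/docker.service.d/http-proxy.conf
# on every node. Edit the defaults or export the variables before running.
# DOCKER_NO_PROXY must cover the node, pod and service CIDRs plus any internal
# registry, otherwise that traffic is sent through the proxy as well.
DOCKER_HTTP_PROXY="${DOCKER_HTTP_PROXY:-ADD PROXY HERE}"
DOCKER_HTTPS_PROXY="${DOCKER_HTTPS_PROXY:-ADD PROXY HERE}"
DOCKER_NO_PROXY="${DOCKER_NO_PROXY:-ADD NOPROXY HOSTS HERE}"

TKG_CLUSTER_NAME="${1:-}"      # Name of the TKG cluster
TKG_CLUSTER_NAMESPACE="${2:-}" # Namespace where the TKG cluster is deployed

# Logging helpers: errors go to stderr, progress to stdout, both with a timestamp.
logerr() { echo "$(date) ERROR: $*" 1>&2; }
loginfo() { echo "$(date) INFO: $*"; }

# Verify if required arguments are met
if [[ -z "${TKG_CLUSTER_NAME}" || -z "${TKG_CLUSTER_NAMESPACE}" ]]; then
  logerr "Invalid arguments. Exiting..."
  exit 2
fi

# Refuse to push the placeholder values into every node's Docker daemon
# (the original would have done so and broken image pulls on all nodes).
if [[ "${DOCKER_HTTP_PROXY}" == "ADD PROXY HERE" || "${DOCKER_HTTPS_PROXY}" == "ADD PROXY HERE" || "${DOCKER_NO_PROXY}" == "ADD NOPROXY HOSTS HERE" ]]; then
  logerr "Proxy settings are still the placeholders. Set DOCKER_HTTP_PROXY, DOCKER_HTTPS_PROXY and DOCKER_NO_PROXY first. Exiting..."
  exit 2
fi

# Prompt for whatever credential was not supplied through the environment.
if [[ -z "${VC_ADMIN_PASSWORD}" ]]; then
  read -r -s -p "Password for ${VC_ADMIN_USER}: " VC_ADMIN_PASSWORD; echo
fi
if [[ -z "${VC_ROOT_PASSWORD}" ]]; then
  read -r -s -p "Password for root@${VC_IP}: " VC_ROOT_PASSWORD; echo
fi

# TLS: verify against a CA bundle when one is given, otherwise keep the original -k.
if [[ -n "${VC_CA_BUNDLE:-}" ]]; then
  curl_tls=(--cacert "${VC_CA_BUNDLE}")
else
  curl_tls=(-k)
fi
# Host-key policy for the hops made from this machine (vCenter and the SV master VM).
if [[ -n "${TKG_KNOWN_HOSTS:-}" ]]; then
  ssh_opts=(-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile="${TKG_KNOWN_HOSTS}")
else
  ssh_opts=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null)
fi
# The second hop runs on the SV master VM, which keeps no known_hosts for the nodes.
NODE_SSH="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./tkc-ssh-privatekey -t -q"

# Private working directory for secrets (mode 0700, files 0600); removed by the EXIT trap.
umask 077
WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/tkg-proxy.XXXXXX")" || { logerr "Could not create a temporary directory. Exiting..."; exit 2; }
KEY_FILE="${WORKDIR}/tkc-ssh-privatekey"
CREDS_FILE="${WORKDIR}/sv-cluster-creds"
NODES_FILE="${WORKDIR}/ip-nodes-tkg"
TKC_HDR="${WORKDIR}/tkc.hdr"
SV_HDR="${WORKDIR}/sv.hdr"
SV_MASTER_IP=""
SV_MASTER_PASSWORD=""
KEY_ON_SV=""

cleanup() {
  # Best effort: remove the key copied to the SV master VM, then the local work dir.
  if [[ -n "${KEY_ON_SV}" ]]; then
    SSHPASS="${SV_MASTER_PASSWORD}" sshpass -e ssh "${ssh_opts[@]}" -q root@"${SV_MASTER_IP}" 'rm -f ./tkc-ssh-privatekey' 2>/dev/null
  fi
  rm -rf -- "${WORKDIR}"
}
trap cleanup EXIT

# wcp_login BODY: POST to the Supervisor Cluster login endpoint and print the JSON reply.
# The user:password pair is handed to curl as a config on stdin, never as an argument.
wcp_login() {
  local body="$1" cred
  local -a data=()
  [[ -n "${body}" ]] && data=(-d "${body}")
  # Backslashes and double quotes must be escaped inside a quoted curl config value.
  cred="$(printf '%s:%s' "${VC_ADMIN_USER}" "${VC_ADMIN_PASSWORD}" | sed 's/[\\"]/\\&/g')"
  curl -XPOST -s --fail "${curl_tls[@]}" -K - -H "Content-Type: application/json" \
    ${data[@]+"${data[@]}"} "https://${SV_IP}:443/wcp/login" <<EOF
user = "${cred}"
EOF
}

# http_status ARGS...: print only the HTTP status code of a request ("000" when the connection fails).
http_status() { curl -s -o /dev/null -w '%{http_code}' "${curl_tls[@]}" "$@"; }

# k8s_get HOST HDRFILE PATH: GET an API path on HOST:6443 with the bearer header in HDRFILE; non-2xx fails.
k8s_get() { curl -XGET -s --fail "${curl_tls[@]}" -H @"$2" "https://$1:6443$3"; }

# Exit the script if the supervisor cluster is not up
if [[ "$(http_status -m 15 "https://${SV_IP}")" != "200" ]]; then
  logerr "Supervisor cluster not ready. Exiting..."
  exit 2
fi
loginfo "Supervisor cluster is ready!"

# One login call yields both the guest cluster API endpoint and the session token
# (the original logged in twice, once per field).
loginfo "Getting TKC Kubernetes API token..."
LOGIN_BODY="$(jq -cn --arg n "${TKG_CLUSTER_NAME}" --arg ns "${TKG_CLUSTER_NAMESPACE}" '{guest_cluster_name:$n, guest_cluster_namespace:$ns}')"
LOGIN_JSON="$(wcp_login "${LOGIN_BODY}")"
TKC_API="$(jq -r '.guest_cluster_server // empty' <<<"${LOGIN_JSON}")"
TOKEN="$(jq -r '.session_id // empty' <<<"${LOGIN_JSON}")"
if [[ -z "${TKC_API}" || -z "${TOKEN}" ]]; then
  logerr "Could not log in to the Supervisor Cluster for TKC '${TKG_CLUSTER_NAME}' in namespace '${TKG_CLUSTER_NAMESPACE}'. Exiting..."
  exit 2
fi
printf 'Authorization: Bearer %s\n' "${TOKEN}" > "${TKC_HDR}"

# Verify if the token is valid
if [[ "$(http_status -H @"${TKC_HDR}" "https://${TKC_API}:6443/")" != "200" ]]; then
  logerr "TKC Kubernetes API token is not valid. Exiting..."
  exit 2
fi
loginfo "TKC Kubernetes API token is valid!"

# Get the list of nodes in the cluster (InternalIP of every node, one per line).
# pipefail makes a failed curl fail the whole pipeline instead of being masked by jq.
loginfo "Getting the IPs of the nodes in the cluster..."
if ! k8s_get "${TKC_API}" "${TKC_HDR}" /api/v1/nodes \
     | jq -r '.items[].status.addresses[] | select(.type=="InternalIP").address' > "${NODES_FILE}" \
   || [[ ! -s "${NODES_FILE}" ]]; then
  logerr "There was an error processing the IPs of the nodes. Exiting..."
  exit 2
fi
loginfo "The nodes IPs are: $(paste -sd, "${NODES_FILE}")"

# SSH into vCenter to get credentials for the supervisor cluster master VMs.
# decryptK8Pwd.py prints the SV master IP and root password; its output is kept
# only in the private work dir.
loginfo "Connecting to the vCenter to get the supervisor cluster VM credentials..."
if ! SSHPASS="${VC_ROOT_PASSWORD}" sshpass -e ssh -t "${ssh_opts[@]}" -q root@"${VC_IP}" \
     com.vmware.shell /usr/lib/vmware-wcp/decryptK8Pwd.py > "${CREDS_FILE}" 2>&1; then
  logerr "There was an error logging into the vCenter. Exiting..."
  exit 2
fi
SV_MASTER_IP="$(sed -n -e 's/^.*IP: //p' "${CREDS_FILE}" | head -n 1 | tr -d '\r')"
SV_MASTER_PASSWORD="$(sed -n -e 's/^.*PWD: //p' "${CREDS_FILE}" | head -n 1 | tr -d '\r')"
if [[ -z "${SV_MASTER_IP}" || -z "${SV_MASTER_PASSWORD}" ]]; then
  logerr "Could not parse the supervisor cluster VM credentials from the vCenter output. Exiting..."
  exit 2
fi
loginfo "Supervisor cluster master IP is: ${SV_MASTER_IP}"

# Get a Supervisor Cluster token; it is needed to read the secret holding the TKC nodes' SSH key.
loginfo "Getting Supervisor Cluster Kubernetes API token..."
SV_TOKEN="$(wcp_login "" | jq -r '.session_id // empty')"
printf 'Authorization: Bearer %s\n' "${SV_TOKEN}" > "${SV_HDR}"
# The Supervisor Cluster returns 403 for "/" (the TKC API allows it), so probe /api/v1 instead.
if [[ -z "${SV_TOKEN}" || "$(http_status -H @"${SV_HDR}" "https://${SV_IP}:6443/api/v1")" != "200" ]]; then
  logerr "Supervisor Cluster Kubernetes API token is not valid. Exiting..."
  exit 2
fi
loginfo "Supervisor Cluster Kubernetes API token is valid!"

# Get the TKC nodes SSH private key from the Supervisor Cluster
# (secret "<cluster>-ssh" in the cluster namespace, data key "ssh-privatekey").
loginfo "Getting the TKC nodes SSH private key from the supervisor cluster..."
if ! k8s_get "${SV_IP}" "${SV_HDR}" "/api/v1/namespaces/${TKG_CLUSTER_NAMESPACE}/secrets/${TKG_CLUSTER_NAME}-ssh" \
     | jq -r '.data."ssh-privatekey" // empty' | base64 -d > "${KEY_FILE}" \
   || [[ ! -s "${KEY_FILE}" ]]; then
  logerr "There was an error getting the TKC nodes SSH private key. Exiting..."
  exit 2
fi
chmod 600 "${KEY_FILE}"   # already 0600 thanks to the umask; kept explicit
loginfo "TKC SSH private key retrieved successfully!"

# Transfer the TKC nodes SSH private key to the Supervisor Cluster Master VM,
# which is the host used as a jump box to reach the node IPs.
loginfo "Transferring the TKC nodes SSH private key to the supervisor cluster VM..."
if ! SSHPASS="${SV_MASTER_PASSWORD}" sshpass -e scp -q "${ssh_opts[@]}" "${KEY_FILE}" root@"${SV_MASTER_IP}":./tkc-ssh-privatekey; then
  logerr "There was an error transferring the TKC nodes SSH private key. Exiting..."
  exit 2
fi
KEY_ON_SV=1
loginfo "TKC SSH private key transferred successfully!"

# node_shell NODE_IP: run the commands given on stdin on a node, via the SV master VM.
node_shell() {
  # shellcheck disable=SC2086 -- NODE_SSH is a deliberately word-split command string
  SSHPASS="${SV_MASTER_PASSWORD}" sshpass -e ssh "${ssh_opts[@]}" -q -t root@"${SV_MASTER_IP}" \
    ${NODE_SSH} vmware-system-user@"$1"
}

# SSH to every node and write the proxy drop-in. The outer heredoc is unquoted so
# the proxy values are substituted here; the inner heredoc is quoted so the node's
# shell copies them verbatim. The new file only replaces the old one once it is
# complete, so a failed write leaves any existing drop-in untouched.
while IFS= read -r node_ip; do
  loginfo "Adding proxy to the node '${node_ip}'..."
  if ! node_shell "${node_ip}" <<EOF
sudo -i
set -e
mkdir -p /etc/systemd/system/docker.service.d
cat <<'EOF1' > /etc/systemd/system/docker.service.d/http-proxy.conf.new
[Service]
Environment="HTTP_PROXY=${DOCKER_HTTP_PROXY}"
Environment="HTTPS_PROXY=${DOCKER_HTTPS_PROXY}"
Environment="NO_PROXY=${DOCKER_NO_PROXY}"
EOF1
if [[ -s /etc/systemd/system/docker.service.d/http-proxy.conf.new ]]; then mv /etc/systemd/system/docker.service.d/http-proxy.conf.new /etc/systemd/system/docker.service.d/http-proxy.conf ; else exit 2; fi
EOF
  then
    logerr "There was an error writing the proxy to /etc/systemd/system/docker.service.d. Exiting..."
    exit 2
  fi
  loginfo "Proxy added successfully!"
done < "${NODES_FILE}"

# Reload systemd and restart the Docker daemon on every node, checking that it came back up.
while IFS= read -r node_ip; do
  loginfo "Restarting Docker on node '${node_ip}'..."
  if ! node_shell "${node_ip}" <<'EOF'
sudo -i
systemctl daemon-reload
systemctl restart docker
systemctl is-active --quiet docker
EOF
  then
    logerr "There was an error restarting the Docker daemon. Exiting..."
    exit 2
  fi
  loginfo "Docker daemon restarted successfully!"
done < "${NODES_FILE}"

# The EXIT trap removes the work dir and the key copy on the SV master VM.
loginfo "Cleaning up temporary files..."
exit 0
# --------------------------------------------------------------------------------
# /tkg-ssh-cluster.sh:
# --------------------------------------------------------------------------------
#!/bin/bash
# This script is used to get the SSH private key
# in a Tanzu Kubernetes cluster in vSphere with Tanzu. If you
# set the node IP, you'll get automatically logged in.
#
# USAGE: tkg-ssh-cluster.sh $name-cluster $namespace $node_ip
#
# Author: José Manzaneque (jmanzaneque@vmware.com)
# Dependencies: curl, jq, sshpass
#
# Credentials are no longer stored in the script: VC_ADMIN_PASSWORD and
# VC_ROOT_PASSWORD are read from the environment and prompted for when unset.
# SV_IP, VC_IP and VC_ADMIN_USER keep their lab defaults and can be overridden
# from the environment as well.

SV_IP="${SV_IP:-192.168.50.129}"                              #VIP for the Supervisor Cluster
VC_IP="${VC_IP:-vcsa.corp.local}"                             #URL for the vCenter
VC_ADMIN_USER="${VC_ADMIN_USER:-administrator@vsphere.local}" #User for the Supervisor Cluster
VC_ADMIN_PASSWORD="${VC_ADMIN_PASSWORD:-}"                    #Password for the Supervisor Cluster user (prompted when empty)
VC_ROOT_PASSWORD="${VC_ROOT_PASSWORD:-}"                      #Password for the root VCSA user (prompted when empty)

TKG_CLUSTER_NAME=$1 # Name of the TKG cluster
TKG_CLUSTER_NAMESPACE=$2 # Namespace where the TKG cluster is deployed

# Logging helpers: errors go to stderr, progress to stdout, both with a timestamp.
logerr() { echo "$(date) ERROR: $*" 1>&2; }
loginfo() { echo "$(date) INFO: $*"; }

# Verify if required arguments are met
if [[ -z "$1" || -z "$2" ]]; then
  logerr "Invalid arguments. Exiting..."
  exit 2
fi

# Prompt for whatever credential was not supplied through the environment.
if [[ -z "${VC_ADMIN_PASSWORD}" ]]; then
  read -r -s -p "Password for ${VC_ADMIN_USER}: " VC_ADMIN_PASSWORD; echo
fi
if [[ -z "${VC_ROOT_PASSWORD}" ]]; then
  read -r -s -p "Password for root@${VC_IP}: " VC_ROOT_PASSWORD; echo
fi

# Exit the script if the supervisor cluster is not up
# (-k: the Supervisor VIP usually presents a self-signed certificate; lab use only)
if [[ "$(curl -m 15 -k -s -o /dev/null -w '%{http_code}' "https://${SV_IP}")" != "200" ]]; then
  logerr "Supervisor cluster not ready. Exiting..."
  exit 2
fi

# If the supervisor cluster is ready, get the token for TKG cluster
loginfo "Supervisor cluster is ready!"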
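loginfo "Getting TKC Kubernetes API token..."

# --- Hardening applied to the rest of this script -------------------------------
#  * Passwords no longer appear on command lines (`ps` exposure): sshpass reads
#    SSHPASS from the environment, curl reads user/password from a config on stdin.
#  * The SV master root password (decryptK8Pwd.py output) and the node list live
#    in a private mktemp directory removed by an EXIT trap; the key copied to the
#    SV master VM is removed after the session. The key in ./tkc-ssh-privatekey is
#    this script's output and is kept, created with mode 0600 from the start.
#  * vCenter is only contacted as root when a node IP is given (that is the only
#    path that needs the SV master credentials).
#  * TLS verification stays disabled unless VC_CA_BUNDLE is set; SSH host keys are
#    unchecked unless TKG_KNOWN_HOSTS names a known_hosts file. Lab-only defaults.

# Fail a pipeline when any stage fails, so a failed `curl --fail | jq` is not masked by jq's status.
set -o pipefail
# Files created from here on (the private key, the decrypted SV password) must not be readable by others.
umask 077

if [[ -n "${VC_CA_BUNDLE:-}" ]]; then
  curl_tls=(--cacert "${VC_CA_BUNDLE}")
else
  curl_tls=(-k)
fi
if [[ -n "${TKG_KNOWN_HOSTS:-}" ]]; then
  ssh_opts=(-o StrictHostKeyChecking=accept-new -o UserKnownHostsFile="${TKG_KNOWN_HOSTS}")
else
  ssh_opts=(-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null)
fi

logwarn() { echo "$(date) WARN: $*" 1>&2; }

WORKDIR="$(mktemp -d "${TMPDIR:-/tmp}/tkg-ssh.XXXXXX")" || { logerr "Could not create a temporary directory. Exiting..."; exit 2; }
CREDS_FILE="${WORKDIR}/sv-cluster-creds"
NODES_FILE="${WORKDIR}/ip-nodes-tkg"
TKC_HDR="${WORKDIR}/tkc.hdr"
SV_HDR="${WORKDIR}/sv.hdr"
KEY_FILE=./tkc-ssh-privatekey
SV_MASTER_IP=""
SV_MASTER_PASSWORD=""
KEY_ON_SV=""

cleanup() {
  # Best effort: drop the key copy left on the SV master, then the local work dir.
  if [[ -n "${KEY_ON_SV}" ]]; then
    SSHPASS="${SV_MASTER_PASSWORD}" sshpass -e ssh "${ssh_opts[@]}" -q root@"${SV_MASTER_IP}" 'rm -f ./tkc-ssh-privatekey' 2>/dev/null
  fi
  rm -rf -- "${WORKDIR}"
}
trap cleanup EXIT

# wcp_login BODY: POST to the Supervisor Cluster login endpoint and print the JSON reply.
# The user:password pair goes to curl as a config on stdin (-K -), never as an argument.
wcp_login() {
  local body="$1" cred
  local -a data=()
  [[ -n "${body}" ]] && data=(-d "${body}")
  # Backslashes and double quotes must be escaped inside a quoted curl config value.
  cred="$(printf '%s:%s' "${VC_ADMIN_USER}" "${VC_ADMIN_PASSWORD}" | sed 's/[\\"]/\\&/g')"
  curl -XPOST -s --fail "${curl_tls[@]}" -K - -H "Content-Type: application/json" \
    ${data[@]+"${data[@]}"} "https://${SV_IP}:443/wcp/login" <<EOF
user = "${cred}"
EOF
}

# http_status ARGS...: print only the HTTP status code ("000" when the connection fails).
http_status() { curl -s -o /dev/null -w '%{http_code}' "${curl_tls[@]}" "$@"; }

# k8s_get HOST HDRFILE PATH: GET an API path on HOST:6443 with the bearer header in HDRFILE (curl >= 7.55).
k8s_get() { curl -XGET -s --fail "${curl_tls[@]}" -H @"$2" "https://$1:6443$3"; }

# One login call yields both the guest cluster API endpoint and the session token.
LOGIN_BODY="$(jq -cn --arg n "${TKG_CLUSTER_NAME}" --arg ns "${TKG_CLUSTER_NAMESPACE}" '{guest_cluster_name:$n, guest_cluster_namespace:$ns}')"
LOGIN_JSON="$(wcp_login "${LOGIN_BODY}")"
TKC_API="$(jq -r '.guest_cluster_server // empty' <<<"${LOGIN_JSON}")"
TOKEN="$(jq -r '.session_id // empty' <<<"${LOGIN_JSON}")"
if [[ -z "${TKC_API}" || -z "${TOKEN}" ]]; then
  logerr "Could not log in to the Supervisor Cluster for TKC '${TKG_CLUSTER_NAME}' in namespace '${TKG_CLUSTER_NAMESPACE}'. Exiting..."
  exit 2
fi
printf 'Authorization: Bearer %s\n' "${TOKEN}" > "${TKC_HDR}"

# Verify if the token is valid
if [[ "$(http_status -H @"${TKC_HDR}" "https://${TKC_API}:6443/")" != "200" ]]; then
  logerr "TKC Kubernetes API token is not valid. Exiting..."
  exit 2
fi
loginfo "TKC Kubernetes API token is valid!"

# Get the list of nodes in the cluster (InternalIP of every node, one per line)
loginfo "Getting the IPs of the nodes in the cluster..."
if ! k8s_get "${TKC_API}" "${TKC_HDR}" /api/v1/nodes \
     | jq -r '.items[].status.addresses[] | select(.type=="InternalIP").address' > "${NODES_FILE}" \
   || [[ ! -s "${NODES_FILE}" ]]; then
  logerr "There was an error processing the IPs of the nodes. Exiting..."
  exit 2
fi
loginfo "The nodes IPs are: $(paste -sd, "${NODES_FILE}")"

# Get a Supervisor Cluster token; it is needed to read the secret holding the TKC nodes' SSH key.
loginfo "Getting Supervisor Cluster Kubernetes API token..."
SV_TOKEN="$(wcp_login "" | jq -r '.session_id // empty')"
printf 'Authorization: Bearer %s\n' "${SV_TOKEN}" > "${SV_HDR}"
# The Supervisor Cluster returns 403 for "/" (the TKC API allows it), so probe /api/v1 instead.
if [[ -z "${SV_TOKEN}" || "$(http_status -H @"${SV_HDR}" "https://${SV_IP}:6443/api/v1")" != "200" ]]; then
  logerr "Supervisor Cluster Kubernetes API token is not valid. Exiting..."
  exit 2
fi
loginfo "Supervisor Cluster Kubernetes API token is valid!"

# Get the TKC nodes SSH private key from the Supervisor Cluster
# (secret "<cluster>-ssh" in the cluster namespace, data key "ssh-privatekey").
loginfo "Getting the TKC nodes SSH private key from the supervisor cluster..."
if ! k8s_get "${SV_IP}" "${SV_HDR}" "/api/v1/namespaces/${TKG_CLUSTER_NAMESPACE}/secrets/${TKG_CLUSTER_NAME}-ssh" \
     | jq -r '.data."ssh-privatekey" // empty' | base64 -d > "${KEY_FILE}" \
   || [[ ! -s "${KEY_FILE}" ]]; then
  rm -f -- "${KEY_FILE}"
  logerr "There was an error getting the TKC nodes SSH private key. Exiting..."
  exit 2
fi
chmod 600 "${KEY_FILE}"   # already 0600 thanks to the umask; kept explicit
loginfo "TKC SSH private key retrieved successfully!"

# Without a node IP the key file in the CWD is the deliverable; nothing else is touched.
if [[ -z "$3" ]]; then
  loginfo "TKC SSH private key saved to ${KEY_FILE}"
  loginfo "Node IP was not set as a parameter. Exiting..."
  exit 2
fi
IP_NODE="$3"
if ! grep -qxF -- "${IP_NODE}" "${NODES_FILE}"; then
  logwarn "'${IP_NODE}' is not an InternalIP of a node in '${TKG_CLUSTER_NAME}'; continuing anyway."
fi

# SSH into vCenter to get credentials for the supervisor cluster master VMs.
# decryptK8Pwd.py prints the SV master IP and root password; kept only in the work dir.
loginfo "Connecting to the vCenter to get the supervisor cluster VM credentials..."
if ! SSHPASS="${VC_ROOT_PASSWORD}" sshpass -e ssh -t "${ssh_opts[@]}" -q root@"${VC_IP}" \
     com.vmware.shell /usr/lib/vmware-wcp/decryptK8Pwd.py > "${CREDS_FILE}" 2>&1; then
  logerr "There was an error logging into the vCenter. Exiting..."
  exit 2
fi
SV_MASTER_IP="$(sed -n -e 's/^.*IP: //p' "${CREDS_FILE}" | head -n 1 | tr -d '\r')"
SV_MASTER_PASSWORD="$(sed -n -e 's/^.*PWD: //p' "${CREDS_FILE}" | head -n 1 | tr -d '\r')"
if [[ -z "${SV_MASTER_IP}" || -z "${SV_MASTER_PASSWORD}" ]]; then
  logerr "Could not parse the supervisor cluster VM credentials from the vCenter output. Exiting..."
  exit 2
fi
loginfo "Supervisor cluster master IP is: ${SV_MASTER_IP}"

# Transfer the TKC nodes SSH private key to the Supervisor Cluster Master VM (the jump box to the nodes)
loginfo "Node IP set as a parameter. Logging in..."
loginfo "Transferring the TKC nodes SSH private key to the supervisor cluster VM..."
if ! SSHPASS="${SV_MASTER_PASSWORD}" sshpass -e scp -q "${ssh_opts[@]}" "${KEY_FILE}" root@"${SV_MASTER_IP}":./tkc-ssh-privatekey; then
  logerr "There was an error transferring the TKC nodes SSH private key. Exiting..."
  exit 2
fi
KEY_ON_SV=1
loginfo "TKC SSH private key transferred successfully!"

# Jump from the Supervisor Cluster Master VM to the node. The second hop runs on the
# SV master VM, which keeps no known_hosts for the nodes. The EXIT trap removes the
# key copy from the SV master once the interactive session ends.
SSHPASS="${SV_MASTER_PASSWORD}" sshpass -e ssh "${ssh_opts[@]}" -q -t root@"${SV_MASTER_IP}" \
  ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ./tkc-ssh-privatekey vmware-system-user@"${IP_NODE}"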