underpost 3.2.21 → 3.2.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/ghpkg.ci.yml +1 -1
- package/.github/workflows/gitlab.ci.yml +1 -1
- package/.github/workflows/npmpkg.ci.yml +1 -1
- package/.github/workflows/publish.ci.yml +2 -2
- package/.github/workflows/pwa-microservices-template-page.cd.yml +1 -1
- package/.github/workflows/pwa-microservices-template-test.ci.yml +1 -1
- package/CHANGELOG.md +178 -1
- package/CLI-HELP.md +58 -2
- package/README.md +3 -2
- package/baremetal/commission-workflows.json +1 -0
- package/bin/build.js +13 -1
- package/docker-compose.yml +224 -0
- package/manifests/cronjobs/dd-cron/dd-cron-backup.yaml +1 -1
- package/manifests/cronjobs/dd-cron/dd-cron-dns.yaml +1 -1
- package/manifests/deployment/dd-default-development/deployment.yaml +2 -2
- package/package.json +27 -15
- package/scripts/kubeadm-node-setup.sh +317 -0
- package/scripts/rocky-kickstart.sh +877 -185
- package/scripts/rpmfusion-ffmpeg-setup.sh +26 -50
- package/scripts/test-monitor.sh +242 -78
- package/src/cli/baremetal.js +717 -16
- package/src/cli/cluster.js +3 -1
- package/src/cli/deploy.js +11 -10
- package/src/cli/docker-compose.js +591 -0
- package/src/cli/fs.js +35 -11
- package/src/cli/index.js +83 -0
- package/src/cli/kickstart.js +142 -20
- package/src/cli/monitor.js +114 -29
- package/src/cli/repository.js +75 -11
- package/src/cli/run.js +275 -6
- package/src/cli/ssh.js +190 -0
- package/src/cli/static.js +2 -2
- package/src/client/components/core/PanelForm.js +44 -44
- package/src/{server → client-builder}/client-build-docs.js +15 -5
- package/src/{server → client-builder}/client-build-live.js +3 -3
- package/src/{server → client-builder}/client-build.js +25 -22
- package/src/{server → client-builder}/client-dev-server.js +3 -3
- package/src/{server → client-builder}/client-icons.js +2 -2
- package/src/{server → client-builder}/ssr.js +5 -5
- package/src/client.build.js +1 -1
- package/src/client.dev.js +1 -1
- package/src/index.js +12 -1
- package/src/mailer/EmailRender.js +1 -1
- package/src/{server → projects/underpost}/catalog-underpost.js +1 -2
- package/src/runtime/express/Express.js +2 -2
- package/src/runtime/nginx/Nginx.js +250 -0
- package/src/server/catalog.js +7 -14
- package/src/server/conf.js +61 -12
- package/src/server/start.js +17 -5
- package/src/server.js +1 -1
- package/test/deploy-monitor.test.js +33 -5
- package/typedoc.json +3 -1
- package/src/server/ipfs-client.js +0 -597
- /package/src/client/ssr/{Render.js → RootDocument.js} +0 -0
- /package/src/{server → client-builder}/client-formatted.js +0 -0
|
@@ -0,0 +1,317 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
set -euo pipefail
|
|
3
|
+
|
|
4
|
+
# ---------------------------------------------------------------------------
|
|
5
|
+
# Underpost Kubeadm Node Setup (bare-metal physical node)
|
|
6
|
+
#
|
|
7
|
+
# Mirrors scripts/k3s-node-setup.sh but for kubeadm on real hardware: it runs on
|
|
8
|
+
# the freshly deployed OS (disk-installed Rocky) after first boot, installs NVM +
|
|
9
|
+
# Node.js, ensures the engine source is present, and drives the cluster bring-up
|
|
10
|
+
# through the local engine entrypoint `node bin cluster` (src/cli/cluster.js) —
|
|
11
|
+
# reusing its kubeadm + Contour + host-init logic instead of reimplementing it.
|
|
12
|
+
#
|
|
13
|
+
# Modes:
|
|
14
|
+
# --control Initialize a new kubeadm control-plane (default).
|
|
15
|
+
# --worker Join an existing cluster.
|
|
16
|
+
#
|
|
17
|
+
# Worker join (controller supplies this over SSH; no manual token paste):
|
|
18
|
+
# --join-command="kubeadm join <ip>:6443 --token <t> --discovery-token-ca-cert-hash <h>"
|
|
19
|
+
# or: --control-ip=<ip> --token=<t> --discovery-token-ca-cert-hash=<h>
|
|
20
|
+
#
|
|
21
|
+
# Engine source / options:
|
|
22
|
+
# --engine-root=<path> Engine source path (default /home/dd/engine).
|
|
23
|
+
# --engine-repo=<url> Git repo cloned if the engine source is missing.
|
|
24
|
+
# --engine-branch=<branch> Branch to clone (default: repo default).
|
|
25
|
+
# --no-contour Control mode: skip the Contour ingress install.
|
|
26
|
+
# ---------------------------------------------------------------------------
|
|
27
|
+
|
|
28
|
+
ROLE="control"
|
|
29
|
+
JOIN_COMMAND=""
|
|
30
|
+
CONTROL_IP=""
|
|
31
|
+
CONTROL_ENDPOINT_HOST=""
|
|
32
|
+
TOKEN=""
|
|
33
|
+
CA_CERT_HASH=""
|
|
34
|
+
JOIN_ONLY="0"
|
|
35
|
+
INSTALL_CONTOUR="1"
|
|
36
|
+
ENGINE_ROOT="/home/dd/engine"
|
|
37
|
+
ENGINE_REPO="https://github.com/underpostnet/engine.git"
|
|
38
|
+
ENGINE_BRANCH=""
|
|
39
|
+
# Private repo holding secrets (engine-private/conf/.../.env.production) cloned
|
|
40
|
+
# with a GitHub token. GITHUB_TOKEN/GITHUB_USERNAME come from the environment
|
|
41
|
+
# (passed over SSH by the controller) or the --github-* args.
|
|
42
|
+
ENGINE_PRIVATE_REPO="https://github.com/underpostnet/engine-private.git"
|
|
43
|
+
ENGINE_PRIVATE_BRANCH=""
|
|
44
|
+
GITHUB_TOKEN="${GITHUB_TOKEN:-}"
|
|
45
|
+
GITHUB_USERNAME="${GITHUB_USERNAME:-}"
|
|
46
|
+
CRI_SOCKET="unix:///var/run/crio/crio.sock"
|
|
47
|
+
|
|
48
|
+
for arg in "$@"; do
|
|
49
|
+
case $arg in
|
|
50
|
+
--control) ROLE="control" ;;
|
|
51
|
+
--worker) ROLE="worker" ;;
|
|
52
|
+
--join-command=*) JOIN_COMMAND="${arg#*=}" ;;
|
|
53
|
+
--control-ip=*) CONTROL_IP="${arg#*=}" ;;
|
|
54
|
+
--control-endpoint-host=*) CONTROL_ENDPOINT_HOST="${arg#*=}" ;;
|
|
55
|
+
--token=*) TOKEN="${arg#*=}" ;;
|
|
56
|
+
--discovery-token-ca-cert-hash=*) CA_CERT_HASH="${arg#*=}" ;;
|
|
57
|
+
--join-only) JOIN_ONLY="1" ;;
|
|
58
|
+
--engine-root=*) ENGINE_ROOT="${arg#*=}" ;;
|
|
59
|
+
--engine-repo=*) ENGINE_REPO="${arg#*=}" ;;
|
|
60
|
+
--engine-branch=*) ENGINE_BRANCH="${arg#*=}" ;;
|
|
61
|
+
--engine-private-repo=*) ENGINE_PRIVATE_REPO="${arg#*=}" ;;
|
|
62
|
+
--engine-private-branch=*) ENGINE_PRIVATE_BRANCH="${arg#*=}" ;;
|
|
63
|
+
--github-token=*) GITHUB_TOKEN="${arg#*=}" ;;
|
|
64
|
+
--github-username=*) GITHUB_USERNAME="${arg#*=}" ;;
|
|
65
|
+
--no-contour) INSTALL_CONTOUR="0" ;;
|
|
66
|
+
esac
|
|
67
|
+
done
|
|
68
|
+
|
|
69
|
+
log() { echo "$(date): [kubeadm-setup] $*"; }
|
|
70
|
+
|
|
71
|
+
# worker_join: lightweight, idempotent kubeadm join. Centralizes the join logic
|
|
72
|
+
# used by both the full worker flow and the --join-only short-circuit. Returns
|
|
73
|
+
# non-zero on failure so `set -e` aborts the script (no false-positive success).
|
|
74
|
+
worker_join() {
|
|
75
|
+
if [ -z "$JOIN_COMMAND" ]; then
|
|
76
|
+
if [ -n "$CONTROL_IP" ] && [ -n "$TOKEN" ] && [ -n "$CA_CERT_HASH" ]; then
|
|
77
|
+
JOIN_COMMAND="kubeadm join ${CONTROL_IP}:6443 --token ${TOKEN} --discovery-token-ca-cert-hash ${CA_CERT_HASH}"
|
|
78
|
+
else
|
|
79
|
+
echo "ERROR: worker mode needs --join-command=... OR --control-ip/--token/--discovery-token-ca-cert-hash" >&2
|
|
80
|
+
return 1
|
|
81
|
+
fi
|
|
82
|
+
fi
|
|
83
|
+
|
|
84
|
+
command -v kubeadm >/dev/null 2>&1 || {
|
|
85
|
+
echo "ERROR: kubeadm not found on node. Run a full (non --join-only) setup first." >&2
|
|
86
|
+
return 1
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
# Make the control-plane endpoint hostname resolve to the control IP. kubeadm
|
|
90
|
+
# reads the cluster-info / kubeadm-config ConfigMaps whose server URL is the
|
|
91
|
+
# control-plane endpoint (often 'localhost.localdomain:6443'); without this the
|
|
92
|
+
# worker dials [::1]:6443 and fails with "connection refused".
|
|
93
|
+
if [ -n "$CONTROL_ENDPOINT_HOST" ] && [ -n "$CONTROL_IP" ] && [ "$CONTROL_ENDPOINT_HOST" != "$CONTROL_IP" ]; then
|
|
94
|
+
log "Mapping control-plane endpoint '$CONTROL_ENDPOINT_HOST' -> $CONTROL_IP in /etc/hosts"
|
|
95
|
+
ESC_HOST="$(printf '%s' "$CONTROL_ENDPOINT_HOST" | sed 's/[.]/\\./g')"
|
|
96
|
+
# Strip the endpoint host from any existing (loopback) line so it no longer
|
|
97
|
+
# resolves to 127.0.0.1, then point it at the real control-plane IP.
|
|
98
|
+
sudo sed -i -E "s/[[:space:]]+${ESC_HOST}([[:space:]]|\$)/\1/g" /etc/hosts || true
|
|
99
|
+
if ! grep -qE "^${CONTROL_IP}[[:space:]].*${ESC_HOST}([[:space:]]|\$)" /etc/hosts; then
|
|
100
|
+
echo "${CONTROL_IP} ${CONTROL_ENDPOINT_HOST}" | sudo tee -a /etc/hosts >/dev/null
|
|
101
|
+
fi
|
|
102
|
+
fi
|
|
103
|
+
|
|
104
|
+
# Kernel/sysctl prereqs the kubeadm preflight needs (no engine/node required).
|
|
105
|
+
sudo swapoff -a || true
|
|
106
|
+
sudo sed -i '/swap/d' /etc/fstab || true
|
|
107
|
+
sudo modprobe br_netfilter || true
|
|
108
|
+
printf 'net.bridge.bridge-nf-call-iptables = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.ipv4.ip_forward = 1\n' \
|
|
109
|
+
| sudo tee /etc/sysctl.d/99-kubernetes.conf >/dev/null
|
|
110
|
+
sudo sysctl --system >/dev/null 2>&1 || true
|
|
111
|
+
|
|
112
|
+
# Replace --discovery-token-ca-cert-hash with --discovery-token-unsafe-skip-ca-verification
|
|
113
|
+
# so token discovery does not depend on the pinned CA hash.
|
|
114
|
+
UNSAFE_JOIN="$(echo "${JOIN_COMMAND}" | sed 's/--discovery-token-ca-cert-hash [^ ]*/--discovery-token-unsafe-skip-ca-verification/')"
|
|
115
|
+
|
|
116
|
+
_do_join() {
|
|
117
|
+
# Reset any stale state from a previous failed join so kubeadm does not
|
|
118
|
+
# reuse cached config that points at an unreachable endpoint.
|
|
119
|
+
sudo kubeadm reset -f --cri-socket="${CRI_SOCKET}" >/dev/null 2>&1 || true
|
|
120
|
+
sudo rm -rf /etc/kubernetes/* /var/lib/kubelet/pki 2>/dev/null || true
|
|
121
|
+
log "Joining cluster: ${UNSAFE_JOIN%% --token*} ..."
|
|
122
|
+
sudo ${UNSAFE_JOIN} --cri-socket="${CRI_SOCKET}"
|
|
123
|
+
}
|
|
124
|
+
|
|
125
|
+
if _do_join; then
|
|
126
|
+
log "Worker joined the cluster."
|
|
127
|
+
return 0
|
|
128
|
+
fi
|
|
129
|
+
log "WARNING: kubeadm join attempt failed; resetting and retrying once..."
|
|
130
|
+
if _do_join; then
|
|
131
|
+
log "Worker joined the cluster."
|
|
132
|
+
return 0
|
|
133
|
+
fi
|
|
134
|
+
log "FATAL: kubeadm join failed after retry"
|
|
135
|
+
return 1
|
|
136
|
+
}
|
|
137
|
+
|
|
138
|
+
# --join-only: skip all prerequisite/engine/host setup and go straight to the
|
|
139
|
+
# join (used by `baremetal --resume-join` on an already-provisioned node).
|
|
140
|
+
if [ "$JOIN_ONLY" = "1" ]; then
|
|
141
|
+
[ "$ROLE" = "worker" ] || { echo "ERROR: --join-only is only valid with --worker" >&2; exit 1; }
|
|
142
|
+
log "--join-only: skipping prerequisites/engine setup; joining cluster directly"
|
|
143
|
+
worker_join
|
|
144
|
+
log "kubeadm worker (join-only) complete."
|
|
145
|
+
exit 0
|
|
146
|
+
fi
|
|
147
|
+
|
|
148
|
+
# ---------------------------------------------------------------------------
|
|
149
|
+
# 0. Base prerequisites — a minimal @core Rocky install lacks tar/xz/git, which
|
|
150
|
+
# NVM needs to extract Node.js and the engine clone needs. Install them first.
|
|
151
|
+
# ---------------------------------------------------------------------------
|
|
152
|
+
log "Installing base prerequisites (tar, xz, gzip, git, curl)..."
|
|
153
|
+
sudo dnf install -y tar xz gzip bzip2 git curl ca-certificates which findutils 2>/dev/null \
|
|
154
|
+
|| dnf install -y tar xz gzip bzip2 git curl ca-certificates which findutils
|
|
155
|
+
|
|
156
|
+
# ---------------------------------------------------------------------------
|
|
157
|
+
# 1. NVM and Node.js — required for the `node bin ...` entrypoints. Idempotent so
|
|
158
|
+
# a retried run does not reinstall Node from scratch.
|
|
159
|
+
# ---------------------------------------------------------------------------
|
|
160
|
+
if command -v node >/dev/null 2>&1 && node --version 2>/dev/null | grep -q '^v24'; then
|
|
161
|
+
log "Node.js $(node --version) already installed; skipping NVM setup"
|
|
162
|
+
else
|
|
163
|
+
log "Installing NVM and Node.js v24.15.0..."
|
|
164
|
+
curl -o- https://cdn.jsdelivr.net/gh/nvm-sh/nvm@v0.40.1/install.sh | bash
|
|
165
|
+
|
|
166
|
+
export NVM_DIR="$([ -z "${XDG_CONFIG_HOME-}" ] && printf %s "${HOME}/.nvm" || printf %s "${XDG_CONFIG_HOME}/nvm")"
|
|
167
|
+
# shellcheck disable=SC1090
|
|
168
|
+
[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
|
|
169
|
+
|
|
170
|
+
nvm install 24.15.0
|
|
171
|
+
nvm use 24.15.0
|
|
172
|
+
nvm alias default 24.15.0
|
|
173
|
+
ln -sf "$(command -v node)" /usr/local/bin/node
|
|
174
|
+
ln -sf "$(command -v npm)" /usr/local/bin/npm
|
|
175
|
+
ln -sf "$(command -v npx)" /usr/local/bin/npx
|
|
176
|
+
fi
|
|
177
|
+
|
|
178
|
+
echo "
|
|
179
|
+
██╗░░░██╗███╗░░██╗██████╗░███████╗██████╗░██████╗░░█████╗░░██████╗████████╗
|
|
180
|
+
██║░░░██║████╗░██║██╔══██╗██╔════╝██╔══██╗██╔══██╗██╔══██╗██╔════╝╚══██╔══╝
|
|
181
|
+
██║░░░██║██╔██╗██║██║░░██║█████╗░░██████╔╝██████╔╝██║░░██║╚█████╗░░░░██║░░░
|
|
182
|
+
██║░░░██║██║╚████║██║░░██║██╔══╝░░██╔══██╗██╔═══╝░██║░░██║░╚═══██╗░░░██║░░░
|
|
183
|
+
╚██████╔╝██║░╚███║██████╔╝███████╗██║░░██║██║░░░░░╚█████╔╝██████╔╝░░░██║░░░
|
|
184
|
+
░╚═════╝░╚═╝░░╚══╝╚═════╝░╚══════╝╚═╝░░╚═╝╚═╝░░░░░░╚════╝░╚═════╝░░░░╚═╝░░░
|
|
185
|
+
|
|
186
|
+
Bringing up underpost kubeadm node (role=$ROLE) from $ENGINE_ROOT
|
|
187
|
+
"
|
|
188
|
+
|
|
189
|
+
# ---------------------------------------------------------------------------
|
|
190
|
+
# 2. Engine source — required by `node bin cluster` (manifests + CLI).
|
|
191
|
+
# Normalizes any (custom-named) repo into the canonical paths, mirroring
|
|
192
|
+
# src/server/start.js: clone into a temp dir then copy the contents into the
|
|
193
|
+
# target, so the working tree is always $ENGINE_ROOT regardless of repo name.
|
|
194
|
+
# ---------------------------------------------------------------------------
|
|
195
|
+
command -v git >/dev/null 2>&1 || sudo dnf install -y git
|
|
196
|
+
|
|
197
|
+
# clone_or_pull <repo-url> <branch> <target-dir> <remote-name> [mask-secret]
|
|
198
|
+
# If <target-dir> exists with a git repo, does a git pull (fetch+reset) to
|
|
199
|
+
# update it. Otherwise clones <repo-url> into a temp dir and copies contents
|
|
200
|
+
# to <target-dir> so a custom repo (e.g. engine-test-test) always lands at
|
|
201
|
+
# the canonical path. [mask-secret] is redacted from any logged output.
|
|
202
|
+
clone_or_pull() {
|
|
203
|
+
local url="${1:-}" branch="${2:-}" target="${3:-}" remote="${4:-origin}" mask="${5:-}"
|
|
204
|
+
if [ -d "$target" ] && git -C "$target" rev-parse --git-dir >/dev/null 2>&1; then
|
|
205
|
+
log "$target already present; pulling latest ..."
|
|
206
|
+
if git -C "$target" remote get-url "$remote" >/dev/null 2>&1; then
|
|
207
|
+
# Temporarily set the authenticated URL so the fetch succeeds.
|
|
208
|
+
# The caller strips the token from the remote URL after this returns.
|
|
209
|
+
local saved_url; saved_url="$(git -C "$target" remote get-url "$remote" 2>/dev/null || true)"
|
|
210
|
+
git -C "$target" remote set-url "$remote" "$url" 2>/dev/null || true
|
|
211
|
+
if [ -n "$mask" ]; then
|
|
212
|
+
git -C "$target" fetch --depth 1 "$remote" 2>&1 | sed "s/${mask}/***/g" || true
|
|
213
|
+
else
|
|
214
|
+
git -C "$target" fetch --depth 1 "$remote" 2>&1 || true
|
|
215
|
+
fi
|
|
216
|
+
# Restore the saved (clean) URL immediately so the token is never persisted.
|
|
217
|
+
if [ -n "$saved_url" ]; then
|
|
218
|
+
git -C "$target" remote set-url "$remote" "$saved_url" 2>/dev/null || true
|
|
219
|
+
fi
|
|
220
|
+
if [ -n "$branch" ]; then
|
|
221
|
+
git -C "$target" reset --hard "$remote/$branch" 2>/dev/null || true
|
|
222
|
+
else
|
|
223
|
+
# No branch specified: pull whichever branch is HEAD on remote
|
|
224
|
+
git -C "$target" reset --hard "$remote/$(git -C "$target" rev-parse --abbrev-ref HEAD 2>/dev/null)" 2>/dev/null || true
|
|
225
|
+
fi
|
|
226
|
+
# Clean untracked files so stale artifacts don't accumulate
|
|
227
|
+
git -C "$target" clean -fd 2>/dev/null || true
|
|
228
|
+
log "$target updated via pull"
|
|
229
|
+
return 0
|
|
230
|
+
fi
|
|
231
|
+
fi
|
|
232
|
+
# Full clone + normalize path
|
|
233
|
+
log "Cloning + normalizing $url -> $target ..."
|
|
234
|
+
local tmp; tmp="$(mktemp -d)"
|
|
235
|
+
local ok=0
|
|
236
|
+
if [ -n "$branch" ]; then
|
|
237
|
+
if [ -n "$mask" ]; then git clone --depth 1 --branch "$branch" "$url" "$tmp/repo" 2>&1 | sed "s/${mask}/***/g"; ok=${PIPESTATUS[0]}; else git clone --depth 1 --branch "$branch" "$url" "$tmp/repo"; ok=$?; fi
|
|
238
|
+
else
|
|
239
|
+
if [ -n "$mask" ]; then git clone --depth 1 "$url" "$tmp/repo" 2>&1 | sed "s/${mask}/***/g"; ok=${PIPESTATUS[0]}; else git clone --depth 1 "$url" "$tmp/repo"; ok=$?; fi
|
|
240
|
+
fi
|
|
241
|
+
if [ "$ok" -ne 0 ] || [ ! -d "$tmp/repo" ]; then
|
|
242
|
+
rm -rf "$tmp"
|
|
243
|
+
return 1
|
|
244
|
+
fi
|
|
245
|
+
mkdir -p "$target"
|
|
246
|
+
cp -a "$tmp/repo/." "$target/"
|
|
247
|
+
rm -rf "$tmp"
|
|
248
|
+
}
|
|
249
|
+
|
|
250
|
+
if [ -n "$GITHUB_TOKEN" ]; then
|
|
251
|
+
ENGINE_REPO_URL="https://${GITHUB_USERNAME:-x-access-token}:${GITHUB_TOKEN}@${ENGINE_REPO#https://}"
|
|
252
|
+
# Mask the token in log output by routing through clone_or_pull with mask arg
|
|
253
|
+
clone_or_pull "$ENGINE_REPO_URL" "$ENGINE_BRANCH" "$ENGINE_ROOT" "origin" "$GITHUB_TOKEN" || { log "FATAL: engine clone failed"; exit 1; }
|
|
254
|
+
# Drop the token from the remote URL so it is not persisted on disk.
|
|
255
|
+
git -C "$ENGINE_ROOT" remote set-url origin "$ENGINE_REPO" 2>/dev/null || true
|
|
256
|
+
else
|
|
257
|
+
clone_or_pull "$ENGINE_REPO" "$ENGINE_BRANCH" "$ENGINE_ROOT" "origin" "" || { log "FATAL: engine clone failed"; exit 1; }
|
|
258
|
+
fi
|
|
259
|
+
|
|
260
|
+
cd "$ENGINE_ROOT"
|
|
261
|
+
|
|
262
|
+
# Clone + normalize the private secrets repo into $ENGINE_ROOT/engine-private
|
|
263
|
+
# (where `node bin run secret` reads engine-private/conf/.../.env.production),
|
|
264
|
+
# regardless of the private repo's name. The token is masked in logs and then
|
|
265
|
+
# stripped from the saved remote URL.
|
|
266
|
+
if [ -n "$GITHUB_TOKEN" ]; then
|
|
267
|
+
PRIV_URL="https://${GITHUB_USERNAME:-x-access-token}:${GITHUB_TOKEN}@${ENGINE_PRIVATE_REPO#https://}"
|
|
268
|
+
if clone_or_pull "$PRIV_URL" "$ENGINE_PRIVATE_BRANCH" "$ENGINE_ROOT/engine-private" "origin" "$GITHUB_TOKEN"; then
|
|
269
|
+
# Drop the token from the remote URL so it is not persisted on disk.
|
|
270
|
+
git -C "$ENGINE_ROOT/engine-private" remote set-url origin "$ENGINE_PRIVATE_REPO" 2>/dev/null || true
|
|
271
|
+
else
|
|
272
|
+
log "WARNING: engine-private clone failed — secrets will be unavailable"
|
|
273
|
+
fi
|
|
274
|
+
else
|
|
275
|
+
log "WARNING: GITHUB_TOKEN not provided; engine-private not cloned — secrets will be unavailable"
|
|
276
|
+
fi
|
|
277
|
+
|
|
278
|
+
# Install JS deps and generate secrets using the local engine entrypoint.
|
|
279
|
+
npm install
|
|
280
|
+
npm install -g underpost
|
|
281
|
+
node bin run secret
|
|
282
|
+
|
|
283
|
+
# ---------------------------------------------------------------------------
|
|
284
|
+
# 3. Host prerequisites (Docker, CRI-O, kubelet/kubeadm/kubectl, ...) via cluster.js
|
|
285
|
+
# ---------------------------------------------------------------------------
|
|
286
|
+
log "Installing Kubernetes host prerequisites (underpost cluster --init-host)..."
|
|
287
|
+
# CRI-O is already installed by this point (idempotent dnf). The install-crio
|
|
288
|
+
# runner also tries to install cri-tools (crictl) which is not in Rocky 9 repos.
|
|
289
|
+
# That failure is non-fatal; CRI-O itself works fine without crictl.
|
|
290
|
+
node bin cluster --dev --init-host || log "WARNING: init-host had minor errors (CRI-O is already installed)"
|
|
291
|
+
|
|
292
|
+
# ---------------------------------------------------------------------------
|
|
293
|
+
# 4. Role-specific bring-up, fully delegated to src/cli/cluster.js
|
|
294
|
+
# ---------------------------------------------------------------------------
|
|
295
|
+
if [ "$ROLE" = "control" ]; then
|
|
296
|
+
if [ "$INSTALL_CONTOUR" = "1" ]; then
|
|
297
|
+
log "Initializing kubeadm control-plane + Contour (underpost cluster --kubeadm --contour)..."
|
|
298
|
+
node bin cluster --dev --kubeadm --contour
|
|
299
|
+
else
|
|
300
|
+
log "Initializing kubeadm control-plane (underpost cluster --kubeadm)..."
|
|
301
|
+
node bin cluster --dev --kubeadm
|
|
302
|
+
fi
|
|
303
|
+
|
|
304
|
+
echo ""
|
|
305
|
+
log "Control-plane ready. Join command for workers:"
|
|
306
|
+
sudo kubeadm token create --print-join-command
|
|
307
|
+
|
|
308
|
+
elif [ "$ROLE" = "worker" ]; then
|
|
309
|
+
# Apply the same host configuration cluster.js uses (SELinux, swap, sysctl)
|
|
310
|
+
# before joining; worker_join then handles endpoint mapping + the join itself
|
|
311
|
+
# and fails the script (set -e) if the join does not succeed.
|
|
312
|
+
log "Applying host configuration (underpost cluster --config)..."
|
|
313
|
+
node bin cluster --dev --config
|
|
314
|
+
worker_join
|
|
315
|
+
fi
|
|
316
|
+
|
|
317
|
+
log "kubeadm ${ROLE} setup complete."
|