kubernetes service: add a few options

Jaka Hudoklin 2015-08-29 18:20:24 +02:00
parent 46203a790d
commit c65cdcf722
1 changed files with 55 additions and 12 deletions


@ -105,7 +105,7 @@ in {
tokenAuth = mkOption { tokenAuth = mkOption {
description = '' description = ''
Kubernetes apiserver token authentication file. See Kubernetes apiserver token authentication file. See
<link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md"/> <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authentication.html"/>
''; '';
default = {}; default = {};
example = literalExample '' example = literalExample ''
@ -120,7 +120,7 @@ in {
authorizationMode = mkOption { authorizationMode = mkOption {
description = '' description = ''
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See
<link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/> <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
''; '';
default = "AlwaysAllow"; default = "AlwaysAllow";
type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"]; type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"];
@ -129,7 +129,7 @@ in {
authorizationPolicy = mkOption { authorizationPolicy = mkOption {
description = '' description = ''
Kubernetes apiserver authorization policy file. See Kubernetes apiserver authorization policy file. See
<link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/> <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
''; '';
default = []; default = [];
example = literalExample '' example = literalExample ''
@ -159,18 +159,37 @@ in {
}; };
runtimeConfig = mkOption { runtimeConfig = mkOption {
description = "Api runtime configuration"; description = ''
Api runtime configuration. See
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/>
'';
default = ""; default = "";
example = "api/all=false,api/v1=true"; example = "api/all=false,api/v1=true";
type = types.str; type = types.str;
}; };
admissionControl = mkOption { admissionControl = mkOption {
description = "Kubernetes admission control plugins to use."; description = ''
Kubernetes admission control plugins to use. See
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/admission-controllers.html"/>
'';
default = ["AlwaysAdmit"]; default = ["AlwaysAdmit"];
example = [
"NamespaceLifecycle" "NamespaceExists" "LimitRanger"
"SecurityContextDeny" "ServiceAccount" "ResourceQuota"
];
type = types.listOf types.str; type = types.listOf types.str;
}; };
serviceAccountKey = mkOption {
description = ''
Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
used to verify ServiceAccount tokens.
'';
default = null;
type = types.nullOr types.path;
};
extraOpts = mkOption { extraOpts = mkOption {
description = "Kubernetes apiserver extra command line options."; description = "Kubernetes apiserver extra command line options.";
default = ""; default = "";
@ -235,8 +254,26 @@ in {
type = types.str; type = types.str;
}; };
serviceAccountPrivateKey = mkOption {
description = ''
Kubernetes controller manager PEM-encoded private RSA key file used to
sign service account tokens
'';
default = null;
type = types.nullOr types.path;
};
rootCaFile = mkOption {
description = ''
Kubernetes controller manager certificate authority file included in
service account's token secret.
'';
default = null;
type = types.nullOr types.path;
};
extraOpts = mkOption { extraOpts = mkOption {
description = "Kubernetes controller extra command line options."; description = "Kubernetes controller manager extra command line options.";
default = ""; default = "";
type = types.str; type = types.str;
}; };
@ -294,7 +331,10 @@ in {
}; };
apiServers = mkOption { apiServers = mkOption {
description = "Kubernetes kubelet list of Kubernetes API servers for publishing events, and reading pods and services."; description = ''
Kubernetes kubelet list of Kubernetes API servers for publishing events,
and reading pods and services.
'';
default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"]; default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];
type = types.listOf types.str; type = types.listOf types.str;
}; };
@ -413,17 +453,14 @@ in {
${optionalString (cfg.apiserver.runtimeConfig!="") ${optionalString (cfg.apiserver.runtimeConfig!="")
"--runtime-config=${cfg.apiserver.runtimeConfig}"} \ "--runtime-config=${cfg.apiserver.runtimeConfig}"} \
--admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \ --admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \
${optionalString (cfg.apiserver.serviceAccountKey!=null)
"--service-account-key-file=${cfg.apiserver.serviceAccountKey}"} \
--logtostderr=true \ --logtostderr=true \
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \ ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
${cfg.apiserver.extraOpts} ${cfg.apiserver.extraOpts}
''; '';
User = "kubernetes"; User = "kubernetes";
}; };
postStart = ''
until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.apiserver.address}:${toString cfg.apiserver.port}/'; do
sleep 1;
done
'';
}; };
}) })
@ -456,6 +493,10 @@ in {
--address=${cfg.controllerManager.address} \ --address=${cfg.controllerManager.address} \
--port=${toString cfg.controllerManager.port} \ --port=${toString cfg.controllerManager.port} \
--master=${cfg.controllerManager.master} \ --master=${cfg.controllerManager.master} \
${optionalString (cfg.controllerManager.serviceAccountPrivateKey!=null)
"--service-account-private-key-file=${cfg.controllerManager.serviceAccountPrivateKey}"} \
${optionalString (cfg.controllerManager.rootCaFile!=null)
"--root-ca-file=${cfg.controllerManager.rootCaFile}"} \
--logtostderr=true \ --logtostderr=true \
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \ ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
${cfg.controllerManager.extraOpts} ${cfg.controllerManager.extraOpts}
@ -509,6 +550,8 @@ in {
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \ ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
${cfg.proxy.extraOpts} ${cfg.proxy.extraOpts}
''; '';
Restart = "always"; # Retry connection
RestartSec = "5s";
}; };
}; };
}) })
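Review bot: The new key options `serviceAccountPrivateKey` (controller manager) and `serviceAccountKey` (apiserver) are typed `types.nullOr types.path` and then interpolated into the command line with `${...}`, so a value written as a Nix path literal is copied into the Nix store, which every local user can read. For the RSA key that signs service account tokens, that exposes the signing key on the host. Both descriptions should say so, for example by appending `Give this as a string holding an absolute path outside the Nix store; a path literal would be copied into the world-readable store.`; declaring the options as `types.nullOr types.str` would additionally reject path literals. The descriptions could also state that the file must be readable by the service user: `User = "kubernetes"` is visible for the apiserver unit, while the controller manager's unit settings lie outside the hunk.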