public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Cleanup pki: addon-manager

Browse Source
This commit is contained in:
Christian Albrecht 2019-03-11 10:44:24 +01:00
parent 154356d820
commit ee9dd4386a
No known key found for this signature in database
GPG Key ID: 866AF4B25DF7EB00
2 changed files with 76 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
nixos/modules/services/cluster/kubernetes/addon-manager.nix
View File

@ -63,24 +63,48 @@ in
}; };
enable = mkEnableOption "Whether to enable Kubernetes addon manager."; enable = mkEnableOption "Whether to enable Kubernetes addon manager.";
kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes addon manager";
bootstrapAddonsKubeconfig = top.lib.mkKubeConfigOptions "Kubernetes addon manager bootstrap";
}; };
###### implementation ###### implementation
config = mkIf cfg.enable { config = let
addonManagerPaths = filter (a: a != null) [
cfg.kubeconfig.caFile
cfg.kubeconfig.certFile
cfg.kubeconfig.keyFile
];
bootstrapAddonsPaths = filter (a: a != null) [
cfg.bootstrapAddonsKubeconfig.caFile
cfg.bootstrapAddonsKubeconfig.certFile
cfg.bootstrapAddonsKubeconfig.keyFile
];
in mkIf cfg.enable {
environment.etc."kubernetes/addons".source = "${addons}/"; environment.etc."kubernetes/addons".source = "${addons}/";
#TODO: Get rid of kube-addon-manager in the future for the following reasons
# - it is basically just a shell script wrapped around kubectl
# - it assumes that it is clusterAdmin or can gain clusterAdmin rights through serviceAccount
# - it is designed to be used with k8s system components only
# - it would be better with a more Nix-oriented way of managing addons
systemd.services.kube-addon-manager = { systemd.services.kube-addon-manager = {
description = "Kubernetes addon manager"; description = "Kubernetes addon manager";
wantedBy = [ "kube-control-plane-online.target" ]; wantedBy = [ "kubernetes.target" ];
after = [ "kube-addon-manager-bootstrap.service" ]; after = [ "kube-node-online.target" ];
before = [ "kube-control-plane-online.target" ]; before = [ "kubernetes.target" ];
environment.ADDON_PATH = "/etc/kubernetes/addons/"; environment = {
path = [ pkgs.gawk ]; ADDON_PATH = "/etc/kubernetes/addons/";
KUBECONFIG = top.lib.mkKubeConfig "kube-addon-manager" cfg.kubeconfig;
};
path = with pkgs; [ gawk kubectl ];
preStart = '' preStart = ''
${top.lib.mkWaitCurl ( with config.systemd.services.kube-addon-manager; { until kubectl -n kube-system get serviceaccounts/default 2>/dev/null; do
path = "/api/v1/namespaces/kube-system/serviceaccounts/default"; echo kubectl -n kube-system get serviceaccounts/default: exit status $?
cacert = top.caFile; sleep 2
} // optionalAttrs (environment ? cert) { inherit (environment) cert key; })} done
''; '';
serviceConfig = { serviceConfig = {
Slice = "kubernetes.slice"; Slice = "kubernetes.slice";
@ -91,27 +115,52 @@ in
Restart = "on-failure"; Restart = "on-failure";
RestartSec = 10; RestartSec = 10;
}; };
unitConfig.ConditionPathExists = addonManagerPaths;
}; };
systemd.paths.kube-addon-manager = {
wantedBy = [ "kube-addon-manager.service" ];
pathConfig = {
PathExists = addonManagerPaths;
PathChanged = addonManagerPaths;
};
};
services.kubernetes.addonManager.kubeconfig.server = mkDefault top.apiserverAddress;
systemd.services.kube-addon-manager-bootstrap = mkIf (top.apiserver.enable && top.addonManager.bootstrapAddons != {}) { systemd.services.kube-addon-manager-bootstrap = mkIf (top.apiserver.enable && top.addonManager.bootstrapAddons != {}) {
wantedBy = [ "kube-control-plane-online.target" ]; wantedBy = [ "kube-control-plane-online.target" ];
after = [ "kube-apiserver.service" ]; after = [ "kube-apiserver.service" ];
before = [ "kube-control-plane-online.target" ]; before = [ "kube-control-plane-online.target" ];
path = [ pkgs.kubectl ]; path = [ pkgs.kubectl ];
environment = {
KUBECONFIG = top.lib.mkKubeConfig "kube-addon-manager-bootstrap" cfg.bootstrapAddonsKubeconfig;
};
preStart = with pkgs; let preStart = with pkgs; let
files = mapAttrsToList (n: v: writeText "${n}.json" (builtins.toJSON v)) files = mapAttrsToList (n: v: writeText "${n}.json" (builtins.toJSON v))
cfg.bootstrapAddons; cfg.bootstrapAddons;
in '' in ''
${top.lib.mkWaitCurl ( with config.systemd.services.kube-addon-manager-bootstrap; { until kubectl auth can-i '*' '*' -q 2>/dev/null; do
path = "/api"; echo kubectl auth can-i '*' '*': exit status $?
cacert = top.caFile; sleep 2
} // optionalAttrs (environment ? cert) { inherit (environment) cert key; })} done
kubectl apply -f ${concatStringsSep " \\\n -f " files} kubectl apply -f ${concatStringsSep " \\\n -f " files}
''; '';
script = "echo Ok"; script = "echo Ok";
unitConfig.ConditionPathExists = bootstrapAddonsPaths;
}; };
systemd.paths.kube-addon-manager-bootstrap = {
wantedBy = [ "kube-addon-manager-bootstrap.service" ];
pathConfig = {
PathExists = bootstrapAddonsPaths;
PathChanged = bootstrapAddonsPaths;
};
};
services.kubernetes.addonManager.bootstrapAddonsKubeconfig.server = mkDefault top.apiserverAddress;
services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled
(let (let
name = system:kube-addon-manager; name = system:kube-addon-manager;

58
nixos/modules/services/cluster/kubernetes/pki.nix
View File

@ -27,12 +27,11 @@ let
certmgrAPITokenPath = "${top.secretsPath}/${cfsslAPITokenBaseName}"; certmgrAPITokenPath = "${top.secretsPath}/${cfsslAPITokenBaseName}";
cfsslAPITokenLength = 32; cfsslAPITokenLength = 32;
clusterAdminKubeconfig = with cfg.certs.clusterAdmin; clusterAdminKubeconfig = with cfg.certs.clusterAdmin; {
top.lib.mkKubeConfig "cluster-admin" { server = top.apiserverAddress;
server = top.apiserverAddress; certFile = cert;
certFile = cert; keyFile = key;
keyFile = key; };
};
remote = with config.services; "https://${kubernetes.masterAddress}:${toString cfssl.port}"; remote = with config.services; "https://${kubernetes.masterAddress}:${toString cfssl.port}";
in in
@ -142,12 +141,6 @@ in
config.services.etcd.keyFile config.services.etcd.keyFile
config.services.etcd.trustedCaFile config.services.etcd.trustedCaFile
]; ];
addonManagerPaths = mkIf top.addonManager.enable [
cfg.certs.addonManager.cert
cfg.certs.addonManager.key
cfg.certs.clusterAdmin.cert
cfg.certs.clusterAdmin.key
];
flannelPaths = [ flannelPaths = [
cfg.certs.flannelClient.cert cfg.certs.flannelClient.cert
cfg.certs.flannelClient.key cfg.certs.flannelClient.key
@ -331,38 +324,6 @@ in
}; };
}; };
systemd.services.kube-addon-manager-bootstrap = mkIf (top.apiserver.enable && top.addonManager.bootstrapAddons != {}) {
environment = {
KUBECONFIG = clusterAdminKubeconfig;
inherit (cfg.certs.clusterAdmin) cert key;
};
};
#TODO: Get rid of kube-addon-manager in the future for the following reasons
# - it is basically just a shell script wrapped around kubectl
# - it assumes that it is clusterAdmin or can gain clusterAdmin rights through serviceAccount
# - it is designed to be used with k8s system components only
# - it would be better with a more Nix-oriented way of managing addons
systemd.services.kube-addon-manager = mkIf top.addonManager.enable {
environment = with cfg.certs.addonManager; {
KUBECONFIG = top.lib.mkKubeConfig "kube-addon-manager" {
server = top.apiserverAddress;
certFile = cert;
keyFile = key;
};
inherit cert key;
};
unitConfig.ConditionPathExists = addonManagerPaths;
};
systemd.paths.kube-addon-manager = mkIf top.addonManager.enable {
wantedBy = [ "kube-addon-manager.service" ];
pathConfig = {
PathExists = addonManagerPaths;
PathChanged = addonManagerPaths;
};
};
systemd.services.kube-controller-manager = mkIf top.controllerManager.enable { systemd.services.kube-controller-manager = mkIf top.controllerManager.enable {
environment = { inherit (cfg.certs.controllerManagerClient) cert key; }; environment = { inherit (cfg.certs.controllerManagerClient) cert key; };
unitConfig.ConditionPathExists = controllerManagerPaths; unitConfig.ConditionPathExists = controllerManagerPaths;
@ -396,7 +357,7 @@ in
}; };
environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig) environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig)
clusterAdminKubeconfig; (top.lib.mkKubeConfig "cluster-admin" clusterAdminKubeconfig);
environment.systemPackages = mkIf (top.kubelet.enable || top.proxy.enable) [ environment.systemPackages = mkIf (top.kubelet.enable || top.proxy.enable) [
(pkgs.writeScriptBin "nixos-kubernetes-node-join" '' (pkgs.writeScriptBin "nixos-kubernetes-node-join" ''
@ -538,6 +499,13 @@ in
kubeletClientCertFile = mkDefault cfg.certs.apiserverKubeletClient.cert; kubeletClientCertFile = mkDefault cfg.certs.apiserverKubeletClient.cert;
kubeletClientKeyFile = mkDefault cfg.certs.apiserverKubeletClient.key; kubeletClientKeyFile = mkDefault cfg.certs.apiserverKubeletClient.key;
}); });
addonManager = mkIf top.addonManager.enable {
kubeconfig = with cfg.certs.addonManager; {
certFile = mkDefault cert;
keyFile = mkDefault key;
};
bootstrapAddonsKubeconfig = clusterAdminKubeconfig;
};
controllerManager = mkIf top.controllerManager.enable { controllerManager = mkIf top.controllerManager.enable {
serviceAccountKeyFile = mkDefault cfg.certs.serviceAccount.key; serviceAccountKeyFile = mkDefault cfg.certs.serviceAccount.key;
rootCaFile = cfg.certs.controllerManagerClient.caCert; rootCaFile = cfg.certs.controllerManagerClient.caCert;