Alexandros Kosiaris has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/326441 )
Change subject: k8s::apiserver: Amend to support more than labs
......................................................................
k8s::apiserver: Amend to support more than labs
* Allow using packages, still supporting labs via symlink
* Use /etc/default/kube-apiserver
* parameterize: kube API port, kubelet_port, service cluster IPs,
admission controllers
* Have systemd unit notify systemd of startup readiness
Change-Id: Ic1d5a1cee782696e1f81a55cc8ba09b2b3059670
---
M modules/k8s/manifests/apiserver.pp
M modules/k8s/templates/initscripts/kube-apiserver.systemd.erb
A modules/k8s/templates/kube-apiserver.default.erb
3 files changed, 89 insertions(+), 13 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/41/326441/1
diff --git a/modules/k8s/manifests/apiserver.pp
b/modules/k8s/manifests/apiserver.pp
index 60c386e..fe2cc1e 100644
--- a/modules/k8s/manifests/apiserver.pp
+++ b/modules/k8s/manifests/apiserver.pp
@@ -3,9 +3,22 @@
$master_host,
$docker_registry,
$ssl_certificate_name,
+ $kube_api_port = undef,
+ $kubelet_port = undef,
+ $service_cluster_ip_range = '192.168.0.0/24',
+ $admission_controllers = [
+ 'NamespaceLifecycle',
+ 'ResourceQuota',
+ 'LimitRanger',
+ 'UidEnforcer',
+ 'RegistryEnforcer',
+ 'HostAutomounter',
+ 'HostPathEnforcer',
+ ],
$host_automounts = [],
$host_paths_allowed = [],
$host_path_prefixes_allowed = [],
+ $use_package = false,
) {
include k8s::users
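Review bot: The seven new parameters are undocumented, and `$kube_api_port` needs more than a name: the new default template renders it as `--port=`, which on the Kubernetes 1.x apiserver is the unsecured, unauthenticated listener port rather than the TLS port, so the value is a security decision rather than a tuning knob. I would add a comment block above the parameter list describing each parameter, with `$kube_api_port` annotated along the lines of `# $kube_api_port: rendered as --port, the plaintext unauthenticated listener; leave undef to keep the apiserver default` and `$admission_controllers` noting that the default list includes the enforcer plugins this deployment relies on. The class header and its docstring, if any, begin before this hunk.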
@@ -16,9 +29,19 @@
mode => '0700',
}
+ if $use_package {
+ require('kubernetes-master')
+ } else {
+ file { '/usr/bin/kube-apiserver':
+ ensure => link,
+ target => '/usr/local/bin/kube-apiserver',
+ }
+ }
+
$host_automounts_string = join($host_automounts, ',')
$host_paths_allowed_string = join(concat($host_paths_allowed,
$host_automounts), ',')
$host_path_prefixes_allowed_string = join($host_path_prefixes_allowed, ',')
+ $admission_control = join($admission_controllers, ',')
$users = hiera('k8s_infrastructure_users')
file { '/etc/kubernetes/infrastructure-users':
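Review bot: `require('kubernetes-master')` passes a package name to Puppet's `require` function, which expects a class name, and a hyphen is not valid in a class name, so this branch will most likely fail at catalog compilation; if the repository's `require_package` helper is what was meant, the line should read `require_package('kubernetes-master')`. A second problem on the same branch is that switching a host to `$use_package => true` leaves the previously managed `/usr/bin/kube-apiserver` symlink in place, so the package install may collide with it or the unit may keep running the labs binary; declaring the file resource unconditionally with `ensure` selected from `$use_package` (`absent` when packaged, `link` otherwise) keeps the path managed in both modes. Both points are inferred from the visible lines; the helper's existence is not confirmed by this change.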
@@ -28,6 +51,14 @@
mode => '0400',
}
+ file { '/etc/default/kube-apiserver':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ content => template('k8s/kube-apiserver.default.erb'),
+ }
+
base::service_unit { 'kube-apiserver':
systemd => true,
}
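Review bot: The new `/etc/default/kube-apiserver` resource is not wired to the service, so a change to the admission-controller list or service IP range rewrites the file but leaves the running apiserver on the old flags until someone restarts it by hand, whereas before this change those flags lived in the unit file that `base::service_unit` manages. Unless that define already subscribes to this path (not visible here), add `notify => Base::Service_unit['kube-apiserver'],` to the file resource, or a `subscribe` on the service side if the define exposes one. Because the file is now a security-relevant input (it carries the ABAC and enforcer flags via `DAEMON_ARGS`), drift between it and the running process is worth closing.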
diff --git a/modules/k8s/templates/initscripts/kube-apiserver.systemd.erb
b/modules/k8s/templates/initscripts/kube-apiserver.systemd.erb
index 530c87b..d113273 100644
--- a/modules/k8s/templates/initscripts/kube-apiserver.systemd.erb
+++ b/modules/k8s/templates/initscripts/kube-apiserver.systemd.erb
@@ -1,26 +1,34 @@
[Unit]
Description=Kubernetes API Server
+Documentation=https://github.com/kubernetes/kubernetes
+Documentation=man:kube-apiserver
+After=network.target
[Service]
+EnvironmentFile=-/etc/kubernetes/config
+EnvironmentFile=-/etc/default/%p
User=kubernetes
Group=kubernetes
-ExecStart=/usr/local/bin/kube-apiserver \
- --etcd-servers=<%= @etcd_servers %> \
- --service-cluster-ip-range=192.168.0.0/24 \
- --token-auth-file=/etc/kubernetes/tokenauth \
-
--admission-control=NamespaceLifecycle,ResourceQuota,LimitRanger,UidEnforcer,RegistryEnforcer,HostAutomounter,HostPathEnforcer
\
- --authorization-mode=ABAC \
- --authorization-policy-file=/etc/kubernetes/abac \
- --tls-private-key-file=/etc/ssl/private/<%= @ssl_certificate_name %>.key \
- --tls-cert-file=/etc/ssl/localcerts/<%= @ssl_certificate_name
%>.chained.crt \
- --enforced-docker-registry=<%= @docker_registry %> \
- --host-automounts=<%= @host_automounts_string %> \
- --host-paths-allowed=<%= @host_paths_allowed_string %> \
- --host-path-prefixes-allowed=<%= @host_path_prefixes_allowed_string %>
+ExecStart=/usr/bin/kube-apiserver \
+ $KUBE_LOGTOSTDERR \
+ $KUBE_LOG_LEVEL \
+ $KUBE_ALLOW_PRIV \
+ $KUBE_API_ADDRESS \
+ $KUBE_API_PORT \
+ $KUBELET_PORT \
+ $KUBE_ETCD_SERVERS \
+ $KUBE_SERVICE_ADDRESSES \
+ $KUBE_ADMISSION_CONTROL \
+ $DAEMON_ARGS
+
+# Reevaluate Restart=always
Restart=on-failure
# Really large limit - defaults to 1024 otherwise for some reason?
# That runs out pretty quickly, so we do 1024 * 1024
LimitNOFILE=1048576
+# Allow apiserver to opportunistically notify systemd of startup.
+# See https://github.com/kubernetes/kubernetes/issues/8311
+Type=notify
[Install]
WantedBy=multi-user.target
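Review bot: `Type=notify` is not opportunistic, contrary to the comment above it: systemd keeps the unit in the activating state until `READY=1` arrives and kills it at `TimeoutStartSec` otherwise, so a kube-apiserver build that lacks sd_notify support (the linked issue 8311) would never become active and would loop under `Restart=on-failure`. I would reword the comment to `# Type=notify requires an apiserver that sends READY=1 (kubernetes#8311); older binaries will time out at start.` The ExecStart line also expands `$KUBE_LOGTOSTDERR`, `$KUBE_LOG_LEVEL`, `$KUBE_ALLOW_PRIV` and `$KUBE_API_ADDRESS`, none of which the template added by this change defines; the `-` prefix makes `/etc/kubernetes/config` optional, so on a host without it these expand to nothing and the apiserver falls back to its compiled-in bind address, which deserves a comment next to the `EnvironmentFile` lines.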
diff --git a/modules/k8s/templates/kube-apiserver.default.erb
b/modules/k8s/templates/kube-apiserver.default.erb
new file mode 100644
index 0000000..07c61f9
--- /dev/null
+++ b/modules/k8s/templates/kube-apiserver.default.erb
@@ -0,0 +1,37 @@
+###
+## kubernetes system config
+##
+## The following values are used to configure the kube-apiserver
+##
+#
+<%- if @kube_api_port -%>
+## The port on the local server to listen on.
+KUBE_API_PORT="--port=<%= @kube_api_port %>"
+<%- end -%>
+#
+<%- if @kubelet_port -%>
+## Port minions listen on
+KUBELET_PORT="--kubelet-port=<%= @kubelet_port %>"
+<%- end -%>
+#
+## Comma separated list of nodes in the etcd cluster
+KUBE_ETCD_SERVERS="--etcd-servers=<%= @etcd_servers %>"
+#
+## Address range to use for services
+<%- if @service_cluster_ip_range %>
+KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=<%=
@service_cluster_ip_range %>"
+<%- end -%>
+#
+<%- if @service_cluster_ip_range %>
+KUBE_ADMISSION_CONTROL="--admission-control=<%= @admission_control %>"
+<%- end -%>
+
+DAEMON_ARGS="--token-auth-file=/etc/kubernetes/tokenauth \
+--authorization-mode=ABAC \
+--authorization-policy-file=/etc/kubernetes/abac \
+--tls-private-key-file=/etc/ssl/private/<%= @ssl_certificate_name %>.key \
+--tls-cert-file=/etc/ssl/localcerts/<%= @ssl_certificate_name %>.chained.crt \
+--enforced-docker-registry=<%= @docker_registry %> \
+--host-automounts=<%= @host_automounts_string %> \
+--host-paths-allowed=<%= @host_paths_allowed_string %> \
+--host-path-prefixes-allowed=<%= @host_path_prefixes_allowed_string %>"
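Review bot: The guard around `KUBE_ADMISSION_CONTROL` tests `@service_cluster_ip_range` instead of `@admission_control`, so a host with the IP range unset silently drops every admission controller, including UidEnforcer, RegistryEnforcer and HostPathEnforcer that restrict what pods may do, with no error anywhere. The condition should be `<%- if @admission_control -%>`; since the Puppet default list is non-empty and an empty `$admission_controllers` array joins to the empty string, whether the guard then suppresses the flag depends on the Puppet version's truthiness of `''`, which is worth a one-line comment. Separately, the opening tag of the `KUBE_SERVICE_ADDRESSES` block is `<%- if @service_cluster_ip_range %>` without the `-%>` trim used everywhere else, which leaves a stray blank line in the rendered file.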
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic1d5a1cee782696e1f81a55cc8ba09b2b3059670
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>