authorJaka Hudoklin <jakahudoklin@gmail.com>2015-08-29 19:19:23 +0200
committerJaka Hudoklin <jakahudoklin@gmail.com>2015-08-29 19:19:23 +0200
commiteaaad0deea37f659af606abe7a594a4ed95f4dbd (patch)
tree43a1d056ecec7e2ff16b59d53d60783a36fc9d2b /nixos
parent8ceca44dbd77494ac388d495e0ea26a30cb13e45 (diff)
parentc65cdcf7229e322e6375110078da47455ca53d6d (diff)
Merge pull request #9527 from offlinehacker/nixos/kube/options
kubernetes service: add a few options
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/cluster/kubernetes.nix67
1 files changed, 55 insertions, 12 deletions
diff --git a/nixos/modules/services/cluster/kubernetes.nix b/nixos/modules/services/cluster/kubernetes.nix
index 99915438f92..ba09f04d502 100644
--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@@ -105,7 +105,7 @@ in {
       tokenAuth = mkOption {
         description = ''
           Kubernetes apiserver token authentication file. See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authentication.html"/>
         '';
         default = {};
         example = literalExample ''
@@ -120,7 +120,7 @@ in {
       authorizationMode = mkOption {
         description = ''
           Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
         '';
         default = "AlwaysAllow";
         type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"];
@@ -129,7 +129,7 @@ in {
       authorizationPolicy = mkOption {
         description = ''
           Kubernetes apiserver authorization policy file. See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
         '';
         default = [];
         example = literalExample ''
@@ -159,18 +159,37 @@ in {
       };
 
       runtimeConfig = mkOption {
-        description = "Api runtime configuration";
+        description = ''
+          Api runtime configuration. See
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/>
+        '';
         default = "";
         example = "api/all=false,api/v1=true";
         type = types.str;
       };
 
       admissionControl = mkOption {
-        description = "Kubernetes admission control plugins to use.";
+        description = ''
+          Kubernetes admission control plugins to use. See
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/admission-controllers.html"/>
+        '';
         default = ["AlwaysAdmit"];
+        example = [
+          "NamespaceLifecycle" "NamespaceExists" "LimitRanger"
+          "SecurityContextDeny" "ServiceAccount" "ResourceQuota"
+        ];
         type = types.listOf types.str;
       };
 
+      serviceAccountKey = mkOption {
+        description = ''
+          Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
+          used to verify ServiceAccount tokens.
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
       extraOpts = mkOption {
         description = "Kubernetes apiserver extra command line options.";
         default = "";
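Review bot: The `serviceAccountKey` description does not say which key this is relative to the controller manager: since the apiserver only verifies what the controller manager signs, it must be the public half of (or the same file as) `controllerManager.serviceAccountPrivateKey`, and a mismatch silently invalidates every ServiceAccount token. Because the option is `types.path`, a Nix path literal such as `./sa.pem` is copied into the world-readable Nix store, so the description should steer users to the public key here and to a plain string path for anything private. Proposed description: `PEM-encoded x509 RSA key (the public key is sufficient) used to verify ServiceAccount tokens; must match the key given to the controller manager's serviceAccountPrivateKey. A Nix path literal is copied into the world-readable store, so pass a string path for private material.` The enclosing apiserver option set starts before this hunk.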
@@ -235,8 +254,26 @@ in {
         type = types.str;
       };
 
+      serviceAccountPrivateKey = mkOption {
+        description = ''
+          Kubernetes controller manager PEM-encoded private RSA key file used to
+          sign service account tokens
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
+      rootCaFile = mkOption {
+        description = ''
+          Kubernetes controller manager certificate authority file included in
+          service account's token secret.
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
       extraOpts = mkOption {
-        description = "Kubernetes controller extra command line options.";
+        description = "Kubernetes controller manager extra command line options.";
         default = "";
         type = types.str;
       };
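Review bot: `serviceAccountPrivateKey` is `types.path`, so a Nix path literal assigned to it is copied into /nix/store, where every local user can read it — for a token-signing key that is a credential leak (`rootCaFile` is public material and unaffected). The description should warn about this and say the file must be readable by the user the controller manager runs as (this commit shows `User = "kubernetes"` for the apiserver; the controller manager's user is outside the hunk). Suggested wording: `Kubernetes controller manager PEM-encoded private RSA key file used to sign service account tokens. Give a string path (e.g. "/var/lib/kubernetes/sa.key") to a file with restricted permissions readable by the service user; a Nix path literal would be copied into the world-readable Nix store.` The current text also lacks the trailing period its sibling descriptions have.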
@@ -294,7 +331,10 @@ in {
       };
 
       apiServers = mkOption {
-        description = "Kubernetes kubelet list of Kubernetes API servers for publishing events, and reading pods and services.";
+        description = ''
+          Kubernetes kubelet list of Kubernetes API servers for publishing events,
+          and reading pods and services.
+        '';
         default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];
         type = types.listOf types.str;
       };
@@ -413,17 +453,14 @@ in {
             ${optionalString (cfg.apiserver.runtimeConfig!="")
               "--runtime-config=${cfg.apiserver.runtimeConfig}"} \
             --admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \
+            ${optionalString (cfg.apiserver.serviceAccountKey!=null)
+              "--service-account-key-file=${cfg.apiserver.serviceAccountKey}"} \
             --logtostderr=true \
             ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.apiserver.extraOpts}
           '';
           User = "kubernetes";
         };
-        postStart = ''
-          until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.apiserver.address}:${toString cfg.apiserver.port}/'; do
-            sleep 1;
-          done
-        '';
       };
     })
 
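Review bot: Dropping the `postStart` readiness loop means the apiserver unit counts as started as soon as the process is forked, so any unit ordered `After=` it can now run before the API answers; in this commit only the proxy gains a `Restart=`, and nothing visible here covers the controller manager, scheduler or kubelet. If the loop was removed because it probed plain `http://` against a port that may serve TLS, the safer replacement is a bounded wait (a retry count with a failure after it) rather than relying on every consumer to retry on its own. At minimum the reason for the removal belongs in a comment on the unit, e.g. `# No readiness wait: consumers must tolerate the API being unavailable at start`. The apiserver unit definition begins before this hunk.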
@@ -456,6 +493,10 @@ in {
             --address=${cfg.controllerManager.address} \
             --port=${toString cfg.controllerManager.port} \
             --master=${cfg.controllerManager.master} \
+            ${optionalString (cfg.controllerManager.serviceAccountPrivateKey!=null)
+              "--service-account-private-key-file=${cfg.controllerManager.serviceAccountPrivateKey}"} \
+            ${optionalString (cfg.controllerManager.rootCaFile!=null)
+              "--root-ca-file=${cfg.controllerManager.rootCaFile}"} \
             --logtostderr=true \
             ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.controllerManager.extraOpts}
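Review bot: The controller manager talks to `--master=${cfg.controllerManager.master}`, yet unlike the proxy unit later in this commit this hunk adds no `Restart=`; with the apiserver's `postStart` wait removed in the same commit, a controller manager that starts first and exits on a connection failure stays down. If the rest of the unit (outside this hunk) does not already set it, adding `Restart = "on-failure";` and `RestartSec = "5s";` next to the new flags would match the proxy. Both new flags also interpolate a path unquoted into the ExecStart line, which follows the file's existing style but will break on paths containing spaces.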
@@ -509,6 +550,8 @@ in {
             ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.proxy.extraOpts}
           '';
+          Restart = "always"; # Retry connection
+          RestartSec = "5s";
         };
       };
     })
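Review bot: `Restart = "always"` also restarts the proxy after a clean exit (status 0), which goes beyond the stated intent in `# Retry connection`; assuming the proxy exits non-zero when it cannot reach the master, `Restart = "on-failure"` covers that case while letting a deliberate exit stand. The comment should also record what it compensates for, since the apiserver readiness wait is removed in this same commit: `# Retry until the apiserver is reachable; its unit no longer waits for readiness`. The proxy unit definition starts before this hunk.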