Merge pull request #9527 from offlinehacker/nixos/kube/options

kubernetes service: add a few options

+55 -12
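--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@@ -105,7 +105,7 @@
 tokenAuth = mkOption {
 description = ''
 Kubernetes apiserver token authentication file. See
-<link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md"/>
+<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authentication.html"/>
 '';
 default = {};
 example = literalExample ''
@@ -120,7 +120,7 @@
 authorizationMode = mkOption {
 description = ''
 Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See
-<link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
 '';
 default = "AlwaysAllow";
 type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"];
@@ -129,7 +129,7 @@
 authorizationPolicy = mkOption {
 description = ''
 Kubernetes apiserver authorization policy file. See
-<link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
 '';
 default = [];
 example = literalExample ''
@@ -159,16 +159,35 @@
 };
 
 runtimeConfig = mkOption {
-description = "Api runtime configuration";
+description = ''
+Api runtime configuration. See
+<link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/>
+'';
 default = "";
 example = "api/all=false,api/v1=true";
 type = types.str;
 };
 
 admissionControl = mkOption {
-description = "Kubernetes admission control plugins to use.";
+description = ''
+Kubernetes admission control plugins to use. See
+<link xlink:href="http://kubernetes.io/v1.0/docs/admin/admission-controllers.html"/>
+'';
 default = ["AlwaysAdmit"];
+example = [
+"NamespaceLifecycle" "NamespaceExists" "LimitRanger"
+"SecurityContextDeny" "ServiceAccount" "ResourceQuota"
+];
 type = types.listOf types.str;
+};
+
+serviceAccountKey = mkOption {
+description = ''
+Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
+used to verify ServiceAccount tokens.
+'';
+default = null;
+type = types.nullOr types.path;
 };
 
 extraOpts = mkOption {
@@ -235,8 +254,26 @@
 type = types.str;
 };
 
+serviceAccountPrivateKey = mkOption {
+description = ''
+Kubernetes controller manager PEM-encoded private RSA key file used to
+sign service account tokens
+'';
+default = null;
+type = types.nullOr types.path;
+};
+
+rootCaFile = mkOption {
+description = ''
+Kubernetes controller manager certificate authority file included in
+service account's token secret.
+'';
+default = null;
+type = types.nullOr types.path;
+};
+
 extraOpts = mkOption {
-description = "Kubernetes controller extra command line options.";
+description = "Kubernetes controller manager extra command line options.";
 default = "";
 type = types.str;
 };
@@ -294,7 +331,10 @@
 };
 
 apiServers = mkOption {
-description = "Kubernetes kubelet list of Kubernetes API servers for publishing events, and reading pods and services.";
+description = ''
+Kubernetes kubelet list of Kubernetes API servers for publishing events,
+and reading pods and services.
+'';
 default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];
 type = types.listOf types.str;
 };
@@ -413,16 +453,14 @@
 ${optionalString (cfg.apiserver.runtimeConfig!="")
 "--runtime-config=${cfg.apiserver.runtimeConfig}"} \
 --admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \
+${optionalString (cfg.apiserver.serviceAccountKey!=null)
+"--service-account-key-file=${cfg.apiserver.serviceAccountKey}"} \
 --logtostderr=true \
 ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
 ${cfg.apiserver.extraOpts}
 '';
 User = "kubernetes";
 };
-postStart = ''
-until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.apiserver.address}:${toString cfg.apiserver.port}/'; do
-sleep 1;
-done
-'';
 };
 })
@@ -456,6 +493,10 @@
 --address=${cfg.controllerManager.address} \
 --port=${toString cfg.controllerManager.port} \
 --master=${cfg.controllerManager.master} \
+${optionalString (cfg.controllerManager.serviceAccountPrivateKey!=null)
+"--service-account-private-key-file=${cfg.controllerManager.serviceAccountPrivateKey}"} \
+${optionalString (cfg.controllerManager.rootCaFile!=null)
+"--root-ca-file=${cfg.controllerManager.rootCaFile}"} \
 --logtostderr=true \
 ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
 ${cfg.controllerManager.extraOpts}
@@ -509,6 +550,8 @@
 ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
 ${cfg.proxy.extraOpts}
 '';
+Restart = "always"; # Retry connection
+RestartSec = "5s";
 };
 };
 })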
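Review bot: The new `serviceAccountKey` (apiserver options, old line 159 hunk) and `serviceAccountPrivateKey` (controller manager options, old line 235 hunk) are declared as `types.nullOr types.path`, and a Nix path literal such as `./sa.key` given to a path-typed option is copied into the Nix store, which is world-readable, so the signing key would be exposed to every local user. The descriptions should say so, since both values are interpolated unchanged into `--service-account-key-file` / `--service-account-private-key-file` on the command line. I would append to each description: `Give this as a string path to a file outside the Nix store (e.g. under /var/lib/kubernetes); a path literal would copy the private key into the world-readable store.` The `rootCaFile` option in the same hunk carries no secret and needs no such note.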