Merge pull request #9527 from offlinehacker/nixos/kube/options

kubernetes service: add a few options

+55 -12
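--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@@ -105,7 +105,7 @@
       tokenAuth = mkOption {
         description = ''
           Kubernetes apiserver token authentication file. See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authentication.html"/>
         '';
         default = {};
         example = literalExample ''
@@ -120,7 +120,7 @@
       authorizationMode = mkOption {
         description = ''
           Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
         '';
         default = "AlwaysAllow";
         type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"];
@@ -129,7 +129,7 @@
       authorizationPolicy = mkOption {
         description = ''
           Kubernetes apiserver authorization policy file. See
-          <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
         '';
         default = [];
         example = literalExample ''
@@ -159,16 +159,35 @@
       };
 
       runtimeConfig = mkOption {
-        description = "Api runtime configuration";
+        description = ''
+          Api runtime configuration. See
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/>
+        '';
         default = "";
         example = "api/all=false,api/v1=true";
         type = types.str;
       };
 
       admissionControl = mkOption {
-        description = "Kubernetes admission control plugins to use.";
+        description = ''
+          Kubernetes admission control plugins to use. See
+          <link xlink:href="http://kubernetes.io/v1.0/docs/admin/admission-controllers.html"/>
+        '';
         default = ["AlwaysAdmit"];
+        example = [
+          "NamespaceLifecycle" "NamespaceExists" "LimitRanger"
+          "SecurityContextDeny" "ServiceAccount" "ResourceQuota"
+        ];
         type = types.listOf types.str;
+      };
+
+      serviceAccountKey = mkOption {
+        description = ''
+          Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
+          used to verify ServiceAccount tokens.
+        '';
+        default = null;
+        type = types.nullOr types.path;
       };
 
       extraOpts = mkOption {
@@ -235,8 +254,26 @@
         type = types.str;
       };
 
+      serviceAccountPrivateKey = mkOption {
+        description = ''
+          Kubernetes controller manager PEM-encoded private RSA key file used to
+          sign service account tokens
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
+      rootCaFile = mkOption {
+        description = ''
+          Kubernetes controller manager certificate authority file included in
+          service account's token secret.
+        '';
+        default = null;
+        type = types.nullOr types.path;
+      };
+
       extraOpts = mkOption {
-        description = "Kubernetes controller extra command line options.";
+        description = "Kubernetes controller manager extra command line options.";
         default = "";
         type = types.str;
       };
@@ -294,7 +331,10 @@
       };
 
       apiServers = mkOption {
-        description = "Kubernetes kubelet list of Kubernetes API servers for publishing events, and reading pods and services.";
+        description = ''
+          Kubernetes kubelet list of Kubernetes API servers for publishing events,
+          and reading pods and services.
+        '';
         default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];
         type = types.listOf types.str;
       };
@@ -413,17 +453,14 @@
             ${optionalString (cfg.apiserver.runtimeConfig!="")
               "--runtime-config=${cfg.apiserver.runtimeConfig}"} \
             --admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \
+            ${optionalString (cfg.apiserver.serviceAccountKey!=null)
+              "--service-account-key-file=${cfg.apiserver.serviceAccountKey}"} \
             --logtostderr=true \
             ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.apiserver.extraOpts}
           '';
           User = "kubernetes";
         };
-        postStart = ''
-          until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.apiserver.address}:${toString cfg.apiserver.port}/'; do
-            sleep 1;
-          done
-        '';
       };
     })
 
@@ -456,6 +493,10 @@
             --address=${cfg.controllerManager.address} \
             --port=${toString cfg.controllerManager.port} \
             --master=${cfg.controllerManager.master} \
+            ${optionalString (cfg.controllerManager.serviceAccountPrivateKey!=null)
+              "--service-account-private-key-file=${cfg.controllerManager.serviceAccountPrivateKey}"} \
+            ${optionalString (cfg.controllerManager.rootCaFile!=null)
+              "--root-ca-file=${cfg.controllerManager.rootCaFile}"} \
             --logtostderr=true \
             ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.controllerManager.extraOpts}
@@ -509,6 +550,8 @@
             ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
             ${cfg.proxy.extraOpts}
           '';
+          Restart = "always"; # Retry connection
+          RestartSec = "5s";
         };
       };
     })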
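Review bot: The new `serviceAccountPrivateKey` option (new lines 257-264) is typed `types.nullOr types.path` and interpolated straight into the controller manager's ExecStart string at new lines 496-497; a value given as a Nix path literal is copied into the Nix store during evaluation, and the store is world-readable, so the token-signing key would become readable by every local user. The same applies to `serviceAccountKey` (new lines 184-190, used at 456-457) whenever a private rather than public key is supplied, which the description explicitly allows. The option descriptions should say so, e.g. append `Give this as a string path outside the Nix store (not a path literal), since path literals are copied into the world-readable store.` to both, and the apiserver description could recommend the public key since only verification is needed there. Separately, the removed `postStart` readiness loop (old lines 422-426) is only replaced by `Restart = "always"` on the proxy unit (new lines 553-554); if the controller manager and kubelet units relied on that gate, they presumably need the same retry setting, which this diff does not show.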