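{%- from "kubernetes/map.jinja" import master with context %}
{%- from "kubernetes/map.jinja" import common with context %}
{%- if master.enabled %}

# Static credential stores read by kube-apiserver through --token-auth-file
# and --basic-auth-file (see /etc/default/kube-apiserver in this file).
# Anyone who can read them can authenticate to the API, so they are kept
# owner-only (0600) instead of the world-readable 0644 used for the other
# managed files; they are still rendered from the formula's Jinja templates.
# NOTE(review): the API server is assumed to open them as root; confirm if
# it is ever started under a dedicated service account.
/srv/kubernetes/known_tokens.csv:
  file.managed:
  - source: salt://kubernetes/files/known_tokens.csv
  - template: jinja
  - user: root
  - group: root
  - mode: 600
  - makedirs: true

/srv/kubernetes/basic_auth.csv:
  file.managed:
  - source: salt://kubernetes/files/basic_auth.csv
  - template: jinja
  - user: root
  - group: root
  - mode: 600
  - makedirs: true
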
{%- if master.get('container', 'true') %}

# Containerised control plane. This is the default branch: the fallback
# value 'true' is a non-empty string and therefore always truthy, so only an
# explicit false in pillar selects the host-level branch further down.
# Every component runs as a static pod from a Jinja-rendered manifest in
# /etc/kubernetes/manifests and gets a root-owned log file in /var/log.
{%- for component in ['apiserver', 'controller-manager', 'scheduler'] %}

/var/log/kube-{{ component }}.log:
  file.managed:
  - user: root
  - group: root
  - mode: 644

/etc/kubernetes/manifests/kube-{{ component }}.manifest:
  file.managed:
  - source: salt://kubernetes/files/manifest/kube-{{ component }}.manifest
  - template: jinja
  - user: root
  - group: root
  - mode: 644
  - makedirs: true
  - dir_mode: 755

{%- endfor %}

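{%- else %}

# Host-level kube-apiserver; the systemd unit templated later in this file is
# expected to source DAEMON_ARGS from here. The folded block scalar (>-)
# joins the lines below into one quoted value, so every Jinja tag that sits
# on its own line carries a leading dash to trim the preceding newline and
# keep the value on a single line. daemon_opts is iterated with items() so
# the template renders under both Python 2 and Python 3.
# Security-relevant settings, as configured here:
#  * the insecure listener (unauthenticated, plaintext) is enabled on
#    master.apiserver.insecure_address / insecure_port; anything that can
#    reach it has full API access, so keep it on a loopback address;
#  * authentication uses the static token and basic-auth files under
#    /srv/kubernetes, so credentials change only when those are re-rendered;
#  * --allow-privileged=True lets any pod request privileged mode;
#  * --tls-* point at the server certificate managed further down in this
#    file; the CA file under /etc/kubernetes/ssl is provisioned elsewhere.
/etc/default/kube-apiserver:
  file.managed:
  - user: root
  - group: root
  - mode: 644
  - contents: >-
      DAEMON_ARGS="
      --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,DefaultStorageClass
      --allow-privileged=True
      --basic-auth-file=/srv/kubernetes/basic_auth.csv
      --bind-address={{ master.apiserver.get('bind_address', master.apiserver.address) }}
      --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
      --etcd-quorum-read=true
      --insecure-bind-address={{ master.apiserver.insecure_address }}
      --insecure-port={{ master.apiserver.insecure_port }}
      --secure-port={{ master.apiserver.secure_port }}
      --service-cluster-ip-range={{ master.service_addresses }}
      --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
      --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
      --token-auth-file=/srv/kubernetes/known_tokens.csv
      --apiserver-count={{ master.apiserver.get('count', 1) }}
      --v={{ master.get('verbosity', 2) }}
      --advertise-address={{ master.apiserver.address }}
      --etcd-servers=
{%- for member in master.etcd.members -%}
      http{% if master.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:{{ member.get('port', 4001) }}{% if not loop.last %},{% endif %}
{%- endfor %}
{%- if master.etcd.get('ssl', {}).get('enabled') %}
      --etcd-cafile /var/lib/etcd/ca.pem
      --etcd-certfile /var/lib/etcd/etcd-client.crt
      --etcd-keyfile /var/lib/etcd/etcd-client.key
{%- endif %}
{%- if master.apiserver.node_port_range is defined %}
      --service-node-port-range {{ master.apiserver.node_port_range }}
{%- endif %}
{%- if common.get('cloudprovider', {}).get('enabled') %}
      --cloud-provider={{ common.cloudprovider.provider }}
{%- if common.get('cloudprovider', {}).get('provider') == 'openstack' %}
      --cloud-config=/etc/kubernetes/cloud-config.conf
{%- endif %}
{%- endif %}
{%- for key, value in master.get('apiserver', {}).get('daemon_opts', {}).items() %}
      --{{ key }}={{ value }}
{%- endfor %}"
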
{#- Client kubeconfigs for the scheduler and the controller manager, each
    rendered from the formula's own Jinja template; a change to either one
    re-triggers master_services through watch_in.
    NOTE(review): if the rendered kubeconfig embeds a token or private key,
    mode 644 exposes it to every local user -- 600 would be safer. #}
{% for kube_component in ['scheduler', 'controller-manager'] %}

/etc/kubernetes/{{ kube_component }}.kubeconfig:
  file.managed:
  - source: salt://kubernetes/files/kube-{{ kube_component }}/{{ kube_component }}.kubeconfig
  - template: jinja
  - user: root
  - group: root
  - mode: 644
  - makedirs: true
  - watch_in:
    - service: master_services

{% endfor %}

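# Environment file for kube-controller-manager. The kubeconfig, CA file and
# service-account signing key are files managed elsewhere in this state.
# Extra flags come from master.controller_manager.daemon_opts; the closing
# endfor tag is whitespace-trimmed on the left so the closing quote stays on
# the last flag's line. Without the dash the quote lands at column 0, which
# terminates the folded block scalar and breaks the YAML whenever
# daemon_opts is non-empty. items() keeps the template Python 3 compatible.
/etc/default/kube-controller-manager:
  file.managed:
  - user: root
  - group: root
  - mode: 644
  - contents: >-
      DAEMON_ARGS="
      --cluster-name=kubernetes
      --kubeconfig /etc/kubernetes/controller-manager.kubeconfig
      --leader-elect=true
      --root-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
      --service-account-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
{%- if common.get('cloudprovider', {}).get('enabled') %}
      --cloud-provider={{ common.cloudprovider.provider }}
{%- if common.get('cloudprovider', {}).get('provider') == 'openstack' %}
      --cloud-config=/etc/kubernetes/cloud-config.conf
{%- endif %}
{%- endif %}
      --v={{ master.get('verbosity', 2) }}
{%- for key, value in master.get('controller_manager', {}).get('daemon_opts', {}).items() %}
      --{{ key }}={{ value }}
{%- endfor %}"

# Environment file for kube-scheduler; extra flags come from
# master.scheduler.daemon_opts, with the same whitespace-trimmed endfor so
# the closing quote never leaves the block scalar.
/etc/default/kube-scheduler:
  file.managed:
  - user: root
  - group: root
  - mode: 644
  - contents: >-
      DAEMON_ARGS="
      --kubeconfig /etc/kubernetes/scheduler.kubeconfig
      --leader-elect=true
      --v={{ master.get('verbosity', 2) }}
{%- for key, value in master.get('scheduler', {}).get('daemon_opts', {}).items() %}
      --{{ key }}={{ value }}
{%- endfor %}"
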
# systemd units for the host-level control plane, one per component, each
# rendered from the formula's Jinja template of the same name.
{%- for component in ['apiserver', 'scheduler', 'controller-manager'] %}

/etc/systemd/system/kube-{{ component }}.service:
  file.managed:
  - source: salt://kubernetes/files/systemd/kube-{{ component }}.service
  - template: jinja
  - user: root
  - group: root
  - mode: 644

{%- endfor %}

{#- Server certificate, private key and combined PEM for the API server,
    copied from the certificate source in pillar (default _certs/kubernetes).
    When the haproxy proxy is enabled in pillar the files are group-owned by
    haproxy, presumably so a local haproxy can read the same TLS material;
    otherwise only root can read them (mode 640 either way). Any change
    restarts master_services through watch_in. #}
{%- set ssl_group = 'haproxy' if pillar.get('haproxy', {}).get('proxy', {}).get('enabled') else 'root' %}
{% for filename in ['kubernetes-server.crt', 'kubernetes-server.key', 'kubernetes-server.pem'] %}

/etc/kubernetes/ssl/{{ filename }}:
  file.managed:
  - source: salt://{{ master.get('cert_source','_certs/kubernetes') }}/{{ filename }}
  - user: root
  - group: {{ ssl_group }}
  - mode: 640
  - watch_in:
    - service: master_services

{% endfor %}

# Keeps the control-plane services (master.services) running and enabled;
# a change to any watched file restarts them. The kubeconfigs and TLS files
# hook in through their own watch_in. /usr/bin/hyperkube is presumably
# managed by another state of this formula.
master_services:
  service.running:
  - names: {{ master.services }}
  - enable: true
  - watch:
{%- for unit in ['apiserver', 'scheduler', 'controller-manager'] %}
    - file: /etc/default/kube-{{ unit }}
{%- endfor %}
    - file: /usr/bin/hyperkube

{%- endif %}


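{%- for name, namespace in master.namespace.items() %}

{%- if namespace.enabled %}

# Idempotent namespace creation. The existence check matches the whole line
# (-x) so a namespace that merely contains this name as a substring (for
# example kube versus kube-system) no longer suppresses creation; -q
# replaces the /dev/null redirect. Only one name argument is given: a second
# one would silently override the first in the rendered state. The name is
# interpolated into a shell command, so pillar is trusted to provide plain
# DNS-label namespace names.
kubernetes_namespace_create_{{ name }}:
  cmd.run:
  - name: kubectl get ns -o=custom-columns=NAME:.metadata.name | grep -v NAME | grep -qx "{{ name }}" || kubectl create ns "{{ name }}"
  {%- if grains.get('noservices') %}
  - onlyif: /bin/false
  {%- endif %}

{%- else %}

# Delete only when present. The "|| true" sits outside the quoted name (it
# used to be inside the quotes, which asked kubectl to delete a namespace
# literally called "<name> || true"), so a missing namespace or a failed
# delete does not fail the state. Skipped under the noservices grain for
# the same reason as the create state above.
kubernetes_namespace_delete_{{ name }}:
  cmd.run:
  - name: kubectl get ns -o=custom-columns=NAME:.metadata.name | grep -v NAME | grep -qx "{{ name }}" && kubectl delete ns "{{ name }}" || true
  {%- if grains.get('noservices') %}
  - onlyif: /bin/false
  {%- endif %}

{%- endif %}

{%- endfor %}
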
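{#- Guarded with get() so a pillar without master.registry (or with an
    empty/null secret mapping) renders nothing instead of raising. #}
{%- if master.get('registry', {}).get('secret') %}

{%- for name, registry in master.registry.secret.items() %}

{%- if registry.enabled %}

# Image-pull secret written straight into the etcd registry, bypassing the
# API server. registry.key is interpolated unescaped into the JSON literal,
# so it must already be the base64 .dockerconfigjson payload and contain no
# quotes or backslashes. Skipped under the noservices grain.
/registry/secrets/{{ registry.namespace }}/{{ name }}:
  etcd.set:
  - value: '{"kind":"Secret","apiVersion":"v1","metadata":{"name":"{{ name }}","namespace":"{{ registry.namespace }}"},"data":{".dockerconfigjson":"{{ registry.key }}"},"type":"kubernetes.io/dockerconfigjson"}'
  {%- if grains.get('noservices') %}
  - onlyif: /bin/false
  {%- endif %}

{%- else %}

# A disabled secret is removed from etcd (bare state form, no arguments).
/registry/secrets/{{ registry.namespace }}/{{ name }}:
  etcd.rm

{%- endif %}

{%- endfor %}

{%- endif %}

{%- endif %}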