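# Kubernetes master (control-plane) state.
#
# Manages, in order: the static-token and basic-auth credential files for the
# apiserver, the control-plane components (either as static-pod manifests in
# container mode, or as systemd units fed by /etc/default/* argument files),
# the server TLS material, namespaces and registry pull secrets.
# Every value comes from the `master` and `common` maps in kubernetes/map.jinja.
{%- from "kubernetes/map.jinja" import master with context %}
{%- from "kubernetes/map.jinja" import common with context %}
{%- if master.enabled %}

{#- Static token file handed to kube-apiserver via --token-auth-file. #}
{%- if master.auth.get('token', {}).enabled|default(True) %}
kubernetes_known_tokens:
  file.managed:
    - name: {{ master.auth.token.file|default("/srv/kubernetes/known_tokens.csv") }}
    - source: salt://kubernetes/files/known_tokens.csv
    - template: jinja
    - user: root
    - group: root
    # The file holds bearer tokens, so it must not be world-readable.
    # NOTE(review): assumes kube-apiserver reads it as root; confirm no other
    # service user is configured in the unit file / manifest template.
    - mode: '600'
    - makedirs: true
    {#- In container mode there is no systemd service to restart. #}
    {%- if not master.get('container', True) %}
    - watch_in:
      - service: master_services
    {%- endif %}
{%- endif %}

{#- Basic-auth (password) file handed to kube-apiserver via --basic-auth-file. #}
{%- if master.auth.get('basic', {}).enabled|default(True) %}
kubernetes_basic_auth:
  file.managed:
    - name: {{ master.auth.basic.file|default("/srv/kubernetes/basic_auth.csv") }}
    - source: salt://kubernetes/files/basic_auth.csv
    - template: jinja
    - user: root
    - group: root
    # Contains passwords; root-only for the same reason as the token file.
    - mode: '600'
    - makedirs: true
    {%- if not master.get('container', True) %}
    - watch_in:
      - service: master_services
    {%- endif %}
{%- endif %}

{#- Container mode (the default when `container` is unset): the components
    run as static pods from /etc/kubernetes/manifests and log to /var/log. #}
{%- if master.get('container', True) %}

/var/log/kube-apiserver.log:
  file.managed:
    - user: root
    - group: root
    - mode: '644'

/etc/kubernetes/manifests/kube-apiserver.manifest:
  file.managed:
    - source: salt://kubernetes/files/manifest/kube-apiserver.manifest
    - template: jinja
    - user: root
    - group: root
    - mode: '644'
    - makedirs: true
    - dir_mode: '755'

/etc/kubernetes/manifests/kube-controller-manager.manifest:
  file.managed:
    - source: salt://kubernetes/files/manifest/kube-controller-manager.manifest
    - template: jinja
    - user: root
    - group: root
    - mode: '644'
    - makedirs: true
    - dir_mode: '755'

/var/log/kube-controller-manager.log:
  file.managed:
    - user: root
    - group: root
    - mode: '644'

/etc/kubernetes/manifests/kube-scheduler.manifest:
  file.managed:
    - source: salt://kubernetes/files/manifest/kube-scheduler.manifest
    - template: jinja
    - user: root
    - group: root
    - mode: '644'
    - makedirs: true
    - dir_mode: '755'

/var/log/kube-scheduler.log:
  file.managed:
    - user: root
    - group: root
    - mode: '644'

{%- else %}

{#- Systemd mode: each /etc/default/<component> file carries a single
    DAEMON_ARGS="..." line. The value is a folded block scalar, so every flag
    line below is joined with spaces; the Jinja tags use "-" to strip their own
    whitespace and leave no gaps in the rendered text. #}
/etc/default/kube-apiserver:
  file.managed:
    - user: root
    - group: root
    - mode: '644'
    - contents: >-
        DAEMON_ARGS="
        --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,DefaultStorageClass
        --allow-privileged=True
        {%- if master.auth.get('mode') %}
        --authorization-mode={{ master.auth.mode }}
        {%- endif %}
        {%- if master.auth.get('basic', {}).enabled|default(True) %}
        --basic-auth-file={{ master.auth.basic.file|default("/srv/kubernetes/basic_auth.csv") }}
        {%- endif %}
        --bind-address={{ master.apiserver.get('bind_address', master.apiserver.address) }}
        {%- if master.auth.get('ssl', {}).enabled|default(True) %}
        --client-ca-file={{ master.auth.get('ssl', {}).ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
        {%- endif %}
        {#- Front-proxy (request-header) authentication, off unless enabled. #}
        {%- if master.auth.get('proxy', {}).enabled|default(False) %}
        --requestheader-username-headers={{ master.auth.proxy.header.user }}
        --requestheader-group-headers={{ master.auth.proxy.header.group }}
        --requestheader-extra-headers-prefix={{ master.auth.proxy.header.extra }}
        --requestheader-client-ca-file={{ master.auth.proxy.ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
        {%- endif %}
        {#- The flag is only emitted when anonymous auth is requested; when it
            is not, nothing is passed and the apiserver's own default applies.
            NOTE(review): confirm that matches the intended policy. #}
        {%- if master.auth.get('anonymous', False) %}
        --anonymous-auth=true
        {%- endif %}
        --etcd-quorum-read=true
        {#- Plain-HTTP listener (no authentication); address and port are pillar-driven. #}
        --insecure-bind-address={{ master.apiserver.insecure_address }}
        --insecure-port={{ master.apiserver.insecure_port }}
        --secure-port={{ master.apiserver.secure_port }}
        --service-cluster-ip-range={{ master.service_addresses }}
        --tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
        --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
        {%- if master.auth.get('token', {}).enabled|default(True) %}
        --token-auth-file={{ master.auth.token.file|default("/srv/kubernetes/known_tokens.csv") }}
        {%- endif %}
        --apiserver-count={{ master.apiserver.get('count', 1) }}
        --v={{ master.get('verbosity', 2) }}
        --advertise-address={{ master.apiserver.address }}
        --etcd-servers=
        {%- for member in master.etcd.members -%}
        http{% if master.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:{{ member.get('port', 4001) }}{% if not loop.last %},{% endif %}
        {%- endfor %}
        {%- if master.etcd.get('ssl', {}).get('enabled') %}
        --etcd-cafile /var/lib/etcd/ca.pem
        --etcd-certfile /var/lib/etcd/etcd-client.crt
        --etcd-keyfile /var/lib/etcd/etcd-client.key
        {%- endif %}
        {%- if master.apiserver.node_port_range is defined %}
        --service-node-port-range {{ master.apiserver.node_port_range }}
        {%- endif %}
        {%- if common.get('cloudprovider', {}).get('enabled') %}
        --cloud-provider={{ common.cloudprovider.provider }}
        {%- if common.get('cloudprovider', {}).get('provider') == 'openstack' %}
        --cloud-config=/etc/kubernetes/cloud-config.conf
        {%- endif %}
        {%- endif %}
        {#- Free-form extra flags from pillar; .items() works on Python 2 and 3. #}
        {%- for key, value in master.get('apiserver', {}).get('daemon_opts', {}).items() %}
        --{{ key }}={{ value }}
        {%- endfor %}"

{#- Client kubeconfigs for the two controllers; they carry credentials. #}
{%- for component in ['scheduler', 'controller-manager'] %}

/etc/kubernetes/{{ component }}.kubeconfig:
  file.managed:
    - source: salt://kubernetes/files/kube-{{ component }}/{{ component }}.kubeconfig
    - template: jinja
    - user: root
    - group: root
    # NOTE(review): root-only because the file holds client credentials;
    # assumes the component runs as root -- confirm against the unit file.
    - mode: '600'
    - makedirs: true
    - watch_in:
      - service: master_services

{%- endfor %}

/etc/default/kube-controller-manager:
  file.managed:
    - user: root
    - group: root
    - mode: '644'
    - contents: >-
        DAEMON_ARGS="
        --cluster-name=kubernetes
        --kubeconfig /etc/kubernetes/controller-manager.kubeconfig
        --leader-elect=true
        --root-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
        --service-account-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
        --use-service-account-credentials
        {%- if common.get('cloudprovider', {}).get('enabled') %}
        --cloud-provider={{ common.cloudprovider.provider }}
        {%- if common.get('cloudprovider', {}).get('provider') == 'openstack' %}
        --cloud-config=/etc/kubernetes/cloud-config.conf
        {%- endif %}
        {%- endif %}
        --v={{ master.get('verbosity', 2) }}
        {%- for key, value in master.get('controller_manager', {}).get('daemon_opts', {}).items() %}
        --{{ key }}={{ value }}
        {%- endfor %}"

/etc/default/kube-scheduler:
  file.managed:
    - user: root
    - group: root
    - mode: '644'
    - contents: >-
        DAEMON_ARGS="
        --kubeconfig /etc/kubernetes/scheduler.kubeconfig
        --leader-elect=true
        --v={{ master.get('verbosity', 2) }}
        {%- for key, value in master.get('scheduler', {}).get('daemon_opts', {}).items() %}
        --{{ key }}={{ value }}
        {%- endfor %}"

/etc/systemd/system/kube-apiserver.service:
  file.managed:
    - source: salt://kubernetes/files/systemd/kube-apiserver.service
    - template: jinja
    - user: root
    - group: root
    - mode: '644'

/etc/systemd/system/kube-scheduler.service:
  file.managed:
    - source: salt://kubernetes/files/systemd/kube-scheduler.service
    - template: jinja
    - user: root
    - group: root
    - mode: '644'

/etc/systemd/system/kube-controller-manager.service:
  file.managed:
    - source: salt://kubernetes/files/systemd/kube-controller-manager.service
    - template: jinja
    - user: root
    - group: root
    - mode: '644'

{#- Server certificate, key and combined PEM. When the haproxy proxy role is
    enabled on this node the files are group-readable by haproxy so it can
    terminate TLS with the same material. #}
{%- for filename in ['kubernetes-server.crt', 'kubernetes-server.key', 'kubernetes-server.pem'] %}

/etc/kubernetes/ssl/{{ filename }}:
  file.managed:
    - source: salt://{{ master.get('cert_source','_certs/kubernetes') }}/{{ filename }}
    - user: root
    {%- if pillar.get('haproxy', {}).get('proxy', {}).get('enabled') %}
    - group: haproxy
    {%- else %}
    - group: root
    {%- endif %}
    - mode: '640'
    - watch_in:
      - service: master_services

{%- endfor %}

# Restarted whenever an argument file, a credential file or the hyperkube
# binary changes (the /usr/bin/hyperkube state is managed outside this file).
master_services:
  service.running:
    - names: {{ master.services }}
    - enable: true
    - watch:
      - file: /etc/default/kube-apiserver
      - file: /etc/default/kube-scheduler
      - file: /etc/default/kube-controller-manager
      - file: /usr/bin/hyperkube

{%- endif %}


{#- Namespaces declared in pillar: created when enabled, deleted otherwise.
    `kubectl get ns <name>` is used as the existence probe so that the match
    is exact (a substring grep would also match e.g. "foo-bar" for "foo").
    The `noservices` grain turns both commands into no-ops. #}
{%- for name, namespace in master.namespace.items() %}

{%- if namespace.enabled %}

kubernetes_namespace_create_{{ name }}:
  cmd.run:
    - name: kubectl get ns "{{ name }}" > /dev/null 2>&1 || kubectl create ns "{{ name }}"
    {%- if grains.get('noservices') %}
    - onlyif: /bin/false
    {%- endif %}

{%- else %}

kubernetes_namespace_delete_{{ name }}:
  cmd.run:
    - name: kubectl get ns "{{ name }}" > /dev/null 2>&1 && kubectl delete ns "{{ name }}" || true
    {%- if grains.get('noservices') %}
    - onlyif: /bin/false
    {%- endif %}

{%- endif %}

{%- endfor %}

{#- Image-pull secrets written straight into the etcd registry path instead
    of through the API server. NOTE(review): admission control, API auditing
    and API-side encryption do not see these writes -- confirm this is
    intended before relying on them for anything beyond a bootstrap. #}
{%- if master.get('registry', {}).get('secret') %}

{%- for name, registry in master.registry.secret.items() %}

{%- if registry.enabled %}

/registry/secrets/{{ registry.namespace }}/{{ name }}:
  etcd.set:
    - value: '{"kind":"Secret","apiVersion":"v1","metadata":{"name":"{{ name }}","namespace":"{{ registry.namespace }}"},"data":{".dockerconfigjson":"{{ registry.key }}"},"type":"kubernetes.io/dockerconfigjson"}'
    {%- if grains.get('noservices') %}
    - onlyif: /bin/false
    {%- endif %}

{%- else %}

/registry/secrets/{{ registry.namespace }}/{{ name }}:
  etcd.rm

{%- endif %}

{%- endfor %}

{%- endif %}

{%- endif %}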