commit eaaad0deea37f659af606abe7a594a4ed95f4dbd · pyrox.dev/nixpkgs

+55 -12

nixos/modules/services/cluster/kubernetes.nix

···

       105
        
             tokenAuth = mkOption {

     

       106
        
               description = ''

     

       107
        
                 Kubernetes apiserver token authentication file. See

     

       108
       -
                 <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md"/>

     

       109
        
               '';

     

       110
        
               default = {};

     

       111
        
               example = literalExample ''

     
···

       120
        
             authorizationMode = mkOption {

     

       121
        
               description = ''

     

       122
        
                 Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See

     

       123
       -
                 <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>

     

       124
        
               '';

     

       125
        
               default = "AlwaysAllow";

     

       126
        
               type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"];

     
···

       129
        
             authorizationPolicy = mkOption {

     

       130
        
               description = ''

     

       131
        
                 Kubernetes apiserver authorization policy file. See

     

       132
       -
                 <link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>

     

       133
        
               '';

     

       134
        
               default = [];

     

       135
        
               example = literalExample ''

     
···

       159
        
             };

     

       160
        
       

     

       161
        
             runtimeConfig = mkOption {

     

       162
       -
               description = "Api runtime configuration";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       163
        
               default = "";

     

       164
        
               example = "api/all=false,api/v1=true";

     

       165
        
               type = types.str;

     

       166
        
             };

     

       167
        
       

     

       168
        
             admissionControl = mkOption {

     

       169
       -
               description = "Kubernetes admission control plugins to use.";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       170
        
               default = ["AlwaysAdmit"];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       171
        
               type = types.listOf types.str;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       172
        
             };

     

       173
        
       

     

       174
        
             extraOpts = mkOption {

     
···

       235
        
               type = types.str;

     

       236
        
             };

     

       237
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       238
        
             extraOpts = mkOption {

     

       239
       -
               description = "Kubernetes controller extra command line options.";

     

       240
        
               default = "";

     

       241
        
               type = types.str;

     

       242
        
             };

     
···

       294
        
             };

     

       295
        
       

     

       296
        
             apiServers = mkOption {

     

       297
       -
               description = "Kubernetes kubelet list of Kubernetes API servers for publishing events, and reading pods and services.";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       298
        
               default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];

     

       299
        
               type = types.listOf types.str;

     

       300
        
             };

     
···

       413
        
                   ${optionalString (cfg.apiserver.runtimeConfig!="")

     

       414
        
                     "--runtime-config=${cfg.apiserver.runtimeConfig}"} \

     

       415
        
                   --admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \

     

       0
        
       
     

       0
        
       
     

       416
        
                   --logtostderr=true \

     

       417
        
                   ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \

     

       418
        
                   ${cfg.apiserver.extraOpts}

     

       419
        
                 '';

     

       420
        
                 User = "kubernetes";

     

       421
        
               };

     

       422
       -
               postStart = ''

     

       423
       -
                 until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.apiserver.address}:${toString cfg.apiserver.port}/'; do

     

       424
       -
                   sleep 1;

     

       425
       -
                 done

     

       426
       -
               '';

     

       427
        
             };

     

       428
        
           })

     

       429
        
       

     
···

       456
        
                   --address=${cfg.controllerManager.address} \

     

       457
        
                   --port=${toString cfg.controllerManager.port} \

     

       458
        
                   --master=${cfg.controllerManager.master} \

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       459
        
                   --logtostderr=true \

     

       460
        
                   ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \

     

       461
        
                   ${cfg.controllerManager.extraOpts}

     
···

       509
        
                   ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \

     

       510
        
                   ${cfg.proxy.extraOpts}

     

       511
        
                 '';

     

       0
        
       
     

       0
        
       
     

       512
        
               };

     

       513
        
             };

     

       514
        
           })

···

       105
        
             tokenAuth = mkOption {

     

       106
        
               description = ''

     

       107
        
                 Kubernetes apiserver token authentication file. See

     

       108
       +
                 <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authentication.html"/>

     

       109
        
               '';

     

       110
        
               default = {};

     

       111
        
               example = literalExample ''

     
···

       120
        
             authorizationMode = mkOption {

     

       121
        
               description = ''

     

       122
        
                 Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See

     

       123
       +
                 <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>

     

       124
        
               '';

     

       125
        
               default = "AlwaysAllow";

     

       126
        
               type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"];

     
···

       129
        
             authorizationPolicy = mkOption {

     

       130
        
               description = ''

     

       131
        
                 Kubernetes apiserver authorization policy file. See

     

       132
       +
                 <link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>

     

       133
        
               '';

     

       134
        
               default = [];

     

       135
        
               example = literalExample ''

     
···

       159
        
             };

     

       160
        
       

     

       161
        
             runtimeConfig = mkOption {

     

       162
       +
               description = ''

     

       163
       +
                 Api runtime configuration. See

     

       164
       +
                 <link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/>

     

       165
       +
               '';

     

       166
        
               default = "";

     

       167
        
               example = "api/all=false,api/v1=true";

     

       168
        
               type = types.str;

     

       169
        
             };

     

       170
        
       

     

       171
        
             admissionControl = mkOption {

     

       172
       +
               description = ''

     

       173
       +
                 Kubernetes admission control plugins to use. See

     

       174
       +
                 <link xlink:href="http://kubernetes.io/v1.0/docs/admin/admission-controllers.html"/>

     

       175
       +
               '';

     

       176
        
               default = ["AlwaysAdmit"];

     

       177
       +
               example = [

     

       178
       +
                 "NamespaceLifecycle" "NamespaceExists" "LimitRanger"

     

       179
       +
                 "SecurityContextDeny" "ServiceAccount" "ResourceQuota"

     

       180
       +
               ];

     

       181
        
               type = types.listOf types.str;

     

       182
       +
             };

     

       183
       +
       

     

       184
       +
             serviceAccountKey = mkOption {

     

       185
       +
               description = ''

     

       186
       +
                 Kubernetes apiserver PEM-encoded x509 RSA private or public key file,

     

       187
       +
                 used to verify ServiceAccount tokens.

     

       188
       +
               '';

     

       189
       +
               default = null;

     

       190
       +
               type = types.nullOr types.path;

     

       191
        
             };

     

       192
        
       

     

       193
        
             extraOpts = mkOption {

     
···

       254
        
               type = types.str;

     

       255
        
             };

     

       256
        
       

     

       257
       +
             serviceAccountPrivateKey = mkOption {

     

       258
       +
               description = ''

     

       259
       +
                 Kubernetes controller manager PEM-encoded private RSA key file used to

     

       260
       +
                 sign service account tokens

     

       261
       +
               '';

     

       262
       +
               default = null;

     

       263
       +
               type = types.nullOr types.path;

     

       264
       +
             };

     

       265
       +
       

     

       266
       +
             rootCaFile = mkOption {

     

       267
       +
               description = ''

     

       268
       +
                 Kubernetes controller manager certificate authority file included in

     

       269
       +
                 service account's token secret.

     

       270
       +
               '';

     

       271
       +
               default = null;

     

       272
       +
               type = types.nullOr types.path;

     

       273
       +
             };

     

       274
       +
       

     

       275
        
             extraOpts = mkOption {

     

       276
       +
               description = "Kubernetes controller manager extra command line options.";

     

       277
        
               default = "";

     

       278
        
               type = types.str;

     

       279
        
             };

     
···

       331
        
             };

     

       332
        
       

     

       333
        
             apiServers = mkOption {

     

       334
       +
               description = ''

     

       335
       +
                 Kubernetes kubelet list of Kubernetes API servers for publishing events,

     

       336
       +
                 and reading pods and services.

     

       337
       +
               '';

     

       338
        
               default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];

     

       339
        
               type = types.listOf types.str;

     

       340
        
             };

     
···

       453
        
                   ${optionalString (cfg.apiserver.runtimeConfig!="")

     

       454
        
                     "--runtime-config=${cfg.apiserver.runtimeConfig}"} \

     

       455
        
                   --admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \

     

       456
       +
                   ${optionalString (cfg.apiserver.serviceAccountKey!=null)

     

       457
       +
                     "--service-account-key-file=${cfg.apiserver.serviceAccountKey}"} \

     

       458
        
                   --logtostderr=true \

     

       459
        
                   ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \

     

       460
        
                   ${cfg.apiserver.extraOpts}

     

       461
        
                 '';

     

       462
        
                 User = "kubernetes";

     

       463
        
               };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       464
        
             };

     

       465
        
           })

     

       466
        
       

     
···

       493
        
                   --address=${cfg.controllerManager.address} \

     

       494
        
                   --port=${toString cfg.controllerManager.port} \

     

       495
        
                   --master=${cfg.controllerManager.master} \

     

       496
       +
                   ${optionalString (cfg.controllerManager.serviceAccountPrivateKey!=null)

     

       497
       +
                     "--service-account-private-key-file=${cfg.controllerManager.serviceAccountPrivateKey}"} \

     

       498
       +
                   ${optionalString (cfg.controllerManager.rootCaFile!=null)

     

       499
       +
                     "--root-ca-file=${cfg.controllerManager.rootCaFile}"} \

     

       500
        
                   --logtostderr=true \

     

       501
        
                   ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \

     

       502
        
                   ${cfg.controllerManager.extraOpts}

     
···

       550
        
                   ${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \

     

       551
        
                   ${cfg.proxy.extraOpts}

     

       552
        
                 '';

     

       553
       +
                 Restart = "always"; # Retry connection

     

       554
       +
                 RestartSec = "5s";

     

       555
        
               };

     

       556
        
             };

     

       557
        
           })