···
Kubernetes apiserver token authentication file. See
108
-
<link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authentication.md"/>
108
+
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authentication.html"/>
example = literalExample ''
···
authorizationMode = mkOption {
Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC). See
123
-
<link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
123
+
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
type = types.enum ["AlwaysAllow" "AlwaysDeny" "ABAC"];
···
authorizationPolicy = mkOption {
Kubernetes apiserver authorization policy file. See
132
-
<link xlink:href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/authorization.md"/>
132
+
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/authorization.html"/>
example = literalExample ''
···
runtimeConfig = mkOption {
162
-
description = "Api runtime configuration";
163
+
Api runtime configuration. See
164
+
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/cluster-management.html"/>
example = "api/all=false,api/v1=true";
admissionControl = mkOption {
169
-
description = "Kubernetes admission control plugins to use.";
173
+
Kubernetes admission control plugins to use. See
174
+
<link xlink:href="http://kubernetes.io/v1.0/docs/admin/admission-controllers.html"/>
default = ["AlwaysAdmit"];
178
+
"NamespaceLifecycle" "NamespaceExists" "LimitRanger"
179
+
"SecurityContextDeny" "ServiceAccount" "ResourceQuota"
type = types.listOf types.str;
184
+
serviceAccountKey = mkOption {
186
+
Kubernetes apiserver PEM-encoded x509 RSA private or public key file,
187
+
used to verify ServiceAccount tokens.
190
+
type = types.nullOr types.path;
···
257
+
serviceAccountPrivateKey = mkOption {
259
+
Kubernetes controller manager PEM-encoded private RSA key file used to
260
+
sign service account tokens
263
+
type = types.nullOr types.path;
266
+
rootCaFile = mkOption {
268
+
Kubernetes controller manager certificate authority file included in
269
+
service account's token secret.
272
+
type = types.nullOr types.path;
239
-
description = "Kubernetes controller extra command line options.";
276
+
description = "Kubernetes controller manager extra command line options.";
···
297
-
description = "Kubernetes kubelet list of Kubernetes API servers for publishing events, and reading pods and services.";
335
+
Kubernetes kubelet list of Kubernetes API servers for publishing events,
336
+
and reading pods and services.
default = ["${cfg.apiserver.address}:${toString cfg.apiserver.port}"];
type = types.listOf types.str;
···
${optionalString (cfg.apiserver.runtimeConfig!="")
"--runtime-config=${cfg.apiserver.runtimeConfig}"} \
--admission_control=${concatStringsSep "," cfg.apiserver.admissionControl} \
456
+
${optionalString (cfg.apiserver.serviceAccountKey!=null)
457
+
"--service-account-key-file=${cfg.apiserver.serviceAccountKey}"} \
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
${cfg.apiserver.extraOpts}
423
-
until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.apiserver.address}:${toString cfg.apiserver.port}/'; do
···
--address=${cfg.controllerManager.address} \
--port=${toString cfg.controllerManager.port} \
--master=${cfg.controllerManager.master} \
496
+
${optionalString (cfg.controllerManager.serviceAccountPrivateKey!=null)
497
+
"--service-account-private-key-file=${cfg.controllerManager.serviceAccountPrivateKey}"} \
498
+
${optionalString (cfg.controllerManager.rootCaFile!=null)
499
+
"--root-ca-file=${cfg.controllerManager.rootCaFile}"} \
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
${cfg.controllerManager.extraOpts}
···
${optionalString cfg.verbose "--v=6 --log-flush-frequency=1s"} \
553
+
Restart = "always"; # Retry connection
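Review bot: The new `serviceAccountKey` and `serviceAccountPrivateKey` options are declared as `types.nullOr types.path` and then spliced directly into the service command lines, so a value given as a Nix path literal (rather than a string) would be copied into the world-readable Nix store on interpolation, leaving the token-signing key readable by every local user. I would wrap the interpolations in `toString`, e.g. `"--service-account-private-key-file=${toString cfg.controllerManager.serviceAccountPrivateKey}"` and likewise for `--service-account-key-file`. Each description should also state that the file must live outside the store with owner-only permissions. `rootCaFile` is not secret, so this applies only to the two key options. The option bodies and the unit scripts are only partly visible here, so the defaults and any existing handling could not be checked.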