From eb84e16a981b81c1144c0f6448066cc5b43ab684 Mon Sep 17 00:00:00 2001 From: Mike Danese Date: Tue, 30 May 2017 16:52:53 -0700 Subject: [PATCH] remove openvpn and nginx from salt --- cluster/saltbase/salt/README.md | 3 - cluster/saltbase/salt/kubelet/default | 15 +-- cluster/saltbase/salt/nginx/init.sls | 64 --------- cluster/saltbase/salt/nginx/kubernetes-site | 66 ---------- cluster/saltbase/salt/nginx/nginx.conf | 61 --------- cluster/saltbase/salt/nginx/nginx.json | 60 --------- .../saltbase/salt/openvpn-client/client.conf | 53 -------- cluster/saltbase/salt/openvpn-client/init.sls | 16 --- cluster/saltbase/salt/openvpn/init.sls | 31 ----- cluster/saltbase/salt/openvpn/server.conf | 123 ------------------ cluster/saltbase/salt/top.sls | 7 - 11 files changed, 4 insertions(+), 495 deletions(-) delete mode 100644 cluster/saltbase/salt/nginx/init.sls delete mode 100644 cluster/saltbase/salt/nginx/kubernetes-site delete mode 100644 cluster/saltbase/salt/nginx/nginx.conf delete mode 100644 cluster/saltbase/salt/nginx/nginx.json delete mode 100644 cluster/saltbase/salt/openvpn-client/client.conf delete mode 100644 cluster/saltbase/salt/openvpn-client/init.sls delete mode 100644 cluster/saltbase/salt/openvpn/init.sls delete mode 100644 cluster/saltbase/salt/openvpn/server.conf diff --git a/cluster/saltbase/salt/README.md b/cluster/saltbase/salt/README.md index 4fb805773e6..f4c24c202fb 100644 --- a/cluster/saltbase/salt/README.md +++ b/cluster/saltbase/salt/README.md @@ -22,9 +22,6 @@ Config | GCE | Vagrant | AWS | Az [kubelet](kubelet/) | M n | M n | M n | M n [logrotate](logrotate/) | M n | n | M n | M n [supervisord](supervisor/) | M n | M n | M n | M n -[nginx](nginx/) | | | | M -[openvpn-client](openvpn-client/) | | | | n -[openvpn](openvpn/) | | | | M [base](base.sls) | M n | M n | M n | M n [kube-client-tools](kube-client-tools.sls) | M | M | M | M 
diff --git a/cluster/saltbase/salt/kubelet/default b/cluster/saltbase/salt/kubelet/default index abf8e4c7b36..1f258139d94 100644 --- a/cluster/saltbase/salt/kubelet/default +++ b/cluster/saltbase/salt/kubelet/default @@ -15,13 +15,6 @@ {% set api_servers = "--api-servers=https://" + ips[0][0] -%} {% endif -%} -# TODO: remove nginx for other cloud providers. -{% if grains['cloud'] is defined and grains.cloud in [ 'aws', 'gce', 'vagrant', 'photon-controller', 'openstack', 'azure-legacy'] %} - {% set api_servers_with_port = api_servers -%} -{% else -%} - {% set api_servers_with_port = api_servers + ":6443" -%} -{% endif -%} - {% set master_kubelet_args = "" %} {% set debugging_handlers = "--enable-debugging-handlers=true" -%} @@ -32,10 +25,10 @@ # Unless given a specific directive, disable registration for the kubelet # running on the master. {% if grains.kubelet_api_servers is defined -%} - {% set api_servers_with_port = "--api-servers=https://" + grains.kubelet_api_servers -%} + {% set api_servers = "--api-servers=https://" + grains.kubelet_api_servers -%} {% set master_kubelet_args = master_kubelet_args + "--register-schedulable=false" -%} {% else -%} - {% set api_servers_with_port = "" -%} + {% set api_servers = "" -%} {% endif -%} # Disable the debugging handlers (/run and /exec) to prevent arbitrary @@ -113,7 +106,7 @@ {% if grains['roles'][0] == 'kubernetes-master' %} {% if grains.get('cbr-cidr') %} {% set pod_cidr = "--pod-cidr=" + grains['cbr-cidr'] %} - {% elif api_servers_with_port == '' and pillar.get('network_provider', '').lower() == 'kubenet' %} + {% elif api_servers == '' and pillar.get('network_provider', '').lower() == 'kubenet' %} # Kubelet standalone mode needs a PodCIDR since there is no controller-manager {% set pod_cidr = "--pod-cidr=10.76.0.0/16" %} {% endif -%} 
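Review bot: Removing the `api_servers_with_port` block in `@@ -15,13 +15,6 @@` also removes the `:6443` fallback for any `grains.cloud` value outside the enumerated list, so a kubelet on such a host now dials `https://<master ip>` with no port (HTTPS default) where it previously dialed 6443. That is presumably intended, since the same provider list appears as context in top.sls and nginx no longer fronts the master, but nothing in the patch records it, and the only comment that hinted at the relationship (`# TODO: remove nginx for other cloud providers.`) is gone. I would keep one line beside the surviving `{% set api_servers = "--api-servers=https://" + ips[0][0] -%}`: `# No explicit port (https default); the :6443 fallback for clouds outside the provider list went away with nginx.` The remaining hunks in this file (`@@ -32,10 +25,10 @@`, `@@ -113,7 +106,7 @@` and the DAEMON_ARGS hunk) are only the matching rename and need nothing further; the `grains.kubelet_api_servers` block they touch sits inside a Jinja conditional that starts outside the hunk.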
@@ -186,4 +179,4 @@ {% set kubelet_auth = "--anonymous-auth=false --authorization-mode=Webhook --client-ca-file=" + pillar.get('ca_cert_bundle_path', '/var/lib/kubelet/ca.crt') %} # test_args has to be kept at the end, so they'll overwrite any prior configuration -DAEMON_ARGS="{{daemon_args}} {{api_servers_with_port}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{eviction_hard}} {{kubelet_auth}} {{feature_gates}} {{test_args}}" +DAEMON_ARGS="{{daemon_args}} {{api_servers}} {{debugging_handlers}} {{hostname_override}} {{cloud_provider}} {{cloud_config}} {{config}} {{manifest_url}} --allow-privileged={{pillar['allow_privileged']}} {{log_level}} {{cluster_dns}} {{cluster_domain}} {{docker_root}} {{kubelet_root}} {{non_masquerade_cidr}} {{cgroup_root}} {{system_container}} {{pod_cidr}} {{ master_kubelet_args }} {{cpu_cfs_quota}} {{network_plugin}} {{kubelet_port}} {{ hairpin_mode }} {{enable_custom_metrics}} {{runtime_container}} {{kubelet_container}} {{node_labels}} {{eviction_hard}} {{kubelet_auth}} {{feature_gates}} {{test_args}}" diff --git a/cluster/saltbase/salt/nginx/init.sls b/cluster/saltbase/salt/nginx/init.sls deleted file mode 100644 index 201371755df..00000000000 --- a/cluster/saltbase/salt/nginx/init.sls +++ /dev/null 
@@ -1,64 +0,0 @@ -nginx: - pkg: - - installed - -/etc/nginx/nginx.conf: - file: - - managed - - source: salt://nginx/nginx.conf - - template: jinja - - user: root - - group: root - - mode: 644 - -/etc/nginx/sites-enabled/default: - file: - - managed - - makedirs: true - - source: salt://nginx/kubernetes-site - - user: root - - group: root - - mode: 644 - -/usr/share/nginx/htpasswd: - file: - - managed - - source: salt://nginx/htpasswd - - user: root - - group: root - - mode: 644 - -{% if grains.cloud is defined and grains.cloud in ['gce'] %} -/etc/kubernetes/manifests/nginx.json: - file: - - managed - - source: salt://nginx/nginx.json - - user: root - - group: root - - mode: 644 - - require: - - file: /etc/nginx/nginx.conf - - file: /etc/nginx/sites-enabled/default - - file: /usr/share/nginx/htpasswd - - cmd: kubernetes-cert - - -#stop legacy nginx_service -stop_nginx-service: - service.dead: - - name: nginx - - enable: None - -{% else %} -nginx-service: - service: - - running - - name: nginx - - watch: - - pkg: nginx - - file: /etc/nginx/nginx.conf - - file: /etc/nginx/sites-enabled/default - - file: /usr/share/nginx/htpasswd - - cmd: kubernetes-cert -{% endif %} - diff --git a/cluster/saltbase/salt/nginx/kubernetes-site b/cluster/saltbase/salt/nginx/kubernetes-site deleted file mode 100644 index 818a4871105..00000000000 --- a/cluster/saltbase/salt/nginx/kubernetes-site +++ /dev/null 
@@ -1,66 +0,0 @@ -#server { - #listen 80; ## listen for ipv4; this line is default and implied - #listen [::]:80 default_server ipv6only=on; ## listen for ipv6 - -# root /usr/share/nginx/www; -# index index.html index.htm; - - # Make site accessible from http://localhost/ -# server_name localhost; -# location / { -# auth_basic "Restricted"; -# auth_basic_user_file /usr/share/nginx/htpasswd; - - # Proxy settings. -# proxy_pass http://localhost:8080/; -# proxy_connect_timeout 159s; -# proxy_send_timeout 600s; -# proxy_read_timeout 600s; -# proxy_buffer_size 64k; -# proxy_buffers 16 32k; -# proxy_busy_buffers_size 64k; -# proxy_temp_file_write_size 64k; -# } -#} - -# HTTPS server -# -server { - listen 443; - server_name localhost; - - root html; - index index.html index.htm; - - ssl on; - ssl_certificate /srv/kubernetes/server.cert; - ssl_certificate_key /srv/kubernetes/server.key; - - ssl_session_timeout 5m; - - # don't use SSLv3 because of POODLE - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; - ssl_prefer_server_ciphers on; - - location / { - auth_basic "Restricted"; - auth_basic_user_file /usr/share/nginx/htpasswd; - - # Proxy settings - # disable buffering so that watch works - proxy_buffering off; - proxy_pass http://127.0.0.1:8080/; - proxy_connect_timeout 159s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - - # Disable retry - proxy_next_upstream off; - - # Support web sockets - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - } -} diff --git a/cluster/saltbase/salt/nginx/nginx.conf b/cluster/saltbase/salt/nginx/nginx.conf deleted file mode 100644 index 00b1961ab61..00000000000 --- a/cluster/saltbase/salt/nginx/nginx.conf +++ /dev/null 
@@ -1,61 +0,0 @@ -{% if grains['os_family'] == 'RedHat' %} -user nginx; -{% else %} -user www-data; -{% endif %} - -worker_processes 4; -pid /var/run/nginx.pid; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # Logging Settings - ## - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # Virtual Host Configs - ## - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; -} diff --git a/cluster/saltbase/salt/nginx/nginx.json b/cluster/saltbase/salt/nginx/nginx.json deleted file mode 100644 index 44c41c27d18..00000000000 --- a/cluster/saltbase/salt/nginx/nginx.json +++ /dev/null 
@@ -1,60 +0,0 @@ -{ -"apiVersion": "v1", -"kind": "Pod", -"metadata": {"name":"nginx"}, -"spec":{ -"hostNetwork": true, -"containers":[ - { - "name": "nginx", - "image": "gcr.io/google-containers/nginx:v1", - "resources": { - "limits": { - "cpu": "200m" - } - }, - "command": [ - "nginx", - "-g", - "daemon off;" - ], - "ports":[ - { "name": "https", - "containerPort": 443, - "hostPort": 443} - ], - "volumeMounts": [ - { "name": "nginx", - "mountPath": "/etc/nginx", - "readOnly": true}, - { "name": "k8s", - "mountPath": "/srv/kubernetes", - "readOnly": true}, - { "name": "logs", - "mountPath": "/var/log/nginx", - "readOnly": false}, - { "name": "passwd", - "mountPath": "/usr/share/nginx", - "readOnly": true} - ] - } -], -"volumes":[ - { "name": "nginx", - "hostPath": { - "path": "/etc/nginx"} - }, - { "name": "k8s", - "hostPath": { - "path": "/srv/kubernetes"} - }, - { "name": "passwd", - "hostPath": { - "path": "/usr/share/nginx"} - }, - { "name": "logs", - "hostPath": { - "path": "/var/logs/nginx"} - } -] -}} diff --git a/cluster/saltbase/salt/openvpn-client/client.conf b/cluster/saltbase/salt/openvpn-client/client.conf deleted file mode 100644 index a6207624474..00000000000 --- a/cluster/saltbase/salt/openvpn-client/client.conf +++ /dev/null 
@@ -1,53 +0,0 @@ -# Specify that we are a client and that we -# will be pulling certain config file directives -# from the server. -client - -# Use the same setting as you are using on -# the server. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -dev tun - -# Are we connecting to a TCP or -# UDP server? Use the same setting as -# on the server. -proto udp - -# The hostname/IP and port of the server. -# You can have multiple remote entries -# to load balance between the servers. -remote {{ salt['mine.get']('roles:kubernetes-master', 'network.ip_addrs', 'grain').keys()[0] }} 1194 - -# Keep trying indefinitely to resolve the -# host name of the OpenVPN server. Very useful -# on machines which are not permanently connected -# to the internet such as laptops. -resolv-retry infinite - -# Most clients don't need to bind to -# a specific local port number. -nobind - -# Try to preserve some state across restarts. -persist-key -persist-tun - -# SSL/TLS parms. -# See the server config file for more -# description. It's best to use -# a separate .crt/.key file pair -# for each client. A single ca -# file can be used for all clients. -ca /etc/openvpn/ca.crt -cert /etc/openvpn/client.crt -key /etc/openvpn/client.key - -# Enable compression on the VPN link. -# Don't enable this unless it is also -# enabled in the server config file. -comp-lzo - -# Set log file verbosity. -verb 3 diff --git a/cluster/saltbase/salt/openvpn-client/init.sls b/cluster/saltbase/salt/openvpn-client/init.sls deleted file mode 100644 index c0dbc04b06a..00000000000 --- a/cluster/saltbase/salt/openvpn-client/init.sls +++ /dev/null 
@@ -1,16 +0,0 @@ -/etc/openvpn/client.conf: - file.managed: - - source: salt://openvpn-client/client.conf - - template: jinja - - user: root - - group: root - - mode: 644 - - makedirs: True - -openvpn: - pkg: - - latest - service.running: - - enable: True - - watch: - - file: /etc/openvpn/client.conf diff --git a/cluster/saltbase/salt/openvpn/init.sls b/cluster/saltbase/salt/openvpn/init.sls deleted file mode 100644 index ab6bed41980..00000000000 --- a/cluster/saltbase/salt/openvpn/init.sls +++ /dev/null @@ -1,31 +0,0 @@ -/etc/openvpn/server.conf: - file.managed: - - source: salt://openvpn/server.conf - - template: jinja - - user: root - - group: root - - mode: 644 - - makedirs: True - -{% for minion in salt['mine.get']('roles:kubernetes-pool', 'grains.items', expr_form='grain').values() %} -/etc/openvpn/ccd/{{ minion['hostnamef'] }}: - file.managed: - - contents: "iroute {{ minion['cbr-string'] }}\n" - - user: root - - group: root - - mode: 644 - - makedirs: True -{% endfor %} - -openssl dhparam -out /etc/openvpn/dh1024.pem 1024: - cmd.run: - - creates: /etc/openvpn/dh1024.pem - - unless: file /etc/openvpn/dh1024.pem - -openvpn: - pkg: - - latest - service.running: - - enable: True - - watch: - - file: /etc/openvpn/server.conf diff --git a/cluster/saltbase/salt/openvpn/server.conf b/cluster/saltbase/salt/openvpn/server.conf deleted file mode 100644 index 64ae567de86..00000000000 --- a/cluster/saltbase/salt/openvpn/server.conf +++ /dev/null 
@@ -1,123 +0,0 @@ -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. -port 1194 - -# TCP or UDP server? -proto udp - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap0" if you are ethernet bridging -# and have precreated a tap0 virtual interface -# and bridged it with your ethernet interface. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -dev tun - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). -ca /etc/openvpn/ca.crt -cert /etc/openvpn/server.crt -key /etc/openvpn/server.key # This file should be kept secret - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -dh /etc/openvpn/dh1024.pem - -# Configure server mode and supply a VPN subnet -# for OpenVPN to draw client addresses from. -# The server will take 10.8.0.1 for itself, -# the rest will be made available to clients. 
-# Each client will be able to reach the server -# on 10.8.0.1. Comment this line out if you are -# ethernet bridging. See the man page for more info. -server 10.8.0.0 255.255.255.0 - -# Maintain a record of client <-> virtual IP address -# associations in this file. If OpenVPN goes down or -# is restarted, reconnecting clients can be assigned -# the same virtual IP address from the pool that was -# previously assigned. -ifconfig-pool-persist ipp.txt - -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). - -client-config-dir /etc/openvpn/ccd - -{% for minion in salt['mine.get']('roles:kubernetes-pool', 'grains.items', expr_form='grain').values() %} -push "route {{ minion['cbr-string'] }}" -route {{ minion['cbr-string'] }} -{% endfor %} - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. -client-to-client - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. -keepalive 10 120 - -# Enable compression on the VPN link. -# If you enable it here, you must also -# enable it in the client config file. -comp-lzo - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - -# Output a short status file showing -# current connections, truncated -# and rewritten every minute. 
-status openvpn-status.log - -# Set the appropriate level of log -# file verbosity. -# -# 0 is silent, except for fatal errors -# 4 is reasonable for general usage -# 5 and 6 can help to debug connection problems -# 9 is extremely verbose -verb 3 diff --git a/cluster/saltbase/salt/top.sls b/cluster/saltbase/salt/top.sls index 3cf3b787502..e517778a77e 100644 --- a/cluster/saltbase/salt/top.sls +++ b/cluster/saltbase/salt/top.sls @@ -19,9 +19,6 @@ base: - cni {% elif pillar.get('network_provider', '').lower() == 'cni' %} - cni -{% endif %} -{% if grains['cloud'] is defined and grains['cloud'] == 'azure-legacy' %} - - openvpn-client {% endif %} - helpers - kube-client-tools @@ -67,10 +64,6 @@ base: - logrotate {% endif %} - kube-addons -{% if grains['cloud'] is defined and grains['cloud'] == 'azure-legacy' %} - - openvpn - - nginx -{% endif %} {% if grains['cloud'] is defined and grains['cloud'] in [ 'vagrant', 'gce', 'aws', 'photon-controller', 'openstack', 'azure-legacy'] %} - docker - kubelet