From c9d70104619ce9ea3e1a6a297a5a316adcdf0683 Mon Sep 17 00:00:00 2001
From: Abhishek Shah
Date: Thu, 9 Apr 2015 14:35:07 -0700
Subject: [PATCH] kube-apiserver in a pod.
---
cluster/saltbase/salt/kube-apiserver/default | 63 -------
cluster/saltbase/salt/kube-apiserver/init.sls | 85 +++------
cluster/saltbase/salt/kube-apiserver/initd | 121 -------------
.../kube-apiserver/kube-apiserver.manifest | 170 ++++++++++++++++++
.../kube-apiserver/kube-apiserver.service | 11 --
5 files changed, 191 insertions(+), 259 deletions(-)
delete mode 100644 cluster/saltbase/salt/kube-apiserver/default
delete mode 100644 cluster/saltbase/salt/kube-apiserver/initd
create mode 100644 cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
delete mode 100644 cluster/saltbase/salt/kube-apiserver/kube-apiserver.service
diff --git a/cluster/saltbase/salt/kube-apiserver/default b/cluster/saltbase/salt/kube-apiserver/default
deleted file mode 100644
index d2d13db1742..00000000000
--- a/cluster/saltbase/salt/kube-apiserver/default
+++ /dev/null
@@ -1,63 +0,0 @@ -{% set daemon_args = "$DAEMON_ARGS" -%} -{% if grains['os_family'] == 'RedHat' -%} - {% set daemon_args = "" -%} -{% endif -%} - -{% set cloud_provider = "" -%} -{% set cloud_config = "" -%} - -{% if grains.cloud is defined -%} -{% set cloud_provider = "--cloud_provider=" + grains.cloud -%} - -{% if grains.cloud == 'gce' -%} - {% if grains.cloud_config is defined -%} - {% set cloud_config = "--cloud_config=" + grains.cloud_config -%} - {% endif -%} - -{% elif grains.cloud == 'aws' -%} - {% set cloud_config = "--cloud_config=/etc/aws.conf" -%} -{% endif -%} - -{% endif -%} # grains.cloud is defined - -{% set address = "--address=127.0.0.1" -%} - -{% if pillar['instance_prefix'] is defined -%} - {% set cluster_name = "--cluster_name=" + pillar['instance_prefix'] -%} -{% endif -%} - -{% set publicAddressOverride = "" -%} -{% if grains.publicAddressOverride is defined -%} - {% set publicAddressOverride = "--public_address_override=" + grains.publicAddressOverride -%} -{% endif -%} - -{% set etcd_servers = "--etcd_servers=http://127.0.0.1:4001" -%} - -{% if pillar['portal_net'] is defined -%} - {% set portal_net = "--portal_net=" + pillar['portal_net'] -%} -{% endif -%} - -{% set cert_file = "--tls_cert_file=/srv/kubernetes/server.cert" -%} -{% set key_file = "--tls_private_key_file=/srv/kubernetes/server.key" -%} - -{% set secure_port = "--secure_port=6443" -%} -{% set token_auth_file = "--token_auth_file=/dev/null" -%} - -{% if grains.cloud is defined -%} -{% if grains.cloud in [ 'aws', 'gce', 'vagrant' ] -%} - # TODO: generate and distribute tokens for other cloud providers. 
- {% set token_auth_file = "--token_auth_file=/srv/kubernetes/known_tokens.csv" -%} -{% endif -%} -{% endif -%} - -{% set admission_control = "" -%} -{% if pillar['admission_control'] is defined -%} - {% set admission_control = "--admission_control=" + pillar['admission_control'] -%} -{% endif -%} - -{% set runtime_config = "" -%} -{% if grains.runtime_config is defined -%} - {% set runtime_config = "--runtime_config=" + grains.runtime_config -%} -{% endif -%} - -DAEMON_ARGS="{{daemon_args}} {{address}} {{etcd_servers}} {{ cloud_provider }} {{ cloud_config }} {{ runtime_config }} {{admission_control}} --allow_privileged={{pillar['allow_privileged']}} {{portal_net}} {{cluster_name}} {{cert_file}} {{key_file}} {{secure_port}} {{token_auth_file}} {{publicAddressOverride}} {{pillar['log_level']}}" diff --git a/cluster/saltbase/salt/kube-apiserver/init.sls b/cluster/saltbase/salt/kube-apiserver/init.sls index b829d449669..cdcf80bf02f 100644 --- a/cluster/saltbase/salt/kube-apiserver/init.sls +++ b/cluster/saltbase/salt/kube-apiserver/init.sls @@ -1,16 +1,13 @@ -{% if grains['os_family'] == 'RedHat' %} -{% set environment_file = '/etc/sysconfig/kube-apiserver' %} -{% else %} -{% set environment_file = '/etc/default/kube-apiserver' %} -{% endif %} - -{{ environment_file }}: +{% if grains.cloud is defined %} +{% if grains.cloud in ['aws', 'gce', 'vagrant'] %} +# TODO: generate and distribute tokens on other cloud providers. +/srv/kubernetes/known_tokens.csv: file.managed: - - source: salt://kube-apiserver/default - - template: jinja - - user: root - - group: root - - mode: 644 + - source: salt://kube-apiserver/known_tokens.csv +# - watch_in: +# - service: kube-apiserver +{% endif %} +{% endif %} /usr/local/bin/kube-apiserver: file.managed: 
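Review bot: The rewritten `/srv/kubernetes/known_tokens.csv` state in init.sls sets only `source`, so the bearer-token file no longer has an explicit owner or mode; the state it replaces (removed in the next hunk) pinned `user: kube-apiserver`, `group: kube-apiserver` and `mode: 400`. With no mode given, the permissions are left to Salt's defaults and to whatever is already on disk, which may leave the tokens readable by other local users on the master. Since this commit removes the dedicated account, I would add `- user: root`, `- group: root` and `- mode: 400` under `file.managed`, assuming the apiserver container reads the `/srv/kubernetes` mount as root. The commented-out `watch_in` also means a token change no longer restarts the apiserver, so a short comment should say how a rotated token file is expected to take effect.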
@@ -19,59 +16,19 @@ - group: root - mode: 755 -{% if grains['os_family'] == 'RedHat' %} - -/usr/lib/systemd/system/kube-apiserver.service: +# Copy kube-apiserver manifest to manifests folder for kubelet. +/etc/kubernetes/manifests/kube-apiserver.manifest: file.managed: - - source: salt://kube-apiserver/kube-apiserver.service + - source: salt://kube-apiserver/kube-apiserver.manifest + - template: jinja - user: root - group: root + - mode: 644 + - makedirs: true + - dir_mode: 755 -{% else %} - -/etc/init.d/kube-apiserver: - file.managed: - - source: salt://kube-apiserver/initd - - user: root - - group: root - - mode: 755 - -{% endif %} - -{% if grains.cloud is defined %} -{% if grains.cloud in ['aws', 'gce', 'vagrant'] %} -# TODO: generate and distribute tokens on other cloud providers. -/srv/kubernetes/known_tokens.csv: - file.managed: - - source: salt://kube-apiserver/known_tokens.csv - - user: kube-apiserver - - group: kube-apiserver - - mode: 400 - - watch: - - user: kube-apiserver - - group: kube-apiserver - - watch_in: - - service: kube-apiserver -{% endif %} -{% endif %} - -kube-apiserver: - group.present: - - system: True - user.present: - - system: True - - gid_from_name: True - - groups: - - kube-cert - - shell: /sbin/nologin - - home: /var/kube-apiserver - - require: - - group: kube-apiserver - service.running: - - enable: True - - watch: - - file: {{ environment_file }} - - file: /usr/local/bin/kube-apiserver -{% if grains['os_family'] != 'RedHat' %} - - file: /etc/init.d/kube-apiserver -{% endif %} +#stop legacy kube-apiserver service +stop_kube-apiserver: + service.dead: + - name: kube-apiserver + - enable: None diff --git a/cluster/saltbase/salt/kube-apiserver/initd b/cluster/saltbase/salt/kube-apiserver/initd deleted file mode 100644 index 9db0f60932d..00000000000 --- a/cluster/saltbase/salt/kube-apiserver/initd +++ /dev/null 
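Review bot: `stop_kube-apiserver` stops the legacy service, but `- enable: None` does not disable it: as far as I know Salt treats an unset `enable` as "leave boot-time enablement unchanged", and a bare `None` in YAML is a string rather than null, so the intent is unclear either way. On an upgraded master `/etc/init.d/kube-apiserver` or `/usr/lib/systemd/system/kube-apiserver.service` is no longer managed by this state but is not removed either, so after a reboot the old daemon could come back with its previous arguments alongside the pod described by kube-apiserver.manifest. I would write `- enable: False` and add `file.absent` states for those two paths so that only one API server configuration can run.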
@@ -1,121 +0,0 @@ -#!/bin/bash -# -### BEGIN INIT INFO -# Provides: kube-apiserver -# Required-Start: $local_fs $network $syslog -# Required-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: The Kubernetes API server -# Description: -# The Kubernetes API server maintains docker state against a state file. -### END INIT INFO - - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="The Kubernetes API server" -NAME=kube-apiserver -DAEMON=/usr/local/bin/kube-apiserver -DAEMON_LOG_FILE=/var/log/$NAME.log -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME -DAEMON_USER=kube-apiserver - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.2-14) to ensure that this file is present -# and status_of_proc is working. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Raise the file descriptor limit - we expect to open a lot of sockets! - ulimit -n 65536 - - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --background --no-close \ - --make-pidfile --pidfile $PIDFILE \ - --exec $DAEMON -c $DAEMON_USER --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --background --no-close \ - --make-pidfile --pidfile $PIDFILE \ - --exec $DAEMON -c $DAEMON_USER -- \ - $DAEMON_ARGS >> $DAEMON_LOG_FILE 2>&1 \ - || return 2 -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" 
- [ "$RETVAL" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - - -case "$1" in - start) - log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) log_end_msg 0 || exit 0 ;; - 2) log_end_msg 1 || exit 1 ;; - esac - ;; - stop) - log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) log_end_msg 0 ;; - 2) exit 1 ;; - esac - ;; - status) - status_of_proc -p $PIDFILE "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - - restart|force-reload) - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac diff --git a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest new file mode 100644 index 00000000000..3acfd47dba2 --- /dev/null +++ b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest 
@@ -0,0 +1,170 @@
+{% set daemon_args = "$DAEMON_ARGS" -%}
+{% if grains['os_family'] == 'RedHat' -%}
+ {% set daemon_args = "" -%}
+{% endif -%}
+
+{% set cloud_provider = "" -%}
+{% set cloud_config = "" -%}
+
+{% if grains.cloud is defined -%}
+{% set cloud_provider = "--cloud_provider=" + grains.cloud -%}
+
+{% if grains.cloud == 'gce' -%}
+ {% if grains.cloud_config is defined -%}
+ {% set cloud_config = "--cloud_config=" + grains.cloud_config -%}
+ {% endif -%}
+
+{% elif grains.cloud == 'aws' -%}
+ {% set cloud_config = "--cloud_config=/etc/aws.conf" -%}
+{% endif -%}
+
+{% endif -%}
+
+{% set address = "--address=127.0.0.1" -%}
+
+{% if pillar['instance_prefix'] is defined -%}
+ {% set cluster_name = "--cluster_name=" + pillar['instance_prefix'] -%}
+{% endif -%}
+
+{% set publicAddressOverride = "" -%}
+{% if grains.publicAddressOverride is defined -%}
+ {% set publicAddressOverride = "--public_address_override=" + grains.publicAddressOverride -%}
+{% endif -%}
+
+{% set etcd_servers = "--etcd_servers=http://127.0.0.1:4001" -%}
+
+{% if pillar['portal_net'] is defined -%}
+ {% set portal_net = "--portal_net=" + pillar['portal_net'] -%}
+{% endif -%}
+
+{% set cert_file = "--tls_cert_file=/srv/kubernetes/server.cert" -%}
+{% set key_file = "--tls_private_key_file=/srv/kubernetes/server.key" -%}
+
+{% set secure_port = "--secure_port=6443" -%}
+{% set token_auth_file = "--token_auth_file=/dev/null" -%}
+
+{% if grains.cloud is defined -%}
+{% if grains.cloud in [ 'aws', 'gce', 'vagrant' ] -%}
+ {% set token_auth_file = "--token_auth_file=/srv/kubernetes/known_tokens.csv" -%}
+{% endif -%}
+{% endif -%}
+
+{% set admission_control = "" -%}
+{% if pillar['admission_control'] is defined -%}
+ {% set admission_control = "--admission_control=" + pillar['admission_control'] -%}
+{% endif -%}
+
+{% set runtime_config = "" -%}
+{% if grains.runtime_config is defined -%}
+ {% set runtime_config = "--runtime_config=" + grains.runtime_config -%}
+{% endif -%}
+
+{
+"apiVersion": "v1beta3",
+"kind": "Pod",
+"metadata": {"name":"kube-apiserver"},
+"spec":{
+"hostNetwork": true,
+"containers":[
+ {
+ "name": "kube-apiserver",
+ "image": "gcr.io/google_containers/kube-apiserver:{{pillar['kube-apiserver_docker_tag']}}",
+ "command": [
+ "/kube-apiserver",
+ "{{address}}",
+ "{{etcd_servers}}",
+ "{{ cloud_provider }}",
+ "{{ cloud_config }}",
+ "{{ runtime_config }}",
+ "{{admission_control}}",
+ "--allow_privileged={{pillar['allow_privileged']}}",
+ "{{portal_net}}",
+ "{{cluster_name}}",
+ "{{cert_file}}",
+ "{{key_file}}",
+ "{{secure_port}}",
+ "{{token_auth_file}}",
+ "{{publicAddressOverride}}",
+ "{{pillar['log_level']}}"
+ ],
+ "ports":[
+ { "name": "https",
+ "containerPort": 6443,
+ "hostPort": 6443},{
+ "name": "http",
+ "containerPort": 7080,
+ "hostPort": 7080},{
+ "name": "local",
+ "containerPort": 8080,
+ "hostPort": 8080}
+ ],
+ "volumeMounts": [
+ { "name": "srvkube",
+ "mountPath": "/srv/kubernetes",
+ "readOnly": true},
+ { "name": "etcssl",
+ "mountPath": "/etc/ssl",
+ "readOnly": true},
+ { "name": "usrsharessl",
+ "mountPath": "/usr/share/ssl",
+ "readOnly": true},
+ { "name": "varssl",
+ "mountPath": "/var/ssl",
+ "readOnly": true},
+ { "name": "usrssl",
+ "mountPath": "/usr/ssl",
+ "readOnly": true},
+ { "name": "usrlibssl",
+ "mountPath": "/usr/lib/ssl",
+ "readOnly": true},
+ { "name": "usrlocalopenssl",
+ "mountPath": "/usr/local/openssl",
+ "readOnly": true},
+ { "name": "etcopenssl",
+ "mountPath": "/etc/openssl",
+ "readOnly": true},
+ { "name": "etcpkitls",
+ "mountPath": "/etc/pki/tls",
+ "readOnly": true}
+ ]
+ }
+],
+"volumes":[
+ { "name": "srvkube",
+ "hostPath": {
+ "path": "/srv/kubernetes"}
+ },
+ { "name": "etcssl",
+ "hostPath": {
+ "path": "/etc/ssl"}
+ },
+ { "name": "usrsharessl",
+ "hostPath": {
+ "path": "/usr/share/ssl"}
+ },
+ { "name": "varssl",
+ "hostPath": {
+ "path": "/var/ssl"}
+ },
+ { "name": "usrssl",
+ "hostPath": {
+ "path": "/usr/ssl"}
+ },
+ { "name": "usrlibssl",
+ "hostPath": {
+ "path": "/usr/lib/ssl"}
+ },
+ { "name": "usrlocalopenssl",
+ "hostPath": {
+ "path": "/usr/local/openssl"}
+ },
+ { "name": "etcopenssl",
+ "hostPath": {
+ "path": "/etc/openssl"}
+ },
+ { "name": "etcpkitls",
+ "hostPath": {
+ "path": "/etc/pki/tls"}
+ }
+]
+}}
diff --git a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.service b/cluster/saltbase/salt/kube-apiserver/kube-apiserver.service
deleted file mode 100644
index 80575cafb6c..00000000000
--- a/cluster/saltbase/salt/kube-apiserver/kube-apiserver.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Kubernetes API Server
-Documentation=https://github.com/GoogleCloudPlatform/kubernetes
-
-[Service]
-EnvironmentFile=/etc/sysconfig/kube-apiserver
-ExecStart=/usr/local/bin/kube-apiserver "$DAEMON_ARGS"
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
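Review bot: In kube-apiserver.manifest the API server moves from a dedicated `kube-apiserver` system account (the removed init script started it with `-c $DAEMON_USER`) to a `hostNetwork` pod whose manifest names no user, so it runs as whatever the image defaults to, probably root, with `/srv/kubernetes` (server.key and known_tokens.csv) mounted from the host. That trade-off should be stated in a comment at the top of the template, for example `{# Runs on the host network as the image's default user; /srv/kubernetes holds the TLS key and token file and is mounted read-only. #}`. Separately, every optional flag is emitted as its own quoted element of `command`, so an unset `cloud_provider`, `cloud_config`, `runtime_config`, `admission_control` or `publicAddressOverride` renders as an empty `""` argument, and `portal_net` and `cluster_name` have no default at all; depending on how the binary's flag parser treats an empty positional argument, later flags such as `--token_auth_file` could be affected, so it is safer to emit only the non-empty entries. The `daemon_args` assignment at the top is not used anywhere in this file and can be dropped.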