# Vendored from nixpkgs git 44ad80ab1036c5cc83ada4bfa451dac9939f2a10
# Copyright (c) 2003-2023 Eelco Dolstra and the Nixpkgs/NixOS contributors
# SPDX-License-Identifier: MIT

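{ config, lib, pkgs, ... }:

with lib;

let
  # Shorthands: the top-level Kubernetes module and this sub-module's options.
  top = config.services.kubernetes;
  cfg = top.controllerManager;
in
{
  imports = [
    # Backwards-compatible aliases for the pre-rename option names.
    (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"])
    (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"])
  ];

  ###### interface
  options.services.kubernetes.controllerManager = with lib.types; {

    allocateNodeCIDRs = mkOption {
      description = "Whether to automatically allocate CIDR ranges for cluster nodes.";
      default = true;
      type = bool;
    };

    # Defaults to loopback, so the controller manager's listeners are not
    # reachable from other hosts unless this is changed deliberately.
    bindAddress = mkOption {
      description = "Kubernetes controller manager listening address.";
      default = "127.0.0.1";
      type = str;
    };

    # Inherits the cluster-wide value; the flag is only emitted when non-null
    # (see ExecStart below).
    clusterCidr = mkOption {
      description = "Kubernetes CIDR Range for Pods in cluster.";
      default = top.clusterCidr;
      type = str;
    };

    enable = mkEnableOption "Kubernetes controller manager";

    # Appended verbatim to the command line, after every generated flag.
    extraOpts = mkOption {
      description = "Kubernetes controller manager extra command line options.";
      default = "";
      type = str;
    };

    # Each entry is passed to --feature-gates. A bare gate name is enabled
    # ("<name>=true"); an entry that already contains "=" (e.g. "<name>=false")
    # is passed through unchanged, so a gate can also be explicitly disabled.
    featureGates = mkOption {
      description = "List set of feature gates";
      default = top.featureGates;
      type = listOf str;
    };

    # 0 keeps the unauthenticated plain-HTTP listener switched off.
    # NOTE(review): upstream removed the --port flag from kube-controller-manager
    # in a later release (the insecure listener had already been a no-op); if
    # top.package is that new the flag may be rejected — confirm against the
    # packaged version.
    insecurePort = mkOption {
      description = "Kubernetes controller manager insecure listening port.";
      default = 0;
      type = int;
    };

    kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager";

    leaderElect = mkOption {
      description = "Whether to start leader election before executing main loop.";
      type = bool;
      default = true;
    };

    # CA bundle that the token controller embeds into service account token
    # secrets; defaults to the cluster CA from the top-level module.
    rootCaFile = mkOption {
      description = ''
        Kubernetes controller manager certificate authority file included in
        service account's token secret.
      '';
      default = top.caFile;
      type = nullOr path;
    };

    # NOTE(review): 10252 is the value this module has used historically; the
    # upstream binary's own default for the secure port differs, so keep
    # firewall rules and metrics scrapers in sync with this option rather than
    # with upstream documentation.
    securePort = mkOption {
      description = "Kubernetes controller manager secure listening port.";
      default = 10252;
      type = int;
    };

    # Private key used to sign service account tokens; must match the public
    # key the API server verifies with. When null the flag is omitted.
    serviceAccountKeyFile = mkOption {
      description = ''
        Kubernetes controller manager PEM-encoded private RSA key file used to
        sign service account tokens
      '';
      default = null;
      type = nullOr path;
    };

    # Serving certificate/key for the secure port. When null the flags are
    # omitted and the binary falls back to its own (self-signed) behaviour.
    tlsCertFile = mkOption {
      description = "Kubernetes controller-manager certificate file.";
      default = null;
      type = nullOr path;
    };

    tlsKeyFile = mkOption {
      description = "Kubernetes controller-manager private key file.";
      default = null;
      type = nullOr path;
    };

    verbosity = mkOption {
      description = ''
        Optional glog verbosity level for logging statements. See
        <link xlink:href="https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md"/>
      '';
      default = null;
      type = nullOr int;
    };

  };

  ###### implementation
  config = mkIf cfg.enable {
    systemd.services.kube-controller-manager = {
      description = "Kubernetes Controller Manager Service";
      wantedBy = [ "kubernetes.target" ];
      after = [ "kube-apiserver.service" ];
      serviceConfig = {
        RestartSec = "30s";
        Restart = "on-failure";
        Slice = "kubernetes.slice";
        # Optional flags are only emitted when their option is set, so the
        # binary's own defaults apply otherwise.
        # --use-service-account-credentials is passed only when the API server
        # authorizes with RBAC: each controller then acts under its own service
        # account instead of the controller manager's shared identity, which
        # keeps the permissions of individual controllers separately auditable
        # and bounded.
        # cfg.extraOpts is interpolated verbatim at the end of the command line.
        ExecStart = ''${top.package}/bin/kube-controller-manager \
          --allocate-node-cidrs=${boolToString cfg.allocateNodeCIDRs} \
          --bind-address=${cfg.bindAddress} \
          ${optionalString (cfg.clusterCidr!=null)
            "--cluster-cidr=${cfg.clusterCidr}"} \
          ${optionalString (cfg.featureGates != [])
            "--feature-gates=${concatMapStringsSep "," (feature: if hasInfix "=" feature then feature else "${feature}=true") cfg.featureGates}"} \
          --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \
          --leader-elect=${boolToString cfg.leaderElect} \
          ${optionalString (cfg.rootCaFile!=null)
            "--root-ca-file=${cfg.rootCaFile}"} \
          --port=${toString cfg.insecurePort} \
          --secure-port=${toString cfg.securePort} \
          ${optionalString (cfg.serviceAccountKeyFile!=null)
            "--service-account-private-key-file=${cfg.serviceAccountKeyFile}"} \
          ${optionalString (cfg.tlsCertFile!=null)
            "--tls-cert-file=${cfg.tlsCertFile}"} \
          ${optionalString (cfg.tlsKeyFile!=null)
            "--tls-private-key-file=${cfg.tlsKeyFile}"} \
          ${optionalString (elem "RBAC" top.apiserver.authorizationMode)
            "--use-service-account-credentials"} \
          ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
          ${cfg.extraOpts}
        '';
        WorkingDirectory = top.dataDir;
        # Runs unprivileged as the dedicated kubernetes user/group.
        User = "kubernetes";
        Group = "kubernetes";
      };
      path = top.path;
    };

    # Certificates issued by the cluster PKI module: a serving certificate for
    # the secure port and a client certificate whose CN is the well-known
    # controller-manager identity that the cluster's RBAC policy is expected to
    # bind. Either certificate being renewed restarts the service.
    services.kubernetes.pki.certs = with top.lib; {
      controllerManager = mkCert {
        name = "kube-controller-manager";
        CN = "kube-controller-manager";
        action = "systemctl restart kube-controller-manager.service";
      };
      controllerManagerClient = mkCert {
        name = "kube-controller-manager-client";
        CN = "system:kube-controller-manager";
        action = "systemctl restart kube-controller-manager.service";
      };
    };

    # mkDefault so a configuration can point the kubeconfig at another endpoint.
    services.kubernetes.controllerManager.kubeconfig.server = mkDefault top.apiserverAddress;
  };
}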