# Vendored from nixpkgs git 44ad80ab1036c5cc83ada4bfa451dac9939f2a10
# Copyright (c) 2003-2023 Eelco Dolstra and the Nixpkgs/NixOS contributors
# SPDX-License-Identifier: MIT

# NixOS module for the Kubernetes controller manager.
#
# Declares the options under services.kubernetes.controllerManager and, when
# `enable` is set, produces the kube-controller-manager systemd unit, the PKI
# certificates the controller manager requests from the cluster PKI helper,
# and a default kubeconfig server address.
{ config, lib, pkgs, ... }:

with lib;

let
  # `top` is the whole services.kubernetes tree (shared package, data dir,
  # cluster-wide defaults and the `lib` helpers); `cfg` is this module's own
  # option subtree.
  top = config.services.kubernetes;
  cfg = top.controllerManager;
in
{
  imports = [
    # Backwards-compatible spellings of older option names, mapped onto
    # bindAddress and insecurePort below.
    (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "address" ] ["services" "kubernetes" "controllerManager" "bindAddress"])
    (mkRenamedOptionModule [ "services" "kubernetes" "controllerManager" "port" ] ["services" "kubernetes" "controllerManager" "insecurePort"])
  ];

  ###### interface
  options.services.kubernetes.controllerManager = with lib.types; {

    # Passed as --allocate-node-cidrs.
    allocateNodeCIDRs = mkOption {
      description = "Whether to automatically allocate CIDR ranges for cluster nodes.";
      default = true;
      type = bool;
    };

    # Passed as --bind-address. The loopback default keeps the listener off
    # the network; widen it to a non-loopback address only deliberately.
    bindAddress = mkOption {
      description = "Kubernetes controller manager listening address.";
      default = "127.0.0.1";
      type = str;
    };

    # Passed as --cluster-cidr when non-null; inherits the cluster-wide value.
    clusterCidr = mkOption {
      description = "Kubernetes CIDR Range for Pods in cluster.";
      default = top.clusterCidr;
      type = str;
    };

    enable = mkEnableOption "Kubernetes controller manager";

    # Appended verbatim (no quoting or escaping) at the very end of ExecStart.
    extraOpts = mkOption {
      description = "Kubernetes controller manager extra command line options.";
      default = "";
      type = str;
    };

    # Each entry is passed as `<name>=true` inside --feature-gates; the flag is
    # omitted entirely when the list is empty. Inherits the cluster-wide list.
    featureGates = mkOption {
      description = "List set of feature gates";
      default = top.featureGates;
      type = listOf str;
    };

    # Passed as --port. 0 (the default) disables the insecure listener.
    # NOTE(review): recent kube-controller-manager releases removed --port
    # altogether, so a non-zero value — or the flag itself — may be rejected
    # depending on top.package's version; confirm before relying on it.
    insecurePort = mkOption {
      description = "Kubernetes controller manager insecure listening port.";
      default = 0;
      type = int;
    };

    # Rendered into a kubeconfig file by top.lib.mkKubeConfig and passed as
    # --kubeconfig; its `server` is defaulted to top.apiserverAddress below.
    kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager";

    # Passed as --leader-elect.
    leaderElect = mkOption {
      description = "Whether to start leader election before executing main loop.";
      type = bool;
      default = true;
    };

    # Passed as --root-ca-file when non-null; defaults to the cluster CA.
    # NOTE: interpolating a Nix *path* value into the ExecStart string below
    # copies that file into the world-readable Nix store. That is harmless for
    # a CA certificate but not for the key files that follow; give those as
    # string paths to files outside the store, readable by the `kubernetes`
    # service user.
    rootCaFile = mkOption {
      description = ''
        Kubernetes controller manager certificate authority file included in
        service account's token secret.
      '';
      default = top.caFile;
      type = nullOr path;
    };

    # Passed as --secure-port.
    # NOTE(review): 10252 is the number upstream historically used for the
    # *insecure* listener; upstream's own default for --secure-port is 10257.
    # Confirm which number firewall rules and metrics scrapers expect.
    securePort = mkOption {
      description = "Kubernetes controller manager secure listening port.";
      default = 10252;
      type = int;
    };

    # Passed as --service-account-private-key-file when non-null. This key
    # signs service-account tokens, so treat it as a cluster-wide secret: keep
    # it out of the Nix store (string path, not a path literal) and readable
    # only by the `kubernetes` user the unit runs as.
    serviceAccountKeyFile = mkOption {
      description = ''
        Kubernetes controller manager PEM-encoded private RSA key file used to
        sign service account tokens
      '';
      default = null;
      type = nullOr path;
    };

    # Passed as --tls-cert-file when non-null, otherwise omitted. Nothing in
    # this file wires the `controllerManager` PKI cert declared below into
    # this option; presumably the pki module does so — verify there.
    tlsCertFile = mkOption {
      description = "Kubernetes controller-manager certificate file.";
      default = null;
      type = nullOr path;
    };

    # Passed as --tls-private-key-file when non-null, otherwise omitted. Same
    # store/permission caveat as serviceAccountKeyFile.
    tlsKeyFile = mkOption {
      description = "Kubernetes controller-manager private key file.";
      default = null;
      type = nullOr path;
    };

    # Passed as --v when non-null.
    verbosity = mkOption {
      description = ''
        Optional glog verbosity level for logging statements. See
        <link xlink:href="https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md"/>
      '';
      default = null;
      type = nullOr int;
    };

  };

  ###### implementation
  config = mkIf cfg.enable {
    # Ordered after the apiserver unit and restarted on failure with a 30s
    # back-off; placed in the shared kubernetes.slice.
    systemd.services.kube-controller-manager = {
      description = "Kubernetes Controller Manager Service";
      wantedBy = [ "kubernetes.target" ];
      after = [ "kube-apiserver.service" ];
      serviceConfig = {
        RestartSec = "30s";
        Restart = "on-failure";
        Slice = "kubernetes.slice";
        # Optional flags are emitted only when their option is non-null /
        # non-empty. --use-service-account-credentials is added whenever the
        # apiserver authorizes with RBAC, so that (per upstream) each
        # controller runs with its own service-account identity rather than
        # the controller manager's. cfg.extraOpts goes last, unquoted.
        ExecStart = ''${top.package}/bin/kube-controller-manager \
          --allocate-node-cidrs=${boolToString cfg.allocateNodeCIDRs} \
          --bind-address=${cfg.bindAddress} \
          ${optionalString (cfg.clusterCidr!=null)
            "--cluster-cidr=${cfg.clusterCidr}"} \
          ${optionalString (cfg.featureGates != [])
            "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
          --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \
          --leader-elect=${boolToString cfg.leaderElect} \
          ${optionalString (cfg.rootCaFile!=null)
            "--root-ca-file=${cfg.rootCaFile}"} \
          --port=${toString cfg.insecurePort} \
          --secure-port=${toString cfg.securePort} \
          ${optionalString (cfg.serviceAccountKeyFile!=null)
            "--service-account-private-key-file=${cfg.serviceAccountKeyFile}"} \
          ${optionalString (cfg.tlsCertFile!=null)
            "--tls-cert-file=${cfg.tlsCertFile}"} \
          ${optionalString (cfg.tlsKeyFile!=null)
            "--tls-private-key-file=${cfg.tlsKeyFile}"} \
          ${optionalString (elem "RBAC" top.apiserver.authorizationMode)
            "--use-service-account-credentials"} \
          ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
          ${cfg.extraOpts}
        '';
        WorkingDirectory = top.dataDir;
        # Runs as the dedicated kubernetes user/group rather than root; every
        # file path passed above must therefore be readable by that user.
        User = "kubernetes";
        Group = "kubernetes";
      };
      path = top.path;
    };

    # Certificates requested from the cluster PKI helper: a serving cert and a
    # client cert whose CN `system:kube-controller-manager` is the identity
    # upstream's default RBAC bindings grant the controller-manager role to.
    # `action` is presumably run by the pki module whenever a cert is
    # (re)issued — verify there.
    services.kubernetes.pki.certs = with top.lib; {
      controllerManager = mkCert {
        name = "kube-controller-manager";
        CN = "kube-controller-manager";
        action = "systemctl restart kube-controller-manager.service";
      };
      controllerManagerClient = mkCert {
        name = "kube-controller-manager-client";
        CN = "system:kube-controller-manager";
        action = "systemctl restart kube-controller-manager.service";
      };
    };

    # Low-priority (mkDefault) default so a user-supplied server wins.
    services.kubernetes.controllerManager.kubeconfig.server = mkDefault top.apiserverAddress;
  };
}