a70c3b661e
* Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Add loadbalancer_apiserver_localhost (default false). If enabled, override the external LB and expect localhost:443/8080 to be new internal only frontends. * Add kube_apiserver_multiaccess to ignore loadbalancers, and make clients to access the apiservers as a comma-separated list of access_ip/ip/ansible ip (a default mode). When disabled, allow clients to use the given loadbalancers. * Define connections security mode for kube controllers, schedulers, proxies. It is insecure be default, which is the current deployment choice. * Rework the groups['kube-master'][0] hardcode defining the apiserver endpoints. * Improve grouping of vars and add facts for kube_apiserver. * Define kube_apiserver_insecure_bind_address as a fact, add more facts for ease of use. Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
58 lines
2.5 KiB
Django/Jinja
58 lines
2.5 KiB
Django/Jinja
###
|
|
# kubernetes system config
|
|
#
|
|
# The following values are used to configure the kube-apiserver
|
|
|
|
{% if ansible_service_mgr in ["sysvinit","upstart"] %}
|
|
# Logging directory
|
|
KUBE_LOGGING="--log-dir={{ kube_log_dir }} --logtostderr=true"
|
|
{% else %}
|
|
# logging to stderr means we get it in the systemd journal
|
|
KUBE_LOGGING="--logtostderr=true"
|
|
{% endif %}
|
|
|
|
# Apiserver Log level, 0 is debug
|
|
KUBE_LOG_LEVEL="--v={{ kube_log_level | default('2') }}"
|
|
|
|
# Should this cluster be allowed to run privileged docker containers
|
|
KUBE_ALLOW_PRIV="--allow_privileged=true"
|
|
|
|
# The port on the local server to listen on.
|
|
KUBE_API_PORT="--insecure-port={{kube_apiserver_insecure_port}} --secure-port={{ kube_apiserver_port }}"
|
|
|
|
# Insecure API address (default is localhost)
|
|
KUBE_API_INSECURE_BIND="--insecure-bind-address={{ kube_apiserver_insecure_bind_address }}"
|
|
|
|
# Address range to use for services
|
|
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range={{ kube_service_addresses }}"
|
|
|
|
# Location of the etcd cluster
|
|
KUBE_ETCD_SERVERS="--etcd_servers={{ etcd_access_endpoint }}"
|
|
|
|
# Bind address for secure endpoint
|
|
KUBE_API_ADDRESS="--bind-address={{ ip | default(ansible_default_ipv4.address) }}"
|
|
|
|
# default admission control policies
|
|
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota"
|
|
|
|
# RUNTIME API CONFIGURATION (e.g. enable extensions)
|
|
KUBE_RUNTIME_CONFIG="{% if kube_api_runtime_config is defined %}{% for conf in kube_api_runtime_config %}--runtime-config={{ conf }} {% endfor %}{% endif %}"
|
|
|
|
# TLS CONFIGURATION
|
|
KUBE_TLS_CONFIG="--tls_cert_file={{ kube_cert_dir }}/apiserver.pem --tls_private_key_file={{ kube_cert_dir }}/apiserver-key.pem --client_ca_file={{ kube_cert_dir }}/ca.pem"
|
|
|
|
# Add you own!
|
|
KUBE_API_ARGS="--token_auth_file={{ kube_token_dir }}/known_tokens.csv --basic-auth-file={{ kube_users_dir }}/known_users.csv --service_account_key_file={{ kube_cert_dir }}/apiserver-key.pem --advertise-address={{ kube_apiserver_address }}"
|
|
|
|
{% if cloud_provider is defined and cloud_provider == "openstack" %}
|
|
KUBELET_CLOUDPROVIDER="--cloud-provider={{ cloud_provider }} --cloud-config={{ kube_config_dir }}/cloud_config"
|
|
{% else %}
|
|
{# TODO: gce and aws don't need the cloud provider to be set? #}
|
|
KUBELET_CLOUDPROVIDER=""
|
|
{% endif %}
|
|
|
|
{% if ansible_service_mgr in ["sysvinit","upstart"] %}
|
|
DAEMON_ARGS="$KUBE_LOGGING $KUBE_LOG_LEVEL $KUBE_ALLOW_PRIV $KUBE_API_PORT $KUBE_API_INSECURE_BIND \
|
|
$KUBE_SERVICE_ADDRESSES $KUBE_ETCD_SERVERS $KUBE_ADMISSION_CONTROL $KUBE_RUNTIME_CONFIG \
|
|
$KUBE_TLS_CONFIG $KUBE_API_ARGS $KUBELET_CLOUDPROVIDER"
|
|
{% endif %}
|