fd83ec6526
* Enforce a etcd-proxy role to a k8s-cluster group members. This provides an HA layout for all of the k8s cluster internal clients. * Proxies to be run on each node in the group as a separate etcd instances with a readwrite proxy mode and listen the given endpoint, which is either the access_ip:2379 or the localhost:2379. * A notion for the 'kube_etcd_multiaccess' is: ignore endpoints and loadbalancers and use the etcd members IPs as a comma-separated list. Otherwise, clients shall use the local endpoint provided by a etcd-proxy instances on each etcd node. A Netwroking plugins always use that access mode. * Fix apiserver's etcd servers args to use the etcd_access_endpoint. * Fix networking plugins flannel/calico to use the etcd_endpoint. * Fix name env var for non masters to be set as well. * Fix etcd_client_url was not used anywhere and other etcd_* facts evaluation was duplicated in a few places. * Define proxy modes only in the env file, if not a master. Del an automatic proxy mode decisions for etcd nodes in init/unit scripts. * Use Wants= instead of Requires= as "This is the recommended way to hook start-up of one unit to the start-up of another unit" * Make apiserver/calico Wants= etcd-proxy to keep it always up Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com> Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
52 lines
1.8 KiB
Django/Jinja
52 lines
1.8 KiB
Django/Jinja
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: kube-apiserver
|
|
spec:
|
|
hostNetwork: true
|
|
containers:
|
|
- name: kube-apiserver
|
|
image: {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
|
|
command:
|
|
- /hyperkube
|
|
- apiserver
|
|
- --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
|
|
- --etcd-servers={{ etcd_access_endpoint }}
|
|
- --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
|
|
- --service-cluster-ip-range={{ kube_service_addresses }}
|
|
- --client-ca-file={{ kube_cert_dir }}/ca.pem
|
|
- --basic-auth-file={{ kube_users_dir }}/known_users.csv
|
|
- --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
|
|
- --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
|
- --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
|
|
- --secure-port={{ kube_apiserver_port }}
|
|
- --insecure-port={{ kube_apiserver_insecure_port }}
|
|
{% if kube_api_runtime_config is defined %}
|
|
{% for conf in kube_api_runtime_config %}
|
|
- --runtime-config={{ conf }}
|
|
{% endfor %}
|
|
{% endif %}
|
|
- --token-auth-file={{ kube_token_dir }}/known_tokens.csv
|
|
- --v={{ kube_log_level | default('2') }}
|
|
- --allow-privileged=true
|
|
ports:
|
|
- containerPort: {{ kube_apiserver_port }}
|
|
hostPort: {{ kube_apiserver_port }}
|
|
name: https
|
|
- containerPort: {{ kube_apiserver_insecure_port }}
|
|
hostPort: {{ kube_apiserver_insecure_port }}
|
|
name: local
|
|
volumeMounts:
|
|
- mountPath: {{ kube_config_dir }}
|
|
name: kubernetes-config
|
|
readOnly: true
|
|
- mountPath: /etc/ssl/certs
|
|
name: ssl-certs-host
|
|
readOnly: true
|
|
volumes:
|
|
- hostPath:
|
|
path: {{ kube_config_dir }}
|
|
name: kubernetes-config
|
|
- hostPath:
|
|
path: /etc/ssl/certs/
|
|
name: ssl-certs-host
|