authorJaka Hudoklin <jakahudoklin@gmail.com>2017-05-26 23:21:17 +0200
committerRobin Gloster <mail@glob.in>2017-09-24 11:44:25 +0200
commit7dfeac88aca9b83d8a4f5815aa4b88b34dd7ea23 (patch)
tree75af6b69a4fa3525ab45ade3b1fdb2f604828574 /nixos/tests/kubernetes/kubernetes-common.nix
parent8e14e978c8965db3378c57450d1177c03865554e (diff)
kubernetes module: flannel support, minor fixes
- add flannel support
- remove deprecated authorizationRBACSuperAdmin option
- rename from deprecated portalNet to serviceClusterIpRange
- add nodeIp option for kubelet
- kubelet, add br_netfilter to kernelModules
- enable firewall by default
- enable dns by default on node and on master
- disable iptables for docker by default on nodes
- dns, restart on failure
- update tests

and other minor changes
Diffstat (limited to 'nixos/tests/kubernetes/kubernetes-common.nix')
-rw-r--r--nixos/tests/kubernetes/kubernetes-common.nix75
1 files changed, 8 insertions, 67 deletions
diff --git a/nixos/tests/kubernetes/kubernetes-common.nix b/nixos/tests/kubernetes/kubernetes-common.nix
index bc28244ad5b4..9f9e730fa655 100644
--- a/nixos/tests/kubernetes/kubernetes-common.nix
+++ b/nixos/tests/kubernetes/kubernetes-common.nix
@@ -1,4 +1,5 @@
 { config, pkgs, certs, servers }:
+
 let
   etcd_key = "${certs}/etcd-key.pem";
   etcd_cert = "${certs}/etcd.pem";
@@ -9,8 +10,6 @@ let
   worker_key = "${certs}/worker-key.pem";
   worker_cert = "${certs}/worker.pem";
 
-  mkDockerOpts = "${pkgs.kubernetes.src}/cluster/centos/node/bin/mk-docker-opts.sh";
-
   rootCaFile = pkgs.writeScript "rootCaFile.pem" ''
     ${pkgs.lib.readFile "${certs}/ca.pem"}
 
@@ -26,16 +25,9 @@ in
   environment.systemPackages = with pkgs; [ netcat bind etcd.bin ];
 
   networking = {
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        10250 80 443
-      ];
-      allowedUDPPorts = [
-        8285  # flannel udp
-        8472  # flannel vxlan
-      ];
-    };
+    firewall.allowedTCPPorts = [
+      10250 # kubelet
+    ];
     extraHosts = ''
       # register "external" domains
       ${servers.master} etcd.kubernetes.nixos.xyz
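Review bot: The new `firewall.allowedTCPPorts = [ 10250 ]` drops `firewall.enable = true` and the flannel UDP ports 8285/8472 without recording where they are now set; the commit message says the module now enables the firewall and carries flannel support, so the test presumably relies on those module defaults, but nothing on the new side says so. A comment next to the list, e.g. `# firewall.enable and flannel's UDP ports are expected to be set by the kubernetes module`, would make that dependency explicit. Ports 80 and 443 are also no longer opened here; if the apiserver is still reached on 443 from the workers (the kubeconfig change later in this diff suggests so), confirm the master's own configuration opens it. The `networking` set continues past the end of this hunk.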
@@ -43,42 +35,7 @@ in
       ${mkHosts}
     '';
   };
-  virtualisation.docker.extraOptions = ''
-    --iptables=false $DOCKER_OPTS
-  '';
-
-  # lets create environment file for docker startup - network stuff
-  systemd.services."pre-docker" = {
-    description = "Pre-Docker Actions";
-    wantedBy = [ "flannel.service" ];
-    before = [ "docker.service" ];
-    after = [ "flannel.service" ];
-    path = [ pkgs.gawk pkgs.gnugrep ];
-    script = ''
-      mkdir -p /run/flannel
-      # bashInteractive needed for `compgen`
-      ${pkgs.bashInteractive}/bin/bash ${mkDockerOpts} -d /run/flannel/docker
-      cat /run/flannel/docker  # just for debugging
-
-      # allow container to host communication for DNS traffic
-      ${pkgs.iptables}/bin/iptables -I nixos-fw -p tcp -m tcp -i docker0 --dport 53 -j nixos-fw-accept
-      ${pkgs.iptables}/bin/iptables -I nixos-fw -p udp -m udp -i docker0 --dport 53 -j nixos-fw-accept
-    '';
-    serviceConfig.Type = "simple";
-  };
-  systemd.services.docker.serviceConfig.EnvironmentFile = "/run/flannel/docker";
-
-  services.flannel = {
-    enable = true;
-    network = "10.2.0.0/16";
-    iface = "eth1";
-    etcd = {
-      endpoints = ["https://etcd.kubernetes.nixos.xyz:2379"];
-      keyFile = etcd_client_key;
-      certFile = etcd_client_cert;
-      caFile = ca_pem;
-    };
-  };
+  services.flannel.iface = "eth1";
   environment.variables = {
     ETCDCTL_CERT_FILE = "${etcd_client_cert}";
     ETCDCTL_KEY_FILE = "${etcd_client_key}";
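Review bot: `services.flannel.iface = "eth1";` replaces a block that also carried flannel's etcd TLS material (`keyFile`, `certFile`, `caFile`) and its `network = "10.2.0.0/16"` range; neither reappears on the new side of this file, so the test now depends on the module deriving them, presumably from `services.kubernetes.etcd` and the module's network defaults. A one-line comment such as `# etcd endpoints/TLS and the flannel network come from the kubernetes module's flannel integration` would stop a later reader from assuming flannel now talks to etcd without client certificates. The removed `--iptables=false` docker option and the `pre-docker` rules accepting DNS on docker0 are likewise gone; if container-to-host DNS on port 53 is still required, that is now a module concern and worth a mention. The `environment.variables` set continues past this hunk.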
@@ -88,20 +45,10 @@ in
 
   services.kubernetes = {
     kubelet = {
-      networkPlugin = "cni";
-      cni.config = [{
-        name = "mynet";
-        type = "flannel";
-        delegate = {
-          isDefaultGateway = true;
-          bridge = "docker0";
-        };
-      }];
       tlsKeyFile = worker_key;
       tlsCertFile = worker_cert;
       hostname = "${config.networking.hostName}.nixos.xyz";
-      extraOpts = "--node-ip ${config.networking.primaryIPAddress}";
-      clusterDns = config.networking.primaryIPAddress;
+      nodeIp = config.networking.primaryIPAddress;
     };
     etcd = {
       servers = ["https://etcd.kubernetes.nixos.xyz:2379"];
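Review bot: Dropping `clusterDns = config.networking.primaryIPAddress;` while the test still forwards the cluster domain to `127.0.0.1#4453` via dnsmasq changes where pods resolve names: whichever default the module now picks for clusterDns must still reach the node-local dnsmasq, otherwise that forwarding rule is dead. Worth confirming and recording next to `nodeIp`, e.g. `# clusterDns left to the module default; dnsmasq below forwards the cluster domain to the local kube-dns port`. The old `extraOpts = "--node-ip ..."` is removed together with the new `nodeIp` option, so the flag now depends entirely on the module declaring and honouring that option name; a mismatch would silently drop `--node-ip`. The `kubelet` set is entirely within the hunk; `services.kubernetes` continues past it.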
@@ -110,22 +57,16 @@ in
       caFile = ca_pem;
     };
     kubeconfig = {
-      server = "https://kubernetes.nixos.xyz:4443";
+      server = "https://kubernetes.nixos.xyz";
       caFile = rootCaFile;
       certFile = worker_cert;
       keyFile = worker_key;
     };
+    flannel.enable = true;
 
-    # make sure you cover kubernetes.apiserver.portalNet and flannel networks
-    clusterCidr = "10.0.0.0/8";
-
-    dns.enable = true;
     dns.port = 4453;
   };
 
   services.dnsmasq.enable = true;
   services.dnsmasq.servers = ["/${config.services.kubernetes.dns.domain}/127.0.0.1#4453"];
-
-  virtualisation.docker.enable = true;
-  virtualisation.docker.storageDriver = "overlay";
 }
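Review bot: `server = "https://kubernetes.nixos.xyz"` silently moves the worker kubeconfig from port 4443 to the implicit 443, and nothing in this file says which apiserver port that corresponds to. A short comment, `# apiserver is now reached on the default https port (443); keep in sync with the master's apiserver port`, would tie the two together. Likewise `clusterCidr` and its reminder to cover the service range and the flannel network are removed alongside `flannel.enable = true;`, so the test now relies entirely on the module's defaults for those ranges not overlapping; restating that next to `flannel.enable` would preserve the warning the old comment carried.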