[MediaWiki-commits] [Gerrit] operations/puppet[production]: k8s::controller: support service account token signing

2017-11-01 Thread Alexandros Kosiaris (Code Review)
Alexandros Kosiaris has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/386754 )

Change subject: k8s::controller: support service account token signing
..


k8s::controller: support service account token signing

Allow passing the --service-account-private-key-file parameter to
controller manager, which will make the controller manager create
secrets and tokens for serviceaccounts. Default it to undef so that we
maintain backwards compatibility. The feature is enabled via a hiera
flag

Bug: T177393
Change-Id: Iac29e0b7cabe1f39ee5e49cbc901ce0a2d9c9567
---
M modules/k8s/manifests/controller.pp
M modules/k8s/templates/kube-controller-manager.default.erb
M modules/profile/manifests/kubernetes/master.pp
3 files changed, 14 insertions(+), 4 deletions(-)

Approvals:
  Alexandros Kosiaris: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/k8s/manifests/controller.pp 
b/modules/k8s/manifests/controller.pp
index d84c65d..e8064f1 100644
--- a/modules/k8s/manifests/controller.pp
+++ b/modules/k8s/manifests/controller.pp
@@ -1,4 +1,7 @@
-class k8s::controller {
+class k8s::controller(
+$service_account_private_key_file=undef,
+){
+
 require_package('kubernetes-master')
 
 file { '/etc/default/kube-controller-manager':
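Review bot: the new `$service_account_private_key_file=undef` parameter in the class header is undocumented and unvalidated. A short comment saying that it is the path to the PEM private key the controller manager uses to sign service account tokens, plus an absolute-path check when the value is not undef, would catch a mistyped hiera value at catalog compile time rather than at daemon start.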
diff --git a/modules/k8s/templates/kube-controller-manager.default.erb 
b/modules/k8s/templates/kube-controller-manager.default.erb
index 2bf7270..52a975a 100644
--- a/modules/k8s/templates/kube-controller-manager.default.erb
+++ b/modules/k8s/templates/kube-controller-manager.default.erb
@@ -3,5 +3,9 @@
 #
 ## defaults from config and apiserver should be adequate
 # This is the default anyway in 1.4 at least, but specify to ensure backwards 
compatibility
-DAEMON_ARGS="--leader-elect=true"
-#
+DAEMON_ARGS=" \
+--leader-elect=true \
+<%- if @service_account_private_key_file -%>
+--service_account_private_key_file=<%= @service_account_private_key_file -%> \
+<%- end -%>
+"
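Review bot: the added line `--service_account_private_key_file=<%= ... -%>` spells the flag with underscores, while the commit message names it `--service-account-private-key-file`. This works only if the packaged kube-controller-manager normalises underscores in flag names to hyphens; using the hyphenated spelling removes that dependency and keeps the rendered defaults file consistent with `--leader-elect=true` on the line above.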
diff --git a/modules/profile/manifests/kubernetes/master.pp 
b/modules/profile/manifests/kubernetes/master.pp
index ec99a56..f3a14be 100644
--- a/modules/profile/manifests/kubernetes/master.pp
+++ b/modules/profile/manifests/kubernetes/master.pp
@@ -12,6 +12,7 @@
 $ssl_cert_path=hiera('profile::kubernetes::master::ssl_cert_path'),
 $ssl_key_path=hiera('profile::kubernetes::master::ssl_cert_path'),
 $authz_mode=hiera('profile::kubernetes::master::authz_mode'),
+
$service_account_private_key_file=hiera('profile::kubernetes::master::service_account_private_key_file',
 undef),
 ){
 if $expose_puppet_certs {
 base::expose_puppet_certs { '/etc/kubernetes':
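Review bot: the new `service_account_private_key_file` lookup is the only parameter in the visible list with a default, and it has no comment explaining that leaving it unset keeps token signing off. A one-line comment would help. While this parameter list is being touched, the unchanged context line `$ssl_key_path=hiera('profile::kubernetes::master::ssl_cert_path')` reads the certificate path key for the key path, which is worth confirming as intended, since the new value is another private-key path that operators may expect to match it.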
@@ -43,7 +44,9 @@
 }
 
 class { '::k8s::scheduler': }
-class { '::k8s::controller': }
+class { '::k8s::controller':
+service_account_private_key_file => $service_account_private_key_file,
+}
 
 
 if $accessible_to == 'all' {
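Review bot: in the `class { '::k8s::controller': ... }` declaration the signing key is wired only into the controller manager, and nothing in this hunk shows the API server being given the matching key for verification. kube-apiserver verifies service account tokens with `--service-account-key-file`, which falls back to its TLS private key when unset, so unless the hiera value points at that same key the tokens minted here will be rejected. A comment stating the expected relationship between the two files would make that constraint explicit.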

-- 
To view, visit https://gerrit.wikimedia.org/r/386754
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Iac29e0b7cabe1f39ee5e49cbc901ce0a2d9c9567
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: Gehel 
Gerrit-Reviewer: jenkins-bot <>

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] operations/puppet[production]: k8s::controller: support service account token signing

2017-10-26 Thread Alexandros Kosiaris (Code Review)
Alexandros Kosiaris has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/386754 )

Change subject: k8s::controller: support service account token signing
..

k8s::controller: support service account token signing

Allow passing the --service-account-private-key-file parameter to
controller manager, which will make the controller manager create
secrets and tokens for serviceaccounts. Default it to undef so that we
maintain backwards compatibility. The feature is enabled via a hiera
flag

Bug: T177393
Change-Id: Iac29e0b7cabe1f39ee5e49cbc901ce0a2d9c9567
---
M modules/k8s/manifests/controller.pp
M modules/k8s/templates/kube-controller-manager.default.erb
M modules/profile/manifests/kubernetes/master.pp
3 files changed, 14 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/54/386754/1

diff --git a/modules/k8s/manifests/controller.pp 
b/modules/k8s/manifests/controller.pp
index 8078d8d..af1d03d 100644
--- a/modules/k8s/manifests/controller.pp
+++ b/modules/k8s/manifests/controller.pp
@@ -1,4 +1,7 @@
-class k8s::controller {
+class k8s::controller(
+$service_account_private_key_file=undef,
+){
+
 require_package('kubernetes-master')
 
 file { '/etc/default/kube-controller-manager':
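Review bot: the parameter added in the class header names a private key file, but the only `file` resource visible here is `/etc/default/kube-controller-manager`, so nothing in this class manages the key's owner or mode. Anyone who can read that key can sign service account tokens, so consider managing the file here, or documenting where it is managed, with access limited to the user the controller manager runs as.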
diff --git a/modules/k8s/templates/kube-controller-manager.default.erb 
b/modules/k8s/templates/kube-controller-manager.default.erb
index 2bf7270..52a975a 100644
--- a/modules/k8s/templates/kube-controller-manager.default.erb
+++ b/modules/k8s/templates/kube-controller-manager.default.erb
@@ -3,5 +3,9 @@
 #
 ## defaults from config and apiserver should be adequate
 # This is the default anyway in 1.4 at least, but specify to ensure backwards 
compatibility
-DAEMON_ARGS="--leader-elect=true"
-#
+DAEMON_ARGS=" \
+--leader-elect=true \
+<%- if @service_account_private_key_file -%>
+--service_account_private_key_file=<%= @service_account_private_key_file -%> \
+<%- end -%>
+"
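Review bot: the `<%- if @service_account_private_key_file -%>` guard is true for any non-nil value, including an empty string, so a hiera value of '' would render `--service_account_private_key_file=` with no path. Testing for a non-empty value would be safer. The path is also interpolated unquoted into the double-quoted `DAEMON_ARGS`, so a value containing whitespace or shell metacharacters would change the resulting argument list; validating it as a plain absolute path before it reaches the template avoids that.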
diff --git a/modules/profile/manifests/kubernetes/master.pp 
b/modules/profile/manifests/kubernetes/master.pp
index ec99a56..f3a14be 100644
--- a/modules/profile/manifests/kubernetes/master.pp
+++ b/modules/profile/manifests/kubernetes/master.pp
@@ -12,6 +12,7 @@
 $ssl_cert_path=hiera('profile::kubernetes::master::ssl_cert_path'),
 $ssl_key_path=hiera('profile::kubernetes::master::ssl_cert_path'),
 $authz_mode=hiera('profile::kubernetes::master::authz_mode'),
+
$service_account_private_key_file=hiera('profile::kubernetes::master::service_account_private_key_file',
 undef),
 ){
 if $expose_puppet_certs {
 base::expose_puppet_certs { '/etc/kubernetes':
@@ -43,7 +44,9 @@
 }
 
 class { '::k8s::scheduler': }
-class { '::k8s::controller': }
+class { '::k8s::controller':
+service_account_private_key_file => $service_account_private_key_file,
+}
 
 
 if $accessible_to == 'all' {

-- 
To view, visit https://gerrit.wikimedia.org/r/386754
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iac29e0b7cabe1f39ee5e49cbc901ce0a2d9c9567
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris 
