[MediaWiki-commits] [Gerrit] operations/puppet[production]: k8s::controller: support service account token signing
Alexandros Kosiaris has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/386754 ) Change subject: k8s::controller: support service account token signing .. k8s::controller: support service account token signing Allow passing the --service-account-private-key-file parameter to controller manager, which will make the controller manager create secrets and tokens for serviceaccounts. Default it to undef so that we maintain backwards compatibility. The feature is enabled via a hiera flag Bug: T177393 Change-Id: Iac29e0b7cabe1f39ee5e49cbc901ce0a2d9c9567 --- M modules/k8s/manifests/controller.pp M modules/k8s/templates/kube-controller-manager.default.erb M modules/profile/manifests/kubernetes/master.pp 3 files changed, 14 insertions(+), 4 deletions(-) Approvals: Alexandros Kosiaris: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/k8s/manifests/controller.pp b/modules/k8s/manifests/controller.pp index d84c65d..e8064f1 100644 --- a/modules/k8s/manifests/controller.pp +++ b/modules/k8s/manifests/controller.pp @@ -1,4 +1,7 @@ -class k8s::controller { +class k8s::controller( +$service_account_private_key_file=undef, +){ + require_package('kubernetes-master') file { '/etc/default/kube-controller-manager': diff --git a/modules/k8s/templates/kube-controller-manager.default.erb b/modules/k8s/templates/kube-controller-manager.default.erb index 2bf7270..52a975a 100644 --- a/modules/k8s/templates/kube-controller-manager.default.erb +++ b/modules/k8s/templates/kube-controller-manager.default.erb @@ -3,5 +3,9 @@ # ## defaults from config and apiserver should be adequate # This is the default anyway in 1.4 at least, but specify to ensure backwards compatibility -DAEMON_ARGS="--leader-elect=true" -# +DAEMON_ARGS=" \ +--leader-elect=true \ +<%- if @service_account_private_key_file -%> +--service_account_private_key_file=<%= @service_account_private_key_file -%> \ +<%- end -%> +" 
diff --git a/modules/profile/manifests/kubernetes/master.pp b/modules/profile/manifests/kubernetes/master.pp index ec99a56..f3a14be 100644 --- a/modules/profile/manifests/kubernetes/master.pp +++ b/modules/profile/manifests/kubernetes/master.pp @@ -12,6 +12,7 @@ $ssl_cert_path=hiera('profile::kubernetes::master::ssl_cert_path'), $ssl_key_path=hiera('profile::kubernetes::master::ssl_cert_path'), $authz_mode=hiera('profile::kubernetes::master::authz_mode'), + $service_account_private_key_file=hiera('profile::kubernetes::master::service_account_private_key_file', undef), ){ if $expose_puppet_certs { base::expose_puppet_certs { '/etc/kubernetes': @@ -43,7 +44,9 @@ } class { '::k8s::scheduler': } -class { '::k8s::controller': } +class { '::k8s::controller': +service_account_private_key_file => $service_account_private_key_file, +} if $accessible_to == 'all' { -- To view, visit https://gerrit.wikimedia.org/r/386754 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Iac29e0b7cabe1f39ee5e49cbc901ce0a2d9c9567 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros KosiarisGerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: Gehel Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
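Review bot: the new `$service_account_private_key_file=undef` parameter in `k8s::controller` is passed straight through with no validation and no doc comment, although it names the key that can mint a token for any ServiceAccount in the cluster. When it is set, validate it as an absolute path (`validate_absolute_path($service_account_private_key_file)` under the module's existing stdlib conventions) and either manage the file here with root-only 0400 permissions or document in a class header who provisions it and with what mode; the hunk starts at line 1 of the file, so there is currently no header comment describing the parameter at all.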
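Review bot: the template emits `--service_account_private_key_file=` with underscores while the commit message and the neighbouring `--leader-elect=true` use dashes. Kubernetes normalises underscores to dashes in flag names, so the daemon still starts, but the spelling is inconsistent and relies on that normalisation; write it as `--service-account-private-key-file=<%= @service_account_private_key_file -%>` to match the documented flag. The value is also interpolated unquoted inside DAEMON_ARGS, so a path containing whitespace would be split into two arguments; acceptable for the absolute paths this is meant for, but worth a comment in the template.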
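Review bot: this wires the private key into the controller manager only; none of the three files in the change gives kube-apiserver the matching public key (`--service-account-key-file`), and an apiserver that is not told otherwise verifies ServiceAccount tokens against its own TLS private key, so tokens signed with a new dedicated key will be rejected unless the apiserver side is configured elsewhere. Either pass the public half to the apiserver from this same profile or say in the commit message where that happens. Separately, the unchanged context line `$ssl_key_path=hiera('profile::kubernetes::master::ssl_cert_path')` reads the cert-path hiera key for the TLS private key path, which looks like a copy-paste error worth a follow-up change.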
[MediaWiki-commits] [Gerrit] operations/puppet[production]: k8s::controller: support service account token signing
Alexandros Kosiaris has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/386754 ) Change subject: k8s::controller: support service account token signing .. k8s::controller: support service account token signing Allow passing the --service-account-private-key-file parameter to controller manager, which will make the controller manager create secrets and tokens for serviceaccounts. Default it to undef so that we maintain backwards compatibility. The feature is enabled via a hiera flag Bug: T177393 Change-Id: Iac29e0b7cabe1f39ee5e49cbc901ce0a2d9c9567 --- M modules/k8s/manifests/controller.pp M modules/k8s/templates/kube-controller-manager.default.erb M modules/profile/manifests/kubernetes/master.pp 3 files changed, 14 insertions(+), 4 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/54/386754/1 diff --git a/modules/k8s/manifests/controller.pp b/modules/k8s/manifests/controller.pp index 8078d8d..af1d03d 100644 --- a/modules/k8s/manifests/controller.pp +++ b/modules/k8s/manifests/controller.pp @@ -1,4 +1,7 @@ -class k8s::controller { +class k8s::controller( +$service_account_private_key_file=undef, +){ + require_package('kubernetes-master') file { '/etc/default/kube-controller-manager': diff --git a/modules/k8s/templates/kube-controller-manager.default.erb b/modules/k8s/templates/kube-controller-manager.default.erb index 2bf7270..52a975a 100644 --- a/modules/k8s/templates/kube-controller-manager.default.erb +++ b/modules/k8s/templates/kube-controller-manager.default.erb @@ -3,5 +3,9 @@ # ## defaults from config and apiserver should be adequate # This is the default anyway in 1.4 at least, but specify to ensure backwards compatibility -DAEMON_ARGS="--leader-elect=true" -# +DAEMON_ARGS=" \ +--leader-elect=true \ +<%- if @service_account_private_key_file -%> +--service_account_private_key_file=<%= @service_account_private_key_file -%> \ +<%- end -%> +" 
diff --git a/modules/profile/manifests/kubernetes/master.pp b/modules/profile/manifests/kubernetes/master.pp index ec99a56..f3a14be 100644 --- a/modules/profile/manifests/kubernetes/master.pp +++ b/modules/profile/manifests/kubernetes/master.pp @@ -12,6 +12,7 @@ $ssl_cert_path=hiera('profile::kubernetes::master::ssl_cert_path'), $ssl_key_path=hiera('profile::kubernetes::master::ssl_cert_path'), $authz_mode=hiera('profile::kubernetes::master::authz_mode'), + $service_account_private_key_file=hiera('profile::kubernetes::master::service_account_private_key_file', undef), ){ if $expose_puppet_certs { base::expose_puppet_certs { '/etc/kubernetes': @@ -43,7 +44,9 @@ } class { '::k8s::scheduler': } -class { '::k8s::controller': } +class { '::k8s::controller': +service_account_private_key_file => $service_account_private_key_file, +} if $accessible_to == 'all' { -- To view, visit https://gerrit.wikimedia.org/r/386754 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iac29e0b7cabe1f39ee5e49cbc901ce0a2d9c9567 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Alexandros Kosiaris___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
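Before setting profile::kubernetes::master::service_account_private_key_file in hiera, a practitioner would want to confirm two things the change itself does not check: that the key the controller manager signs with is readable only by root, and that it is the private half of the public key the apiserver verifies tokens with. The POSIX shell check below is an added example, not part of this Gerrit change or of the operations/puppet repository; `check_sa_key`, the temporary key pairs it generates with openssl, and the assumption that the apiserver is handed a separate public-key file are all this example's own.

```shell
set -u

# check_sa_key PRIVATE_KEY PUBLIC_KEY
# Returns 0 when PRIVATE_KEY is a valid RSA private key readable only by its
# owner and PUBLIC_KEY is its public half; otherwise prints the first failing
# check and returns 1. (Hypothetical helper, not from the puppet module.)
check_sa_key() {
    priv=$1
    pub=$2

    [ -f "$priv" ] || { echo "missing private key: $priv"; return 1; }

    # Anyone who can read this key can sign a token for any ServiceAccount,
    # so the group/other permission bits must be zero.
    mode=$(stat -c '%a' "$priv" 2>/dev/null || stat -f '%OLp' "$priv")
    case "$mode" in
        600|400) ;;
        *) echo "$priv has mode $mode, expected 0600 or 0400"; return 1 ;;
    esac

    # The controller manager cannot sign with a key it cannot parse; catch
    # that before puppet restarts the daemon with the new DAEMON_ARGS.
    openssl rsa -in "$priv" -check -noout >/dev/null 2>&1 \
        || { echo "$priv is not a valid RSA private key"; return 1; }

    # Tokens are verified by the apiserver with its public key, so the two
    # halves must belong together: derive the public key from the private
    # one and compare it with the key the apiserver will be given.
    derived=$(openssl pkey -in "$priv" -pubout 2>/dev/null)
    given=$(openssl pkey -pubin -in "$pub" -pubout 2>/dev/null) \
        || { echo "cannot read public key: $pub"; return 1; }
    [ "$derived" = "$given" ] \
        || { echo "$pub is not the public half of $priv"; return 1; }

    return 0
}

# Constructed fixture (not real cluster material): fresh key pairs in a
# temp dir, one correct and one that is both world-readable and unrelated.
WORK=$(mktemp -d)
openssl genrsa -out "$WORK/sa.key" 2048 2>/dev/null
chmod 0600 "$WORK/sa.key"
openssl pkey -in "$WORK/sa.key" -pubout -out "$WORK/sa.pub" 2>/dev/null

openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
chmod 0644 "$WORK/other.key"   # deliberately too permissive
openssl pkey -in "$WORK/other.key" -pubout -out "$WORK/other.pub" 2>/dev/null

check_sa_key "$WORK/sa.key" "$WORK/sa.pub"        # passes: matching pair, 0600
check_sa_key "$WORK/sa.key" "$WORK/other.pub"     # fails: apiserver key mismatch
check_sa_key "$WORK/other.key" "$WORK/other.pub"  # fails: key readable by others
```

On a real master the two arguments would be the hiera value for the controller manager and the file passed to the apiserver as `--service-account-key-file`; running the check from the puppet change's reviewer seat, rather than after the daemon restart, is what turns a silent token-verification failure into a pre-merge finding.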