Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge netmaster and auth_proxy #206

Merged
merged 1 commit into from
Jul 11, 2017
Merged

Merge netmaster and auth_proxy #206

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
99 changes: 7 additions & 92 deletions install/k8s/k8s1.6/contiv.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,10 +89,8 @@ metadata:
name: contiv-config
namespace: kube-system
data:
# The location of your cluster store. This is set to the
# avdertise-client value below from the contiv-etcd service.
# Change it to an external etcd/consul instance if required.
cluster_store: "etcd://__NETMASTER_IP__:6666"
vlan_if: "__VLAN_IF__"
# The CNI network configuration to install on each node.
cni_config: |-
{
Expand Down Expand Up @@ -146,10 +144,12 @@ spec:
image: contiv/netplugin:__CONTIV_VERSION__
args:
- -pkubernetes
- -x
env:
- name: VLAN_IF
value: __VLAN_IF__
valueFrom:
configMapKeyRef:
name: contiv-config
key: vlan_if
- name: VTEP_IP
valueFrom:
fieldRef:
Expand Down Expand Up @@ -184,12 +184,6 @@ spec:
- mountPath: /var/contiv
name: var-contiv
readOnly: false
- mountPath: /etc/kubernetes/pki
name: etc-kubernetes-pki
readOnly: false
- mountPath: /etc/kubernetes/ssl
name: etc-kubernetes-ssl
readOnly: false
- mountPath: /opt/cni/bin
name: cni-bin-dir
readOnly: false
Expand All @@ -210,12 +204,6 @@ spec:
- name: var-contiv
hostPath:
path: /var/contiv
- name: etc-kubernetes-pki
hostPath:
path: /etc/kubernetes/pki
- name: etc-kubernetes-ssl
hostPath:
path: /etc/kubernetes/ssl
# Used to install CNI.
- name: cni-bin-dir
hostPath:
Expand Down Expand Up @@ -249,7 +237,6 @@ spec:
# The netmaster must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
hostPID: true
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
Expand All @@ -273,88 +260,17 @@ spec:
configMapKeyRef:
name: contiv-config
key: config
securityContext:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we able to drop the privileged requirement here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

netmaster does not need to be a privileged container. It has k8s 1.6 RBAC to ask for the privileges it needs.

privileged: true
volumeMounts:
- mountPath: /etc/openvswitch
name: etc-openvswitch
readOnly: false
- mountPath: /lib/modules
name: lib-modules
readOnly: false
- mountPath: /var/run
name: var-run
readOnly: false
- mountPath: /var/contiv
name: var-contiv
readOnly: false
- mountPath: /etc/kubernetes/ssl
name: etc-kubernetes-ssl
readOnly: false
- mountPath: /opt/cni/bin
name: cni-bin-dir
readOnly: false
volumes:
# Used by contiv-netmaster
- name: etc-openvswitch
hostPath:
path: /etc/openvswitch
- name: lib-modules
hostPath:
path: /lib/modules
- name: var-run
hostPath:
path: /var/run
- name: var-contiv
hostPath:
path: /var/contiv
- name: etc-kubernetes-ssl
hostPath:
path: /etc/kubernetes/ssl
- name: cni-bin-dir
hostPath:
path: /opt/cni/bin
---

# This manifest deploys the Contiv API Proxy Server on Kubernetes.
apiVersion: extensions/v1beta1
kind: ReplicaSet
metadata:
name: contiv-api-proxy
namespace: kube-system
labels:
k8s-app: contiv-api-proxy
spec:
# The API proxy should have 1, 3, 5 nodes of which one is active at any given time.
# More nodes are desired in a production environment for HA.
replicas: 1
template:
metadata:
name: contiv-api-proxy
namespace: kube-system
labels:
k8s-app: contiv-api-proxy
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
# The API proxy must run in the host network namespace so that
# it isn't governed by policy that would prevent it from working.
hostNetwork: true
hostPID: true
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
nodeSelector:
node-role.kubernetes.io/master: ""
serviceAccountName: contiv-netmaster
containers:
- name: contiv-api-proxy
image: contiv/auth_proxy:__CONTIV_VERSION__
args:
- --tls-key-file=/var/contiv/auth_proxy_key.pem
- --tls-certificate=/var/contiv/auth_proxy_cert.pem
- --data-store-address=$(CONTIV_ETCD)
- --netmaster-address=__NETMASTER_IP__:9999
- --netmaster-address=localhost:9999
Copy link
Contributor

@rchirakk rchirakk Jul 11, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

localhost:9999
is it going to work when listen URL is specified for netmaster?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is part of #196 which is in review as well.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

env:
- name: NO_NETMASTER_STARTUP_CHECK
value: "0"
Expand All @@ -370,9 +286,8 @@ spec:
name: var-contiv
readOnly: false
volumes:
# Used by contiv-netmaster
- name: var-contiv
hostPath:
path: /var/contiv

---