// NewDefaultImageFormatArgs returns the default image template
func NewDefaultImageFormatArgs() *ImageFormatArgs {
config := &ImageFormatArgs{
ImageTemplate: variable.NewDefaultImageTemplate(),
}
return config
}
// InstallRegistry checks whether a registry is installed and installs one if not already installed
func (h *Helper) InstallRegistry(kubeClient kclient.Interface, f *clientcmd.Factory, configDir, images string, out io.Writer) error {
_, err := kubeClient.Services("default").Get(svcDockerRegistry)
if err == nil {
// If there's no error, the registry already exists
return nil
}
if !apierrors.IsNotFound(err) {
return errors.NewError("error retrieving docker registry service").WithCause(err)
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = images
cfg := ®istry.RegistryConfig{
Name: "registry",
Type: "docker-registry",
ImageTemplate: imageTemplate,
Ports: "5000",
Replicas: 1,
Labels: "docker-registry=default",
Volume: "/registry",
ServiceAccount: "registry",
}
cmd := registry.NewCmdRegistry(f, "", "registry", out)
output := &bytes.Buffer{}
err = registry.RunCmdRegistry(f, cmd, output, cfg, []string{})
glog.V(4).Infof("Registry command output:\n%s", output.String())
return err
}
// NewCmdRouter implements the OpenShift CLI router command.
func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out io.Writer) *cobra.Command {
cfg := &RouterConfig{
ImageTemplate: variable.NewDefaultImageTemplate(),
Labels: defaultLabel,
Ports: defaultPorts,
Replicas: 1,
StatsUsername: "******",
StatsPort: 1936,
HostNetwork: true,
}
cmd := &cobra.Command{
Use: fmt.Sprintf("%s [NAME]", name),
Short: "Install a router",
Long: routerLong,
Example: fmt.Sprintf(routerExample, parentName, name),
Run: func(cmd *cobra.Command, args []string) {
err := RunCmdRouter(f, cmd, out, cfg, args)
if err != errExit {
cmdutil.CheckErr(err)
} else {
os.Exit(1)
}
},
}
cmd.Flags().StringVar(&cfg.Type, "type", "haproxy-router", "The type of router to use - if you specify --images this flag may be ignored.")
cmd.Flags().StringVar(&cfg.ImageTemplate.Format, "images", cfg.ImageTemplate.Format, "The image to base this router on - ${component} will be replaced with --type")
cmd.Flags().BoolVar(&cfg.ImageTemplate.Latest, "latest-images", cfg.ImageTemplate.Latest, "If true, attempt to use the latest images for the router instead of the latest release.")
cmd.Flags().StringVar(&cfg.Ports, "ports", cfg.Ports, "A comma delimited list of ports or port pairs to expose on the router pod. The default is set for HAProxy.")
cmd.Flags().IntVar(&cfg.Replicas, "replicas", cfg.Replicas, "The replication factor of the router; commonly 2 when high availability is desired.")
cmd.Flags().StringVar(&cfg.Labels, "labels", cfg.Labels, "A set of labels to uniquely identify the router and its components.")
cmd.Flags().BoolVar(&cfg.DryRun, "dry-run", cfg.DryRun, "Exit with code 1 if the specified router does not exist.")
cmd.Flags().Bool("create", false, "deprecated; this is now the default behavior")
cmd.Flags().StringVar(&cfg.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.")
cmd.Flags().StringVar(&cfg.DefaultCertificate, "default-cert", cfg.DefaultCertificate, "Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.")
cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run routers on a specific set of nodes.")
cmd.Flags().StringVar(&cfg.ServiceAccount, "service-account", cfg.ServiceAccount, "Name of the service account to use to run the router pod.")
cmd.Flags().IntVar(&cfg.StatsPort, "stats-port", cfg.StatsPort, "If the underlying router implementation can provide statistics this is a hint to expose it on this port. Specify 0 if you want to turn off exposing the statistics.")
cmd.Flags().StringVar(&cfg.StatsPassword, "stats-password", cfg.StatsPassword, "If the underlying router implementation can provide statistics this is the requested password for auth. If not set a password will be generated.")
cmd.Flags().StringVar(&cfg.StatsUsername, "stats-user", cfg.StatsUsername, "If the underlying router implementation can provide statistics this is the requested username for auth.")
cmd.Flags().BoolVar(&cfg.HostNetwork, "host-network", cfg.HostNetwork, "If true (the default), then use host networking rather than using a separate container network stack.")
cmd.Flags().StringVar(&cfg.ExternalHost, "external-host", cfg.ExternalHost, "If the underlying router implementation connects with an external host, this is the external host's hostname.")
cmd.Flags().StringVar(&cfg.ExternalHostUsername, "external-host-username", cfg.ExternalHostUsername, "If the underlying router implementation connects with an external host, this is the username for authenticating with the external host.")
cmd.Flags().StringVar(&cfg.ExternalHostPassword, "external-host-password", cfg.ExternalHostPassword, "If the underlying router implementation connects with an external host, this is the password for authenticating with the external host.")
cmd.Flags().StringVar(&cfg.ExternalHostHttpVserver, "external-host-http-vserver", cfg.ExternalHostHttpVserver, "If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTP connections.")
cmd.Flags().StringVar(&cfg.ExternalHostHttpsVserver, "external-host-https-vserver", cfg.ExternalHostHttpsVserver, "If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTPS connections.")
cmd.Flags().StringVar(&cfg.ExternalHostPrivateKey, "external-host-private-key", cfg.ExternalHostPrivateKey, "If the underlying router implementation requires an SSH private key, this is the path to the private key file.")
cmd.Flags().BoolVar(&cfg.ExternalHostInsecure, "external-host-insecure", cfg.ExternalHostInsecure, "If the underlying router implementation connects with an external host over a secure connection, this causes the router to skip strict certificate verification with the external host.")
cmd.Flags().StringVar(&cfg.ExternalHostPartitionPath, "external-host-partition-path", cfg.ExternalHostPartitionPath, "If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.")
cmd.MarkFlagFilename("credentials", "kubeconfig")
cmdutil.AddPrinterFlags(cmd)
return cmd
}
func NewCmdIPFailoverConfig(f *clientcmd.Factory, parentName, name string, out, errout io.Writer) *cobra.Command {
options := &ipfailover.IPFailoverConfigCmdOptions{
Action: configcmd.BulkAction{
Out: out,
ErrOut: errout,
},
ImageTemplate: variable.NewDefaultImageTemplate(),
ServiceAccount: "ipfailover",
Selector: ipfailover.DefaultSelector,
ServicePort: ipfailover.DefaultServicePort,
WatchPort: ipfailover.DefaultWatchPort,
NetworkInterface: ipfailover.DefaultInterface,
VRRPIDOffset: 0,
Replicas: 1,
}
cmd := &cobra.Command{
Use: fmt.Sprintf("%s [NAME]", name),
Short: "Install an IP failover group to a set of nodes",
Long: ipFailover_long,
Example: fmt.Sprintf(ipFailover_example, parentName, name),
Run: func(cmd *cobra.Command, args []string) {
err := Run(f, options, cmd, args)
if err == cmdutil.ErrExit {
os.Exit(1)
}
kcmdutil.CheckErr(err)
},
}
cmd.Flags().StringVar(&options.Type, "type", ipfailover.DefaultType, "The type of IP failover configurator to use.")
cmd.Flags().StringVar(&options.ImageTemplate.Format, "images", options.ImageTemplate.Format, "The image to base this IP failover configurator on - ${component} will be replaced based on --type.")
cmd.Flags().BoolVar(&options.ImageTemplate.Latest, "latest-images", options.ImageTemplate.Latest, "If true, attempt to use the latest images instead of the current release")
cmd.Flags().StringVarP(&options.Selector, "selector", "l", options.Selector, "Selector (label query) to filter nodes on.")
cmd.Flags().StringVar(&options.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.")
cmd.Flags().StringVar(&options.ServiceAccount, "service-account", options.ServiceAccount, "Name of the service account to use to run the ipfailover pod.")
cmd.Flags().BoolVar(&options.Create, "create", options.Create, "If true, create the configuration if it does not exist.")
cmd.Flags().StringVar(&options.VirtualIPs, "virtual-ips", "", "A set of virtual IP ranges and/or addresses that the routers bind and serve on and provide IP failover capability for.")
cmd.Flags().StringVar(&options.NotifyScript, "notify-script", "", "Run this script when state changes.")
cmd.Flags().StringVar(&options.CheckScript, "check-script", "", "Run this script at the check-interval to verify service is OK")
cmd.Flags().IntVar(&options.CheckInterval, "check-interval", ipfailover.DefaultCheckInterval, "Run the check-script at this interval (seconds)")
cmd.Flags().StringVar(&options.IptablesChain, "iptables-chain", ipfailover.DefaultIptablesChain, "Add a rule to this iptables chain to accept 224.0.0.28 multicast packets if no rule exists. When iptables-chain is empty do not change iptables.")
cmd.Flags().StringVarP(&options.NetworkInterface, "interface", "i", "", "Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.")
cmd.Flags().IntVarP(&options.WatchPort, "watch-port", "w", ipfailover.DefaultWatchPort, "Port to monitor or watch for resource availability.")
cmd.Flags().IntVar(&options.VRRPIDOffset, "vrrp-id-offset", options.VRRPIDOffset, "Offset to use for setting ids of VRRP instances (default offset is 0). This allows multiple ipfailover instances to run within the same cluster.")
cmd.Flags().Int32VarP(&options.Replicas, "replicas", "r", options.Replicas, "The replication factor of this IP failover configuration; commonly 2 when high availability is desired. Please ensure this matches the number of nodes that satisfy the selector (or default selector) specified.")
// autocompletion hints
cmd.MarkFlagFilename("credentials", "kubeconfig")
cmd.Flags().MarkDeprecated("credentials", "use --service-account to specify the service account the ipfailover pod will use to make API calls")
options.Action.BindForOutput(cmd.Flags())
cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
return cmd
}
// NewCmdRegistry implements the OpenShift cli registry command
func NewCmdRegistry(f *clientcmd.Factory, parentName, name string, out io.Writer) *cobra.Command {
cfg := &RegistryConfig{
ImageTemplate: variable.NewDefaultImageTemplate(),
Name: "registry",
Labels: defaultLabel,
Ports: strconv.Itoa(defaultPort),
Volume: "/registry",
ServiceAccount: "registry",
Replicas: 1,
EnforceQuota: false,
}
cmd := &cobra.Command{
Use: name,
Short: "Install the integrated Docker registry",
Long: registryLong,
Example: fmt.Sprintf(registryExample, parentName, name),
Run: func(cmd *cobra.Command, args []string) {
opts := &RegistryOptions{
Config: cfg,
}
kcmdutil.CheckErr(opts.Complete(f, cmd, out, args))
err := opts.RunCmdRegistry()
if err == cmdutil.ErrExit {
os.Exit(1)
}
kcmdutil.CheckErr(err)
},
}
cmd.Flags().StringVar(&cfg.Type, "type", "docker-registry", "The registry image to use - if you specify --images this flag may be ignored.")
cmd.Flags().StringVar(&cfg.ImageTemplate.Format, "images", cfg.ImageTemplate.Format, "The image to base this registry on - ${component} will be replaced with --type")
cmd.Flags().BoolVar(&cfg.ImageTemplate.Latest, "latest-images", cfg.ImageTemplate.Latest, "If true, attempt to use the latest image for the registry instead of the latest release.")
cmd.Flags().StringVar(&cfg.Ports, "ports", cfg.Ports, fmt.Sprintf("A comma delimited list of ports or port pairs to expose on the registry pod. The default is set for %d.", defaultPort))
cmd.Flags().Int32Var(&cfg.Replicas, "replicas", cfg.Replicas, "The replication factor of the registry; commonly 2 when high availability is desired.")
cmd.Flags().StringVar(&cfg.Labels, "labels", cfg.Labels, "A set of labels to uniquely identify the registry and its components.")
cmd.Flags().StringVar(&cfg.Volume, "volume", cfg.Volume, "The volume path to use for registry storage; defaults to /registry which is the default for origin-docker-registry.")
cmd.Flags().StringVar(&cfg.HostMount, "mount-host", cfg.HostMount, "If set, the registry volume will be created as a host-mount at this path.")
cmd.Flags().Bool("create", false, "deprecated; this is now the default behavior")
cmd.Flags().StringVar(&cfg.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the registry should use to contact the master.")
cmd.Flags().StringVar(&cfg.ServiceAccount, "service-account", cfg.ServiceAccount, "Name of the service account to use to run the registry pod.")
cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run registries on a specific set of nodes.")
cmd.Flags().StringVar(&cfg.ServingCertPath, "tls-certificate", cfg.ServingCertPath, "An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS")
cmd.Flags().StringVar(&cfg.ServingKeyPath, "tls-key", cfg.ServingKeyPath, "An optional path to a PEM encoded private key for serving over TLS")
cmd.Flags().BoolVar(&cfg.DaemonSet, "daemonset", cfg.DaemonSet, "Use a daemonset instead of a deployment config.")
cmd.Flags().BoolVar(&cfg.EnforceQuota, "enforce-quota", cfg.EnforceQuota, "If set, the registry will refuse to write blobs if they exceed quota limits")
// autocompletion hints
cmd.MarkFlagFilename("credentials", "kubeconfig")
// Deprecate credentials
cmd.Flags().MarkDeprecated("credentials", "use --service-account to specify the service account the registry will use to make API calls")
cfg.Action.BindForOutput(cmd.Flags())
cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
return cmd
}
func makeIPFailoverConfigOptions(selector string, replicas int, serviceAccount string) *ipfailover.IPFailoverConfigCmdOptions {
return &ipfailover.IPFailoverConfigCmdOptions{
ImageTemplate: variable.NewDefaultImageTemplate(),
Selector: selector,
VirtualIPs: "",
WatchPort: 80,
NetworkInterface: "eth0",
Replicas: replicas,
ServiceAccount: serviceAccount,
}
}
// NewCmdRouter implements the OpenShift cli router command
func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out io.Writer) *cobra.Command {
cfg := &RouterConfig{
ImageTemplate: variable.NewDefaultImageTemplate(),
Labels: defaultLabel,
Ports: "80:80,443:443",
Replicas: 1,
StatsUsername: "******",
}
cmd := &cobra.Command{
Use: fmt.Sprintf("%s [NAME]", name),
Short: "Install an OpenShift router",
Long: routerLong,
Example: fmt.Sprintf(routerExample, parentName, name),
Run: func(cmd *cobra.Command, args []string) {
err := RunCmdRouter(f, cmd, out, cfg, args)
if err != errExit {
cmdutil.CheckErr(err)
} else {
os.Exit(1)
}
},
}
cmd.Flags().StringVar(&cfg.Type, "type", "haproxy-router", "The type of router to use - if you specify --images this flag may be ignored.")
cmd.Flags().StringVar(&cfg.ImageTemplate.Format, "images", cfg.ImageTemplate.Format, "The image to base this router on - ${component} will be replaced with --type")
cmd.Flags().BoolVar(&cfg.ImageTemplate.Latest, "latest-images", cfg.ImageTemplate.Latest, "If true, attempt to use the latest images for the router instead of the latest release.")
cmd.Flags().StringVar(&cfg.Ports, "ports", cfg.Ports, "A comma delimited list of ports or port pairs to expose on the router pod. The default is set for HAProxy.")
cmd.Flags().IntVar(&cfg.Replicas, "replicas", cfg.Replicas, "The replication factor of the router; commonly 2 when high availability is desired.")
cmd.Flags().StringVar(&cfg.Labels, "labels", cfg.Labels, "A set of labels to uniquely identify the router and its components.")
cmd.Flags().BoolVar(&cfg.DryRun, "dry-run", cfg.DryRun, "Exit with code 1 if the specified router does not exist.")
cmd.Flags().Bool("create", false, "deprecated; this is now the default behavior")
cmd.Flags().StringVar(&cfg.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.")
cmd.Flags().StringVar(&cfg.DefaultCertificate, "default-cert", cfg.DefaultCertificate, "Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.")
cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run routers on a specific set of nodes.")
cmd.Flags().StringVar(&cfg.ServiceAccount, "service-account", cfg.ServiceAccount, "Name of the service account to use to run the router pod.")
cmd.Flags().IntVar(&cfg.StatsPort, "stats-port", 1936, "If the underlying router implementation can provide statistics this is a hint to expose it on this port.")
cmd.Flags().StringVar(&cfg.StatsPassword, "stats-password", cfg.StatsPassword, "If the underlying router implementation can provide statistics this is the requested password for auth. If not set a password will be generated.")
cmd.Flags().StringVar(&cfg.StatsUsername, "stats-user", cfg.StatsUsername, "If the underlying router implementation can provide statistics this is the requested username for auth.")
cmd.MarkFlagFilename("credentials", "kubeconfig")
cmdutil.AddPrinterFlags(cmd)
return cmd
}
func NewDefaultCreateNodeConfigOptions() *CreateNodeConfigOptions {
options := &CreateNodeConfigOptions{SignerCertOptions: NewDefaultSignerCertOptions()}
options.VolumeDir = "openshift.local.volumes"
// TODO: replace me with a proper round trip of config options through decode
options.DNSDomain = "cluster.local"
options.APIServerURL = "https://localhost:8443"
options.APIServerCAFiles = []string{"openshift.local.config/master/ca.crt"}
options.NodeClientCAFile = "openshift.local.config/master/ca.crt"
options.ImageTemplate = variable.NewDefaultImageTemplate()
options.ListenAddr = flagtypes.Addr{Value: "0.0.0.0:10250", DefaultScheme: "https", DefaultPort: 10250, AllowPrefix: true}.Default()
options.NetworkPluginName = ""
return options
}
// NewCmdRegistry implements the OpenShift cli registry command
func NewCmdRegistry(f *clientcmd.Factory, parentName, name string, out io.Writer) *cobra.Command {
cfg := &RegistryConfig{
ImageTemplate: variable.NewDefaultImageTemplate(),
Labels: defaultLabel,
Ports: "5000",
Volume: "/registry",
Replicas: 1,
}
cmd := &cobra.Command{
Use: name,
Short: "Install the OpenShift Docker registry",
Long: registryLong,
Example: fmt.Sprintf(registryExample, parentName, name),
Run: func(cmd *cobra.Command, args []string) {
err := RunCmdRegistry(f, cmd, out, cfg, args)
if err != errExit {
cmdutil.CheckErr(err)
} else {
os.Exit(1)
}
},
}
cmd.Flags().StringVar(&cfg.Type, "type", "docker-registry", "The registry image to use - if you specify --images this flag may be ignored.")
cmd.Flags().StringVar(&cfg.ImageTemplate.Format, "images", cfg.ImageTemplate.Format, "The image to base this registry on - ${component} will be replaced with --type")
cmd.Flags().BoolVar(&cfg.ImageTemplate.Latest, "latest-images", cfg.ImageTemplate.Latest, "If true, attempt to use the latest image for the registry instead of the latest release.")
cmd.Flags().StringVar(&cfg.Ports, "ports", cfg.Ports, "A comma delimited list of ports or port pairs to expose on the registry pod. The default is set for 5000.")
cmd.Flags().IntVar(&cfg.Replicas, "replicas", cfg.Replicas, "The replication factor of the registry; commonly 2 when high availability is desired.")
cmd.Flags().StringVar(&cfg.Labels, "labels", cfg.Labels, "A set of labels to uniquely identify the registry and its components.")
cmd.Flags().StringVar(&cfg.Volume, "volume", cfg.Volume, "The volume path to use for registry storage; defaults to /registry which is the default for origin-docker-registry.")
cmd.Flags().StringVar(&cfg.HostMount, "mount-host", cfg.HostMount, "If set, the registry volume will be created as a host-mount at this path.")
cmd.Flags().BoolVar(&cfg.DryRun, "dry-run", cfg.DryRun, "Check if the registry exists instead of creating.")
cmd.Flags().Bool("create", false, "deprecated; this is now the default behavior")
cmd.Flags().StringVar(&cfg.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the registry should use to contact the master.")
cmd.Flags().StringVar(&cfg.ServiceAccount, "service-account", cfg.ServiceAccount, "Name of the service account to use to run the registry pod.")
cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run registries on a specific set of nodes.")
// autocompletion hints
cmd.MarkFlagFilename("credentials", "kubeconfig")
cmdutil.AddPrinterFlags(cmd)
return cmd
}
// NewCmdDiagnostics is the base command for running any diagnostics.
func NewCmdDiagnostics(name string, fullName string, out io.Writer) *cobra.Command {
o := &DiagnosticsOptions{
RequestedDiagnostics: []string{},
LogOptions: &log.LoggerOptions{Out: out},
ImageTemplate: variable.NewDefaultImageTemplate(),
}
cmd := &cobra.Command{
Use: name,
Short: "Diagnose common cluster problems",
Long: fmt.Sprintf(longDescription, fullName, strings.Join(availableDiagnostics().List(), ", ")),
Run: func(c *cobra.Command, args []string) {
kcmdutil.CheckErr(o.Complete(args))
kcmdutil.CheckErr(o.Validate())
failed, err, warnCount, errorCount := o.RunDiagnostics()
o.Logger.Summary(warnCount, errorCount)
kcmdutil.CheckErr(err)
if failed {
os.Exit(255)
}
},
}
cmd.SetOutput(out) // for output re: usage / help
o.ClientFlags = flag.NewFlagSet("client", flag.ContinueOnError) // hide the extensive set of client flags
o.Factory = osclientcmd.New(o.ClientFlags) // that would otherwise be added to this command
cmd.Flags().AddFlag(o.ClientFlags.Lookup(config.OpenShiftConfigFlagName))
cmd.Flags().AddFlag(o.ClientFlags.Lookup("context")) // TODO: find k8s constant
cmd.Flags().StringVar(&o.ClientClusterContext, options.FlagClusterContextName, "", "Client context to use for cluster administrator")
cmd.Flags().StringVar(&o.MasterConfigLocation, options.FlagMasterConfigName, "", "Path to master config file (implies --host)")
cmd.Flags().StringVar(&o.NodeConfigLocation, options.FlagNodeConfigName, "", "Path to node config file (implies --host)")
cmd.Flags().BoolVar(&o.IsHost, options.FlagIsHostName, false, "If true, look for systemd and journald units even without master/node config")
cmd.Flags().StringVar(&o.ImageTemplate.Format, options.FlagImageTemplateName, o.ImageTemplate.Format, "Image template for DiagnosticPod to use in creating a pod")
cmd.Flags().BoolVar(&o.ImageTemplate.Latest, options.FlagLatestImageName, false, "If true, when expanding the image template, use latest version, not release version")
cmd.Flags().BoolVar(&o.PreventModification, options.FlagPreventModificationName, false, "If true, may be set to prevent diagnostics making any changes via the API")
cmd.Flags().StringVar(&o.NetworkDiagLogDir, options.FlagNetworkDiagLogDir, netutil.NetworkDiagDefaultLogDir, "Path to store network diagnostic results in case of errors")
flagtypes.GLog(cmd.Flags())
options.BindLoggerOptionFlags(cmd.Flags(), o.LogOptions, options.RecommendedLoggerOptionFlags())
return cmd
}
func NewCmdIPFailoverConfig(f *clientcmd.Factory, parentName, name string, out io.Writer) *cobra.Command {
options := &ipfailover.IPFailoverConfigCmdOptions{
ImageTemplate: variable.NewDefaultImageTemplate(),
Selector: ipfailover.DefaultSelector,
ServicePort: ipfailover.DefaultServicePort,
WatchPort: ipfailover.DefaultWatchPort,
NetworkInterface: ipfailover.DefaultInterface,
VRRPIDOffset: 0,
Replicas: 1,
}
cmd := &cobra.Command{
Use: fmt.Sprintf("%s [NAME]", name),
Short: "Install an IP failover group to a set of nodes",
Long: ipFailover_long,
Example: fmt.Sprintf(ipFailover_example, parentName, name),
Run: func(cmd *cobra.Command, args []string) {
options.ShortOutput = cmdutil.GetFlagString(cmd, "output") == "name"
err := processCommand(f, options, cmd, args, out)
cmdutil.CheckErr(err)
},
}
cmd.Flags().StringVar(&options.Type, "type", ipfailover.DefaultType, "The type of IP failover configurator to use.")
cmd.Flags().StringVar(&options.ImageTemplate.Format, "images", options.ImageTemplate.Format, "The image to base this IP failover configurator on - ${component} will be replaced based on --type.")
cmd.Flags().BoolVar(&options.ImageTemplate.Latest, "latest-images", options.ImageTemplate.Latest, "If true, attempt to use the latest images instead of the current release")
cmd.Flags().StringVarP(&options.Selector, "selector", "l", options.Selector, "Selector (label query) to filter nodes on.")
cmd.Flags().StringVar(&options.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.")
cmd.Flags().StringVar(&options.ServiceAccount, "service-account", options.ServiceAccount, "Name of the service account to use to run the ipfailover pod.")
cmd.Flags().BoolVar(&options.Create, "create", options.Create, "Create the configuration if it does not exist.")
cmd.Flags().StringVar(&options.VirtualIPs, "virtual-ips", "", "A set of virtual IP ranges and/or addresses that the routers bind and serve on and provide IP failover capability for.")
cmd.Flags().StringVarP(&options.NetworkInterface, "interface", "i", "", "Network interface bound by VRRP to use for the set of virtual IP ranges/addresses specified.")
cmd.Flags().IntVarP(&options.WatchPort, "watch-port", "w", ipfailover.DefaultWatchPort, "Port to monitor or watch for resource availability.")
cmd.Flags().IntVar(&options.VRRPIDOffset, "vrrp-id-offset", options.VRRPIDOffset, "Offset to use for setting ids of VRRP instances (default offset is 0). This allows multiple ipfailover instances to run within the same cluster.")
cmd.Flags().IntVarP(&options.Replicas, "replicas", "r", options.Replicas, "The replication factor of this IP failover configuration; commonly 2 when high availability is desired. Please ensure this matches the number of nodes that satisfy the selector (or default selector) specified.")
// autocompletion hints
cmd.MarkFlagFilename("credentials", "kubeconfig")
cmdutil.AddPrinterFlags(cmd)
return cmd
}
// InstallRegistry checks whether a registry is installed and installs one if not already installed
func (h *Helper) InstallRegistry(kubeClient kclientset.Interface, f *clientcmd.Factory, configDir, images string, out, errout io.Writer) error {
_, err := kubeClient.Core().Services(DefaultNamespace).Get(SvcDockerRegistry)
if err == nil {
// If there's no error, the registry already exists
return nil
}
if !apierrors.IsNotFound(err) {
return errors.NewError("error retrieving docker registry service").WithCause(err).WithDetails(h.OriginLog())
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = images
opts := ®istry.RegistryOptions{
Config: ®istry.RegistryConfig{
Name: "registry",
Type: "docker-registry",
ImageTemplate: imageTemplate,
Ports: "5000",
Replicas: 1,
Labels: "docker-registry=default",
Volume: "/registry",
ServiceAccount: "registry",
},
}
cmd := registry.NewCmdRegistry(f, "", "registry", out, errout)
output := &bytes.Buffer{}
err = opts.Complete(f, cmd, output, output, []string{})
if err != nil {
return errors.NewError("error completing the registry configuration").WithCause(err)
}
err = opts.RunCmdRegistry()
glog.V(4).Infof("Registry command output:\n%s", output.String())
if err != nil {
return errors.NewError("cannot install registry").WithCause(err).WithDetails(h.OriginLog())
}
return nil
}
// InstallRouter installs a default router on the OpenShift server
func (h *Helper) InstallRouter(kubeClient kclient.Interface, f *clientcmd.Factory, configDir, images, hostIP string, portForwarding bool, out io.Writer) error {
_, err := kubeClient.Services(DefaultNamespace).Get(SvcRouter)
if err == nil {
// Router service already exists, nothing to do
return nil
}
if !apierrors.IsNotFound(err) {
return errors.NewError("error retrieving router service").WithCause(err).WithDetails(h.OriginLog())
}
masterDir := filepath.Join(configDir, "master")
// Create service account for router
routerSA := &kapi.ServiceAccount{}
routerSA.Name = "router"
_, err = kubeClient.ServiceAccounts("default").Create(routerSA)
if err != nil {
return errors.NewError("cannot create router service account").WithCause(err).WithDetails(h.OriginLog())
}
// Add router SA to privileged SCC
privilegedSCC, err := kubeClient.SecurityContextConstraints().Get("privileged")
if err != nil {
return errors.NewError("cannot retrieve privileged SCC").WithCause(err).WithDetails(h.OriginLog())
}
privilegedSCC.Users = append(privilegedSCC.Users, serviceaccount.MakeUsername("default", "router"))
_, err = kubeClient.SecurityContextConstraints().Update(privilegedSCC)
if err != nil {
return errors.NewError("cannot update privileged SCC").WithCause(err).WithDetails(h.OriginLog())
}
// Create router cert
cmdOutput := &bytes.Buffer{}
createCertOptions := &admin.CreateServerCertOptions{
SignerCertOptions: &admin.SignerCertOptions{
CertFile: filepath.Join(masterDir, "ca.crt"),
KeyFile: filepath.Join(masterDir, "ca.key"),
SerialFile: filepath.Join(masterDir, "ca.serial.txt"),
},
Overwrite: true,
Hostnames: []string{fmt.Sprintf("%s.xip.io", hostIP)},
CertFile: filepath.Join(masterDir, "router.crt"),
KeyFile: filepath.Join(masterDir, "router.key"),
Output: cmdOutput,
}
_, err = createCertOptions.CreateServerCert()
if err != nil {
return errors.NewError("cannot create router cert").WithCause(err)
}
err = catFiles(filepath.Join(masterDir, "router.pem"),
filepath.Join(masterDir, "router.crt"),
filepath.Join(masterDir, "router.key"),
filepath.Join(masterDir, "ca.crt"))
if err != nil {
return err
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = images
cfg := &router.RouterConfig{
Name: "router",
Type: "haproxy-router",
ImageTemplate: imageTemplate,
Ports: "80:80,443:443",
Replicas: 1,
Labels: "router=<name>",
Credentials: filepath.Join(masterDir, "admin.kubeconfig"),
DefaultCertificate: filepath.Join(masterDir, "router.pem"),
StatsPort: 1936,
StatsUsername: "******",
HostNetwork: !portForwarding,
HostPorts: true,
ServiceAccount: "router",
}
output := &bytes.Buffer{}
cmd := router.NewCmdRouter(f, "", "router", out)
cmd.SetOutput(output)
err = router.RunCmdRouter(f, cmd, output, cfg, []string{})
glog.V(4).Infof("Router command output:\n%s", output.String())
if err != nil {
return errors.NewError("cannot install router").WithCause(err).WithDetails(h.OriginLog())
}
return nil
}
func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
client, err := etcd.EtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
}
etcdHelper, err := NewEtcdStorage(client, options.EtcdStorageConfig.OpenShiftStorageVersion, options.EtcdStorageConfig.OpenShiftStoragePrefix)
if err != nil {
return nil, fmt.Errorf("Error setting up server storage: %v", err)
}
clientCAs, err := configapi.GetClientCertCAPool(options)
if err != nil {
return nil, err
}
apiClientCAs, err := configapi.GetAPIClientCertCAPool(options)
if err != nil {
return nil, err
}
privilegedLoopbackKubeClient, _, err := configapi.GetKubeClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
if err != nil {
return nil, err
}
privilegedLoopbackOpenShiftClient, privilegedLoopbackClientConfig, err := configapi.GetOpenShiftClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
if err != nil {
return nil, err
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
policyCache, policyClient := newReadOnlyCacheAndClient(etcdHelper)
requestContextMapper := kapi.NewRequestContextMapper()
groupCache := usercache.NewGroupCache(groupregistry.NewRegistry(groupstorage.NewREST(etcdHelper)))
kubeletClientConfig := configapi.GetKubeletClientConfig(options)
// in-order list of plug-ins that should intercept admission decisions (origin only intercepts)
admissionControlPluginNames := []string{"OriginNamespaceLifecycle", "BuildByStrategy"}
admissionClient := admissionControlClient(privilegedLoopbackKubeClient, privilegedLoopbackOpenShiftClient)
admissionController := admission.NewFromPlugins(admissionClient, admissionControlPluginNames, "")
serviceAccountTokenGetter, err := newServiceAccountTokenGetter(options, client)
if err != nil {
return nil, err
}
plug, plugStart := newControllerPlug(options, client)
config := &MasterConfig{
Options: options,
Authenticator: newAuthenticator(options, etcdHelper, serviceAccountTokenGetter, apiClientCAs, groupCache),
Authorizer: newAuthorizer(policyClient, options.ProjectConfig.ProjectRequestMessage),
AuthorizationAttributeBuilder: newAuthorizationAttributeBuilder(requestContextMapper),
PolicyCache: policyCache,
GroupCache: groupCache,
ProjectAuthorizationCache: newProjectAuthorizationCache(privilegedLoopbackOpenShiftClient, privilegedLoopbackKubeClient, policyClient),
RequestContextMapper: requestContextMapper,
AdmissionControl: admissionController,
TLS: configapi.UseTLS(options.ServingInfo.ServingInfo),
ControllerPlug: plug,
ControllerPlugStart: plugStart,
ImageFor: imageTemplate.ExpandOrDie,
EtcdHelper: etcdHelper,
EtcdClient: client,
KubeletClientConfig: kubeletClientConfig,
ClientCAs: clientCAs,
APIClientCAs: apiClientCAs,
PrivilegedLoopbackClientConfig: *privilegedLoopbackClientConfig,
PrivilegedLoopbackOpenShiftClient: privilegedLoopbackOpenShiftClient,
PrivilegedLoopbackKubernetesClient: privilegedLoopbackKubeClient,
BuildControllerServiceAccount: bootstrappolicy.InfraBuildControllerServiceAccountName,
DeploymentControllerServiceAccount: bootstrappolicy.InfraDeploymentControllerServiceAccountName,
ReplicationControllerServiceAccount: bootstrappolicy.InfraReplicationControllerServiceAccountName,
}
return config, nil
}
func BuildKubernetesNodeConfig(options configapi.NodeConfig) (*NodeConfig, error) {
originClient, osClientConfig, err := configapi.GetOpenShiftClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
kubeClient, _, err := configapi.GetKubeClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
// Make a separate client for event reporting, to avoid event QPS blocking node calls
eventClient, _, err := configapi.GetKubeClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
if options.NodeName == "localhost" {
glog.Warningf(`Using "localhost" as node name will not resolve from all locations`)
}
clientCAs, err := kcrypto.CertPoolFromFile(options.ServingInfo.ClientCA)
if err != nil {
return nil, err
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
var path string
var fileCheckInterval int64
if options.PodManifestConfig != nil {
path = options.PodManifestConfig.Path
fileCheckInterval = options.PodManifestConfig.FileCheckIntervalSeconds
}
var dockerExecHandler dockertools.ExecHandler
switch options.DockerConfig.ExecHandlerName {
case configapi.DockerExecHandlerNative:
dockerExecHandler = &dockertools.NativeExecHandler{}
case configapi.DockerExecHandlerNsenter:
dockerExecHandler = &dockertools.NsenterExecHandler{}
}
kubeAddressStr, kubePortStr, err := net.SplitHostPort(options.ServingInfo.BindAddress)
if err != nil {
return nil, fmt.Errorf("cannot parse node address: %v", err)
}
kubePort, err := strconv.Atoi(kubePortStr)
if err != nil {
return nil, fmt.Errorf("cannot parse node port: %v", err)
}
// Defaults are tested in TestKubeletDefaults
server := kubeletoptions.NewKubeletServer()
// Adjust defaults
server.Config = path
server.RootDirectory = options.VolumeDirectory
server.NodeIP = options.NodeIP
server.HostnameOverride = options.NodeName
server.AllowPrivileged = true
server.RegisterNode = true
server.Address = kubeAddressStr
server.Port = uint(kubePort)
server.ReadOnlyPort = 0 // no read only access
server.CAdvisorPort = 0 // no unsecured cadvisor access
server.HealthzPort = 0 // no unsecured healthz access
server.HealthzBindAddress = "" // no unsecured healthz access
server.ClusterDNS = options.DNSIP
server.ClusterDomain = options.DNSDomain
server.NetworkPluginName = options.NetworkConfig.NetworkPluginName
server.HostNetworkSources = strings.Join([]string{kubelettypes.ApiserverSource, kubelettypes.FileSource}, ",")
server.HostPIDSources = strings.Join([]string{kubelettypes.ApiserverSource, kubelettypes.FileSource}, ",")
server.HostIPCSources = strings.Join([]string{kubelettypes.ApiserverSource, kubelettypes.FileSource}, ",")
server.HTTPCheckFrequency = unversioned.Duration{Duration: time.Duration(0)} // no remote HTTP pod creation access
server.FileCheckFrequency = unversioned.Duration{Duration: time.Duration(fileCheckInterval) * time.Second}
server.PodInfraContainerImage = imageTemplate.ExpandOrDie("pod")
server.CPUCFSQuota = true // enable cpu cfs quota enforcement by default
server.MaxPods = 110
server.SerializeImagePulls = false // disable serial image pulls by default
switch server.NetworkPluginName {
case ovs.SingleTenantPluginName, ovs.MultiTenantPluginName:
// set defaults for openshift-sdn
server.HairpinMode = componentconfig.HairpinNone
server.ConfigureCBR0 = false
}
// prevents kube from generating certs
server.TLSCertFile = options.ServingInfo.ServerCert.CertFile
server.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
containerized := cmdutil.Env("OPENSHIFT_CONTAINERIZED", "") == "true"
server.Containerized = containerized
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {
return nil, kerrors.NewAggregate(err)
}
proxyconfig, err := buildKubeProxyConfig(options)
if err != nil {
return nil, err
}
cfg, err := kubeletapp.UnsecuredKubeletConfig(server)
if err != nil {
return nil, err
}
// provide any config overrides
cfg.NodeName = options.NodeName
cfg.KubeClient = clientadapter.FromUnversionedClient(kubeClient)
cfg.EventClient = clientadapter.FromUnversionedClient(eventClient)
cfg.DockerExecHandler = dockerExecHandler
// Setup auth
authnTTL, err := time.ParseDuration(options.AuthConfig.AuthenticationCacheTTL)
if err != nil {
return nil, err
}
authn, err := newAuthenticator(clientCAs, clientcmd.AnonymousClientConfig(osClientConfig), authnTTL, options.AuthConfig.AuthenticationCacheSize)
if err != nil {
return nil, err
}
authzAttr, err := newAuthorizerAttributesGetter(options.NodeName)
if err != nil {
return nil, err
}
authzTTL, err := time.ParseDuration(options.AuthConfig.AuthorizationCacheTTL)
if err != nil {
return nil, err
}
authz, err := newAuthorizer(originClient, authzTTL, options.AuthConfig.AuthorizationCacheSize)
if err != nil {
return nil, err
}
cfg.Auth = kubeletserver.NewKubeletAuth(authn, authzAttr, authz)
// Make sure the node doesn't think it is in standalone mode
// This is required for the node to enforce nodeSelectors on pods, to set hostIP on pod status updates, etc
cfg.StandaloneMode = false
// TODO: could be cleaner
if configapi.UseTLS(options.ServingInfo) {
extraCerts, err := configapi.GetNamedCertificateMap(options.ServingInfo.NamedCertificates)
if err != nil {
return nil, err
}
cfg.TLSOptions = &kubeletserver.TLSOptions{
Config: crypto.SecureTLSConfig(&tls.Config{
// RequestClientCert lets us request certs, but allow requests without client certs
// Verification is done by the authn layer
ClientAuth: tls.RequestClientCert,
ClientCAs: clientCAs,
// Set SNI certificate func
// Do not use NameToCertificate, since that requires certificates be included in the server's tlsConfig.Certificates list,
// which we do not control when running with http.Server#ListenAndServeTLS
GetCertificate: cmdutil.GetCertificateFunc(extraCerts),
}),
CertFile: options.ServingInfo.ServerCert.CertFile,
KeyFile: options.ServingInfo.ServerCert.KeyFile,
}
} else {
cfg.TLSOptions = nil
}
// Prepare cloud provider
cloud, err := cloudprovider.InitCloudProvider(server.CloudProvider, server.CloudConfigFile)
if err != nil {
return nil, err
}
if cloud != nil {
glog.V(2).Infof("Successfully initialized cloud provider: %q from the config file: %q\n", server.CloudProvider, server.CloudConfigFile)
}
cfg.Cloud = cloud
sdnPlugin, err := factory.NewNodePlugin(options.NetworkConfig.NetworkPluginName, originClient, kubeClient, options.NodeName, options.NodeIP)
if err != nil {
return nil, fmt.Errorf("SDN initialization failed: %v", err)
}
if sdnPlugin != nil {
cfg.NetworkPlugins = append(cfg.NetworkPlugins, sdnPlugin)
}
endpointFilter, err := factory.NewProxyPlugin(options.NetworkConfig.NetworkPluginName, originClient, kubeClient)
if err != nil {
return nil, fmt.Errorf("SDN proxy initialization failed: %v", err)
}
config := &NodeConfig{
BindAddress: options.ServingInfo.BindAddress,
AllowDisabledDocker: options.AllowDisabledDocker,
Containerized: containerized,
Client: kubeClient,
VolumeDir: options.VolumeDirectory,
KubeletServer: server,
KubeletConfig: cfg,
ProxyConfig: proxyconfig,
MTU: options.NetworkConfig.MTU,
SDNPlugin: sdnPlugin,
FilteringEndpointsHandler: endpointFilter,
}
return config, nil
}
// BuildMasterConfig builds and returns the OpenShift master configuration based on the
// provided options
func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
client, err := etcd.EtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
}
etcdClient, err := etcd.MakeNewEtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
}
groupVersion := unversioned.GroupVersion{Group: "", Version: options.EtcdStorageConfig.OpenShiftStorageVersion}
etcdHelper, err := NewEtcdStorage(etcdClient, groupVersion, options.EtcdStorageConfig.OpenShiftStoragePrefix)
if err != nil {
return nil, fmt.Errorf("Error setting up server storage: %v", err)
}
clientCAs, err := configapi.GetClientCertCAPool(options)
if err != nil {
return nil, err
}
apiClientCAs, err := configapi.GetAPIClientCertCAPool(options)
if err != nil {
return nil, err
}
privilegedLoopbackKubeClient, _, err := configapi.GetKubeClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
if err != nil {
return nil, err
}
privilegedLoopbackOpenShiftClient, privilegedLoopbackClientConfig, err := configapi.GetOpenShiftClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
if err != nil {
return nil, err
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
policyCache, policyClient := newReadOnlyCacheAndClient(etcdHelper)
requestContextMapper := kapi.NewRequestContextMapper()
groupCache := usercache.NewGroupCache(groupregistry.NewRegistry(groupstorage.NewREST(etcdHelper)))
projectCache := projectcache.NewProjectCache(privilegedLoopbackKubeClient.Namespaces(), options.ProjectConfig.DefaultNodeSelector)
kubeletClientConfig := configapi.GetKubeletClientConfig(options)
// in-order list of plug-ins that should intercept admission decisions (origin only intercepts)
admissionControlPluginNames := []string{"OriginNamespaceLifecycle", "BuildByStrategy"}
if len(options.AdmissionConfig.PluginOrderOverride) > 0 {
admissionControlPluginNames = options.AdmissionConfig.PluginOrderOverride
}
pluginInitializer := oadmission.PluginInitializer{
OpenshiftClient: privilegedLoopbackOpenShiftClient,
ProjectCache: projectCache,
}
plugins := []admission.Interface{}
for _, pluginName := range admissionControlPluginNames {
configFile, err := pluginconfig.GetPluginConfig(options.AdmissionConfig.PluginConfig[pluginName])
if err != nil {
return nil, err
}
plugin := admission.InitPlugin(pluginName, privilegedLoopbackKubeClient, configFile)
if plugin != nil {
plugins = append(plugins, plugin)
}
}
pluginInitializer.Initialize(plugins)
// ensure that plugins have been properly initialized
if err := oadmission.Validate(plugins); err != nil {
return nil, err
}
admissionController := admission.NewChainHandler(plugins...)
serviceAccountTokenGetter, err := newServiceAccountTokenGetter(options, etcdClient)
if err != nil {
return nil, err
}
plug, plugStart := newControllerPlug(options, client)
authorizer := newAuthorizer(policyClient, options.ProjectConfig.ProjectRequestMessage)
config := &MasterConfig{
Options: options,
Authenticator: newAuthenticator(options, etcdHelper, serviceAccountTokenGetter, apiClientCAs, groupCache),
Authorizer: authorizer,
AuthorizationAttributeBuilder: newAuthorizationAttributeBuilder(requestContextMapper),
PolicyCache: policyCache,
GroupCache: groupCache,
ProjectAuthorizationCache: newProjectAuthorizationCache(authorizer, privilegedLoopbackKubeClient, policyClient),
ProjectCache: projectCache,
RequestContextMapper: requestContextMapper,
AdmissionControl: admissionController,
TLS: configapi.UseTLS(options.ServingInfo.ServingInfo),
ControllerPlug: plug,
ControllerPlugStart: plugStart,
ImageFor: imageTemplate.ExpandOrDie,
EtcdHelper: etcdHelper,
KubeletClientConfig: kubeletClientConfig,
ClientCAs: clientCAs,
APIClientCAs: apiClientCAs,
PrivilegedLoopbackClientConfig: *privilegedLoopbackClientConfig,
PrivilegedLoopbackOpenShiftClient: privilegedLoopbackOpenShiftClient,
PrivilegedLoopbackKubernetesClient: privilegedLoopbackKubeClient,
}
return config, nil
}
func BuildKubernetesNodeConfig(options configapi.NodeConfig) (*NodeConfig, error) {
kubeClient, _, err := configapi.GetKubeClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
if options.NodeName == "localhost" {
glog.Warningf(`Using "localhost" as node name will not resolve from all locations`)
}
var dnsIP net.IP
if len(options.DNSIP) > 0 {
dnsIP = net.ParseIP(options.DNSIP)
if dnsIP == nil {
return nil, fmt.Errorf("Invalid DNS IP: %s", options.DNSIP)
}
}
clientCAs, err := util.CertPoolFromFile(options.ServingInfo.ClientCA)
if err != nil {
return nil, err
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
var path string
var fileCheckInterval int64
if options.PodManifestConfig != nil {
path = options.PodManifestConfig.Path
fileCheckInterval = options.PodManifestConfig.FileCheckIntervalSeconds
}
var dockerExecHandler dockertools.ExecHandler
switch options.DockerConfig.ExecHandlerName {
case configapi.DockerExecHandlerNative:
dockerExecHandler = &dockertools.NativeExecHandler{}
case configapi.DockerExecHandlerNsenter:
dockerExecHandler = &dockertools.NsenterExecHandler{}
}
kubeAddress, kubePortStr, err := net.SplitHostPort(options.ServingInfo.BindAddress)
if err != nil {
return nil, fmt.Errorf("cannot parse node address: %v", err)
}
kubePort, err := strconv.Atoi(kubePortStr)
if err != nil {
return nil, fmt.Errorf("cannot parse node port: %v", err)
}
address := util.IP{}
if err := address.Set(kubeAddress); err != nil {
return nil, err
}
// declare the OpenShift defaults from config
server := kapp.NewKubeletServer()
server.Config = path
server.RootDirectory = options.VolumeDirectory
server.HostnameOverride = options.NodeName
server.AllowPrivileged = true
server.RegisterNode = true
server.Address = address
server.Port = uint(kubePort)
server.ReadOnlyPort = 0 // no read only access
server.ClusterDNS = util.IP(dnsIP)
server.ClusterDomain = options.DNSDomain
server.NetworkPluginName = options.NetworkPluginName
server.HostNetworkSources = strings.Join([]string{kubelet.ApiserverSource, kubelet.FileSource}, ",")
server.HTTPCheckFrequency = 0 // no remote HTTP pod creation access
server.FileCheckFrequency = time.Duration(fileCheckInterval) * time.Second
server.PodInfraContainerImage = imageTemplate.ExpandOrDie("pod")
// prevents kube from generating certs
server.TLSCertFile = options.ServingInfo.ServerCert.CertFile
server.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
if value := cmdutil.Env("OPENSHIFT_CONTAINERIZED", ""); len(value) > 0 {
server.Containerized = value == "true"
}
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {
return nil, errors.NewAggregate(err)
}
cfg, err := server.KubeletConfig()
if err != nil {
return nil, err
}
// provide any config overrides
cfg.StreamingConnectionIdleTimeout = 5 * time.Minute // TODO: should be set
cfg.KubeClient = kubeClient
cfg.DockerExecHandler = dockerExecHandler
// TODO: could be cleaner
if configapi.UseTLS(options.ServingInfo) {
cfg.TLSOptions = &kubelet.TLSOptions{
Config: &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10,
// RequireAndVerifyClientCert lets us limit requests to ones with a valid client certificate
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: clientCAs,
},
CertFile: options.ServingInfo.ServerCert.CertFile,
KeyFile: options.ServingInfo.ServerCert.KeyFile,
}
} else {
cfg.TLSOptions = nil
}
config := &NodeConfig{
BindAddress: options.ServingInfo.BindAddress,
AllowDisabledDocker: options.AllowDisabledDocker,
Client: kubeClient,
VolumeDir: options.VolumeDirectory,
KubeletServer: server,
KubeletConfig: cfg,
}
return config, nil
}
func BuildKubernetesNodeConfig(options configapi.NodeConfig) (*NodeConfig, error) {
originClient, _, err := configapi.GetOpenShiftClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
kubeClient, _, err := configapi.GetKubeClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
// Make a separate client for event reporting, to avoid event QPS blocking node calls
eventClient, _, err := configapi.GetKubeClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
if options.NodeName == "localhost" {
glog.Warningf(`Using "localhost" as node name will not resolve from all locations`)
}
clientCAs, err := util.CertPoolFromFile(options.ServingInfo.ClientCA)
if err != nil {
return nil, err
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
var path string
var fileCheckInterval int64
if options.PodManifestConfig != nil {
path = options.PodManifestConfig.Path
fileCheckInterval = options.PodManifestConfig.FileCheckIntervalSeconds
}
var dockerExecHandler dockertools.ExecHandler
switch options.DockerConfig.ExecHandlerName {
case configapi.DockerExecHandlerNative:
dockerExecHandler = &dockertools.NativeExecHandler{}
case configapi.DockerExecHandlerNsenter:
dockerExecHandler = &dockertools.NsenterExecHandler{}
}
kubeAddressStr, kubePortStr, err := net.SplitHostPort(options.ServingInfo.BindAddress)
if err != nil {
return nil, fmt.Errorf("cannot parse node address: %v", err)
}
kubePort, err := strconv.Atoi(kubePortStr)
if err != nil {
return nil, fmt.Errorf("cannot parse node port: %v", err)
}
// declare the OpenShift defaults from config
server := kubeletoptions.NewKubeletServer()
server.Config = path
server.RootDirectory = options.VolumeDirectory
server.NodeIP = options.NodeIP
server.HostnameOverride = options.NodeName
server.AllowPrivileged = true
server.RegisterNode = true
server.Address = kubeAddressStr
server.Port = uint(kubePort)
server.ReadOnlyPort = 0 // no read only access
server.CAdvisorPort = 0 // no unsecured cadvisor access
server.HealthzPort = 0 // no unsecured healthz access
server.ClusterDNS = options.DNSIP
server.ClusterDomain = options.DNSDomain
server.NetworkPluginName = options.NetworkConfig.NetworkPluginName
server.HostNetworkSources = strings.Join([]string{kubelettypes.ApiserverSource, kubelettypes.FileSource}, ",")
server.HostPIDSources = strings.Join([]string{kubelettypes.ApiserverSource, kubelettypes.FileSource}, ",")
server.HostIPCSources = strings.Join([]string{kubelettypes.ApiserverSource, kubelettypes.FileSource}, ",")
server.HTTPCheckFrequency = unversioned.Duration{Duration: time.Duration(0)} // no remote HTTP pod creation access
server.FileCheckFrequency = unversioned.Duration{Duration: time.Duration(fileCheckInterval) * time.Second}
server.PodInfraContainerImage = imageTemplate.ExpandOrDie("pod")
server.CPUCFSQuota = true // enable cpu cfs quota enforcement by default
server.MaxPods = 110
// prevents kube from generating certs
server.TLSCertFile = options.ServingInfo.ServerCert.CertFile
server.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
containerized := cmdutil.Env("OPENSHIFT_CONTAINERIZED", "") == "true"
server.Containerized = containerized
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {
return nil, kerrors.NewAggregate(err)
}
proxyconfig, err := buildKubeProxyConfig(options)
if err != nil {
return nil, err
}
cfg, err := kubeletapp.UnsecuredKubeletConfig(server)
if err != nil {
return nil, err
}
// Replace the standard k8s emptyDir volume plugin with a wrapper version
// which offers XFS quota functionality, but only if the node config
// specifies an empty dir quota to apply to projects:
if options.VolumeConfig.LocalQuota.PerFSGroup != nil {
glog.V(2).Info("Replacing empty-dir volume plugin with quota wrapper")
wrappedEmptyDirPlugin := false
quotaApplicator, err := empty_dir.NewQuotaApplicator(options.VolumeDirectory)
if err != nil {
return nil, err
}
// Create a volume spec with emptyDir we can use to search for the
// emptyDir plugin with CanSupport:
emptyDirSpec := &volume.Spec{
Volume: &kapi.Volume{
VolumeSource: kapi.VolumeSource{
EmptyDir: &kapi.EmptyDirVolumeSource{},
},
},
}
for idx, plugin := range cfg.VolumePlugins {
// Can't really do type checking or use a constant here as they are not exported:
if plugin.CanSupport(emptyDirSpec) {
wrapper := empty_dir.EmptyDirQuotaPlugin{
Wrapped: plugin,
Quota: *options.VolumeConfig.LocalQuota.PerFSGroup,
QuotaApplicator: quotaApplicator,
}
cfg.VolumePlugins[idx] = &wrapper
wrappedEmptyDirPlugin = true
}
}
// Because we can't look for the k8s emptyDir plugin by any means that would
// survive a refactor, error out if we couldn't find it:
if !wrappedEmptyDirPlugin {
return nil, errors.New("unable to wrap emptyDir volume plugin for quota support")
}
} else {
glog.V(2).Info("Skipping replacement of empty-dir volume plugin with quota wrapper, no local fsGroup quota specified")
}
// provide any config overrides
cfg.NodeName = options.NodeName
cfg.KubeClient = internalclientset.FromUnversionedClient(kubeClient)
cfg.EventClient = internalclientset.FromUnversionedClient(eventClient)
cfg.DockerExecHandler = dockerExecHandler
// docker-in-docker (dind) deployments are used for testing
// networking plugins. Running openshift under dind won't work
// with the real oom adjuster due to the state of the cgroups path
// in a dind container that uses systemd for init. Similarly,
// cgroup manipulation of the nested docker daemon doesn't work
// properly under centos/rhel and should be disabled by setting
// the name of the container to an empty string.
//
// This workaround should become unnecessary once user namespaces
if value := cmdutil.Env("OPENSHIFT_DIND", ""); value == "true" {
glog.Warningf("Using FakeOOMAdjuster for docker-in-docker compatibility")
cfg.OOMAdjuster = oom.NewFakeOOMAdjuster()
}
// Setup auth
osClient, osClientConfig, err := configapi.GetOpenShiftClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
authnTTL, err := time.ParseDuration(options.AuthConfig.AuthenticationCacheTTL)
if err != nil {
return nil, err
}
authn, err := newAuthenticator(clientCAs, clientcmd.AnonymousClientConfig(osClientConfig), authnTTL, options.AuthConfig.AuthenticationCacheSize)
if err != nil {
return nil, err
}
authzAttr, err := newAuthorizerAttributesGetter(options.NodeName)
if err != nil {
return nil, err
}
authzTTL, err := time.ParseDuration(options.AuthConfig.AuthorizationCacheTTL)
if err != nil {
return nil, err
}
authz, err := newAuthorizer(osClient, authzTTL, options.AuthConfig.AuthorizationCacheSize)
if err != nil {
return nil, err
}
cfg.Auth = kubeletserver.NewKubeletAuth(authn, authzAttr, authz)
// Make sure the node doesn't think it is in standalone mode
// This is required for the node to enforce nodeSelectors on pods, to set hostIP on pod status updates, etc
cfg.StandaloneMode = false
// TODO: could be cleaner
if configapi.UseTLS(options.ServingInfo) {
extraCerts, err := configapi.GetNamedCertificateMap(options.ServingInfo.NamedCertificates)
if err != nil {
return nil, err
}
cfg.TLSOptions = &kubeletserver.TLSOptions{
Config: crypto.SecureTLSConfig(&tls.Config{
// RequestClientCert lets us request certs, but allow requests without client certs
// Verification is done by the authn layer
ClientAuth: tls.RequestClientCert,
ClientCAs: clientCAs,
// Set SNI certificate func
// Do not use NameToCertificate, since that requires certificates be included in the server's tlsConfig.Certificates list,
// which we do not control when running with http.Server#ListenAndServeTLS
GetCertificate: cmdutil.GetCertificateFunc(extraCerts),
}),
CertFile: options.ServingInfo.ServerCert.CertFile,
KeyFile: options.ServingInfo.ServerCert.KeyFile,
}
} else {
cfg.TLSOptions = nil
}
// Prepare cloud provider
cloud, err := cloudprovider.InitCloudProvider(server.CloudProvider, server.CloudConfigFile)
if err != nil {
return nil, err
}
if cloud != nil {
glog.V(2).Infof("Successfully initialized cloud provider: %q from the config file: %q\n", server.CloudProvider, server.CloudConfigFile)
}
cfg.Cloud = cloud
sdnPlugin, endpointFilter, err := factory.NewPlugin(options.NetworkConfig.NetworkPluginName, originClient, kubeClient, options.NodeName, options.NodeIP)
if err != nil {
return nil, fmt.Errorf("SDN initialization failed: %v", err)
}
if sdnPlugin != nil {
cfg.NetworkPlugins = append(cfg.NetworkPlugins, sdnPlugin)
}
config := &NodeConfig{
BindAddress: options.ServingInfo.BindAddress,
AllowDisabledDocker: options.AllowDisabledDocker,
Containerized: containerized,
Client: kubeClient,
VolumeDir: options.VolumeDirectory,
KubeletServer: server,
KubeletConfig: cfg,
ProxyConfig: proxyconfig,
MTU: options.NetworkConfig.MTU,
SDNPlugin: sdnPlugin,
FilteringEndpointsHandler: endpointFilter,
}
return config, nil
}
// BuildMasterConfig builds and returns the OpenShift master configuration based on the
// provided options
func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
client, err := etcd.EtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
}
etcdClient, err := etcd.MakeNewEtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
}
groupVersion := unversioned.GroupVersion{Group: "", Version: options.EtcdStorageConfig.OpenShiftStorageVersion}
etcdHelper, err := NewEtcdStorage(etcdClient, groupVersion, options.EtcdStorageConfig.OpenShiftStoragePrefix)
if err != nil {
return nil, fmt.Errorf("Error setting up server storage: %v", err)
}
restOptsGetter := restoptions.NewConfigGetter(options)
clientCAs, err := configapi.GetClientCertCAPool(options)
if err != nil {
return nil, err
}
apiClientCAs, err := configapi.GetAPIClientCertCAPool(options)
if err != nil {
return nil, err
}
privilegedLoopbackKubeClient, _, err := configapi.GetKubeClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
if err != nil {
return nil, err
}
privilegedLoopbackOpenShiftClient, privilegedLoopbackClientConfig, err := configapi.GetOpenShiftClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
if err != nil {
return nil, err
}
customListerWatchers := shared.DefaultListerWatcherOverrides{}
if err := addAuthorizationListerWatchers(customListerWatchers, restOptsGetter); err != nil {
return nil, err
}
informerFactory := shared.NewInformerFactory(privilegedLoopbackKubeClient, privilegedLoopbackOpenShiftClient, customListerWatchers, 10*time.Minute)
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
requestContextMapper := kapi.NewRequestContextMapper()
groupStorage, err := groupstorage.NewREST(restOptsGetter)
if err != nil {
return nil, err
}
groupCache := usercache.NewGroupCache(groupregistry.NewRegistry(groupStorage))
projectCache := projectcache.NewProjectCache(privilegedLoopbackKubeClient.Namespaces(), options.ProjectConfig.DefaultNodeSelector)
clusterQuotaMappingController := clusterquotamapping.NewClusterQuotaMappingController(informerFactory.Namespaces(), informerFactory.ClusterResourceQuotas())
kubeletClientConfig := configapi.GetKubeletClientConfig(options)
// in-order list of plug-ins that should intercept admission decisions (origin only intercepts)
admissionControlPluginNames := []string{
"ProjectRequestLimit",
"OriginNamespaceLifecycle",
"PodNodeConstraints",
"JenkinsBootstrapper",
"BuildByStrategy",
imageadmission.PluginName,
quotaadmission.PluginName,
}
if len(options.AdmissionConfig.PluginOrderOverride) > 0 {
admissionControlPluginNames = options.AdmissionConfig.PluginOrderOverride
}
quotaRegistry := quota.NewOriginQuotaRegistry(privilegedLoopbackOpenShiftClient)
ruleResolver := rulevalidation.NewDefaultRuleResolver(
informerFactory.Policies().Lister(),
informerFactory.PolicyBindings().Lister(),
informerFactory.ClusterPolicies().Lister().ClusterPolicies(),
informerFactory.ClusterPolicyBindings().Lister().ClusterPolicyBindings(),
)
authorizer := newAuthorizer(ruleResolver, informerFactory, options.ProjectConfig.ProjectRequestMessage)
pluginInitializer := oadmission.PluginInitializer{
OpenshiftClient: privilegedLoopbackOpenShiftClient,
ProjectCache: projectCache,
OriginQuotaRegistry: quotaRegistry,
Authorizer: authorizer,
JenkinsPipelineConfig: options.JenkinsPipelineConfig,
RESTClientConfig: *privilegedLoopbackClientConfig,
}
plugins := []admission.Interface{}
clientsetClient := clientadapter.FromUnversionedClient(privilegedLoopbackKubeClient)
for _, pluginName := range admissionControlPluginNames {
configFile, err := pluginconfig.GetPluginConfig(options.AdmissionConfig.PluginConfig[pluginName])
if err != nil {
return nil, err
}
plugin := admission.InitPlugin(pluginName, clientsetClient, configFile)
if plugin != nil {
plugins = append(plugins, plugin)
}
}
pluginInitializer.Initialize(plugins)
// ensure that plugins have been properly initialized
if err := oadmission.Validate(plugins); err != nil {
return nil, err
}
admissionController := admission.NewChainHandler(plugins...)
// TODO: look up storage by resource
serviceAccountTokenGetter, err := newServiceAccountTokenGetter(options, etcdClient)
if err != nil {
return nil, err
}
authenticator, err := newAuthenticator(options, restOptsGetter, serviceAccountTokenGetter, apiClientCAs, groupCache)
if err != nil {
return nil, err
}
plug, plugStart := newControllerPlug(options, client)
config := &MasterConfig{
Options: options,
RESTOptionsGetter: restOptsGetter,
RuleResolver: ruleResolver,
Authenticator: authenticator,
Authorizer: authorizer,
AuthorizationAttributeBuilder: newAuthorizationAttributeBuilder(requestContextMapper),
GroupCache: groupCache,
ProjectAuthorizationCache: newProjectAuthorizationCache(authorizer, privilegedLoopbackKubeClient, informerFactory),
ProjectCache: projectCache,
ClusterQuotaMappingController: clusterQuotaMappingController,
RequestContextMapper: requestContextMapper,
AdmissionControl: admissionController,
TLS: configapi.UseTLS(options.ServingInfo.ServingInfo),
ControllerPlug: plug,
ControllerPlugStart: plugStart,
ImageFor: imageTemplate.ExpandOrDie,
EtcdHelper: etcdHelper,
KubeletClientConfig: kubeletClientConfig,
ClientCAs: clientCAs,
APIClientCAs: apiClientCAs,
PluginInitializer: pluginInitializer,
PrivilegedLoopbackClientConfig: *privilegedLoopbackClientConfig,
PrivilegedLoopbackOpenShiftClient: privilegedLoopbackOpenShiftClient,
PrivilegedLoopbackKubernetesClient: privilegedLoopbackKubeClient,
Informers: informerFactory,
}
return config, nil
}
func BuildKubernetesNodeConfig(options configapi.NodeConfig, enableProxy, enableDNS bool) (*NodeConfig, error) {
originClient, _, err := configapi.GetOpenShiftClient(options.MasterKubeConfig, options.MasterClientConnectionOverrides)
if err != nil {
return nil, err
}
_, kubeClient, _, err := configapi.GetKubeClient(options.MasterKubeConfig, options.MasterClientConnectionOverrides)
if err != nil {
return nil, err
}
// Make a separate client for event reporting, to avoid event QPS blocking node calls
_, eventClient, _, err := configapi.GetKubeClient(options.MasterKubeConfig, options.MasterClientConnectionOverrides)
if err != nil {
return nil, err
}
if options.NodeName == "localhost" {
glog.Warningf(`Using "localhost" as node name will not resolve from all locations`)
}
clientCAs, err := kcrypto.CertPoolFromFile(options.ServingInfo.ClientCA)
if err != nil {
return nil, err
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
var path string
var fileCheckInterval int64
if options.PodManifestConfig != nil {
path = options.PodManifestConfig.Path
fileCheckInterval = options.PodManifestConfig.FileCheckIntervalSeconds
}
kubeAddressStr, kubePortStr, err := net.SplitHostPort(options.ServingInfo.BindAddress)
if err != nil {
return nil, fmt.Errorf("cannot parse node address: %v", err)
}
kubePort, err := strconv.Atoi(kubePortStr)
if err != nil {
return nil, fmt.Errorf("cannot parse node port: %v", err)
}
if err = validateNetworkPluginName(originClient, options.NetworkConfig.NetworkPluginName); err != nil {
return nil, err
}
// Defaults are tested in TestKubeletDefaults
server := kubeletoptions.NewKubeletServer()
// Adjust defaults
server.RequireKubeConfig = true
server.PodManifestPath = path
server.RootDirectory = options.VolumeDirectory
server.NodeIP = options.NodeIP
server.HostnameOverride = options.NodeName
server.AllowPrivileged = true
server.RegisterNode = true
server.Address = kubeAddressStr
server.Port = int32(kubePort)
server.ReadOnlyPort = 0 // no read only access
server.CAdvisorPort = 0 // no unsecured cadvisor access
server.HealthzPort = 0 // no unsecured healthz access
server.HealthzBindAddress = "" // no unsecured healthz access
server.ClusterDNS = options.DNSIP
server.ClusterDomain = options.DNSDomain
server.NetworkPluginName = options.NetworkConfig.NetworkPluginName
server.HostNetworkSources = []string{kubelettypes.ApiserverSource, kubelettypes.FileSource}
server.HostPIDSources = []string{kubelettypes.ApiserverSource, kubelettypes.FileSource}
server.HostIPCSources = []string{kubelettypes.ApiserverSource, kubelettypes.FileSource}
server.HTTPCheckFrequency = unversioned.Duration{Duration: time.Duration(0)} // no remote HTTP pod creation access
server.FileCheckFrequency = unversioned.Duration{Duration: time.Duration(fileCheckInterval) * time.Second}
server.PodInfraContainerImage = imageTemplate.ExpandOrDie("pod")
server.CPUCFSQuota = true // enable cpu cfs quota enforcement by default
server.MaxPods = 250
server.PodsPerCore = 10
server.SerializeImagePulls = false // disable serialized image pulls by default
server.EnableControllerAttachDetach = false // stay consistent with existing config, but admins should enable it
if enableDNS {
// if we are running local DNS, skydns will load the default recursive nameservers for us
server.ResolverConfig = ""
}
server.DockerExecHandlerName = string(options.DockerConfig.ExecHandlerName)
if sdnapi.IsOpenShiftNetworkPlugin(server.NetworkPluginName) {
// set defaults for openshift-sdn
server.HairpinMode = componentconfig.HairpinNone
server.ConfigureCBR0 = false
}
// prevents kube from generating certs
server.TLSCertFile = options.ServingInfo.ServerCert.CertFile
server.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
containerized := cmdutil.Env("OPENSHIFT_CONTAINERIZED", "") == "true"
server.Containerized = containerized
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {
return nil, kerrors.NewAggregate(err)
}
proxyconfig, err := buildKubeProxyConfig(options)
if err != nil {
return nil, err
}
// Initialize SDN before building kubelet config so it can modify options
iptablesSyncPeriod, err := time.ParseDuration(options.IPTablesSyncPeriod)
if err != nil {
return nil, fmt.Errorf("Cannot parse the provided ip-tables sync period (%s) : %v", options.IPTablesSyncPeriod, err)
}
sdnPlugin, err := sdnplugin.NewNodePlugin(options.NetworkConfig.NetworkPluginName, originClient, kubeClient, options.NodeName, options.NodeIP, iptablesSyncPeriod, options.NetworkConfig.MTU)
if err != nil {
return nil, fmt.Errorf("SDN initialization failed: %v", err)
}
if sdnPlugin != nil {
// SDN plugin pod setup/teardown is implemented as a CNI plugin
server.NetworkPluginName = kubeletcni.CNIPluginName
server.NetworkPluginDir = kubeletcni.DefaultNetDir
server.HairpinMode = componentconfig.HairpinNone
server.ConfigureCBR0 = false
}
deps, err := kubeletapp.UnsecuredKubeletDeps(server)
if err != nil {
return nil, err
}
// Initialize cloud provider
cloud, err := buildCloudProvider(server)
if err != nil {
return nil, err
}
deps.Cloud = cloud
// Replace the kubelet-created CNI plugin with the SDN plugin
// Kubelet must be initialized with NetworkPluginName="cni" but
// the SDN plugin (if available) needs to be the only one used
if sdnPlugin != nil {
deps.NetworkPlugins = []kubeletnetwork.NetworkPlugin{sdnPlugin}
}
// provide any config overrides
//deps.NodeName = options.NodeName
deps.KubeClient = kubeClient
deps.EventClient = eventClient
// Setup auth
authnTTL, err := time.ParseDuration(options.AuthConfig.AuthenticationCacheTTL)
if err != nil {
return nil, err
}
authn, err := newAuthenticator(kubeClient.Authentication(), clientCAs, authnTTL, options.AuthConfig.AuthenticationCacheSize)
if err != nil {
return nil, err
}
authzAttr, err := newAuthorizerAttributesGetter(options.NodeName)
if err != nil {
return nil, err
}
authzTTL, err := time.ParseDuration(options.AuthConfig.AuthorizationCacheTTL)
if err != nil {
return nil, err
}
authz, err := newAuthorizer(originClient, authzTTL, options.AuthConfig.AuthorizationCacheSize)
if err != nil {
return nil, err
}
deps.Auth = kubeletserver.NewKubeletAuth(authn, authzAttr, authz)
// TODO: could be cleaner
if configapi.UseTLS(options.ServingInfo) {
extraCerts, err := configapi.GetNamedCertificateMap(options.ServingInfo.NamedCertificates)
if err != nil {
return nil, err
}
deps.TLSOptions = &kubeletserver.TLSOptions{
Config: crypto.SecureTLSConfig(&tls.Config{
// RequestClientCert lets us request certs, but allow requests without client certs
// Verification is done by the authn layer
ClientAuth: tls.RequestClientCert,
ClientCAs: clientCAs,
// Set SNI certificate func
// Do not use NameToCertificate, since that requires certificates be included in the server's tlsConfig.Certificates list,
// which we do not control when running with http.Server#ListenAndServeTLS
GetCertificate: cmdutil.GetCertificateFunc(extraCerts),
}),
CertFile: options.ServingInfo.ServerCert.CertFile,
KeyFile: options.ServingInfo.ServerCert.KeyFile,
}
} else {
deps.TLSOptions = nil
}
sdnProxy, err := sdnplugin.NewProxyPlugin(options.NetworkConfig.NetworkPluginName, originClient, kubeClient)
if err != nil {
return nil, fmt.Errorf("SDN proxy initialization failed: %v", err)
}
config := &NodeConfig{
BindAddress: options.ServingInfo.BindAddress,
AllowDisabledDocker: options.AllowDisabledDocker,
Containerized: containerized,
Client: kubeClient,
VolumeDir: options.VolumeDirectory,
KubeletServer: server,
KubeletDeps: deps,
ServicesReady: make(chan struct{}),
ProxyConfig: proxyconfig,
EnableUnidling: options.EnableUnidling,
SDNPlugin: sdnPlugin,
SDNProxy: sdnProxy,
}
if enableDNS {
dnsConfig, err := dns.NewServerDefaults()
if err != nil {
return nil, fmt.Errorf("DNS configuration was not possible: %v", err)
}
if len(options.DNSIP) > 0 {
dnsConfig.DnsAddr = options.DNSIP + ":53"
}
dnsConfig.Domain = server.ClusterDomain + "."
dnsConfig.Local = "openshift.default.svc." + dnsConfig.Domain
services, serviceStore := dns.NewCachedServiceAccessorAndStore()
endpoints, endpointsStore := dns.NewCachedEndpointsAccessorAndStore()
if !enableProxy {
endpoints = deps.KubeClient
endpointsStore = nil
}
// TODO: use kubeletConfig.ResolverConfig as an argument to etcd in the event the
// user sets it, instead of passing it to the kubelet.
config.ServiceStore = serviceStore
config.EndpointsStore = endpointsStore
config.DNSServer = &dns.Server{
Config: dnsConfig,
Services: services,
Endpoints: endpoints,
MetricsName: "node",
}
}
return config, nil
}
func BuildKubernetesNodeConfig(options configapi.NodeConfig) (*NodeConfig, error) {
kubeClient, _, err := configapi.GetKubeClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
if options.NodeName == "localhost" {
glog.Warningf(`Using "localhost" as node name will not resolve from all locations`)
}
var dnsIP net.IP
if len(options.DNSIP) > 0 {
dnsIP = net.ParseIP(options.DNSIP)
if dnsIP == nil {
return nil, fmt.Errorf("Invalid DNS IP: %s", options.DNSIP)
}
}
clientCAs, err := util.CertPoolFromFile(options.ServingInfo.ClientCA)
if err != nil {
return nil, err
}
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
var path string
var fileCheckInterval int64
if options.PodManifestConfig != nil {
path = options.PodManifestConfig.Path
fileCheckInterval = options.PodManifestConfig.FileCheckIntervalSeconds
}
var dockerExecHandler dockertools.ExecHandler
switch options.DockerConfig.ExecHandlerName {
case configapi.DockerExecHandlerNative:
dockerExecHandler = &dockertools.NativeExecHandler{}
case configapi.DockerExecHandlerNsenter:
dockerExecHandler = &dockertools.NsenterExecHandler{}
}
kubeAddressStr, kubePortStr, err := net.SplitHostPort(options.ServingInfo.BindAddress)
if err != nil {
return nil, fmt.Errorf("cannot parse node address: %v", err)
}
kubePort, err := strconv.Atoi(kubePortStr)
if err != nil {
return nil, fmt.Errorf("cannot parse node port: %v", err)
}
kubeAddress := net.ParseIP(kubeAddressStr)
if kubeAddress == nil {
return nil, fmt.Errorf("Invalid DNS IP: %s", kubeAddressStr)
}
// declare the OpenShift defaults from config
server := kapp.NewKubeletServer()
server.Config = path
server.RootDirectory = options.VolumeDirectory
// kubelet finds the node IP address by doing net.ParseIP(hostname) and if that fails,
// it does net.LookupIP(NodeName) and picks the first non-loopback address.
// Pass node IP as hostname to make kubelet use the desired IP address.
if len(options.NodeIP) > 0 {
server.HostnameOverride = options.NodeIP
} else {
server.HostnameOverride = options.NodeName
}
server.AllowPrivileged = true
server.RegisterNode = true
server.Address = kubeAddress
server.Port = uint(kubePort)
server.ReadOnlyPort = 0 // no read only access
server.CAdvisorPort = 0 // no unsecured cadvisor access
server.HealthzPort = 0 // no unsecured healthz access
server.ClusterDNS = dnsIP
server.ClusterDomain = options.DNSDomain
server.NetworkPluginName = options.NetworkConfig.NetworkPluginName
server.HostNetworkSources = strings.Join([]string{kubelettypes.ApiserverSource, kubelettypes.FileSource}, ",")
server.HostPIDSources = strings.Join([]string{kubelettypes.ApiserverSource, kubelettypes.FileSource}, ",")
server.HostIPCSources = strings.Join([]string{kubelettypes.ApiserverSource, kubelettypes.FileSource}, ",")
server.HTTPCheckFrequency = 0 // no remote HTTP pod creation access
server.FileCheckFrequency = time.Duration(fileCheckInterval) * time.Second
server.PodInfraContainerImage = imageTemplate.ExpandOrDie("pod")
server.CPUCFSQuota = true // enable cpu cfs quota enforcement by default
// prevents kube from generating certs
server.TLSCertFile = options.ServingInfo.ServerCert.CertFile
server.TLSPrivateKeyFile = options.ServingInfo.ServerCert.KeyFile
if value := cmdutil.Env("OPENSHIFT_CONTAINERIZED", ""); len(value) > 0 {
server.Containerized = value == "true"
}
// resolve extended arguments
// TODO: this should be done in config validation (along with the above) so we can provide
// proper errors
if err := cmdflags.Resolve(options.KubeletArguments, server.AddFlags); len(err) > 0 {
return nil, errors.NewAggregate(err)
}
cfg, err := server.UnsecuredKubeletConfig()
if err != nil {
return nil, err
}
// provide any config overrides
cfg.NodeName = options.NodeName
cfg.StreamingConnectionIdleTimeout = 5 * time.Minute // TODO: should be set
cfg.KubeClient = kubeClient
cfg.DockerExecHandler = dockerExecHandler
// Setup auth
osClient, osClientConfig, err := configapi.GetOpenShiftClient(options.MasterKubeConfig)
if err != nil {
return nil, err
}
authnTTL, err := time.ParseDuration(options.AuthConfig.AuthenticationCacheTTL)
if err != nil {
return nil, err
}
authn, err := newAuthenticator(clientCAs, clientcmd.AnonymousClientConfig(*osClientConfig), authnTTL, options.AuthConfig.AuthenticationCacheSize)
if err != nil {
return nil, err
}
authzAttr, err := newAuthorizerAttributesGetter(options.NodeName)
if err != nil {
return nil, err
}
authzTTL, err := time.ParseDuration(options.AuthConfig.AuthorizationCacheTTL)
if err != nil {
return nil, err
}
authz, err := newAuthorizer(osClient, authzTTL, options.AuthConfig.AuthorizationCacheSize)
if err != nil {
return nil, err
}
cfg.Auth = kubelet.NewKubeletAuth(authn, authzAttr, authz)
// Make sure the node doesn't think it is in standalone mode
// This is required for the node to enforce nodeSelectors on pods, to set hostIP on pod status updates, etc
cfg.StandaloneMode = false
// TODO: could be cleaner
if configapi.UseTLS(options.ServingInfo) {
extraCerts, err := configapi.GetNamedCertificateMap(options.ServingInfo.NamedCertificates)
if err != nil {
return nil, err
}
cfg.TLSOptions = &kubelet.TLSOptions{
Config: crypto.SecureTLSConfig(&tls.Config{
// RequestClientCert lets us request certs, but allow requests without client certs
// Verification is done by the authn layer
ClientAuth: tls.RequestClientCert,
ClientCAs: clientCAs,
// Set SNI certificate func
// Do not use NameToCertificate, since that requires certificates be included in the server's tlsConfig.Certificates list,
// which we do not control when running with http.Server#ListenAndServeTLS
GetCertificate: cmdutil.GetCertificateFunc(extraCerts),
}),
CertFile: options.ServingInfo.ServerCert.CertFile,
KeyFile: options.ServingInfo.ServerCert.KeyFile,
}
} else {
cfg.TLSOptions = nil
}
// Prepare cloud provider
cloud, err := cloudprovider.InitCloudProvider(server.CloudProvider, server.CloudConfigFile)
if err != nil {
return nil, err
}
if cloud != nil {
glog.V(2).Infof("Successfully initialized cloud provider: %q from the config file: %q\n", server.CloudProvider, server.CloudConfigFile)
}
cfg.Cloud = cloud
config := &NodeConfig{
BindAddress: options.ServingInfo.BindAddress,
AllowDisabledDocker: options.AllowDisabledDocker,
Client: kubeClient,
VolumeDir: options.VolumeDirectory,
KubeletServer: server,
KubeletConfig: cfg,
IPTablesSyncPeriod: options.IPTablesSyncPeriod,
}
return config, nil
}
// BuildMasterConfig builds and returns the OpenShift master configuration based on the
// provided options
func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
client, err := etcd.EtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
}
etcdClient, err := etcd.MakeNewEtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
}
groupVersion := unversioned.GroupVersion{Group: "", Version: options.EtcdStorageConfig.OpenShiftStorageVersion}
etcdHelper, err := NewEtcdStorage(etcdClient, groupVersion, options.EtcdStorageConfig.OpenShiftStoragePrefix)
if err != nil {
return nil, fmt.Errorf("Error setting up server storage: %v", err)
}
restOptsGetter := restoptions.NewConfigGetter(options)
clientCAs, err := configapi.GetClientCertCAPool(options)
if err != nil {
return nil, err
}
apiClientCAs, err := configapi.GetAPIClientCertCAPool(options)
if err != nil {
return nil, err
}
privilegedLoopbackKubeClient, _, err := configapi.GetKubeClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
if err != nil {
return nil, err
}
privilegedLoopbackOpenShiftClient, privilegedLoopbackClientConfig, err := configapi.GetOpenShiftClient(options.MasterClients.OpenShiftLoopbackKubeConfig)
if err != nil {
return nil, err
}
customListerWatchers := shared.DefaultListerWatcherOverrides{}
if err := addAuthorizationListerWatchers(customListerWatchers, restOptsGetter); err != nil {
return nil, err
}
informerFactory := shared.NewInformerFactory(privilegedLoopbackKubeClient, privilegedLoopbackOpenShiftClient, customListerWatchers, 10*time.Minute)
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
requestContextMapper := kapi.NewRequestContextMapper()
groupStorage, err := groupstorage.NewREST(restOptsGetter)
if err != nil {
return nil, err
}
groupCache := usercache.NewGroupCache(groupregistry.NewRegistry(groupStorage))
projectCache := projectcache.NewProjectCache(privilegedLoopbackKubeClient.Namespaces(), options.ProjectConfig.DefaultNodeSelector)
clusterQuotaMappingController := clusterquotamapping.NewClusterQuotaMappingController(informerFactory.Namespaces(), informerFactory.ClusterResourceQuotas())
kubeletClientConfig := configapi.GetKubeletClientConfig(options)
kubeClientSet := clientadapter.FromUnversionedClient(privilegedLoopbackKubeClient)
quotaRegistry := quota.NewAllResourceQuotaRegistry(privilegedLoopbackOpenShiftClient, kubeClientSet)
ruleResolver := rulevalidation.NewDefaultRuleResolver(
informerFactory.Policies().Lister(),
informerFactory.PolicyBindings().Lister(),
informerFactory.ClusterPolicies().Lister().ClusterPolicies(),
informerFactory.ClusterPolicyBindings().Lister().ClusterPolicyBindings(),
)
authorizer := newAuthorizer(ruleResolver, informerFactory, options.ProjectConfig.ProjectRequestMessage)
pluginInitializer := oadmission.PluginInitializer{
OpenshiftClient: privilegedLoopbackOpenShiftClient,
ProjectCache: projectCache,
OriginQuotaRegistry: quotaRegistry,
Authorizer: authorizer,
JenkinsPipelineConfig: options.JenkinsPipelineConfig,
RESTClientConfig: *privilegedLoopbackClientConfig,
Informers: informerFactory,
ClusterQuotaMapper: clusterQuotaMappingController.GetClusterQuotaMapper(),
}
originAdmission, kubeAdmission, err := buildAdmissionChains(options, kubeClientSet, pluginInitializer)
// TODO: look up storage by resource
serviceAccountTokenGetter, err := newServiceAccountTokenGetter(options, etcdClient)
if err != nil {
return nil, err
}
authenticator, err := newAuthenticator(options, restOptsGetter, serviceAccountTokenGetter, apiClientCAs, groupCache)
if err != nil {
return nil, err
}
plug, plugStart := newControllerPlug(options, client)
config := &MasterConfig{
Options: options,
RESTOptionsGetter: restOptsGetter,
RuleResolver: ruleResolver,
Authenticator: authenticator,
Authorizer: authorizer,
AuthorizationAttributeBuilder: newAuthorizationAttributeBuilder(requestContextMapper),
GroupCache: groupCache,
ProjectAuthorizationCache: newProjectAuthorizationCache(authorizer, privilegedLoopbackKubeClient, informerFactory),
ProjectCache: projectCache,
ClusterQuotaMappingController: clusterQuotaMappingController,
RequestContextMapper: requestContextMapper,
AdmissionControl: originAdmission,
KubeAdmissionControl: kubeAdmission,
TLS: configapi.UseTLS(options.ServingInfo.ServingInfo),
ControllerPlug: plug,
ControllerPlugStart: plugStart,
ImageFor: imageTemplate.ExpandOrDie,
EtcdHelper: etcdHelper,
KubeletClientConfig: kubeletClientConfig,
ClientCAs: clientCAs,
APIClientCAs: apiClientCAs,
PrivilegedLoopbackClientConfig: *privilegedLoopbackClientConfig,
PrivilegedLoopbackOpenShiftClient: privilegedLoopbackOpenShiftClient,
PrivilegedLoopbackKubernetesClient: privilegedLoopbackKubeClient,
Informers: informerFactory,
}
return config, nil
}
// BuildMasterConfig builds and returns the OpenShift master configuration based on the
// provided options
func BuildMasterConfig(options configapi.MasterConfig) (*MasterConfig, error) {
client, err := etcd.MakeEtcdClient(options.EtcdClientInfo)
if err != nil {
return nil, err
}
restOptsGetter := originrest.StorageOptions(options)
clientCAs, err := configapi.GetClientCertCAPool(options)
if err != nil {
return nil, err
}
apiClientCAs, err := configapi.GetAPIClientCertCAPool(options)
if err != nil {
return nil, err
}
privilegedLoopbackKubeClient, _, err := configapi.GetKubeClient(options.MasterClients.OpenShiftLoopbackKubeConfig, options.MasterClients.OpenShiftLoopbackClientConnectionOverrides)
if err != nil {
return nil, err
}
privilegedLoopbackOpenShiftClient, privilegedLoopbackClientConfig, err := configapi.GetOpenShiftClient(options.MasterClients.OpenShiftLoopbackKubeConfig, options.MasterClients.OpenShiftLoopbackClientConnectionOverrides)
if err != nil {
return nil, err
}
customListerWatchers := shared.DefaultListerWatcherOverrides{}
if err := addAuthorizationListerWatchers(customListerWatchers, restOptsGetter); err != nil {
return nil, err
}
informerFactory := shared.NewInformerFactory(privilegedLoopbackKubeClient, privilegedLoopbackOpenShiftClient, customListerWatchers, 10*time.Minute)
imageTemplate := variable.NewDefaultImageTemplate()
imageTemplate.Format = options.ImageConfig.Format
imageTemplate.Latest = options.ImageConfig.Latest
defaultRegistry := env("OPENSHIFT_DEFAULT_REGISTRY", "${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT}")
svcCache := service.NewServiceResolverCache(privilegedLoopbackKubeClient.Services(kapi.NamespaceDefault).Get)
defaultRegistryFunc, err := svcCache.Defer(defaultRegistry)
if err != nil {
return nil, fmt.Errorf("OPENSHIFT_DEFAULT_REGISTRY variable is invalid %q: %v", defaultRegistry, err)
}
requestContextMapper := kapi.NewRequestContextMapper()
groupStorage, err := groupstorage.NewREST(restOptsGetter)
if err != nil {
return nil, err
}
groupCache := usercache.NewGroupCache(groupregistry.NewRegistry(groupStorage))
projectCache := projectcache.NewProjectCache(privilegedLoopbackKubeClient.Namespaces(), options.ProjectConfig.DefaultNodeSelector)
clusterQuotaMappingController := clusterquotamapping.NewClusterQuotaMappingController(informerFactory.Namespaces(), informerFactory.ClusterResourceQuotas())
kubeletClientConfig := configapi.GetKubeletClientConfig(options)
kubeClientSet := clientadapter.FromUnversionedClient(privilegedLoopbackKubeClient)
quotaRegistry := quota.NewAllResourceQuotaRegistry(privilegedLoopbackOpenShiftClient, kubeClientSet)
ruleResolver := rulevalidation.NewDefaultRuleResolver(
informerFactory.Policies().Lister(),
informerFactory.PolicyBindings().Lister(),
informerFactory.ClusterPolicies().Lister().ClusterPolicies(),
informerFactory.ClusterPolicyBindings().Lister().ClusterPolicyBindings(),
)
authorizer := newAuthorizer(ruleResolver, informerFactory, options.ProjectConfig.ProjectRequestMessage)
pluginInitializer := oadmission.PluginInitializer{
OpenshiftClient: privilegedLoopbackOpenShiftClient,
ProjectCache: projectCache,
OriginQuotaRegistry: quotaRegistry,
Authorizer: authorizer,
JenkinsPipelineConfig: options.JenkinsPipelineConfig,
RESTClientConfig: *privilegedLoopbackClientConfig,
Informers: informerFactory,
ClusterQuotaMapper: clusterQuotaMappingController.GetClusterQuotaMapper(),
DefaultRegistryFn: imageapi.DefaultRegistryFunc(defaultRegistryFunc),
}
originAdmission, kubeAdmission, err := buildAdmissionChains(options, kubeClientSet, pluginInitializer)
if err != nil {
return nil, err
}
serviceAccountTokenGetter, err := newServiceAccountTokenGetter(options)
if err != nil {
return nil, err
}
authenticator, err := newAuthenticator(options, restOptsGetter, serviceAccountTokenGetter, apiClientCAs, groupCache)
if err != nil {
return nil, err
}
plug, plugStart := newControllerPlug(options, client)
config := &MasterConfig{
Options: options,
RESTOptionsGetter: restOptsGetter,
RuleResolver: ruleResolver,
Authenticator: authenticator,
Authorizer: authorizer,
AuthorizationAttributeBuilder: newAuthorizationAttributeBuilder(requestContextMapper),
GroupCache: groupCache,
ProjectAuthorizationCache: newProjectAuthorizationCache(authorizer, privilegedLoopbackKubeClient, informerFactory),
ProjectCache: projectCache,
ClusterQuotaMappingController: clusterQuotaMappingController,
RequestContextMapper: requestContextMapper,
AdmissionControl: originAdmission,
KubeAdmissionControl: kubeAdmission,
TLS: configapi.UseTLS(options.ServingInfo.ServingInfo),
ControllerPlug: plug,
ControllerPlugStart: plugStart,
ImageFor: imageTemplate.ExpandOrDie,
RegistryNameFn: imageapi.DefaultRegistryFunc(defaultRegistryFunc),
// TODO: migration of versions of resources stored in annotations must be sorted out
ExternalVersionCodec: kapi.Codecs.LegacyCodec(unversioned.GroupVersion{Group: "", Version: "v1"}),
KubeletClientConfig: kubeletClientConfig,
ClientCAs: clientCAs,
APIClientCAs: apiClientCAs,
PrivilegedLoopbackClientConfig: *privilegedLoopbackClientConfig,
PrivilegedLoopbackOpenShiftClient: privilegedLoopbackOpenShiftClient,
PrivilegedLoopbackKubernetesClient: privilegedLoopbackKubeClient,
Informers: informerFactory,
}
// ensure that the limit range informer will be started
informer := config.Informers.LimitRanges().Informer()
config.LimitVerifier = imageadmission.NewLimitVerifier(imageadmission.LimitRangesForNamespaceFunc(func(ns string) ([]*kapi.LimitRange, error) {
list, err := config.Informers.LimitRanges().Lister().LimitRanges(ns).List(labels.Everything())
if err != nil {
return nil, err
}
// the verifier must return an error
if len(list) == 0 && len(informer.LastSyncResourceVersion()) == 0 {
glog.V(4).Infof("LimitVerifier still waiting for ranges to load: %#v", informer)
forbiddenErr := kapierrors.NewForbidden(unversioned.GroupResource{Resource: "limitranges"}, "", fmt.Errorf("the server is still loading limit information"))
forbiddenErr.ErrStatus.Details.RetryAfterSeconds = 1
return nil, forbiddenErr
}
return list, nil
}))
return config, nil
}
// NewCmdRouter implements the OpenShift CLI router command.
func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out, errout io.Writer) *cobra.Command {
cfg := &RouterConfig{
Name: "router",
ImageTemplate: variable.NewDefaultImageTemplate(),
ServiceAccount: "router",
Labels: defaultLabel,
Ports: defaultPorts,
Replicas: 1,
StatsUsername: "******",
StatsPort: defaultStatsPort,
HostNetwork: true,
HostPorts: true,
}
cmd := &cobra.Command{
Use: fmt.Sprintf("%s [NAME]", name),
Short: "Install a router",
Long: routerLong,
Example: fmt.Sprintf(routerExample, parentName, name),
Run: func(cmd *cobra.Command, args []string) {
err := RunCmdRouter(f, cmd, out, errout, cfg, args)
if err != cmdutil.ErrExit {
kcmdutil.CheckErr(err)
} else {
os.Exit(1)
}
},
}
cmd.Flags().StringVar(&cfg.Type, "type", "haproxy-router", "The type of router to use - if you specify --images this flag may be ignored.")
cmd.Flags().StringVar(&cfg.Subdomain, "subdomain", "", "The template for the route subdomain exposed by this router, used for routes that are not externally specified. E.g. '${name}-${namespace}.apps.mycompany.com'")
cmd.Flags().StringVar(&cfg.ForceSubdomain, "force-subdomain", "", "A router path format to force on all routes used by this router (will ignore the route host value)")
cmd.Flags().StringVar(&cfg.ImageTemplate.Format, "images", cfg.ImageTemplate.Format, "The image to base this router on - ${component} will be replaced with --type")
cmd.Flags().BoolVar(&cfg.ImageTemplate.Latest, "latest-images", cfg.ImageTemplate.Latest, "If true, attempt to use the latest images for the router instead of the latest release.")
cmd.Flags().StringVar(&cfg.Ports, "ports", cfg.Ports, "A comma delimited list of ports or port pairs to expose on the router pod. The default is set for HAProxy. Port pairs are applied to the service and to host ports (if specified).")
cmd.Flags().Int32Var(&cfg.Replicas, "replicas", cfg.Replicas, "The replication factor of the router; commonly 2 when high availability is desired.")
cmd.Flags().StringVar(&cfg.Labels, "labels", cfg.Labels, "A set of labels to uniquely identify the router and its components.")
cmd.Flags().BoolVar(&cfg.SecretsAsEnv, "secrets-as-env", cfg.SecretsAsEnv, "Use environment variables for master secrets.")
cmd.Flags().Bool("create", false, "deprecated; this is now the default behavior")
cmd.Flags().StringVar(&cfg.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.")
cmd.Flags().StringVar(&cfg.DefaultCertificate, "default-cert", cfg.DefaultCertificate, "Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.")
cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run routers on a specific set of nodes.")
cmd.Flags().StringVar(&cfg.ServiceAccount, "service-account", cfg.ServiceAccount, "Name of the service account to use to run the router pod.")
cmd.Flags().IntVar(&cfg.StatsPort, "stats-port", cfg.StatsPort, "If the underlying router implementation can provide statistics this is a hint to expose it on this port. Specify 0 if you want to turn off exposing the statistics.")
cmd.Flags().StringVar(&cfg.StatsPassword, "stats-password", cfg.StatsPassword, "If the underlying router implementation can provide statistics this is the requested password for auth. If not set a password will be generated.")
cmd.Flags().StringVar(&cfg.StatsUsername, "stats-user", cfg.StatsUsername, "If the underlying router implementation can provide statistics this is the requested username for auth.")
cmd.Flags().BoolVar(&cfg.ExposeMetrics, "expose-metrics", cfg.ExposeMetrics, "This is a hint to run an extra container in the pod to expose metrics - the image will either be set depending on the router implementation or provided with --metrics-image.")
cmd.Flags().StringVar(&cfg.MetricsImage, "metrics-image", cfg.MetricsImage, "If --expose-metrics is specified this is the image to use to run a sidecar container in the pod exposing metrics. If not set and --expose-metrics is true the image will depend on router implementation.")
cmd.Flags().BoolVar(&cfg.HostNetwork, "host-network", cfg.HostNetwork, "If true (the default), then use host networking rather than using a separate container network stack.")
cmd.Flags().BoolVar(&cfg.HostPorts, "host-ports", cfg.HostPorts, "If true (the default), when not using host networking host ports will be exposed.")
cmd.Flags().StringVar(&cfg.ExternalHost, "external-host", cfg.ExternalHost, "If the underlying router implementation connects with an external host, this is the external host's hostname.")
cmd.Flags().StringVar(&cfg.ExternalHostUsername, "external-host-username", cfg.ExternalHostUsername, "If the underlying router implementation connects with an external host, this is the username for authenticating with the external host.")
cmd.Flags().StringVar(&cfg.ExternalHostPassword, "external-host-password", cfg.ExternalHostPassword, "If the underlying router implementation connects with an external host, this is the password for authenticating with the external host.")
cmd.Flags().StringVar(&cfg.ExternalHostHttpVserver, "external-host-http-vserver", cfg.ExternalHostHttpVserver, "If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTP connections.")
cmd.Flags().StringVar(&cfg.ExternalHostHttpsVserver, "external-host-https-vserver", cfg.ExternalHostHttpsVserver, "If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTPS connections.")
cmd.Flags().StringVar(&cfg.ExternalHostPrivateKey, "external-host-private-key", cfg.ExternalHostPrivateKey, "If the underlying router implementation requires an SSH private key, this is the path to the private key file.")
cmd.Flags().StringVar(&cfg.ExternalHostInternalIP, "external-host-internal-ip", cfg.ExternalHostInternalIP, "If the underlying router implementation requires the use of a specific network interface to connect to the pod network, this is the IP address of that internal interface.")
cmd.Flags().StringVar(&cfg.ExternalHostVxLANGateway, "external-host-vxlan-gw", cfg.ExternalHostVxLANGateway, "If the underlying router implementation requires VxLAN access to the pod network, this is the gateway address that should be used in cidr format.")
cmd.Flags().BoolVar(&cfg.ExternalHostInsecure, "external-host-insecure", cfg.ExternalHostInsecure, "If the underlying router implementation connects with an external host over a secure connection, this causes the router to skip strict certificate verification with the external host.")
cmd.Flags().StringVar(&cfg.ExternalHostPartitionPath, "external-host-partition-path", cfg.ExternalHostPartitionPath, "If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.")
cmd.MarkFlagFilename("credentials", "kubeconfig")
cmd.Flags().MarkDeprecated("credentials", "use --service-account to specify the service account the router will use to make API calls")
// Deprecate credentials
cmd.Flags().MarkDeprecated("credentials", "use --service-account to specify the service account the router will use to make API calls")
cfg.Action.BindForOutput(cmd.Flags())
cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
return cmd
}