JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #37218 from cstrahan/kube-test-fix

Browse Source 
nixos: kubernetes fixes
This commit is contained in:
Charles Strahan 2018-04-04 19:14:48 -04:00 committed by GitHub
commit 5c066e2bba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 95 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/services/cluster/kubernetes/default.nix
View File

@ -766,7 +766,7 @@ in {
rm /opt/cni/bin/* || true rm /opt/cni/bin/* || true
${concatMapStrings (package: '' ${concatMapStrings (package: ''
echo "Linking cni package: ${package}" echo "Linking cni package: ${package}"
ln -fs ${package.plugins}/* /opt/cni/bin ln -fs ${package}/bin/* /opt/cni/bin
'') cfg.kubelet.cni.packages} '') cfg.kubelet.cni.packages}
''; '';
serviceConfig = { serviceConfig = {
@ -828,7 +828,7 @@ in {
}; };
# Allways include cni plugins # Allways include cni plugins
services.kubernetes.kubelet.cni.packages = [pkgs.cni]; services.kubernetes.kubelet.cni.packages = [pkgs.cni-plugins];
boot.kernelModules = ["br_netfilter"]; boot.kernelModules = ["br_netfilter"];

5
nixos/release.nix
View File

@ -311,7 +311,10 @@ in rec {
tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {}; tests.kernel-copperhead = callTest tests/kernel-copperhead.nix {};
tests.kernel-latest = callTest tests/kernel-latest.nix {}; tests.kernel-latest = callTest tests/kernel-latest.nix {};
tests.kernel-lts = callTest tests/kernel-lts.nix {}; tests.kernel-lts = callTest tests/kernel-lts.nix {};
tests.kubernetes = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/kubernetes/default.nix {}; tests.kubernetes.dns = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/kubernetes/dns.nix {};
## kubernetes.e2e should eventually replace kubernetes.rbac when it works
#tests.kubernetes.e2e = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/kubernetes/e2e.nix {};
tests.kubernetes.rbac = callSubTestsOnMatchingSystems ["x86_64-linux"] tests/kubernetes/rbac.nix {};
tests.latestKernel.login = callTest tests/login.nix { latestKernel = true; }; tests.latestKernel.login = callTest tests/login.nix { latestKernel = true; };
tests.ldap = callTest tests/ldap.nix {}; tests.ldap = callTest tests/ldap.nix {};
#tests.lightdm = callTest tests/lightdm.nix {}; #tests.lightdm = callTest tests/lightdm.nix {};

69
nixos/tests/kubernetes/certs.nix
View File

@ -6,29 +6,62 @@
kubelets kubelets
}: }:
let let
runWithCFSSL = name: cmd: runWithCFSSL = name: cmd:
builtins.fromJSON (builtins.readFile ( let secrets = pkgs.runCommand "${name}-cfss.json" {
pkgs.runCommand "${name}-cfss.json" { buildInputs = [ pkgs.cfssl pkgs.jq ];
buildInputs = [ pkgs.cfssl ]; outputs = [ "out" "cert" "key" "csr" ];
} "cfssl ${cmd} > $out" }
)); ''
(
echo "${cmd}"
cfssl ${cmd} > tmp
cat tmp | jq -r .key > $key
cat tmp | jq -r .cert > $cert
cat tmp | jq -r .csr > $csr
writeCFSSL = content: touch $out
pkgs.runCommand content.name { ) 2>&1 | fold -w 80 -s
buildInputs = [ pkgs.cfssl ]; '';
} '' in {
mkdir -p $out key = secrets.key;
cd $out cert = secrets.cert;
cat ${writeFile content} | cfssljson -bare ${content.name} csr = secrets.csr;
''; };
writeCFSSL = content:
pkgs.runCommand content.name {
buildInputs = [ pkgs.cfssl pkgs.jq ];
} ''
mkdir -p $out
cd $out
json=${pkgs.lib.escapeShellArg (builtins.toJSON content)}
# for a given $field in the $json, treat the associated value as a
# file path and substitute the contents thereof into the $json
# object.
expandFileField() {
local field=$1
if jq -e --arg field "$field" 'has($field)'; then
local path="$(echo "$json" | jq -r ".$field")"
json="$(echo "$json" | jq --arg val "$(cat "$path")" ".$field = \$val")"
fi
}
expandFileField key
expandFileField ca
expandFileField cert
echo "$json" | cfssljson -bare ${content.name}
'';
noCSR = content: pkgs.lib.filterAttrs (n: v: n != "csr") content; noCSR = content: pkgs.lib.filterAttrs (n: v: n != "csr") content;
noKey = content: pkgs.lib.filterAttrs (n: v: n != "key") content; noKey = content: pkgs.lib.filterAttrs (n: v: n != "key") content;
writeFile = content: pkgs.writeText "content" ( writeFile = content:
if pkgs.lib.isAttrs content then builtins.toJSON content if pkgs.lib.isDerivation content
else toString content then content
); else pkgs.writeText "content" (builtins.toJSON content);
createServingCertKey = { ca, cn, hosts? [], size ? 2048, name ? cn }: createServingCertKey = { ca, cn, hosts? [], size ? 2048, name ? cn }:
noCSR ( noCSR (

2
nixos/tests/kubernetes/e2e.nix
View File

@ -2,7 +2,7 @@
with import ./base.nix { inherit system; }; with import ./base.nix { inherit system; };
let let
domain = "my.zyx"; domain = "my.zyx";
certs = import ./certs.nix { externalDomain = domain; }; certs = import ./certs.nix { externalDomain = domain; kubelets = ["machine1" "machine2"]; };
kubeconfig = pkgs.writeText "kubeconfig.json" (builtins.toJSON { kubeconfig = pkgs.writeText "kubeconfig.json" (builtins.toJSON {
apiVersion = "v1"; apiVersion = "v1";
kind = "Config"; kind = "Config";

4
nixos/tests/kubernetes/rbac.nix
View File

@ -12,7 +12,7 @@ let
}); });
roRoleBinding = pkgs.writeText "ro-role-binding.json" (builtins.toJSON { roRoleBinding = pkgs.writeText "ro-role-binding.json" (builtins.toJSON {
apiVersion = "rbac.authorization.k8s.io/v1beta1"; apiVersion = "rbac.authorization.k8s.io/v1";
kind = "RoleBinding"; kind = "RoleBinding";
metadata = { metadata = {
name = "read-pods"; name = "read-pods";
@ -31,7 +31,7 @@ let
}); });
roRole = pkgs.writeText "ro-role.json" (builtins.toJSON { roRole = pkgs.writeText "ro-role.json" (builtins.toJSON {
apiVersion = "rbac.authorization.k8s.io/v1beta1"; apiVersion = "rbac.authorization.k8s.io/v1";
kind = "Role"; kind = "Role";
metadata = { metadata = {
name = "pod-reader"; name = "pod-reader";

5
pkgs/applications/networking/cluster/cni/default.nix
View File

@ -13,17 +13,14 @@ stdenv.mkDerivation rec {
buildInputs = [ go ]; buildInputs = [ go ];
outputs = ["out" "plugins"];
buildPhase = '' buildPhase = ''
patchShebangs build.sh patchShebangs build.sh
./build.sh ./build.sh
''; '';
installPhase = '' installPhase = ''
mkdir -p $out/bin $plugins mkdir -p $out/bin
mv bin/cnitool $out/bin mv bin/cnitool $out/bin
mv bin/* $plugins/
''; '';
meta = with stdenv.lib; { meta = with stdenv.lib; {

33
pkgs/applications/networking/cluster/cni/plugins.nix Normal file
View File

@ -0,0 +1,33 @@
{ stdenv, lib, fetchFromGitHub, go }:
stdenv.mkDerivation rec {
name = "cni-plugins-${version}";
version = "0.7.0";
src = fetchFromGitHub {
owner = "containernetworking";
repo = "plugins";
rev = "v${version}";
sha256 = "0m885v76azs7lrk6m6n53rwh0xadwvdcr90h0l3bxpdv87sj2mnf";
};
buildInputs = [ go ];
buildPhase = ''
patchShebangs build.sh
./build.sh
'';
installPhase = ''
mkdir -p $out/bin
mv bin/* $out/bin
'';
meta = with lib; {
description = "Some standard networking plugins, maintained by the CNI team";
homepage = https://github.com/containernetworking/plugins;
license = licenses.asl20;
platforms = [ "x86_64-linux" ];
maintainers = with maintainers; [ cstrahan ];
};
}

1
pkgs/top-level/all-packages.nix
View File

@ -15041,6 +15041,7 @@ with pkgs;
}; };
cni = callPackage ../applications/networking/cluster/cni {}; cni = callPackage ../applications/networking/cluster/cni {};
cni-plugins = callPackage ../applications/networking/cluster/cni/plugins.nix {};
communi = libsForQt5.callPackage ../applications/networking/irc/communi { }; communi = libsForQt5.callPackage ../applications/networking/irc/communi { };