
avoid the virtual cluster apiserver restart when we deploy anp
Signed-off-by: luoyuanze <[email protected]>
lyzuiui committed Sep 14, 2024
1 parent 61b9ea3 commit f7c8df3
Showing 3 changed files with 14 additions and 105 deletions.
113 changes: 9 additions & 104 deletions pkg/kubenest/manifest/controlplane/apiserver/mainfests_deployment.go
Expand Up @@ -36,6 +36,10 @@ spec:
- matchExpressions:
- key: {{ .VirtualControllerLabel }}
operator: Exists
- key: kubernetes.io/hostname
operator: In
values:
- kubenest-control-plane
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
Expand Down Expand Up @@ -156,7 +160,6 @@ apiVersion: apps/v1
kind: Deployment
metadata:
labels:
virtualCluster-app: apiserver
virtualCluster-anp: apiserver-anp
app.kubernetes.io/managed-by: virtual-cluster-controller
name: {{ .DeploymentName }}
Expand All @@ -167,11 +170,10 @@ spec:
type: Recreate
selector:
matchLabels:
virtualCluster-app: apiserver
virtualCluster-anp: apiserver-anp
template:
metadata:
labels:
virtualCluster-app: apiserver
virtualCluster-anp: apiserver-anp
spec:
automountServiceAccountToken: false
Expand All @@ -190,6 +192,10 @@ spec:
- matchExpressions:
- key: {{ .VirtualControllerLabel }}
operator: Exists
- key: kubernetes.io/hostname
operator: In
values:
- kubenest-control-plane
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
Expand All @@ -202,107 +208,6 @@ spec:
- apiserver
topologyKey: kubernetes.io/hostname
containers:
- name: kube-apiserver
image: {{ .ImageRepository }}/kube-apiserver:{{ .Version }}
imagePullPolicy: IfNotPresent
env:
{{ if .UseApiServerNodePort }}
- name: HOSTIP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.hostIP
{{ else}}
- name: PODIP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
{{ end }}
command:
- kube-apiserver
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --client-ca-file=/etc/virtualcluster/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/etcd/pki/etcd-ca.crt
- --etcd-certfile=/etc/etcd/pki/etcd-client.crt
- --etcd-keyfile=/etc/etcd/pki/etcd-client.key
#- --etcd-servers=https://{{ .EtcdClientService }}.{{ .Namespace }}.svc.cluster.local:{{ .EtcdListenClientPort }}
{{ if .IPV6First }}
- --etcd-servers=https://[{{ .EtcdClientService }}]:{{ .EtcdListenClientPort }}
{{ else }}
- --etcd-servers=https://{{ .EtcdClientService }}:{{ .EtcdListenClientPort }}
{{ end }}
- '--bind-address=::'
- --kubelet-client-certificate=/etc/virtualcluster/pki/virtualCluster.crt
- --kubelet-client-key=/etc/virtualcluster/pki/virtualCluster.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --secure-port={{ .ClusterPort }}
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
- --service-account-key-file=/etc/virtualcluster/pki/virtualCluster.key
- --service-account-signing-key-file=/etc/virtualcluster/pki/virtualCluster.key
- --service-cluster-ip-range={{ .ServiceSubnet }}
- --proxy-client-cert-file=/etc/virtualcluster/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/virtualcluster/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/virtualcluster/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --tls-cert-file=/etc/virtualcluster/pki/apiserver.crt
- --tls-private-key-file=/etc/virtualcluster/pki/apiserver.key
- --tls-min-version=VersionTLS13
- --max-requests-inflight=1500
- --max-mutating-requests-inflight=500
- --v=4
{{ if .UseApiServerNodePort }}
- --advertise-address=$(HOSTIP)
{{ else }}
- --advertise-address=$(PODIP)
{{ end }}
- --egress-selector-config-file=/etc/kubernetes/konnectivity-server-config/{{ .Namespace }}/{{ .Name }}/egress_selector_configuration.yaml
{{ if not .AdmissionPlugins }}
- --disable-admission-plugins=License
{{ end }}
livenessProbe:
failureThreshold: 8
httpGet:
path: /livez
port: {{ .ClusterPort }}
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 15
readinessProbe:
failureThreshold: 3
httpGet:
path: /readyz
port: {{ .ClusterPort }}
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 15
ports:
- containerPort: {{ .ClusterPort }}
name: http
protocol: TCP
volumeMounts:
- mountPath: /etc/virtualcluster/pki
name: apiserver-cert
readOnly: true
- mountPath: /etc/etcd/pki
name: etcd-cert
readOnly: true
- mountPath: /etc/kubernetes/konnectivity-server/{{ .Namespace }}/{{ .Name }}
readOnly: false
name: konnectivity-uds
- name: kas-proxy
mountPath: /etc/kubernetes/konnectivity-server-config/{{ .Namespace }}/{{ .Name }}/egress_selector_configuration.yaml
subPath: egress_selector_configuration.yaml
- name: konnectivity-server-container
image: {{ .ImageRepository }}/kas-network-proxy-server:{{ .Version }}
resources:
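Review bot: The node affinity added at -36 and -190 hard-codes a literal node name, `- kubenest-control-plane`, in a template that parameterises everything else (`{{ .VirtualControllerLabel }}`, `{{ .Namespace }}`, `{{ .ClusterPort }}`); on any host cluster whose control-plane node is named differently both Deployments never schedule, and the failure only surfaces as Pending pods. The new term sits in the same `matchExpressions` list as the `Exists` check, so it is ANDed with it; whether that list belongs to a required or a preferred rule is not visible in the hunk. I would source the value from the template data instead, `- {{ .<control-plane-node-name field> }}` (placeholder for a field to add next to `VirtualControllerLabel`), or drop it if the controller label already identifies the intended node. Once every replica is pinned to one hostname, the preferred podAntiAffinity against `apiserver` pods with `topologyKey: kubernetes.io/hostname` at -202 can no longer spread anything, so it deserves a comment or removal. Separately, `spec.selector.matchLabels` is immutable on an apps/v1 Deployment, so the change at -167 only applies cleanly because anp.go now renders this manifest under a new Deployment name.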
2 changes: 1 addition & 1 deletion pkg/kubenest/tasks/anp.go
Expand Up @@ -174,7 +174,7 @@ func installAnpServer(client clientset.Interface, name, namespace string, portMa
IPV6First bool
UseApiServerNodePort bool
}{
DeploymentName: util.GetApiServerName(name),
DeploymentName: util.GetApiServerAnpName(name),
Namespace: namespace,
ImageRepository: imageRepository,
Version: imageVersion,
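Review bot: Switching `DeploymentName` to `util.GetApiServerAnpName(name)` means this manifest is now applied under `<name>-apiserver-anp` rather than the name the replaced line took from `util.GetApiServerName(name)`; nothing in this commit deletes or reconciles a Deployment that earlier versions created under that older name, so on an already-installed virtual cluster the old object presumably keeps whatever spec it was last given until the apiserver task reapplies it. Worth confirming, and if so a short comment here on the upgrade path, e.g. `// Deployment is named independently of the apiserver so applying it no longer rolls the apiserver.` The enclosing `installAnpServer` starts and ends outside the hunk.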
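--- a/pkg/kubenest/util/name.go
+++ b/pkg/kubenest/util/name.go
@@ -41,3 +41,7 @@ func GetAdminConfigSecretName(name string) string {
 func GetAdminConfigClusterIPSecretName(name string) string {
 	return fmt.Sprintf("%s-%s", name, "admin-config-clusterip")
 }
+
+func GetApiServerAnpName(name string) string {
+	return fmt.Sprintf("%s-%s", name, "apiserver-anp")
+}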
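Review bot: `GetApiServerAnpName` is exported but carries no doc comment, which `go vet`-adjacent linters (revive, golint) flag; add one starting with the name, e.g. `// GetApiServerAnpName returns the Deployment name of the virtual cluster's apiserver network proxy (ANP), "<name>-apiserver-anp".` The `Api` spelling departs from Go's `API` initialism convention, but it matches the existing `util.GetApiServerName` used by anp.go, so keeping the pair consistent is the right call here.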
