From 45dbb95515563a067ca1bfa3f7474e6503e5f705 Mon Sep 17 00:00:00 2001 From: zowoq <59103226+zowoq@users.noreply.github.com> Date: Tue, 14 Dec 2021 11:03:48 +1000 Subject: [PATCH] nixos/kubernetes: remove dashboard --- .../from_md/release-notes/rl-2205.section.xml | 6 + .../manual/release-notes/rl-2205.section.md | 2 + nixos/modules/module-list.nix | 1 - .../cluster/kubernetes/addon-manager.nix | 2 +- .../cluster/kubernetes/addons/dashboard.nix | 344 ------------------ .../services/cluster/kubernetes/default.nix | 1 + nixos/tests/kubernetes/base.nix | 1 - 7 files changed, 10 insertions(+), 347 deletions(-) delete mode 100644 nixos/modules/services/cluster/kubernetes/addons/dashboard.nix diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 4a68bc941860..517a2e458aae 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -103,6 +103,12 @@ new versions will release. + + + services.kubernetes.addons.dashboard was + removed due to it being an outdated version. + + The wafHook hook now honors diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 556552723100..cfe1130068c7 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -41,6 +41,8 @@ In addition to numerous new and upgraded packages, this release has the followin org-contrib, refer to the ones in `pkgs.emacsPackages.elpaPackages` and `pkgs.emacsPackages.nongnuPackages` where the new versions will release. +- `services.kubernetes.addons.dashboard` was removed due to it being an outdated version. + - The `wafHook` hook now honors `NIX_BUILD_CORES` when `enableParallelBuilding` is not set explicitly. Packages can restore the old behaviour by setting `enableParallelBuilding=false`. - `pkgs.claws-mail-gtk2`, representing Claws Mail's older release version three, was removed in order to get rid of Python 2. diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 55de01735024..dd6a74df30cb 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -296,7 +296,6 @@ ./services/cluster/hadoop/default.nix ./services/cluster/k3s/default.nix ./services/cluster/kubernetes/addons/dns.nix - ./services/cluster/kubernetes/addons/dashboard.nix ./services/cluster/kubernetes/addon-manager.nix ./services/cluster/kubernetes/apiserver.nix ./services/cluster/kubernetes/controller-manager.nix diff --git a/nixos/modules/services/cluster/kubernetes/addon-manager.nix b/nixos/modules/services/cluster/kubernetes/addon-manager.nix index 3d988dc2479a..9159d5915eb7 100644 --- a/nixos/modules/services/cluster/kubernetes/addon-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/addon-manager.nix @@ -58,7 +58,7 @@ in "spec" = { ... }; }; } - // import { cfg = config.services.kubernetes; }; + // import { cfg = config.services.kubernetes; }; ''; }; diff --git a/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix b/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix deleted file mode 100644 index 54b1f3859fcb..000000000000 --- a/nixos/modules/services/cluster/kubernetes/addons/dashboard.nix +++ /dev/null 
@@ -1,344 +0,0 @@ -{ config, options, pkgs, lib, ... }: - -with lib; - -let - cfg = config.services.kubernetes.addons.dashboard; - opt = options.services.kubernetes.addons.dashboard; -in { - imports = [ - (mkRenamedOptionModule [ "services" "kubernetes" "addons" "dashboard" "enableRBAC" ] [ "services" "kubernetes" "addons" "dashboard" "rbac" "enable" ]) - ]; - - options.services.kubernetes.addons.dashboard = { - enable = mkEnableOption "kubernetes dashboard addon"; - - extraArgs = mkOption { - description = "Extra arguments to append to the dashboard cmdline"; - type = types.listOf types.str; - default = []; - example = ["--enable-skip-login"]; - }; - - rbac = mkOption { - description = "Role-based access control (RBAC) options"; - default = {}; - type = types.submodule { - options = { - enable = mkOption { - description = "Whether to enable role based access control is enabled for kubernetes dashboard"; - type = types.bool; - default = elem "RBAC" config.services.kubernetes.apiserver.authorizationMode; - defaultText = literalExpression '' - elem "RBAC" config.${options.services.kubernetes.apiserver.authorizationMode} - ''; - }; - - clusterAdmin = mkOption { - description = "Whether to assign cluster admin rights to the kubernetes dashboard"; - type = types.bool; - default = false; - }; - }; - }; - }; - - version = mkOption { - description = "Which version of the kubernetes dashboard to deploy"; - type = types.str; - default = "v1.10.1"; - }; - - image = mkOption { - description = "Docker image to seed for the kubernetes dashboard container."; - type = types.attrs; - default = { - imageName = "k8s.gcr.io/kubernetes-dashboard-amd64"; - imageDigest = "sha256:0ae6b69432e78069c5ce2bcde0fe409c5c4d6f0f4d9cd50a17974fea38898747"; - finalImageTag = cfg.version; - sha256 = "01xrr4pwgr2hcjrjsi3d14ifpzdfbxzqpzxbk2fkbjb9zkv38zxy"; - }; - defaultText = literalExpression '' - { - imageName = "k8s.gcr.io/kubernetes-dashboard-amd64"; - imageDigest = 
"sha256:0ae6b69432e78069c5ce2bcde0fe409c5c4d6f0f4d9cd50a17974fea38898747"; - finalImageTag = config.${opt.version}; - sha256 = "01xrr4pwgr2hcjrjsi3d14ifpzdfbxzqpzxbk2fkbjb9zkv38zxy"; - }; - ''; - }; - }; - - config = mkIf cfg.enable { - services.kubernetes.kubelet.seedDockerImages = [(pkgs.dockerTools.pullImage cfg.image)]; - - services.kubernetes.addonManager.addons = { - kubernetes-dashboard-deployment = { - kind = "Deployment"; - apiVersion = "apps/v1"; - metadata = { - labels = { - k8s-addon = "kubernetes-dashboard.addons.k8s.io"; - k8s-app = "kubernetes-dashboard"; - version = cfg.version; - "kubernetes.io/cluster-service" = "true"; - "addonmanager.kubernetes.io/mode" = "Reconcile"; - }; - name = "kubernetes-dashboard"; - namespace = "kube-system"; - }; - spec = { - replicas = 1; - revisionHistoryLimit = 10; - selector.matchLabels.k8s-app = "kubernetes-dashboard"; - template = { - metadata = { - labels = { - k8s-addon = "kubernetes-dashboard.addons.k8s.io"; - k8s-app = "kubernetes-dashboard"; - version = cfg.version; - "kubernetes.io/cluster-service" = "true"; - }; - annotations = { - "scheduler.alpha.kubernetes.io/critical-pod" = ""; - }; - }; - spec = { - priorityClassName = "system-cluster-critical"; - containers = [{ - name = "kubernetes-dashboard"; - image = with cfg.image; "${imageName}:${finalImageTag}"; - ports = [{ - containerPort = 8443; - protocol = "TCP"; - }]; - resources = { - limits = { - cpu = "100m"; - memory = "300Mi"; - }; - requests = { - cpu = "100m"; - memory = "100Mi"; - }; - }; - args = ["--auto-generate-certificates"] ++ cfg.extraArgs; - volumeMounts = [{ - name = "tmp-volume"; - mountPath = "/tmp"; - } { - name = "kubernetes-dashboard-certs"; - mountPath = "/certs"; - }]; - livenessProbe = { - httpGet = { - scheme = "HTTPS"; - path = "/"; - port = 8443; - }; - initialDelaySeconds = 30; - timeoutSeconds = 30; - }; - }]; - volumes = [{ - name = "kubernetes-dashboard-certs"; - secret = { - secretName = "kubernetes-dashboard-certs"; - }; 
- } { - name = "tmp-volume"; - emptyDir = {}; - }]; - serviceAccountName = "kubernetes-dashboard"; - tolerations = [{ - key = "node-role.kubernetes.io/master"; - effect = "NoSchedule"; - } { - key = "CriticalAddonsOnly"; - operator = "Exists"; - }]; - }; - }; - }; - }; - - kubernetes-dashboard-svc = { - apiVersion = "v1"; - kind = "Service"; - metadata = { - labels = { - k8s-addon = "kubernetes-dashboard.addons.k8s.io"; - k8s-app = "kubernetes-dashboard"; - "kubernetes.io/cluster-service" = "true"; - "kubernetes.io/name" = "KubeDashboard"; - "addonmanager.kubernetes.io/mode" = "Reconcile"; - }; - name = "kubernetes-dashboard"; - namespace = "kube-system"; - }; - spec = { - ports = [{ - port = 443; - targetPort = 8443; - }]; - selector.k8s-app = "kubernetes-dashboard"; - }; - }; - - kubernetes-dashboard-sa = { - apiVersion = "v1"; - kind = "ServiceAccount"; - metadata = { - labels = { - k8s-app = "kubernetes-dashboard"; - k8s-addon = "kubernetes-dashboard.addons.k8s.io"; - "addonmanager.kubernetes.io/mode" = "Reconcile"; - }; - name = "kubernetes-dashboard"; - namespace = "kube-system"; - }; - }; - kubernetes-dashboard-sec-certs = { - apiVersion = "v1"; - kind = "Secret"; - metadata = { - labels = { - k8s-app = "kubernetes-dashboard"; - # Allows editing resource and makes sure it is created first. - "addonmanager.kubernetes.io/mode" = "EnsureExists"; - }; - name = "kubernetes-dashboard-certs"; - namespace = "kube-system"; - }; - type = "Opaque"; - }; - kubernetes-dashboard-sec-kholder = { - apiVersion = "v1"; - kind = "Secret"; - metadata = { - labels = { - k8s-app = "kubernetes-dashboard"; - # Allows editing resource and makes sure it is created first. 
- "addonmanager.kubernetes.io/mode" = "EnsureExists"; - }; - name = "kubernetes-dashboard-key-holder"; - namespace = "kube-system"; - }; - type = "Opaque"; - }; - kubernetes-dashboard-cm = { - apiVersion = "v1"; - kind = "ConfigMap"; - metadata = { - labels = { - k8s-app = "kubernetes-dashboard"; - # Allows editing resource and makes sure it is created first. - "addonmanager.kubernetes.io/mode" = "EnsureExists"; - }; - name = "kubernetes-dashboard-settings"; - namespace = "kube-system"; - }; - }; - } // (optionalAttrs cfg.rbac.enable - (let - subjects = [{ - kind = "ServiceAccount"; - name = "kubernetes-dashboard"; - namespace = "kube-system"; - }]; - labels = { - k8s-app = "kubernetes-dashboard"; - k8s-addon = "kubernetes-dashboard.addons.k8s.io"; - "addonmanager.kubernetes.io/mode" = "Reconcile"; - }; - in - (if cfg.rbac.clusterAdmin then { - kubernetes-dashboard-crb = { - apiVersion = "rbac.authorization.k8s.io/v1"; - kind = "ClusterRoleBinding"; - metadata = { - name = "kubernetes-dashboard"; - inherit labels; - }; - roleRef = { - apiGroup = "rbac.authorization.k8s.io"; - kind = "ClusterRole"; - name = "cluster-admin"; - }; - inherit subjects; - }; - } - else - { - # Upstream role- and rolebinding as per: - # https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml - kubernetes-dashboard-role = { - apiVersion = "rbac.authorization.k8s.io/v1"; - kind = "Role"; - metadata = { - name = "kubernetes-dashboard-minimal"; - namespace = "kube-system"; - inherit labels; - }; - rules = [ - # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. - { - apiGroups = [""]; - resources = ["secrets"]; - verbs = ["create"]; - } - # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. - { - apiGroups = [""]; - resources = ["configmaps"]; - verbs = ["create"]; - } - # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 
- { - apiGroups = [""]; - resources = ["secrets"]; - resourceNames = ["kubernetes-dashboard-key-holder"]; - verbs = ["get" "update" "delete"]; - } - # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. - { - apiGroups = [""]; - resources = ["configmaps"]; - resourceNames = ["kubernetes-dashboard-settings"]; - verbs = ["get" "update"]; - } - # Allow Dashboard to get metrics from heapster. - { - apiGroups = [""]; - resources = ["services"]; - resourceNames = ["heapster"]; - verbs = ["proxy"]; - } - { - apiGroups = [""]; - resources = ["services/proxy"]; - resourceNames = ["heapster" "http:heapster:" "https:heapster:"]; - verbs = ["get"]; - } - ]; - }; - - kubernetes-dashboard-rb = { - apiVersion = "rbac.authorization.k8s.io/v1"; - kind = "RoleBinding"; - metadata = { - name = "kubernetes-dashboard-minimal"; - namespace = "kube-system"; - inherit labels; - }; - roleRef = { - apiGroup = "rbac.authorization.k8s.io"; - kind = "Role"; - name = "kubernetes-dashboard-minimal"; - }; - inherit subjects; - }; - }) - )); - }; -} diff --git a/nixos/modules/services/cluster/kubernetes/default.nix b/nixos/modules/services/cluster/kubernetes/default.nix index cf7fcb0a6d73..227c69fec36d 100644 --- a/nixos/modules/services/cluster/kubernetes/default.nix +++ b/nixos/modules/services/cluster/kubernetes/default.nix @@ -106,6 +106,7 @@ let in { imports = [ + (mkRemovedOptionModule [ "services" "kubernetes" "addons" "dashboard" ] "Removed due to it being an outdated version") (mkRemovedOptionModule [ "services" "kubernetes" "verbose" ] "") ]; diff --git a/nixos/tests/kubernetes/base.nix b/nixos/tests/kubernetes/base.nix index 1f23ca55fb23..e1736f6fe172 100644 --- a/nixos/tests/kubernetes/base.nix +++ b/nixos/tests/kubernetes/base.nix @@ -51,7 +51,6 @@ let environment.systemPackages = [ kubectl ]; services.flannel.iface = "eth1"; services.kubernetes = { - addons.dashboard.enable = true; proxy.hostname = "${masterName}.${domain}"; easyCerts = true;
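Review bot: The message on the added `mkRemovedOptionModule` line in default.nix gives no migration hint for clusters that already deployed the addon. The deleted dashboard.nix created the `kubernetes-dashboard-certs` and `kubernetes-dashboard-key-holder` Secrets and the `kubernetes-dashboard-settings` ConfigMap in `EnsureExists` mode, and with `rbac.clusterAdmin` set it bound the `kubernetes-dashboard` ServiceAccount to `cluster-admin`. Whether any of these, or the running v1.10.1 Deployment, are cleaned up on upgrade is not visible in this patch and should be confirmed. I would extend the message, e.g. `"Removed due to it being an outdated version; check kube-system for leftover kubernetes-dashboard objects (Deployment, Secrets, ClusterRoleBinding) and delete them"`, and mirror that sentence in the release note. The `imports` list continues outside the hunk.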