From 3b0a731550bc817037ba1ebb3b1ed876690b884c Mon Sep 17 00:00:00 2001
From: Aylei
Date: Wed, 30 Oct 2019 21:14:47 +0800
Subject: [PATCH] Install tidb-apiserver in tidb-operator chart
Signed-off-by: Aylei
---
Makefile | 5 +-
.../templates/apiserver-deployment.yaml | 62 +++++++++++++++++
.../templates/apiserver-rbac.yaml | 68 +++++++++++++++++++
.../templates/apiserver-registration.yaml | 15 ++++
.../templates/apiserver-secret.yaml | 15 ++++
.../templates/apiserver-service.yaml | 21 ++++++
charts/tidb-operator/values.yaml | 37 +++++++++-
cmd/apiserver/main.go | 11 ++-
hack/aa-codegen.sh | 0
images/tidb-operator/Dockerfile | 1 +
10 files changed, 230 insertions(+), 5 deletions(-)
create mode 100644 charts/tidb-operator/templates/apiserver-deployment.yaml
create mode 100644 charts/tidb-operator/templates/apiserver-rbac.yaml
create mode 100644 charts/tidb-operator/templates/apiserver-registration.yaml
create mode 100644 charts/tidb-operator/templates/apiserver-secret.yaml
create mode 100644 charts/tidb-operator/templates/apiserver-service.yaml
mode change 100644 => 100755 hack/aa-codegen.sh
diff --git a/Makefile b/Makefile
index 995f6845c7..10313efe4c 100644
--- a/Makefile
+++ b/Makefile
@@ -34,7 +34,7 @@ docker-push: docker backup-docker
 docker: build
 docker build --tag "${DOCKER_REGISTRY}/pingcap/tidb-operator:latest" images/tidb-operator
-build: controller-manager scheduler discovery admission-controller
+build: controller-manager scheduler discovery admission-controller apiserver
 controller-manager:
 $(GO) -ldflags '$(LDFLAGS)' -o images/tidb-operator/bin/tidb-controller-manager cmd/controller-manager/main.go
@@ -48,6 +48,9 @@ discovery:
 admission-controller:
 $(GO) -ldflags '$(LDFLAGS)' -o images/tidb-operator/bin/tidb-admission-controller cmd/admission-controller/main.go
+apiserver:
+ $(GO) -ldflags '$(LDFLAGS)' -o images/tidb-operator/bin/tidb-apiserver cmd/apiserver/main.go
+
 backup-manager:
 $(GO) -ldflags '$(LDFLAGS)' -o images/backup-manager/bin/tidb-backup-manager cmd/backup-manager/main.go
diff --git a/charts/tidb-operator/templates/apiserver-deployment.yaml b/charts/tidb-operator/templates/apiserver-deployment.yaml
new file mode 100644
index 0000000000..7ff3a749ca
--- /dev/null
+++ b/charts/tidb-operator/templates/apiserver-deployment.yaml
@@ -0,0 +1,62 @@
+{{- if .Values.apiserver.create }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tidb-apiserver
+ labels:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+spec:
+ replicas: {{ .Values.apiserver.replicas }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+ spec:
+ {{- if .Values.apiserver.serviceAccount }}
+ serviceAccountName: {{ .Values.apiserver.serviceAccount }}
+ {{- end }}
+ containers:
+ - name: tidb-operator
+ image: {{ .Values.operatorImage }}
+ imagePullPolicy: {{ .Values.imagePullPolicy | default "IfNotPresent" }}
+ resources:
+{{ toYaml .Values.apiserver.resources | indent 12 }}
+ command:
+ - /usr/local/bin/tidb-apiserver
+ - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
+ - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
+ env:
+ - name: TZ
+ value: {{ .Values.timezone | default "UTC" }}
+ volumeMounts:
+ - mountPath: /apiserver.local.config/certificates
+ name: certs
+ readOnly: true
+ volumes:
+ - name: certs
+ secret:
+ secretName: tidb-apiserver-certs
+ {{- with .Values.apiserver.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.apiserver.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.apiserver.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+{{- end }}
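Review bot: The apiserver container carries no readinessProbe, so the `tidb-apiserver` Service (and the APIService that routes through it) will send the aggregator to this pod as soon as the container starts, not once it is actually answering TLS; a probe such as `readinessProbe: {httpGet: {path: /healthz, port: 443, scheme: HTTPS}}` would gate the endpoint on the server being up, though the exact path and port the binary serves should be confirmed since the hunk only passes `--tls-cert-file`/`--tls-private-key-file`. The container is named `tidb-operator` although it runs `/usr/local/bin/tidb-apiserver`; `- name: tidb-apiserver` would keep `kubectl logs`/`exec` output unambiguous. A pod-level `securityContext` with `runAsNonRoot: true` is also worth adding, since the process only needs read access to the mounted certificate files — if the server binds 443 that would need a higher port (the standard `--secure-port` flag, if this server exposes it) or `CAP_NET_BIND_SERVICE`.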
diff --git a/charts/tidb-operator/templates/apiserver-rbac.yaml b/charts/tidb-operator/templates/apiserver-rbac.yaml
new file mode 100644
index 0000000000..d6c1502b57
--- /dev/null
+++ b/charts/tidb-operator/templates/apiserver-rbac.yaml
@@ -0,0 +1,68 @@
+{{- if .Values.apiserver.create }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: {{ .Values.apiserver.serviceAccount }}
+ labels:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: {{ .Release.Name }}:tidb-apiserver-reader
+ labels:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+rules:
+- apiGroups: [""]
+ resources: ["namespace", "configmaps"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["*"]
+ verbs: ["list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: {{ .Release.Name }}:tidb-apiserver-reader
+ labels:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.apiserver.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Name }}:tidb-apiserver-reader
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: {{ .Release.Name }}:tidb-apiserver-auth-delegator
+ labels:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.apiserver.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: system:auth-delegator
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/tidb-operator/templates/apiserver-registration.yaml b/charts/tidb-operator/templates/apiserver-registration.yaml
new file mode 100644
index 0000000000..81bd6a3c05
--- /dev/null
+++ b/charts/tidb-operator/templates/apiserver-registration.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.apiserver.create }}
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+ name: v1alpha1.tidb.pingcap.com
+spec:
+ group: tidb.pingcap.com
+ version: v1alpha1
+ groupPriorityMinimum: 2000
+ versionPriority: 200
+ service:
+ namespace: {{ .Release.Namespace }}
+ name: tidb-apiserver
+ caBundle: {{ .Values.apiserver.caBundle | b64enc }}
+{{- end }}
diff --git a/charts/tidb-operator/templates/apiserver-secret.yaml b/charts/tidb-operator/templates/apiserver-secret.yaml
new file mode 100644
index 0000000000..db3bfa3e75
--- /dev/null
+++ b/charts/tidb-operator/templates/apiserver-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.apiserver.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tidb-apiserver-certs
+ labels:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+data:
+ tls.crt: {{ .Values.apiserver.certificate | b64enc }}
+ tls.key: {{ .Values.apiserver.key | b64enc }}
+{{- end }}
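Review bot: In the ClusterRole rule `resources: ["namespace", "configmaps"]`, `namespace` matches nothing — RBAC rules are written against the plural resource name — so the apiserver's namespace list/get/watch will be denied at runtime; it should read `resources: ["namespaces", "configmaps"]`. The cluster-wide read on `configmaps` is wider than an aggregated apiserver normally needs, which is the `extension-apiserver-authentication` configmap in kube-system; a Role/RoleBinding scoped to kube-system, or a `resourceNames` restriction, would keep this at least privilege unless the server reads other configmaps (worth confirming against the apiserver code, which is not in this diff). `rbac.authorization.k8s.io/v1beta1` is used while the registration template already targets `apiregistration.k8s.io/v1`, so the chart could use `rbac.authorization.k8s.io/v1` here as well. The ServiceAccount `name:` is rendered unconditionally from `.Values.apiserver.serviceAccount` whereas the deployment guards on it being set; an empty value renders an invalid object, so either make it `required` here or drop the guard in the deployment so the two agree.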
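Review bot: `caBundle: {{ .Values.apiserver.caBundle | b64enc }}` renders an empty caBundle when the value is left at its default (`""`), so enabling `apiserver.create` without the certificate values produces an APIService whose serving certificate the kube-apiserver aggregator cannot verify and which never becomes Available; failing the render instead would surface this immediately: `caBundle: {{ required "apiserver.caBundle must be set when apiserver.create is true" .Values.apiserver.caBundle | b64enc }}`. The Secret hunk in this same file section has the identical gap for `certificate` and `key`. Since `key` is a TLS private key, an option to reference a pre-existing Secret by name instead of passing the key through Helm values would keep it out of the stored release values (`helm get values` returns them).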
diff --git a/charts/tidb-operator/templates/apiserver-service.yaml b/charts/tidb-operator/templates/apiserver-service.yaml
new file mode 100644
index 0000000000..4b52204a23
--- /dev/null
+++ b/charts/tidb-operator/templates/apiserver-service.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.apiserver.create }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: tidb-apiserver
+ labels:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+ helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+spec:
+ ports:
+ - protocol: TCP
+ port: 443
+ targetPort: 443
+ selector:
+ app.kubernetes.io/name: {{ template "chart.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: apiserver
+{{- end }}
diff --git a/charts/tidb-operator/values.yaml b/charts/tidb-operator/values.yaml
index 3845f440ca..96d92625a6 100644
--- a/charts/tidb-operator/values.yaml
+++ b/charts/tidb-operator/values.yaml
@@ -88,4 +88,39 @@ scheduler:
 # - key: node-role
 # operator: Equal
 # value: tidb-operator
- # effect: "NoSchedule"
\ No newline at end of file
+ # effect: "NoSchedule"
+
+apiserver:
+ # leave the creation of apiserver CA cert/key to user for now
+ # TODO: adopt advanced cert management strategy after #1040 (webhook) merged
+ certificate: ""
+ key: ""
+ caBundle: ""
+
+ create: false
+ replicas: 1
+ serviceAccount: tidb-apiserver
+ resources:
+ limits:
+ cpu: 500m
+ memory: 300Mi
+ requests:
+ cpu: 200m
+ memory: 50Mi
+ # This will default to matching your kubernetes version
+ # kubeSchedulerImageTag:
+ ## affinity defines pod scheduling rules,affinity default settings is empty.
+ ## please read the affinity document before set your scheduling rule:
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ affinity: {}
+ ## nodeSelector ensure pods only assigning to nodes which have each of the indicated key-value pairs as labels
+ ## ref:https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ nodeSelector: {}
+ ## Tolerations are applied to pods, and allow pods to schedule onto nodes with matching taints.
+ ## refer to https://kubernetes.io/docs/concepts/configuration/taint-and-toleration
+ tolerations: []
+ # - key: node-role
+ # operator: Equal
+ # value: tidb-operator
+ # effect: "NoSchedule"
+
diff --git a/cmd/apiserver/main.go b/cmd/apiserver/main.go
index 35cf95c784..173c609edd 100644
--- a/cmd/apiserver/main.go
+++ b/cmd/apiserver/main.go
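Review bot: The comment pair `# This will default to matching your kubernetes version` / `# kubeSchedulerImageTag:` under `apiserver.resources` is carried over from the scheduler section and does not apply here — the apiserver deployment runs from `operatorImage` — so those two lines should be dropped. The `certificate`/`key`/`caBundle` keys need a comment stating that all three must be set when `create: true`, that `certificate`/`key` are the PEM serving cert and private key mounted into the pod, and that `caBundle` must be the CA that signed `certificate` because the kube-apiserver aggregator verifies the serving cert against it; with the empty defaults the templates render an unusable Secret and APIService without any error. A note that `key` is a private key, so a values file containing it must be stored and shared accordingly, belongs there too.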
@@ -18,13 +18,18 @@ package main
 import (
 _ "github.com/go-openapi/loads"
- _ "github.com/ugorji/go/codec"
-
 "github.com/pingcap/tidb-operator/pkg/apiserver/cmd"
 "github.com/pingcap/tidb-operator/pkg/version"
+ _ "github.com/ugorji/go/codec"
 _ "k8s.io/client-go/plugin/pkg/client/auth" // Enable cloud provider auth
+ "k8s.io/kube-openapi/pkg/common"
 )
+var emptyOpenAPIDefinitions = func(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
+ return map[string]common.OpenAPIDefinition{}
+}
+
 func main() {
- cmd.StartApiServer(nil, nil, "Api", version.Get().GitVersion)
+
+ cmd.StartApiServer(nil, emptyOpenAPIDefinitions, "TiDB ApiServer API", version.Get().GitVersion)
 }
diff --git a/hack/aa-codegen.sh b/hack/aa-codegen.sh
old mode 100644
new mode 100755
diff --git a/images/tidb-operator/Dockerfile b/images/tidb-operator/Dockerfile
index 50e575f1db..4cf7cfdc45 100644
--- a/images/tidb-operator/Dockerfile
+++ b/images/tidb-operator/Dockerfile
@@ -5,3 +5,4 @@ ADD bin/tidb-scheduler /usr/local/bin/tidb-scheduler
 ADD bin/tidb-discovery /usr/local/bin/tidb-discovery
 ADD bin/tidb-admission-controller /usr/local/bin/tidb-admission-controller
 ADD bin/tidb-controller-manager /usr/local/bin/tidb-controller-manager
+ADD bin/tidb-apiserver /usr/local/bin/tidb-apiserver
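Review bot: `emptyOpenAPIDefinitions` is a package-level `var` holding a closure, which makes it reassignable at runtime and leaves the `ref` parameter named but unused; a plain function with a doc comment is the idiomatic form: `// emptyOpenAPIDefinitions is passed to StartApiServer in place of generated OpenAPI definitions and registers none.` / `func emptyOpenAPIDefinitions(_ common.ReferenceCallback) map[string]common.OpenAPIDefinition {` (StartApiServer's parameter type is not visible in this diff, so confirm the callback signature matches). The blank line added at the top of `main()` is stray and gofmt will preserve it; drop it. The relocated `_ "github.com/ugorji/go/codec"` side-effect import would benefit from a trailing comment saying what it registers, as the client auth import already has.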