pingcap · aylei · Oct 31, 2019 · Oct 30, 2019 · Oct 30, 2019 · Oct 31, 2019
diff --git a/Makefile b/Makefile
@@ -34,7 +34,7 @@ docker-push: docker backup-docker
 docker: build
 	docker build --tag "${DOCKER_REGISTRY}/pingcap/tidb-operator:latest" images/tidb-operator
 
-build: controller-manager scheduler discovery admission-controller
+build: controller-manager scheduler discovery admission-controller apiserver
 
 controller-manager:
 	$(GO) -ldflags '$(LDFLAGS)' -o images/tidb-operator/bin/tidb-controller-manager cmd/controller-manager/main.go
@@ -48,6 +48,9 @@ discovery:
 admission-controller:
 	$(GO) -ldflags '$(LDFLAGS)' -o images/tidb-operator/bin/tidb-admission-controller cmd/admission-controller/main.go
 
+apiserver:
+	$(GO) -ldflags '$(LDFLAGS)' -o images/tidb-operator/bin/tidb-apiserver cmd/apiserver/main.go
+
 backup-manager:
 	$(GO) -ldflags '$(LDFLAGS)' -o images/backup-manager/bin/tidb-backup-manager cmd/backup-manager/main.go
 

diff --git a/charts/tidb-operator/templates/apiserver-deployment.yaml b/charts/tidb-operator/templates/apiserver-deployment.yaml
@@ -0,0 +1,62 @@
+{{- if .Values.apiserver.create }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tidb-apiserver
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component:  apiserver
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+spec:
+  replicas: {{ .Values.apiserver.replicas }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ template "chart.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      app.kubernetes.io/component: apiserver
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ template "chart.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        app.kubernetes.io/component: apiserver
+    spec:
+    {{- if .Values.apiserver.serviceAccount }}
+      serviceAccountName: {{ .Values.apiserver.serviceAccount }}
+    {{- end }}
+      containers:
+      - name: tidb-operator
+        image: {{ .Values.operatorImage }}
+        imagePullPolicy: {{ .Values.imagePullPolicy | default "IfNotPresent" }}
+        resources:
+{{ toYaml .Values.apiserver.resources | indent 12 }}
+        command:
+          - /usr/local/bin/tidb-apiserver
+          - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
+          - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
+        env:
+          - name: TZ
+            value: {{ .Values.timezone | default "UTC" }}
+        volumeMounts:
+          - mountPath: /apiserver.local.config/certificates
+            name: certs
+            readOnly: true
+      volumes:
+        - name: certs
+          secret:
+            secretName: tidb-apiserver-certs
+    {{- with .Values.apiserver.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.apiserver.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.apiserver.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+{{- end }}
diff --git a/charts/tidb-operator/templates/apiserver-rbac.yaml b/charts/tidb-operator/templates/apiserver-rbac.yaml
@@ -0,0 +1,68 @@
+{{- if .Values.apiserver.create }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ .Values.apiserver.serviceAccount }}
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: apiserver
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Name }}:tidb-apiserver-reader
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: apiserver
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+rules:
+- apiGroups: [""]
+  resources: ["namespace", "configmaps"]
+  verbs: ["list", "get", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["*"]
+  verbs: ["list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Name }}:tidb-apiserver-reader
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: apiserver
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.apiserver.serviceAccount }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}:tidb-apiserver-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: {{ .Release.Name }}:tidb-apiserver-auth-delegator
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: apiserver
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.apiserver.serviceAccount }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: system:auth-delegator
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/tidb-operator/templates/apiserver-registration.yaml b/charts/tidb-operator/templates/apiserver-registration.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.apiserver.create }}
+apiVersion: apiregistration.k8s.io/v1
+kind: APIService
+metadata:
+  name: v1alpha1.tidb.pingcap.com
+spec:
+  group: tidb.pingcap.com
+  version: v1alpha1
+  groupPriorityMinimum: 2000
+  versionPriority: 200
+  service:
+    namespace: {{ .Release.Namespace }}
+    name: tidb-apiserver
+  caBundle: {{ .Values.apiserver.caBundle | b64enc }}
+{{- end }}
diff --git a/charts/tidb-operator/templates/apiserver-secret.yaml b/charts/tidb-operator/templates/apiserver-secret.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.apiserver.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tidb-apiserver-certs
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: apiserver
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+data:
+  tls.crt: {{ .Values.apiserver.certificate | b64enc }}
+  tls.key: {{ .Values.apiserver.key | b64enc }}
+{{- end }}
diff --git a/charts/tidb-operator/templates/apiserver-service.yaml b/charts/tidb-operator/templates/apiserver-service.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.apiserver.create }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: tidb-apiserver
+  labels:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: apiserver
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+"  "_" }}
+spec:
+  ports:
+  - protocol: TCP
+    port: 443
+    targetPort: 443
+  selector:
+    app.kubernetes.io/name: {{ template "chart.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: apiserver
+{{- end }}
diff --git a/charts/tidb-operator/values.yaml b/charts/tidb-operator/values.yaml
@@ -88,4 +88,39 @@ scheduler:
   # - key: node-role
   #   operator: Equal
   #   value: tidb-operator
-  #   effect: "NoSchedule"
+  #   effect: "NoSchedule"
+
+apiserver:
+  # leave the creation of apiserver CA cert/key to user for now
+  # TODO: adopt advanced cert management strategy after #1040 (webhook) merged
+  certificate: ""
+  key: ""
+  caBundle: ""
+
+  create: false
+  replicas: 1
+  serviceAccount: tidb-apiserver
+  resources:
+    limits:
+      cpu: 500m
+      memory: 300Mi
+    requests:
+      cpu: 200m
+      memory: 50Mi
+  # This will default to matching your kubernetes version
+  # kubeSchedulerImageTag:
+  ## affinity defines pod scheduling rules,affinity default settings is empty.
+  ## please read the affinity document before set your scheduling rule:
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  affinity: {}
+  ## nodeSelector ensure pods only assigning to nodes which have each of the indicated key-value pairs as labels
+  ## ref:https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+  nodeSelector: {}
+  ## Tolerations are applied to pods, and allow pods to schedule onto nodes with matching taints.
+  ## refer to https://kubernetes.io/docs/concepts/configuration/taint-and-toleration
+  tolerations: []
+  # - key: node-role
+  #   operator: Equal
+  #   value: tidb-operator
+  #   effect: "NoSchedule"
+
diff --git a/cmd/apiserver/main.go b/cmd/apiserver/main.go
@@ -15,13 +15,18 @@ package main
 
 import (
 	_ "github.com/go-openapi/loads"
-	_ "github.com/ugorji/go/codec"
-
 	"github.com/pingcap/tidb-operator/pkg/apiserver/cmd"
 	"github.com/pingcap/tidb-operator/pkg/version"
+	_ "github.com/ugorji/go/codec"
 	_ "k8s.io/client-go/plugin/pkg/client/auth" // Enable cloud provider auth
+	"k8s.io/kube-openapi/pkg/common"
 )
 
+var emptyOpenAPIDefinitions = func(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
+	return map[string]common.OpenAPIDefinition{}
+}
+
 func main() {
-	cmd.StartApiServer(nil, nil, "Api", version.Get().GitVersion)
+
+	cmd.StartApiServer(nil, emptyOpenAPIDefinitions, "TiDB ApiServer API", version.Get().GitVersion)
 }
diff --git a/hack/aa-codegen.sh b/hack/aa-codegen.sh
diff --git a/images/tidb-operator/Dockerfile b/images/tidb-operator/Dockerfile
@@ -5,3 +5,4 @@ ADD bin/tidb-scheduler /usr/local/bin/tidb-scheduler
 ADD bin/tidb-discovery /usr/local/bin/tidb-discovery
 ADD bin/tidb-admission-controller /usr/local/bin/tidb-admission-controller
 ADD bin/tidb-controller-manager /usr/local/bin/tidb-controller-manager
+ADD bin/tidb-apiserver /usr/local/bin/tidb-apiserver