add support to use forward-journald. This should fix SIGPIPE's sent t…

…o the daemon

README.md

@@ -4,25 +4,44 @@
 
 This module installs and configures a kubernetes clutser.
 
-The main class kubernetes it only populates the /etc/kubernetes/config file.
+The main class kubernetes doesn't do anything and is kept for historical reasons.
+
+The class kubernetes::client only populates the /etc/kubernetes/config file: it empties all variables.
+
+The class kubernetes::node only manages the kubernetes-node package.
+
+The class kubernetes::master only manages the kubernetes-master packages.
 
 Because of this, it needs to be forced to execute after the master or node has installed
 any programs (the file is created by both master or node). This is accomplished by forcing
 this in the node and master class.
 
 The class kubernetes::client doesn't do anything now.
 
+## Journald forward:
+
+The class support a parameter called journald_forward_enable.
+
+This was added because of the PIPE signal that is sent to go programs when systemd-journald dies.
+
+For more information read here: https://github.com/projectatomic/forward-journald
+
+### Usage:
+
+	  include ::forward_journald
+	  Class['forward_journald'] -> Class['kubernetes::master']
+
 
-Usage:
+## Usage:
 
-	  include kubernetes
+	  include kubernetes::client
 	  include kubernetes::master
 	  include kubernetes::node
 	  include kubernetes::node::kubelet
 	  include kubernetes::node::kube_proxy
 
 	  class { 'kubernetes::master::apiserver':
-	    admission_control             => [
+	    admission_control => [
 	      'NamespaceLifecycle',
 	      'NamespaceExists',
 	      'LimitRanger',
@@ -31,15 +50,15 @@ Usage:
 	      ],
 	  }
 
-If you want to use you existing network infrastructure, then wou will have to allocate
+If you want to use you existing network infrastructure, then you will have to allocate
 to nodes a subnet from the same ip class. You can self register a node with this information
 by giving  kubelet_register_node = > true and the desired subnet in kubelet_pod_cidr:
 
 		class { 'kubernetes::node::kubelet':
-		  ensure                  => 'latest',
-		  address                 => '0.0.0.0',
-		  api_servers             => 'http://k-api.company.net:8080',
-		  configure_cbr0          => true,
-		  register_node           => true,
-		  pod_cidr                => '10.100.5.0/24',
+		  ensure         => 'latest',
+		  address        => '0.0.0.0',
+		  api_servers    => 'http://k-api.company.net:8080',
+		  configure_cbr0 => true,
+		  register_node  => true,
+		  pod_cidr       => '10.100.5.0/24',
 		}

manifests/master/apiserver.pp

@@ -4,6 +4,10 @@
 #   Whether you want the apiserver daemon to start up
 #   Defaults to running
 #
+# [*journald_forward_enable*]
+#   Fix for SIGPIPE sent to registry daemon during journald restart
+#   Defaults to false
+#
 # [*enable*]
 #   Whether you want the apiserver daemon to start up at boot
 #   Defaults to true
@@ -24,6 +28,10 @@
 #   If true, allow privileged containers.
 #   Defaults to false.
 #
+# [*apiserver_count*]
+#   The number of apiservers running in the cluster
+#   Defaults to 1.
+#
 # [*authorization_mode*]
 #   Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC
 #   Default AlwaysAllow.
@@ -188,32 +196,35 @@
 #   Default undef
 #
 # [*token_auth_file*]
-#   If set, the file that will be used to secure the secure port of the API server via token
-#      authentication.
+#   If set, the file that will be used to secure the secure port of the API server via token authentication.
 #   Default undef
 #
 # [*watch_cache*]
 #   Enable watch caching in the apiserver
 #   Default true
 #
 # [*watch_cache_sizes*]
-#   List of watch cache sizes for every resource (pods, nodes, etc.), comma separated. The individual override format: resource#size, where size is a number. It takes effect when watch-cache is enabled.
+#   List of watch cache sizes for every resource (pods, nodes, etc.), comma separated. The individual override format: resource#size,
+#   where size is a number. It takes effect when watch-cache is enabled.
 #   Default undef
 #
 # [*repair_malformed_updates*]
-#   If true, server will do its best to fix the update request to pass the validation, e.g., setting empty UID in update request to its existing value. This flag can be turned off after we fix all the clients that send malformed updates.
+#   If true, server will do its best to fix the update request to pass the validation, e.g., setting empty UID in update request
+#   to its existing value. This flag can be turned off after we fix all the clients that send malformed updates.
 #   Default true
 #
 # [*delete_collection_workers*]
 #   Number of workers spawned for DeleteCollection call. These are used to speed up namespace cleanup.
 #   Default 1
 #
 # [*kubernetes_service_node_port*]
-#   If non-zero, the Kubernetes master service (which apiserver creates/maintains) will be of type NodePort, using this as the value of the port. If zero, the Kubernetes master service will be of type ClusterIP.
+#   If non-zero, the Kubernetes master service (which apiserver creates/maintains) will be of type NodePort, using this as
+#   the value of the port. If zero, the Kubernetes master service will be of type ClusterIP.
 #   Default 0
 #
 # [*authorization_webhook_config*]
-#   File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port.
+#   File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query
+#   the remote service to determine access on the API server's secure port.
 #   Default undef
 #
 # [*ir_hawkular*]
@@ -228,10 +239,12 @@
 class kubernetes::master::apiserver (
   $service_cluster_ip_range,
   $ensure                        = $kubernetes::master::params::kube_api_service_ensure,
+  $journald_forward_enable       = $kubernetes::master::params::kube_api_journald_forward_enable,
   $enable                        = $kubernetes::master::params::kube_api_service_enable,
   $admission_control             = $kubernetes::master::params::kube_api_admission_control,
   $advertise_address             = $kubernetes::master::params::kube_api_advertise_address,
   $allow_privileged              = $kubernetes::master::params::kube_api_allow_privileged,
+  $apiserver_count               = $kubernetes::master::params::kube_apiserver_count,
   $authorization_mode            = $kubernetes::master::params::kube_api_authorization_mode,
   $bind_address                  = $kubernetes::master::params::kube_api_bind_address,
   $cert_dir                      = $kubernetes::master::params::kube_api_cert_dir,
@@ -291,6 +304,26 @@
     } ~> Service['kube-apiserver']
   }
 
+  if $journald_forward_enable {
+    file { '/etc/systemd/system/kube-apiserver.service.d':
+      ensure => 'directory',
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755',
+    }
+    file { '/etc/systemd/system/kube-apiserver.service.d/journald.conf':
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => template("${module_name}/systemd/apiserver_journald.conf.erb"),
+    } ~>
+    exec { 'reload systemctl daemon for kube-apiserver':
+      command     => '/bin/systemctl daemon-reload',
+      refreshonly => true,
+    } ~> Service['kube-apiserver']
+  }
+
   file { '/etc/kubernetes/apiserver':
     ensure  => 'file',
     force   => true,

manifests/master/controller_manager.pp

@@ -5,6 +5,10 @@
 #   Whether you want the controller-manager daemon to start up
 #   Defaults to running
 #
+# [*journald_forward_enable*]
+#   Fix for SIGPIPE sent to registry daemon during journald restart
+#   Defaults to false
+#
 # [*enable*]
 #   Whether you want the controller-manager daemon to start up at boot
 #   Defaults to true
@@ -126,19 +130,23 @@
 #   Defaults to 0
 #
 # [*concurrent_deployment_syncs*]
-#   The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments, but more CPU (and network) load
+#   The number of deployment objects that are allowed to sync concurrently. Larger number = more responsive deployments,
+#   but more CPU (and network) load
 #   Default 5
 #
 # [*concurrent_namespace_syncs*]
-#   The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace termination, but more CPU (and network) load
+#   The number of namespace objects that are allowed to sync concurrently. Larger number = more responsive namespace
+#   termination, but more CPU (and network) load
 #   Default 2
 #
 # [*concurrent_replicaset_syncs*]
-#   The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management, but more CPU (and network) load
+#   The number of replica sets that are allowed to sync concurrently. Larger number = more responsive replica management,
+#   but more CPU (and network) load
 #   Default 5
 #
 # [*concurrent_resource_quota_syncs*]
-#   The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management, but more CPU (and network) load
+#   The number of resource quotas that are allowed to sync concurrently. Larger number = more responsive quota management,
+#   but more CPU (and network) load
 #   Default 5
 #
 # [*daemonset_lookup_cache_size*]
@@ -154,19 +162,24 @@
 #   Default 20
 #
 # [*leader_elect*]
-#   Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.
+#   Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated
+#   components for high availability.
 #   Default undef
 #
 # [*leader_elect_lease_duration*]
-#   The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.
+#   The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire
+#   leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped
+#   before it is replaced by another candidate. This is only applicable if leader election is enabled.
 #   Default '15s'
 #
 # [*leader_elect_renew_deadline*]
-#   The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.
+#   The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less
+#   than or equal to the lease duration. This is only applicable if leader election is enabled.
 #   Default '10s'
 #
 # [*leader_elect_retry_period*]
-#   The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.
+#   The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if
+#   leader election is enabled.
 #   Default '2s'
 #
 # [*replicaset_lookup_cache_size*]
@@ -180,6 +193,7 @@
 #
 class kubernetes::master::controller_manager (
   $ensure                                = $kubernetes::master::params::kube_controller_service_ensure,
+  $journald_forward_enable               = $kubernetes::master::params::kube_controller_journald_forward_enable,
   $enable                                = $kubernetes::master::params::kube_controller_service_enable,
   $address                               = $kubernetes::master::params::kube_controller_address,
   $allocate_node_cidrs                   = $kubernetes::master::params::kube_controller_allocate_node_cidrs,
@@ -230,6 +244,26 @@
 
   validate_bool($allocate_node_cidrs)
 
+  if $journald_forward_enable {
+    file { '/etc/systemd/system/kube-controller-manager.service.d':
+      ensure => 'directory',
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755',
+    }
+    file { '/etc/systemd/system/kube-controller-manager.service.d/journald.conf':
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => template("${module_name}/systemd/controller_manager_journald.conf.erb"),
+    } ~>
+    exec { 'reload systemctl daemon for kube-controller-manager':
+      command     => '/bin/systemctl daemon-reload',
+      refreshonly => true,
+    } ~> Service['kube-controller-manager']
+  }
+
   file { '/etc/kubernetes/controller-manager':
     ensure  => 'file',
     force   => true,

manifests/master/params.pp

@@ -4,6 +4,7 @@
   # api server config
   # http://kubernetes.io/v1.1/docs/admin/kube-apiserver.html
   $kube_api_service_ensure = running
+  $kube_api_journald_forward_enable = false
   $kube_api_service_enable = true
   $kube_api_admission_control = [
     'NamespaceLifecycle',
@@ -15,6 +16,7 @@
     ]
   $kube_api_advertise_address = undef
   $kube_api_allow_privileged = false
+  $kube_apiserver_count = 1
   $kube_api_authorization_mode = 'AlwaysAllow'
   $kube_api_bind_address = '0.0.0.0'
   $kube_api_cert_dir = '/var/run/kubernetes'
@@ -64,6 +66,7 @@
   # controller manager config
   # http://kubernetes.io/v1.1/docs/admin/kube-controller-manager.html
   $kube_controller_service_ensure = running
+  $kube_controller_journald_forward_enable = false
   $kube_controller_service_enable = true
   $kube_controller_address = '127.0.0.1'
   $kube_controller_allocate_node_cidrs = false
@@ -110,6 +113,7 @@
   # scheduler config
   # http://kubernetes.io/v1.1/docs/admin/kube-scheduler.html
   $kube_scheduler_service_ensure = running
+  $kube_scheduler_journald_forward_enable = false
   $kube_scheduler_service_enable = true
   $kube_scheduler_address = '127.0.0.1'
   $kube_scheduler_bind_pods_burst = 100

manifests/master/scheduler.pp

@@ -4,6 +4,10 @@
 #   Whether you want the scheduler daemon to start up
 #   Defaults to running
 #
+# [*journald_forward_enable*]
+#   Fix for SIGPIPE sent to registry daemon during journald restart
+#   Defaults to false
+#
 # [*enable*]
 #   Whether you want the scheduler daemon to start up at boot
 #   Defaults to true
@@ -41,23 +45,29 @@
 #   Defaults to 10251
 #
 # [*leader_elect*]
-#   Start a leader election client and gain leadership before executing the main loop. Enable this when running replicated components for high availability.
+#   Start a leader election client and gain leadership before executing the main loop. Enable this when running
+#   replicated components for high availability.
 #   Defaults to undef
 #
 # [*leader_elect_lease_duration*]
-#   The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.
+#   The duration that non-leader candidates will wait after observing a leadership renewal until attempting to
+#   acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be
+#   stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.
 #   Defaults to '15s'
 #
 # [*leader_elect_renew_deadline*]
-#   The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.
+#   The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must
+#   be less than or equal to the lease duration. This is only applicable if leader election is enabled.
 #   Defaults to '10s'
 #
 # [*leader_elect_retry_period*]
-#   The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.
+#   The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable
+#   if leader election is enabled.
 #   Defaults to '2s"
 #
 # [*scheduler_name*]
-#   Name of the scheduler, used to select which pods will be processed by this scheduler, based on pod's annotation with key 'scheduler.alpha.kubernetes.io/name'
+#   Name of the scheduler, used to select which pods will be processed by this scheduler, based on pod's annotation with
+#   key 'scheduler.alpha.kubernetes.io/name'
 #   Defaults to undef
 #
 # [*minimum_version*]
@@ -67,6 +77,7 @@
 #
 class kubernetes::master::scheduler (
   $ensure                      = $kubernetes::master::params::kube_scheduler_service_ensure,
+  $journald_forward_enable     = $kubernetes::master::params::kube_scheduler_journald_forward_enable,
   $enable                      = $kubernetes::master::params::kube_scheduler_service_enable,
   $address                     = $kubernetes::master::params::kube_scheduler_address,
   $bind_pods_burst             = $kubernetes::master::params::kube_scheduler_bind_pods_burst,
@@ -89,6 +100,26 @@
 
   include ::kubernetes::master
 
+  if $journald_forward_enable {
+    file { '/etc/systemd/system/kube-scheduler.service.d':
+      ensure => 'directory',
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755',
+    }
+    file { '/etc/systemd/system/kube-scheduler.service.d/journald.conf':
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => template("${module_name}/systemd/scheduler_journald.conf.erb"),
+    } ~>
+    exec { 'reload systemctl daemon for kube-scheduler':
+      command     => '/bin/systemctl daemon-reload',
+      refreshonly => true,
+    } ~> Service['kube-scheduler']
+  }
+
   file { '/etc/kubernetes/scheduler':
     ensure  => 'file',
     force   => true,