m/n/kubernetes: start splitting, run apiproxy
This begins the process to split the Kubernetes service into a
controller and a worker service.
First, we rename the existing service to a Controller, create a Worker
service, and make the Worker service run our new tinylb-based apiserver
loadbalancer.
We also make the roleserver aware of this change by making it spawn both
the controller and worker services according to roles.
We will move services to the Worker in follow-up change requests.
Change-Id: I76e98baa0603ad5df30b5892dd69154b895b35fa
Reviewed-on: https://review.monogon.dev/c/monogon/+/1374
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/ports.go b/metropolis/node/ports.go
index c90e7dc..f4ffa0b 100644
--- a/metropolis/node/ports.go
+++ b/metropolis/node/ports.go
@@ -40,6 +40,10 @@
// KubernetesAPIWrappedPort is the TCP port on which the Metropolis
// authenticating proxy for the Kubernetes API is exposed.
KubernetesAPIWrappedPort Port = 6444
+ // KubernetesWorkerLocalAPIPort is the TCP port on which Kubernetes worker nodes
+ // run a loadbalancer to access the cluster's API servers before cluster
+ // networking is available. This port is only bound to 127.0.0.1.
+ KubernetesWorkerLocalAPIPort Port = 6445
// DebuggerPort is the port on which the delve debugger runs (on debug
// builds only). Not to be confused with DebugServicePort.
DebuggerPort Port = 2345
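Review bot: the comment on KubernetesWorkerLocalAPIPort states "This port is only bound to 127.0.0.1", but a port constant cannot enforce that; the loopback-only bind is a property of the listener that the tinylb load balancer opens, which is not in this change. Suggest pointing the comment at the code that does the bind (or adding a check there) so the loopback guarantee is traceable, since the whole point of this port is a local, unauthenticated path to the API servers that must not become reachable from the cluster network. The phrase "before cluster networking is available" is also ambiguous: say explicitly whether the listener stays up after cluster networking is established, or is torn down once the wrapped port on 6444 is usable.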
@@ -57,6 +61,8 @@
return "wireguard"
case KubernetesAPIPort:
return "kubernetes-api"
+ case KubernetesWorkerLocalAPIPort:
+ return "kubernetes-worker-local-api"
case KubernetesAPIWrappedPort:
return "kubernetes-api-wrapped"
case DebuggerPort:
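Review bot: the new `case KubernetesWorkerLocalAPIPort: return "kubernetes-worker-local-api"` follows the existing naming pattern, but no test is touched; if there is a table-driven test for this port-name function, add the new port to it so the mapping cannot silently fall through to the default case.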