Update promenade config for PKICatalog + proxy

Change-Id: I6ee6434823a4bf72335da2e8f534265719ec0505
Mark Burnett 2018-02-13 13:44:48 -06:00
parent 3e76d16f74
commit d8f78a7795
5 changed files with 235 additions and 105 deletions


@ -20,12 +20,15 @@ data:
- 8.8.4.4
kubernetes:
apiserver_port: 6443
haproxy_port: 6553
pod_cidr: 10.97.0.0/16
service_cidr: 10.96.0.0/16
service_ip: 10.96.0.1
etcd:
service_ip: 10.96.0.2
container_port: 2379
haproxy_port: 2378
hosts_entries:
- ip: 192.168.77.1

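--- /dev/null
+++ b/PKICatalog.yaml.sub
@@ -0,0 +1,166 @@
+---
+schema: promenade/PKICatalog/v1
+metadata:
+schema: metadata/Document/v1
+name: cluster-certificates
+layeringDefinition:
+abstract: false
+layer: site
+data:
+certificate_authorities:
+kubernetes:
+description: CA for Kubernetes components
+certificates:
+- document_name: apiserver
+description: Service certificate for Kubernetes apiserver
+common_name: apiserver
+hosts:
+- localhost
+- 127.0.0.1
+- 10.96.0.1
+kubernetes_service_names:
+- kubernetes.default.svc.cluster.local
+- document_name: kubelet-genesis
+common_name: system:node:${GENESIS_NODE_NAME}
+hosts:
+- ${GENESIS_NODE_NAME}
+- ${GENESIS_NODE_IP}
+groups:
+- system:nodes
+- document_name: kubelet-${GENESIS_NODE_NAME}
+common_name: system:node:${GENESIS_NODE_NAME}
+hosts:
+- ${GENESIS_NODE_NAME}
+- ${GENESIS_NODE_IP}
+groups:
+- system:nodes
+- document_name: kubelet-${MASTER_NODE_NAME}
+common_name: system:node:${MASTER_NODE_NAME}
+hosts:
+- ${MASTER_NODE_NAME}
+- ${MASTER_NODE_IP}
+groups:
+- system:nodes
+- document_name: scheduler
+description: Service certificate for Kubernetes scheduler
+common_name: system:kube-scheduler
+- document_name: controller-manager
+description: certificate for controller-manager
+common_name: system:kube-controller-manager
+- document_name: admin
+common_name: admin
+groups:
+- system:masters
+- document_name: armada
+common_name: armada
+groups:
+- system:masters
+kubernetes-etcd:
+description: Certificates for Kubernetes's etcd servers
+certificates:
+- document_name: apiserver-etcd
+description: etcd client certificate for use by Kubernetes apiserver
+common_name: apiserver
+# NOTE(mark-burnett): hosts not required for client certificates
+- document_name: kubernetes-etcd-anchor
+description: anchor
+common_name: anchor
+- document_name: kubernetes-etcd-genesis
+common_name: kubernetes-etcd-genesis
+hosts:
+- ${GENESIS_NODE_NAME}
+- ${GENESIS_NODE_IP}
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- document_name: kubernetes-etcd-${GENESIS_NODE_NAME}
+common_name: kubernetes-etcd-${GENESIS_NODE_NAME}
+hosts:
+- ${GENESIS_NODE_NAME}
+- ${GENESIS_NODE_IP}
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- document_name: kubernetes-etcd-${MASTER_NODE_NAME}
+common_name: kubernetes-etcd-${MASTER_NODE_NAME}
+hosts:
+- ${MASTER_NODE_NAME}
+- ${MASTER_NODE_IP}
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+kubernetes-etcd-peer:
+certificates:
+- document_name: kubernetes-etcd-genesis-peer
+common_name: kubernetes-etcd-genesis-peer
+hosts:
+- ${GENESIS_NODE_NAME}
+- ${GENESIS_NODE_IP}
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- document_name: kubernetes-etcd-${GENESIS_NODE_NAME}-peer
+common_name: kubernetes-etcd-${GENESIS_NODE_NAME}-peer
+hosts:
+- ${GENESIS_NODE_NAME}
+- ${GENESIS_NODE_IP}
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+- document_name: kubernetes-etcd-${MASTER_NODE_NAME}-peer
+common_name: kubernetes-etcd-${MASTER_NODE_NAME}-peer
+hosts:
+- ${MASTER_NODE_NAME}
+- ${MASTER_NODE_IP}
+- 127.0.0.1
+- localhost
+- kubernetes-etcd.kube-system.svc.cluster.local
+calico-etcd:
+description: Certificates for Calico etcd client traffic
+certificates:
+- document_name: calico-etcd-anchor
+description: anchor
+common_name: anchor
+- document_name: calico-etcd-${GENESIS_NODE_NAME}
+common_name: calico-etcd-${GENESIS_NODE_NAME}
+hosts:
+- ${GENESIS_NODE_NAME}
+- ${GENESIS_NODE_IP}
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-etcd-${MASTER_NODE_NAME}
+common_name: calico-etcd-${MASTER_NODE_NAME}
+hosts:
+- ${MASTER_NODE_NAME}
+- ${MASTER_NODE_IP}
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-node
+common_name: calcico-node
+calico-etcd-peer:
+description: Certificates for Calico etcd clients
+certificates:
+- document_name: calico-etcd-${GENESIS_NODE_NAME}-peer
+common_name: calico-etcd-${GENESIS_NODE_NAME}-peer
+hosts:
+- ${GENESIS_NODE_NAME}
+- ${GENESIS_NODE_IP}
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-etcd-${MASTER_NODE_NAME}-peer
+common_name: calico-etcd-${MASTER_NODE_NAME}-peer
+hosts:
+- ${MASTER_NODE_NAME}
+- ${MASTER_NODE_IP}
+- 127.0.0.1
+- localhost
+- 10.96.232.136
+- document_name: calico-node-peer
+common_name: calcico-node-peer
+keypairs:
+- name: service-account
+description: Service account signing key for use by Kubernetes controller-manager.
+...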
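Review bot: The `calico-node` and `calico-node-peer` entries set `common_name: calcico-node` and `common_name: calcico-node-peer`, a misspelling of their own document names; if the Calico etcd side authorizes on the certificate CN, the typo either breaks that check or lets a misnamed identity pass unnoticed, so they should read `common_name: calico-node` and `common_name: calico-node-peer`. The `admin` and `armada` certificates both carry `groups: [system:masters]`, which the apiserver treats as an unrestricted cluster-admin group; `armada` is a service identity, and binding it to a dedicated group with a scoped ClusterRoleBinding would keep a leaked armada key from handing over the whole cluster. The `calico-etcd-peer` CA is described as "Certificates for Calico etcd clients", the same wording as the client CA above it, and `kubernetes-etcd-peer` has no description at all; suggest `description: Certificates for Calico etcd peer traffic` and an equivalent line for the Kubernetes peer CA so a reader can tell the two CA roles apart.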


@ -60,6 +60,7 @@ metadata:
data:
description: Kubernetes components
chart_group:
- haproxy
- kubernetes-etcd
- kubernetes-apiserver
- kubernetes-controller-manager
@ -109,25 +110,6 @@ metadata:
layeringDefinition:
abstract: false
layer: site
substitutions:
- src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes
path: $
dest:
path: '$.values.secrets.tls.ca'
- src:
schema: deckhand/Certificate/v1
name: proxy
path: $
dest:
path: '$.values.secrets.tls.cert'
- src:
schema: deckhand/CertificateKey/v1
name: proxy
path: $
dest:
path: '$.values.secrets.tls.key'
data:
chart_name: proxy
release: kubernetes-proxy
@ -136,16 +118,11 @@ data:
upgrade:
no_hooks: true
values:
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
images:
tags:
proxy: ${KUBE_PROXY_IMAGE}
network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443
kubernetes_netloc: 127.0.0.1:6553
pod_cidr: 10.97.0.0/16
source:
type: local
@ -398,37 +375,13 @@ data:
no_hooks: true
values:
coredns:
kubernetes_zones:
- cluster.local
- 10.96.0.0/16
- 10.97.0.0/16
upstream_nameservers:
- 8.8.8.8
- 8.8.4.4
zones:
- name: promenade
services:
- bind_name: apiserver.kubernetes
service:
name: kubernetes-apiserver
namespace: kube-system
- bind_name: etcd.kubernetes
service:
name: kubernetes-etcd
namespace: kube-system
- bind_name: etcd.calico
service:
name: calico-etcd
namespace: kube-system
images:
anchor: ${KUBE_ANCHOR_IMAGE}
coredns: ${KUBE_COREDNS_IMAGE}
tls:
ca: placeholder
cert: placeholder
key: placeholder
network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443
tags:
coredns: ${KUBE_COREDNS_IMAGE}
test: ${KUBE_COREDNS_IMAGE}
source:
type: local
location: /etc/genesis/armada/assets/charts
@ -437,6 +390,62 @@ data:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: haproxy
layeringDefinition:
abstract: false
layer: site
data:
chart_name: haproxy
release: haproxy
namespace: kube-system
timeout: 600
wait:
timeout: 600
upgrade:
no_hooks: true
values:
conf:
anchor:
kubernetes_url: https://kubernetes.default:443
services:
default:
kubernetes:
server_opts: "check"
conf_parts:
frontend:
- mode tcp
- option tcpka
- bind *:6553
backend:
- mode tcp
- option tcpka
kube-system:
kubernetes-etcd:
server_opts: "check"
conf_parts:
frontend:
- mode tcp
- option tcpka
- bind *:2378
backend:
- mode tcp
- option tcpka
images:
tags:
anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.6
haproxy: haproxy:1.8.3
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: haproxy
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: kubernetes-apiserver
@ -497,7 +506,7 @@ data:
values:
apiserver:
etcd:
endpoints: https://etcd.kubernetes.promenade:2379
endpoints: https://127.0.0.1:2378
images:
tags:
anchor: ${KUBE_ANCHOR_IMAGE}
@ -576,7 +585,7 @@ data:
cert: placeholder
key: placeholder
network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443
kubernetes_netloc: 127.0.0.1:6553
pod_cidr: 10.97.0.0/16
service_cidr: 10.96.0.0/16
@ -629,7 +638,7 @@ data:
key: placeholder
network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443
kubernetes_netloc: 127.0.0.1:6553
images:
tags:
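Review bot: In the new `haproxy` chart the frontends `bind *:6553` and `bind *:2378` on every interface, while every consumer this commit repoints (`kubernetes_netloc: 127.0.0.1:6553`, `endpoints: https://127.0.0.1:2378`) reaches the proxy over loopback; if the proxy runs with host networking, as those loopback addresses suggest, `- bind 127.0.0.1:6553` and `- bind 127.0.0.1:2378` keep the apiserver and etcd relay ports off the node's external interfaces without changing any client. Both frontends and backends are `mode tcp`, so the listener adds no TLS of its own and the exposure is exactly that of the client-certificate checks on apiserver and etcd; that is worth stating on the chart, e.g. `# TCP passthrough: apiserver and etcd still enforce mTLS`. The chart also pins `anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.6` and `haproxy: haproxy:1.8.3` literally whereas the neighbouring charts use `${KUBE_ANCHOR_IMAGE}`; `anchor: ${KUBE_ANCHOR_IMAGE}` would keep the anchor image managed in one place. The rendered page has lost the +/- markers, so which of these lines are context versus additions is inferred from the hunk counts.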


@ -153,7 +153,7 @@ function genesis {
mkdir configs
chmod 777 configs
cat joining-host-config.yaml.sub | envsubst > configs/joining-host-config.yaml
cat PKICatalog.yaml.sub | envsubst > configs/PKICatalog.yaml
cat armada-resources.yaml.sub | envsubst > configs/armada-resources.yaml
cat armada.yaml.sub | envsubst > ${ARMADA_CONFIG}
cat Genesis.yaml.sub | envsubst > configs/Genesis.yaml
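Review bot: The new `cat PKICatalog.yaml.sub | envsubst > configs/PKICatalog.yaml` substitutes every `$NAME` in the template and expands an unset variable to the empty string, so a missing `GENESIS_NODE_NAME` or `MASTER_NODE_IP` produces a catalog with identities such as `common_name: system:node:` and empty SAN entries instead of a failure; because `envsubst` is a separate process, a `set -u` in the script would not catch it. Asserting the inputs and restricting the substitution set makes that loud: `: "${GENESIS_NODE_NAME:?}" "${GENESIS_NODE_IP:?}" "${MASTER_NODE_NAME:?}" "${MASTER_NODE_IP:?}"` followed by `envsubst '${GENESIS_NODE_NAME} ${GENESIS_NODE_IP} ${MASTER_NODE_NAME} ${MASTER_NODE_IP}' < PKICatalog.yaml.sub > configs/PKICatalog.yaml`. The sibling `envsubst` lines in this hunk have the same property, though they predate the commit. The `genesis` function begins before this hunk and continues after it.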


@ -1,48 +0,0 @@
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: ${GENESIS_NODE_NAME}
layeringDefinition:
abstract: false
layer: site
data:
hostname: ${GENESIS_NODE_NAME}
ip: ${GENESIS_NODE_IP}
join_ip: ${MASTER_NODE_IP}
labels:
dynamic:
- ucp-control-plane=enabled
- ceph-osd=enabled
- ceph-mon=enabled
- ceph-rgw=enabled
- ceph-mds=enabled
- ceph-mgr=enabled
---
schema: promenade/KubernetesNode/v1
metadata:
schema: metadata/Document/v1
name: ${MASTER_NODE_NAME}
layeringDefinition:
abstract: false
layer: site
data:
hostname: ${MASTER_NODE_NAME}
ip: ${MASTER_NODE_IP}
join_ip: ${GENESIS_NODE_IP}
labels:
static:
- node-role.kubernetes.io/master=
dynamic:
- calico-etcd=enabled
- kubernetes-apiserver=enabled
- kubernetes-controller-manager=enabled
- kubernetes-etcd=enabled
- kubernetes-scheduler=enabled
- ucp-control-plane=enabled
- ceph-osd=enabled
- ceph-mon=enabled
- ceph-rgw=enabled
- ceph-mds=enabled
- ceph-mgr=enabled
...