Update promenade config for PKICatalog + proxy
Change-Id: I6ee6434823a4bf72335da2e8f534265719ec0505
This commit is contained in:
parent
3e76d16f74
commit
d8f78a7795
|
@ -20,12 +20,15 @@ data:
|
|||
- 8.8.4.4
|
||||
|
||||
kubernetes:
|
||||
apiserver_port: 6443
|
||||
haproxy_port: 6553
|
||||
pod_cidr: 10.97.0.0/16
|
||||
service_cidr: 10.96.0.0/16
|
||||
service_ip: 10.96.0.1
|
||||
|
||||
etcd:
|
||||
service_ip: 10.96.0.2
|
||||
container_port: 2379
|
||||
haproxy_port: 2378
|
||||
|
||||
hosts_entries:
|
||||
- ip: 192.168.77.1
|
||||
|
|
|
@ -0,0 +1,166 @@
|
|||
---
|
||||
schema: promenade/PKICatalog/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: cluster-certificates
|
||||
layeringDefinition:
|
||||
abstract: false
|
||||
layer: site
|
||||
data:
|
||||
certificate_authorities:
|
||||
kubernetes:
|
||||
description: CA for Kubernetes components
|
||||
certificates:
|
||||
- document_name: apiserver
|
||||
description: Service certificate for Kubernetes apiserver
|
||||
common_name: apiserver
|
||||
hosts:
|
||||
- localhost
|
||||
- 127.0.0.1
|
||||
- 10.96.0.1
|
||||
kubernetes_service_names:
|
||||
- kubernetes.default.svc.cluster.local
|
||||
- document_name: kubelet-genesis
|
||||
common_name: system:node:${GENESIS_NODE_NAME}
|
||||
hosts:
|
||||
- ${GENESIS_NODE_NAME}
|
||||
- ${GENESIS_NODE_IP}
|
||||
groups:
|
||||
- system:nodes
|
||||
- document_name: kubelet-${GENESIS_NODE_NAME}
|
||||
common_name: system:node:${GENESIS_NODE_NAME}
|
||||
hosts:
|
||||
- ${GENESIS_NODE_NAME}
|
||||
- ${GENESIS_NODE_IP}
|
||||
groups:
|
||||
- system:nodes
|
||||
- document_name: kubelet-${MASTER_NODE_NAME}
|
||||
common_name: system:node:${MASTER_NODE_NAME}
|
||||
hosts:
|
||||
- ${MASTER_NODE_NAME}
|
||||
- ${MASTER_NODE_IP}
|
||||
groups:
|
||||
- system:nodes
|
||||
- document_name: scheduler
|
||||
description: Service certificate for Kubernetes scheduler
|
||||
common_name: system:kube-scheduler
|
||||
- document_name: controller-manager
|
||||
description: certificate for controller-manager
|
||||
common_name: system:kube-controller-manager
|
||||
- document_name: admin
|
||||
common_name: admin
|
||||
groups:
|
||||
- system:masters
|
||||
- document_name: armada
|
||||
common_name: armada
|
||||
groups:
|
||||
- system:masters
|
||||
kubernetes-etcd:
|
||||
description: Certificates for Kubernetes's etcd servers
|
||||
certificates:
|
||||
- document_name: apiserver-etcd
|
||||
description: etcd client certificate for use by Kubernetes apiserver
|
||||
common_name: apiserver
|
||||
# NOTE(mark-burnett): hosts not required for client certificates
|
||||
- document_name: kubernetes-etcd-anchor
|
||||
description: anchor
|
||||
common_name: anchor
|
||||
- document_name: kubernetes-etcd-genesis
|
||||
common_name: kubernetes-etcd-genesis
|
||||
hosts:
|
||||
- ${GENESIS_NODE_NAME}
|
||||
- ${GENESIS_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-${GENESIS_NODE_NAME}
|
||||
common_name: kubernetes-etcd-${GENESIS_NODE_NAME}
|
||||
hosts:
|
||||
- ${GENESIS_NODE_NAME}
|
||||
- ${GENESIS_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-${MASTER_NODE_NAME}
|
||||
common_name: kubernetes-etcd-${MASTER_NODE_NAME}
|
||||
hosts:
|
||||
- ${MASTER_NODE_NAME}
|
||||
- ${MASTER_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
kubernetes-etcd-peer:
|
||||
certificates:
|
||||
- document_name: kubernetes-etcd-genesis-peer
|
||||
common_name: kubernetes-etcd-genesis-peer
|
||||
hosts:
|
||||
- ${GENESIS_NODE_NAME}
|
||||
- ${GENESIS_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-${GENESIS_NODE_NAME}-peer
|
||||
common_name: kubernetes-etcd-${GENESIS_NODE_NAME}-peer
|
||||
hosts:
|
||||
- ${GENESIS_NODE_NAME}
|
||||
- ${GENESIS_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
- document_name: kubernetes-etcd-${MASTER_NODE_NAME}-peer
|
||||
common_name: kubernetes-etcd-${MASTER_NODE_NAME}-peer
|
||||
hosts:
|
||||
- ${MASTER_NODE_NAME}
|
||||
- ${MASTER_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- kubernetes-etcd.kube-system.svc.cluster.local
|
||||
calico-etcd:
|
||||
description: Certificates for Calico etcd client traffic
|
||||
certificates:
|
||||
- document_name: calico-etcd-anchor
|
||||
description: anchor
|
||||
common_name: anchor
|
||||
- document_name: calico-etcd-${GENESIS_NODE_NAME}
|
||||
common_name: calico-etcd-${GENESIS_NODE_NAME}
|
||||
hosts:
|
||||
- ${GENESIS_NODE_NAME}
|
||||
- ${GENESIS_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-etcd-${MASTER_NODE_NAME}
|
||||
common_name: calico-etcd-${MASTER_NODE_NAME}
|
||||
hosts:
|
||||
- ${MASTER_NODE_NAME}
|
||||
- ${MASTER_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-node
|
||||
common_name: calcico-node
|
||||
calico-etcd-peer:
|
||||
description: Certificates for Calico etcd clients
|
||||
certificates:
|
||||
- document_name: calico-etcd-${GENESIS_NODE_NAME}-peer
|
||||
common_name: calico-etcd-${GENESIS_NODE_NAME}-peer
|
||||
hosts:
|
||||
- ${GENESIS_NODE_NAME}
|
||||
- ${GENESIS_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-etcd-${MASTER_NODE_NAME}-peer
|
||||
common_name: calico-etcd-${MASTER_NODE_NAME}-peer
|
||||
hosts:
|
||||
- ${MASTER_NODE_NAME}
|
||||
- ${MASTER_NODE_IP}
|
||||
- 127.0.0.1
|
||||
- localhost
|
||||
- 10.96.232.136
|
||||
- document_name: calico-node-peer
|
||||
common_name: calcico-node-peer
|
||||
keypairs:
|
||||
- name: service-account
|
||||
description: Service account signing key for use by Kubernetes controller-manager.
|
||||
...
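Review bot: The two Calico client certificates carry a misspelled subject, `common_name: calcico-node` and `common_name: calcico-node-peer`, while their `document_name` values and every other entry in the catalog spell it `calico`. Any policy keyed on the certificate CN would have to match the typo once these are issued, so they should read `common_name: calico-node` and `common_name: calico-node-peer` before the catalog is rendered. The `calico-etcd-peer` authority is described as "Certificates for Calico etcd clients", the same wording as the `calico-etcd` client authority; a description such as `description: Certificates for Calico etcd peer traffic` would tell the two apart. The Calico etcd SANs also pin the literal `10.96.232.136` rather than a service DNS name like the kubernetes-etcd entries do, so a change to that service IP silently invalidates these certificates; a comment stating where that address comes from would help the next maintainer.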
|
|
@ -60,6 +60,7 @@ metadata:
|
|||
data:
|
||||
description: Kubernetes components
|
||||
chart_group:
|
||||
- haproxy
|
||||
- kubernetes-etcd
|
||||
- kubernetes-apiserver
|
||||
- kubernetes-controller-manager
|
||||
|
@ -109,25 +110,6 @@ metadata:
|
|||
layeringDefinition:
|
||||
abstract: false
|
||||
layer: site
|
||||
substitutions:
|
||||
- src:
|
||||
schema: deckhand/CertificateAuthority/v1
|
||||
name: kubernetes
|
||||
path: $
|
||||
dest:
|
||||
path: '$.values.secrets.tls.ca'
|
||||
- src:
|
||||
schema: deckhand/Certificate/v1
|
||||
name: proxy
|
||||
path: $
|
||||
dest:
|
||||
path: '$.values.secrets.tls.cert'
|
||||
- src:
|
||||
schema: deckhand/CertificateKey/v1
|
||||
name: proxy
|
||||
path: $
|
||||
dest:
|
||||
path: '$.values.secrets.tls.key'
|
||||
data:
|
||||
chart_name: proxy
|
||||
release: kubernetes-proxy
|
||||
|
@ -136,16 +118,11 @@ data:
|
|||
upgrade:
|
||||
no_hooks: true
|
||||
values:
|
||||
secrets:
|
||||
tls:
|
||||
ca: placeholder
|
||||
cert: placeholder
|
||||
key: placeholder
|
||||
images:
|
||||
tags:
|
||||
proxy: ${KUBE_PROXY_IMAGE}
|
||||
network:
|
||||
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
||||
kubernetes_netloc: 127.0.0.1:6553
|
||||
pod_cidr: 10.97.0.0/16
|
||||
source:
|
||||
type: local
|
||||
|
@ -398,37 +375,13 @@ data:
|
|||
no_hooks: true
|
||||
values:
|
||||
coredns:
|
||||
kubernetes_zones:
|
||||
- cluster.local
|
||||
- 10.96.0.0/16
|
||||
- 10.97.0.0/16
|
||||
upstream_nameservers:
|
||||
- 8.8.8.8
|
||||
- 8.8.4.4
|
||||
zones:
|
||||
- name: promenade
|
||||
services:
|
||||
- bind_name: apiserver.kubernetes
|
||||
service:
|
||||
name: kubernetes-apiserver
|
||||
namespace: kube-system
|
||||
- bind_name: etcd.kubernetes
|
||||
service:
|
||||
name: kubernetes-etcd
|
||||
namespace: kube-system
|
||||
- bind_name: etcd.calico
|
||||
service:
|
||||
name: calico-etcd
|
||||
namespace: kube-system
|
||||
images:
|
||||
anchor: ${KUBE_ANCHOR_IMAGE}
|
||||
coredns: ${KUBE_COREDNS_IMAGE}
|
||||
tls:
|
||||
ca: placeholder
|
||||
cert: placeholder
|
||||
key: placeholder
|
||||
network:
|
||||
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
||||
tags:
|
||||
coredns: ${KUBE_COREDNS_IMAGE}
|
||||
test: ${KUBE_COREDNS_IMAGE}
|
||||
source:
|
||||
type: local
|
||||
location: /etc/genesis/armada/assets/charts
|
||||
|
@ -437,6 +390,62 @@ data:
|
|||
- helm-toolkit
|
||||
---
|
||||
schema: armada/Chart/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: haproxy
|
||||
layeringDefinition:
|
||||
abstract: false
|
||||
layer: site
|
||||
data:
|
||||
chart_name: haproxy
|
||||
release: haproxy
|
||||
namespace: kube-system
|
||||
timeout: 600
|
||||
wait:
|
||||
timeout: 600
|
||||
upgrade:
|
||||
no_hooks: true
|
||||
values:
|
||||
conf:
|
||||
anchor:
|
||||
kubernetes_url: https://kubernetes.default:443
|
||||
services:
|
||||
default:
|
||||
kubernetes:
|
||||
server_opts: "check"
|
||||
conf_parts:
|
||||
frontend:
|
||||
- mode tcp
|
||||
- option tcpka
|
||||
- bind *:6553
|
||||
backend:
|
||||
- mode tcp
|
||||
- option tcpka
|
||||
kube-system:
|
||||
kubernetes-etcd:
|
||||
server_opts: "check"
|
||||
conf_parts:
|
||||
frontend:
|
||||
- mode tcp
|
||||
- option tcpka
|
||||
- bind *:2378
|
||||
backend:
|
||||
- mode tcp
|
||||
- option tcpka
|
||||
|
||||
images:
|
||||
tags:
|
||||
anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.6
|
||||
haproxy: haproxy:1.8.3
|
||||
|
||||
source:
|
||||
type: local
|
||||
location: /etc/genesis/armada/assets/charts
|
||||
subpath: haproxy
|
||||
dependencies:
|
||||
- helm-toolkit
|
||||
---
|
||||
schema: armada/Chart/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: kubernetes-apiserver
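Review bot: The new haproxy frontends bind on every interface, `- bind *:6553` and `- bind *:2378`, yet the consumers this change introduces all dial `127.0.0.1:6553` and `127.0.0.1:2378`; if the pod uses host networking (not visible in the hunk), that forwards the apiserver and, more importantly, the etcd client port to anything that can reach the node. Unless other hosts are meant to use the proxy, `- bind 127.0.0.1:6553` and `- bind 127.0.0.1:2378` keep the exposure to the node itself. Separately, `anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.6` hard-codes the image while the other charts in this file take `anchor: ${KUBE_ANCHOR_IMAGE}`, so the haproxy anchor will drift from the rest on the next image bump; use the same variable here. The port literals 6553 and 2378 are also repeated verbatim here and in each client `kubernetes_netloc`/`endpoints` value, so a short comment next to the binds naming the Genesis `haproxy_port` settings they must stay in step with would be worthwhile.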
|
||||
|
@ -497,7 +506,7 @@ data:
|
|||
values:
|
||||
apiserver:
|
||||
etcd:
|
||||
endpoints: https://etcd.kubernetes.promenade:2379
|
||||
endpoints: https://127.0.0.1:2378
|
||||
images:
|
||||
tags:
|
||||
anchor: ${KUBE_ANCHOR_IMAGE}
|
||||
|
@ -576,7 +585,7 @@ data:
|
|||
cert: placeholder
|
||||
key: placeholder
|
||||
network:
|
||||
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
||||
kubernetes_netloc: 127.0.0.1:6553
|
||||
pod_cidr: 10.97.0.0/16
|
||||
service_cidr: 10.96.0.0/16
|
||||
|
||||
|
@ -629,7 +638,7 @@ data:
|
|||
key: placeholder
|
||||
|
||||
network:
|
||||
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
||||
kubernetes_netloc: 127.0.0.1:6553
|
||||
|
||||
images:
|
||||
tags:
|
||||
|
|
|
@ -153,7 +153,7 @@ function genesis {
|
|||
mkdir configs
|
||||
chmod 777 configs
|
||||
|
||||
cat joining-host-config.yaml.sub | envsubst > configs/joining-host-config.yaml
|
||||
cat PKICatalog.yaml.sub | envsubst > configs/PKICatalog.yaml
|
||||
cat armada-resources.yaml.sub | envsubst > configs/armada-resources.yaml
|
||||
cat armada.yaml.sub | envsubst > ${ARMADA_CONFIG}
|
||||
cat Genesis.yaml.sub | envsubst > configs/Genesis.yaml
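Review bot: `cat PKICatalog.yaml.sub | envsubst > configs/PKICatalog.yaml` renders the new certificate catalog with envsubst, which replaces any unset variable with an empty string rather than failing, so a missing GENESIS_NODE_NAME would silently yield a catalog with `common_name: system:node:` and `hosts` entries that render empty, which the rest of the run would then sign. A guard before the render, e.g. `: "${GENESIS_NODE_NAME:?}" "${GENESIS_NODE_IP:?}" "${MASTER_NODE_NAME:?}" "${MASTER_NODE_IP:?}"`, aborts with a clear message instead (assuming those are the variables the template depends on, which the hunk does not show). The `cat … | envsubst` form on each of these lines can also be written `envsubst < PKICatalog.yaml.sub > configs/PKICatalog.yaml`. The `genesis` function starts and ends outside the hunk.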
|
||||
|
|
|
@ -1,48 +0,0 @@
|
|||
---
|
||||
schema: promenade/KubernetesNode/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: ${GENESIS_NODE_NAME}
|
||||
layeringDefinition:
|
||||
abstract: false
|
||||
layer: site
|
||||
data:
|
||||
hostname: ${GENESIS_NODE_NAME}
|
||||
ip: ${GENESIS_NODE_IP}
|
||||
join_ip: ${MASTER_NODE_IP}
|
||||
labels:
|
||||
dynamic:
|
||||
- ucp-control-plane=enabled
|
||||
- ceph-osd=enabled
|
||||
- ceph-mon=enabled
|
||||
- ceph-rgw=enabled
|
||||
- ceph-mds=enabled
|
||||
- ceph-mgr=enabled
|
||||
---
|
||||
schema: promenade/KubernetesNode/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: ${MASTER_NODE_NAME}
|
||||
layeringDefinition:
|
||||
abstract: false
|
||||
layer: site
|
||||
data:
|
||||
hostname: ${MASTER_NODE_NAME}
|
||||
ip: ${MASTER_NODE_IP}
|
||||
join_ip: ${GENESIS_NODE_IP}
|
||||
labels:
|
||||
static:
|
||||
- node-role.kubernetes.io/master=
|
||||
dynamic:
|
||||
- calico-etcd=enabled
|
||||
- kubernetes-apiserver=enabled
|
||||
- kubernetes-controller-manager=enabled
|
||||
- kubernetes-etcd=enabled
|
||||
- kubernetes-scheduler=enabled
|
||||
- ucp-control-plane=enabled
|
||||
- ceph-osd=enabled
|
||||
- ceph-mon=enabled
|
||||
- ceph-rgw=enabled
|
||||
- ceph-mds=enabled
|
||||
- ceph-mgr=enabled
|
||||
...
|