diff --git a/manifests/basic_ucp/KubernetesNetwork.yaml.sub b/manifests/basic_ucp/KubernetesNetwork.yaml.sub
index b5755010..baa8d6f6 100644
--- a/manifests/basic_ucp/KubernetesNetwork.yaml.sub
+++ b/manifests/basic_ucp/KubernetesNetwork.yaml.sub
@@ -20,12 +20,15 @@ data:
 - 8.8.4.4
 kubernetes:
+ apiserver_port: 6443
+ haproxy_port: 6553
 pod_cidr: 10.97.0.0/16
 service_cidr: 10.96.0.0/16
 service_ip: 10.96.0.1
 etcd:
- service_ip: 10.96.0.2
+ container_port: 2379
+ haproxy_port: 2378
 hosts_entries:
 - ip: 192.168.77.1
diff --git a/manifests/basic_ucp/PKICatalog.yaml.sub b/manifests/basic_ucp/PKICatalog.yaml.sub
new file mode 100644
index 00000000..995b562b
--- /dev/null
+++ b/manifests/basic_ucp/PKICatalog.yaml.sub
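Review bot: The ports added here (`apiserver_port: 6443`, `haproxy_port: 6553`, etcd `haproxy_port: 2378`) are re-typed as literals elsewhere in this commit — `bind *:6553` and `bind *:2378` in the new haproxy chart, and `127.0.0.1:6553` / `https://127.0.0.1:2378` in the proxy chart, the apiserver chart and two further `kubernetes_netloc` hunks of armada-resources.yaml.sub — so editing a value here would silently diverge from the listeners and clients that depend on it. Either substitute these values into the charts or record the coupling with a comment above `kubernetes:` such as `# haproxy_port values must match the haproxy bind lines and the 127.0.0.1 endpoints in armada-resources.yaml.sub`. Dropping etcd `service_ip: 10.96.0.2` also removes the only cluster-IP reference to etcd in this file; if any consumer outside the diff still resolves etcd by that address it now has to go through the haproxy endpoint instead, which is worth confirming. The enclosing `data:` mapping begins before the hunk.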
@@ -0,0 +1,166 @@
+---
+schema: promenade/PKICatalog/v1
+metadata:
+ schema: metadata/Document/v1
+ name: cluster-certificates
+ layeringDefinition:
+ abstract: false
+ layer: site
+data:
+ certificate_authorities:
+ kubernetes:
+ description: CA for Kubernetes components
+ certificates:
+ - document_name: apiserver
+ description: Service certificate for Kubernetes apiserver
+ common_name: apiserver
+ hosts:
+ - localhost
+ - 127.0.0.1
+ - 10.96.0.1
+ kubernetes_service_names:
+ - kubernetes.default.svc.cluster.local
+ - document_name: kubelet-genesis
+ common_name: system:node:${GENESIS_NODE_NAME}
+ hosts:
+ - ${GENESIS_NODE_NAME}
+ - ${GENESIS_NODE_IP}
+ groups:
+ - system:nodes
+ - document_name: kubelet-${GENESIS_NODE_NAME}
+ common_name: system:node:${GENESIS_NODE_NAME}
+ hosts:
+ - ${GENESIS_NODE_NAME}
+ - ${GENESIS_NODE_IP}
+ groups:
+ - system:nodes
+ - document_name: kubelet-${MASTER_NODE_NAME}
+ common_name: system:node:${MASTER_NODE_NAME}
+ hosts:
+ - ${MASTER_NODE_NAME}
+ - ${MASTER_NODE_IP}
+ groups:
+ - system:nodes
+ - document_name: scheduler
+ description: Service certificate for Kubernetes scheduler
+ common_name: system:kube-scheduler
+ - document_name: controller-manager
+ description: certificate for controller-manager
+ common_name: system:kube-controller-manager
+ - document_name: admin
+ common_name: admin
+ groups:
+ - system:masters
+ - document_name: armada
+ common_name: armada
+ groups:
+ - system:masters
+ kubernetes-etcd:
+ description: Certificates for Kubernetes's etcd servers
+ certificates:
+ - document_name: apiserver-etcd
+ description: etcd client certificate for use by Kubernetes apiserver
+ common_name: apiserver
+ # NOTE(mark-burnett): hosts not required for client certificates
+ - document_name: kubernetes-etcd-anchor
+ description: anchor
+ common_name: anchor
+ - document_name: kubernetes-etcd-genesis
+ common_name: kubernetes-etcd-genesis
+ hosts:
+ - ${GENESIS_NODE_NAME}
+ - ${GENESIS_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-${GENESIS_NODE_NAME}
+ common_name: kubernetes-etcd-${GENESIS_NODE_NAME}
+ hosts:
+ - ${GENESIS_NODE_NAME}
+ - ${GENESIS_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-${MASTER_NODE_NAME}
+ common_name: kubernetes-etcd-${MASTER_NODE_NAME}
+ hosts:
+ - ${MASTER_NODE_NAME}
+ - ${MASTER_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ kubernetes-etcd-peer:
+ certificates:
+ - document_name: kubernetes-etcd-genesis-peer
+ common_name: kubernetes-etcd-genesis-peer
+ hosts:
+ - ${GENESIS_NODE_NAME}
+ - ${GENESIS_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-${GENESIS_NODE_NAME}-peer
+ common_name: kubernetes-etcd-${GENESIS_NODE_NAME}-peer
+ hosts:
+ - ${GENESIS_NODE_NAME}
+ - ${GENESIS_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ - document_name: kubernetes-etcd-${MASTER_NODE_NAME}-peer
+ common_name: kubernetes-etcd-${MASTER_NODE_NAME}-peer
+ hosts:
+ - ${MASTER_NODE_NAME}
+ - ${MASTER_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - kubernetes-etcd.kube-system.svc.cluster.local
+ calico-etcd:
+ description: Certificates for Calico etcd client traffic
+ certificates:
+ - document_name: calico-etcd-anchor
+ description: anchor
+ common_name: anchor
+ - document_name: calico-etcd-${GENESIS_NODE_NAME}
+ common_name: calico-etcd-${GENESIS_NODE_NAME}
+ hosts:
+ - ${GENESIS_NODE_NAME}
+ - ${GENESIS_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+ - document_name: calico-etcd-${MASTER_NODE_NAME}
+ common_name: calico-etcd-${MASTER_NODE_NAME}
+ hosts:
+ - ${MASTER_NODE_NAME}
+ - ${MASTER_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+ - document_name: calico-node
+ common_name: calcico-node
+ calico-etcd-peer:
+ description: Certificates for Calico etcd clients
+ certificates:
+ - document_name: calico-etcd-${GENESIS_NODE_NAME}-peer
+ common_name: calico-etcd-${GENESIS_NODE_NAME}-peer
+ hosts:
+ - ${GENESIS_NODE_NAME}
+ - ${GENESIS_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+ - document_name: calico-etcd-${MASTER_NODE_NAME}-peer
+ common_name: calico-etcd-${MASTER_NODE_NAME}-peer
+ hosts:
+ - ${MASTER_NODE_NAME}
+ - ${MASTER_NODE_IP}
+ - 127.0.0.1
+ - localhost
+ - 10.96.232.136
+ - document_name: calico-node-peer
+ common_name: calcico-node-peer
+ keypairs:
+ - name: service-account
+ description: Service account signing key for use by Kubernetes controller-manager.
+...
diff --git a/manifests/basic_ucp/armada-resources.yaml.sub b/manifests/basic_ucp/armada-resources.yaml.sub
index 111aa753..705d71c1 100644
--- a/manifests/basic_ucp/armada-resources.yaml.sub
+++ b/manifests/basic_ucp/armada-resources.yaml.sub
@@ -60,6 +60,7 @@ metadata:
 data:
 description: Kubernetes components
 chart_group:
+ - haproxy
 - kubernetes-etcd
 - kubernetes-apiserver
 - kubernetes-controller-manager
@@ -109,25 +110,6 @@ metadata:
 layeringDefinition:
 abstract: false
 layer: site
- substitutions:
- - src:
- schema: deckhand/CertificateAuthority/v1
- name: kubernetes
- path: $
- dest:
- path: '$.values.secrets.tls.ca'
- - src:
- schema: deckhand/Certificate/v1
- name: proxy
- path: $
- dest:
- path: '$.values.secrets.tls.cert'
- - src:
- schema: deckhand/CertificateKey/v1
- name: proxy
- path: $
- dest:
- path: '$.values.secrets.tls.key'
 data:
 chart_name: proxy
 release: kubernetes-proxy
@@ -136,16 +118,11 @@ data:
 upgrade:
 no_hooks: true
 values:
- secrets:
- tls:
- ca: placeholder
- cert: placeholder
- key: placeholder
 images:
 tags:
 proxy: ${KUBE_PROXY_IMAGE}
 network:
- kubernetes_netloc: apiserver.kubernetes.promenade:6443
+ kubernetes_netloc: 127.0.0.1:6553
 pod_cidr: 10.97.0.0/16
 source:
 type: local
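Review bot: The `common_name` for the `calico-node` and `calico-node-peer` certificates is spelled `calcico-node` and `calcico-node-peer`, which does not match their `document_name` and will be baked into the subject of the issued certificates; change the two lines to `common_name: calico-node` and `common_name: calico-node-peer`. The `calico-etcd-peer` CA description reads `Certificates for Calico etcd clients`, apparently copied from `calico-etcd`, and `kubernetes-etcd-peer` has no description at all — a one-line `description: Certificates for peer traffic between etcd members` on each would make the intent clear. Separately, the `armada` certificate is placed in `system:masters`, the group that the default bindings map to cluster-admin; if armada only needs to manage releases, a dedicated group bound to a scoped ClusterRole would keep it to least privilege.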
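Review bot: `kubernetes_netloc: 127.0.0.1:6553` makes kube-proxy depend on the node-local haproxy listener added later in this commit, so every node that runs kube-proxy must also run the haproxy chart, and the `chart_group` ordering above places `haproxy` before the Kubernetes components for that reason; the haproxy anchor itself is configured with `kubernetes_url: https://kubernetes.default:443`, which needs a working service path to resolve, so it is worth confirming there is no bootstrap cycle on a fresh node. TLS verification against `127.0.0.1` succeeds only because the apiserver certificate in PKICatalog.yaml.sub lists `127.0.0.1` under `hosts`; a comment on this line such as `# loopback haproxy; 127.0.0.1 must stay a SAN of the apiserver cert` would record that coupling. The chart's `data:` mapping extends beyond the hunk on both sides.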
@@ -398,37 +375,13 @@ data:
 no_hooks: true
 values:
 coredns:
- kubernetes_zones:
- - cluster.local
- - 10.96.0.0/16
- - 10.97.0.0/16
 upstream_nameservers:
 - 8.8.8.8
 - 8.8.4.4
- zones:
- - name: promenade
- services:
- - bind_name: apiserver.kubernetes
- service:
- name: kubernetes-apiserver
- namespace: kube-system
- - bind_name: etcd.kubernetes
- service:
- name: kubernetes-etcd
- namespace: kube-system
- - bind_name: etcd.calico
- service:
- name: calico-etcd
- namespace: kube-system
 images:
- anchor: ${KUBE_ANCHOR_IMAGE}
- coredns: ${KUBE_COREDNS_IMAGE}
- tls:
- ca: placeholder
- cert: placeholder
- key: placeholder
- network:
- kubernetes_netloc: apiserver.kubernetes.promenade:6443
+ tags:
+ coredns: ${KUBE_COREDNS_IMAGE}
+ test: ${KUBE_COREDNS_IMAGE}
 source:
 type: local
 location: /etc/genesis/armada/assets/charts
@@ -437,6 +390,62 @@ data:
 - helm-toolkit
 ---
 schema: armada/Chart/v1
+metadata:
+ schema: metadata/Document/v1
+ name: haproxy
+ layeringDefinition:
+ abstract: false
+ layer: site
+data:
+ chart_name: haproxy
+ release: haproxy
+ namespace: kube-system
+ timeout: 600
+ wait:
+ timeout: 600
+ upgrade:
+ no_hooks: true
+ values:
+ conf:
+ anchor:
+ kubernetes_url: https://kubernetes.default:443
+ services:
+ default:
+ kubernetes:
+ server_opts: "check"
+ conf_parts:
+ frontend:
+ - mode tcp
+ - option tcpka
+ - bind *:6553
+ backend:
+ - mode tcp
+ - option tcpka
+ kube-system:
+ kubernetes-etcd:
+ server_opts: "check"
+ conf_parts:
+ frontend:
+ - mode tcp
+ - option tcpka
+ - bind *:2378
+ backend:
+ - mode tcp
+ - option tcpka
+
+ images:
+ tags:
+ anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.6
+ haproxy: haproxy:1.8.3
+
+ source:
+ type: local
+ location: /etc/genesis/armada/assets/charts
+ subpath: haproxy
+ dependencies:
+ - helm-toolkit
+---
+schema: armada/Chart/v1
 metadata:
 schema: metadata/Document/v1
 name: kubernetes-apiserver
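Review bot: `bind *:6553` and `bind *:2378` listen on every interface, while every consumer in this commit connects to `127.0.0.1`, so the two TCP forwarders to the apiserver and to etcd are reachable from the network even though only loopback needs them; `- bind 127.0.0.1:6553` and `- bind 127.0.0.1:2378` would keep the listeners node-local (in `mode tcp` the TLS session still terminates at the backend, so this changes exposure, not authentication). The image tags `gcr.io/google_containers/hyperkube-amd64:v1.8.6` and `haproxy:1.8.3` are hard-coded while every other chart in the file takes its images from `${...}` variables such as `${KUBE_ANCHOR_IMAGE}`; `anchor: ${KUBE_ANCHOR_IMAGE}` plus a matching variable for haproxy would keep version management in one place. `kubernetes_url: https://kubernetes.default:443` uses the service port rather than the `apiserver_port: 6443` declared in KubernetesNetwork.yaml.sub; if that is deliberate (in-cluster service versus host port), a short comment on the line would save the next reader the question.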
@@ -497,7 +506,7 @@ data:
 values:
 apiserver:
 etcd:
- endpoints: https://etcd.kubernetes.promenade:2379
+ endpoints: https://127.0.0.1:2378
 images:
 tags:
 anchor: ${KUBE_ANCHOR_IMAGE}
@@ -576,7 +585,7 @@ data:
 cert: placeholder
 key: placeholder
 network:
- kubernetes_netloc: apiserver.kubernetes.promenade:6443
+ kubernetes_netloc: 127.0.0.1:6553
 pod_cidr: 10.97.0.0/16
 service_cidr: 10.96.0.0/16
@@ -629,7 +638,7 @@ data:
 key: placeholder
 network:
- kubernetes_netloc: apiserver.kubernetes.promenade:6443
+ kubernetes_netloc: 127.0.0.1:6553
 images:
 tags:
diff --git a/manifests/basic_ucp/deploy_ucp.sh b/manifests/basic_ucp/deploy_ucp.sh
index 10401e0d..33efca86 100755
--- a/manifests/basic_ucp/deploy_ucp.sh
+++ b/manifests/basic_ucp/deploy_ucp.sh
@@ -153,7 +153,7 @@ function genesis {
 mkdir configs
 chmod 777 configs
- cat joining-host-config.yaml.sub | envsubst > configs/joining-host-config.yaml
+ cat PKICatalog.yaml.sub | envsubst > configs/PKICatalog.yaml
 cat armada-resources.yaml.sub | envsubst > configs/armada-resources.yaml
 cat armada.yaml.sub | envsubst > ${ARMADA_CONFIG}
 cat Genesis.yaml.sub | envsubst > configs/Genesis.yaml
diff --git a/manifests/basic_ucp/joining-host-config.yaml.sub b/manifests/basic_ucp/joining-host-config.yaml.sub
deleted file mode 100644
index 502cf5fd..00000000
--- a/manifests/basic_ucp/joining-host-config.yaml.sub
+++ /dev/null
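Review bot: `endpoints: https://127.0.0.1:2378` makes the apiserver validate the etcd server certificate against `127.0.0.1`; that passes only because every `kubernetes-etcd-*` server certificate in PKICatalog.yaml.sub lists `127.0.0.1` under `hosts`, so the two files must stay in sync and nothing in this hunk records that. A comment on the line such as `# loopback haproxy listener; 127.0.0.1 must remain a SAN of the etcd server certificates` would capture the coupling, and the same applies to the two `kubernetes_netloc: 127.0.0.1:6553` hunks that follow, where the apiserver certificate's `127.0.0.1` host plays the same role. The `values:` mapping continues outside this hunk.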
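Review bot: `cat PKICatalog.yaml.sub | envsubst > configs/PKICatalog.yaml` runs envsubst with no variable list, so every `${...}` in the template is expanded and an unset `GENESIS_NODE_NAME`, `GENESIS_NODE_IP`, `MASTER_NODE_NAME` or `MASTER_NODE_IP` becomes an empty string rather than an error, leaving certificate entries such as `common_name: system:node:` and empty `- ` items under `hosts:` that are only noticed once the PKI is generated. Failing early and restricting the substitution is a two-line change: `: "${GENESIS_NODE_NAME:?}" "${GENESIS_NODE_IP:?}" "${MASTER_NODE_NAME:?}" "${MASTER_NODE_IP:?}"` before the line, and `envsubst '${GENESIS_NODE_NAME} ${GENESIS_NODE_IP} ${MASTER_NODE_NAME} ${MASTER_NODE_IP}' < PKICatalog.yaml.sub > configs/PKICatalog.yaml` in place of it. The neighbouring `cat … | envsubst` lines are unchanged context and have the same property; the `genesis` function begins before the hunk.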
@@ -1,48 +0,0 @@
----
-schema: promenade/KubernetesNode/v1
-metadata:
- schema: metadata/Document/v1
- name: ${GENESIS_NODE_NAME}
- layeringDefinition:
- abstract: false
- layer: site
-data:
- hostname: ${GENESIS_NODE_NAME}
- ip: ${GENESIS_NODE_IP}
- join_ip: ${MASTER_NODE_IP}
- labels:
- dynamic:
- - ucp-control-plane=enabled
- - ceph-osd=enabled
- - ceph-mon=enabled
- - ceph-rgw=enabled
- - ceph-mds=enabled
- - ceph-mgr=enabled
----
-schema: promenade/KubernetesNode/v1
-metadata:
- schema: metadata/Document/v1
- name: ${MASTER_NODE_NAME}
- layeringDefinition:
- abstract: false
- layer: site
-data:
- hostname: ${MASTER_NODE_NAME}
- ip: ${MASTER_NODE_IP}
- join_ip: ${GENESIS_NODE_IP}
- labels:
- static:
- - node-role.kubernetes.io/master=
- dynamic:
- - calico-etcd=enabled
- - kubernetes-apiserver=enabled
- - kubernetes-controller-manager=enabled
- - kubernetes-etcd=enabled
- - kubernetes-scheduler=enabled
- - ucp-control-plane=enabled
- - ceph-osd=enabled
- - ceph-mon=enabled
- - ceph-rgw=enabled
- - ceph-mds=enabled
- - ceph-mgr=enabled
-...