diff --git a/charts/etcd/Chart.yaml b/charts/etcd/Chart.yaml index 78b042c7..aa913eb3 100644 --- a/charts/etcd/Chart.yaml +++ b/charts/etcd/Chart.yaml @@ -1,3 +1,17 @@ +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: v1 description: A chart for a DaemonSet-based etcd deployment. name: etcd diff --git a/charts/etcd/requirements.yaml b/charts/etcd/requirements.yaml index 4b156320..7496230c 100644 --- a/charts/etcd/requirements.yaml +++ b/charts/etcd/requirements.yaml @@ -1,3 +1,17 @@ +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + dependencies: - name: helm-toolkit repository: http://localhost:8879/charts diff --git a/charts/etcd/templates/bin/_etcdctl_anchor.tpl b/charts/etcd/templates/bin/_etcdctl_anchor.tpl index 9c7a696a..7bec05cf 100644 --- a/charts/etcd/templates/bin/_etcdctl_anchor.tpl 
+++ b/charts/etcd/templates/bin/_etcdctl_anchor.tpl @@ -1,11 +1,20 @@ #!/bin/sh +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. set -x -export CLIENT_ENDPOINT=https://$POD_IP:{{ .Values.service.client.target_port }} -export PEER_ENDPOINT=https://$POD_IP:{{ .Values.service.peer.target_port }} -export MANIFEST_PATH=/manifests/{{ .Values.service.name }}.yaml - function copy_certificates { ETCD_NAME=$1 
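Review bot: Dropping the `export CLIENT_ENDPOINT`/`PEER_ENDPOINT`/`MANIFEST_PATH` lines makes this script depend on the container env, yet with only `set -x` nothing fails if a variable is missing: an unset `MANIFEST_PATH` turns the `cp` in `create_manifest` into a non-fatal "missing operand" error and, in the `_pre_stop.tpl` hunk, `rm -f $MANIFEST_PATH` into an error or silent no-op while `rm -rf /etcd-etc/tls/` still runs. Add a guard right after `set -x` in both scripts, e.g. `: "${MANIFEST_PATH:?MANIFEST_PATH must be set in the container env}"` and the same for `PEER_ENDPOINT` (and `CLIENT_ENDPOINT` here), so a mis-wired DaemonSet env fails loudly before any host state is touched. The enclosing `copy_certificates` body continues outside this hunk.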
@@ -28,89 +37,10 @@ function copy_certificates { } function create_manifest { - ETCD_INITIAL_CLUSTER=$1 - ETCD_INITIAL_CLUSTER_STATE=$2 - cat < $MANIFEST_PATH ---- -apiVersion: v1 -kind: Pod -metadata: - name: {{ .Values.service.name }} - namespace: {{ .Release.Namespace }} - labels: - {{ .Values.service.name }}-service: enabled -spec: - hostNetwork: true - containers: - - name: etcd - image: {{ .Values.images.etcd }} - env: - - name: ETCD_NAME - value: $ETCD_NAME - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: ETCD_CLIENT_CERT_AUTH - value: "true" - - name: ETCD_PEER_CLIENT_CERT_AUTH - value: "true" - - name: ETCD_DATA_DIR - value: /var/lib/etcd - - name: ETCD_TRUSTED_CA_FILE - value: /etc/etcd/tls/client-ca.pem - - name: ETCD_CERT_FILE - value: /etc/etcd/tls/etcd-client.pem - - name: ETCD_STRICT_RECONFIG_CHECK - value: "true" - - name: ETCD_KEY_FILE - value: /etc/etcd/tls/etcd-client-key.pem - - name: ETCD_PEER_TRUSTED_CA_FILE - value: /etc/etcd/tls/peer-ca.pem - - name: ETCD_PEER_CERT_FILE - value: /etc/etcd/tls/etcd-peer.pem - - name: ETCD_PEER_KEY_FILE - value: /etc/etcd/tls/etcd-peer-key.pem - - name: ETCD_ADVERTISE_CLIENT_URLS - value: https://\$(POD_IP):{{ .Values.service.client.target_port }} - - name: ETCD_INITIAL_ADVERTISE_PEER_URLS - value: https://\$(POD_IP):{{ .Values.service.peer.target_port }} - - name: ETCD_INITIAL_CLUSTER_TOKEN - value: {{ .Values.service.name }}-init-token - - name: ETCD_LISTEN_CLIENT_URLS - value: https://0.0.0.0:{{ .Values.service.client.target_port }} - - name: ETCD_LISTEN_PEER_URLS - value: https://0.0.0.0:{{ .Values.service.peer.target_port }} - - name: ETCD_INITIAL_CLUSTER_STATE - value: $ETCD_INITIAL_CLUSTER_STATE - - name: ETCD_INITIAL_CLUSTER - value: $ETCD_INITIAL_CLUSTER - - name: ETCDCTL_API - value: '3' - - name: ETCDCTL_DIAL_TIMEOUT - value: 3s - - name: ETCDCTL_ENDPOINTS - value: https://127.0.0.1:{{ .Values.service.client.target_port }} - - name: ETCDCTL_CACERT - value: 
\$(ETCD_TRUSTED_CA_FILE) - - name: ETCDCTL_CERT - value: \$(ETCD_CERT_FILE) - - name: ETCDCTL_KEY - value: \$(ETCD_KEY_FILE) - volumeMounts: - - name: data - mountPath: /var/lib/etcd - - name: etc - mountPath: /etc/etcd - volumes: - - name: data - hostPath: - path: {{ .Values.etcd.host_data_path }} - - name: etc - hostPath: - path: {{ .Values.etcd.host_etc_path }} -... -EODOC + sed -i -e 's#_ETCD_INITIAL_CLUSTER_STATE_#'$2'#g' /anchor-etcd/{{ .Values.service.name }}.yaml + sed -i -e 's#_ETCD_INITIAL_CLUSTER_#'$1'#g' /anchor-etcd/{{ .Values.service.name }}.yaml + + cp /anchor-etcd/{{ .Values.service.name }}.yaml $MANIFEST_PATH } while true; do @@ -141,7 +71,7 @@ while true; do if [ -e /bootstrapping/{{ .Values.bootstrapping.filename }} ]; then # Bootstrap the first node copy_certificates ${ETCD_NAME} - ETCD_INITIAL_CLUSTER=${ETCD_NAME}=$PEER_ENDPOINT + ETCD_INITIAL_CLUSTER=${ETCD_NAME}=https://\$\(POD_IP\):{{ .Values.network.service_peer.target_port }} ETCD_INITIAL_CLUSTER_STATE=new create_manifest $ETCD_INITIAL_CLUSTER $ETCD_INITIAL_CLUSTER_STATE @@ -188,7 +118,7 @@ while true; do ETCD_INITIAL_CLUSTER=$(grep -v $PEER_ENDPOINT /tmp/members \ | awk -F ', ' '{ print $3 "=" $4 }' \ | tr '\n' ',' \ - | sed "s;\$;$ETCD_NAME=$PEER_ENDPOINT;") + | sed "s;\$;$ETCD_NAME=https://\$\(POD_IP\):{{ .Values.network.service_peer.target_port }};") ETCD_INITIAL_CLUSTER_STATE=existing create_manifest $ETCD_INITIAL_CLUSTER $ETCD_INITIAL_CLUSTER_STATE diff --git a/charts/etcd/templates/bin/_pre_stop.tpl b/charts/etcd/templates/bin/_pre_stop.tpl index d3d476bf..ab73b8cd 100644 --- a/charts/etcd/templates/bin/_pre_stop.tpl +++ b/charts/etcd/templates/bin/_pre_stop.tpl 
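Review bot: `sed -i` in `create_manifest` edits `/anchor-etcd/{{ .Values.service.name }}.yaml` in place, but that path is the `-etc` ConfigMap mount declared in `daemonset-anchor.yaml`: where ConfigMap volumes are mounted read-only (the default on current kubelets) the edit fails and `cp` then publishes a manifest still containing the literal `_ETCD_INITIAL_CLUSTER_` placeholders, and where the write succeeds the placeholders are consumed on the first call, so a later `create_manifest` from the `while true` loop with a different member list leaves the old values in place. Render with a stream edit into a temporary file and `mv` it into place instead, keeping the STATE substitution first because `_ETCD_INITIAL_CLUSTER_` is a prefix of `_ETCD_INITIAL_CLUSTER_STATE_`. Double-quoting the expressions also stops `$1`/`$2` from being word-split, and a dot-prefixed temporary name keeps the kubelet from loading a half-written file, since it ignores hidden files in the manifest directory.
```sh
function create_manifest {
  TMP_MANIFEST="$(dirname "$MANIFEST_PATH")/.$(basename "$MANIFEST_PATH").tmp"
  # The STATE placeholder must be replaced first: _ETCD_INITIAL_CLUSTER_ is
  # a prefix of _ETCD_INITIAL_CLUSTER_STATE_.
  sed -e "s#_ETCD_INITIAL_CLUSTER_STATE_#$2#g" \
      -e "s#_ETCD_INITIAL_CLUSTER_#$1#g" \
      /anchor-etcd/{{ .Values.service.name }}.yaml > "$TMP_MANIFEST"
  # rename is atomic, so the kubelet never sees a partial manifest
  mv "$TMP_MANIFEST" "$MANIFEST_PATH"
}
```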
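Review bot: The bootstrap branch now writes a literal `$(POD_IP)` into `ETCD_INITIAL_CLUSTER`, relying on the kubelet to expand it from the etcd static pod's own env, while the next hunk still filters `/tmp/members` with the anchor's resolved `$PEER_ENDPOINT`; the two only agree because both the anchor and the etcd pod run with `hostNetwork: true` on the same node. That dependency is invisible at the call site, so add above the assignment: `# $(POD_IP) is left literal on purpose: the kubelet expands it from the etcd pod env, which is this host's IP because both pods use hostNetwork`. The same comment applies to the `sed "s;\$;..."` replacement in the following hunk. The `while true` loop that encloses both hunks starts and ends outside them.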
@@ -1,10 +1,20 @@ #!/bin/sh +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. set -x -export PEER_ENDPOINT=https://$POD_IP:{{ .Values.service.peer.target_port }} -export MANIFEST_PATH=/manifests/{{ .Values.service.name }}.yaml - function cleanup_host { rm -f $MANIFEST_PATH rm -rf /etcd-etc/tls/ diff --git a/charts/etcd/templates/bin/_readiness.tpl b/charts/etcd/templates/bin/_readiness.tpl index 028796b2..c156b8c3 100644 --- a/charts/etcd/templates/bin/_readiness.tpl +++ b/charts/etcd/templates/bin/_readiness.tpl @@ -1,7 +1,20 @@ #!/bin/sh +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. set -ex -export ETCDCTL_ENDPOINTS=https://$POD_IP:{{ .Values.service.client.target_port }} +export ETCDCTL_ENDPOINTS=https://$POD_IP:{{ .Values.network.service_client.target_port }} etcdctl endpoint health 
diff --git a/charts/etcd/templates/configmap-bin.yaml b/charts/etcd/templates/configmap-bin.yaml index fca0a0da..1412aeb5 100644 --- a/charts/etcd/templates/configmap-bin.yaml +++ b/charts/etcd/templates/configmap-bin.yaml @@ -1,3 +1,22 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_bin }} +{{- $envAll := . }} + --- apiVersion: v1 kind: ConfigMap @@ -10,3 +29,4 @@ data: {{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} readiness: |+ {{ tuple "bin/_readiness.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/charts/etcd/templates/configmap-certs.yaml b/charts/etcd/templates/configmap-certs.yaml index e3db28e8..c55367d6 100644 --- a/charts/etcd/templates/configmap-certs.yaml +++ b/charts/etcd/templates/configmap-certs.yaml 
@@ -1,3 +1,20 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_certs }} {{- $envAll := . }} --- apiVersion: v1 @@ -5,12 +22,12 @@ kind: ConfigMap metadata: name: {{ $envAll.Values.service.name }}-certs data: - anchor-etcd-client.pem: {{ $envAll.Values.anchor.tls.cert | quote }} - client-ca.pem: {{ $envAll.Values.tls.client.ca | quote }} - peer-ca.pem: {{ $envAll.Values.tls.peer.ca | quote }} + anchor-etcd-client.pem: {{ $envAll.Values.secrets.anchor.tls.cert | quote }} + client-ca.pem: {{ $envAll.Values.secrets.tls.client.ca | quote }} + peer-ca.pem: {{ $envAll.Values.secrets.tls.peer.ca | quote }} {{- range .Values.nodes }} {{- $node := . }} {{ $node.name }}-etcd-client.pem: {{ $node.tls.client.cert | quote }} {{ $node.name }}-etcd-peer.pem: {{ $node.tls.peer.cert | quote }} {{- end }} -... +{{- end }} diff --git a/charts/etcd/templates/configmap-etc.yaml b/charts/etcd/templates/configmap-etc.yaml new file mode 100644 index 00000000..4019e584 --- /dev/null +++ b/charts/etcd/templates/configmap-etc.yaml 
@@ -0,0 +1,27 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_etc }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $envAll.Values.service.name }}-etc +data: + {{ .Values.service.name }}.yaml: |+ +{{ tuple "etc/_kubernetes-etcd.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/charts/etcd/templates/daemonset-anchor.yaml b/charts/etcd/templates/daemonset-anchor.yaml index 01b33d59..476bd869 100644 --- a/charts/etcd/templates/daemonset-anchor.yaml +++ b/charts/etcd/templates/daemonset-anchor.yaml 
@@ -1,31 +1,51 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.daemonset_anchor }} +{{- $envAll := . }} +{{- $mounts_daemonset_anchor := .Values.pod.mounts.daemonset_anchor.daemonset_anchor }} --- apiVersion: extensions/v1beta1 kind: DaemonSet metadata: name: {{ .Values.service.name }}-anchor spec: - selector: - matchLabels: - {{ .Values.service.name | quote }}: anchor +{{ tuple $envAll "anchor" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }} template: metadata: annotations: scheduler.alpha.kubernetes.io/critical-pod: '' labels: - {{ .Values.service.name | quote }}: anchor +{{ tuple $envAll "kubernetes" "anchor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: hostNetwork: true dnsPolicy: {{ .Values.anchor.dns_policy }} nodeSelector: - {{ .Values.anchor.node_selector.key }}: {{ .Values.anchor.node_selector.value }} + {{ .Values.labels.anchor.node_selector_key }}: {{ .Values.labels.anchor.node_selector_value }} tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule - key: CriticalAddonsOnly operator: Exists + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.daemonset_anchor.timeout }} containers: - name: etcdctl - image: {{ .Values.images.etcdctl }} + image: {{ .Values.images.tags.etcdctl }} + imagePullPolicy: {{ .Values.images.pull_policy }} +{{ tuple $envAll 
$envAll.Values.pod.resources.daemonset_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} command: - /tmp/etcdctl_anchor env: @@ -42,13 +62,19 @@ spec: - name: ETCDCTL_DIAL_TIMEOUT value: 3s - name: ETCDCTL_ENDPOINTS - value: https://{{ .Values.anchor.etcdctl_endpoint }}:{{ .Values.service.client.port }} + value: https://{{ .Values.anchor.etcdctl_endpoint }}:{{ .Values.network.service_client.port }} - name: ETCDCTL_CACERT value: /etc/etcd/tls/certs/client-ca.pem - name: ETCDCTL_CERT value: /etc/etcd/tls/certs/anchor-etcd-client.pem - name: ETCDCTL_KEY value: /etc/etcd/tls/keys/anchor-etcd-client-key.pem + - name: CLIENT_ENDPOINT + value: https://$(POD_IP):{{ .Values.network.service_client.target_port }} + - name: PEER_ENDPOINT + value: https://$(POD_IP):{{ .Values.network.service_peer.target_port }} + - name: MANIFEST_PATH + value: /manifests/{{ .Values.service.name }}.yaml readinessProbe: exec: command: @@ -61,13 +87,13 @@ spec: command: - /tmp/pre_stop volumeMounts: - - name: bin + - name: {{ .Values.service.name }}-bin mountPath: /tmp {{- if .Values.bootstrapping.enabled }} - name: bootstrapping mountPath: /bootstrapping {{- end }} - - name: certs + - name: {{ .Values.service.name }}-certs mountPath: /etc/etcd/tls/certs - name: etcd-etc mountPath: /etcd-etc @@ -75,13 +101,15 @@ spec: - name: etcd-data mountPath: /etcd-data {{- end }} - - name: keys + - name: {{ .Values.service.name }}-keys mountPath: /etc/etcd/tls/keys - name: kubelet-manifests mountPath: /manifests - terminationGracePeriodSeconds: {{ .Values.anchor.termination_grace_period }} + - name: {{ .Values.service.name }}-etc + mountPath: /anchor-etcd +{{ if $mounts_daemonset_anchor.volumeMounts }}{{ toYaml $mounts_daemonset_anchor.volumeMounts | indent 12 }}{{ end }} volumes: - - name: bin + - name: {{ .Values.service.name }}-bin configMap: name: {{ .Values.service.name }}-bin defaultMode: 0555 
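Review bot: Replacing the explicit `selector.matchLabels` with the `helm-toolkit.snippets.kubernetes_upgrades_daemonset` include, while the pod labels now come from `kubernetes_metadata_labels` called with the extra `"kubernetes"` argument, leaves the selector/label agreement implicit; confirm the two snippets emit matching keys, since a DaemonSet whose selector does not match its template labels is rejected only at apply time. A short comment above the include would make the coupling visible: `# selector and updateStrategy come from helm-toolkit; the metadata_labels include below must produce the same keys`.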
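Review bot: The added `CLIENT_ENDPOINT`, `PEER_ENDPOINT` and `MANIFEST_PATH` entries use `$(POD_IP)`, which the kubelet expands only when `POD_IP` is declared earlier in the same `env` list; the head of the list is outside this hunk, so confirm `POD_IP` precedes these entries, otherwise the scripts receive the literal string `https://$(POD_IP):...` and every endpoint check silently targets a non-address. Worth pinning with a comment on `CLIENT_ENDPOINT`: `# $(POD_IP) is expanded by the kubelet; POD_IP must be declared above this entry`.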
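Review bot: The new `{{ .Values.service.name }}-etc` mount at `/anchor-etcd` holds the template every node's etcd static pod is generated from, and the anchor only needs to read it, so the mount should carry `readOnly: true`; as written, a buggy or compromised anchor can rewrite the template in place. Note that `create_manifest` in `_etcdctl_anchor.tpl` currently runs `sed -i` against this path and would have to render into `$MANIFEST_PATH` instead for the read-only mount to work. The same hardening fits the `-bin` and `-certs` ConfigMap mounts in the surrounding hunks.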
@@ -90,7 +118,7 @@ spec: hostPath: path: {{ .Values.bootstrapping.host_directory }} {{- end }} - - name: certs + - name: {{ .Values.service.name }}-certs configMap: name: {{ .Values.service.name }}-certs defaultMode: 0444 @@ -99,7 +127,7 @@ spec: hostPath: path: {{ .Values.etcd.host_data_path }} {{- end }} - - name: keys + - name: {{ .Values.service.name }}-keys secret: secretName: {{ .Values.service.name }}-keys defaultMode: 0444 @@ -109,3 +137,9 @@ spec: - name: kubelet-manifests hostPath: path: {{ .Values.anchor.kubelet.manifest_path }} + - name: {{ .Values.service.name }}-etc + configMap: + name: {{ .Values.service.name }}-etc + defaultMode: 0444 +{{ if $mounts_daemonset_anchor.volumes }}{{ toYaml $mounts_daemonset_anchor.volumes | indent 8 }}{{ end }} +{{- end }} diff --git a/charts/etcd/templates/etc/_kubernetes-etcd.yaml.tpl b/charts/etcd/templates/etc/_kubernetes-etcd.yaml.tpl new file mode 100644 index 00000000..c2ae0dcd --- /dev/null +++ b/charts/etcd/templates/etc/_kubernetes-etcd.yaml.tpl 
@@ -0,0 +1,106 @@ +{{/* +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.manifests.service }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Pod +metadata: + name: {{ .Values.service.name }} + namespace: {{ .Release.Namespace }} + labels: + {{ .Values.service.name }}-service: enabled +spec: + hostNetwork: true + containers: + - name: etcd + image: {{ .Values.images.tags.etcd }} + imagePullPolicy: {{ .Values.images.pull_policy }} + env: + - name: ETCD_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ETCD_CLIENT_CERT_AUTH + value: "true" + - name: ETCD_PEER_CLIENT_CERT_AUTH + value: "true" + - name: ETCD_DATA_DIR + value: /var/lib/etcd + - name: ETCD_TRUSTED_CA_FILE + value: /etc/etcd/tls/client-ca.pem + - name: ETCD_CERT_FILE + value: /etc/etcd/tls/etcd-client.pem + - name: ETCD_STRICT_RECONFIG_CHECK + value: "true" + - name: ETCD_KEY_FILE + value: /etc/etcd/tls/etcd-client-key.pem + - name: ETCD_PEER_TRUSTED_CA_FILE + value: /etc/etcd/tls/peer-ca.pem + - name: ETCD_PEER_CERT_FILE + value: /etc/etcd/tls/etcd-peer.pem + - name: ETCD_PEER_KEY_FILE + value: /etc/etcd/tls/etcd-peer-key.pem + - name: ETCD_ADVERTISE_CLIENT_URLS + value: https://$(POD_IP):{{ .Values.network.service_client.target_port }} + - name: ETCD_INITIAL_ADVERTISE_PEER_URLS + value: https://$(POD_IP):{{ 
.Values.network.service_peer.target_port }} + - name: ETCD_INITIAL_CLUSTER_TOKEN + value: {{ .Values.service.name }}-init-token + - name: ETCD_LISTEN_CLIENT_URLS + value: https://0.0.0.0:{{ .Values.network.service_client.target_port }} + - name: ETCD_LISTEN_PEER_URLS + value: https://0.0.0.0:{{ .Values.network.service_peer.target_port }} + - name: ETCD_INITIAL_CLUSTER_STATE + value: _ETCD_INITIAL_CLUSTER_STATE_ + - name: ETCD_INITIAL_CLUSTER + value: _ETCD_INITIAL_CLUSTER_ + - name: ETCDCTL_API + value: '3' + - name: ETCDCTL_DIAL_TIMEOUT + value: 3s + - name: ETCDCTL_ENDPOINTS + value: https://127.0.0.1:{{ .Values.network.service_client.target_port }} + - name: ETCDCTL_CACERT + value: $(ETCD_TRUSTED_CA_FILE) + - name: ETCDCTL_CERT + value: $(ETCD_CERT_FILE) + - name: ETCDCTL_KEY + value: $(ETCD_KEY_FILE) + - name: CLIENT_ENDPOINT + value: https://$(POD_IP):{{ .Values.network.service_client.target_port }} + - name: PEER_ENDPOINT + value: https://$(POD_IP):{{ .Values.network.service_peer.target_port }} + - name: MANIFEST_PATH + value: /manifests/{{ .Values.service.name }}.yaml + volumeMounts: + - name: data + mountPath: /var/lib/etcd + - name: etc + mountPath: /etc/etcd + volumes: + - name: data + hostPath: + path: {{ .Values.etcd.host_data_path }} + - name: etc + hostPath: + path: {{ .Values.etcd.host_etc_path }} +{{- end }} diff --git a/charts/etcd/templates/secret-keys.yaml b/charts/etcd/templates/secret-keys.yaml index d06614a6..4ae91b49 100644 --- a/charts/etcd/templates/secret-keys.yaml +++ b/charts/etcd/templates/secret-keys.yaml 
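Review bot: The new static-pod template is guarded by `{{- if .Values.manifests.service }}` while the ConfigMap that embeds it (`configmap-etc.yaml`) is guarded by `manifests.configmap_etc`; with `manifests.service: false` the ConfigMap key renders empty and the anchor would publish an empty file to the kubelet manifest directory. Since this template is only ever rendered through that ConfigMap, drop the guard or tie it to the same flag: `{{- if .Values.manifests.configmap_etc }}`. Also add a comment above `ETCD_INITIAL_CLUSTER_STATE` noting that `_ETCD_INITIAL_CLUSTER_STATE_` and `_ETCD_INITIAL_CLUSTER_` are placeholders substituted by `create_manifest` in `_etcdctl_anchor.tpl`, and that one is a prefix of the other, so anyone renaming them must keep the substitution order in step.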
@@ -1,3 +1,20 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret }} {{- $envAll := . }} --- apiVersion: v1 @@ -6,9 +23,10 @@ metadata: name: {{ $envAll.Values.service.name }}-keys type: Opaque data: - anchor-etcd-client-key.pem: {{ $envAll.Values.anchor.tls.key | b64enc }} + anchor-etcd-client-key.pem: {{ $envAll.Values.secrets.anchor.tls.key | b64enc }} {{- range .Values.nodes }} {{- $node := . }} {{ $node.name }}-etcd-client-key.pem: {{ $node.tls.client.key | b64enc }} {{ $node.name }}-etcd-peer-key.pem: {{ $node.tls.peer.key | b64enc }} {{- end }} +{{- end }} diff --git a/charts/etcd/templates/service.yaml b/charts/etcd/templates/service.yaml index 7c3a6213..7bc200ad 100644 --- a/charts/etcd/templates/service.yaml +++ b/charts/etcd/templates/service.yaml 
@@ -1,3 +1,20 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service }} {{- $envAll := . }} --- apiVersion: v1 @@ -5,12 +22,22 @@ kind: Service metadata: name: {{ $envAll.Values.service.name }} spec: + ports: + {{ if .Values.network.service_client.enable_node_port }} + - name: etcd + nodePort: {{ .Values.network.service_client.node_port }} + port: {{ .Values.network.service_client.port }} + protocol: TCP + targetPort: {{ .Values.network.service_client.target_port }} + {{ else }} + - name: etcd + port: {{ .Values.network.service_client.port }} + protocol: TCP + targetPort: {{ .Values.network.service_client.target_port }} + {{ end }} selector: {{ $envAll.Values.service.name }}-service: enabled {{- if $envAll.Values.service.ip }} clusterIP: {{ $envAll.Values.service.ip }} {{- end }} - ports: - - name: etcd - port: {{ $envAll.Values.service.client.port }} - targetPort: {{ $envAll.Values.service.client.target_port }} +{{- end }} diff --git a/charts/etcd/values.yaml b/charts/etcd/values.yaml index ab4e15cc..a8ecc5df 100644 --- a/charts/etcd/values.yaml +++ b/charts/etcd/values.yaml 
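Review bot: The `enable_node_port` branch sets `nodePort` on the port entry but never sets `spec.type: NodePort`, and nothing else in this file does; a Service that defaults to `ClusterIP` with a `nodePort` is rejected by the API server, so the new option cannot actually be turned on. Exposing the etcd client port on every node's address also widens the reachable surface of the cluster store, so the `type` change should be under the same flag and the default left at `false`. The two near-identical port blocks can collapse into one entry with a conditional `nodePort` line.
```yaml
spec:
{{- if .Values.network.service_client.enable_node_port }}
  type: NodePort
{{- end }}
  ports:
    - name: etcd
      port: {{ .Values.network.service_client.port }}
      protocol: TCP
      targetPort: {{ .Values.network.service_client.target_port }}
{{- if .Values.network.service_client.enable_node_port }}
      nodePort: {{ .Values.network.service_client.node_port }}
{{- end }}
# … unchanged: selector / clusterIP …
```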
@@ -1,3 +1,29 @@ +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +images: + tags: + etcd: quay.io/coreos/etcd:v3.2.7 + etcdctl: quay.io/coreos/etcd:v3.2.7 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 + pull_policy: "IfNotPresent" + +labels: + anchor: + node_selector_key: etcd-example + node_selector_value: enabled + anchor: dns_policy: Default etcdctl_endpoint: example-etcd @@ -6,31 +32,28 @@ anchor: kubelet: manifest_path: /etc/kubernetes/manifests - node_selector: - key: etcd-example - value: enabled - - termination_grace_period: 3600 period: 15 - tls: - cert: placeholder - key: placeholder - etcd: host_etc_path: /etc/etcd-example host_data_path: /var/lib/etcd/example cleanup_data: true +network: + service_client: + name: service_client + port: 2379 + target_port: 2379 + enable_node_port: false + service_peer: + name: service_peer + port: 2380 + target_port: 2380 + enable_node_port: false + service: name: example-etcd ip: null - client: - port: 2379 - target_port: 2379 - peer: - port: 2380 - target_port: 2380 bootstrapping: enabled: false @@ -39,11 +62,16 @@ bootstrapping: # XXX Can I just generalize to an anchor timeout? timeout: 300 -tls: - client: - ca: placeholder - peer: - ca: placeholder +secrets: + tls: + client: + ca: placeholder + peer: + ca: placeholder + anchor: + tls: + cert: placeholder + key: placeholder nodes: - name: example-0 
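Review bot: `network.service_client` gains `enable_node_port` but not the `node_port` key that `service.yaml` reads in the same change, so the only way to discover the knob is to read the template; `service_peer.enable_node_port` is likewise not consumed by any template in this diff. Document the contract next to the flag, e.g. `enable_node_port: false` followed by `# used only when enable_node_port is true; must fall in the cluster's NodePort range` and `node_port: null`. Keeping the default off is the right call given that the service fronts the cluster's etcd.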
@@ -55,6 +83,37 @@ nodes: cert: placeholder key: placeholder -images: - etcd: quay.io/coreos/etcd:v3.2.7 - etcdctl: quay.io/coreos/etcd:v3.2.7 +pod: + mounts: + daemonset_anchor: + daemonset_anchor: + replicas: + apiserver: 3 + lifecycle: + upgrades: + daemonsets: + pod_replacement_strategy: RollingUpdate + anchor: + enabled: false + min_ready_seconds: 0 + max_unavailable: 1 + termination_grace_period: + daemonset_anchor: + timeout: 3600 + resources: + enabled: false + daemonset_anchor: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "1024Mi" + cpu: "2000m" + +manifests: + configmap_bin: true + configmap_certs: true + configmap_etc: true + daemonset_anchor: true + secret: true + service: true diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml index 818e87e5..9e3ab36b 100644 --- a/examples/basic/armada-resources.yaml +++ b/examples/basic/armada-resources.yaml @@ -182,14 +182,14 @@ metadata: name: calico-etcd path: $ dest: - path: '$.values.tls.client.ca' + path: '$.values.secrets.tls.client.ca' - src: schema: deckhand/CertificateAuthority/v1 name: calico-etcd-peer path: $ dest: - path: '$.values.tls.peer.ca' + path: '$.values.secrets.tls.peer.ca' - src: @@ -197,14 +197,14 @@ metadata: name: calico-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.cert' + path: '$.values.secrets.anchor.tls.cert' - src: schema: deckhand/CertificateKey/v1 name: calico-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.key' + path: '$.values.secrets.anchor.tls.key' - src: @@ -332,12 +332,20 @@ data: values: anchor: etcdctl_endpoint: 10.96.232.136 - node_selector: - key: calico-etcd - value: enabled + labels: + anchor: + node_selector_key: calico-etcd + node_selector_value: enabled + secrets: + anchor: + tls: + cert: placeholder + key: placeholder tls: - cert: placeholder - key: placeholder + client: + ca: placeholder + peer: + ca: placeholder etcd: host_data_path: /var/lib/etcd/calico host_etc_path: /etc/etcd/calico 
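Review bot: `pod.replicas.apiserver: 3` and `images.tags.dep_check` are not referenced by any template in this change and read like a copy from another chart; unused values invite operators to tune knobs that do nothing, so either drop them or comment why they are kept. A one-line comment over `images.tags` would also help the reader: `# tags are mutable references; pin to a digest for reproducible rollouts`, which matters more than usual here because `pull_policy: "IfNotPresent"` means a node keeps whatever image it first pulled.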
@@ -346,8 +354,9 @@ data: host_directory: /var/lib/anchor filename: calico-etcd-bootstrap images: - etcd: quay.io/coreos/etcd:v3.0.17 - etcdctl: quay.io/coreos/etcd:v3.0.17 + tags: + etcd: quay.io/coreos/etcd:v3.0.17 + etcdctl: quay.io/coreos/etcd:v3.0.17 nodes: - name: n0 tls: @@ -385,17 +394,15 @@ data: service: name: calico-etcd ip: 10.96.232.136 - client: + network: + service_client: + name: service_client port: 6666 target_port: 6666 - peer: + service_peer: + name: service_peer port: 6667 target_port: 6667 - tls: - client: - ca: placeholder - peer: - ca: placeholder source: type: local location: /etc/genesis/armada/assets/charts @@ -781,14 +788,14 @@ metadata: name: kubernetes-etcd path: $ dest: - path: '$.values.tls.client.ca' + path: '$.values.secrets.tls.client.ca' - src: schema: deckhand/CertificateAuthority/v1 name: kubernetes-etcd-peer path: $ dest: - path: '$.values.tls.peer.ca' + path: '$.values.secrets.tls.peer.ca' - src: @@ -796,14 +803,14 @@ metadata: name: kubernetes-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.cert' + path: '$.values.secrets.anchor.tls.cert' - src: schema: deckhand/CertificateKey/v1 name: kubernetes-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.key' + path: '$.values.secrets.anchor.tls.key' - src: @@ -931,18 +938,27 @@ data: values: anchor: etcdctl_endpoint: 10.96.0.2 - node_selector: - key: kubernetes-etcd - value: enabled + labels: + anchor: + node_selector_key: kubernetes-etcd + node_selector_value: enabled + secrets: + anchor: + tls: + cert: placeholder + key: placeholder tls: - cert: placeholder - key: placeholder + client: + ca: placeholder + peer: + ca: placeholder etcd: host_data_path: /var/lib/etcd/kubernetes host_etc_path: /etc/etcd/kubernetes images: - etcd: quay.io/coreos/etcd:v3.0.17 - etcdctl: quay.io/coreos/etcd:v3.0.17 + tags: + etcd: quay.io/coreos/etcd:v3.0.17 + etcdctl: quay.io/coreos/etcd:v3.0.17 nodes: - name: n0 tls: 
@@ -979,17 +995,15 @@ data: service: name: kubernetes-etcd ip: 10.96.0.2 - client: + network: + service_client: + name: service_client port: 2379 target_port: 2379 - peer: + service_peer: + name: service_peer port: 2380 target_port: 2380 - tls: - client: - ca: placeholder - peer: - ca: placeholder source: type: local location: /etc/genesis/armada/assets/charts diff --git a/examples/complete/armada-resources.yaml b/examples/complete/armada-resources.yaml index 65673a30..2a897f69 100644 --- a/examples/complete/armada-resources.yaml +++ b/examples/complete/armada-resources.yaml @@ -213,14 +213,14 @@ metadata: name: calico-etcd path: $ dest: - path: '$.values.tls.client.ca' + path: '$.values.secrets.tls.client.ca' - src: schema: deckhand/CertificateAuthority/v1 name: calico-etcd-peer path: $ dest: - path: '$.values.tls.peer.ca' + path: '$.values.secrets.tls.peer.ca' - src: @@ -228,14 +228,14 @@ metadata: name: calico-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.cert' + path: '$.values.secrets.anchor.tls.cert' - src: schema: deckhand/CertificateKey/v1 name: calico-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.key' + path: '$.values.secrets.anchor.tls.key' - src: @@ -363,12 +363,20 @@ data: values: anchor: etcdctl_endpoint: 10.96.232.136 - node_selector: - key: calico-etcd - value: enabled + labels: + anchor: + node_selector_key: calico-etcd + node_selector_value: enabled + secrets: + anchor: + tls: + cert: placeholder + key: placeholder tls: - cert: placeholder - key: placeholder + client: + ca: placeholder + peer: + ca: placeholder etcd: host_data_path: /var/lib/etcd/calico host_etc_path: /etc/etcd/calico @@ -377,8 +385,9 @@ data: host_directory: /var/lib/anchor filename: calico-etcd-bootstrap images: - etcd: quay.io/coreos/etcd:v3.0.17 - etcdctl: quay.io/coreos/etcd:v3.0.17 + tags: + etcd: quay.io/coreos/etcd:v3.0.17 + etcdctl: quay.io/coreos/etcd:v3.0.17 nodes: - name: n0 tls: 
@@ -416,17 +425,15 @@ data: service: name: calico-etcd ip: 10.96.232.136 - client: + network: + service_client: + name: service_client port: 6666 target_port: 6666 - peer: + service_peer: + name: service_peer port: 6667 target_port: 6667 - tls: - client: - ca: placeholder - peer: - ca: placeholder source: type: local location: /etc/genesis/armada/assets/charts
@@ -812,14 +819,14 @@ metadata: name: kubernetes-etcd path: $ dest: - path: '$.values.tls.client.ca' + path: '$.values.secrets.tls.client.ca' - src: schema: deckhand/CertificateAuthority/v1 name: kubernetes-etcd-peer path: $ dest: - path: '$.values.tls.peer.ca' + path: '$.values.secrets.tls.peer.ca' - src:
@@ -827,14 +834,14 @@ metadata: name: kubernetes-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.cert' + path: '$.values.secrets.anchor.tls.cert' - src: schema: deckhand/CertificateKey/v1 name: kubernetes-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.key' + path: '$.values.secrets.anchor.tls.key' - src:
@@ -962,18 +969,27 @@ data: values: anchor: etcdctl_endpoint: 10.96.0.2 - node_selector: - key: kubernetes-etcd - value: enabled + labels: + anchor: + node_selector_key: kubernetes-etcd + node_selector_value: enabled + secrets: + anchor: + tls: + cert: placeholder + key: placeholder tls: - cert: placeholder - key: placeholder + client: + ca: placeholder + peer: + ca: placeholder etcd: host_data_path: /var/lib/etcd/kubernetes host_etc_path: /etc/etcd/kubernetes images: - etcd: quay.io/coreos/etcd:v3.0.17 - etcdctl: quay.io/coreos/etcd:v3.0.17 + tags: + etcd: quay.io/coreos/etcd:v3.0.17 + etcdctl: quay.io/coreos/etcd:v3.0.17 nodes: - name: n0 tls:
@@ -1010,17 +1026,15 @@ data: service: name: kubernetes-etcd ip: 10.96.0.2 - client: + network: + service_client: + name: service_client port: 2379 target_port: 2379 - peer: + service_peer: + name: service_peer port: 2380 target_port: 2380 - tls: - client: - ca: placeholder - peer: - ca: placeholder source: type: local location: /etc/genesis/armada/assets/charts
diff --git a/tools/gate/config-templates/bootstrap-armada-config.yaml b/tools/gate/config-templates/bootstrap-armada-config.yaml
index 716e8295..87775865 100644
--- a/tools/gate/config-templates/bootstrap-armada-config.yaml
+++ b/tools/gate/config-templates/bootstrap-armada-config.yaml
@@ -182,14 +182,14 @@ metadata: name: calico-etcd path: $ dest: - path: '$.values.tls.client.ca' + path: '$.values.secrets.tls.client.ca' - src: schema: deckhand/CertificateAuthority/v1 name: calico-etcd-peer path: $ dest: - path: '$.values.tls.peer.ca' + path: '$.values.secrets.tls.peer.ca' - src:
@@ -197,14 +197,14 @@ metadata: name: calico-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.cert' + path: '$.values.secrets.anchor.tls.cert' - src: schema: deckhand/CertificateKey/v1 name: calico-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.key' + path: '$.values.secrets.anchor.tls.key' - src:
@@ -332,12 +332,20 @@ data: values: anchor: etcdctl_endpoint: 10.96.232.136 - node_selector: - key: calico-etcd - value: enabled + labels: + anchor: + node_selector_key: calico-etcd + node_selector_value: enabled + secrets: + anchor: + tls: + cert: placeholder + key: placeholder tls: - cert: placeholder - key: placeholder + client: + ca: placeholder + peer: + ca: placeholder etcd: host_data_path: /var/lib/etcd/calico host_etc_path: /etc/etcd/calico
@@ -346,8 +354,9 @@ data: host_directory: /var/lib/anchor filename: calico-etcd-bootstrap images: - etcd: ${IMAGE_ETCD} - etcdctl: ${IMAGE_ETCD} + tags: + etcd: ${IMAGE_ETCD} + etcdctl: ${IMAGE_ETCD} nodes: - name: ${GENESIS_HOSTNAME} tls:
@@ -385,17 +394,15 @@ data: service: name: calico-etcd ip: 10.96.232.136 - client: + network: + service_client: + name: service_client port: 6666 target_port: 6666 - peer: + service_peer: + name: service_peer port: 6667 target_port: 6667 - tls: - client: - ca: placeholder - peer: - ca: placeholder source: type: local location: /etc/genesis/armada/assets/charts
@@ -781,14 +788,14 @@ metadata: name: kubernetes-etcd path: $ dest: - path: '$.values.tls.client.ca' + path: '$.values.secrets.tls.client.ca' - src: schema: deckhand/CertificateAuthority/v1 name: kubernetes-etcd-peer path: $ dest: - path: '$.values.tls.peer.ca' + path: '$.values.secrets.tls.peer.ca' - src:
@@ -796,14 +803,14 @@ metadata: name: kubernetes-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.cert' + path: '$.values.secrets.anchor.tls.cert' - src: schema: deckhand/CertificateKey/v1 name: kubernetes-etcd-anchor path: $ dest: - path: '$.values.anchor.tls.key' + path: '$.values.secrets.anchor.tls.key' - src:
@@ -902,18 +909,27 @@ data: values: anchor: etcdctl_endpoint: 10.96.0.2 - node_selector: - key: kubernetes-etcd - value: enabled + labels: + anchor: + node_selector_key: kubernetes-etcd + node_selector_value: enabled + secrets: + anchor: + tls: + cert: placeholder + key: placeholder tls: - cert: placeholder - key: placeholder + client: + ca: placeholder + peer: + ca: placeholder etcd: host_data_path: /var/lib/etcd/kubernetes host_etc_path: /etc/etcd/kubernetes images: - etcd: ${IMAGE_ETCD} - etcdctl: ${IMAGE_ETCD} + tags: + etcd: ${IMAGE_ETCD} + etcdctl: ${IMAGE_ETCD} nodes: - name: ${GENESIS_HOSTNAME} tls:
@@ -942,17 +958,15 @@ data: service: name: kubernetes-etcd ip: 10.96.0.2 - client: + network: + service_client: + name: service_client port: 2379 target_port: 2379 - peer: + service_peer: + name: service_peer port: 2380 target_port: 2380 - tls: - client: - ca: placeholder - peer: - ca: placeholder source: type: local location: /etc/genesis/armada/assets/charts