Refactor Kubernetes Proxy Chart

Refactor of the Kubernetes proxy chart to align with OpenStack-Helm (OSH) chart standards

Change-Id: I2604eae413090ec1d5dac242eafa4d2a96ce4551
Hassan Kaous 2017-11-17 10:40:04 -06:00 committed by Mark Burnett
parent 2d31f7d595
commit 98561baf80
10 changed files with 205 additions and 100 deletions


@ -1,4 +1,18 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1 apiVersion: v1
description: A chart for the Kubernetes proxy. description: A chart for the Kubernetes proxy.
name: proxy name: proxy
version: 0.1.0 version: 0.1.0


@ -0,0 +1,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0


@ -0,0 +1,46 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kubernetes-proxy-etc
data:
kubeconfig.yaml: |-
---
apiVersion: v1
clusters:
- cluster:
server: https://{{ .Values.network.kubernetes_netloc }}
certificate-authority: pki/cluster-ca.pem
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: proxy
name: proxy@kubernetes
current-context: proxy@kubernetes
kind: Config
preferences: {}
users:
- name: proxy
user:
client-certificate: pki/proxy.pem
client-key: pki/proxy-key.pem
cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
proxy.pem: {{ .Values.secrets.tls.cert | quote }}
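Review bot: The `manifests.configmap_etc` toggle introduced in values.yaml is not honoured by this template: unlike daemonset.yaml, which is wrapped in `{{- if .Values.manifests.daemonset_proxy }}`, the ConfigMap renders unconditionally, so `configmap_etc: false` has no effect. Wrap the whole document in `{{- if .Values.manifests.configmap_etc }}` … `{{- end }}` to match the DaemonSet. Keeping `cluster-ca.pem` and `proxy.pem` in a ConfigMap is reasonable since both are public certificate material, while the private key stays in the Secret; a one-line comment above `data:` saying so (`# public CA and client cert only; the client key lives in the kubernetes-proxy Secret`) would stop a future maintainer from moving the key here as well.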


@ -1,30 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kubernetes-proxy
data:
kubeconfig.yaml: |-
---
apiVersion: v1
clusters:
- cluster:
server: https://{{ .Values.network.kubernetes_netloc }}
certificate-authority: pki/cluster-ca.pem
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: proxy
name: proxy@kubernetes
current-context: proxy@kubernetes
kind: Config
preferences: {}
users:
- name: proxy
user:
client-certificate: pki/proxy.pem
client-key: pki/proxy-key.pem
cluster-ca.pem: {{ .Values.tls.ca | quote }}
proxy.pem: {{ .Values.tls.cert | quote }}


@ -1,25 +1,39 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_proxy }}
{{- $envAll := . }}
--- ---
apiVersion: "extensions/v1beta1" apiVersion: "extensions/v1beta1"
kind: DaemonSet kind: DaemonSet
metadata: metadata:
name: kubernetes-proxy name: kubernetes-proxy
labels:
component: k8s-proxy
spec: spec:
{{ tuple $envAll "proxy" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
template: template:
metadata: metadata:
labels: labels:
tier: node {{ tuple $envAll "kubernetes" "proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
component: k8s-proxy
annotations: annotations:
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec: spec:
hostNetwork: true hostNetwork: true
dnsPolicy: {{ .Values.dns_policy }} dnsPolicy: Default
{{- if .Values.node_selector.key }}
nodeSelector:
{{ .Values.node_selector.key }}: {{ .Values.node_selector.value }}
{{- end }}
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: node-role.kubernetes.io/master
effect: NoSchedule effect: NoSchedule
@ -27,13 +41,15 @@ spec:
operator: Exists operator: Exists
containers: containers:
- name: proxy - name: proxy
image: {{ .Values.images.proxy }} image: {{ .Values.images.tags.proxy }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command: command:
- {{ .Values.proxy.command }} {{- range .Values.command_prefix }}
- --cluster-cidr={{ .Values.network.pod_cidr }} - {{ . }}
- --hostname-override=$(NODE_NAME) {{- end }}
- --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml - --hostname-override=$(NODE_NAME)
- --proxy-mode=iptables - --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml
{{ tuple $envAll $envAll.Values.pod.resources.proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env: env:
- name: NODE_NAME - name: NODE_NAME
valueFrom: valueFrom:
@ -60,28 +76,24 @@ spec:
initialDelaySeconds: 15 initialDelaySeconds: 15
periodSeconds: 15 periodSeconds: 15
volumeMounts: volumeMounts:
- name: proxy-cm - name: kubernetes-proxy-etc
mountPath: /etc/kubernetes/proxy/kubeconfig.yaml mountPath: /etc/kubernetes/proxy/kubeconfig.yaml
subPath: kubeconfig.yaml subPath: kubeconfig.yaml
- name: proxy-cm - name: kubernetes-proxy-etc
mountPath: /etc/kubernetes/proxy/pki/proxy.pem mountPath: /etc/kubernetes/proxy/pki/proxy.pem
subPath: proxy.pem subPath: proxy.pem
- name: proxy-cm - name: kubernetes-proxy-etc
mountPath: /etc/kubernetes/proxy/pki/cluster-ca.pem mountPath: /etc/kubernetes/proxy/pki/cluster-ca.pem
subPath: cluster-ca.pem subPath: cluster-ca.pem
- name: proxy-secret - name: proxy-secret
mountPath: /etc/kubernetes/proxy/pki/proxy-key.pem mountPath: /etc/kubernetes/proxy/pki/proxy-key.pem
subPath: proxy-key.pem subPath: proxy-key.pem
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
volumes: volumes:
- name: proxy-cm - name: kubernetes-proxy-etc
configMap: configMap:
name: kubernetes-proxy name: kubernetes-proxy-etc
defaultMode: 0444
- name: proxy-secret - name: proxy-secret
secret: secret:
secretName: kubernetes-proxy secretName: kubernetes-proxy
{{- end }}
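Review bot: The ConfigMap volume gains `defaultMode: 0444`, but the `proxy-secret` volume that carries `proxy-key.pem` is left at the Secret volume default (0644), so the kube-proxy client private key is world-readable inside the container; add `defaultMode: 0400` under `secret:` to keep the key as tight as the public material is now explicit. The new `configmap-etc-hash` annotation correctly rolls the pods when the kubeconfig or certificates change, but nothing hashes the Secret, so a rotated key will not be picked up until the pods restart for some other reason — a matching `secret-hash` annotation computed over `secret.yaml` would close that gap. Replacing the `tier: node` / `component: k8s-proxy` pod labels with the helm-toolkit metadata labels may break anything (network policies, monitoring selectors) that matched the old labels; worth confirming there are no such consumers. The DaemonSet body between the `env` and `volumeMounts` hunks is outside this view.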


@ -1,3 +1,15 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@ -5,4 +17,4 @@ metadata:
name: kubernetes-proxy name: kubernetes-proxy
type: Opaque type: Opaque
data: data:
proxy-key.pem: {{ .Values.tls.key | b64enc }} proxy-key.pem: {{ .Values.secrets.tls.key | b64enc }}
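Review bot: `manifests.secret: true` is added to values.yaml but this template has no `{{- if .Values.manifests.secret }}` guard, so the toggle is dead; wrap the document the same way daemonset.yaml does, with `{{- end }}` after the `proxy-key.pem` line. The license header here uses `#` YAML comments rather than the `{{/* … */}}` template comment used in configmap-etc.yaml and daemonset.yaml, so it is emitted into every rendered Secret manifest, and it is also missing the `Copyright 2017 AT&T Intellectual Property` first line the other files carry; switching to the template-comment form fixes both. `b64enc` on `.Values.secrets.tls.key` is the right encoding for a `data:` field, but the key is still a plaintext chart value — it is the Deckhand `CertificateKey` substitution in the armada manifests, not this chart, that keeps it out of the repository, so the `placeholder` default must never be deployed as-is.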


@ -1,19 +1,60 @@
dns_policy: Default # Copyright 2017 AT&T Intellectual Property. All other rights reserved.
name: kubernetes-proxy #
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# limitations under the License.
tls: manifests:
ca: placeholder daemonset_proxy: true
cert: placeholder configmap_etc: true
key: placeholder secret: true
proxy: pod:
command: /proxy lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
proxy:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
termination_grace_period:
proxy:
timeout: 30
resources:
enabled: false
proxy:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
images: images:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0 tags:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
pull_policy: "IfNotPresent"
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
command_prefix:
- /proxy
- --proxy-mode=iptables
- --cluster-cidr=10.97.0.0/16
network: network:
kubernetes_netloc: 10.96.0.1 kubernetes_netloc: 10.96.0.1
pod_cidr: 10.97.0.0/16
node_selector: {}
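Review bot: `--cluster-cidr=10.97.0.0/16` is now buried inside the `command_prefix` list, replacing the dedicated `network.pod_cidr` key, and the armada manifests in this commit drop `pod_cidr` without setting `command_prefix`, so every deployment silently inherits the chart default. Helm overrides replace lists rather than merging them, so an operator with a different pod CIDR must now restate the whole `command_prefix`, and a mismatched `--cluster-cidr` changes which traffic kube-proxy masquerades. Keep the flag templated — retain `pod_cidr` under `network:` and emit `- --cluster-cidr={{ .Values.network.pod_cidr }}` in the DaemonSet — leaving only `/proxy` and `--proxy-mode=iptables` in `command_prefix`. The `images.tags` / `pull_policy: IfNotPresent` layout follows OSH; a digest pin for the hyperkube image would be stronger against tag repointing but is optional here.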


@ -128,21 +128,21 @@ metadata:
name: kubernetes name: kubernetes
path: $ path: $
dest: dest:
path: '$.values.tls.ca' path: '$.values.secrets.tls.ca'
- -
src: src:
schema: deckhand/Certificate/v1 schema: deckhand/Certificate/v1
name: proxy name: proxy
path: $ path: $
dest: dest:
path: '$.values.tls.cert' path: '$.values.secrets.tls.cert'
- -
src: src:
schema: deckhand/CertificateKey/v1 schema: deckhand/CertificateKey/v1
name: proxy name: proxy
path: $ path: $
dest: dest:
path: '$.values.tls.key' path: '$.values.secrets.tls.key'
data: data:
chart_name: proxy chart_name: proxy
release: kubernetes-proxy release: kubernetes-proxy
@ -151,20 +151,22 @@ data:
upgrade: upgrade:
no_hooks: true no_hooks: true
values: values:
tls: secrets:
ca: placeholder tls:
cert: placeholder ca: placeholder
key: placeholder cert: placeholder
key: placeholder
images: images:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0 tags:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
network: network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443 kubernetes_netloc: apiserver.kubernetes.promenade:6443
pod_cidr: 10.97.0.0/16
source: source:
type: local type: local
location: /etc/genesis/armada/assets/charts location: /etc/genesis/armada/assets/charts
subpath: proxy subpath: proxy
dependencies: [] dependencies:
- helm-toolkit
--- ---
schema: armada/Chart/v1 schema: armada/Chart/v1
metadata: metadata:


@ -143,7 +143,8 @@ data:
location: https://git.openstack.org/openstack/openstack-helm location: https://git.openstack.org/openstack/openstack-helm
subpath: helm-toolkit subpath: helm-toolkit
reference: master reference: master
dependencies: [] dependencies:
- helm-toolkit
--- ---
schema: armada/Chart/v1 schema: armada/Chart/v1
metadata: metadata:
@ -159,21 +160,21 @@ metadata:
name: kubernetes name: kubernetes
path: $ path: $
dest: dest:
path: '$.values.tls.ca' path: '$.values.secrets.tls.ca'
- -
src: src:
schema: deckhand/Certificate/v1 schema: deckhand/Certificate/v1
name: proxy name: proxy
path: $ path: $
dest: dest:
path: '$.values.tls.cert' path: '$.values.secrets.tls.cert'
- -
src: src:
schema: deckhand/CertificateKey/v1 schema: deckhand/CertificateKey/v1
name: proxy name: proxy
path: $ path: $
dest: dest:
path: '$.values.tls.key' path: '$.values.secrets.tls.key'
data: data:
chart_name: proxy chart_name: proxy
release: kubernetes-proxy release: kubernetes-proxy
@ -182,15 +183,16 @@ data:
upgrade: upgrade:
no_hooks: true no_hooks: true
values: values:
tls: secrets:
ca: placeholder tls:
cert: placeholder ca: placeholder
key: placeholder cert: placeholder
key: placeholder
images: images:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0 tags:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
network: network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443 kubernetes_netloc: apiserver.kubernetes.promenade:6443
pod_cidr: 10.97.0.0/16
source: source:
type: local type: local
location: /etc/genesis/armada/assets/charts location: /etc/genesis/armada/assets/charts
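Review bot: The new `dependencies: - helm-toolkit` entry makes the proxy chart depend on the helm-toolkit chart declared in the same file with `reference: master`, so the rendered kube-proxy manifests now change whenever upstream openstack-helm master moves, with no change in this repository. Pin `reference:` to a commit SHA or tag so the build is reproducible and a broken or compromised upstream commit cannot flow straight into the cluster's kube-proxy DaemonSet. Separately, removing `pod_cidr` from `values.network` here means `--cluster-cidr` now comes from the chart's `command_prefix` default of `10.97.0.0/16`; confirm that is the pod CIDR for this profile or set `command_prefix` explicitly in these values.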


@ -128,21 +128,21 @@ metadata:
name: kubernetes name: kubernetes
path: $ path: $
dest: dest:
path: '$.values.tls.ca' path: '$.values.secrets.tls.ca'
- -
src: src:
schema: deckhand/Certificate/v1 schema: deckhand/Certificate/v1
name: proxy name: proxy
path: $ path: $
dest: dest:
path: '$.values.tls.cert' path: '$.values.secrets.tls.cert'
- -
src: src:
schema: deckhand/CertificateKey/v1 schema: deckhand/CertificateKey/v1
name: proxy name: proxy
path: $ path: $
dest: dest:
path: '$.values.tls.key' path: '$.values.secrets.tls.key'
data: data:
chart_name: proxy chart_name: proxy
release: kubernetes-proxy release: kubernetes-proxy
@ -151,20 +151,22 @@ data:
upgrade: upgrade:
no_hooks: true no_hooks: true
values: values:
tls: secrets:
ca: placeholder tls:
cert: placeholder ca: placeholder
key: placeholder cert: placeholder
key: placeholder
images: images:
proxy: ${IMAGE_HYPERKUBE} tags:
proxy: ${IMAGE_HYPERKUBE}
network: network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443 kubernetes_netloc: apiserver.kubernetes.promenade:6443
pod_cidr: 10.97.0.0/16
source: source:
type: local type: local
location: /etc/genesis/armada/assets/charts location: /etc/genesis/armada/assets/charts
subpath: proxy subpath: proxy
dependencies: [] dependencies:
- helm-toolkit
--- ---
schema: armada/Chart/v1 schema: armada/Chart/v1
metadata: metadata: