Refactor Kubernetes Proxy Chart
Refactor the Kubernetes proxy chart to align with OSH standards.

Change-Id: I2604eae413090ec1d5dac242eafa4d2a96ce4551
parent
2d31f7d595
commit
98561baf80
|
@ -1,4 +1,18 @@
|
||||||
|
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
description: A chart for the Kubernetes proxy.
|
description: A chart for the Kubernetes proxy.
|
||||||
name: proxy
|
name: proxy
|
||||||
version: 0.1.0
|
version: 0.1.0
|
|
@ -0,0 +1,4 @@
|
||||||
|
dependencies:
|
||||||
|
- name: helm-toolkit
|
||||||
|
repository: http://localhost:8879/charts
|
||||||
|
version: 0.1.0
|
|
@ -0,0 +1,46 @@
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: kubernetes-proxy-etc
|
||||||
|
data:
|
||||||
|
kubeconfig.yaml: |-
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
clusters:
|
||||||
|
- cluster:
|
||||||
|
server: https://{{ .Values.network.kubernetes_netloc }}
|
||||||
|
certificate-authority: pki/cluster-ca.pem
|
||||||
|
name: kubernetes
|
||||||
|
contexts:
|
||||||
|
- context:
|
||||||
|
cluster: kubernetes
|
||||||
|
user: proxy
|
||||||
|
name: proxy@kubernetes
|
||||||
|
current-context: proxy@kubernetes
|
||||||
|
kind: Config
|
||||||
|
preferences: {}
|
||||||
|
users:
|
||||||
|
- name: proxy
|
||||||
|
user:
|
||||||
|
client-certificate: pki/proxy.pem
|
||||||
|
client-key: pki/proxy-key.pem
|
||||||
|
|
||||||
|
cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
|
||||||
|
proxy.pem: {{ .Values.secrets.tls.cert | quote }}
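Review bot: This ConfigMap is rendered unconditionally even though the same commit adds `manifests.configmap_etc: true` to the values file; none of the 46 added lines tests that flag. The Secret template (hunks `@ -1,3 +1,15 @` and `@ -5,4 +17,4 @`) likewise shows no `manifests.secret` guard, while the DaemonSet is wrapped in `{{- if .Values.manifests.daemonset_proxy }}`. An operator who sets those flags to false in order to supply externally managed key material would still get the chart's objects, including a Secret built from the `placeholder` default. Wrap both documents the way the DaemonSet is wrapped: `{{- if .Values.manifests.configmap_etc }}` … `{{- end }}` here and `{{- if .Values.manifests.secret }}` … `{{- end }}` in the Secret template.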
|
|
@ -1,30 +0,0 @@
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: kubernetes-proxy
|
|
||||||
data:
|
|
||||||
kubeconfig.yaml: |-
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
clusters:
|
|
||||||
- cluster:
|
|
||||||
server: https://{{ .Values.network.kubernetes_netloc }}
|
|
||||||
certificate-authority: pki/cluster-ca.pem
|
|
||||||
name: kubernetes
|
|
||||||
contexts:
|
|
||||||
- context:
|
|
||||||
cluster: kubernetes
|
|
||||||
user: proxy
|
|
||||||
name: proxy@kubernetes
|
|
||||||
current-context: proxy@kubernetes
|
|
||||||
kind: Config
|
|
||||||
preferences: {}
|
|
||||||
users:
|
|
||||||
- name: proxy
|
|
||||||
user:
|
|
||||||
client-certificate: pki/proxy.pem
|
|
||||||
client-key: pki/proxy-key.pem
|
|
||||||
|
|
||||||
cluster-ca.pem: {{ .Values.tls.ca | quote }}
|
|
||||||
proxy.pem: {{ .Values.tls.cert | quote }}
|
|
|
@ -1,25 +1,39 @@
|
||||||
|
{{/*
|
||||||
|
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- if .Values.manifests.daemonset_proxy }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: "extensions/v1beta1"
|
apiVersion: "extensions/v1beta1"
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
metadata:
|
metadata:
|
||||||
name: kubernetes-proxy
|
name: kubernetes-proxy
|
||||||
labels:
|
|
||||||
component: k8s-proxy
|
|
||||||
spec:
|
spec:
|
||||||
|
{{ tuple $envAll "proxy" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
tier: node
|
{{ tuple $envAll "kubernetes" "proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
component: k8s-proxy
|
|
||||||
annotations:
|
annotations:
|
||||||
scheduler.alpha.kubernetes.io/critical-pod: ''
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
||||||
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
dnsPolicy: {{ .Values.dns_policy }}
|
dnsPolicy: Default
|
||||||
{{- if .Values.node_selector.key }}
|
|
||||||
nodeSelector:
|
|
||||||
{{ .Values.node_selector.key }}: {{ .Values.node_selector.value }}
|
|
||||||
{{- end }}
|
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
- key: node-role.kubernetes.io/master
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
|
@ -27,13 +41,15 @@ spec:
|
||||||
operator: Exists
|
operator: Exists
|
||||||
containers:
|
containers:
|
||||||
- name: proxy
|
- name: proxy
|
||||||
image: {{ .Values.images.proxy }}
|
image: {{ .Values.images.tags.proxy }}
|
||||||
|
imagePullPolicy: {{ .Values.images.pull_policy }}
|
||||||
command:
|
command:
|
||||||
- {{ .Values.proxy.command }}
|
{{- range .Values.command_prefix }}
|
||||||
- --cluster-cidr={{ .Values.network.pod_cidr }}
|
- {{ . }}
|
||||||
- --hostname-override=$(NODE_NAME)
|
{{- end }}
|
||||||
- --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml
|
- --hostname-override=$(NODE_NAME)
|
||||||
- --proxy-mode=iptables
|
- --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml
|
||||||
|
{{ tuple $envAll $envAll.Values.pod.resources.proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
env:
|
env:
|
||||||
- name: NODE_NAME
|
- name: NODE_NAME
|
||||||
valueFrom:
|
valueFrom:
|
||||||
|
@ -60,28 +76,24 @@ spec:
|
||||||
initialDelaySeconds: 15
|
initialDelaySeconds: 15
|
||||||
periodSeconds: 15
|
periodSeconds: 15
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: proxy-cm
|
- name: kubernetes-proxy-etc
|
||||||
mountPath: /etc/kubernetes/proxy/kubeconfig.yaml
|
mountPath: /etc/kubernetes/proxy/kubeconfig.yaml
|
||||||
subPath: kubeconfig.yaml
|
subPath: kubeconfig.yaml
|
||||||
- name: proxy-cm
|
- name: kubernetes-proxy-etc
|
||||||
mountPath: /etc/kubernetes/proxy/pki/proxy.pem
|
mountPath: /etc/kubernetes/proxy/pki/proxy.pem
|
||||||
subPath: proxy.pem
|
subPath: proxy.pem
|
||||||
- name: proxy-cm
|
- name: kubernetes-proxy-etc
|
||||||
mountPath: /etc/kubernetes/proxy/pki/cluster-ca.pem
|
mountPath: /etc/kubernetes/proxy/pki/cluster-ca.pem
|
||||||
subPath: cluster-ca.pem
|
subPath: cluster-ca.pem
|
||||||
- name: proxy-secret
|
- name: proxy-secret
|
||||||
mountPath: /etc/kubernetes/proxy/pki/proxy-key.pem
|
mountPath: /etc/kubernetes/proxy/pki/proxy-key.pem
|
||||||
subPath: proxy-key.pem
|
subPath: proxy-key.pem
|
||||||
tolerations:
|
|
||||||
- key: CriticalAddonsOnly
|
|
||||||
operator: Exists
|
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
operator: Exists
|
|
||||||
effect: NoSchedule
|
|
||||||
volumes:
|
volumes:
|
||||||
- name: proxy-cm
|
- name: kubernetes-proxy-etc
|
||||||
configMap:
|
configMap:
|
||||||
name: kubernetes-proxy
|
name: kubernetes-proxy-etc
|
||||||
|
defaultMode: 0444
|
||||||
- name: proxy-secret
|
- name: proxy-secret
|
||||||
secret:
|
secret:
|
||||||
secretName: kubernetes-proxy
|
secretName: kubernetes-proxy
|
||||||
|
{{- end }}
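Review bot: The new `configmap-etc-hash` annotation presumably exists to roll the pods when the kubeconfig, CA or certificate changes, but nothing equivalent covers the `kubernetes-proxy` Secret that supplies `proxy-key.pem`. All four files are mounted with `subPath`, and Kubernetes does not refresh subPath mounts in running containers, so a key that is rotated on its own stays stale until the pods are restarted some other way. Add a second annotation next to the first, e.g. `secret-hash: {{ tuple "<secret-template-file>" . | include "helm-toolkit.utils.hash" }}` (the file name is a placeholder; this page does not show the Secret template's path). As a smaller style point, the items emitted by `{{- range .Values.command_prefix }}` are unquoted; `- {{ . | quote }}` keeps a value containing `: ` or ` #` from altering the rendered YAML.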
|
||||||
|
|
|
@ -1,3 +1,15 @@
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
|
@ -5,4 +17,4 @@ metadata:
|
||||||
name: kubernetes-proxy
|
name: kubernetes-proxy
|
||||||
type: Opaque
|
type: Opaque
|
||||||
data:
|
data:
|
||||||
proxy-key.pem: {{ .Values.tls.key | b64enc }}
|
proxy-key.pem: {{ .Values.secrets.tls.key | b64enc }}
|
||||||
|
|
|
@ -1,19 +1,60 @@
|
||||||
dns_policy: Default
|
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
||||||
name: kubernetes-proxy
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
tls:
|
manifests:
|
||||||
ca: placeholder
|
daemonset_proxy: true
|
||||||
cert: placeholder
|
configmap_etc: true
|
||||||
key: placeholder
|
secret: true
|
||||||
|
|
||||||
proxy:
|
pod:
|
||||||
command: /proxy
|
lifecycle:
|
||||||
|
upgrades:
|
||||||
|
daemonsets:
|
||||||
|
pod_replacement_strategy: RollingUpdate
|
||||||
|
proxy:
|
||||||
|
enabled: true
|
||||||
|
min_ready_seconds: 0
|
||||||
|
max_unavailable: 1
|
||||||
|
termination_grace_period:
|
||||||
|
proxy:
|
||||||
|
timeout: 30
|
||||||
|
resources:
|
||||||
|
enabled: false
|
||||||
|
proxy:
|
||||||
|
requests:
|
||||||
|
memory: "128Mi"
|
||||||
|
cpu: "100m"
|
||||||
|
limits:
|
||||||
|
memory: "1024Mi"
|
||||||
|
cpu: "2000m"
|
||||||
|
|
||||||
images:
|
images:
|
||||||
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
|
tags:
|
||||||
|
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
|
||||||
|
pull_policy: "IfNotPresent"
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
tls:
|
||||||
|
ca: placeholder
|
||||||
|
cert: placeholder
|
||||||
|
key: placeholder
|
||||||
|
|
||||||
|
command_prefix:
|
||||||
|
- /proxy
|
||||||
|
- --proxy-mode=iptables
|
||||||
|
- --cluster-cidr=10.97.0.0/16
|
||||||
|
|
||||||
network:
|
network:
|
||||||
kubernetes_netloc: 10.96.0.1
|
kubernetes_netloc: 10.96.0.1
|
||||||
pod_cidr: 10.97.0.0/16
|
|
||||||
|
|
||||||
node_selector: {}
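Review bot: `--cluster-cidr=10.97.0.0/16` is now a literal inside the `command_prefix` default and `network.pod_cidr` is dropped, so an existing override of `network.pod_cidr` is silently ignored and kube-proxy starts with the default CIDR. The same applies to the removed `dns_policy` and `node_selector` keys, which the DaemonSet no longer reads, so a deployment that restricted the proxy to selected nodes loses that restriction without any render error. Either keep the key and emit `- --cluster-cidr={{ .Values.network.pod_cidr }}` in the template after the prefix loop, or add a comment above `command_prefix` such as `# --cluster-cidr must match the cluster pod network; override the whole list to change it`. The new license header also repeats `# limitations under the License.` on two consecutive lines.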
|
|
||||||
|
|
|
@ -128,21 +128,21 @@ metadata:
|
||||||
name: kubernetes
|
name: kubernetes
|
||||||
path: $
|
path: $
|
||||||
dest:
|
dest:
|
||||||
path: '$.values.tls.ca'
|
path: '$.values.secrets.tls.ca'
|
||||||
-
|
-
|
||||||
src:
|
src:
|
||||||
schema: deckhand/Certificate/v1
|
schema: deckhand/Certificate/v1
|
||||||
name: proxy
|
name: proxy
|
||||||
path: $
|
path: $
|
||||||
dest:
|
dest:
|
||||||
path: '$.values.tls.cert'
|
path: '$.values.secrets.tls.cert'
|
||||||
-
|
-
|
||||||
src:
|
src:
|
||||||
schema: deckhand/CertificateKey/v1
|
schema: deckhand/CertificateKey/v1
|
||||||
name: proxy
|
name: proxy
|
||||||
path: $
|
path: $
|
||||||
dest:
|
dest:
|
||||||
path: '$.values.tls.key'
|
path: '$.values.secrets.tls.key'
|
||||||
data:
|
data:
|
||||||
chart_name: proxy
|
chart_name: proxy
|
||||||
release: kubernetes-proxy
|
release: kubernetes-proxy
|
||||||
|
@ -151,20 +151,22 @@ data:
|
||||||
upgrade:
|
upgrade:
|
||||||
no_hooks: true
|
no_hooks: true
|
||||||
values:
|
values:
|
||||||
tls:
|
secrets:
|
||||||
ca: placeholder
|
tls:
|
||||||
cert: placeholder
|
ca: placeholder
|
||||||
key: placeholder
|
cert: placeholder
|
||||||
|
key: placeholder
|
||||||
images:
|
images:
|
||||||
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
|
tags:
|
||||||
|
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
|
||||||
network:
|
network:
|
||||||
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
||||||
pod_cidr: 10.97.0.0/16
|
|
||||||
source:
|
source:
|
||||||
type: local
|
type: local
|
||||||
location: /etc/genesis/armada/assets/charts
|
location: /etc/genesis/armada/assets/charts
|
||||||
subpath: proxy
|
subpath: proxy
|
||||||
dependencies: []
|
dependencies:
|
||||||
|
- helm-toolkit
|
||||||
---
|
---
|
||||||
schema: armada/Chart/v1
|
schema: armada/Chart/v1
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
@ -143,7 +143,8 @@ data:
|
||||||
location: https://git.openstack.org/openstack/openstack-helm
|
location: https://git.openstack.org/openstack/openstack-helm
|
||||||
subpath: helm-toolkit
|
subpath: helm-toolkit
|
||||||
reference: master
|
reference: master
|
||||||
dependencies: []
|
dependencies:
|
||||||
|
- helm-toolkit
|
||||||
---
|
---
|
||||||
schema: armada/Chart/v1
|
schema: armada/Chart/v1
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -159,21 +160,21 @@ metadata:
|
||||||
name: kubernetes
|
name: kubernetes
|
||||||
path: $
|
path: $
|
||||||
dest:
|
dest:
|
||||||
path: '$.values.tls.ca'
|
path: '$.values.secrets.tls.ca'
|
||||||
-
|
-
|
||||||
src:
|
src:
|
||||||
schema: deckhand/Certificate/v1
|
schema: deckhand/Certificate/v1
|
||||||
name: proxy
|
name: proxy
|
||||||
path: $
|
path: $
|
||||||
dest:
|
dest:
|
||||||
path: '$.values.tls.cert'
|
path: '$.values.secrets.tls.cert'
|
||||||
-
|
-
|
||||||
src:
|
src:
|
||||||
schema: deckhand/CertificateKey/v1
|
schema: deckhand/CertificateKey/v1
|
||||||
name: proxy
|
name: proxy
|
||||||
path: $
|
path: $
|
||||||
dest:
|
dest:
|
||||||
path: '$.values.tls.key'
|
path: '$.values.secrets.tls.key'
|
||||||
data:
|
data:
|
||||||
chart_name: proxy
|
chart_name: proxy
|
||||||
release: kubernetes-proxy
|
release: kubernetes-proxy
|
||||||
|
@ -182,15 +183,16 @@ data:
|
||||||
upgrade:
|
upgrade:
|
||||||
no_hooks: true
|
no_hooks: true
|
||||||
values:
|
values:
|
||||||
tls:
|
secrets:
|
||||||
ca: placeholder
|
tls:
|
||||||
cert: placeholder
|
ca: placeholder
|
||||||
key: placeholder
|
cert: placeholder
|
||||||
|
key: placeholder
|
||||||
images:
|
images:
|
||||||
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
|
tags:
|
||||||
|
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
|
||||||
network:
|
network:
|
||||||
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
||||||
pod_cidr: 10.97.0.0/16
|
|
||||||
source:
|
source:
|
||||||
type: local
|
type: local
|
||||||
location: /etc/genesis/armada/assets/charts
|
location: /etc/genesis/armada/assets/charts
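Review bot: In this manifest the `helm-toolkit` dependency appears to have landed on the wrong document: the hunk at `@ -143,7 +143,8 @` changes `dependencies: []` on the chart whose source is `subpath: helm-toolkit`, which looks like helm-toolkit itself, while the proxy chart's hunk (`@ -182,15 +183,16 @`) ends at `location:` and leaves its `dependencies` entry untouched. The other two manifests in this commit put `- helm-toolkit` under the chart with `subpath: proxy`. The proxy chart's `dependencies` line lies outside the visible hunks, so this needs confirming, but as shown the proxy templates would be rendered without the `helm-toolkit.*` includes they now call. That helm-toolkit source is also taken from `reference: master`, so the rendered DaemonSet depends on an unpinned branch; a tag or commit reference would make the deployment reproducible and reviewable.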
|
||||||
|
|
|
@ -128,21 +128,21 @@ metadata:
|
||||||
name: kubernetes
|
name: kubernetes
|
||||||
path: $
|
path: $
|
||||||
dest:
|
dest:
|
||||||
path: '$.values.tls.ca'
|
path: '$.values.secrets.tls.ca'
|
||||||
-
|
-
|
||||||
src:
|
src:
|
||||||
schema: deckhand/Certificate/v1
|
schema: deckhand/Certificate/v1
|
||||||
name: proxy
|
name: proxy
|
||||||
path: $
|
path: $
|
||||||
dest:
|
dest:
|
||||||
path: '$.values.tls.cert'
|
path: '$.values.secrets.tls.cert'
|
||||||
-
|
-
|
||||||
src:
|
src:
|
||||||
schema: deckhand/CertificateKey/v1
|
schema: deckhand/CertificateKey/v1
|
||||||
name: proxy
|
name: proxy
|
||||||
path: $
|
path: $
|
||||||
dest:
|
dest:
|
||||||
path: '$.values.tls.key'
|
path: '$.values.secrets.tls.key'
|
||||||
data:
|
data:
|
||||||
chart_name: proxy
|
chart_name: proxy
|
||||||
release: kubernetes-proxy
|
release: kubernetes-proxy
|
||||||
|
@ -151,20 +151,22 @@ data:
|
||||||
upgrade:
|
upgrade:
|
||||||
no_hooks: true
|
no_hooks: true
|
||||||
values:
|
values:
|
||||||
tls:
|
secrets:
|
||||||
ca: placeholder
|
tls:
|
||||||
cert: placeholder
|
ca: placeholder
|
||||||
key: placeholder
|
cert: placeholder
|
||||||
|
key: placeholder
|
||||||
images:
|
images:
|
||||||
proxy: ${IMAGE_HYPERKUBE}
|
tags:
|
||||||
|
proxy: ${IMAGE_HYPERKUBE}
|
||||||
network:
|
network:
|
||||||
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
kubernetes_netloc: apiserver.kubernetes.promenade:6443
|
||||||
pod_cidr: 10.97.0.0/16
|
|
||||||
source:
|
source:
|
||||||
type: local
|
type: local
|
||||||
location: /etc/genesis/armada/assets/charts
|
location: /etc/genesis/armada/assets/charts
|
||||||
subpath: proxy
|
subpath: proxy
|
||||||
dependencies: []
|
dependencies:
|
||||||
|
- helm-toolkit
|
||||||
---
|
---
|
||||||
schema: armada/Chart/v1
|
schema: armada/Chart/v1
|
||||||
metadata:
|
metadata:
|
||||||
|
|