Merge "Refactor apiserver Chart"

Mark Burnett 2017-11-14 11:10:26 -05:00 committed by Gerrit Code Review
commit eadd41bcba
15 changed files with 495 additions and 186 deletions


@ -1,3 +1,17 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: A chart for Kubernetes API server
name: apiserver


@ -1,3 +1,17 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts


@ -1,96 +1,48 @@
#!/bin/sh
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -x
export MANIFEST_PATH=/host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml
export PKI_PATH=/host{{ .Values.apiserver.host_etc_path }}/pki
compare_copy_files() {
copy_certificates() {
mkdir -p $PKI_PATH
cp /certs/* /keys/* $PKI_PATH
}
create_manifest() {
mkdir -p $(dirname $MANIFEST_PATH)
cat <<EODOC > $MANIFEST_PATH
---
apiVersion: v1
kind: Pod
metadata:
name: {{ .Values.service.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ .Values.service.name }}-service: enabled
spec:
hostNetwork: true
containers:
- name: apiserver
image: {{ .Values.images.apiserver }}
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
command:
- {{ .Values.apiserver.command }}
- --authorization-mode=Node,RBAC
- --advertise-address=\$(POD_IP)
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --anonymous-auth=false
- --bind-address=0.0.0.0
- --secure-port={{ .Values.apiserver.port }}
- --insecure-port=0
- --apiserver-count={{ .Values.apiserver.replicas }}
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
- --etcd-servers={{ .Values.apiserver.etcd.endpoints }}
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
- --allow-privileged=true
- --service-cluster-ip-range={{ .Values.network.service_cidr }}
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
- --v=5
ports:
- containerPort: 443
volumeMounts:
- name: etc
mountPath: /etc/kubernetes/apiserver
volumes:
- name: etc
hostPath:
path: {{ .Values.apiserver.host_etc_path }}
EODOC
{{range .Values.anchor.files_to_copy}}
if [ ! -e /host{{ .dest }} ] || cmp -s {{ .source }} /host{{ .dest }}; then
mkdir -p $(dirname /host{{ .dest }})
cp {{ .source }} /host{{ .dest }}
fi
{{end}}
}
cleanup() {
rm -f $MANIFEST_PATH
rm -rf $PKI_PATH
{{range .Values.anchor.files_to_copy}}
rm -f /host{{ .dest }}
{{end}}
}
while true; do
if [ -e /tmp/stop ]; then
echo Stopping
cleanup
break
fi
if [ ! -e $MANIFEST_PATH ]; then
copy_certificates
create_manifest
fi
# Compare and replace files on Genesis host if needed
# Copy files to other master nodes
compare_copy_files
sleep {{ .Values.anchor.period }}
done
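Review bot: The `cmp -s` test in `compare_copy_files` is inverted: `cmp -s` exits 0 when the two files are identical, so the copy runs when the destination is missing or already matches and is skipped exactly when the contents differ. As written, a rotated certificate or key, or an updated apiserver manifest, would never reach a host that already holds an older copy. Negating the comparison fixes it: `if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then`. The +/- markers are lost in this rendering, so this assumes the `files_to_copy` loop is on the new side, which the `compare_copy_files` call in the main loop suggests.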


@ -1,4 +1,17 @@
#!/bin/sh
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -x


@ -1,3 +1,22 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_bin }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
@ -8,3 +27,4 @@ data:
{{ tuple "bin/_anchor.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
pre_stop: |+
{{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -1,13 +1,31 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_certs }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.service.name }}-certs
data:
cluster-ca.pem: {{ .Values.tls.ca | quote }}
apiserver.pem: {{ .Values.tls.cert | quote }}
etcd-client-ca.pem: {{ .Values.apiserver.etcd.tls.ca | quote }}
etcd-client.pem: {{ .Values.apiserver.etcd.tls.cert | quote }}
service-account.pub: {{ .Values.service_account.public_key | quote }}
cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
apiserver.pem: {{ .Values.secrets.tls.cert | quote }}
etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
{{- end }}


@ -0,0 +1,28 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.service.name }}-etc
data:
kubernetes-apiserver.yaml: |+
{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -1,37 +1,63 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.kubernetes_apiserver }}
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.kubernetes_apiserver }}
{{- $mounts_kubernetes_apiserver := .Values.pod.mounts.kubernetes_apiserver.kubernetes_apiserver }}
{{- $mounts_kubernetes_apiserver_init := .Values.pod.mounts.kubernetes_apiserver.init_container }}
---
apiVersion: "extensions/v1beta1"
kind: DaemonSet
metadata:
name: {{ .Values.service.name }}-anchor
labels:
application: kubernetes
component: kubernetes-apiserver-anchor
spec:
selector:
matchLabels:
{{ .Values.service.name | quote }}: anchor
updateStrategy:
rollingUpdate:
maxUnavailable: 1
{{ tuple $envAll "kubernetes-apiserver-anchor" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
template:
metadata:
labels:
{{ tuple $envAll "kubernetes" "kubernetes-apiserver-anchor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
labels:
{{ .Values.service.name | quote }}: anchor
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-certs-hash: {{ tuple "configmap-certs.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
hostNetwork: true
dnsPolicy: {{ .Values.anchor.dns_policy }}
nodeSelector:
{{ .Values.anchor.node_selector.key }}: {{ .Values.anchor.node_selector.value }}
{{ .Values.labels.kubernetes_apiserver.node_selector_key }}: {{ .Values.labels.kubernetes_apiserver.node_selector_value }}
dnsPolicy: {{ .Values.anchor.dns_policy }}
hostNetwork: true
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: CriticalAddonsOnly
operator: Exists
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.kubernetes_apiserver.timeout }}
initContainers:
{{ tuple $envAll $dependencies $mounts_kubernetes_apiserver_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: anchor
image: {{ .Values.images.anchor }}
image: {{ .Values.images.tags.anchor }}
imagePullPolicy: {{ .Values.images.pull_policy }}
env:
- name: MANIFEST_PATH
value: /host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml
- name: PKI_PATH
value: /host{{ .Values.apiserver.host_etc_path }}/pki
{{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /tmp/bin/anchor
lifecycle:
@ -40,28 +66,36 @@ spec:
command:
- /tmp/bin/pre_stop
volumeMounts:
- name: certs
- name: {{ .Values.service.name }}-certs
mountPath: /certs
- name: host
mountPath: /host
- name: keys
- name: {{ .Values.service.name }}-keys
mountPath: /keys
- name: bin
- name: {{ .Values.service.name }}-bin
mountPath: /tmp/bin
terminationGracePeriodSeconds: {{ .Values.anchor.termination_grace_period }}
- name: {{ .Values.service.name }}-etc
mountPath: /tmp/etc
{{ if $mounts_kubernetes_apiserver.volumeMounts }}{{ toYaml $mounts_kubernetes_apiserver.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: bin
- name: {{ .Values.service.name }}-bin
configMap:
name: {{ .Values.service.name }}-bin
defaultMode: 0555
- name: certs
- name: {{ .Values.service.name }}-certs
configMap:
name: {{ .Values.service.name }}-certs
defaultMode: 0444
- name: host
hostPath:
path: /
- name: keys
- name: {{ .Values.service.name }}-keys
secret:
secretName: {{ .Values.service.name }}-keys
defaultMode: 0444
- name: {{ .Values.service.name }}-etc
configMap:
name: {{ .Values.service.name }}-etc
defaultMode: 0444
{{ if $mounts_kubernetes_apiserver.volumes }}{{ toYaml $mounts_kubernetes_apiserver.volumes | indent 8 }}{{ end }}
{{- end }}
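Review bot: The `{{ .Values.service.name }}-keys` Secret volume is still mounted with `defaultMode: 0444`, which leaves `apiserver-key.pem` and `etcd-client-key.pem` readable by every user in the anchor container. The anchor script then copies them with a plain `cp` under the `/host` mount, so the host copies probably end up world-readable as well, depending on the umask. I would set `defaultMode: 0400` on the keys volume and have the script tighten the mode of the copied key files; this assumes the anchor container runs as root, which the section does not show. The line sits in the second hunk and looks like unchanged context, but this refactor renames the volume and is a natural place to fix it.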


@ -0,0 +1,67 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.manifests.service }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Pod
metadata:
name: {{ .Values.service.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ .Values.service.name }}-service: enabled
spec:
hostNetwork: true
containers:
- name: apiserver
image: {{ .Values.images.tags.apiserver }}
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
command:
{{- range .Values.command_prefix }}
- {{ . }}
{{- end }}
- --advertise-address=$(POD_IP)
- --anonymous-auth=false
- --bind-address=0.0.0.0
- --secure-port={{ .Values.network.kubernetes_apiserver.port }}
- --insecure-port=0
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
- --etcd-servers={{ .Values.apiserver.etcd.endpoints }}
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
- --allow-privileged=true
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
ports:
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
volumeMounts:
- name: etc
mountPath: /etc/kubernetes/apiserver
volumes:
- name: etc
hostPath:
path: {{ .Values.apiserver.host_etc_path }}
{{- end }}
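Review bot: Moving `--authorization-mode=Node,RBAC` and `--admission-control=...` out of this template and into the `command_prefix` list means any values override can drop them, because Helm replaces lists wholesale rather than merging them. An override that only wants to change `--v` or `--apiserver-count` and omits `--authorization-mode` would start the API server with its default authorizer, which is `AlwaysAllow`. I would keep the security-critical flags in the template next to `--anonymous-auth=false` and `--insecure-port=0`, and leave only tunables in `command_prefix`. Failing that, a comment above the `range` would at least warn maintainers: `# command_prefix must carry --authorization-mode; the apiserver default is AlwaysAllow`.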


@ -1,3 +1,21 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Secret
@ -5,5 +23,6 @@ metadata:
name: {{ .Values.service.name }}-keys
type: Opaque
data:
apiserver-key.pem: {{ .Values.tls.key | b64enc }}
etcd-client-key.pem: {{ .Values.apiserver.etcd.tls.key | b64enc }}
apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
{{- end }}


@ -1,14 +1,43 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.service }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.service.name }}
spec:
ports:
{{ if .Values.network.kubernetes_apiserver.enable_node_port }}
- name: https
nodePort: {{ .Values.network.kubernetes_apiserver.node_port }}
port: {{ .Values.network.kubernetes_apiserver.port }}
protocol: TCP
targetPort: {{ .Values.network.kubernetes_apiserver.port }}
{{ else }}
- name: https
port: {{ .Values.network.kubernetes_apiserver.port }}
protocol: TCP
targetPort: {{ .Values.network.kubernetes_apiserver.port }}
{{ end }}
selector:
{{ .Values.service.name }}-service: enabled
{{- if .Values.service.ip }}
clusterIP: {{ .Values.service.ip }}
{{- end }}
ports:
- name: https
port: {{ .Values.apiserver.port }}
{{- end }}
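Review bot: The `enable_node_port` branch sets `nodePort`, but nothing visible in the section sets `type: NodePort`, so the Service stays `ClusterIP` and the API server should reject it once the flag is turned on. Adding `type: NodePort` under `spec` inside the same condition would fix that. `node_port` also has no default in the chart values shown on this page. The two branches otherwise repeat the whole `https` entry; wrapping only the `nodePort` line in the `if` would keep a single port definition.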


@ -1,45 +1,137 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
release_group: null
images:
tags:
anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
pull_policy: "IfNotPresent"
labels:
kubernetes_apiserver:
node_selector_key: kubernetes-apiserver
node_selector_value: enabled
anchor:
dns_policy: Default
kubelet:
manifest_path: /etc/kubernetes/manifests
node_selector:
key: kubernetes-apiserver
value: enabled
termination_grace_period: 3600
period: 15
files_to_copy:
- source: /certs/apiserver.pem
dest: /etc/kubernetes/apiserver/pki/apiserver.pem
- source: /certs/cluster-ca.pem
dest: /etc/kubernetes/apiserver/pki/cluster-ca.pem
- source: /certs/etcd-client-ca.pem
dest: /etc/kubernetes/apiserver/pki/etcd-client-ca.pem
- source: /certs/etcd-client.pem
dest: /etc/kubernetes/apiserver/pki/etcd-client.pem
- source: /certs/service-account.pub
dest: /etc/kubernetes/apiserver/pki/service-account.pub
- source: /keys/apiserver-key.pem
dest: /etc/kubernetes/apiserver/pki/apiserver-key.pem
- source: /keys/etcd-client-key.pem
dest: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
- source: /tmp/etc/kubernetes-apiserver.yaml
dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml
command_prefix:
- /apiserver
- --authorization-mode=Node,RBAC
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --apiserver-count=3
- --service-cluster-ip-range=10.96.0.0/16
- --v=5
apiserver:
command: /apiserver
host_etc_path: /etc/kubernetes/apiserver
etcd:
endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
tls:
ca: placeholder
cert: placeholder
key: placeholder
host_etc_path: /etc/kubernetes/apiserver
port: 6443
replicas: 3
images:
anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
network:
kubernetes_service_ip: 10.96.0.1
pod_cidr: 10.97.0.0/16
service_cidr: 10.96.0.0/16
kubernetes_apiserver:
name: kubernetes-apiserver
port: 6443
enable_node_port: false
service:
name: kubernetes-apiserver
ip: null
service_account:
public_key: placeholder
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
service_account:
public_key: placeholder
etcd:
tls:
ca: placeholder
cert: placeholder
key: placeholder
tls:
ca: placeholder
cert: placeholder
key: placeholder
dependencies:
kubernetes_apiserver:
# typically overriden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
kubernetes_apiserver:
name: kubernetes-apiserver
hosts:
default: kubernetes-apiserver
host_fqdn_override:
default: null
pod:
mounts:
kubernetes_apiserver:
init_container: null
kubernetes_apiserver:
replicas:
apiserver: 3
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
kubernetes_apiserver:
enabled: false
min_ready_seconds: 0
max_unavailable: 1
termination_grace_period:
kubernetes_apiserver:
timeout: 3600
resources:
enabled: false
kubernetes_apiserver:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
configmap_bin: true
configmap_certs: true
configmap_etc: true
kubernetes_apiserver: true
secret: true
service: true
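Review bot: The `manifests` map has no switch for the static pod manifest: the new `kind: Pod` template for the API server is wrapped in `.Values.manifests.service`, the same flag that gates the Service. Setting `service: false` would therefore render an empty `kubernetes-apiserver.yaml` into the `-etc` ConfigMap, and `files_to_copy` would have the anchor place that empty file in the kubelet manifest directory. A dedicated key would separate the two, for example `static_pod: true` here with `{{- if .Values.manifests.static_pod }}` in the template; the key name is only a suggestion.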


@ -524,7 +524,7 @@ metadata:
name: kubernetes
path: $
dest:
path: $.values.tls.ca
path: $.values.secrets.tls.ca
-
src:
@ -532,42 +532,42 @@ metadata:
name: apiserver
path: $
dest:
path: $.values.tls.cert
path: $.values.secrets.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver
path: $
dest:
path: $.values.tls.key
path: $.values.secrets.tls.key
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes-etcd
path: $
dest:
path: $.values.apiserver.etcd.tls.ca
path: $.values.secrets.etcd.tls.ca
-
src:
schema: deckhand/Certificate/v1
name: apiserver-etcd
path: $
dest:
path: $.values.apiserver.etcd.tls.cert
path: $.values.secrets.etcd.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver-etcd
path: $
dest:
path: $.values.apiserver.etcd.tls.key
path: $.values.secrets.etcd.tls.key
-
src:
schema: deckhand/PublicKey/v1
name: service-account
path: $
dest:
path: $.values.service_account.public_key
path: $.values.secrets.service_account.public_key
data:
chart_name: apiserver
@ -580,19 +580,22 @@ data:
apiserver:
etcd:
endpoints: https://etcd.kubernetes.promenade:2379
images:
tags:
anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
secrets:
service_account:
public_key: placeholder
tls:
ca: placeholder
cert: placeholder
key: placeholder
etcd:
tls:
ca: placeholder
cert: placeholder
key: placeholder
images:
anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
service_account:
public_key: placeholder
tls:
ca: placeholder
cert: placeholder
key: placeholder
network:
kubernetes_service_ip: 10.96.0.1
pod_cidr: 10.97.0.0/16


@ -553,7 +553,7 @@ metadata:
name: kubernetes
path: $
dest:
path: $.values.tls.ca
path: $.values.secrets.tls.ca
-
src:
@ -561,42 +561,42 @@ metadata:
name: apiserver
path: $
dest:
path: $.values.tls.cert
path: $.values.secrets.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver
path: $
dest:
path: $.values.tls.key
path: $.values.secrets.tls.key
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes-etcd
path: $
dest:
path: $.values.apiserver.etcd.tls.ca
path: $.values.secrets.etcd.tls.ca
-
src:
schema: deckhand/Certificate/v1
name: apiserver-etcd
path: $
dest:
path: $.values.apiserver.etcd.tls.cert
path: $.values.secrets.etcd.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver-etcd
path: $
dest:
path: $.values.apiserver.etcd.tls.key
path: $.values.secrets.etcd.tls.key
-
src:
schema: deckhand/PublicKey/v1
name: service-account
path: $
dest:
path: $.values.service_account.public_key
path: $.values.secrets.service_account.public_key
data:
chart_name: apiserver
@ -609,19 +609,22 @@ data:
apiserver:
etcd:
endpoints: https://etcd.kubernetes.promenade:2379
images:
tags:
anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
secrets:
service_account:
public_key: placeholder
tls:
ca: placeholder
cert: placeholder
key: placeholder
etcd:
tls:
ca: placeholder
cert: placeholder
key: placeholder
images:
anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
service_account:
public_key: placeholder
tls:
ca: placeholder
cert: placeholder
key: placeholder
network:
kubernetes_service_ip: 10.96.0.1
pod_cidr: 10.97.0.0/16


@ -540,7 +540,7 @@ metadata:
name: kubernetes
path: $
dest:
path: $.values.tls.ca
path: $.values.secrets.tls.ca
-
src:
@ -548,42 +548,42 @@ metadata:
name: apiserver
path: $
dest:
path: $.values.tls.cert
path: $.values.secrets.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver
path: $
dest:
path: $.values.tls.key
path: $.values.secrets.tls.key
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes-etcd
path: $
dest:
path: $.values.apiserver.etcd.tls.ca
path: $.values.secrets.etcd.tls.ca
-
src:
schema: deckhand/Certificate/v1
name: apiserver-etcd
path: $
dest:
path: $.values.apiserver.etcd.tls.cert
path: $.values.secrets.etcd.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver-etcd
path: $
dest:
path: $.values.apiserver.etcd.tls.key
path: $.values.secrets.etcd.tls.key
-
src:
schema: deckhand/PublicKey/v1
name: service-account
path: $
dest:
path: $.values.service_account.public_key
path: $.values.secrets.service_account.public_key
data:
chart_name: apiserver
@ -596,19 +596,22 @@ data:
apiserver:
etcd:
endpoints: https://etcd.kubernetes.promenade:2379
images:
tags:
anchor: ${IMAGE_HYPERKUBE}
apiserver: ${IMAGE_HYPERKUBE}
secrets:
service_account:
public_key: placeholder
tls:
ca: placeholder
cert: placeholder
key: placeholder
etcd:
tls:
ca: placeholder
cert: placeholder
key: placeholder
images:
anchor: ${IMAGE_HYPERKUBE}
apiserver: ${IMAGE_HYPERKUBE}
service_account:
public_key: placeholder
tls:
ca: placeholder
cert: placeholder
key: placeholder
network:
kubernetes_service_ip: 10.96.0.1
pod_cidr: 10.97.0.0/16