From dee0960ed7d0dfcaa39ba1375df5ebfdeaccbab4 Mon Sep 17 00:00:00 2001 From: Anthony Lin Date: Wed, 1 Nov 2017 01:15:42 +0000 Subject: [PATCH] Refactor apiserver Chart Refactor apiserver chart to align with OSH standards Change-Id: I9d168226622d8fc2047a0b71cf390c086d3efe40 --- charts/apiserver/Chart.yaml | 14 ++ charts/apiserver/requirements.yaml | 14 ++ charts/apiserver/templates/bin/_anchor.tpl | 104 ++++-------- charts/apiserver/templates/bin/_pre_stop.tpl | 13 ++ charts/apiserver/templates/configmap-bin.yaml | 20 +++ .../apiserver/templates/configmap-certs.yaml | 32 +++- charts/apiserver/templates/configmap-etc.yaml | 28 ++++ charts/apiserver/templates/daemonset.yaml | 78 ++++++--- .../etc/_kubernetes-apiserver.yaml.tpl | 67 ++++++++ .../apiserver/templates/secret-apiserver.yaml | 23 ++- charts/apiserver/templates/service.yaml | 35 ++++- charts/apiserver/values.yaml | 148 ++++++++++++++---- examples/basic/armada-resources.yaml | 35 +++-- examples/complete/armada-resources.yaml | 35 +++-- .../bootstrap-armada-config.yaml | 35 +++-- 15 files changed, 495 insertions(+), 186 deletions(-) create mode 100644 charts/apiserver/templates/configmap-etc.yaml create mode 100644 charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl diff --git a/charts/apiserver/Chart.yaml b/charts/apiserver/Chart.yaml index bdccdce5..6e608309 100644 --- a/charts/apiserver/Chart.yaml +++ b/charts/apiserver/Chart.yaml 
@@ -1,3 +1,17 @@ +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + apiVersion: v1 description: A chart for Kubernetes API server name: apiserver diff --git a/charts/apiserver/requirements.yaml b/charts/apiserver/requirements.yaml index 4b156320..7496230c 100644 --- a/charts/apiserver/requirements.yaml +++ b/charts/apiserver/requirements.yaml @@ -1,3 +1,17 @@ +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + dependencies: - name: helm-toolkit repository: http://localhost:8879/charts diff --git a/charts/apiserver/templates/bin/_anchor.tpl b/charts/apiserver/templates/bin/_anchor.tpl index d36318a4..8f165e2a 100644 --- a/charts/apiserver/templates/bin/_anchor.tpl +++ b/charts/apiserver/templates/bin/_anchor.tpl 
@@ -1,96 +1,48 @@ #!/bin/sh +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. set -x -export MANIFEST_PATH=/host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml -export PKI_PATH=/host{{ .Values.apiserver.host_etc_path }}/pki +compare_copy_files() { -copy_certificates() { - mkdir -p $PKI_PATH - cp /certs/* /keys/* $PKI_PATH -} - -create_manifest() { - mkdir -p $(dirname $MANIFEST_PATH) - cat < $MANIFEST_PATH ---- -apiVersion: v1 -kind: Pod -metadata: - name: {{ .Values.service.name }} - namespace: {{ .Release.Namespace }} - labels: - {{ .Values.service.name }}-service: enabled -spec: - hostNetwork: true - containers: - - name: apiserver - image: {{ .Values.images.apiserver }} - env: - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - command: - - {{ .Values.apiserver.command }} - - --authorization-mode=Node,RBAC - - --advertise-address=\$(POD_IP) - - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds - - --anonymous-auth=false - - --bind-address=0.0.0.0 - - --secure-port={{ .Values.apiserver.port }} - - --insecure-port=0 - - --apiserver-count={{ .Values.apiserver.replicas }} - - - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem - - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem - - 
--tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem - - - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem - - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem - - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem - - - --etcd-servers={{ .Values.apiserver.etcd.endpoints }} - - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem - - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem - - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem - - - --allow-privileged=true - - - --service-cluster-ip-range={{ .Values.network.service_cidr }} - - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub - - - --v=5 - - ports: - - containerPort: 443 - volumeMounts: - - name: etc - mountPath: /etc/kubernetes/apiserver - volumes: - - name: etc - hostPath: - path: {{ .Values.apiserver.host_etc_path }} -EODOC + {{range .Values.anchor.files_to_copy}} + if [ ! -e /host{{ .dest }} ] || cmp -s {{ .source }} /host{{ .dest }}; then + mkdir -p $(dirname /host{{ .dest }}) + cp {{ .source }} /host{{ .dest }} + fi + {{end}} } cleanup() { - rm -f $MANIFEST_PATH - rm -rf $PKI_PATH + + {{range .Values.anchor.files_to_copy}} + rm -f /host{{ .dest }} + {{end}} } while true; do + if [ -e /tmp/stop ]; then echo Stopping cleanup break fi - if [ ! -e $MANIFEST_PATH ]; then - copy_certificates - create_manifest - fi + # Compare and replace files on Genesis host if needed + # Copy files to other master nodes + compare_copy_files sleep {{ .Values.anchor.period }} done diff --git a/charts/apiserver/templates/bin/_pre_stop.tpl b/charts/apiserver/templates/bin/_pre_stop.tpl index 37bb5c0f..e58fffe9 100644 --- a/charts/apiserver/templates/bin/_pre_stop.tpl +++ b/charts/apiserver/templates/bin/_pre_stop.tpl 
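Review bot: The copy condition in compare_copy_files is inverted: `cmp -s` exits 0 when the two files are identical, so a destination that already exists but differs from its source is never refreshed, while an identical one is recopied every period. The intended check is `if [ ! -e /host{{ .dest }} ] || ! cmp -s {{ .source }} /host{{ .dest }}; then`. Separately, `cp` creates the destination with the source's mode, so the private keys taken from the secret mount (defaultMode 0444 in the daemonset volumes of this patch) most likely land world-readable under the host pki directory; a `chmod 0600` after copying the key entries, or `install -m 0600` for them, would be worth adding. The loop comment `# Copy files to other master nodes` also overstates what the script does — each DaemonSet pod writes only to its own node's /host mount.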
@@ -1,4 +1,17 @@ #!/bin/sh +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. set -x diff --git a/charts/apiserver/templates/configmap-bin.yaml b/charts/apiserver/templates/configmap-bin.yaml index e2740643..5205587b 100644 --- a/charts/apiserver/templates/configmap-bin.yaml +++ b/charts/apiserver/templates/configmap-bin.yaml @@ -1,3 +1,22 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_bin }} +{{- $envAll := . }} + --- apiVersion: v1 kind: ConfigMap @@ -8,3 +27,4 @@ data: {{ tuple "bin/_anchor.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} pre_stop: |+ {{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/charts/apiserver/templates/configmap-certs.yaml b/charts/apiserver/templates/configmap-certs.yaml index 64bd1570..34d412e0 100644 
--- a/charts/apiserver/templates/configmap-certs.yaml +++ b/charts/apiserver/templates/configmap-certs.yaml @@ -1,13 +1,31 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_certs }} +{{- $envAll := . }} + --- apiVersion: v1 kind: ConfigMap metadata: name: {{ .Values.service.name }}-certs data: - cluster-ca.pem: {{ .Values.tls.ca | quote }} - apiserver.pem: {{ .Values.tls.cert | quote }} - - etcd-client-ca.pem: {{ .Values.apiserver.etcd.tls.ca | quote }} - etcd-client.pem: {{ .Values.apiserver.etcd.tls.cert | quote }} - - service-account.pub: {{ .Values.service_account.public_key | quote }} + cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }} + apiserver.pem: {{ .Values.secrets.tls.cert | quote }} + etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }} + etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }} + service-account.pub: {{ .Values.secrets.service_account.public_key | quote }} +{{- end }} diff --git a/charts/apiserver/templates/configmap-etc.yaml b/charts/apiserver/templates/configmap-etc.yaml new file mode 100644 index 00000000..5942bd1f --- /dev/null +++ b/charts/apiserver/templates/configmap-etc.yaml 
@@ -0,0 +1,28 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.configmap_etc }} +{{- $envAll := . }} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.service.name }}-etc +data: + kubernetes-apiserver.yaml: |+ +{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- end }} diff --git a/charts/apiserver/templates/daemonset.yaml b/charts/apiserver/templates/daemonset.yaml index aec34d95..c370506e 100644 --- a/charts/apiserver/templates/daemonset.yaml +++ b/charts/apiserver/templates/daemonset.yaml 
@@ -1,37 +1,63 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.kubernetes_apiserver }} +{{- $envAll := . }} +{{- $dependencies := .Values.dependencies.kubernetes_apiserver }} +{{- $mounts_kubernetes_apiserver := .Values.pod.mounts.kubernetes_apiserver.kubernetes_apiserver }} +{{- $mounts_kubernetes_apiserver_init := .Values.pod.mounts.kubernetes_apiserver.init_container }} --- apiVersion: "extensions/v1beta1" kind: DaemonSet metadata: name: {{ .Values.service.name }}-anchor - labels: - application: kubernetes - component: kubernetes-apiserver-anchor spec: - selector: - matchLabels: - {{ .Values.service.name | quote }}: anchor - updateStrategy: - rollingUpdate: - maxUnavailable: 1 +{{ tuple $envAll "kubernetes-apiserver-anchor" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }} template: metadata: + labels: +{{ tuple $envAll "kubernetes" "kubernetes-apiserver-anchor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: scheduler.alpha.kubernetes.io/critical-pod: '' - labels: - {{ .Values.service.name | quote }}: anchor + configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-certs-hash: {{ tuple "configmap-certs.yaml" . | include "helm-toolkit.utils.hash" }} + configmap-etc-hash: {{ tuple "configmap-etc.yaml" . 
| include "helm-toolkit.utils.hash" }} spec: - hostNetwork: true - dnsPolicy: {{ .Values.anchor.dns_policy }} nodeSelector: - {{ .Values.anchor.node_selector.key }}: {{ .Values.anchor.node_selector.value }} + {{ .Values.labels.kubernetes_apiserver.node_selector_key }}: {{ .Values.labels.kubernetes_apiserver.node_selector_value }} + dnsPolicy: {{ .Values.anchor.dns_policy }} + hostNetwork: true tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule - key: CriticalAddonsOnly operator: Exists + terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.kubernetes_apiserver.timeout }} + initContainers: +{{ tuple $envAll $dependencies $mounts_kubernetes_apiserver_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: anchor - image: {{ .Values.images.anchor }} + image: {{ .Values.images.tags.anchor }} + imagePullPolicy: {{ .Values.images.pull_policy }} + env: + - name: MANIFEST_PATH + value: /host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml + - name: PKI_PATH + value: /host{{ .Values.apiserver.host_etc_path }}/pki +{{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} command: - /tmp/bin/anchor lifecycle: 
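Review bot: The `MANIFEST_PATH` and `PKI_PATH` environment variables added to the anchor container are not read by the refactored anchor script in this patch, which derives every path from `anchor.files_to_copy` instead; they are dead configuration that can silently drift from `files_to_copy`. Either drop the two `env` entries or have the script consume them. The node selector now comes from `labels.kubernetes_apiserver.*`, so an existing override of `anchor.node_selector` is silently ignored rather than rejected; a values.yaml comment such as `# node_selector moved from anchor.node_selector to labels.kubernetes_apiserver` would make the rename visible to operators.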
@@ -40,28 +66,36 @@ spec: command: - /tmp/bin/pre_stop volumeMounts: - - name: certs + - name: {{ .Values.service.name }}-certs mountPath: /certs - name: host mountPath: /host - - name: keys + - name: {{ .Values.service.name }}-keys mountPath: /keys - - name: bin + - name: {{ .Values.service.name }}-bin mountPath: /tmp/bin - terminationGracePeriodSeconds: {{ .Values.anchor.termination_grace_period }} + - name: {{ .Values.service.name }}-etc + mountPath: /tmp/etc +{{ if $mounts_kubernetes_apiserver.volumeMounts }}{{ toYaml $mounts_kubernetes_apiserver.volumeMounts | indent 12 }}{{ end }} volumes: - - name: bin + - name: {{ .Values.service.name }}-bin configMap: name: {{ .Values.service.name }}-bin defaultMode: 0555 - - name: certs + - name: {{ .Values.service.name }}-certs configMap: name: {{ .Values.service.name }}-certs defaultMode: 0444 - name: host hostPath: path: / - - name: keys + - name: {{ .Values.service.name }}-keys secret: secretName: {{ .Values.service.name }}-keys defaultMode: 0444 + - name: {{ .Values.service.name }}-etc + configMap: + name: {{ .Values.service.name }}-etc + defaultMode: 0444 +{{ if $mounts_kubernetes_apiserver.volumes }}{{ toYaml $mounts_kubernetes_apiserver.volumes | indent 8 }}{{ end }} +{{- end }} diff --git a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl new file mode 100644 index 00000000..75b74253 --- /dev/null +++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl 
@@ -0,0 +1,67 @@ +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.manifests.service }} +{{- $envAll := . }} +--- +apiVersion: v1 +kind: Pod +metadata: + name: {{ .Values.service.name }} + namespace: {{ .Release.Namespace }} + labels: + {{ .Values.service.name }}-service: enabled +spec: + hostNetwork: true + containers: + - name: apiserver + image: {{ .Values.images.tags.apiserver }} + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + command: + {{- range .Values.command_prefix }} + - {{ . 
}} + {{- end }} + - --advertise-address=$(POD_IP) + - --anonymous-auth=false + - --bind-address=0.0.0.0 + - --secure-port={{ .Values.network.kubernetes_apiserver.port }} + - --insecure-port=0 + - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem + - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem + - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem + - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem + - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem + - --etcd-servers={{ .Values.apiserver.etcd.endpoints }} + - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem + - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem + - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem + - --allow-privileged=true + - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub + + ports: + - containerPort: {{ .Values.network.kubernetes_apiserver.port }} + volumeMounts: + - name: etc + mountPath: /etc/kubernetes/apiserver + volumes: + - name: etc + hostPath: + path: {{ .Values.apiserver.host_etc_path }} +{{- end }} diff --git a/charts/apiserver/templates/secret-apiserver.yaml b/charts/apiserver/templates/secret-apiserver.yaml index e2fbf779..f32f6bfd 100644 --- a/charts/apiserver/templates/secret-apiserver.yaml +++ b/charts/apiserver/templates/secret-apiserver.yaml 
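Review bot: The guard at the top of this template is keyed on `.Values.manifests.service`, but the file is only rendered into the `-etc` ConfigMap, which is itself gated by `manifests.configmap_etc` in configmap-etc.yaml. With `manifests.service: false` the ConfigMap is still created, its `kubernetes-apiserver.yaml` entry is empty, and the anchor then copies that empty file into the kubelet manifest directory. Either drop the `{{- if }}`/`{{- end }}` pair here or key it on the same flag, `{{- if .Values.manifests.configmap_etc }}`. A one-line header comment would also help readers, e.g. `# Static pod manifest; the anchor copies it to the kubelet manifest path on each node.`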
@@ -1,3 +1,21 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret }} +{{- $envAll := . }} --- apiVersion: v1 kind: Secret @@ -5,5 +23,6 @@ metadata: name: {{ .Values.service.name }}-keys type: Opaque data: - apiserver-key.pem: {{ .Values.tls.key | b64enc }} - etcd-client-key.pem: {{ .Values.apiserver.etcd.tls.key | b64enc }} + apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }} + etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }} +{{- end }} diff --git a/charts/apiserver/templates/service.yaml b/charts/apiserver/templates/service.yaml index a24a4b2b..11e19a41 100644 --- a/charts/apiserver/templates/service.yaml +++ b/charts/apiserver/templates/service.yaml 
@@ -1,14 +1,43 @@ +{{/* +Copyright 2017 AT&T Intellectual Property. All other rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.service }} +{{- $envAll := . }} --- apiVersion: v1 kind: Service metadata: name: {{ .Values.service.name }} spec: + ports: + {{ if .Values.network.kubernetes_apiserver.enable_node_port }} + - name: https + nodePort: {{ .Values.network.kubernetes_apiserver.node_port }} + port: {{ .Values.network.kubernetes_apiserver.port }} + protocol: TCP + targetPort: {{ .Values.network.kubernetes_apiserver.port }} + {{ else }} + - name: https + port: {{ .Values.network.kubernetes_apiserver.port }} + protocol: TCP + targetPort: {{ .Values.network.kubernetes_apiserver.port }} + {{ end }} selector: {{ .Values.service.name }}-service: enabled {{- if .Values.service.ip }} clusterIP: {{ .Values.service.ip }} {{- end }} - ports: - - name: https - port: {{ .Values.apiserver.port }} +{{- end }} diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml index 45028c75..958c2334 100644 --- a/charts/apiserver/values.yaml +++ b/charts/apiserver/values.yaml 
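Review bot: The NodePort branch references `.Values.network.kubernetes_apiserver.node_port`, but values.yaml in this patch defines only `name`, `port` and `enable_node_port` under `network.kubernetes_apiserver`, so setting `enable_node_port: true` renders `nodePort:` with an empty value and the Service fails API validation. Add a default for `node_port` alongside `enable_node_port` (a value in the cluster's NodePort range — placeholder, pick per environment). The two branches also duplicate the whole port entry; a single entry with `{{- if .Values.network.kubernetes_apiserver.enable_node_port }}` / `nodePort: {{ .Values.network.kubernetes_apiserver.node_port }}` / `{{- end }}` around just the nodePort line is shorter and keeps the other fields from diverging. Using `{{-` trims there would also stop the untrimmed `{{ if }}`/`{{ else }}`/`{{ end }}` lines from leaving stray whitespace-only lines in the rendered manifest.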
@@ -1,45 +1,137 @@ +# Copyright 2017 AT&T Intellectual Property. All other rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +release_group: null + +images: + tags: + anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0 + apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 + pull_policy: "IfNotPresent" + +labels: + kubernetes_apiserver: + node_selector_key: kubernetes-apiserver + node_selector_value: enabled + anchor: dns_policy: Default kubelet: manifest_path: /etc/kubernetes/manifests - node_selector: - key: kubernetes-apiserver - value: enabled - termination_grace_period: 3600 period: 15 + files_to_copy: + - source: /certs/apiserver.pem + dest: /etc/kubernetes/apiserver/pki/apiserver.pem + - source: /certs/cluster-ca.pem + dest: /etc/kubernetes/apiserver/pki/cluster-ca.pem + - source: /certs/etcd-client-ca.pem + dest: /etc/kubernetes/apiserver/pki/etcd-client-ca.pem + - source: /certs/etcd-client.pem + dest: /etc/kubernetes/apiserver/pki/etcd-client.pem + - source: /certs/service-account.pub + dest: /etc/kubernetes/apiserver/pki/service-account.pub + - source: /keys/apiserver-key.pem + dest: /etc/kubernetes/apiserver/pki/apiserver-key.pem + - source: /keys/etcd-client-key.pem + dest: /etc/kubernetes/apiserver/pki/etcd-client-key.pem + - source: /tmp/etc/kubernetes-apiserver.yaml + dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml + +command_prefix: + - /apiserver + - 
--authorization-mode=Node,RBAC + - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds + - --apiserver-count=3 + - --service-cluster-ip-range=10.96.0.0/16 + - --v=5 apiserver: - command: /apiserver - + host_etc_path: /etc/kubernetes/apiserver etcd: endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local - tls: - ca: placeholder - cert: placeholder - key: placeholder - - host_etc_path: /etc/kubernetes/apiserver - - port: 6443 - replicas: 3 - -images: - anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0 - apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0 network: - kubernetes_service_ip: 10.96.0.1 - pod_cidr: 10.97.0.0/16 - service_cidr: 10.96.0.0/16 + kubernetes_apiserver: + name: kubernetes-apiserver + port: 6443 + enable_node_port: false service: name: kubernetes-apiserver ip: null -service_account: - public_key: placeholder +secrets: + tls: + ca: placeholder + cert: placeholder + key: placeholder + service_account: + public_key: placeholder + etcd: + tls: + ca: placeholder + cert: placeholder + key: placeholder -tls: - ca: placeholder - cert: placeholder - key: placeholder +dependencies: + kubernetes_apiserver: + +# typically overriden by environmental +# values, but should include all endpoints +# required by this chart +endpoints: + cluster_domain_suffix: cluster.local + kubernetes_apiserver: + name: kubernetes-apiserver + hosts: + default: kubernetes-apiserver + host_fqdn_override: + default: null + +pod: + mounts: + kubernetes_apiserver: + init_container: null + kubernetes_apiserver: + replicas: + apiserver: 3 + lifecycle: + upgrades: + daemonsets: + pod_replacement_strategy: RollingUpdate + kubernetes_apiserver: + enabled: false + min_ready_seconds: 0 + max_unavailable: 1 + termination_grace_period: + kubernetes_apiserver: + timeout: 3600 + resources: + enabled: false + kubernetes_apiserver: + requests: + memory: "128Mi" + cpu: "100m" + 
limits: + memory: "1024Mi" + cpu: "2000m" + +manifests: + configmap_bin: true + configmap_certs: true + configmap_etc: true + kubernetes_apiserver: true + secret: true + service: true diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml index 02b88cb7..04388b07 100644 --- a/examples/basic/armada-resources.yaml +++ b/examples/basic/armada-resources.yaml @@ -524,7 +524,7 @@ metadata: name: kubernetes path: $ dest: - path: $.values.tls.ca + path: $.values.secrets.tls.ca - src: @@ -532,42 +532,42 @@ metadata: name: apiserver path: $ dest: - path: $.values.tls.cert + path: $.values.secrets.tls.cert - src: schema: deckhand/CertificateKey/v1 name: apiserver path: $ dest: - path: $.values.tls.key + path: $.values.secrets.tls.key - src: schema: deckhand/CertificateAuthority/v1 name: kubernetes-etcd path: $ dest: - path: $.values.apiserver.etcd.tls.ca + path: $.values.secrets.etcd.tls.ca - src: schema: deckhand/Certificate/v1 name: apiserver-etcd path: $ dest: - path: $.values.apiserver.etcd.tls.cert + path: $.values.secrets.etcd.tls.cert - src: schema: deckhand/CertificateKey/v1 name: apiserver-etcd path: $ dest: - path: $.values.apiserver.etcd.tls.key + path: $.values.secrets.etcd.tls.key - src: schema: deckhand/PublicKey/v1 name: service-account path: $ dest: - path: $.values.service_account.public_key + path: $.values.secrets.service_account.public_key data: chart_name: apiserver 
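Review bot: `--apiserver-count=3` and `--service-cluster-ip-range=10.96.0.0/16` are now hard-coded strings in `command_prefix`, while the chart also declares `pod.replicas.apiserver: 3`, which no template in this patch reads, and removes the old `network.service_cidr` value. An operator overriding the replica count or service CIDR through values therefore no longer affects the API server flags, and the two settings can disagree with each other. Either render these flags in `_kubernetes-apiserver.yaml.tpl` from the structured values (`- --apiserver-count={{ .Values.pod.replicas.apiserver }}`) or drop `pod.replicas.apiserver` so the duplication is not misleading. The armada examples in this patch still carry `network.kubernetes_service_ip` and `pod_cidr` under the chart's values; they appear unused by the refactored templates and could be pruned or documented. Since `--authorization-mode=Node,RBAC` is retained, adding `NodeRestriction` to the admission-control list would complete the Node authorizer hardening; that is a pre-existing omission rather than something this refactor introduced.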
@@ -580,19 +580,22 @@ data: apiserver: etcd: endpoints: https://etcd.kubernetes.promenade:2379 + images: + tags: + anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0 + apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0 + secrets: + service_account: + public_key: placeholder + tls: + ca: placeholder + cert: placeholder + key: placeholder + etcd: tls: ca: placeholder cert: placeholder key: placeholder - images: - anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0 - apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0 - service_account: - public_key: placeholder - tls: - ca: placeholder - cert: placeholder - key: placeholder network: kubernetes_service_ip: 10.96.0.1 pod_cidr: 10.97.0.0/16 diff --git a/examples/complete/armada-resources.yaml b/examples/complete/armada-resources.yaml index b40bb011..d0b0fd0f 100644 --- a/examples/complete/armada-resources.yaml +++ b/examples/complete/armada-resources.yaml @@ -553,7 +553,7 @@ metadata: name: kubernetes path: $ dest: - path: $.values.tls.ca + path: $.values.secrets.tls.ca - src: @@ -561,42 +561,42 @@ metadata: name: apiserver path: $ dest: - path: $.values.tls.cert + path: $.values.secrets.tls.cert - src: schema: deckhand/CertificateKey/v1 name: apiserver path: $ dest: - path: $.values.tls.key + path: $.values.secrets.tls.key - src: schema: deckhand/CertificateAuthority/v1 name: kubernetes-etcd path: $ dest: - path: $.values.apiserver.etcd.tls.ca + path: $.values.secrets.etcd.tls.ca - src: schema: deckhand/Certificate/v1 name: apiserver-etcd path: $ dest: - path: $.values.apiserver.etcd.tls.cert + path: $.values.secrets.etcd.tls.cert - src: schema: deckhand/CertificateKey/v1 name: apiserver-etcd path: $ dest: - path: $.values.apiserver.etcd.tls.key + path: $.values.secrets.etcd.tls.key - src: schema: deckhand/PublicKey/v1 name: service-account path: $ dest: - path: $.values.service_account.public_key + path: $.values.secrets.service_account.public_key data: chart_name: apiserver 
@@ -609,19 +609,22 @@ data: apiserver: etcd: endpoints: https://etcd.kubernetes.promenade:2379 + images: + tags: + anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0 + apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0 + secrets: + service_account: + public_key: placeholder + tls: + ca: placeholder + cert: placeholder + key: placeholder + etcd: tls: ca: placeholder cert: placeholder key: placeholder - images: - anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0 - apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0 - service_account: - public_key: placeholder - tls: - ca: placeholder - cert: placeholder - key: placeholder network: kubernetes_service_ip: 10.96.0.1 pod_cidr: 10.97.0.0/16 diff --git a/tools/gate/config-templates/bootstrap-armada-config.yaml b/tools/gate/config-templates/bootstrap-armada-config.yaml index 3a2e0f72..5d5047c9 100644 --- a/tools/gate/config-templates/bootstrap-armada-config.yaml +++ b/tools/gate/config-templates/bootstrap-armada-config.yaml @@ -540,7 +540,7 @@ metadata: name: kubernetes path: $ dest: - path: $.values.tls.ca + path: $.values.secrets.tls.ca - src: 
@@ -548,42 +548,42 @@ metadata: name: apiserver path: $ dest: - path: $.values.tls.cert + path: $.values.secrets.tls.cert - src: schema: deckhand/CertificateKey/v1 name: apiserver path: $ dest: - path: $.values.tls.key + path: $.values.secrets.tls.key - src: schema: deckhand/CertificateAuthority/v1 name: kubernetes-etcd path: $ dest: - path: $.values.apiserver.etcd.tls.ca + path: $.values.secrets.etcd.tls.ca - src: schema: deckhand/Certificate/v1 name: apiserver-etcd path: $ dest: - path: $.values.apiserver.etcd.tls.cert + path: $.values.secrets.etcd.tls.cert - src: schema: deckhand/CertificateKey/v1 name: apiserver-etcd path: $ dest: - path: $.values.apiserver.etcd.tls.key + path: $.values.secrets.etcd.tls.key - src: schema: deckhand/PublicKey/v1 name: service-account path: $ dest: - path: $.values.service_account.public_key + path: $.values.secrets.service_account.public_key data: chart_name: apiserver @@ -596,19 +596,22 @@ data: apiserver: etcd: endpoints: https://etcd.kubernetes.promenade:2379 + images: + tags: + anchor: ${IMAGE_HYPERKUBE} + apiserver: ${IMAGE_HYPERKUBE} + secrets: + service_account: + public_key: placeholder + tls: + ca: placeholder + cert: placeholder + key: placeholder + etcd: tls: ca: placeholder cert: placeholder key: placeholder - images: - anchor: ${IMAGE_HYPERKUBE} - apiserver: ${IMAGE_HYPERKUBE} - service_account: - public_key: placeholder - tls: - ca: placeholder - cert: placeholder - key: placeholder network: kubernetes_service_ip: 10.96.0.1 pod_cidr: 10.97.0.0/16