Merge "Refactor apiserver Chart"

charts/apiserver/Chart.yaml

@@ -1,3 +1,17 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 description: A chart for Kubernetes API server
 name: apiserver

charts/apiserver/requirements.yaml

@@ -1,3 +1,17 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 dependencies:
   - name: helm-toolkit
     repository: http://localhost:8879/charts

charts/apiserver/templates/bin/_anchor.tpl

@@ -1,96 +1,48 @@
 #!/bin/sh
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 set -x
 
-export MANIFEST_PATH=/host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml
+compare_copy_files() {
-export PKI_PATH=/host{{ .Values.apiserver.host_etc_path }}/pki
 
-copy_certificates() {
+    {{range .Values.anchor.files_to_copy}}
-    mkdir -p $PKI_PATH
+    if [ ! -e /host{{ .dest }} ] || cmp -s {{ .source }} /host{{ .dest }}; then
-    cp /certs/* /keys/* $PKI_PATH
+        mkdir -p $(dirname /host{{ .dest }})
-}
+        cp {{ .source }} /host{{ .dest }}
-
+    fi
-create_manifest() {
+    {{end}}
-    mkdir -p $(dirname $MANIFEST_PATH)
-    cat <<EODOC > $MANIFEST_PATH
----
-apiVersion: v1
-kind: Pod
-metadata:
-  name: {{ .Values.service.name }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{ .Values.service.name }}-service: enabled
-spec:
-  hostNetwork: true
-  containers:
-    - name: apiserver
-      image: {{ .Values.images.apiserver }}
-      env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-      command:
-        - {{ .Values.apiserver.command }}
-        - --authorization-mode=Node,RBAC
-        - --advertise-address=\$(POD_IP)
-        - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
-        - --anonymous-auth=false
-        - --bind-address=0.0.0.0
-        - --secure-port={{ .Values.apiserver.port }}
-        - --insecure-port=0
-        - --apiserver-count={{ .Values.apiserver.replicas }}
-
-        - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-        - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
-        - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
-
-        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
-        - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
-        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
-
-        - --etcd-servers={{ .Values.apiserver.etcd.endpoints }}
-        - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
-        - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
-        - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
-
-        - --allow-privileged=true
-
-        - --service-cluster-ip-range={{ .Values.network.service_cidr }}
-        - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
-
-        - --v=5
-
-      ports:
-        - containerPort: 443
-      volumeMounts:
-        - name: etc
-          mountPath: /etc/kubernetes/apiserver
-  volumes:
-    - name: etc
-      hostPath:
-        path: {{ .Values.apiserver.host_etc_path }}
-EODOC
 }
 
 cleanup() {
-    rm -f $MANIFEST_PATH
+
-    rm -rf $PKI_PATH
+    {{range .Values.anchor.files_to_copy}}
+    rm -f /host{{ .dest }}
+    {{end}}
 }
 
 while true; do
+
     if [ -e /tmp/stop ]; then
         echo Stopping
         cleanup
         break
     fi
 
-    if [ ! -e $MANIFEST_PATH ]; then
+    # Compare and replace files on Genesis host if needed
-        copy_certificates
+    # Copy files to other master nodes
-        create_manifest
+    compare_copy_files
-    fi
 
     sleep {{ .Values.anchor.period }}
 done

charts/apiserver/templates/bin/_pre_stop.tpl

@@ -1,4 +1,17 @@
 #!/bin/sh
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 set -x
 

charts/apiserver/templates/configmap-bin.yaml

@@ -1,3 +1,22 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -8,3 +27,4 @@ data:
 {{ tuple "bin/_anchor.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   pre_stop: |+
 {{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}

charts/apiserver/templates/configmap-certs.yaml

@@ -1,13 +1,31 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_certs }}
+{{- $envAll := . }}
+
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ .Values.service.name }}-certs
 data:
-  cluster-ca.pem: {{ .Values.tls.ca | quote }}
+  cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
-  apiserver.pem: {{ .Values.tls.cert | quote }}
+  apiserver.pem: {{ .Values.secrets.tls.cert | quote }}
-
+  etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
-  etcd-client-ca.pem: {{ .Values.apiserver.etcd.tls.ca | quote }}
+  etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
-  etcd-client.pem: {{ .Values.apiserver.etcd.tls.cert | quote }}
+  service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
-
+{{- end }}
-  service-account.pub: {{ .Values.service_account.public_key | quote }}

charts/apiserver/templates/configmap-etc.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.service.name }}-etc
+data:
+  kubernetes-apiserver.yaml: |+
+{{ tuple "etc/_kubernetes-apiserver.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}

charts/apiserver/templates/daemonset.yaml

@@ -1,37 +1,63 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.kubernetes_apiserver }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.kubernetes_apiserver }}
+{{- $mounts_kubernetes_apiserver := .Values.pod.mounts.kubernetes_apiserver.kubernetes_apiserver }}
+{{- $mounts_kubernetes_apiserver_init := .Values.pod.mounts.kubernetes_apiserver.init_container }}
 ---
 apiVersion: "extensions/v1beta1"
 kind: DaemonSet
 metadata:
   name: {{ .Values.service.name }}-anchor
-  labels:
-    application: kubernetes
-    component: kubernetes-apiserver-anchor
 spec:
-  selector:
+{{ tuple $envAll "kubernetes-apiserver-anchor" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
-    matchLabels:
-      {{ .Values.service.name | quote }}: anchor
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
   template:
     metadata:
+      labels:
+{{ tuple $envAll "kubernetes" "kubernetes-apiserver-anchor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
-      labels:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
-        {{ .Values.service.name | quote }}: anchor
+        configmap-certs-hash: {{ tuple "configmap-certs.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
-      hostNetwork: true
-      dnsPolicy: {{ .Values.anchor.dns_policy }}
       nodeSelector:
-        {{ .Values.anchor.node_selector.key }}: {{ .Values.anchor.node_selector.value }}
+        {{ .Values.labels.kubernetes_apiserver.node_selector_key }}: {{ .Values.labels.kubernetes_apiserver.node_selector_value }}
+      dnsPolicy: {{ .Values.anchor.dns_policy }}
+      hostNetwork: true
       tolerations:
         - key: node-role.kubernetes.io/master
           effect: NoSchedule
         - key: CriticalAddonsOnly
           operator: Exists
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.kubernetes_apiserver.timeout }}
+      initContainers:
+{{ tuple $envAll $dependencies $mounts_kubernetes_apiserver_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: anchor
-          image: {{ .Values.images.anchor }}
+          image: {{ .Values.images.tags.anchor }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          env:
+          - name: MANIFEST_PATH
+            value: /host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml
+          - name: PKI_PATH
+            value: /host{{ .Values.apiserver.host_etc_path }}/pki
+{{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           command:
             - /tmp/bin/anchor
           lifecycle:
@@ -40,28 +66,36 @@ spec:
                 command:
                   - /tmp/bin/pre_stop
           volumeMounts:
-            - name: certs
+            - name: {{ .Values.service.name }}-certs
               mountPath: /certs
             - name: host
               mountPath: /host
-            - name: keys
+            - name: {{ .Values.service.name }}-keys
               mountPath: /keys
-            - name: bin
+            - name: {{ .Values.service.name }}-bin
               mountPath: /tmp/bin
-      terminationGracePeriodSeconds: {{ .Values.anchor.termination_grace_period }}
+            - name: {{ .Values.service.name }}-etc
+              mountPath: /tmp/etc
+{{ if $mounts_kubernetes_apiserver.volumeMounts }}{{ toYaml $mounts_kubernetes_apiserver.volumeMounts | indent 12 }}{{ end }}
       volumes:
-        - name: bin
+        - name: {{ .Values.service.name }}-bin
           configMap:
             name: {{ .Values.service.name }}-bin
             defaultMode: 0555
-        - name: certs
+        - name: {{ .Values.service.name }}-certs
           configMap:
             name: {{ .Values.service.name }}-certs
             defaultMode: 0444
         - name: host
           hostPath:
             path: /
-        - name: keys
+        - name: {{ .Values.service.name }}-keys
           secret:
             secretName: {{ .Values.service.name }}-keys
             defaultMode: 0444
+        - name: {{ .Values.service.name }}-etc
+          configMap:
+            name: {{ .Values.service.name }}-etc
+            defaultMode: 0444
+{{ if $mounts_kubernetes_apiserver.volumes }}{{ toYaml $mounts_kubernetes_apiserver.volumes | indent 8 }}{{ end }}
+{{- end }}

charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl

@@ -0,0 +1,67 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ .Values.service.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ .Values.service.name }}-service: enabled
+spec:
+  hostNetwork: true
+  containers:
+    - name: apiserver
+      image: {{ .Values.images.tags.apiserver }}
+      env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+      command:
+        {{- range .Values.command_prefix }}
+        - {{ . }}
+        {{- end }}
+        - --advertise-address=$(POD_IP)
+        - --anonymous-auth=false
+        - --bind-address=0.0.0.0
+        - --secure-port={{ .Values.network.kubernetes_apiserver.port }}
+        - --insecure-port=0
+        - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
+        - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
+        - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+        - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
+        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
+        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+        - --etcd-servers={{ .Values.apiserver.etcd.endpoints }}
+        - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
+        - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
+        - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
+        - --allow-privileged=true
+        - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+
+      ports:
+        - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
+      volumeMounts:
+        - name: etc
+          mountPath: /etc/kubernetes/apiserver
+  volumes:
+    - name: etc
+      hostPath:
+        path: {{ .Values.apiserver.host_etc_path }}
+{{- end }}

charts/apiserver/templates/secret-apiserver.yaml

@@ -1,3 +1,21 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret }}
+{{- $envAll := . }}
 ---
 apiVersion: v1
 kind: Secret
@@ -5,5 +23,6 @@ metadata:
   name: {{ .Values.service.name }}-keys
 type: Opaque
 data:
-  apiserver-key.pem: {{ .Values.tls.key | b64enc }}
+  apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
-  etcd-client-key.pem: {{ .Values.apiserver.etcd.tls.key | b64enc }}
+  etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
+{{- end }}

charts/apiserver/templates/service.yaml

@@ -1,14 +1,43 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ .Values.service.name }}
 spec:
+  ports:
+    {{ if .Values.network.kubernetes_apiserver.enable_node_port }}
+    - name: https
+      nodePort: {{ .Values.network.kubernetes_apiserver.node_port }}
+      port: {{ .Values.network.kubernetes_apiserver.port }}
+      protocol: TCP
+      targetPort: {{ .Values.network.kubernetes_apiserver.port }}
+    {{ else }}
+    - name: https
+      port: {{ .Values.network.kubernetes_apiserver.port }}
+      protocol: TCP
+      targetPort: {{ .Values.network.kubernetes_apiserver.port }}
+    {{ end }}
   selector:
     {{ .Values.service.name }}-service: enabled
   {{- if .Values.service.ip }}
   clusterIP: {{ .Values.service.ip }}
   {{- end }}
-  ports:
+{{- end }}
-    - name: https
-      port: {{ .Values.apiserver.port }}

charts/apiserver/values.yaml

@@ -1,45 +1,137 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+release_group: null
+
+images:
+  tags:
+    anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+    apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+  pull_policy: "IfNotPresent"
+
+labels:
+  kubernetes_apiserver:
+      node_selector_key: kubernetes-apiserver
+      node_selector_value: enabled
+
 anchor:
   dns_policy: Default
   kubelet:
     manifest_path: /etc/kubernetes/manifests
-  node_selector:
-    key: kubernetes-apiserver
-    value: enabled
-  termination_grace_period: 3600
   period: 15
+  files_to_copy:
+    - source: /certs/apiserver.pem
+      dest: /etc/kubernetes/apiserver/pki/apiserver.pem
+    - source: /certs/cluster-ca.pem
+      dest: /etc/kubernetes/apiserver/pki/cluster-ca.pem
+    - source: /certs/etcd-client-ca.pem
+      dest: /etc/kubernetes/apiserver/pki/etcd-client-ca.pem
+    - source: /certs/etcd-client.pem
+      dest: /etc/kubernetes/apiserver/pki/etcd-client.pem
+    - source: /certs/service-account.pub
+      dest: /etc/kubernetes/apiserver/pki/service-account.pub
+    - source: /keys/apiserver-key.pem
+      dest: /etc/kubernetes/apiserver/pki/apiserver-key.pem
+    - source: /keys/etcd-client-key.pem
+      dest: /etc/kubernetes/apiserver/pki/etcd-client-key.pem
+    - source: /tmp/etc/kubernetes-apiserver.yaml
+      dest: /etc/kubernetes/manifests/kubernetes-apiserver.yaml
+
+command_prefix:
+  - /apiserver
+  - --authorization-mode=Node,RBAC
+  - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
+  - --apiserver-count=3
+  - --service-cluster-ip-range=10.96.0.0/16
+  - --v=5
 
 apiserver:
-  command: /apiserver
+  host_etc_path: /etc/kubernetes/apiserver
-
   etcd:
     endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
-    tls:
-      ca: placeholder
-      cert: placeholder
-      key: placeholder
-
-  host_etc_path: /etc/kubernetes/apiserver
-
-  port: 6443
-  replicas: 3
-
-images:
-  anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
-  apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
 
 network:
-  kubernetes_service_ip: 10.96.0.1
+  kubernetes_apiserver:
-  pod_cidr: 10.97.0.0/16
+    name: kubernetes-apiserver
-  service_cidr: 10.96.0.0/16
+    port: 6443
+    enable_node_port: false
 
 service:
   name: kubernetes-apiserver
   ip: null
 
-service_account:
+secrets:
-  public_key: placeholder
+  tls:
+    ca: placeholder
+    cert: placeholder
+    key: placeholder
+  service_account:
+    public_key: placeholder
+  etcd:
+    tls:
+      ca: placeholder
+      cert: placeholder
+      key: placeholder
 
-tls:
+dependencies:
-  ca: placeholder
+  kubernetes_apiserver:
-  cert: placeholder
+
-  key: placeholder
+# typically overriden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  kubernetes_apiserver:
+    name: kubernetes-apiserver
+    hosts:
+      default: kubernetes-apiserver
+    host_fqdn_override:
+      default: null
+
+pod:
+  mounts:
+    kubernetes_apiserver:
+      init_container: null
+      kubernetes_apiserver:
+  replicas:
+    apiserver: 3
+  lifecycle:
+    upgrades:
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        kubernetes_apiserver:
+          enabled: false
+          min_ready_seconds: 0
+          max_unavailable: 1
+    termination_grace_period:
+      kubernetes_apiserver:
+        timeout: 3600
+  resources:
+    enabled: false
+    kubernetes_apiserver:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+
+manifests:
+  configmap_bin: true
+  configmap_certs: true
+  configmap_etc: true
+  kubernetes_apiserver: true
+  secret: true
+  service: true

examples/basic/armada-resources.yaml

@@ -524,7 +524,7 @@ metadata:
         name: kubernetes
         path: $
       dest:
-        path: $.values.tls.ca
+        path: $.values.secrets.tls.ca
 
     -
       src:
@@ -532,42 +532,42 @@ metadata:
         name: apiserver
         path: $
       dest:
-        path: $.values.tls.cert
+        path: $.values.secrets.tls.cert
     -
       src:
         schema: deckhand/CertificateKey/v1
         name: apiserver
         path: $
       dest:
-        path: $.values.tls.key
+        path: $.values.secrets.tls.key
     -
       src:
         schema: deckhand/CertificateAuthority/v1
         name: kubernetes-etcd
         path: $
       dest:
-        path: $.values.apiserver.etcd.tls.ca
+        path: $.values.secrets.etcd.tls.ca
     -
       src:
         schema: deckhand/Certificate/v1
         name: apiserver-etcd
         path: $
       dest:
-        path: $.values.apiserver.etcd.tls.cert
+        path: $.values.secrets.etcd.tls.cert
     -
       src:
         schema: deckhand/CertificateKey/v1
         name: apiserver-etcd
         path: $
       dest:
-        path: $.values.apiserver.etcd.tls.key
+        path: $.values.secrets.etcd.tls.key
     -
       src:
         schema: deckhand/PublicKey/v1
         name: service-account
         path: $
       dest:
-        path: $.values.service_account.public_key
+        path: $.values.secrets.service_account.public_key
 
 data:
   chart_name: apiserver
@@ -580,19 +580,22 @@ data:
     apiserver:
       etcd:
         endpoints: https://etcd.kubernetes.promenade:2379
+    images:
+      tags:
+        anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+        apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+    secrets:
+      service_account:
+        public_key: placeholder
+      tls:
+        ca: placeholder
+        cert: placeholder
+        key: placeholder
+      etcd:
         tls:
           ca: placeholder
           cert: placeholder
           key: placeholder
-    images:
-      anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
-      apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
-    service_account:
-      public_key: placeholder
-    tls:
-      ca: placeholder
-      cert: placeholder
-      key: placeholder
     network:
       kubernetes_service_ip: 10.96.0.1
       pod_cidr: 10.97.0.0/16

examples/complete/armada-resources.yaml

@@ -553,7 +553,7 @@ metadata:
         name: kubernetes
         path: $
       dest:
-        path: $.values.tls.ca
+        path: $.values.secrets.tls.ca
 
     -
       src:
@@ -561,42 +561,42 @@ metadata:
         name: apiserver
         path: $
       dest:
-        path: $.values.tls.cert
+        path: $.values.secrets.tls.cert
     -
       src:
         schema: deckhand/CertificateKey/v1
         name: apiserver
         path: $
       dest:
-        path: $.values.tls.key
+        path: $.values.secrets.tls.key
     -
       src:
         schema: deckhand/CertificateAuthority/v1
         name: kubernetes-etcd
         path: $
       dest:
-        path: $.values.apiserver.etcd.tls.ca
+        path: $.values.secrets.etcd.tls.ca
     -
       src:
         schema: deckhand/Certificate/v1
         name: apiserver-etcd
         path: $
       dest:
-        path: $.values.apiserver.etcd.tls.cert
+        path: $.values.secrets.etcd.tls.cert
     -
       src:
         schema: deckhand/CertificateKey/v1
         name: apiserver-etcd
         path: $
       dest:
-        path: $.values.apiserver.etcd.tls.key
+        path: $.values.secrets.etcd.tls.key
     -
       src:
         schema: deckhand/PublicKey/v1
         name: service-account
         path: $
       dest:
-        path: $.values.service_account.public_key
+        path: $.values.secrets.service_account.public_key
 
 data:
   chart_name: apiserver
@@ -609,19 +609,22 @@ data:
     apiserver:
       etcd:
         endpoints: https://etcd.kubernetes.promenade:2379
+    images:
+      tags:
+        anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+        apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+    secrets:
+      service_account:
+        public_key: placeholder
+      tls:
+        ca: placeholder
+        cert: placeholder
+        key: placeholder
+      etcd:
         tls:
           ca: placeholder
           cert: placeholder
           key: placeholder
-    images:
-      anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
-      apiserver: gcr.io/google_containers/hyperkube-amd64:v1.8.0
-    service_account:
-      public_key: placeholder
-    tls:
-      ca: placeholder
-      cert: placeholder
-      key: placeholder
     network:
       kubernetes_service_ip: 10.96.0.1
       pod_cidr: 10.97.0.0/16

tools/gate/config-templates/bootstrap-armada-config.yaml

@@ -540,7 +540,7 @@ metadata:
         name: kubernetes
         path: $
       dest:
-        path: $.values.tls.ca
+        path: $.values.secrets.tls.ca
 
     -
       src:
@@ -548,42 +548,42 @@ metadata:
         name: apiserver
         path: $
       dest:
-        path: $.values.tls.cert
+        path: $.values.secrets.tls.cert
     -
       src:
         schema: deckhand/CertificateKey/v1
         name: apiserver
         path: $
       dest:
-        path: $.values.tls.key
+        path: $.values.secrets.tls.key
     -
       src:
         schema: deckhand/CertificateAuthority/v1
         name: kubernetes-etcd
         path: $
       dest:
-        path: $.values.apiserver.etcd.tls.ca
+        path: $.values.secrets.etcd.tls.ca
     -
       src:
         schema: deckhand/Certificate/v1
         name: apiserver-etcd
         path: $
       dest:
-        path: $.values.apiserver.etcd.tls.cert
+        path: $.values.secrets.etcd.tls.cert
     -
       src:
         schema: deckhand/CertificateKey/v1
         name: apiserver-etcd
         path: $
       dest:
-        path: $.values.apiserver.etcd.tls.key
+        path: $.values.secrets.etcd.tls.key
     -
       src:
         schema: deckhand/PublicKey/v1
         name: service-account
         path: $
       dest:
-        path: $.values.service_account.public_key
+        path: $.values.secrets.service_account.public_key
 
 data:
   chart_name: apiserver
@@ -596,19 +596,22 @@ data:
     apiserver:
       etcd:
         endpoints: https://etcd.kubernetes.promenade:2379
+    images:
+      tags:
+        anchor: ${IMAGE_HYPERKUBE}
+        apiserver: ${IMAGE_HYPERKUBE}
+    secrets:
+      service_account:
+        public_key: placeholder
+      tls:
+        ca: placeholder
+        cert: placeholder
+        key: placeholder
+      etcd:
         tls:
           ca: placeholder
           cert: placeholder
           key: placeholder
-    images:
-      anchor: ${IMAGE_HYPERKUBE}
-      apiserver: ${IMAGE_HYPERKUBE}
-    service_account:
-      public_key: placeholder
-    tls:
-      ca: placeholder
-      cert: placeholder
-      key: placeholder
     network:
       kubernetes_service_ip: 10.96.0.1
       pod_cidr: 10.97.0.0/16