Refactor controller_manager Chart

Refactor controller_manager chart to align with OSH
standards

Change-Id: I6adfbb23dc6f00a1521168ecf6c062c490947192

charts/controller_manager/Chart.yaml

@@ -1,3 +1,17 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 description: A chart for Kubernetes controller-manager
 name: controller_manager

charts/controller_manager/requirements.yaml

@@ -1,3 +1,17 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 dependencies:
   - name: helm-toolkit
     repository: http://localhost:8879/charts

charts/controller_manager/templates/bin/_anchor.tpl

@@ -1,79 +1,48 @@
 #!/bin/sh
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 set -x
 
-export MANIFEST_PATH=/host{{ .Values.anchor.kubelet.manifest_path }}/{{ .Values.service.name }}.yaml
-export ETC_PATH=/host{{ .Values.controller_manager.host_etc_path }}
+compare_copy_files() {
 
-copy_etc_files() {
-    mkdir -p $ETC_PATH
-    cp /configmap/* /secret/* $ETC_PATH
-}
-
-create_manifest() {
-    mkdir -p $(dirname $MANIFEST_PATH)
-    cat <<EODOC > $MANIFEST_PATH
----
-apiVersion: v1
-kind: Pod
-metadata:
-  name: {{ .Values.service.name }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{ .Values.service.name }}-service: enabled
-spec:
-  hostNetwork: true
-  containers:
-    - name: controller-manager
-      image: {{ .Values.images.controller_manager }}
-      env:
-        - name: POD_IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-      command:
-        - {{ .Values.controller_manager.command }}
-        - --allocate-node-cidrs=true
-        - --cluster-cidr={{ .Values.network.pod_cidr }}
-        - --configure-cloud-routes=false
-        - --leader-elect=true
-        - --node-monitor-period={{ .Values.controller_manager.node_monitor_period }}
-        - --node-monitor-grace-period={{ .Values.controller_manager.node_monitor_grace_period }}
-        - --pod-eviction-timeout={{ .Values.controller_manager.pod_eviction_timeout }}
-        - --kubeconfig=/etc/kubernetes/controller-manager/kubeconfig.yaml
-        - --root-ca-file=/etc/kubernetes/controller-manager/cluster-ca.pem
-        - --service-account-private-key-file=/etc/kubernetes/controller-manager/service-account.priv
-        - --service-cluster-ip-range={{ .Values.network.service_cidr }}
-        - --use-service-account-credentials=true
-
-        - --v=5
-
-      volumeMounts:
-        - name: etc
-          mountPath: /etc/kubernetes/controller-manager
-  volumes:
-    - name: etc
-      hostPath:
-        path: {{ .Values.controller_manager.host_etc_path }}
-EODOC
+    {{range .Values.anchor.files_to_copy}}
+    if [ ! -e /host{{ .dest }} ] || cmp -s {{ .source }} /host{{ .dest }}; then
+        mkdir -p $(dirname /host{{ .dest }})
+        cp {{ .source }} /host{{ .dest }}
+    fi
+    {{end}}
 }
 
 cleanup() {
-    rm -f $MANIFEST_PATH
-    rm -rf $ETC_PATH
+
+    {{range .Values.anchor.files_to_copy}}
+    rm -f /host{{ .dest }}
+    {{end}}
 }
 
 while true; do
+
     if [ -e /tmp/stop ]; then
         echo Stopping
         cleanup
         break
     fi
 
-    if [ ! -e $MANIFEST_PATH ]; then
-        copy_etc_files
-        create_manifest
-    fi
+    # Compare and replace files on Genesis host if needed
+    # Copy files to other master nodes
+    compare_copy_files
 
     sleep {{ .Values.anchor.period }}
 done

charts/controller_manager/templates/bin/_pre_stop.tpl

@@ -1,4 +1,17 @@
 #!/bin/sh
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 set -x
 

charts/controller_manager/templates/configmap-bin.yaml

@@ -1,3 +1,22 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -8,3 +27,4 @@ data:
 {{ tuple "bin/_anchor.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   pre_stop: |+
 {{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}

charts/controller_manager/templates/configmap-etc.yaml

@@ -1,29 +1,32 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ .Values.service.name }}-etc
 data:
-  cluster-ca.pem: {{ .Values.tls.ca | quote }}
-  controller-manager.pem: {{ .Values.tls.cert | quote }}
+  cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
+  controller-manager.pem: {{ .Values.secrets.tls.cert | quote }}
   kubeconfig.yaml: |+
-    ---
-    apiVersion: v1
-    clusters:
-    - cluster:
-        server: https://{{ .Values.network.kubernetes_netloc }}
-        certificate-authority: cluster-ca.pem
-      name: kubernetes
-    contexts:
-    - context:
-        cluster: kubernetes
-        user: controller-manager
-      name: controller-manager@kubernetes
-    current-context: controller-manager@kubernetes
-    kind: Config
-    preferences: {}
-    users:
-    - name: controller-manager
-      user:
-        client-certificate: controller-manager.pem
-        client-key: controller-manager-key.pem
+{{ tuple "etc/_kubeconfig.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  kubernetes-controller-manager.yaml: |+
+{{ tuple "etc/_kubernetes-controller-manager.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}

charts/controller_manager/templates/daemonset.yaml

@@ -1,39 +1,62 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.controller_manager }}
+{{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.controller_manager }}
+{{- $mounts_controller_manager := .Values.pod.mounts.controller_manager.controller_manager }}
+{{- $mounts_controller_manager_init := .Values.pod.mounts.controller_manager.init_container }}
 ---
 apiVersion: "extensions/v1beta1"
 kind: DaemonSet
 metadata:
   name: {{ .Values.service.name }}-anchor
-  labels:
-    application: kubernetes
-    component: kubernetes-controller-manager-anchor
 spec:
-  selector:
-    matchLabels:
-      {{ .Values.service.name | quote }}: anchor
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 1
+{{ tuple $envAll "controller_manager" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
   template:
     metadata:
+      labels:
+{{ tuple $envAll "kubernetes" "controller-manager-anchor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
-      labels:
-        {{ .Values.service.name | quote }}: anchor
     spec:
-      hostNetwork: true
-      dnsPolicy: {{ .Values.anchor.dns_policy }}
       nodeSelector:
-        {{ .Values.anchor.node_selector.key }}: {{ .Values.anchor.node_selector.value }}
+        {{ .Values.labels.controller_manager.node_selector_key }}: {{ .Values.labels.controller_manager.node_selector_value }}
+      dnsPolicy: {{ .Values.anchor.dns_policy }}
+      hostNetwork: true
       tolerations:
         - key: node-role.kubernetes.io/master
           effect: NoSchedule
         - key: CriticalAddonsOnly
           operator: Exists
+      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.controller_manager.timeout }}
+      initContainers:
+{{ tuple $envAll $dependencies $mounts_controller_manager_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: anchor
-          image: {{ .Values.images.anchor }}
+          image: {{ .Values.images.tags.anchor }}
+          imagePullPolicy: {{ .Values.images.pull_policy }}
+          env:
+          - name: MANIFEST_PATH
+            value: /host{{ .Values.anchor.kubelet.manifest_path }}/kubernetes-controller-manager.yaml
+          - name: ETC_PATH
+            value: /host{{ .Values.controller_manager.host_etc_path }}
+{{ tuple $envAll $envAll.Values.pod.resources.controller_manager | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           command:
             - /tmp/bin/anchor
           lifecycle:
@@ -42,21 +65,21 @@ spec:
                 command:
                   - /tmp/bin/pre_stop
           volumeMounts:
-            - name: bin
+            - name: {{ .Values.service.name }}-bin
               mountPath: /tmp/bin
-            - name: etc
+            - name: {{ .Values.service.name }}-etc
               mountPath: /configmap
             - name: host
               mountPath: /host
             - name: secret
               mountPath: /secret
-      terminationGracePeriodSeconds: {{ .Values.anchor.termination_grace_period }}
+{{ if $mounts_controller_manager.volumeMounts }}{{ toYaml $mounts_controller_manager.volumeMounts | indent 12 }}{{ end }}
       volumes:
-        - name: bin
+        - name: {{ .Values.service.name }}-bin
           configMap:
             name: {{ .Values.service.name }}-bin
             defaultMode: 0555
-        - name: etc
+        - name: {{ .Values.service.name }}-etc
           configMap:
             name: {{ .Values.service.name }}-etc
             defaultMode: 0444
@@ -67,3 +90,5 @@ spec:
           secret:
             secretName: {{ .Values.service.name }}
             defaultMode: 0444
+{{ if $mounts_controller_manager.volumes }}{{ toYaml $mounts_controller_manager.volumes | indent 8 }}{{ end }}
+{{- end }}

charts/controller_manager/templates/etc/_kubeconfig.yaml.tpl

@@ -0,0 +1,34 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://{{ .Values.network.kubernetes_netloc }}
+    certificate-authority: cluster-ca.pem
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: controller-manager
+  name: controller-manager@kubernetes
+current-context: controller-manager@kubernetes
+kind: Config
+preferences: {}
+users:
+- name: controller-manager
+  user:
+    client-certificate: controller-manager.pem
+    client-key: controller-manager-key.pem

charts/controller_manager/templates/etc/_kubernetes-controller-manager.yaml.tpl

@@ -0,0 +1,53 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ .Values.service.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ .Values.service.name }}-service: enabled
+spec:
+  hostNetwork: true
+  containers:
+    - name: controller-manager
+      image: {{ .Values.images.tags.controller_manager }}
+      env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+      # NOTE: We will not expose parameters that should take on fixed values
+      # in the values.yaml as these parameters should not be changed by user(s).
+      command:
+        {{- range .Values.command_prefix }}
+        - {{ . }}
+        {{- end }}
+        - --configure-cloud-routes=false
+        - --leader-elect=true
+        - --kubeconfig=/etc/kubernetes/controller-manager/kubeconfig.yaml
+        - --root-ca-file=/etc/kubernetes/controller-manager/cluster-ca.pem
+        - --service-account-private-key-file=/etc/kubernetes/controller-manager/service-account.priv
+        - --use-service-account-credentials=true
+        - --v=5
+
+      volumeMounts:
+        - name: etc
+          mountPath: /etc/kubernetes/controller-manager
+  volumes:
+    - name: etc
+      hostPath:
+        path: {{ .Values.controller_manager.host_etc_path }}

charts/controller_manager/templates/secret.yaml

@@ -1,3 +1,21 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret }}
+{{- $envAll := . }}
 ---
 apiVersion: v1
 kind: Secret
@@ -5,5 +23,6 @@ metadata:
   name: {{ .Values.service.name }}
 type: Opaque
 data:
-  controller-manager-key.pem: {{ .Values.tls.key | b64enc }}
-  service-account.priv: {{ .Values.service_account.private_key | b64enc }}
+  controller-manager-key.pem: {{ .Values.secrets.tls.key | b64enc }}
+  service-account.priv: {{ .Values.secrets.service_account.private_key | b64enc }}
+{{- end }}

charts/controller_manager/values.yaml

@@ -1,31 +1,68 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+release_group: null
+
+images:
+  tags:
+    anchor: quay.io/attcomdev/kube-controller-manager:v1.8.0
+    controller_manager: quay.io/attcomdev/kube-controller-manager:v1.8.0
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+  pull_policy: "IfNotPresent"
+
+labels:
+  controller_manager:
+      node_selector_key: kubernetes-controller-manager
+      node_selector_value: enabled
+
 anchor:
   dns_policy: Default
   kubelet:
     manifest_path: /etc/kubernetes/manifests
-  node_selector:
-    key: kubernetes-controller-manager
-    value: enabled
   period: 15
-  termination_grace_period: 3600
+  files_to_copy:
+    - source: /configmap/cluster-ca.pem
+      dest: /etc/kubernetes/controller-manager/cluster-ca.pem
+    - source: /configmap/controller-manager.pem
+      dest: /etc/kubernetes/controller-manager/controller-manager.pem
+    - source: /configmap/kubeconfig.yaml
+      dest: /etc/kubernetes/controller-manager/kubeconfig.yaml
+    - source: /secret/controller-manager-key.pem
+      dest: /etc/kubernetes/controller-manager/controller-manager-key.pem
+    - source: /secret/service-account.priv
+      dest: /etc/kubernetes/controller-manager/service-account.priv
+    - source: /configmap/kubernetes-controller-manager.yaml
+      dest: /etc/kubernetes/manifests/kubernetes-controller-manager.yaml
 
 controller_manager:
-  command: /controller-manager
   host_etc_path: /etc/kubernetes/controller-manager
-  node_monitor_period: 5s
-  node_monitor_grace_period: 20s
-  pod_eviction_timeout: 60s
 
-service_account:
-  private_key: placeholder
+command_prefix:
+  - /controller-manager
+  - --cluster-cidr=10.97.0.0/16
+  - --node-monitor-period=5s
+  - --node-monitor-grace-period=20s
+  - --pod-eviction-timeout=60s
+  - --service-cluster-ip-range=10.96.0.0/16
 
-tls:
-  ca: placeholder
-  cert: placeholder
-  key: placeholder
-
-images:
-  anchor: quay.io/attcomdev/kube-controller-manager:v1.8.0
-  controller_manager: quay.io/attcomdev/kube-controller-manager:v1.8.0
+secrets:
+  tls:
+    ca: placeholder
+    cert: placeholder
+    key: placeholder
+  service_account:
+    private_key: placeholder
 
 network:
   kubernetes_netloc: 10.96.0.1
@@ -34,3 +71,38 @@ network:
 
 service:
   name: kubernetes-controller-manager
+
+dependencies:
+  controller_manager:
+
+pod:
+  mounts:
+    controller_manager:
+      init_container: null
+      controller_manager:
+  lifecycle:
+    upgrades:
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        controller_manager:
+          enabled: false
+          min_ready_seconds: 0
+          max_unavailable: 1
+    termination_grace_period:
+      controller_manager:
+        timeout: 3600
+  resources:
+    enabled: false
+    controller_manager:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+
+manifests:
+  configmap_bin: true
+  configmap_etc: true
+  controller_manager: true
+  secret: true

examples/basic/armada-resources.yaml

@@ -619,7 +619,7 @@ metadata:
         name: kubernetes
         path: $
       dest:
-        path: $.values.tls.ca
+        path: $.values.secrets.tls.ca
 
     -
       src:
@@ -627,21 +627,21 @@ metadata:
         name: controller-manager
         path: $
       dest:
-        path: $.values.tls.cert
+        path: $.values.secrets.tls.cert
     -
       src:
         schema: deckhand/CertificateKey/v1
         name: controller-manager
         path: $
       dest:
-        path: $.values.tls.key
+        path: $.values.secrets.tls.key
     -
       src:
         schema: deckhand/PrivateKey/v1
         name: service-account
         path: $
       dest:
-        path: $.values.service_account.private_key
+        path: $.values.secrets.service_account.private_key
 
 data:
   chart_name: controller_manager
@@ -652,14 +652,16 @@ data:
     no_hooks: true
   values:
     images:
-      anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
-      controller_manager: gcr.io/google_containers/hyperkube-amd64:v1.8.0
-    service_account:
-      private_key: placeholder
-    tls:
-      ca: placeholder
-      cert: placeholder
-      key: placeholder
+      tags:
+        anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+        controller_manager: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+    secrets:
+      service_account:
+        private_key: placeholder
+      tls:
+        ca: placeholder
+        cert: placeholder
+        key: placeholder
     network:
       kubernetes_netloc: apiserver.kubernetes.promenade:6443
       pod_cidr: 10.97.0.0/16

examples/complete/armada-resources.yaml

@@ -648,7 +648,7 @@ metadata:
         name: kubernetes
         path: $
       dest:
-        path: $.values.tls.ca
+        path: $.values.secrets.tls.ca
 
     -
       src:
@@ -656,21 +656,21 @@ metadata:
         name: controller-manager
         path: $
       dest:
-        path: $.values.tls.cert
+        path: $.values.secrets.tls.cert
     -
       src:
         schema: deckhand/CertificateKey/v1
         name: controller-manager
         path: $
       dest:
-        path: $.values.tls.key
+        path: $.values.secrets.tls.key
     -
       src:
         schema: deckhand/PrivateKey/v1
         name: service-account
         path: $
       dest:
-        path: $.values.service_account.private_key
+        path: $.values.secrets.service_account.private_key
 
 data:
   chart_name: controller_manager
@@ -681,14 +681,16 @@ data:
     no_hooks: true
   values:
     images:
-      anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
-      controller_manager: gcr.io/google_containers/hyperkube-amd64:v1.8.0
-    service_account:
-      private_key: placeholder
-    tls:
-      ca: placeholder
-      cert: placeholder
-      key: placeholder
+      tags:
+        anchor: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+        controller_manager: gcr.io/google_containers/hyperkube-amd64:v1.8.0
+    secrets:
+      service_account:
+        private_key: placeholder
+      tls:
+        ca: placeholder
+        cert: placeholder
+        key: placeholder
     network:
       kubernetes_netloc: apiserver.kubernetes.promenade:6443
       pod_cidr: 10.97.0.0/16

tools/gate/config-templates/bootstrap-armada-config.yaml

@@ -632,7 +632,7 @@ metadata:
         name: kubernetes
         path: $
       dest:
-        path: $.values.tls.ca
+        path: $.values.secrets.tls.ca
 
     -
       src:
@@ -640,21 +640,21 @@ metadata:
         name: controller-manager
         path: $
       dest:
-        path: $.values.tls.cert
+        path: $.values.secrets.tls.cert
     -
       src:
         schema: deckhand/CertificateKey/v1
         name: controller-manager
         path: $
       dest:
-        path: $.values.tls.key
+        path: $.values.secrets.tls.key
     -
       src:
         schema: deckhand/PrivateKey/v1
         name: service-account
         path: $
       dest:
-        path: $.values.service_account.private_key
+        path: $.values.secrets.service_account.private_key
 
 data:
   chart_name: controller_manager
@@ -665,14 +665,16 @@ data:
     no_hooks: true
   values:
     images:
-      anchor: ${IMAGE_HYPERKUBE}
-      controller_manager: ${IMAGE_HYPERKUBE}
-    service_account:
-      private_key: placeholder
-    tls:
-      ca: placeholder
-      cert: placeholder
-      key: placeholder
+      tags:
+        anchor: ${IMAGE_HYPERKUBE}
+        controller_manager: ${IMAGE_HYPERKUBE}
+    secrets:
+      service_account:
+        private_key: placeholder
+      tls:
+        ca: placeholder
+        cert: placeholder
+        key: placeholder
     network:
       kubernetes_netloc: apiserver.kubernetes.promenade:6443
       pod_cidr: 10.97.0.0/16