# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

release_group: null

# NOTE(mark-burnett): These values are not really configurable -- they live
# here to keep the templates cleaner.
const:
  command_prefix:
    - /apiserver
    - --advertise-address=$(POD_IP)
    - --allow-privileged=true
    - --anonymous-auth=false
    - --bind-address=0.0.0.0
    - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
    - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
    - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
    - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
    - --etcd-servers=$(ETCD_ENDPOINTS)
    - --insecure-port=0
    - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
    - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
    - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --secure-port=$(APISERVER_PORT)
    - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
    - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
    - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem

  files_to_copy:
    # NOTE(mark-burnett): These are (host dest): (container source) pairs
    /etc/kubernetes/apiserver/kubeconfig.yaml: /tmp/etc/kubeconfig.yaml
    /etc/kubernetes/apiserver/pki/apiserver-key.pem: /keys/apiserver-key.pem
    /etc/kubernetes/apiserver/pki/apiserver.pem: /certs/apiserver.pem
    /etc/kubernetes/apiserver/pki/cluster-ca.pem: /certs/cluster-ca.pem
    /etc/kubernetes/apiserver/pki/etcd-client-ca.pem: /certs/etcd-client-ca.pem
    /etc/kubernetes/apiserver/pki/etcd-client-key.pem: /keys/etcd-client-key.pem
    /etc/kubernetes/apiserver/pki/etcd-client.pem: /certs/etcd-client.pem
    /etc/kubernetes/apiserver/pki/kubelet-client-ca.pem: /certs/kubelet-client-ca.pem
    /etc/kubernetes/apiserver/pki/kubelet-client-key.pem: /keys/kubelet-client-key.pem
    /etc/kubernetes/apiserver/pki/kubelet-client.pem: /certs/kubelet-client.pem
    /etc/kubernetes/apiserver/pki/service-account.pub: /certs/service-account.pub
    /etc/kubernetes/manifests/kubernetes-apiserver.yaml: /tmp/etc/kubernetes-apiserver.yaml

images:
  tags:
    anchor: gcr.io/google_containers/hyperkube-amd64:v1.10.11
    apiserver: gcr.io/google_containers/hyperkube-amd64:v1.10.11
  pull_policy: "IfNotPresent"

labels:
  kubernetes_apiserver:
    node_selector_key: kubernetes-apiserver
    node_selector_value: enabled

anchor:
  dns_policy: Default
  kubelet:
    manifest_path: /etc/kubernetes/manifests
  period: 15

conf:
# Uncomment any of the below to enable the file placement and associated apiserver
# command line options
#
#  acconfig:
#    file: acconfig.yaml
#    command_options:
#      - '--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml'
#      - '--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit'
#    content:
#      kind: AdmissionConfiguration
#      apiVersion: apiserver.k8s.io/v1alpha1
#      plugins:
#        - name: EventRateLimit
#          path: eventconfig.yaml
#  eventconfig:
#    file: eventconfig.yaml
#    command_options:
#      - '--experimental-encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
#    content:
#      kind: Configuration
#      apiVersion: eventratelimit.admission.k8s.io/v1alpha1
#      limits:
#        - type: Server
#          qps: 1000
#          burst: 10000
#  encryption_provider:
#    file: encryption_provider.yaml
#    command_option: ''
#    content:
#      kind: EncryptionConfig
#      apiVersion: v1
#      resources:
#        - resources:
#            - 'secrets'
#          providers:
#            - identity: {}

apiserver:
  arguments:
    - --authorization-mode=Node,RBAC
    - --service-cluster-ip-range=10.96.0.0/16
    - --endpoint-reconciler-type=lease
    - --feature-gates=PodShareProcessNamespace=true
    # NOTE(mark-burnett): This flag is removed in Kubernetes 1.11
    - --repair-malformed-updates=false
    - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction
    - --v=3
  etcd:
    endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
  host_etc_path: /etc/kubernetes/apiserver

network:
  kubernetes_apiserver:
    ingress:
      public: true
      classes:
        namespace: "nginx-cluster"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        nginx.ingress.kubernetes.io/secure-backends: "true"
    name: kubernetes-apiserver
    port: 6443
    node_port:
      enabled: false
      port: 31943

service:
  name: kubernetes-apiserver
  ip: null

secrets:
  tls:
    ca: placeholder
    cert: placeholder
    key: placeholder
  service_account:
    public_key: placeholder
  etcd:
    tls:
      ca: placeholder
      cert: placeholder
      key: placeholder
  kubelet:
    tls:
      ca: null
      cert: null
      key: null

# typically overriden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
  cluster_domain_suffix: cluster.local
  kubernetes_apiserver:
    name: kubernetes-apiserver
    hosts:
      default: kubernetes-apiserver
    port:
      https:
        default: 6443
        public: 443
    path:
      default: /
    scheme:
      default: https
      public: https
    host_fqdn_override:
      default: null
      # NOTE: this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null

pod:
  mounts:
    kubernetes_apiserver:
      init_container: null
      kubernetes_apiserver:
  replicas:
    apiserver: 3
  lifecycle:
    upgrades:
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        kubernetes-apiserver-anchor:
          enabled: false
          min_ready_seconds: 0
          max_unavailable: 1
    termination_grace_period:
      kubernetes_apiserver:
        timeout: 3600
  resources:
    enabled: false
    anchor_pod:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    kubernetes_apiserver:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"

manifests:
  configmap_bin: true
  configmap_certs: true
  configmap_etc: true
  ingress_api: false
  kubernetes_apiserver: true
  secret: true
  secret_ingress_tls: false
  service: true
  service_ingress: false