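---
# The purpose of this file is to apply the proper labels to the Genesis node
# so the proper services are installed and the proper configuration is
# applied. This may need to be changed for a new site if it diverges from a
# standard deployment that contains Airship, OSH-Infra and OSH.
#
# Review notes:
#   - Several substitutions below address list elements by position
#     (.apiserver.arguments[2], .apiserver.arguments[3], .files[2], .files[3],
#     .files[4]). Reordering `data.apiserver.arguments` or `data.files`
#     silently moves the substituted value onto the wrong entry; keep the
#     indices and the lists in sync when editing either.
#   - The `mode` values under `data.files` are unquoted leading-zero literals.
#     They read as octal only under YAML 1.1 semantics; a YAML 1.2 parser
#     would read 0444 as decimal 444. Confirm the loader before changing them.
schema: promenade/Genesis/v1
metadata:
  schema: metadata/Document/v1
  name: genesis
  layeringDefinition:
    abstract: false
    layer: global
  labels:
    name: genesis-global
  # The document as written holds no secret material; the aggregation-API
  # private key is pulled in at render time from a deckhand/CertificateKey/v1
  # source (see the last substitution). Confirm that the rendering pipeline
  # treats the substituted output as sensitive rather than relying on this
  # cleartext policy.
  storagePolicy: cleartext
  substitutions:
    # Software versions for the bootstrapping phase
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.ucp.armada.api
      dest:
        path: .images.armada
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.ucp.armada.tiller
      dest:
        path: .images.helm.tiller
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.apiserver.apiserver
      dest:
        path: .images.kubernetes.apiserver
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.controller-manager.controller_manager
      dest:
        path: .images.kubernetes.controller-manager
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.etcd.etcd
      dest:
        path: .images.kubernetes.etcd
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.scheduler.scheduler
      dest:
        path: .images.kubernetes.scheduler

    # Site-specific configuration
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .genesis.hostname
      dest:
        path: .hostname
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .genesis.ip
      dest:
        path: .ip
    - src:
        schema: nc/ControlPlaneAddresses/v1
        name: control-plane-addresses
        path: .genesis.ip.oam
      dest:
        path: .external_ip
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .dns.node_domain
      dest:
        path: .domain

    # Site-specific kube-apiserver argument values. These are positional:
    # arguments[2] must stay the --service-cluster-ip-range flag and
    # arguments[3] the --service-node-port-range flag, and the SERVICE_CIDR /
    # SERVICE_NODE_PORT_RANGE placeholders must remain in them.
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.service_cidr
      dest:
        path: .apiserver.arguments[2]
        pattern: SERVICE_CIDR
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.service_node_port_range
      dest:
        path: .apiserver.arguments[3]
        pattern: SERVICE_NODE_PORT_RANGE

    # etcd encryption-at-rest policy; rendered into the encryption provider
    # config referenced by --encryption-provider-config below.
    - src:
        schema: promenade/EncryptionPolicy/v1
        name: encryption-policy
        path: .etcd
      dest:
        path: .apiserver.encryption

    # Aggregation API (requestheader / front-proxy) material. Positional:
    # files[2] is the CA, files[3] the proxy client cert, files[4] its key.
    - src:
        schema: deckhand/CertificateAuthority/v1
        name: kubernetes-agg-api
        path: .
      dest:
        path: .files[2].content
    - src:
        schema: deckhand/Certificate/v1
        name: apiserver-proxy
        path: .
      dest:
        path: .files[3].content
    - src:
        schema: deckhand/CertificateKey/v1
        name: apiserver-proxy
        path: .
      dest:
        path: .files[4].content

data:
  apiserver:
    command_prefix:
      - /hyperkube
      - kube-apiserver
    arguments:
      - --authorization-mode=Node,RBAC
      # PodSecurityPolicy is enforced: every workload needs a permitting
      # PodSecurityPolicy object and RBAC binding, which are defined outside
      # this document. NodeRestriction limits kubelet credentials to their own
      # node's objects; EventRateLimit is configured via acconfig.yaml below.
      - --enable-admission-plugins=PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
      # Placeholders replaced by substitution (arguments[2] and arguments[3]).
      - --service-cluster-ip-range=SERVICE_CIDR
      - --service-node-port-range=SERVICE_NODE_PORT_RANGE
      - --feature-gates=PodShareProcessNamespace=true,TaintBasedEvictions=false
      - --v=3
      - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
      - --encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml
      # Front-proxy authentication: only client certs signed by agg-api-ca
      # whose CN is in --requestheader-allowed-names may assert identity via
      # the X-Remote-* headers. The apiserver-proxy certificate substituted
      # into files[3] must therefore carry CN=aggregator.
      - --requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem
      - --requestheader-extra-headers-prefix=X-Remote-Extra-
      - --requestheader-group-headers=X-Remote-Group
      - --requestheader-username-headers=X-Remote-User
      - --requestheader-allowed-names=aggregator
      - --proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem
      - --proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem
  armada:
    target_manifest: cluster-bootstrap
    metrics:
      output_dir: /var/log/node-exporter-textfiles
  tiller:
    # Release state kept in Secrets rather than ConfigMaps so rendered
    # chart values are not readable by anyone with ConfigMap access.
    storage: secret
  labels:
    dynamic:
      - beta.kubernetes.io/fluentd-ds-ready=true
      - tenant-ceph-control-plane=enabled
      - calico-etcd=enabled
      - tenant-ceph-mon=enabled
      - tenant-ceph-rgw=enabled
      - tenant-ceph-mgr=enabled
      - ceph-mds=enabled
      - ceph-mon=enabled
      - ceph-osd=enabled
      - ceph-rgw=enabled
      - ceph-mgr=enabled
      - kube-dns=enabled
      - kube-ingress=enabled
      - kubernetes-apiserver=enabled
      - kubernetes-controller-manager=enabled
      - kubernetes-etcd=enabled
      - kubernetes-scheduler=enabled
      - promenade-genesis=enabled
      - ucp-control-plane=enabled
      - maas-rack=enabled
      - maas-region=enabled
      - openstack-control-plane=enabled
      - openstack-l3-agent=enabled
      - openstack-dhcp-agent=enabled
      - openstack-metadata-agent=enabled
      - openstack-neutron-server=enabled
      - openvswitch=enabled
      - node-exporter=enabled
      - fluentd=enabled
      - hosttype=nc-cp-adv
      - sriov=enabled
      - elasticsearch-data=enabled
      - elasticsearch-client=enabled
      - elasticsearch-master=enabled
      - prometheus-server=enabled
  files:
    - path: /etc/genesis/apiserver/acconfig.yaml
      mode: 0444
      content: |
        kind: AdmissionConfiguration
        apiVersion: apiserver.k8s.io/v1alpha1
        plugins:
          - name: EventRateLimit
            path: eventconfig.yaml
    - path: /etc/genesis/apiserver/eventconfig.yaml
      mode: 0444
      content: |
        kind: Configuration
        apiVersion: eventratelimit.admission.k8s.io/v1alpha1
        limits:
          - type: Server
            qps: 1000
            burst: 10000
    # files[2..4]: content is filled by substitution; keep this order.
    - path: /etc/genesis/apiserver/agg-api-ca.pem
      mode: 0400
    - path: /etc/genesis/apiserver/apiserver-proxy-cert.pem
      mode: 0400
    # Private key: owner-read-only. Do not relax this mode.
    - path: /etc/genesis/apiserver/apiserver-proxy-key.pem
      mode: 0400
    - path: /var/lib/anchor/calico-etcd-bootstrap
      content: "# placeholder for triggering calico etcd bootstrapping"
      mode: 0644
  haproxy:
    # uid 0: the bootstrap HAProxy runs as root. Confirm this is required
    # (e.g. for binding privileged ports) rather than inherited by default.
    run_as_user: "0"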