
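---
# The purpose of this file is to apply proper labels to Genesis node so the
# proper services are installed and proper configuration applied. This may
# need to be changed for a new site if it diverges from a standard deployment
# that contains Airship, OSH-Infra, OSH.
#
# Reviewer notes:
#   - Several substitutions below target positional paths
#     (.apiserver.arguments[N], .files[N].content). Those indexes are coupled
#     to the ORDER of data.apiserver.arguments and data.files; inserting or
#     reordering an entry silently moves a substituted value (e.g. a private
#     key) onto a different path/mode. Re-check the indexes after any edit.
#   - The indentation of this document was lost upstream; it is reconstructed
#     here with 2-space indented sequences throughout.
schema: promenade/Genesis/v1
metadata:
  schema: metadata/Document/v1
  name: genesis
  layeringDefinition:
    abstract: false
    layer: global
  labels:
    name: genesis-global
  # This document itself is stored in cleartext; the certificate/key material
  # is pulled in by substitution from separate deckhand documents.
  storagePolicy: cleartext
  substitutions:
    # Software versions for bootstrapping phase
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.ucp.armada.api
      dest:
        path: .images.armada
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.ucp.armada.tiller
      dest:
        path: .images.helm.tiller
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.apiserver.apiserver
      dest:
        path: .images.kubernetes.apiserver
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.controller-manager.controller_manager
      dest:
        path: .images.kubernetes.controller-manager
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.etcd.etcd
      dest:
        path: .images.kubernetes.etcd
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.scheduler.scheduler
      dest:
        path: .images.kubernetes.scheduler
    # Site-specific configuration
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .genesis.hostname
      dest:
        path: .hostname
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .genesis.ip
      dest:
        path: .ip
    - src:
        schema: nc/ControlPlaneAddresses/v1
        name: control-plane-addresses
        path: .genesis.ip.oam
      dest:
        path: .external_ip
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .dns.node_domain
      dest:
        path: .domain
    # API server argument placeholders: SERVICE_CIDR and
    # SERVICE_NODE_PORT_RANGE are replaced inside .apiserver.arguments[2]
    # and [3] below (the --service-cluster-ip-range and
    # --service-node-port-range flags). These are argument substitutions,
    # not command_prefix substitutions.
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.service_cidr
      dest:
        path: .apiserver.arguments[2]
        pattern: SERVICE_CIDR
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.service_node_port_range
      dest:
        path: .apiserver.arguments[3]
        pattern: SERVICE_NODE_PORT_RANGE
    # Set etcd encryption policy
    - src:
        schema: promenade/EncryptionPolicy/v1
        name: encryption-policy
        path: .etcd
      dest:
        path: .apiserver.encryption
    # Aggregation API configuration.
    # The CA, client certificate and client private key land in
    # data.files[2], [3] and [4] respectively; those entries carry mode 0400
    # below. Keep the index <-> path pairing intact.
    - src:
        schema: deckhand/CertificateAuthority/v1
        name: kubernetes-agg-api
        path: .
      dest:
        path: .files[2].content
    - src:
        schema: deckhand/Certificate/v1
        name: apiserver-proxy
        path: .
      dest:
        path: .files[3].content
    - src:
        schema: deckhand/CertificateKey/v1
        name: apiserver-proxy
        path: .
      dest:
        path: .files[4].content
data:
  apiserver:
    command_prefix:
      - /hyperkube
      - kube-apiserver
    # Arguments [2] and [3] contain placeholders filled by substitution above.
    arguments:
      - --authorization-mode=Node,RBAC
      - --enable-admission-plugins=PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit
      - --service-cluster-ip-range=SERVICE_CIDR
      - --service-node-port-range=SERVICE_NODE_PORT_RANGE
      - --feature-gates=PodShareProcessNamespace=true,TaintBasedEvictions=false
      - --v=3
      # The admission/encryption/cert files are written under
      # /etc/genesis/apiserver (see data.files) but referenced here under
      # /etc/kubernetes/apiserver — presumably mapped by promenade when the
      # apiserver is started; verify against the promenade templates before
      # changing either side.
      - --admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml
      - --encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml
      - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem'
      - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
      - '--requestheader-group-headers=X-Remote-Group'
      - '--requestheader-username-headers=X-Remote-User'
      - '--requestheader-allowed-names=aggregator'
      - '--proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem'
      - '--proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem'
  armada:
    target_manifest: cluster-bootstrap
    metrics:
      output_dir: /var/log/node-exporter-textfiles
  tiller:
    storage: secret
  labels:
    # Node labels applied to the genesis host; each one gates which charts
    # schedule onto it. Duplicate entries are redundant — the repeated
    # openstack-l3-agent=enabled has been dropped.
    dynamic:
      - beta.kubernetes.io/fluentd-ds-ready=true
      - tenant-ceph-control-plane=enabled
      - calico-etcd=enabled
      - tenant-ceph-mon=enabled
      - tenant-ceph-rgw=enabled
      - tenant-ceph-mgr=enabled
      - ceph-mds=enabled
      - ceph-mon=enabled
      - ceph-osd=enabled
      - ceph-rgw=enabled
      - ceph-mgr=enabled
      - kube-dns=enabled
      - kube-ingress=enabled
      - kubernetes-apiserver=enabled
      - kubernetes-controller-manager=enabled
      - kubernetes-etcd=enabled
      - kubernetes-scheduler=enabled
      - promenade-genesis=enabled
      - ucp-control-plane=enabled
      - maas-rack=enabled
      - maas-region=enabled
      - openstack-control-plane=enabled
      - openstack-l3-agent=enabled
      - openstack-dhcp-agent=enabled
      - openstack-metadata-agent=enabled
      - openstack-neutron-server=enabled
      - openvswitch=enabled
      - node-exporter=enabled
      - fluentd=enabled
      - hosttype=nc-cp-adv
      - sriov=enabled
      - elasticsearch-data=enabled
      - elasticsearch-client=enabled
      - elasticsearch-master=enabled
      - prometheus-server=enabled
  # NOTE(review): mode values are unquoted leading-zero integers, which only
  # read as octal under YAML 1.1 semantics. They are left unquoted here
  # because the consuming schema may require an integer; confirm against
  # the promenade Genesis schema before quoting them as strings.
  files:
    - path: /etc/genesis/apiserver/acconfig.yaml
      mode: 0444
      content: |
        kind: AdmissionConfiguration
        apiVersion: apiserver.k8s.io/v1alpha1
        plugins:
          - name: EventRateLimit
            path: eventconfig.yaml
    - path: /etc/genesis/apiserver/eventconfig.yaml
      mode: 0444
      content: |
        kind: Configuration
        apiVersion: eventratelimit.admission.k8s.io/v1alpha1
        limits:
          - type: Server
            qps: 1000
            burst: 10000
    # files[2]: aggregation-layer CA (content supplied by substitution)
    - path: /etc/genesis/apiserver/agg-api-ca.pem
      mode: 0400
    # files[3]: aggregator client certificate (content supplied by substitution)
    - path: /etc/genesis/apiserver/apiserver-proxy-cert.pem
      mode: 0400
    # files[4]: aggregator client private key (content supplied by
    # substitution); must stay owner-read-only
    - path: /etc/genesis/apiserver/apiserver-proxy-key.pem
      mode: 0400
    - path: /var/lib/anchor/calico-etcd-bootstrap
      content: "# placeholder for triggering calico etcd bootstrapping"
      mode: 0644
  haproxy:
    # Quoted so the value stays a string; uid 0 means the proxy runs as root.
    run_as_user: "0"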