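---
# Armada chart document for the Drydock release in the `ucp` namespace.
# The `substitutions` list fills chart source, image tags, endpoints, log
# level, service accounts and passwords from other documents; `data` holds
# the static release settings and chart value overrides.
#
# NOTE(review): the page this was taken from had lost all indentation and
# interleaved gutter `|` lines between every row. Nesting below is rebuilt
# from key order; confirm against the repository copy before applying.
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: ucp-drydock
  layeringDefinition:
    abstract: false
    layer: global
  labels:
    name: ucp-drydock-global
  # This document is stored in cleartext; the passwords below are not
  # literal here, they arrive through substitution from
  # deckhand/Passphrase/v1 documents.
  # NOTE(review): confirm those source documents use an encrypted storage
  # policy and that access to the rendered form of this chart is
  # restricted, since the rendered values will carry the passwords.
  storagePolicy: cleartext
  substitutions:

    # Chart source
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.ucp.drydock
      dest:
        path: .source

    # Images
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.ucp.drydock
      dest:
        path: .values.images.tags

    # Endpoints

    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.identity
      dest:
        path: .values.endpoints.identity
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.postgresql
      dest:
        path: .values.endpoints.postgresql
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.physicalprovisioner
      dest:
        path: .values.endpoints.physicalprovisioner
    - src:
        schema: pegleg/EndpointCatalogue/v1
        name: ucp_endpoints
        path: .ucp.maas_region
      dest:
        path: .values.endpoints.maas_region

    # Drydock log level
    - src:
        schema: nc/CorridorConfig/v1
        name: corridor-config
        path: .airship.log_level
      dest:
        path: .values.conf.drydock.logging.log_level

    # Credentials

    # The PostgreSQL admin account is substituted into this chart alongside
    # Drydock's own database account.
    # NOTE(review): presumably only the db-init job needs the admin
    # account; confirm it is not exposed to the long-running API pods.
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.postgres.admin
      dest:
        path: .values.endpoints.postgresql.auth.admin
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.drydock.postgres
      dest:
        path: .values.endpoints.postgresql.auth.user
    # Replaces the DB_NAME placeholder inside the destination value rather
    # than overwriting the whole value.
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.drydock.postgres.database
      dest:
        path: .values.endpoints.postgresql.path
        pattern: DB_NAME
    - src:
        schema: pegleg/AccountCatalogue/v1
        name: ucp_service_accounts
        path: .ucp.drydock.keystone
      dest:
        path: .values.endpoints.identity.drydock.user

    # Secrets
    # Each entry copies a whole Passphrase document (`path: .`) into one
    # password field of the chart values.
    - dest:
        path: .values.endpoints.identity.auth.admin.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_keystone_admin_password
        path: .
    - dest:
        path: .values.endpoints.postgresql.auth.admin.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_postgres_admin_password
        path: .
    - dest:
        path: .values.endpoints.identity.auth.drydock.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_drydock_keystone_password
        path: .
    - dest:
        path: .values.endpoints.postgresql.auth.user.password
      src:
        schema: deckhand/Passphrase/v1
        name: ucp_drydock_postgres_password
        path: .

data:
  chart_name: drydock
  release: drydock
  namespace: ucp
  wait:
    timeout: 1800
    labels:
      release_group: clcp-drydock
  test:
    enabled: true
  install:
    no_hooks: false
  upgrade:
    no_hooks: false
    # Jobs carrying this release_group label are deleted before an upgrade.
    pre:
      delete:
        - type: job
          labels:
            release_group: clcp-drydock
  values:
    replicas:
      drydock: 2
    labels:
      node_selector_key: ucp-control-plane
      node_selector_value: enabled
    # TODO(sh8121): Refactor chart to support stricter security
    # but still support libvirt+ssh for virtual testing
    pod:
      # Every listed container, including init and test containers, is
      # assigned the runtime's default AppArmor profile.
      mandatory_access_control:
        type: apparmor
        drydock-api:
          init: runtime/default
          drydock-api: runtime/default
        drydock-db-init:
          init: runtime/default
          drydock-db-init: runtime/default
        drydock-db-sync:
          init: runtime/default
          drydock-db-sync: runtime/default
        drydock-api-test:
          drydock-api-test: runtime/default
        drydock-auth-test:
          drydock-auth-test: runtime/default
      security_context:
        drydock:
          pod:
            # Runs as root (UID 0); this is the relaxation the TODO above
            # refers to. A compromise of the API process gets root inside
            # the container, so AppArmor is the main remaining boundary.
            # NOTE(review): if the chart exposes allowPrivilegeEscalation
            # or capability drops for this pod, set them here.
            runAsUser: 0
          container:
            drydock_api:
              # Root filesystem stays writable for the API container.
              readOnlyRootFilesystem: false
    network:
      api:
        ingress:
          annotations:
            nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
            # Adds two response headers through an nginx snippet. This only
            # takes effect if the ingress controller permits snippet
            # annotations (allow-snippet-annotations); where that is turned
            # off for hardening, these headers are silently not set.
            # X-XSS-Protection is a legacy header that current browsers
            # ignore; X-Frame-Options: deny blocks framing of the API.
            nginx.ingress.kubernetes.io/configuration-snippet: |
              more_set_headers "X-XSS-Protection: 1; mode=block";
              more_set_headers "X-Frame-Options: deny";
      drydock:
        # The service is not published on a NodePort.
        node_port:
          enabled: false
    conf:
      uwsgi:
        threads: 1
        workers: 1
      drydock:
        DEFAULT:
          poll_interval: 30
        database:
          pool_size: 200
        plugins:
          ingester: drydock_provisioner.ingester.plugins.deckhand.DeckhandIngester
      # Role-based access rules: `admin_api` grants full access to
      # role:admin or role:admin_ucp; `admin_viewer` adds the read-only
      # role:admin_ucp_viewer. Read/verify/validate actions map to
      # admin_viewer, state-changing actions to admin_api.
      # NOTE(review): the nesting level of this key (under `conf` vs.
      # `conf.drydock`) could not be recovered from the page; confirm.
      # NOTE(review): confirm every key below matches a policy name that
      # the deployed Drydock registers. An override that matches no
      # registered name is presumably never evaluated, which leaves the
      # service default in force for that action.
      policy.override:
        admin_api: role:admin or role:admin_ucp
        admin_viewer: role:admin_ucp_viewer or rule:admin_api
        drydock:read_task: rule:admin_viewer
        drydock:create_task: rule:admin_api
        drydock:validate_design: rule:admin_viewer
        drydock:verify_site: rule:admin_viewer
        drydock:prepare_site: rule:admin_api
        drydock:verify_node: rule:admin_viewer
        drydock:prepare_node: rule:admin_api
        drydock:deploy_node: rule:admin_api
        drydock:destroy_node: rule:admin_api
        drydock:relabel_node: rule:admin_api
        drydock:read_build_data: rule:admin_viewer
        # NOTE(review): prefix is `drydockd:` here but `drydock:` on every
        # sibling key; looks like a typo that would leave this rule
        # unmatched. Left unchanged; confirm the intended name.
        drydockd:read_data: rule:admin_viewer
        drydock:ingest_data: rule:admin_api
        drydock:health_data: rule:admin_api
        drydock:validate_site_design: rule:admin_viewer
  dependencies:
    - drydock-htk
...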