APISERVER for webhook

This commit create an apisever pods with kubernetes keystone webhook
as a side for. The sole purpose of this pods is authentication and
authorization.

Change-Id: I74472576d7dc0da6ac66d7e0a8e1db5fad156952

charts/apiserver-webhook/Chart.yaml

@@ -0,0 +1,18 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vn
+description: A chart for Kubernetes keystone webhook API server
+name: apiserver-webhook
+version: 0.1.0

charts/apiserver-webhook/requirements.yaml

@@ -0,0 +1,18 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: http://localhost:8879/charts
+    version: 0.1.0

charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+exec /bin/k8s-keystone-auth \
+  --tls-cert-file /opt/kubernetes-keystone-webhook/pki/tls.crt \
+  --tls-private-key-file /opt/kubernetes-keystone-webhook/pki/tls.key \
+  --keystone-policy-file /etc/kubernetes-keystone-webhook/policy.json \
+  --listen 127.0.0.1:8443 \
+  --keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}

charts/apiserver-webhook/templates/configmap-bin.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.service.name }}-bin
+data:
+  webhook_start.sh: |
+{{ tuple "bin/_webhook_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}

charts/apiserver-webhook/templates/configmap-certs.yaml

@@ -0,0 +1,31 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_certs }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.service.name }}-certs
+data:
+  cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
+  apiserver.pem: {{ .Values.secrets.tls.cert | quote }}
+  etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
+  etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
+  service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
+{{- end }}

charts/apiserver-webhook/templates/configmap-etc.yaml

@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.service.name }}-etc
+data:
+  webhook.kubeconfig: |
+{{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  policy.json: |
+{{ toPrettyJson $envAll.Values.conf.policy | indent 4 }}
+{{- end }}

charts/apiserver-webhook/templates/deployment.yaml

@@ -0,0 +1,142 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubernetes-keystone-webhook
+  labels:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ $envAll.Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+        - name: apiserver
+          image: {{ .Values.images.tags.apiserver }}
+{{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+          env:
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: NODENAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+
+          command:
+            {{- range .Values.command_prefix }}
+            - {{ . }}
+            {{- end }}
+            - --authorization-mode=Webhook
+            - --advertise-address=$(POD_IP)
+            - --anonymous-auth=false
+            - --endpoint-reconciler-type=none
+            - --bind-address=0.0.0.0
+            - --secure-port={{ .Values.network.kubernetes_apiserver.port }}
+            - --insecure-port=0
+            - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
+            - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
+            - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+            - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+            - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
+            - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
+            - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+            - --etcd-servers={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+            - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
+            - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
+            - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
+            - --allow-privileged=true
+            - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+            - --authentication-token-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig
+            - --authorization-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig
+          ports:
+            - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
+          readinessProbe:
+            tcpSocket:
+              port: 6443
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: 6443
+            failureThreshold: 3
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          volumeMounts:
+            - name: etc
+              mountPath: /etc/kubernetes/apiserver
+            - name: {{ .Values.service.name }}-etc
+              mountPath: /etc/kubernetes/apiserver/webhook.kubeconfig
+              subPath: webhook.kubeconfig
+              readOnly: true
+        - name: kubernetes-keystone-webhook
+{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          command:
+            - /tmp/webhook_start.sh
+          volumeMounts:
+            - name: etc-kubernetes-keystone-webhook
+              mountPath: /etc/kubernetes-keystone-webhook
+            - name: key-kubernetes-keystone-webhook
+              mountPath: /opt/kubernetes-keystone-webhook/pki/tls.crt
+              subPath: tls.crt
+              readOnly: true
+            - name: key-kubernetes-keystone-webhook
+              mountPath: /opt/kubernetes-keystone-webhook/pki/tls.key
+              subPath: tls.key
+              readOnly: true
+            - name: {{ .Values.service.name }}-etc
+              mountPath: /etc/kubernetes-keystone-webhook/policy.json
+              subPath: policy.json
+              readOnly: true
+            - name: {{ .Values.service.name }}-bin
+              mountPath: /tmp/webhook_start.sh
+              subPath: webhook_start.sh
+              readOnly: true
+      volumes:
+        - name: etc
+          hostPath:
+            path: {{ .Values.apiserver.host_etc_path }}
+        - name: etc-kubernetes-keystone-webhook
+          emptyDir: {}
+        - name: key-kubernetes-keystone-webhook
+          secret:
+            secretName: {{ $envAll.Values.secrets.certificates.api }}
+            defaultMode: 0444
+        - name: {{ .Values.service.name }}-etc
+          configMap:
+            name: {{ .Values.service.name }}-etc
+            defaultMode: 0444
+        - name: {{ .Values.service.name }}-bin
+          configMap:
+            name: {{ .Values.service.name }}-bin
+            defaultMode: 0555
+{{- end }}

charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl

@@ -0,0 +1,34 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://127.0.0.1:{{ .Values.network.kubernetes_apiserver.port }}
+    certificate-authority: pki/cluster-ca.pem
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: apiserver
+  name: apiserver@kubernetes
+current-context: apiserver@kubernetes
+kind: Config
+preferences: {}
+users:
+- name: apiserver
+  user:
+    client-certificate: pki/apiserver.pem
+    client-key: pki/apiserver-key.pem

charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl

@@ -0,0 +1,16 @@
+apiVersion: v1
+clusters:
+  - cluster:
+      insecure-skip-tls-verify: false
+      server: https://127.0.0.1:8443/webhook
+    name: webhook
+contexts:
+  - context:
+      cluster: webhook
+      user: webhook
+    name: webhook
+current-context: webhook
+kind: Config
+preferences: {}
+users:
+  - name: webhook

charts/apiserver-webhook/templates/ingress-api.yaml

@@ -0,0 +1,21 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.kubernetes_apiserver.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" "backendPort" "https" -}}
+{{- $ingressOpts | include "helm-toolkit.manifests.ingress" -}}
+{{- end }}

charts/apiserver-webhook/templates/secret-apiserver.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.service.name }}-keys
+type: Opaque
+data:
+  apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
+  etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
+{{- end }}

charts/apiserver-webhook/templates/secret-ingress-tls.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" ) }}
+{{- end }}

charts/apiserver-webhook/templates/secret-keystone.yaml

@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}

charts/apiserver-webhook/templates/secret-webhook.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_webhook }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $envAll.Values.secrets.certificates.api }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.crt | default "" | b64enc }}
+  tls.key: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.key | default "" | b64enc }}
+{{- end }}

charts/apiserver-webhook/templates/service-apiserver-ingress.yaml

@@ -0,0 +1,21 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress .Values.network.kubernetes_apiserver.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "kubernetes-keystone-webhook" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}

charts/apiserver-webhook/templates/service.yaml

@@ -0,0 +1,34 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.service.name }}
+  annotations:
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+  ports:
+    - name: https
+      port: {{ .Values.network.kubernetes_apiserver.port }}
+      protocol: TCP
+      targetPort: {{ .Values.network.kubernetes_apiserver.port }}
+  selector:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}

charts/apiserver-webhook/values.yaml

@@ -0,0 +1,295 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+release_group: null
+
+images:
+  tags:
+    apiserver: gcr.io/google_containers/hyperkube-amd64:v1.10.2
+    kubernetes_keystone_webhook: docker.io/k8scloudprovider/k8s-keystone-auth:latest
+    scripted_test: docker.io/openstackhelm/heat:newton
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: IfNotPresent
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+labels:
+  kubernetes_apiserver:
+    node_selector_key: kubernetes-apiserver
+    node_selector_value: enabled
+
+command_prefix:
+  - /apiserver
+  - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
+  - --service-cluster-ip-range=10.96.0.0/16
+  - --v=5
+
+apiserver:
+  host_etc_path: /etc/kubernetes/apiserver
+
+network:
+  kubernetes_apiserver:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx-cluster"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
+        nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/secure-backends: "true"
+    name: kubernetes-apiserver
+    port: 6443
+    node_port:
+      enabled: false
+      port: 31943
+
+service:
+  name: kubernetes-webhook-apiserver
+  ip: null
+
+secrets:
+  tls:
+    ca: placeholder
+    cert: placeholder
+    key: placeholder
+  service_account:
+    public_key: placeholder
+  etcd:
+    tls:
+      ca: placeholder
+      cert: placeholder
+      key: placeholder
+  identity:
+    admin: kubernetes-keystone-webhook-admin
+  certificates:
+    api: kubernetes-keystone-webhook-certs
+
+kubernetes_keystone_webhook:
+  port: 8443
+  endpoints: https://k8sksauth-api.kube-system.svc.cluster.local
+
+# typically overriden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  kubernetes_apiserver:
+    name: kubernetes-webhook-apiserver
+    hosts:
+      default: keystone
+      internal: keystone-api
+    port:
+      https:
+        default: 6443
+        public: 443
+    path:
+      default: /
+    scheme:
+      default: http
+      public: http
+    host_fqdn_override:
+      default: null
+      # NOTE: this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+  kubernetes:
+    auth:
+      api:
+        tls:
+          crt: null
+          key: null
+  identity:
+    name: keystone
+    namespace: null
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  kubernetes_keystone_webhook:
+    namespace: null
+    name: k8sksauth
+    hosts:
+      default: k8sksauth-api
+      public: k8sksauth
+    host_fqdn_override:
+      default: null
+    path:
+      default: /webhook
+    scheme:
+      default: https
+    port:
+      api:
+        default: 8443
+        public: 443
+  etcd:
+    name: etcd
+    namespace: kube-system
+    hosts:
+      default: kubernetes-etcd
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: https
+    port:
+      client:
+        default: 2379
+
+pod:
+  mounts:
+    kubernetes_apiserver:
+      init_container: null
+      kubernetes_apiserver:
+  replicas:
+    apiserver: 1
+    api: 1
+  lifecycle:
+    upgrades:
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        kubernetes_apiserver:
+          enabled: false
+          min_ready_seconds: 0
+          max_unavailable: 1
+    termination_grace_period:
+      kubernetes_apiserver:
+        timeout: 3600
+  resources:
+    enabled: false
+    anchor_pod:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    kubernetes_apiserver:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "256Mi"
+        cpu: "200m"
+    jobs:
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "256Mi"
+          cpu: "200m"
+  mounts:
+    kubernetes_keystone_webhook_api:
+      init_container: null
+      kubernetes_keystone_webhook_api: null
+    kubernetes_keystone_webhook_tests:
+      init_container: null
+      kubernetes_keystone_webhook_tests: null
+conf:
+  policy:
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "*"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - admin
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "kube-system"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - kube-system-admin
+    - resource:
+        verbs:
+          - get
+          - list
+          - watch
+        resources:
+          - "*"
+        namespace: "kube-system"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - kube-system-viewer
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "openstack"
+        version: "*"
+      match:
+        - type: project
+          values:
+            - openstack-system
+
+manifests:
+  configmap_bin: true
+  configmap_certs: true
+  configmap_etc: true
+  deployment: true
+  ingress_api: false
+  pod_test: false
+  kubernetes_apiserver: true
+  secret: true
+  secret_ingress_tls: false
+  secret_webhook: true
+  service: true
+  service_ingress: false