airship
/
promenade
Code Issues Proposed changes

(charts) Webhook dynamic config 

- support a similar dynamic config patter in the apiserver-webhook
  chart as the base apiserver chart

- Update the example values.yaml in apiserver to fully reflect
  configuration of the aggregation API

Change-Id: I85da2512934071fb9d9465ee4b957e18a8e394ad
This commit is contained in:
Scott Hussey 2019-08-16 16:43:14 -05:00
parent 5c92a11b8a
commit ecfd773506
5 changed files with 100 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
charts/apiserver-webhook/templates/config-dynamic-config.yaml Normal file
View File

@ -0,0 +1,32 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_dynamic_config }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-dynamic-config
data:
{{- range $key, $val := .Values.conf.apiserver }}
{{ $val.file }}: |
{{- if kindIs "string" $val.content }}
{{ indent 4 $val.content }}
{{- else }}
{{ toYaml $val.content | indent 4 }}
{{- end }}
{{- end -}}
{{- end }}

2
charts/apiserver-webhook/templates/configmap-etc.yaml
View File

@ -28,6 +28,4 @@ data:
{{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
policy.json: |
{{ toPrettyJson $envAll.Values.conf.policy | indent 4 }}
encryption_provider.json: |
{{ toPrettyJson $envAll.Values.conf.encryption_provider.content | indent 4 }}
{{- end }}

15
charts/apiserver-webhook/templates/deployment.yaml
View File

@ -163,7 +163,13 @@ spec:
- --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
- --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
- --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
- --experimental-encryption-provider-config={{ $envAll.Values.conf.paths.encryption_provider }}
{{- range $key, $val := .Values.conf.apiserver }}
{{- if hasKey $val "command_options" }}
{{- range $val.command_options }}
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
readinessProbe:
tcpSocket:
port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -175,6 +181,9 @@ spec:
volumeMounts:
- name: etc-apiserver
mountPath: {{ $envAll.Values.conf.paths.base }}
- name: apiserver-dynamic-config
mountPath: {{ $envAll.Values.conf.paths.base }}dynamic
readOnly: true
- name: etc-apiserver-pki
mountPath: {{ $envAll.Values.conf.paths.pki }}
- name: configmap-etc
@ -239,6 +248,10 @@ spec:
emptyDir: {}
- name: etc-apiserver-pki
emptyDir: {}
- name: apiserver-dynamic-config
configMap:
name: {{ .Release.Name }}-dynamic-config
defaultMode: 0444
- name: etc-webhook
emptyDir: {}
- name: etc-webhook-pki

38
charts/apiserver-webhook/values.yaml
View File

@ -275,10 +275,39 @@ conf:
policy: '/etc/webhook_apiserver/conf/policy.json'
sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'
encryption_provider:
content:
kind: EncryptionConfig
apiVersion: v1
# Every key below 'apiserver' yields a dynamic configuration file
# and can mutate the apiserver command-line args.
# The files are available under /dynamic in conf.paths.base
apiserver:
agg_api_ca:
file: agg-api-ca.pem
command_options:
- '--requestheader-client-ca-file=/etc/webhook_apiserver/dynamic/agg-api-ca.pem'
- '--requestheader-extra-headers-prefix=X-Remote-Extra-'
- '--requestheader-group-headers=X-Remote-Group'
- '--requestheader-username-headers=X-Remote-User'
- '--requestheader-allowed-names="aggregator"'
content: |
-----SOME CA-----
apiserver_proxy_cert:
file: 'apiserver-proxy-cert.pem'
command_options:
- '--proxy-client-cert-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-cert.pem'
content: |
------SOME CERT-----
apiserver_proxy_key:
file: 'apiserver-proxy-key.pem'
command_options:
- '--proxy-client-key-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-key.pem'
content: |
-----SOME KEY-----
encryption_provider:
file: 'encryption_provider.yaml'
command_options:
- '--experimental-encryption-provider-config=/etc/webhook_apiserver/dynamic/encryption_provider.yaml'
content:
kind: EncryptionConfig
apiVersion: v1
policy:
- resource:
verbs:
@ -345,6 +374,7 @@ manifests:
configmap_bin: true
configmap_certs: true
configmap_etc: true
configmap_dynamic_config: true
job_ks_user: true
deployment: true
ingress_api: true

26
charts/apiserver/values.yaml
View File

@ -108,14 +108,28 @@ conf:
- type: Server
qps: 1000
burst: 10000
# aggapi:
# file: kube-agg-api-ca.pem
# agg_api_ca:
# file: agg-api-ca.pem
# command_options:
# - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/kube-agg-api-ca.pem'
# - '--requestheader-allowed-names=agg-client'
# - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem'
# - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
# - '--requestheader-group-headers=X-Remote-Group'
# - '--requestheader-username-headers=X-Remote-User'
# - '--requestheader-allowed-names="aggregator"'
# content: |
# -----SOME CA----
#
# -----SOME CA-----
# apiserver_proxy_cert:
# file: 'apiserver-proxy-cert.pem'
# command_options:
# - '--proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem'
# content: |
# ------SOME CERT-----
# apiserver_proxy_key:
# file: 'apiserver-proxy-key.pem'
# command_options:
# - '--proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem'
# content: |
# -----SOME KEY-----
# Uncomment any of the below to enable enhanced Audit Logging command line options.
#
# auditpolicy: