# Copyright 2017 AT&T Intellectual Property. All other rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. release_group: null release_uuid: null images: tags: apiserver: k8s.gcr.io/kube-apiserver-amd64:v1.26.0 kubernetes_keystone_webhook: docker.io/k8scloudprovider/k8s-keystone-auth:latest scripted_test: docker.io/openstackhelm/heat:newton dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 image_repo_sync: docker.io/docker:17.07.0 ks_user: docker.io/openstackhelm/heat:ocata pull_policy: IfNotPresent local_registry: active: false exclude: - dep_check - image_repo_sync labels: kubernetes_apiserver: node_selector_key: apiserver-webhook node_selector_value: enabled job: node_selector_key: apiserver-webhook node_selector_value: enabled command_prefix: - kube-apiserver - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds apiserver_webhook: logging: # Which messages to log. # Valid values include any number from 0 to 9. # Default 5(Trace level verbosity). log_level: 5 service: name: clcp-ucp-apiserver-webhook network: pod_cidr: '10.97.0.0/16' service_cidr: '10.96.0.0/16' api: ingress: public: true classes: namespace: "nginx" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/proxy-read-timeout: "120" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/secure-backends: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" name: webhook_apiserver # # Insert TLS certificates, keys and CAs # here. Server is for server-terminated TLS (basic) # and client is for mTLS. Each group of certificates # will generate two secrets -client and -server # built to the kubernetes.io/tls secret type with keys 'tls.crt', 'tls.key' # and 'ca.crt' # certificates: apiserver_webhook_pod: server: cert: placeholder key: placeholder ca: placeholder keystone_webhook: server: cert: placeholder key: placeholder ca: placeholder kubelet: client: cert: placeholder key: placeholder server: ca: placeholder etcd: client: cert: placeholder key: placeholder server: ca: placeholder secrets: service_account: public_key: placeholder private_key: placeholder identity: admin: apiserver-webhook-keystone-creds-admin webhook: apiserver-webhook-keystone-creds-webhook tls: webhook_apiserver: api: public: apiserver-webhook-public server: cert: placeholder key: placeholder ca: placeholder # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local webhook_apiserver: name: webhook_apiserver hosts: default: apiserver-webhook internal: apiserver-webhook-int port: api: default: 6443 public: 443 webhook: podport: 8443 path: default: / webhook: /webhook scheme: default: https public: https host_fqdn_override: default: null # NOTE: this chart supports TLS for fqdn over-ridden public # endpoints using the following format: # public: # host: null # tls: # crt: null # key: null identity: name: keystone namespace: null auth: admin: region_name: RegionOne username: admin password: password project_name: admin user_domain_name: default project_domain_name: default webhook: region_name: RegionOne username: webhook password: password project_name: service user_domain_name: default project_domain_name: default role: admin hosts: default: keystone internal: keystone-api host_fqdn_override: default: null path: default: /v3 scheme: default: http port: api: default: 80 internal: 5000 etcd: name: etcd namespace: kube-system hosts: default: kubernetes-etcd host_fqdn_override: default: null path: default: null scheme: default: https port: client: default: 2379 network_policy: kubernetes-keystone-webhook: ingress: - {} egress: - {} pod: mandatory_access_control: type: apparmor apiserver-webhook: apiserver: runtime/default webhook: runtime/default security_context: apiserver_webhook: pod: runAsUser: 65534 container: apiserver: allowPrivilegeEscalation: false readOnlyRootFilesystem: true # explicitly setting the runAsUser may be required to write audit logs to the host # runAsUser: 0 webhook: allowPrivilegeEscalation: false readOnlyRootFilesystem: true mounts: apiserver_webhook: apiserver: # Example mounts for audit logging, refer to .conf.apiserver.auditpolicy below. # volumeMounts: # - name: audit-logs # mountPath: /var/log/audit # mountPropagation: HostToContainer # readOnly: false # volumes: # - name: audit-logs # hostPath: # path: /var/log/audit # type: DirectoryOrCreate webhook: null affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname replicas: apiserver: 1 api: 1 probes: readinessProbe: initialDelaySeconds: 5 periodSeconds: 10 livenessProbe: failureThreshold: 3 initialDelaySeconds: 15 periodSeconds: 20 env: apiserver: lifecycle: upgrades: daemonsets: pod_replacement_strategy: RollingUpdate kubernetes_apiserver: enabled: false min_ready_seconds: 0 max_unavailable: 1 termination_grace_period: kubernetes_apiserver: timeout: 3600 resources: enabled: false anchor_pod: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" kubernetes_apiserver: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" api: requests: memory: "128Mi" cpu: "100m" limits: memory: "256Mi" cpu: "200m" jobs: tests: requests: memory: "128Mi" cpu: "100m" limits: memory: "256Mi" cpu: "200m" conf: paths: base: '/etc/webhook_apiserver/' pki: '/etc/webhook_apiserver/pki' conf: '/etc/webhook_apiserver/webhook.kubeconfig' policy: '/etc/webhook_apiserver/conf/policy.json' sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub' saprivkey: '/etc/webhook_apiserver/pki/service-accounts.key' encryption_provider: '/etc/webhook_apiserver/encryption_provider.json' # Every key below 'apiserver' yields a dynamic configuration file # and can mutate the apiserver command-line args. # The files are available under /dynamic in conf.paths.base apiserver: agg_api_ca: file: agg-api-ca.pem command_options: - '--requestheader-client-ca-file=/etc/webhook_apiserver/dynamic/agg-api-ca.pem' - '--requestheader-extra-headers-prefix=X-Remote-Extra-' - '--requestheader-group-headers=X-Remote-Group' - '--requestheader-username-headers=X-Remote-User' - '--requestheader-allowed-names="aggregator"' content: | -----SOME CA----- apiserver_proxy_cert: file: 'apiserver-proxy-cert.pem' command_options: - '--proxy-client-cert-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-cert.pem' content: | ------SOME CERT----- apiserver_proxy_key: file: 'apiserver-proxy-key.pem' command_options: - '--proxy-client-key-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-key.pem' content: | -----SOME KEY----- encryption_provider: file: 'encryption_provider.yaml' command_options: - '--encryption-provider-config=/etc/webhook_apiserver/dynamic/encryption_provider.yaml' content: kind: EncryptionConfiguration apiVersion: apiserver.config.k8s.io/v1 # Uncomment any of the below to enable enhanced Audit Logging command line options. # Note: To use the Log backend, ensure that the hostPath of the log file is mounted, # and that the runAsUser for the apiserver container can write to it. # (Refer to .pod.mounts.apiserver.apiserver) # # auditpolicy: # file: audit_policy.yaml # command_options: # - '--audit-policy-file=/etc/kubernetes/apiserver/audit_policy.yaml' # - '--audit-log-maxsize=10' # - '--audit-log-maxbackup=3' # - '--audit-log-path=/var/log/audit/webhook-audit.log' # content: # kind: Policy # apiVersion: apiserver.k8s.io/v1 # rules: # - level: Metadata # service_account_issuer: command_options: - --service-account-issuer=https://kubernetes.default.svc.cluster.local policy: - resource: verbs: - "*" resources: - "*" namespace: "*" version: "*" match: - type: role values: - admin - resource: verbs: - "*" resources: - "*" namespace: "kube-system" version: "*" match: - type: role values: - kube-system-admin - resource: verbs: - get - list - watch resources: - "*" namespace: "kube-system" version: "*" match: - type: role values: - kube-system-viewer - resource: verbs: - "*" resources: - "*" namespace: "ucp" version: "*" match: - type: project values: - ucp-admin - airship-admin dependencies: static: ks_user: services: - service: identity endpoint: internal api: jobs: - webhook-apiserver-ks-user services: - service: identity endpoint: internal manifests: configmap_bin: true configmap_certs: true configmap_etc: true configmap_dynamic_config: true job_ks_user: true deployment: true ingress_api: true pod_test: false secret_keystone: true secret_tls: true secret_keys: true service: true network_policy: false