authorZuul <zuul@review.openstack.org>2018-12-16 19:33:54 +0000
committerGerrit Code Review <review@openstack.org>2018-12-16 19:33:54 +0000
commit22c58a5cfc3901031103219fb54608eff4dc77e3 (patch)
treeab18401b9f6bf4d98babd0103f941a012415bcd1
parented56213244efd35fa715f29f99a6a3c71e48167f (diff)
parent0e813a04b989eda317d3f8acb4d8f140f4d00ee7 (diff)
Merge "Extend webhook-enabled apiserver chart"
-rw-r--r--charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl19
-rw-r--r--charts/apiserver-webhook/templates/configmap-bin.yaml8
-rw-r--r--charts/apiserver-webhook/templates/configmap-certs.yaml31
-rw-r--r--charts/apiserver-webhook/templates/configmap-etc.yaml3
-rw-r--r--charts/apiserver-webhook/templates/deployment.yaml217
-rw-r--r--charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl34
-rw-r--r--charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl3
-rw-r--r--charts/apiserver-webhook/templates/ingress-api.yaml6
-rw-r--r--charts/apiserver-webhook/templates/job-ks-user.yaml (renamed from charts/apiserver-webhook/templates/secret-apiserver.yaml)17
-rw-r--r--charts/apiserver-webhook/templates/secret-ingress-tls.yaml19
-rw-r--r--charts/apiserver-webhook/templates/secret-keystone.yaml2
-rw-r--r--charts/apiserver-webhook/templates/secret-tls.yaml73
-rw-r--r--charts/apiserver-webhook/templates/secret-webhook.yaml28
-rw-r--r--charts/apiserver-webhook/templates/service-ingress-api.yaml (renamed from charts/apiserver-webhook/templates/service-apiserver-ingress.yaml)6
-rw-r--r--charts/apiserver-webhook/templates/service.yaml6
-rw-r--r--charts/apiserver-webhook/values.yaml172
16 files changed, 376 insertions, 268 deletions
diff --git a/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl b/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl
index 0fbe335..7357f5c 100644
--- a/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl
+++ b/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl
@@ -18,9 +18,20 @@ limitations under the License.
18 18
19set -xe 19set -xe
20 20
21SERVER_CERT_FILE=${SERVER_CERT_FILE:-"/etc/webhook_apiserver/pki/tls.crt"}
22SERVER_KEY_FILE=${SERVER_KEY_FILE:-"/etc/webhook_apiserver/pki/tls.key"}
23POLICY_FILE=${POLICY_FILE:-"/etc/webhook_apiserver/policy.json"}
24SERVER_PORT=${SERVER_PORT:-"8443"}
25KEYSTONE_CA_FILE=${KEYSTONE_CA_FILE:-"/etc/webhook_apiserver/pki/keystone.pem"}
26
21exec /bin/k8s-keystone-auth \ 27exec /bin/k8s-keystone-auth \
22 --tls-cert-file /opt/kubernetes-keystone-webhook/pki/tls.crt \ 28 --v 5 \
23 --tls-private-key-file /opt/kubernetes-keystone-webhook/pki/tls.key \ 29 --tls-cert-file "${SERVER_CERT_FILE}" \
24 --keystone-policy-file /etc/kubernetes-keystone-webhook/policy.json \ 30 --tls-private-key-file "${SERVER_KEY_FILE}" \
25 --listen 127.0.0.1:8443 \ 31 --keystone-policy-file "${POLICY_FILE}" \
32 --listen "127.0.0.1:${SERVER_PORT}" \
33{{- if hasKey .Values.certificates "keystone" }}
34 --keystone-ca-file "${KEYSTONE_CA_FILE}" \
35{{- end }}
26 --keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} 36 --keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
37
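Review bot: The `{{- if hasKey .Values.certificates "keystone" }}` guard on new line 33 only checks that a `keystone` group exists, yet `KEYSTONE_CA_FILE` (set under the same guard in deployment.yaml, new lines 204-207) resolves to the `keystone`/`server`/`ca` bundle member, so a `keystone` group without a `server.ca` entry passes the guard and hands the webhook a path that `local.mount_cert_bundle` never mounts. Either check the nested `server`/`ca` presence in both places or document in values.yaml that a `keystone` group must carry a `server.ca` entry. Separately, `--v 5` on new line 28 hard-codes a high log verbosity into the start script; it is worth confirming what k8s-keystone-auth emits at that level before it becomes the default, and following the script's own env-default pattern, e.g. `--v "${LOG_LEVEL:-2}"` with a `LOG_LEVEL` default alongside `SERVER_PORT`, would make it configurable.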
diff --git a/charts/apiserver-webhook/templates/configmap-bin.yaml b/charts/apiserver-webhook/templates/configmap-bin.yaml
index 6cf5263..731cd23 100644
--- a/charts/apiserver-webhook/templates/configmap-bin.yaml
+++ b/charts/apiserver-webhook/templates/configmap-bin.yaml
@@ -16,13 +16,15 @@ limitations under the License.
16 16
17{{- if .Values.manifests.configmap_bin }} 17{{- if .Values.manifests.configmap_bin }}
18{{- $envAll := . }} 18{{- $envAll := . }}
19
20--- 19---
21apiVersion: v1 20apiVersion: v1
22kind: ConfigMap 21kind: ConfigMap
23metadata: 22metadata:
24 name: {{ .Values.service.name }}-bin 23 name: {{ .Release.Name }}-bin
25data: 24data:
26 webhook_start.sh: | 25 ks-user.sh: |-
26{{- include "helm-toolkit.scripts.keystone_user" $envAll | indent 4 }}
27 webhook_start.sh: |-
27{{ tuple "bin/_webhook_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }} 28{{ tuple "bin/_webhook_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
29...
28{{- end }} 30{{- end }}
diff --git a/charts/apiserver-webhook/templates/configmap-certs.yaml b/charts/apiserver-webhook/templates/configmap-certs.yaml
deleted file mode 100644
index 34d412e..0000000
--- a/charts/apiserver-webhook/templates/configmap-certs.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
1{{/*
2Copyright 2017 AT&T Intellectual Property. All other rights reserved.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/}}
16
17{{- if .Values.manifests.configmap_certs }}
18{{- $envAll := . }}
19
20---
21apiVersion: v1
22kind: ConfigMap
23metadata:
24 name: {{ .Values.service.name }}-certs
25data:
26 cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
27 apiserver.pem: {{ .Values.secrets.tls.cert | quote }}
28 etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
29 etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
30 service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
31{{- end }}
diff --git a/charts/apiserver-webhook/templates/configmap-etc.yaml b/charts/apiserver-webhook/templates/configmap-etc.yaml
index f08cdfe..cb2b442 100644
--- a/charts/apiserver-webhook/templates/configmap-etc.yaml
+++ b/charts/apiserver-webhook/templates/configmap-etc.yaml
@@ -21,8 +21,9 @@ limitations under the License.
21apiVersion: v1 21apiVersion: v1
22kind: ConfigMap 22kind: ConfigMap
23metadata: 23metadata:
24 name: {{ .Values.service.name }}-etc 24 name: {{ .Release.Name }}-etc
25data: 25data:
26 service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
26 webhook.kubeconfig: | 27 webhook.kubeconfig: |
27{{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} 28{{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
28 policy.json: | 29 policy.json: |
diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index 091288e..a9ac0ba 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -14,13 +14,94 @@ See the License for the specific language governing permissions and
14limitations under the License. 14limitations under the License.
15*/}} 15*/}}
16 16
17{{/*
18These local.* templates may be moved out of this chart into helm-toolkit
19in the future if there is desire to generalize this pattern. Otherwise
20in the future they will be moved into a separate helpers file.
21*/}}
22
23{{- define "local.tls_volume_name" -}}
24{{- $group := index . 0 -}}
25{{- $type := index . 1 -}}
26tls-{{ $group | replace "_" "-" }}-{{ $type | replace "_" "-" }}
27{{- end -}}
28
29{{- define "local.attach_all_bundles" }}
30{{- $envAll := . }}
31{{- range $group, $certs := $envAll.Values.certificates }}
32{{- range $type, $bundle := . }}
33{{ tuple $group $type $envAll | include "local.attach_cert_bundle" }}
34{{- end }}
35{{- end }}
36{{- end }}
37
38{{- define "local.attach_cert_bundle" }}
39{{- $group := index . 0 }}
40{{- $type := index . 1 }}
41{{- $envAll := index . 2 }}
42- name: {{ tuple $group $type | include "local.tls_volume_name" }}
43 secret:
44 secretName: {{ tuple $group $type $envAll | include "local.tls_secret_name" }}
45 defaultMode: 0444
46{{ end }}
47
48{{- define "local.mount_all_bundles" }}
49{{- $basepath := index . 0 }}
50{{- $envAll := index . 1 }}
51{{- range $group, $certs := $envAll.Values.certificates }}
52{{- range $type, $bundle := . }}
53{{ tuple $group $type $basepath $envAll | include "local.mount_cert_bundle" }}
54{{- end }}
55{{- end }}
56{{- end }}
57
58{{- define "local.mount_cert_bundle" }}
59{{- $group := index . 0 }}
60{{- $type := index . 1 }}
61{{- $basepath := index . 2 }}
62{{- $envAll := index . 3 }}
63{{- $bundle := index $envAll.Values "certificates" $group $type }}
64{{- range tuple "ca" "cert" "key" }}
65{{- if hasKey $bundle . }}
66{{ tuple $group $type . $basepath $envAll | include "local.mount_cert_file" }}
67{{- end }}
68{{- end }}
69{{- end }}
70
71{{- define "local.mount_cert_file" }}
72{{- $group := index . 0 }}
73{{- $type := index . 1 }}
74{{- $member := index . 2 }}
75{{- $basepath := index . 3 }}
76{{- $envAll := index . 4 }}
77- name: {{ tuple $group $type | include "local.tls_volume_name" }}
78 mountPath: {{ tuple $group $type $basepath $member $envAll | include "local.cert_bundle_path" }}
79{{- if eq $member "ca" }}
80 subPath: ca.crt
81{{- else if eq $member "cert" }}
82 subPath: tls.crt
83{{- else if eq $member "key" }}
84 subPath: tls.key
85{{- end }}
86 readOnly: true
87{{- end }}
88
89{{- define "local.cert_bundle_path" -}}
90{{- $group := index . 0 -}}
91{{- $type := index . 1 -}}
92{{- $basepath := index . 2 -}}
93{{- $member := index . 3 -}}
94{{- $envAll := index . 4 -}}
95{{ $basepath }}/{{ $group }}-{{ $type }}-{{ $member }}.pem
96{{- end -}}
97
17{{- if .Values.manifests.deployment }} 98{{- if .Values.manifests.deployment }}
18{{- $envAll := . }} 99{{- $envAll := . }}
19--- 100---
20apiVersion: apps/v1 101apiVersion: apps/v1
21kind: Deployment 102kind: Deployment
22metadata: 103metadata:
23 name: kubernetes-keystone-webhook 104 name: {{ .Release.Name }}-apiserver-webhook
24 labels: 105 labels:
25{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} 106{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
26spec: 107spec:
@@ -36,7 +117,7 @@ spec:
36 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} 117 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
37 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} 118 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
38 spec: 119 spec:
39 dnsPolicy: ClusterFirstWithHostNet 120 dnsPolicy: ClusterFirst
40 containers: 121 containers:
41 - name: apiserver 122 - name: apiserver
42 image: {{ .Values.images.tags.apiserver }} 123 image: {{ .Values.images.tags.apiserver }}
@@ -50,93 +131,117 @@ spec:
50 valueFrom: 131 valueFrom:
51 fieldRef: 132 fieldRef:
52 fieldPath: spec.nodeName 133 fieldPath: spec.nodeName
53
54 command: 134 command:
55 {{- range .Values.command_prefix }} 135 {{- range .Values.command_prefix }}
56 - {{ . }} 136 - {{ . }}
57 {{- end }} 137 {{- end }}
138 - --service-cluster-ip-range={{ $envAll.Values.network.service_cidr }}
58 - --authorization-mode=Webhook 139 - --authorization-mode=Webhook
59 - --advertise-address=$(POD_IP) 140 - --advertise-address=$(POD_IP)
60 - --anonymous-auth=false 141 - --anonymous-auth=false
61 - --endpoint-reconciler-type=none 142 - --endpoint-reconciler-type=none
62 - --bind-address=0.0.0.0 143 - --bind-address=$(POD_IP)
63 - --secure-port={{ .Values.network.kubernetes_apiserver.port }} 144 - --secure-port={{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
64 - --insecure-port=0 145 - --insecure-port=0
65 - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem 146 - --tls-cert-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
66 - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem 147 - --tls-private-key-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
67 - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
68 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 148 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
69 - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem 149 - --kubelet-certificate-authority={{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }}
70 - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem 150 - --kubelet-client-certificate={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
71 - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem 151 - --kubelet-client-key={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
72 - --etcd-servers={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} 152 - --etcd-servers={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
73 - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem 153 - --etcd-cafile={{ tuple "etcd" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }}
74 - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem 154 - --etcd-certfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
75 - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem 155 - --etcd-keyfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
76 - --allow-privileged=true 156 - --allow-privileged=true
77 - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub 157 - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
78 - --authentication-token-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig 158 - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
79 - --authorization-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig 159 - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
80 ports:
81 - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
82 readinessProbe: 160 readinessProbe:
83 tcpSocket: 161 tcpSocket:
84 port: 6443 162 port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
85 initialDelaySeconds: 5 163{{ $envAll.Values.pod.probes.readinessProbe | toYaml | indent 12 }}
86 periodSeconds: 10
87 livenessProbe: 164 livenessProbe:
88 tcpSocket: 165 tcpSocket:
89 port: 6443 166 port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
90 failureThreshold: 3 167{{ $envAll.Values.pod.probes.livenessProbe | toYaml | indent 12 }}
91 initialDelaySeconds: 15
92 periodSeconds: 20
93 volumeMounts: 168 volumeMounts:
94 - name: etc 169 - name: etc-apiserver
95 mountPath: /etc/kubernetes/apiserver 170 mountPath: {{ $envAll.Values.conf.paths.base }}
96 - name: {{ .Values.service.name }}-etc 171 - name: etc-apiserver-pki
97 mountPath: /etc/kubernetes/apiserver/webhook.kubeconfig 172 mountPath: {{ $envAll.Values.conf.paths.pki }}
173 - name: configmap-etc
174 mountPath: {{ $envAll.Values.conf.paths.sapubkey }}
175 subPath: service-account.pub
176 readOnly: true
177 - name: configmap-etc
178 mountPath: {{ $envAll.Values.conf.paths.conf }}
98 subPath: webhook.kubeconfig 179 subPath: webhook.kubeconfig
99 readOnly: true 180 readOnly: true
100 - name: kubernetes-keystone-webhook 181{{ tuple "keystone_webhook" "server" "ca" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_file" | indent 12 }}
182{{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
183{{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
184{{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
185{{ tuple "etcd" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
186{{ tuple "etcd" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
187 - name: webhook
101{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }} 188{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
102{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} 189{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
103 command: 190 command:
104 - /tmp/webhook_start.sh 191 - /tmp/webhook_start.sh
192 env:
193{{- with $env := dict "ksUserSecret" .Values.secrets.identity.webhook }}
194{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
195{{- end }}
196 - name: SERVER_CERT_FILE
197 value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" | quote }}
198 - name: SERVER_KEY_FILE
199 value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" | quote }}
200 - name: POLICY_FILE
201 value: {{ $envAll.Values.conf.paths.policy | quote }}
202 - name: SERVER_PORT
203 value: {{ tuple "webhook_apiserver" "podport" "webhook" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
204{{- if hasKey .Values.certificates "keystone" }}
205 - name: KEYSTONE_CA_FILE
206 value: {{ tuple "keystone" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" | quote }}
207{{- end }}
105 volumeMounts: 208 volumeMounts:
106 - name: etc-kubernetes-keystone-webhook 209 - name: etc-webhook
107 mountPath: /etc/kubernetes-keystone-webhook 210 mountPath: {{ $envAll.Values.conf.paths.base }}
108 - name: key-kubernetes-keystone-webhook 211 - name: etc-webhook-pki
109 mountPath: /opt/kubernetes-keystone-webhook/pki/tls.crt 212 mountPath: {{ $envAll.Values.conf.paths.pki }}
110 subPath: tls.crt 213 - name: configmap-etc
111 readOnly: true 214 mountPath: {{ $envAll.Values.conf.paths.policy }}
112 - name: key-kubernetes-keystone-webhook
113 mountPath: /opt/kubernetes-keystone-webhook/pki/tls.key
114 subPath: tls.key
115 readOnly: true
116 - name: {{ .Values.service.name }}-etc
117 mountPath: /etc/kubernetes-keystone-webhook/policy.json
118 subPath: policy.json 215 subPath: policy.json
119 readOnly: true 216 readOnly: true
120 - name: {{ .Values.service.name }}-bin 217 - name: configmap-bin
121 mountPath: /tmp/webhook_start.sh 218 mountPath: /tmp/webhook_start.sh
122 subPath: webhook_start.sh 219 subPath: webhook_start.sh
123 readOnly: true 220 readOnly: true
221{{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
124 volumes: 222 volumes:
125 - name: etc 223{{- if hasKey .Values.certificates "keystone" }}
126 hostPath: 224{{ tuple "keystone" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
127 path: {{ .Values.apiserver.host_etc_path }} 225{{- end }}
128 - name: etc-kubernetes-keystone-webhook 226{{ include "local.attach_all_bundles" $envAll | indent 8 }}
227 - name: etc-apiserver
129 emptyDir: {} 228 emptyDir: {}
130 - name: key-kubernetes-keystone-webhook 229 - name: etc-apiserver-pki
131 secret: 230 emptyDir: {}
132 secretName: {{ $envAll.Values.secrets.certificates.api }} 231 - name: etc-webhook
133 defaultMode: 0444 232 emptyDir: {}
134 - name: {{ .Values.service.name }}-etc 233 - name: etc-webhook-pki
234 emptyDir: {}
235 - name: configmap-etc
135 configMap: 236 configMap:
136 name: {{ .Values.service.name }}-etc 237 name: {{ .Release.Name }}-etc
137 defaultMode: 0444 238 defaultMode: 0444
138 - name: {{ .Values.service.name }}-bin 239 - name: configmap-bin
139 configMap: 240 configMap:
140 name: {{ .Values.service.name }}-bin 241 name: {{ .Release.Name }}-bin
141 defaultMode: 0555 242 defaultMode: 0555
243 - name: tls-apiserver-webhook-public-server
244 secret:
245 defaultMode: 292
246 secretName: {{ .Values.secrets.tls.webhook_apiserver.api.public }}
142{{- end }} 247{{- end }}
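Review bot: The conditional `keystone` CA block on new lines 223-225 is emitted after `volumes:` (new line 222) but includes `local.mount_cert_bundle`, which renders `mountPath`/`subPath`/`readOnly` entries at `indent 12` — the shape used for the container `volumeMounts` on line 221 — so as placed it produces a `volumes` item with no volume source and volumeMount fields, which should fail pod validation; the matching volume is already attached by `local.attach_all_bundles` on line 226. Move those three lines directly after new line 221, inside the webhook container's `volumeMounts`. `defaultMode: 292` on line 245 is the decimal form of the `0444` used on lines 45 and 238; write `defaultMode: 0444` for consistency, and note that the `tls-apiserver-webhook-public-server` volume it belongs to is not mounted by either container within this hunk, so it may be dead. The Deployment template begins in an earlier hunk.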
diff --git a/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl b/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl
deleted file mode 100644
index 53810a6..0000000
--- a/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl
+++ /dev/null
@@ -1,34 +0,0 @@
1# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15---
16apiVersion: v1
17clusters:
18- cluster:
19 server: https://127.0.0.1:{{ .Values.network.kubernetes_apiserver.port }}
20 certificate-authority: pki/cluster-ca.pem
21 name: kubernetes
22contexts:
23- context:
24 cluster: kubernetes
25 user: apiserver
26 name: apiserver@kubernetes
27current-context: apiserver@kubernetes
28kind: Config
29preferences: {}
30users:
31- name: apiserver
32 user:
33 client-certificate: pki/apiserver.pem
34 client-key: pki/apiserver-key.pem
diff --git a/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl b/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl
index a834a88..7e12810 100644
--- a/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl
+++ b/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl
@@ -2,7 +2,8 @@ apiVersion: v1
2clusters: 2clusters:
3 - cluster: 3 - cluster:
4 insecure-skip-tls-verify: false 4 insecure-skip-tls-verify: false
5 server: https://127.0.0.1:8443/webhook 5 server: https://127.0.0.1:{{ tuple "webhook_apiserver" "podport" "webhook" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/webhook
6 certificate-authority: {{ tuple "keystone_webhook" "server" .Values.conf.paths.pki "ca" . | include "local.cert_bundle_path" | quote }}
6 name: webhook 7 name: webhook
7contexts: 8contexts:
8 - context: 9 - context:
diff --git a/charts/apiserver-webhook/templates/ingress-api.yaml b/charts/apiserver-webhook/templates/ingress-api.yaml
index 8b9f9bf..e2bc47a 100644
--- a/charts/apiserver-webhook/templates/ingress-api.yaml
+++ b/charts/apiserver-webhook/templates/ingress-api.yaml
@@ -15,7 +15,7 @@ See the License for the specific language governing permissions and
15limitations under the License. 15limitations under the License.
16*/}} 16*/}}
17 17
18{{- if and .Values.manifests.ingress_api .Values.network.kubernetes_apiserver.ingress.public }} 18{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
19{{- $ingressOpts := dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" "backendPort" "https" -}} 19{{- $ingressOpts := dict "envAll" . "backendServiceType" "webhook_apiserver" "backendPort" "https" -}}
20{{- $ingressOpts | include "helm-toolkit.manifests.ingress" -}} 20{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
21{{- end }} 21{{- end }}
diff --git a/charts/apiserver-webhook/templates/secret-apiserver.yaml b/charts/apiserver-webhook/templates/job-ks-user.yaml
index f32f6bf..1471462 100644
--- a/charts/apiserver-webhook/templates/secret-apiserver.yaml
+++ b/charts/apiserver-webhook/templates/job-ks-user.yaml
@@ -1,5 +1,5 @@
1{{/* 1{{/*
2Copyright 2017 AT&T Intellectual Property. All other rights reserved. 2Copyright 2018 AT&T Intellectual Property. All other rights reserved.
3 3
4Licensed under the Apache License, Version 2.0 (the "License"); 4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License. 5you may not use this file except in compliance with the License.
@@ -14,15 +14,8 @@ See the License for the specific language governing permissions and
14limitations under the License. 14limitations under the License.
15*/}} 15*/}}
16 16
17{{- if .Values.manifests.secret }} 17{{- if .Values.manifests.job_ks_user }}
18{{- $envAll := . }} 18{{ $cm_name := printf "%s-bin" .Release.Name }}
19--- 19{{- $ksUserJob := dict "envAll" . "serviceName" "webhook_apiserver" "configMapBin" $cm_name "serviceUser" "webhook" -}}
20apiVersion: v1 20{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
21kind: Secret
22metadata:
23 name: {{ .Values.service.name }}-keys
24type: Opaque
25data:
26 apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
27 etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
28{{- end }} 21{{- end }}
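Review bot: `{{ $cm_name := printf "%s-bin" .Release.Name }}` on new line 18 uses untrimmed delimiters while the lines around it use `{{-`/`-}}`, so it leaves a stray blank line in the rendered output; write it as `{{- $cm_name := printf "%s-bin" .Release.Name -}}`. The name it builds matches `{{ .Release.Name }}-bin` in configmap-bin.yaml and `"serviceUser" "webhook"` matches the `webhook` entry added to secret-keystone.yaml, so the wiring is consistent.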
diff --git a/charts/apiserver-webhook/templates/secret-ingress-tls.yaml b/charts/apiserver-webhook/templates/secret-ingress-tls.yaml
deleted file mode 100644
index 92574bf..0000000
--- a/charts/apiserver-webhook/templates/secret-ingress-tls.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
1{{/*
2Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/}}
16
17{{- if .Values.manifests.secret_ingress_tls }}
18{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" ) }}
19{{- end }}
diff --git a/charts/apiserver-webhook/templates/secret-keystone.yaml b/charts/apiserver-webhook/templates/secret-keystone.yaml
index 99f1d5b..4a49e8b 100644
--- a/charts/apiserver-webhook/templates/secret-keystone.yaml
+++ b/charts/apiserver-webhook/templates/secret-keystone.yaml
@@ -16,7 +16,7 @@ limitations under the License.
16 16
17{{- if .Values.manifests.secret_keystone }} 17{{- if .Values.manifests.secret_keystone }}
18{{- $envAll := . }} 18{{- $envAll := . }}
19{{- range $key1, $userClass := tuple "admin" }} 19{{- range $key1, $userClass := tuple "admin" "webhook" }}
20{{- $secretName := index $envAll.Values.secrets.identity $userClass }} 20{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
21--- 21---
22apiVersion: v1 22apiVersion: v1
diff --git a/charts/apiserver-webhook/templates/secret-tls.yaml b/charts/apiserver-webhook/templates/secret-tls.yaml
new file mode 100644
index 0000000..3ad03e4
--- /dev/null
+++ b/charts/apiserver-webhook/templates/secret-tls.yaml
@@ -0,0 +1,73 @@
1{{/*
2Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/}}
16
17{{- define "local.tls_secret_name" -}}
18{{- $group := index . 0 -}}
19{{- $type := index . 1 -}}
20{{- $envAll := index . 2 -}}
21{{ printf "%s-%s-%s" $envAll.Release.Name $group $type | replace "_" "-" }}
22{{- end -}}
23
24{{- define "local.tls_secret" }}
25{{- $group := index . 0 }}
26{{- $type := index . 1 }}
27{{- $bundle := index . 2 }}
28{{- $envAll := index . 3 }}
29---
30apiVersion: v1
31kind: Secret
32metadata:
33 name: {{ tuple $group $type $envAll | include "local.tls_secret_name" }}
34 namespace: {{ $envAll.Release.Namespace }}
35type: opaque
36data:
37 {{- if hasKey $bundle "ca" }}
38 ca.crt: |-
39{{ $bundle.ca | b64enc | indent 4 }}
40 {{- end }}
41 {{- if hasKey $bundle "cert" }}
42 tls.crt: |-
43{{ $bundle.cert | b64enc | indent 4 }}
44 {{- end }}
45 {{- if hasKey $bundle "key" }}
46 tls.key: |-
47{{ $bundle.key | b64enc | indent 4 }}
48 {{- end }}
49...
50{{- end -}}
51---
52apiVersion: v1
53kind: Secret
54metadata:
55 name: {{ .Values.secrets.tls.webhook_apiserver.api.public }}
56 namespace: {{ .Release.Namespace }}
57type: opaque
58data:
59 ca.crt: |-
60{{ .Values.secrets.tls.webhook_apiserver.api.server.ca | b64enc | indent 4 }}
61 tls.crt: |-
62{{ .Values.secrets.tls.webhook_apiserver.api.server.cert | b64enc | indent 4 }}
63 tls.key: |-
64{{ .Values.secrets.tls.webhook_apiserver.api.server.key | b64enc | indent 4 }}
65...
66{{- if .Values.manifests.secret_tls }}
67{{- $envAll := . }}
68{{- range $group, $certs := .Values.certificates }}
69{{- range $type, $bundle := $certs }}
70{{ tuple $group $type $bundle $envAll | include "local.tls_secret" }}
71{{- end }}
72{{- end }}
73{{- end }}
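Review bot: The `{{ .Values.secrets.tls.webhook_apiserver.api.public }}` Secret on lines 51-65 is rendered unconditionally, outside the `{{- if .Values.manifests.secret_tls }}` guard that only opens on line 66, so disabling `manifests.secret_tls` still emits it, and a values file that lacks `secrets.tls.webhook_apiserver.api.server` will fail to render rather than skip it. Move `{{- if .Values.manifests.secret_tls }}` and `{{- $envAll := . }}` up to directly after the `{{- end -}}` on line 50 so both the fixed secret and the `certificates` range are covered. `type: opaque` on lines 35 and 57 is also not the canonical `Opaque` spelling used by the removed secret-apiserver.yaml; Kubernetes accepts arbitrary type strings so it renders, but tooling that matches on `Opaque` will not recognise these secrets — write `type: Opaque`.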
diff --git a/charts/apiserver-webhook/templates/secret-webhook.yaml b/charts/apiserver-webhook/templates/secret-webhook.yaml
deleted file mode 100644
index 4438a35..0000000
--- a/charts/apiserver-webhook/templates/secret-webhook.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
1{{/*
2Copyright 2018 The Openstack-Helm Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/}}
16
17{{- if .Values.manifests.secret_webhook }}
18{{- $envAll := . }}
19---
20apiVersion: v1
21kind: Secret
22metadata:
23 name: {{ $envAll.Values.secrets.certificates.api }}
24type: kubernetes.io/tls
25data:
26 tls.crt: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.crt | default "" | b64enc }}
27 tls.key: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.key | default "" | b64enc }}
28{{- end }}
diff --git a/charts/apiserver-webhook/templates/service-apiserver-ingress.yaml b/charts/apiserver-webhook/templates/service-ingress-api.yaml
index d4bc7b6..256107f 100644
--- a/charts/apiserver-webhook/templates/service-apiserver-ingress.yaml
+++ b/charts/apiserver-webhook/templates/service-ingress-api.yaml
@@ -1,6 +1,5 @@
1{{/* 1{{/*
2Copyright 2017 The Openstack-Helm Authors. 2Copyright 2017 The Openstack-Helm Authors.
3Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
4 3
5Licensed under the Apache License, Version 2.0 (the "License"); 4Licensed under the Apache License, Version 2.0 (the "License");
6you may not use this file except in compliance with the License. 5you may not use this file except in compliance with the License.
@@ -15,7 +14,8 @@ See the License for the specific language governing permissions and
15limitations under the License. 14limitations under the License.
16*/}} 15*/}}
17 16
18{{- if and .Values.manifests.service_ingress .Values.network.kubernetes_apiserver.ingress.public }} 17{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
19{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "kubernetes-keystone-webhook" -}} 18{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "webhook_apiserver" -}}
20{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }} 19{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
21{{- end }} 20{{- end }}
21
diff --git a/charts/apiserver-webhook/templates/service.yaml b/charts/apiserver-webhook/templates/service.yaml
index d0150b0..75939e2 100644
--- a/charts/apiserver-webhook/templates/service.yaml
+++ b/charts/apiserver-webhook/templates/service.yaml
@@ -20,15 +20,15 @@ limitations under the License.
20apiVersion: v1 20apiVersion: v1
21kind: Service 21kind: Service
22metadata: 22metadata:
23 name: {{ .Values.service.name }} 23 name: {{ tuple "webhook_apiserver" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
24 annotations: 24 annotations:
25 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" 25 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
26spec: 26spec:
27 ports: 27 ports:
28 - name: https 28 - name: https
29 port: {{ .Values.network.kubernetes_apiserver.port }} 29 port: {{ tuple "webhook_apiserver" "default" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
30 protocol: TCP 30 protocol: TCP
31 targetPort: {{ .Values.network.kubernetes_apiserver.port }} 31 targetPort: {{ tuple "webhook_apiserver" "podport" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
32 selector: 32 selector:
33{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} 33{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
34{{- end }} 34{{- end }}
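Review bot: `targetPort` now looks up endpoint `podport` under port group `api`, but `endpoints.webhook_apiserver.port.api` in values.yaml defines only `default` and `public` (the only `podport: 8443` lives under `port.webhook`), so this lookup presumably resolves through the helm-toolkit helper's `default` fallback to 6443 rather than to an explicitly declared pod port. If 6443 is the intended container port, add `podport: 6443` under `port.api` so the Service does not depend on the fallback; if the pod actually listens on 8443, the lookup is pointing at the wrong port group and the Service would silently route to a closed port. Either way a short comment above the `targetPort` line naming the container port it must match would keep the two from drifting.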
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index 008c6a9..e83fd71 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -21,6 +21,7 @@ images:
21 scripted_test: docker.io/openstackhelm/heat:newton 21 scripted_test: docker.io/openstackhelm/heat:newton
22 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 22 dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
23 image_repo_sync: docker.io/docker:17.07.0 23 image_repo_sync: docker.io/docker:17.07.0
24 ks_user: docker.io/openstackhelm/heat:ocata
24 pull_policy: IfNotPresent 25 pull_policy: IfNotPresent
25 local_registry: 26 local_registry:
26 active: false 27 active: false
@@ -30,80 +31,101 @@ images:
30 31
31labels: 32labels:
32 kubernetes_apiserver: 33 kubernetes_apiserver:
33 node_selector_key: kubernetes-apiserver 34 node_selector_key: apiserver-webhook
35 node_selector_value: enabled
36 job:
37 node_selector_key: apiserver-webhook
34 node_selector_value: enabled 38 node_selector_value: enabled
35 39
36command_prefix: 40command_prefix:
37 - /apiserver 41 - /apiserver
38 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds 42 - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
39 - --service-cluster-ip-range=10.96.0.0/16
40 - --v=5 43 - --v=5
41 44
42apiserver:
43 host_etc_path: /etc/kubernetes/apiserver
44
45network: 45network:
46 kubernetes_apiserver: 46 pod_cidr: '10.97.0.0/16'
47 service_cidr: '10.96.0.0/16'
48 api:
47 ingress: 49 ingress:
48 public: true 50 public: true
49 classes: 51 classes:
50 namespace: "nginx-cluster" 52 namespace: "nginx"
51 cluster: "nginx-cluster" 53 cluster: "nginx-cluster"
52 annotations: 54 annotations:
53 nginx.ingress.kubernetes.io/rewrite-target: / 55 nginx.ingress.kubernetes.io/rewrite-target: /
54 nginx.ingress.kubernetes.io/proxy-read-timeout: "120" 56 nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
55 nginx.ingress.kubernetes.io/ssl-redirect: "true" 57 nginx.ingress.kubernetes.io/ssl-redirect: "true"
56 nginx.ingress.kubernetes.io/secure-backends: "true" 58 nginx.ingress.kubernetes.io/secure-backends: "true"
57 name: kubernetes-apiserver 59 name: webhook_apiserver
58 port: 6443 60#
59 node_port: 61# Insert TLS certificates, keys and CAs
60 enabled: false 62# here. Server is for server-terminated TLS (basic)
61 port: 31943 63# and client is for mTLS. Each group of certificates
62 64# will generate two secrets <groupname>-client and <groupname>-server
63service: 65# built to the kubernetes.io/tls secret type with keys 'tls.crt', 'tls.key'
64 name: kubernetes-webhook-apiserver 66# and 'ca.crt'
65 ip: null 67#
68certificates:
69 apiserver_webhook_pod:
70 server:
71 cert: placeholder
72 key: placeholder
73 ca: placeholder
74 keystone_webhook:
75 server:
76 cert: placeholder
77 key: placeholder
78 ca: placeholder
79 kubelet:
80 client:
81 cert: placeholder
82 key: placeholder
83 server:
84 ca: placeholder
85 etcd:
86 client:
87 cert: placeholder
88 key: placeholder
89 server:
90 ca: placeholder
66 91
67secrets: 92secrets:
68 tls:
69 ca: placeholder
70 cert: placeholder
71 key: placeholder
72 service_account: 93 service_account:
73 public_key: placeholder 94 public_key: placeholder
74 etcd:
75 tls:
76 ca: placeholder
77 cert: placeholder
78 key: placeholder
79 identity: 95 identity:
80 admin: kubernetes-keystone-webhook-admin 96 admin: apiserver-webhook-keystone-creds-admin
81 certificates: 97 webhook: apiserver-webhook-keystone-creds-webhook
82 api: kubernetes-keystone-webhook-certs 98 tls:
83 99 webhook_apiserver:
84kubernetes_keystone_webhook: 100 api:
85 port: 8443 101 public: apiserver-webhook-public
86 endpoints: https://k8sksauth-api.kube-system.svc.cluster.local 102 server:
103 cert: placeholder
104 key: placeholder
105 ca: placeholder
87 106
88# typically overriden by environmental 107# typically overriden by environmental
89# values, but should include all endpoints 108# values, but should include all endpoints
90# required by this chart 109# required by this chart
91endpoints: 110endpoints:
92 cluster_domain_suffix: cluster.local 111 cluster_domain_suffix: cluster.local
93 kubernetes_apiserver: 112 webhook_apiserver:
94 name: kubernetes-webhook-apiserver 113 name: webhook_apiserver
95 hosts: 114 hosts:
96 default: keystone 115 default: apiserver-webhook
97 internal: keystone-api 116 internal: apiserver-webhook-int
98 port: 117 port:
99 https: 118 api:
100 default: 6443 119 default: 6443
101 public: 443 120 public: 443
121 webhook:
122 podport: 8443
102 path: 123 path:
103 default: / 124 default: /
125 webhook: /webhook
104 scheme: 126 scheme:
105 default: http 127 default: https
106 public: http 128 public: https
107 host_fqdn_override: 129 host_fqdn_override:
108 default: null 130 default: null
109 # NOTE: this chart supports TLS for fqdn over-ridden public 131 # NOTE: this chart supports TLS for fqdn over-ridden public
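Review bot: The new `certificates` block, and the `secrets.tls.webhook_apiserver.api.server` trio after it, default every cert, key and CA to the literal string `placeholder`, which a template that base64-encodes them into a `kubernetes.io/tls` Secret will render without complaint; the failure only surfaces when the apiserver fails to parse the PEM, or, for `keystone_webhook.server.ca`, when it cannot verify the webhook endpoint at request time. Defaulting these to `null` and guarding them with `required` in the secret template (secret-tls.yaml is in the diffstat but not in view, so this is inferred) would make `helm install` fail early instead. The header comment promises `<groupname>-client` and `<groupname>-server` secrets per group, yet `apiserver_webhook_pod` and `keystone_webhook` carry only a `server` group while `secrets.tls.webhook_apiserver.api.server` repeats the same cert/key/ca fields; a one-line comment stating which of the two the chart actually mounts as the pod's serving certificate would save deployers from filling in the wrong one.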
@@ -113,12 +135,6 @@ endpoints:
113 # tls: 135 # tls:
114 # crt: null 136 # crt: null
115 # key: null 137 # key: null
116 kubernetes:
117 auth:
118 api:
119 tls:
120 crt: null
121 key: null
122 identity: 138 identity:
123 name: keystone 139 name: keystone
124 namespace: null 140 namespace: null
@@ -130,6 +146,14 @@ endpoints:
130 project_name: admin 146 project_name: admin
131 user_domain_name: default 147 user_domain_name: default
132 project_domain_name: default 148 project_domain_name: default
149 webhook:
150 region_name: RegionOne
151 username: webhook
152 password: password
153 project_name: service
154 user_domain_name: default
155 project_domain_name: default
156 role: admin
133 hosts: 157 hosts:
134 default: keystone 158 default: keystone
135 internal: keystone-api 159 internal: keystone-api
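Review bot: The new `identity.auth.webhook` block ships a default `password: password` together with `role: admin`, so a deployment that does not override these values ends up with a guessable Keystone account that holds the admin role on the `service` project (the `webhook-apiserver-ks-user` job listed under `dependencies` presumably creates the user from exactly these values). At minimum the password should default to a value that forces an override, e.g. `password: null` with a `required` guard in secret-keystone.yaml, and the role should be the least one that lets the webhook validate tokens rather than `admin`. If the chart's convention is to keep a non-empty default here, a comment such as `# NOTE: override in environment values; the ks-user job creates this account with the role below` next to the block would at least flag the footgun.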
@@ -143,22 +167,6 @@ endpoints:
143 api: 167 api:
144 default: 80 168 default: 80
145 internal: 5000 169 internal: 5000
146 kubernetes_keystone_webhook:
147 namespace: null
148 name: k8sksauth
149 hosts:
150 default: k8sksauth-api
151 public: k8sksauth
152 host_fqdn_override:
153 default: null
154 path:
155 default: /webhook
156 scheme:
157 default: https
158 port:
159 api:
160 default: 8443
161 public: 443
162 etcd: 170 etcd:
163 name: etcd 171 name: etcd
164 namespace: kube-system 172 namespace: kube-system
@@ -182,6 +190,14 @@ pod:
182 replicas: 190 replicas:
183 apiserver: 1 191 apiserver: 1
184 api: 1 192 api: 1
193 probes:
194 readinessProbe:
195 initialDelaySeconds: 5
196 periodSeconds: 10
197 livenessProbe:
198 failureThreshold: 3
199 initialDelaySeconds: 15
200 periodSeconds: 20
185 lifecycle: 201 lifecycle:
186 upgrades: 202 upgrades:
187 daemonsets: 203 daemonsets:
@@ -232,6 +248,12 @@ pod:
232 init_container: null 248 init_container: null
233 kubernetes_keystone_webhook_tests: null 249 kubernetes_keystone_webhook_tests: null
234conf: 250conf:
251 paths:
252 base: '/etc/webhook_apiserver/'
253 pki: '/etc/webhook_apiserver/pki'
254 conf: '/etc/webhook_apiserver/webhook.kubeconfig'
255 policy: '/etc/webhook_apiserver/conf/policy.json'
256 sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
235 policy: 257 policy:
236 - resource: 258 - resource:
237 verbs: 259 verbs:
@@ -273,23 +295,35 @@ conf:
273 - "*" 295 - "*"
274 resources: 296 resources:
275 - "*" 297 - "*"
276 namespace: "openstack" 298 namespace: "ucp"
277 version: "*" 299 version: "*"
278 match: 300 match:
279 - type: project 301 - type: project
280 values: 302 values:
281 - openstack-system 303 - ucp-admin
304 - airship-admin
305
306dependencies:
307 static:
308 ks_user:
309 services:
310 - service: identity
311 endpoint: internal
312 api:
313 jobs:
314 - webhook-apiserver-ks-user
315 services:
316 - service: identity
317 endpoint: internal
282 318
283manifests: 319manifests:
284 configmap_bin: true 320 configmap_bin: true
285 configmap_certs: true 321 configmap_certs: true
286 configmap_etc: true 322 configmap_etc: true
323 job_ks_user: true
287 deployment: true 324 deployment: true
288 ingress_api: false 325 ingress_api: true
289 pod_test: false 326 pod_test: false
290 kubernetes_apiserver: true 327 secret_keystone: true
291 secret: true 328 secret_tls: true
292 secret_ingress_tls: false
293 secret_webhook: true
294 service: true 329 service: true
295 service_ingress: false
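Review bot: `manifests.ingress_api` flips from `false` to `true`, and combined with `network.api.ingress.public: true` earlier in this file a default install now publishes the apiserver through the cluster ingress, backed by the `apiserver-webhook-public` TLS secret whose material defaults to `placeholder`; publishing an API server by default is a stronger exposure than the previous opt-in, so either keep `ingress_api: false` or document it with a comment like `# NOTE: creates a public Ingress for the apiserver; requires real TLS material in secrets.tls.webhook_apiserver.api.public`. The policy entry whose `match` now names the `ucp-admin` and `airship-admin` projects grants `*` verbs on `*` resources in namespace `ucp` (that entry starts above this hunk) and deserves a comment explaining why two projects need full access. The `secret_ingress_tls` and `service_ingress` flags are removed rather than deprecated, so environment overrides that still set them become silent no-ops; that is worth a line in the chart's upgrade notes.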