Commit Graph

21 Commits

Author SHA1 Message Date
Sean Eagan ccadbc05b8 Fix chart yaml indentation issue
Signed-off-by: Sean Eagan <seaneagan1@gmail.com>
Change-Id: I884785942ded0f355b9256263cc23b2e01f35bab
2021-09-30 16:53:26 -05:00
ubuntu 183b977754 Fix deprecated warning in Promenade apiserver chart
Removed PersistentVolumeLabel from apiserver to fix below warning.
Deprecated warning:
1. PersistentVolumeLabel admission controller is deprecated.
   Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
   and will be removed in v1.24.

Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
2021-06-29 16:14:17 +00:00
francisy cb1398496d Add hash annotation to apiserver-webhook deployment
Add a hash of the dynamic-config configmap to the annotations of the apiserver-webhook pod metadata, so that a chart upgrade will trigger a pod restart if the configmap contents change

Change-Id: I9c01b71b128e2bc6a5a07e5aa7ba826a4ffa237e
2021-06-10 17:53:22 -04:00
Zuul 0e8fad3fbc Merge "Add "labels" to apiserver-webhook deployment" 2021-05-14 19:27:49 +00:00
Phil Sphicas 9533be32a1 Add required apiserver serviceaccount flags
In v1.20, TokenRequest and TokenRequestProjection become GA features,
and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file

This change ensures that the flags are set, and that the required keys
are in the right places.

Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408
2021-04-30 22:45:43 +00:00
DeJaeger, Darren (dd118r) 774f85248d Add "labels" to apiserver-webhook deployment
Defines a "labels" variable and adds it to the deployment itself. In
addition, reuses said labels variable to replace other parts of the
deployment in which this was repeated. This will clean up the chart
a bit and enable Armada itself to properly wait for certain percentages
of the deployment replicas to be ready prior to proceeding. Prior to
this change, there wasn't a way to select the apiserver-webhook
deployment via labels.

Change-Id: If1ddb4feb8cde414e76a412431222f8f608f3b18
2021-04-30 18:09:46 -04:00
Phil Sphicas c6b62ff414 apiserver(-webhook): Allow volume overrides
The existing apiserver chart supports volume overrides for the anchor
daemonset, but not for the apiserver static pod itself. The feature to
allow volume overrides in the apiserver-webhook chart was never fully
implemented.

This changes allows volume overrides via values.yaml for both charts,
and provides a more complete audit example that includes mounting the
audit log destination as a host path volume.

Change-Id: I27ccf77671a190e8cb6b66d8a9b13c2cde6c9a45
2021-04-21 21:52:29 +00:00
Phil Sphicas de9f8415d7 kube-apiserver: disable http2
There are several kubernetes bugs [0,1,2] involving connection problems
that seem related to the Go net/http2 library, where the stream state
and connection state can get out of sync. This can manifest as a kubelet
issue, where the node status gets stuck in a NotReady state, but can
also happen elsewhere.

In newer versions of the Go libraries some issues are fixed [3,4], but
the fixes are not present in k8s 1.18.

This change disables http2 in kube-apiserver and webhook-apiserver. This
should be sufficient to avoid the majority of the issues, as disabling
on one side of the connection is enough, and apiserver is generally
either the client or the server.

0: https://github.com/kubernetes/kubernetes/issues/87615
1: https://github.com/kubernetes/kubernetes/issues/80313
2: https://github.com/kubernetes/client-go/issues/374
3: https://github.com/golang/go/issues/40423
4: https://github.com/golang/go/issues/40201

Change-Id: Id693a7201acffccbc4b3db8f4e4b96290fd50288
2020-10-23 21:28:51 +00:00
KHIYANI, RAHUL (rk0850) fbaa07a66c Implement helm-toolkit snippet to apiserver and webhook pods/containers
This updates the promenade chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem

Change-Id: I0be613a2617fcc83a8750ece7aae121fae0be839
2020-07-02 14:52:19 +00:00
KHIYANI, RAHUL (rk0850) 8463e61eb7 apiserver-webhook: Add Apparmor runtime default to apiserver-webhook
Change-Id: Ib2376030a2e694c2b359a4bbffdc0bd968ec6310
2020-04-20 21:53:53 +00:00
KHIYANI, RAHUL (rk0850) 1deee87b93 apiserver-webhook: Add container security context
This also adds the container security context to set
readOnlyRootFilesystem flag to true

Change-Id: If61b6f9189a36f069efa80ef1a31b35328a92f1a
2020-02-17 15:06:14 +00:00
Zuul bffa2b0cfd Merge "(fix) add node selector to apiserver-webhook" 2019-09-06 20:40:40 +00:00
Scott Hussey ecfd773506 (charts) Webhook dynamic config
- support a similar dynamic config patter in the apiserver-webhook
  chart as the base apiserver chart

- Update the example values.yaml in apiserver to fully reflect
  configuration of the aggregation API

Change-Id: I85da2512934071fb9d9465ee4b957e18a8e394ad
2019-08-17 13:12:37 -05:00
Crank, Daniel (dc6350) 5c92a11b8a Fixes/updates for webhook-apiserver
a. Adding the same encryption configuration to webhook-apiserver
as is used for kubernetes-apiserver, so it can access secrets
stored in etcd by kubernetes-apiserver.

b. Adding an additional ingress annotation to allow for TLS
access to the Keystone backend.

c. Adding an apt-get clean to Dockerfile as this seems to be
needed to get image building working properly.

This patchset has passed the Promenade resiliency gate.

Change-Id: I7b15779b688458ec0faf2b23700d0c1bc2ede7e6
2019-08-20 09:07:24 -05:00
Luna Das 7f63537f8a Add facility to configure log levels in kubernetes-components
Change-Id: Ib7c481b71818c6673cd0b9c47d282d4a3f42d307
2019-08-14 13:33:21 +05:30
Zuul b417f422e9 Merge "Run apiserver-webhook containers with the 'nobody' user" 2019-07-16 21:58:45 +00:00
Hussey, Scott (sh8121) ca4fb44b97 (fix) add node selector to apiserver-webhook
- Add a nodeSelector stanza to the apiserver-webhook pod
  template
- Add the release_uuid pattern

Change-Id: I2754dffb2931a965335ee0961013e5edd9feee6d
2019-06-21 16:13:33 -05:00
anthony.bellino 90d9601f62 Add pod anti-affinity to apiserver-webhook
This PS adds pod anti-affinity to apiserver-webhook pods,
so that the scheduler can constrain pods against labels on other pods
running on the node. The default soft rule is in place so that if the
scheduler can’t satisfy the requirement, the pod will still
be scheduled.

Change-Id: I8c118410b822d4fed44693b8a0308c8eff103978
2019-05-29 22:11:48 +00:00
BARTRA, RICK 6fcdde451b Run apiserver-webhook containers with the 'nobody' user
The apiserver-webhook containers should run with a non-root user when
possible

Change-Id: Ia56794e4f39423cbb642c3aa518649abc2a51d5c
2019-04-30 20:47:46 +00:00
Scott Hussey 0e813a04b9 Extend webhook-enabled apiserver chart
- Updates to the webhook-enabled apiserver chart to properly
  support certificate trust and allow for fragmented CAs for
  better security.

Change-Id: I56dee9d1ca4e0807d89ce6b0f3ab3fb5d4ea8c67
2018-12-10 18:09:25 +00:00
Gupta, Sangeet (sg774j) ae95ed400e APISERVER for webhook
This commit create an apisever pods with kubernetes keystone webhook
as a side for. The sole purpose of this pods is authentication and
authorization.

Change-Id: I74472576d7dc0da6ac66d7e0a8e1db5fad156952
2018-09-18 15:04:32 -05:00