Extend webhook-enabled apiserver chart
- Updates to the webhook-enabled apiserver chart to properly support certificate trust and allow for fragmented CAs for better security. Change-Id: I56dee9d1ca4e0807d89ce6b0f3ab3fb5d4ea8c67
This commit is contained in:
parent
4018bea1f8
commit
0e813a04b9
@ -18,9 +18,20 @@ limitations under the License.
|
|||||||
|
|
||||||
set -xe
|
set -xe
|
||||||
|
|
||||||
|
SERVER_CERT_FILE=${SERVER_CERT_FILE:-"/etc/webhook_apiserver/pki/tls.crt"}
|
||||||
|
SERVER_KEY_FILE=${SERVER_KEY_FILE:-"/etc/webhook_apiserver/pki/tls.key"}
|
||||||
|
POLICY_FILE=${POLICY_FILE:-"/etc/webhook_apiserver/policy.json"}
|
||||||
|
SERVER_PORT=${SERVER_PORT:-"8443"}
|
||||||
|
KEYSTONE_CA_FILE=${KEYSTONE_CA_FILE:-"/etc/webhook_apiserver/pki/keystone.pem"}
|
||||||
|
|
||||||
exec /bin/k8s-keystone-auth \
|
exec /bin/k8s-keystone-auth \
|
||||||
--tls-cert-file /opt/kubernetes-keystone-webhook/pki/tls.crt \
|
--v 5 \
|
||||||
--tls-private-key-file /opt/kubernetes-keystone-webhook/pki/tls.key \
|
--tls-cert-file "${SERVER_CERT_FILE}" \
|
||||||
--keystone-policy-file /etc/kubernetes-keystone-webhook/policy.json \
|
--tls-private-key-file "${SERVER_KEY_FILE}" \
|
||||||
--listen 127.0.0.1:8443 \
|
--keystone-policy-file "${POLICY_FILE}" \
|
||||||
|
--listen "127.0.0.1:${SERVER_PORT}" \
|
||||||
|
{{- if hasKey .Values.certificates "keystone" }}
|
||||||
|
--keystone-ca-file "${KEYSTONE_CA_FILE}" \
|
||||||
|
{{- end }}
|
||||||
--keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
--keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||||
|
|
||||||
|
@ -16,13 +16,15 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.configmap_bin }}
|
{{- if .Values.manifests.configmap_bin }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ .Values.service.name }}-bin
|
name: {{ .Release.Name }}-bin
|
||||||
data:
|
data:
|
||||||
webhook_start.sh: |
|
ks-user.sh: |-
|
||||||
|
{{- include "helm-toolkit.scripts.keystone_user" $envAll | indent 4 }}
|
||||||
|
webhook_start.sh: |-
|
||||||
{{ tuple "bin/_webhook_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "bin/_webhook_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
|
...
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -1,31 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.configmap_certs }}
|
|
||||||
{{- $envAll := . }}
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: {{ .Values.service.name }}-certs
|
|
||||||
data:
|
|
||||||
cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
|
|
||||||
apiserver.pem: {{ .Values.secrets.tls.cert | quote }}
|
|
||||||
etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
|
|
||||||
etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
|
|
||||||
service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
|
|
||||||
{{- end }}
|
|
@ -21,8 +21,9 @@ limitations under the License.
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ .Values.service.name }}-etc
|
name: {{ .Release.Name }}-etc
|
||||||
data:
|
data:
|
||||||
|
service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
|
||||||
webhook.kubeconfig: |
|
webhook.kubeconfig: |
|
||||||
{{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
{{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
|
||||||
policy.json: |
|
policy.json: |
|
||||||
|
@ -14,13 +14,94 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
These local.* templates may be moved out of this chart into helm-toolkit
|
||||||
|
in the future if there is desire to generalize this pattern. Otherwise
|
||||||
|
in the future they will be moved into a separate helpers file.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- define "local.tls_volume_name" -}}
|
||||||
|
{{- $group := index . 0 -}}
|
||||||
|
{{- $type := index . 1 -}}
|
||||||
|
tls-{{ $group | replace "_" "-" }}-{{ $type | replace "_" "-" }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- define "local.attach_all_bundles" }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
{{- range $group, $certs := $envAll.Values.certificates }}
|
||||||
|
{{- range $type, $bundle := . }}
|
||||||
|
{{ tuple $group $type $envAll | include "local.attach_cert_bundle" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "local.attach_cert_bundle" }}
|
||||||
|
{{- $group := index . 0 }}
|
||||||
|
{{- $type := index . 1 }}
|
||||||
|
{{- $envAll := index . 2 }}
|
||||||
|
- name: {{ tuple $group $type | include "local.tls_volume_name" }}
|
||||||
|
secret:
|
||||||
|
secretName: {{ tuple $group $type $envAll | include "local.tls_secret_name" }}
|
||||||
|
defaultMode: 0444
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
|
{{- define "local.mount_all_bundles" }}
|
||||||
|
{{- $basepath := index . 0 }}
|
||||||
|
{{- $envAll := index . 1 }}
|
||||||
|
{{- range $group, $certs := $envAll.Values.certificates }}
|
||||||
|
{{- range $type, $bundle := . }}
|
||||||
|
{{ tuple $group $type $basepath $envAll | include "local.mount_cert_bundle" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "local.mount_cert_bundle" }}
|
||||||
|
{{- $group := index . 0 }}
|
||||||
|
{{- $type := index . 1 }}
|
||||||
|
{{- $basepath := index . 2 }}
|
||||||
|
{{- $envAll := index . 3 }}
|
||||||
|
{{- $bundle := index $envAll.Values "certificates" $group $type }}
|
||||||
|
{{- range tuple "ca" "cert" "key" }}
|
||||||
|
{{- if hasKey $bundle . }}
|
||||||
|
{{ tuple $group $type . $basepath $envAll | include "local.mount_cert_file" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "local.mount_cert_file" }}
|
||||||
|
{{- $group := index . 0 }}
|
||||||
|
{{- $type := index . 1 }}
|
||||||
|
{{- $member := index . 2 }}
|
||||||
|
{{- $basepath := index . 3 }}
|
||||||
|
{{- $envAll := index . 4 }}
|
||||||
|
- name: {{ tuple $group $type | include "local.tls_volume_name" }}
|
||||||
|
mountPath: {{ tuple $group $type $basepath $member $envAll | include "local.cert_bundle_path" }}
|
||||||
|
{{- if eq $member "ca" }}
|
||||||
|
subPath: ca.crt
|
||||||
|
{{- else if eq $member "cert" }}
|
||||||
|
subPath: tls.crt
|
||||||
|
{{- else if eq $member "key" }}
|
||||||
|
subPath: tls.key
|
||||||
|
{{- end }}
|
||||||
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{- define "local.cert_bundle_path" -}}
|
||||||
|
{{- $group := index . 0 -}}
|
||||||
|
{{- $type := index . 1 -}}
|
||||||
|
{{- $basepath := index . 2 -}}
|
||||||
|
{{- $member := index . 3 -}}
|
||||||
|
{{- $envAll := index . 4 -}}
|
||||||
|
{{ $basepath }}/{{ $group }}-{{ $type }}-{{ $member }}.pem
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
{{- if .Values.manifests.deployment }}
|
{{- if .Values.manifests.deployment }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: kubernetes-keystone-webhook
|
name: {{ .Release.Name }}-apiserver-webhook
|
||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
@ -36,7 +117,7 @@ spec:
|
|||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirst
|
||||||
containers:
|
containers:
|
||||||
- name: apiserver
|
- name: apiserver
|
||||||
image: {{ .Values.images.tags.apiserver }}
|
image: {{ .Values.images.tags.apiserver }}
|
||||||
@ -50,93 +131,117 @@ spec:
|
|||||||
valueFrom:
|
valueFrom:
|
||||||
fieldRef:
|
fieldRef:
|
||||||
fieldPath: spec.nodeName
|
fieldPath: spec.nodeName
|
||||||
|
|
||||||
command:
|
command:
|
||||||
{{- range .Values.command_prefix }}
|
{{- range .Values.command_prefix }}
|
||||||
- {{ . }}
|
- {{ . }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
- --service-cluster-ip-range={{ $envAll.Values.network.service_cidr }}
|
||||||
- --authorization-mode=Webhook
|
- --authorization-mode=Webhook
|
||||||
- --advertise-address=$(POD_IP)
|
- --advertise-address=$(POD_IP)
|
||||||
- --anonymous-auth=false
|
- --anonymous-auth=false
|
||||||
- --endpoint-reconciler-type=none
|
- --endpoint-reconciler-type=none
|
||||||
- --bind-address=0.0.0.0
|
- --bind-address=$(POD_IP)
|
||||||
- --secure-port={{ .Values.network.kubernetes_apiserver.port }}
|
- --secure-port={{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
- --insecure-port=0
|
- --insecure-port=0
|
||||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --tls-cert-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
|
||||||
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --tls-private-key-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
|
||||||
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
|
||||||
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||||
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
- --kubelet-certificate-authority={{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }}
|
||||||
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
|
- --kubelet-client-certificate={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
|
||||||
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
|
- --kubelet-client-key={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
|
||||||
- --etcd-servers={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
- --etcd-servers={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||||
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
- --etcd-cafile={{ tuple "etcd" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }}
|
||||||
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
|
- --etcd-certfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
|
||||||
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
|
- --etcd-keyfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
|
||||||
- --allow-privileged=true
|
- --allow-privileged=true
|
||||||
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
|
- --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
|
||||||
- --authentication-token-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig
|
- --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
|
||||||
- --authorization-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig
|
- --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
|
||||||
ports:
|
|
||||||
- containerPort: {{ .Values.network.kubernetes_apiserver.port }}
|
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
port: 6443
|
port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
initialDelaySeconds: 5
|
{{ $envAll.Values.pod.probes.readinessProbe | toYaml | indent 12 }}
|
||||||
periodSeconds: 10
|
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
port: 6443
|
port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
failureThreshold: 3
|
{{ $envAll.Values.pod.probes.livenessProbe | toYaml | indent 12 }}
|
||||||
initialDelaySeconds: 15
|
|
||||||
periodSeconds: 20
|
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: etc
|
- name: etc-apiserver
|
||||||
mountPath: /etc/kubernetes/apiserver
|
mountPath: {{ $envAll.Values.conf.paths.base }}
|
||||||
- name: {{ .Values.service.name }}-etc
|
- name: etc-apiserver-pki
|
||||||
mountPath: /etc/kubernetes/apiserver/webhook.kubeconfig
|
mountPath: {{ $envAll.Values.conf.paths.pki }}
|
||||||
|
- name: configmap-etc
|
||||||
|
mountPath: {{ $envAll.Values.conf.paths.sapubkey }}
|
||||||
|
subPath: service-account.pub
|
||||||
|
readOnly: true
|
||||||
|
- name: configmap-etc
|
||||||
|
mountPath: {{ $envAll.Values.conf.paths.conf }}
|
||||||
subPath: webhook.kubeconfig
|
subPath: webhook.kubeconfig
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: kubernetes-keystone-webhook
|
{{ tuple "keystone_webhook" "server" "ca" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_file" | indent 12 }}
|
||||||
|
{{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
|
{{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
|
{{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
|
{{ tuple "etcd" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
|
{{ tuple "etcd" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
|
- name: webhook
|
||||||
{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||||
command:
|
command:
|
||||||
- /tmp/webhook_start.sh
|
- /tmp/webhook_start.sh
|
||||||
|
env:
|
||||||
|
{{- with $env := dict "ksUserSecret" .Values.secrets.identity.webhook }}
|
||||||
|
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
|
- name: SERVER_CERT_FILE
|
||||||
|
value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" | quote }}
|
||||||
|
- name: SERVER_KEY_FILE
|
||||||
|
value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" | quote }}
|
||||||
|
- name: POLICY_FILE
|
||||||
|
value: {{ $envAll.Values.conf.paths.policy | quote }}
|
||||||
|
- name: SERVER_PORT
|
||||||
|
value: {{ tuple "webhook_apiserver" "podport" "webhook" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
|
||||||
|
{{- if hasKey .Values.certificates "keystone" }}
|
||||||
|
- name: KEYSTONE_CA_FILE
|
||||||
|
value: {{ tuple "keystone" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" | quote }}
|
||||||
|
{{- end }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: etc-kubernetes-keystone-webhook
|
- name: etc-webhook
|
||||||
mountPath: /etc/kubernetes-keystone-webhook
|
mountPath: {{ $envAll.Values.conf.paths.base }}
|
||||||
- name: key-kubernetes-keystone-webhook
|
- name: etc-webhook-pki
|
||||||
mountPath: /opt/kubernetes-keystone-webhook/pki/tls.crt
|
mountPath: {{ $envAll.Values.conf.paths.pki }}
|
||||||
subPath: tls.crt
|
- name: configmap-etc
|
||||||
readOnly: true
|
mountPath: {{ $envAll.Values.conf.paths.policy }}
|
||||||
- name: key-kubernetes-keystone-webhook
|
|
||||||
mountPath: /opt/kubernetes-keystone-webhook/pki/tls.key
|
|
||||||
subPath: tls.key
|
|
||||||
readOnly: true
|
|
||||||
- name: {{ .Values.service.name }}-etc
|
|
||||||
mountPath: /etc/kubernetes-keystone-webhook/policy.json
|
|
||||||
subPath: policy.json
|
subPath: policy.json
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: {{ .Values.service.name }}-bin
|
- name: configmap-bin
|
||||||
mountPath: /tmp/webhook_start.sh
|
mountPath: /tmp/webhook_start.sh
|
||||||
subPath: webhook_start.sh
|
subPath: webhook_start.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: etc
|
{{- if hasKey .Values.certificates "keystone" }}
|
||||||
hostPath:
|
{{ tuple "keystone" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
|
||||||
path: {{ .Values.apiserver.host_etc_path }}
|
{{- end }}
|
||||||
- name: etc-kubernetes-keystone-webhook
|
{{ include "local.attach_all_bundles" $envAll | indent 8 }}
|
||||||
emptyDir: {}
|
- name: etc-apiserver
|
||||||
- name: key-kubernetes-keystone-webhook
|
emptyDir: {}
|
||||||
secret:
|
- name: etc-apiserver-pki
|
||||||
secretName: {{ $envAll.Values.secrets.certificates.api }}
|
emptyDir: {}
|
||||||
defaultMode: 0444
|
- name: etc-webhook
|
||||||
- name: {{ .Values.service.name }}-etc
|
emptyDir: {}
|
||||||
configMap:
|
- name: etc-webhook-pki
|
||||||
name: {{ .Values.service.name }}-etc
|
emptyDir: {}
|
||||||
defaultMode: 0444
|
- name: configmap-etc
|
||||||
- name: {{ .Values.service.name }}-bin
|
configMap:
|
||||||
configMap:
|
name: {{ .Release.Name }}-etc
|
||||||
name: {{ .Values.service.name }}-bin
|
defaultMode: 0444
|
||||||
defaultMode: 0555
|
- name: configmap-bin
|
||||||
|
configMap:
|
||||||
|
name: {{ .Release.Name }}-bin
|
||||||
|
defaultMode: 0555
|
||||||
|
- name: tls-apiserver-webhook-public-server
|
||||||
|
secret:
|
||||||
|
defaultMode: 292
|
||||||
|
secretName: {{ .Values.secrets.tls.webhook_apiserver.api.public }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -1,34 +0,0 @@
|
|||||||
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
# you may not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
clusters:
|
|
||||||
- cluster:
|
|
||||||
server: https://127.0.0.1:{{ .Values.network.kubernetes_apiserver.port }}
|
|
||||||
certificate-authority: pki/cluster-ca.pem
|
|
||||||
name: kubernetes
|
|
||||||
contexts:
|
|
||||||
- context:
|
|
||||||
cluster: kubernetes
|
|
||||||
user: apiserver
|
|
||||||
name: apiserver@kubernetes
|
|
||||||
current-context: apiserver@kubernetes
|
|
||||||
kind: Config
|
|
||||||
preferences: {}
|
|
||||||
users:
|
|
||||||
- name: apiserver
|
|
||||||
user:
|
|
||||||
client-certificate: pki/apiserver.pem
|
|
||||||
client-key: pki/apiserver-key.pem
|
|
@ -2,7 +2,8 @@ apiVersion: v1
|
|||||||
clusters:
|
clusters:
|
||||||
- cluster:
|
- cluster:
|
||||||
insecure-skip-tls-verify: false
|
insecure-skip-tls-verify: false
|
||||||
server: https://127.0.0.1:8443/webhook
|
server: https://127.0.0.1:{{ tuple "webhook_apiserver" "podport" "webhook" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/webhook
|
||||||
|
certificate-authority: {{ tuple "keystone_webhook" "server" .Values.conf.paths.pki "ca" . | include "local.cert_bundle_path" | quote }}
|
||||||
name: webhook
|
name: webhook
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
|
@ -15,7 +15,7 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.ingress_api .Values.network.kubernetes_apiserver.ingress.public }}
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
||||||
{{- $ingressOpts := dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" "backendPort" "https" -}}
|
{{- $ingressOpts := dict "envAll" . "backendServiceType" "webhook_apiserver" "backendPort" "https" -}}
|
||||||
{{- $ingressOpts | include "helm-toolkit.manifests.ingress" -}}
|
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
{{/*
|
{{/*
|
||||||
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
|
Copyright 2018 AT&T Intellectual Property. All other rights reserved.
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
@ -14,15 +14,8 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if .Values.manifests.secret }}
|
{{- if .Values.manifests.job_ks_user }}
|
||||||
{{- $envAll := . }}
|
{{ $cm_name := printf "%s-bin" .Release.Name }}
|
||||||
---
|
{{- $ksUserJob := dict "envAll" . "serviceName" "webhook_apiserver" "configMapBin" $cm_name "serviceUser" "webhook" -}}
|
||||||
apiVersion: v1
|
{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: {{ .Values.service.name }}-keys
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
|
|
||||||
etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
|
|
||||||
{{- end }}
|
{{- end }}
|
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.secret_ingress_tls }}
|
|
||||||
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" ) }}
|
|
||||||
{{- end }}
|
|
@ -16,7 +16,7 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.secret_keystone }}
|
{{- if .Values.manifests.secret_keystone }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- range $key1, $userClass := tuple "admin" }}
|
{{- range $key1, $userClass := tuple "admin" "webhook" }}
|
||||||
{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
|
{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
|
73
charts/apiserver-webhook/templates/secret-tls.yaml
Normal file
73
charts/apiserver-webhook/templates/secret-tls.yaml
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- define "local.tls_secret_name" -}}
|
||||||
|
{{- $group := index . 0 -}}
|
||||||
|
{{- $type := index . 1 -}}
|
||||||
|
{{- $envAll := index . 2 -}}
|
||||||
|
{{ printf "%s-%s-%s" $envAll.Release.Name $group $type | replace "_" "-" }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- define "local.tls_secret" }}
|
||||||
|
{{- $group := index . 0 }}
|
||||||
|
{{- $type := index . 1 }}
|
||||||
|
{{- $bundle := index . 2 }}
|
||||||
|
{{- $envAll := index . 3 }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ tuple $group $type $envAll | include "local.tls_secret_name" }}
|
||||||
|
namespace: {{ $envAll.Release.Namespace }}
|
||||||
|
type: opaque
|
||||||
|
data:
|
||||||
|
{{- if hasKey $bundle "ca" }}
|
||||||
|
ca.crt: |-
|
||||||
|
{{ $bundle.ca | b64enc | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if hasKey $bundle "cert" }}
|
||||||
|
tls.crt: |-
|
||||||
|
{{ $bundle.cert | b64enc | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if hasKey $bundle "key" }}
|
||||||
|
tls.key: |-
|
||||||
|
{{ $bundle.key | b64enc | indent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
...
|
||||||
|
{{- end -}}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ .Values.secrets.tls.webhook_apiserver.api.public }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
type: opaque
|
||||||
|
data:
|
||||||
|
ca.crt: |-
|
||||||
|
{{ .Values.secrets.tls.webhook_apiserver.api.server.ca | b64enc | indent 4 }}
|
||||||
|
tls.crt: |-
|
||||||
|
{{ .Values.secrets.tls.webhook_apiserver.api.server.cert | b64enc | indent 4 }}
|
||||||
|
tls.key: |-
|
||||||
|
{{ .Values.secrets.tls.webhook_apiserver.api.server.key | b64enc | indent 4 }}
|
||||||
|
...
|
||||||
|
{{- if .Values.manifests.secret_tls }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
{{- range $group, $certs := .Values.certificates }}
|
||||||
|
{{- range $type, $bundle := $certs }}
|
||||||
|
{{ tuple $group $type $bundle $envAll | include "local.tls_secret" }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
@ -1,28 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2018 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.secret_webhook }}
|
|
||||||
{{- $envAll := . }}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: {{ $envAll.Values.secrets.certificates.api }}
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
tls.crt: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.crt | default "" | b64enc }}
|
|
||||||
tls.key: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.key | default "" | b64enc }}
|
|
||||||
{{- end }}
|
|
@ -1,6 +1,5 @@
|
|||||||
{{/*
|
{{/*
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
you may not use this file except in compliance with the License.
|
you may not use this file except in compliance with the License.
|
||||||
@ -15,7 +14,8 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if and .Values.manifests.service_ingress .Values.network.kubernetes_apiserver.ingress.public }}
|
{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
|
||||||
{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "kubernetes-keystone-webhook" -}}
|
{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "webhook_apiserver" -}}
|
||||||
{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
|
{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
@ -20,15 +20,15 @@ limitations under the License.
|
|||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ .Values.service.name }}
|
name: {{ tuple "webhook_apiserver" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||||
annotations:
|
annotations:
|
||||||
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
|
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
|
||||||
spec:
|
spec:
|
||||||
ports:
|
ports:
|
||||||
- name: https
|
- name: https
|
||||||
port: {{ .Values.network.kubernetes_apiserver.port }}
|
port: {{ tuple "webhook_apiserver" "default" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
targetPort: {{ .Values.network.kubernetes_apiserver.port }}
|
targetPort: {{ tuple "webhook_apiserver" "podport" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||||
selector:
|
selector:
|
||||||
{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -21,6 +21,7 @@ images:
|
|||||||
scripted_test: docker.io/openstackhelm/heat:newton
|
scripted_test: docker.io/openstackhelm/heat:newton
|
||||||
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
|
||||||
image_repo_sync: docker.io/docker:17.07.0
|
image_repo_sync: docker.io/docker:17.07.0
|
||||||
|
ks_user: docker.io/openstackhelm/heat:ocata
|
||||||
pull_policy: IfNotPresent
|
pull_policy: IfNotPresent
|
||||||
local_registry:
|
local_registry:
|
||||||
active: false
|
active: false
|
||||||
@ -30,80 +31,101 @@ images:
|
|||||||
|
|
||||||
labels:
|
labels:
|
||||||
kubernetes_apiserver:
|
kubernetes_apiserver:
|
||||||
node_selector_key: kubernetes-apiserver
|
node_selector_key: apiserver-webhook
|
||||||
|
node_selector_value: enabled
|
||||||
|
job:
|
||||||
|
node_selector_key: apiserver-webhook
|
||||||
node_selector_value: enabled
|
node_selector_value: enabled
|
||||||
|
|
||||||
command_prefix:
|
command_prefix:
|
||||||
- /apiserver
|
- /apiserver
|
||||||
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
|
||||||
- --service-cluster-ip-range=10.96.0.0/16
|
|
||||||
- --v=5
|
- --v=5
|
||||||
|
|
||||||
apiserver:
|
|
||||||
host_etc_path: /etc/kubernetes/apiserver
|
|
||||||
|
|
||||||
network:
|
network:
|
||||||
kubernetes_apiserver:
|
pod_cidr: '10.97.0.0/16'
|
||||||
|
service_cidr: '10.96.0.0/16'
|
||||||
|
api:
|
||||||
ingress:
|
ingress:
|
||||||
public: true
|
public: true
|
||||||
classes:
|
classes:
|
||||||
namespace: "nginx-cluster"
|
namespace: "nginx"
|
||||||
cluster: "nginx-cluster"
|
cluster: "nginx-cluster"
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
|
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
|
||||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||||
nginx.ingress.kubernetes.io/secure-backends: "true"
|
nginx.ingress.kubernetes.io/secure-backends: "true"
|
||||||
name: kubernetes-apiserver
|
name: webhook_apiserver
|
||||||
port: 6443
|
#
|
||||||
node_port:
|
# Insert TLS certificates, keys and CAs
|
||||||
enabled: false
|
# here. Server is for server-terminated TLS (basic)
|
||||||
port: 31943
|
# and client is for mTLS. Each group of certificates
|
||||||
|
# will generate two secrets <groupname>-client and <groupname>-server
|
||||||
service:
|
# built to the kubernetes.io/tls secret type with keys 'tls.crt', 'tls.key'
|
||||||
name: kubernetes-webhook-apiserver
|
# and 'ca.crt'
|
||||||
ip: null
|
#
|
||||||
|
certificates:
|
||||||
|
apiserver_webhook_pod:
|
||||||
|
server:
|
||||||
|
cert: placeholder
|
||||||
|
key: placeholder
|
||||||
|
ca: placeholder
|
||||||
|
keystone_webhook:
|
||||||
|
server:
|
||||||
|
cert: placeholder
|
||||||
|
key: placeholder
|
||||||
|
ca: placeholder
|
||||||
|
kubelet:
|
||||||
|
client:
|
||||||
|
cert: placeholder
|
||||||
|
key: placeholder
|
||||||
|
server:
|
||||||
|
ca: placeholder
|
||||||
|
etcd:
|
||||||
|
client:
|
||||||
|
cert: placeholder
|
||||||
|
key: placeholder
|
||||||
|
server:
|
||||||
|
ca: placeholder
|
||||||
|
|
||||||
secrets:
|
secrets:
|
||||||
tls:
|
|
||||||
ca: placeholder
|
|
||||||
cert: placeholder
|
|
||||||
key: placeholder
|
|
||||||
service_account:
|
service_account:
|
||||||
public_key: placeholder
|
public_key: placeholder
|
||||||
etcd:
|
identity:
|
||||||
|
admin: apiserver-webhook-keystone-creds-admin
|
||||||
|
webhook: apiserver-webhook-keystone-creds-webhook
|
||||||
tls:
|
tls:
|
||||||
ca: placeholder
|
webhook_apiserver:
|
||||||
|
api:
|
||||||
|
public: apiserver-webhook-public
|
||||||
|
server:
|
||||||
cert: placeholder
|
cert: placeholder
|
||||||
key: placeholder
|
key: placeholder
|
||||||
identity:
|
ca: placeholder
|
||||||
admin: kubernetes-keystone-webhook-admin
|
|
||||||
certificates:
|
|
||||||
api: kubernetes-keystone-webhook-certs
|
|
||||||
|
|
||||||
kubernetes_keystone_webhook:
|
|
||||||
port: 8443
|
|
||||||
endpoints: https://k8sksauth-api.kube-system.svc.cluster.local
|
|
||||||
|
|
||||||
# typically overriden by environmental
|
# typically overriden by environmental
|
||||||
# values, but should include all endpoints
|
# values, but should include all endpoints
|
||||||
# required by this chart
|
# required by this chart
|
||||||
endpoints:
|
endpoints:
|
||||||
cluster_domain_suffix: cluster.local
|
cluster_domain_suffix: cluster.local
|
||||||
kubernetes_apiserver:
|
webhook_apiserver:
|
||||||
name: kubernetes-webhook-apiserver
|
name: webhook_apiserver
|
||||||
hosts:
|
hosts:
|
||||||
default: keystone
|
default: apiserver-webhook
|
||||||
internal: keystone-api
|
internal: apiserver-webhook-int
|
||||||
port:
|
port:
|
||||||
https:
|
api:
|
||||||
default: 6443
|
default: 6443
|
||||||
public: 443
|
public: 443
|
||||||
|
webhook:
|
||||||
|
podport: 8443
|
||||||
path:
|
path:
|
||||||
default: /
|
default: /
|
||||||
|
webhook: /webhook
|
||||||
scheme:
|
scheme:
|
||||||
default: http
|
default: https
|
||||||
public: http
|
public: https
|
||||||
host_fqdn_override:
|
host_fqdn_override:
|
||||||
default: null
|
default: null
|
||||||
# NOTE: this chart supports TLS for fqdn over-ridden public
|
# NOTE: this chart supports TLS for fqdn over-ridden public
|
||||||
@ -113,12 +135,6 @@ endpoints:
|
|||||||
# tls:
|
# tls:
|
||||||
# crt: null
|
# crt: null
|
||||||
# key: null
|
# key: null
|
||||||
kubernetes:
|
|
||||||
auth:
|
|
||||||
api:
|
|
||||||
tls:
|
|
||||||
crt: null
|
|
||||||
key: null
|
|
||||||
identity:
|
identity:
|
||||||
name: keystone
|
name: keystone
|
||||||
namespace: null
|
namespace: null
|
||||||
@ -130,6 +146,14 @@ endpoints:
|
|||||||
project_name: admin
|
project_name: admin
|
||||||
user_domain_name: default
|
user_domain_name: default
|
||||||
project_domain_name: default
|
project_domain_name: default
|
||||||
|
webhook:
|
||||||
|
region_name: RegionOne
|
||||||
|
username: webhook
|
||||||
|
password: password
|
||||||
|
project_name: service
|
||||||
|
user_domain_name: default
|
||||||
|
project_domain_name: default
|
||||||
|
role: admin
|
||||||
hosts:
|
hosts:
|
||||||
default: keystone
|
default: keystone
|
||||||
internal: keystone-api
|
internal: keystone-api
|
||||||
@ -143,22 +167,6 @@ endpoints:
|
|||||||
api:
|
api:
|
||||||
default: 80
|
default: 80
|
||||||
internal: 5000
|
internal: 5000
|
||||||
kubernetes_keystone_webhook:
|
|
||||||
namespace: null
|
|
||||||
name: k8sksauth
|
|
||||||
hosts:
|
|
||||||
default: k8sksauth-api
|
|
||||||
public: k8sksauth
|
|
||||||
host_fqdn_override:
|
|
||||||
default: null
|
|
||||||
path:
|
|
||||||
default: /webhook
|
|
||||||
scheme:
|
|
||||||
default: https
|
|
||||||
port:
|
|
||||||
api:
|
|
||||||
default: 8443
|
|
||||||
public: 443
|
|
||||||
etcd:
|
etcd:
|
||||||
name: etcd
|
name: etcd
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
@ -182,6 +190,14 @@ pod:
|
|||||||
replicas:
|
replicas:
|
||||||
apiserver: 1
|
apiserver: 1
|
||||||
api: 1
|
api: 1
|
||||||
|
probes:
|
||||||
|
readinessProbe:
|
||||||
|
initialDelaySeconds: 5
|
||||||
|
periodSeconds: 10
|
||||||
|
livenessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
initialDelaySeconds: 15
|
||||||
|
periodSeconds: 20
|
||||||
lifecycle:
|
lifecycle:
|
||||||
upgrades:
|
upgrades:
|
||||||
daemonsets:
|
daemonsets:
|
||||||
@ -232,6 +248,12 @@ pod:
|
|||||||
init_container: null
|
init_container: null
|
||||||
kubernetes_keystone_webhook_tests: null
|
kubernetes_keystone_webhook_tests: null
|
||||||
conf:
|
conf:
|
||||||
|
paths:
|
||||||
|
base: '/etc/webhook_apiserver/'
|
||||||
|
pki: '/etc/webhook_apiserver/pki'
|
||||||
|
conf: '/etc/webhook_apiserver/webhook.kubeconfig'
|
||||||
|
policy: '/etc/webhook_apiserver/conf/policy.json'
|
||||||
|
sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
|
||||||
policy:
|
policy:
|
||||||
- resource:
|
- resource:
|
||||||
verbs:
|
verbs:
|
||||||
@ -273,23 +295,35 @@ conf:
|
|||||||
- "*"
|
- "*"
|
||||||
resources:
|
resources:
|
||||||
- "*"
|
- "*"
|
||||||
namespace: "openstack"
|
namespace: "ucp"
|
||||||
version: "*"
|
version: "*"
|
||||||
match:
|
match:
|
||||||
- type: project
|
- type: project
|
||||||
values:
|
values:
|
||||||
- openstack-system
|
- ucp-admin
|
||||||
|
- airship-admin
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
static:
|
||||||
|
ks_user:
|
||||||
|
services:
|
||||||
|
- service: identity
|
||||||
|
endpoint: internal
|
||||||
|
api:
|
||||||
|
jobs:
|
||||||
|
- webhook-apiserver-ks-user
|
||||||
|
services:
|
||||||
|
- service: identity
|
||||||
|
endpoint: internal
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_certs: true
|
configmap_certs: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
|
job_ks_user: true
|
||||||
deployment: true
|
deployment: true
|
||||||
ingress_api: false
|
ingress_api: true
|
||||||
pod_test: false
|
pod_test: false
|
||||||
kubernetes_apiserver: true
|
secret_keystone: true
|
||||||
secret: true
|
secret_tls: true
|
||||||
secret_ingress_tls: false
|
|
||||||
secret_webhook: true
|
|
||||||
service: true
|
service: true
|
||||||
service_ingress: false
|
|
||||||
|
Loading…
Reference in New Issue
Block a user