
Merge "Extend webhook-enabled apiserver chart"

changes/25/625725/1
Zuul 6 months ago
parent
commit
22c58a5cfc

+ 15
- 4
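--- a/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl
+++ b/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl
@@ -18,9 +18,20 @@ limitations under the License.
 
 set -xe
 
+SERVER_CERT_FILE=${SERVER_CERT_FILE:-"/etc/webhook_apiserver/pki/tls.crt"}
+SERVER_KEY_FILE=${SERVER_KEY_FILE:-"/etc/webhook_apiserver/pki/tls.key"}
+POLICY_FILE=${POLICY_FILE:-"/etc/webhook_apiserver/policy.json"}
+SERVER_PORT=${SERVER_PORT:-"8443"}
+KEYSTONE_CA_FILE=${KEYSTONE_CA_FILE:-"/etc/webhook_apiserver/pki/keystone.pem"}
+
 exec /bin/k8s-keystone-auth \
-  --tls-cert-file /opt/kubernetes-keystone-webhook/pki/tls.crt \
-  --tls-private-key-file /opt/kubernetes-keystone-webhook/pki/tls.key \
-  --keystone-policy-file /etc/kubernetes-keystone-webhook/policy.json \
-  --listen 127.0.0.1:8443 \
+  --v 5 \
+  --tls-cert-file "${SERVER_CERT_FILE}" \
+  --tls-private-key-file "${SERVER_KEY_FILE}" \
+  --keystone-policy-file "${POLICY_FILE}" \
+  --listen "127.0.0.1:${SERVER_PORT}" \
+{{- if hasKey .Values.certificates "keystone" }}
+  --keystone-ca-file "${KEYSTONE_CA_FILE}" \
+{{- end }}
   --keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+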
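Review bot: `--v 5` is the only setting in this hunk that stays hard-coded while every path and the port were given an environment-variable override, and a fixed verbose log level on the authentication webhook is the kind of value operators want to turn down in production; `LOG_LEVEL=${LOG_LEVEL:-"5"}` next to the other defaults and `--v "${LOG_LEVEL}" \` would keep the pattern uniform. Separately, the fallback paths (`/etc/webhook_apiserver/pki/tls.crt` and friends) do not follow the `<group>-<type>-<member>.pem` layout that `local.cert_bundle_path` produces for the env values the deployment exports, so the script only works when every variable is set; if the defaults are not meant to be used, `: "${SERVER_CERT_FILE:?must be set}"` fails faster and more clearly than a missing-file error from the binary. The `hasKey .Values.certificates "keystone"` condition here has to stay in step with the identical condition in deployment.yaml, which is what actually exports `KEYSTONE_CA_FILE`.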

+ 5
- 3
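--- a/charts/apiserver-webhook/templates/configmap-bin.yaml
+++ b/charts/apiserver-webhook/templates/configmap-bin.yaml
@@ -16,13 +16,15 @@ limitations under the License.
 
 {{- if .Values.manifests.configmap_bin }}
 {{- $envAll := . }}
-
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ .Values.service.name }}-bin
+  name: {{ .Release.Name }}-bin
 data:
-  webhook_start.sh: |
+  ks-user.sh: |-
+{{- include "helm-toolkit.scripts.keystone_user" $envAll | indent 4 }}
+  webhook_start.sh: |-
 {{ tuple "bin/_webhook_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
+...
 {{- end }}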
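Review bot: The `{{-` on the `include "helm-toolkit.scripts.keystone_user"` line trims the line break after `ks-user.sh: |-`, so the script only lands on its own line if the included template itself begins with a newline; helm-toolkit script helpers conventionally do, but it is worth checking the rendered ConfigMap once, because a first script line that ends up after the block indicator would be read as a YAML comment and silently dropped. The `webhook_start.sh` entry directly below uses an untrimmed `{{` for the same layout, so the two keys rely on different mechanisms; using the same form on both would remove the dependency on the helper's leading whitespace.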

+ 0
- 31
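--- a/charts/apiserver-webhook/templates/configmap-certs.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{/*
-Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.configmap_certs }}
-{{- $envAll := . }}
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Values.service.name }}-certs
-data:
-  cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
-  apiserver.pem: {{ .Values.secrets.tls.cert | quote }}
-  etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
-  etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
-  service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
-{{- end }}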

+ 2
- 1
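--- a/charts/apiserver-webhook/templates/configmap-etc.yaml
+++ b/charts/apiserver-webhook/templates/configmap-etc.yaml
@@ -21,8 +21,9 @@ limitations under the License.
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ .Values.service.name }}-etc
+  name: {{ .Release.Name }}-etc
 data:
+  service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
   webhook.kubeconfig: |
 {{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
   policy.json: |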
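Review bot: The new `service-account.pub` entry renders whatever `.Values.secrets.service_account.public_key` holds, and if the value is unset the apiserver is started against an empty key file and fails at runtime rather than at render time; `{{ .Values.secrets.service_account.public_key | required "secrets.service_account.public_key must be set" | quote }}` turns that into a clear `helm install` error. Keeping the public key in the ConfigMap rather than a Secret is fine as it is public material, but a one-line comment saying so would stop the next reader from moving it. The ConfigMap's `data:` block continues past the end of this hunk.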

+ 161
- 56
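--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -14,13 +14,94 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{/*
+These local.* templates may be moved out of this chart into helm-toolkit
+in the future if there is desire to generalize this pattern. Otherwise
+in the future they will be moved into a separate helpers file.
+*/}}
+
+{{- define "local.tls_volume_name" -}}
+{{- $group := index . 0 -}}
+{{- $type := index . 1 -}}
+tls-{{ $group | replace "_" "-" }}-{{ $type | replace "_" "-" }}
+{{- end -}}
+
+{{- define "local.attach_all_bundles" }}
+{{- $envAll := . }}
+{{- range $group, $certs := $envAll.Values.certificates }}
+{{- range $type, $bundle := . }}
+{{ tuple $group $type $envAll | include "local.attach_cert_bundle" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "local.attach_cert_bundle" }}
+{{- $group := index . 0 }}
+{{- $type := index . 1 }}
+{{- $envAll := index . 2 }}
+- name: {{ tuple $group  $type | include "local.tls_volume_name" }}
+  secret:
+    secretName: {{ tuple $group $type $envAll | include "local.tls_secret_name" }}
+    defaultMode: 0444
+{{ end }}
+
+{{- define "local.mount_all_bundles" }}
+{{- $basepath := index . 0 }}
+{{- $envAll := index . 1 }}
+{{- range $group, $certs := $envAll.Values.certificates }}
+{{- range $type, $bundle := . }}
+{{ tuple $group $type $basepath $envAll | include "local.mount_cert_bundle" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "local.mount_cert_bundle" }}
+{{- $group := index . 0 }}
+{{- $type := index . 1 }}
+{{- $basepath := index . 2 }}
+{{- $envAll := index . 3 }}
+{{- $bundle := index $envAll.Values "certificates" $group $type }}
+{{- range tuple "ca" "cert" "key" }}
+{{- if hasKey $bundle . }}
+{{ tuple $group $type . $basepath $envAll | include "local.mount_cert_file" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "local.mount_cert_file" }}
+{{- $group := index . 0 }}
+{{- $type := index . 1 }}
+{{- $member := index . 2 }}
+{{- $basepath := index . 3 }}
+{{- $envAll := index . 4 }}
+- name: {{ tuple $group  $type | include "local.tls_volume_name" }}
+  mountPath: {{ tuple $group $type $basepath $member $envAll | include "local.cert_bundle_path" }}
+{{- if eq $member "ca" }}
+  subPath: ca.crt
+{{- else if eq $member "cert" }}
+  subPath: tls.crt
+{{- else if eq $member "key" }}
+  subPath: tls.key
+{{- end }}
+  readOnly: true
+{{- end }}
+
+{{- define "local.cert_bundle_path" -}}
+{{- $group := index . 0 -}}
+{{- $type := index . 1 -}}
+{{- $basepath := index . 2 -}}
+{{- $member := index . 3 -}}
+{{- $envAll := index . 4 -}}
+{{ $basepath }}/{{ $group }}-{{ $type }}-{{ $member }}.pem
+{{- end -}}
+
 {{- if .Values.manifests.deployment }}
 {{- $envAll := . }}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: kubernetes-keystone-webhook
+  name: {{ .Release.Name }}-apiserver-webhook
   labels:
 {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 spec:
@@ -36,7 +117,7 @@ spec:
         configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
         configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
     spec:
-      dnsPolicy: ClusterFirstWithHostNet
+      dnsPolicy: ClusterFirst
       containers:
         - name: apiserver
           image: {{ .Values.images.tags.apiserver }}
@@ -50,93 +131,117 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
-
           command:
             {{- range .Values.command_prefix }}
             - {{ . }}
             {{- end }}
+            - --service-cluster-ip-range={{ $envAll.Values.network.service_cidr }}
             - --authorization-mode=Webhook
             - --advertise-address=$(POD_IP)
             - --anonymous-auth=false
             - --endpoint-reconciler-type=none
-            - --bind-address=0.0.0.0
-            - --secure-port={{ .Values.network.kubernetes_apiserver.port }}
+            - --bind-address=$(POD_IP)
+            - --secure-port={{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
             - --insecure-port=0
-            - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-            - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
-            - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+            - --tls-cert-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
+            - --tls-private-key-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
             - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
-            - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
-            - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
-            - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+            - --kubelet-certificate-authority={{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }}
+            - --kubelet-client-certificate={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
+            - --kubelet-client-key={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
             - --etcd-servers={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
-            - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
-            - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
-            - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
+            - --etcd-cafile={{ tuple "etcd" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }}
+            - --etcd-certfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
+            - --etcd-keyfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
             - --allow-privileged=true
-            - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
-            - --authentication-token-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig
-            - --authorization-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig
-          ports:
-            - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
+            - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
+            - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
+            - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
           readinessProbe:
             tcpSocket:
-              port: 6443
-            initialDelaySeconds: 5
-            periodSeconds: 10
+              port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ $envAll.Values.pod.probes.readinessProbe | toYaml | indent 12 }}
           livenessProbe:
             tcpSocket:
-              port: 6443
-            failureThreshold: 3
-            initialDelaySeconds: 15
-            periodSeconds: 20
+              port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ $envAll.Values.pod.probes.livenessProbe | toYaml | indent 12 }}
           volumeMounts:
-            - name: etc
-              mountPath: /etc/kubernetes/apiserver
-            - name: {{ .Values.service.name }}-etc
-              mountPath: /etc/kubernetes/apiserver/webhook.kubeconfig
+            - name: etc-apiserver
+              mountPath: {{ $envAll.Values.conf.paths.base }}
+            - name: etc-apiserver-pki
+              mountPath: {{ $envAll.Values.conf.paths.pki }}
+            - name: configmap-etc
+              mountPath: {{ $envAll.Values.conf.paths.sapubkey }}
+              subPath: service-account.pub
+              readOnly: true
+            - name: configmap-etc
+              mountPath: {{ $envAll.Values.conf.paths.conf }}
               subPath: webhook.kubeconfig
               readOnly: true
-        - name: kubernetes-keystone-webhook
+{{ tuple "keystone_webhook" "server" "ca" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_file" | indent 12 }}
+{{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
+{{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
+{{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
+{{ tuple "etcd" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
+{{ tuple "etcd" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
+        - name: webhook
 {{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
           command:
             - /tmp/webhook_start.sh
+          env:
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.webhook }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+            - name: SERVER_CERT_FILE
+              value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" | quote }}
+            - name: SERVER_KEY_FILE
+              value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" | quote }}
+            - name: POLICY_FILE
+              value: {{ $envAll.Values.conf.paths.policy | quote }}
+            - name: SERVER_PORT
+              value: {{ tuple "webhook_apiserver" "podport" "webhook" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+{{- if hasKey .Values.certificates "keystone" }}
+            - name: KEYSTONE_CA_FILE
+              value: {{ tuple "keystone" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" | quote }}
+{{- end }}
           volumeMounts:
-            - name: etc-kubernetes-keystone-webhook
-              mountPath: /etc/kubernetes-keystone-webhook
-            - name: key-kubernetes-keystone-webhook
-              mountPath: /opt/kubernetes-keystone-webhook/pki/tls.crt
-              subPath: tls.crt
-              readOnly: true
-            - name: key-kubernetes-keystone-webhook
-              mountPath: /opt/kubernetes-keystone-webhook/pki/tls.key
-              subPath: tls.key
-              readOnly: true
-            - name: {{ .Values.service.name }}-etc
-              mountPath: /etc/kubernetes-keystone-webhook/policy.json
+            - name: etc-webhook
+              mountPath: {{ $envAll.Values.conf.paths.base }}
+            - name: etc-webhook-pki
+              mountPath: {{ $envAll.Values.conf.paths.pki }}
+            - name: configmap-etc
+              mountPath: {{ $envAll.Values.conf.paths.policy }}
               subPath: policy.json
               readOnly: true
-            - name: {{ .Values.service.name }}-bin
+            - name: configmap-bin
               mountPath: /tmp/webhook_start.sh
               subPath: webhook_start.sh
               readOnly: true
+{{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
       volumes:
-        - name: etc
-          hostPath:
-            path: {{ .Values.apiserver.host_etc_path }}
-        - name: etc-kubernetes-keystone-webhook
+{{- if hasKey .Values.certificates "keystone" }}
+{{ tuple "keystone" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
+{{- end }}
+{{ include "local.attach_all_bundles" $envAll | indent 8 }}
+        - name: etc-apiserver
           emptyDir: {}
-        - name: key-kubernetes-keystone-webhook
-          secret:
-            secretName: {{ $envAll.Values.secrets.certificates.api }}
-            defaultMode: 0444
-        - name: {{ .Values.service.name }}-etc
+        - name: etc-apiserver-pki
+          emptyDir: {}
+        - name: etc-webhook
+          emptyDir: {}
+        - name: etc-webhook-pki
+          emptyDir: {}
+        - name: configmap-etc
           configMap:
-            name: {{ .Values.service.name }}-etc
+            name: {{ .Release.Name }}-etc
             defaultMode: 0444
-        - name: {{ .Values.service.name }}-bin
+        - name: configmap-bin
           configMap:
-            name: {{ .Values.service.name }}-bin
+            name: {{ .Release.Name }}-bin
             defaultMode: 0555
+        - name: tls-apiserver-webhook-public-server
+          secret:
+            defaultMode: 292
+            secretName: {{ .Values.secrets.tls.webhook_apiserver.api.public }}
 {{- end }}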
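Review bot: The conditional `keystone`/`server` `local.mount_cert_bundle` include at new lines 223–225 sits directly under `volumes:` but emits volumeMount entries (`mountPath`/`subPath`/`readOnly` at indent 12), so whenever `certificates.keystone` is set the rendered Deployment carries mount entries inside `volumes:` followed by real volume entries at indent 8 and will not parse; it appears to belong in the webhook container's `volumeMounts:` next to the `keystone_webhook` bundle mount on new line 221, where it is what backs the `KEYSTONE_CA_FILE` value exported on lines 204–207. Moving the three lines `{{- if hasKey .Values.certificates "keystone" }}` / `{{ tuple "keystone" "server" ... | include "local.mount_cert_bundle" | indent 12 }}` / `{{- end }}` above `volumes:` is enough, since `local.attach_all_bundles` already iterates every `certificates` group for the volume side. The `tls-apiserver-webhook-public-server` volume on new lines 243–246 is declared but not mounted by either container in this hunk, so it looks like dead configuration unless something outside the visible lines uses it; it also writes `defaultMode: 292` where every other volume in the file writes `0444` — the same mode, but one spelling is easier to audit. Lines 108–116 and 124–130 of the new file are not shown here.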

+ 0
- 34
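--- a/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
----
-apiVersion: v1
-clusters:
-- cluster:
-    server: https://127.0.0.1:{{ .Values.network.kubernetes_apiserver.port }}
-    certificate-authority: pki/cluster-ca.pem
-  name: kubernetes
-contexts:
-- context:
-    cluster: kubernetes
-    user: apiserver
-  name: apiserver@kubernetes
-current-context: apiserver@kubernetes
-kind: Config
-preferences: {}
-users:
-- name: apiserver
-  user:
-    client-certificate: pki/apiserver.pem
-    client-key: pki/apiserver-key.pem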

+ 2
- 1
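--- a/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl
+++ b/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl
@@ -2,7 +2,8 @@ apiVersion: v1
 clusters:
   - cluster:
       insecure-skip-tls-verify: false
-      server: https://127.0.0.1:8443/webhook
+      server: https://127.0.0.1:{{ tuple "webhook_apiserver" "podport" "webhook" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/webhook
+      certificate-authority: {{ tuple "keystone_webhook" "server" .Values.conf.paths.pki "ca" . | include "local.cert_bundle_path" | quote }}
     name: webhook
 contexts:
   - context: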
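Review bot: The new `certificate-authority` line is what makes `insecure-skip-tls-verify: false` actually verify the loopback webhook, and it only works because deployment.yaml mounts exactly that `keystone_webhook`/`server`/`ca` file into the apiserver container (new line 181) using the same `local.cert_bundle_path` helper, which is defined in deployment.yaml rather than in a helpers file. That coupling is invisible from this template, so a comment above the line such as `# path must match the keystone_webhook server CA mount in deployment.yaml (local.cert_bundle_path)` would save the next person who moves the helpers. The `server` value is left unquoted while the path is `| quote`d; both are fine for YAML, but quoting both keeps the stanza uniform.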

+ 3
- 3
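--- a/charts/apiserver-webhook/templates/ingress-api.yaml
+++ b/charts/apiserver-webhook/templates/ingress-api.yaml
@@ -15,7 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if and .Values.manifests.ingress_api .Values.network.kubernetes_apiserver.ingress.public }}
-{{- $ingressOpts := dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" "backendPort" "https" -}}
-{{- $ingressOpts | include "helm-toolkit.manifests.ingress" -}}
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendServiceType" "webhook_apiserver" "backendPort" "https" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
 {{- end }}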
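Review bot: This keeps rendering the public ingress (values.yaml on this page still sets `ingress.public: true` with `ssl-redirect` and `secure-backends` annotations) while the same commit deletes secret-ingress-tls.yaml, the only template here that created an ingress TLS secret; if the helm-toolkit ingress template emits a `tls:` stanza from the endpoint's FQDN override, the Ingress will now reference a secret that nothing in this chart creates. Either the removal is intentional because TLS is terminated elsewhere, in which case a comment on the `if` line should say so, or a `secret_ingress_tls` manifest keyed on `backendServiceType` `webhook_apiserver` should come back. The dropped `backendService` key presumably falls back to the toolkit's default; worth confirming against the helm-toolkit version the chart pins.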

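--- a/charts/apiserver-webhook/templates/secret-apiserver.yaml
+++ b/charts/apiserver-webhook/templates/job-ks-user.yaml
@@ -1,5 +1,5 @@
 {{/*
-Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+Copyright 2018 AT&T Intellectual Property.  All other rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,15 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if .Values.manifests.secret }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.service.name }}-keys
-type: Opaque
-data:
-  apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
-  etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
+{{- if .Values.manifests.job_ks_user }}
+{{ $cm_name := printf "%s-bin" .Release.Name }}
+{{- $ksUserJob := dict "envAll" . "serviceName" "webhook_apiserver" "configMapBin" $cm_name "serviceUser" "webhook" -}}
+{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }}
 {{- end }}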
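Review bot: `{{ $cm_name := printf "%s-bin" .Release.Name }}` uses untrimmed delimiters while the lines around it use `{{-`/`-}}`, so it emits a stray blank line and reads as inconsistent; `{{- $cm_name := printf "%s-bin" .Release.Name -}}` matches the rest. The job's `serviceUser` `webhook` has to correspond to a `secrets.identity.webhook` entry, which deployment.yaml and secret-keystone.yaml in this commit also read; the values.yaml hunk on this page is cut off before any `secrets` block, so confirm that key is defined. Git presents this file as a rename of secret-apiserver.yaml although only the license header survives; that is harmless functionally but will mislead `git log --follow`.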

+ 0
- 19
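--- a/charts/apiserver-webhook/templates/secret-ingress-tls.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.secret_ingress_tls }}
-{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" ) }}
-{{- end }}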

+ 1
- 1
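--- a/charts/apiserver-webhook/templates/secret-keystone.yaml
+++ b/charts/apiserver-webhook/templates/secret-keystone.yaml
@@ -16,7 +16,7 @@ limitations under the License.
 
 {{- if .Values.manifests.secret_keystone }}
 {{- $envAll := . }}
-{{- range $key1, $userClass := tuple "admin" }}
+{{- range $key1, $userClass := tuple "admin" "webhook" }}
 {{- $secretName := index $envAll.Values.secrets.identity $userClass }}
 ---
 apiVersion: v1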

+ 73
- 0
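--- /dev/null
+++ b/charts/apiserver-webhook/templates/secret-tls.yaml
@@ -0,0 +1,73 @@
+{{/*
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "local.tls_secret_name" -}}
+{{- $group := index . 0 -}}
+{{- $type := index . 1 -}}
+{{- $envAll := index . 2 -}}
+{{ printf "%s-%s-%s" $envAll.Release.Name $group $type | replace "_" "-" }}
+{{- end -}}
+
+{{- define "local.tls_secret" }}
+{{- $group := index . 0 }}
+{{- $type := index . 1 }}
+{{- $bundle := index . 2 }}
+{{- $envAll := index . 3 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ tuple $group $type $envAll | include "local.tls_secret_name" }}
+  namespace: {{ $envAll.Release.Namespace }}
+type: opaque
+data:
+  {{- if hasKey $bundle "ca" }}
+  ca.crt: |-
+{{ $bundle.ca | b64enc | indent 4 }}
+  {{- end }}
+  {{- if hasKey $bundle "cert" }}
+  tls.crt: |-
+{{ $bundle.cert | b64enc | indent 4 }}
+  {{- end }}
+  {{- if hasKey $bundle "key" }}
+  tls.key: |-
+{{ $bundle.key | b64enc | indent 4 }}
+  {{- end }}
+...
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secrets.tls.webhook_apiserver.api.public }}
+  namespace: {{ .Release.Namespace }}
+type: opaque
+data:
+  ca.crt: |-
+{{ .Values.secrets.tls.webhook_apiserver.api.server.ca | b64enc | indent 4 }}
+  tls.crt: |-
+{{ .Values.secrets.tls.webhook_apiserver.api.server.cert | b64enc | indent 4 }}
+  tls.key: |-
+{{ .Values.secrets.tls.webhook_apiserver.api.server.key | b64enc | indent 4 }}
+...
+{{- if .Values.manifests.secret_tls }}
+{{- $envAll := . }}
+{{- range $group, $certs := .Values.certificates }}
+{{- range $type, $bundle := $certs }}
+{{ tuple $group $type $bundle $envAll | include "local.tls_secret" }}
+{{- end }}
+{{- end }}
+{{- end }}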
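Review bot: The Secret for `.Values.secrets.tls.webhook_apiserver.api.public` (new lines 51–65) is emitted unconditionally, outside the `{{- if .Values.manifests.secret_tls }}` guard that only begins on line 66, so switching the manifest off still produces a Secret containing a private key; moving `{{- if .Values.manifests.secret_tls }}` up to sit directly before the first `---` on line 51 puts both documents under the same switch. `type: opaque` (lowercase) is not the conventional `Opaque`, and it contradicts the values.yaml comment on this page that says the bundles are built to the `kubernetes.io/tls` type; since a bundle carrying only `ca` cannot satisfy `kubernetes.io/tls` (which requires `tls.crt` and `tls.key`), keeping `Opaque` here and correcting the comment looks like the consistent choice. `local.tls_secret_name` is consumed from deployment.yaml's `local.attach_cert_bundle`, so a one-line comment on the define noting that the two must stay in step would help when the helpers are moved out, as the deployment.yaml comment anticipates.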

+ 0
- 28
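--- a/charts/apiserver-webhook/templates/secret-webhook.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{/*
-Copyright 2018 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.secret_webhook }}
-{{- $envAll := . }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ $envAll.Values.secrets.certificates.api }}
-type: kubernetes.io/tls
-data:
-  tls.crt: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.crt | default "" | b64enc }}
-  tls.key: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.key | default "" | b64enc }}
-{{- end }}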

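--- a/charts/apiserver-webhook/templates/service-apiserver-ingress.yaml
+++ b/charts/apiserver-webhook/templates/service-ingress-api.yaml
@@ -1,6 +1,5 @@
 {{/*
 Copyright 2017 The Openstack-Helm Authors.
-Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -15,7 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if and .Values.manifests.service_ingress .Values.network.kubernetes_apiserver.ingress.public }}
-{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "kubernetes-keystone-webhook" -}}
+{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "webhook_apiserver" -}}
 {{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
 {{- end }}
+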
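Review bot: The guard now keys on `manifests.ingress_api` instead of `manifests.service_ingress`, which ties the ingress Service and the Ingress to one flag; if values.yaml still declares `manifests.service_ingress` it becomes dead, and the values.yaml hunk on this page is truncated before its `manifests` block, so check it and either drop the old key or keep the separate switch. The added blank line at new line 21 is trailing whitespace at end of file that yamllint will flag; `{{- end }}` without the extra line is enough.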

+ 3
- 3
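--- a/charts/apiserver-webhook/templates/service.yaml
+++ b/charts/apiserver-webhook/templates/service.yaml
@@ -20,15 +20,15 @@ limitations under the License.
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ .Values.service.name }}
+  name: {{ tuple "webhook_apiserver" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
   annotations:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
   ports:
     - name: https
-      port: {{ .Values.network.kubernetes_apiserver.port }}
+      port: {{ tuple "webhook_apiserver" "default" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
       protocol: TCP
-      targetPort: {{ .Values.network.kubernetes_apiserver.port }}
+      targetPort: {{ tuple "webhook_apiserver" "podport" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
   selector:
 {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
 {{- end }}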

+ 103
- 69
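--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -21,6 +21,7 @@ images:
     scripted_test: docker.io/openstackhelm/heat:newton
     dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
     image_repo_sync: docker.io/docker:17.07.0
+    ks_user: docker.io/openstackhelm/heat:ocata
   pull_policy: IfNotPresent
   local_registry:
     active: false
@@ -30,80 +31,101 @@ images:
 
 labels:
   kubernetes_apiserver:
-    node_selector_key: kubernetes-apiserver
+    node_selector_key: apiserver-webhook
+    node_selector_value: enabled
+  job:
+    node_selector_key: apiserver-webhook
     node_selector_value: enabled
 
 command_prefix:
   - /apiserver
   - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
-  - --service-cluster-ip-range=10.96.0.0/16
   - --v=5
 
-apiserver:
-  host_etc_path: /etc/kubernetes/apiserver
-
 network:
-  kubernetes_apiserver:
+  pod_cidr: '10.97.0.0/16'
+  service_cidr: '10.96.0.0/16'
+  api:
     ingress:
       public: true
       classes:
-        namespace: "nginx-cluster"
+        namespace: "nginx"
         cluster: "nginx-cluster"
       annotations:
         nginx.ingress.kubernetes.io/rewrite-target: /
         nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
         nginx.ingress.kubernetes.io/ssl-redirect: "true"
         nginx.ingress.kubernetes.io/secure-backends: "true"
-    name: kubernetes-apiserver
-    port: 6443
-    node_port:
-      enabled: false
-      port: 31943
-
-service:
-  name: kubernetes-webhook-apiserver
-  ip: null
+    name: webhook_apiserver
+#
+# Insert TLS certificates, keys and CAs
+# here. Server is for server-terminated TLS (basic)
+# and client is for mTLS. Each group of certificates
+# will generate two secrets <groupname>-client and <groupname>-server
+# built to the kubernetes.io/tls secret type with keys 'tls.crt', 'tls.key'
+# and 'ca.crt'
+#
+certificates:
+  apiserver_webhook_pod:
+    server:
+      cert: placeholder
+      key: placeholder
+      ca: placeholder
+  keystone_webhook:
+    server:
+      cert: placeholder
+      key: placeholder
+      ca: placeholder
+  kubelet:
+    client:
+      cert: placeholder
+      key: placeholder
+    server:
+      ca: placeholder
+  etcd:
+    client:
+      cert: placeholder
+      key: placeholder
+    server:
+      ca: placeholder
 
 secrets:
-  tls:
-    ca: placeholder
-    cert: placeholder
-    key: placeholder
   service_account:
     public_key: placeholder
-  etcd:
-    tls:
-      ca: placeholder
-      cert: placeholder
-      key: placeholder
   identity:
-    admin: kubernetes-keystone-webhook-admin
-  certificates:
-    api: kubernetes-keystone-webhook-certs
-
-kubernetes_keystone_webhook:
-  port: 8443
-  endpoints: https://k8sksauth-api.kube-system.svc.cluster.local
+    admin: apiserver-webhook-keystone-creds-admin
+    webhook: apiserver-webhook-keystone-creds-webhook
+  tls:
+    webhook_apiserver:
+      api:
+        public: apiserver-webhook-public
+        server:
+          cert: placeholder
+          key: placeholder
+          ca: placeholder
 
 # typically overriden by environmental
 # values, but should include all endpoints
 # required by this chart
 endpoints:
   cluster_domain_suffix: cluster.local
-  kubernetes_apiserver:
-    name: kubernetes-webhook-apiserver
+  webhook_apiserver:
+    name: webhook_apiserver
     hosts:
-      default: keystone
-      internal: keystone-api
+      default: apiserver-webhook
+      internal: apiserver-webhook-int
     port:
-      https:
+      api:
         default: 6443
         public: 443
+      webhook:
+        podport: 8443
     path:
       default: /
+      webhook: /webhook
     scheme:
-      default: http
-      public: http
+      default: https
+      public: https
     host_fqdn_override:
       default: null
       # NOTE: this chart supports TLS for fqdn over-ridden public
@@ -113,12 +135,6 @@ endpoints:
       #   tls:
       #     crt: null
       #     key: null
-  kubernetes:
-    auth:
-      api:
-        tls:
-          crt: null
-          key: null
   identity:
     name: keystone
     namespace: null
@@ -130,6 +146,14 @@ endpoints:
         project_name: admin
         user_domain_name: default
         project_domain_name: default
+      webhook:
+        region_name: RegionOne
+        username: webhook
+        password: password
+        project_name: service
+        user_domain_name: default
+        project_domain_name: default
+        role: admin
     hosts:
       default: keystone
       internal: keystone-api
@@ -143,22 +167,6 @@ endpoints:
       api:
         default: 80
         internal: 5000
-  kubernetes_keystone_webhook:
-    namespace: null
-    name: k8sksauth
-    hosts:
-      default: k8sksauth-api
-      public: k8sksauth
-    host_fqdn_override:
-      default: null
-    path:
-      default: /webhook
-    scheme:
-      default: https
-    port:
-      api:
-        default: 8443
-        public: 443
   etcd:
     name: etcd
     namespace: kube-system
@@ -182,6 +190,14 @@ pod:
   replicas:
     apiserver: 1
     api: 1
+  probes:
+    readinessProbe:
+      initialDelaySeconds: 5
+      periodSeconds: 10
+    livenessProbe:
+      failureThreshold: 3
+      initialDelaySeconds: 15
+      periodSeconds: 20
   lifecycle:
     upgrades:
       daemonsets:
@@ -232,6 +248,12 @@ pod:
       init_container: null
       kubernetes_keystone_webhook_tests: null
 conf:
+  paths:
+    base: '/etc/webhook_apiserver/'
+    pki: '/etc/webhook_apiserver/pki'
+    conf: '/etc/webhook_apiserver/webhook.kubeconfig'
+    policy: '/etc/webhook_apiserver/conf/policy.json'
+    sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
   policy:
     - resource:
         verbs:
@@ -273,23 +295,35 @@ conf:
           - "*"
         resources:
           - "*"
-        namespace: "openstack"
+        namespace: "ucp"
         version: "*"
       match:
         - type: project
           values:
-            - openstack-system
+            - ucp-admin
+            - airship-admin
+
+dependencies:
+  static:
+    ks_user:
+      services:
+        - service: identity
+          endpoint: internal
+    api:
+      jobs:
+        - webhook-apiserver-ks-user
+      services:
+        - service: identity
+          endpoint: internal
 
 manifests:
   configmap_bin: true
   configmap_certs: true
   configmap_etc: true
+  job_ks_user: true
   deployment: true
-  ingress_api: false
+  ingress_api: true
   pod_test: false
-  kubernetes_apiserver: true
-  secret: true
-  secret_ingress_tls: false
-  secret_webhook: true
+  secret_keystone: true
+  secret_tls: true
   service: true
-  service_ingress: false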
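Review bot: `endpoints.identity.auth.webhook.password` in the fourth hunk is set to the literal `password`, while every other credential in this file is `placeholder`; a deployer who forgets to override it ends up with a guessable Keystone service account that the same stanza grants `role: admin`. I'd change it to `password: placeholder` to match the rest of the file and put a comment such as `# NOTE: override in site values; consumed by the ks-user job` above the `webhook:` key so the intent is clear. The `role: admin` grant itself deserves a second look: if the webhook only needs to validate tokens and read project membership, a narrower role limits the blast radius of that credential, although the role it actually requires depends on the policy the job applies, which is not visible here. Separately, `dependencies.static.api.jobs` hard-codes the job name `webhook-apiserver-ks-user`; the job template is not in this section, so confirm it renders exactly that name or the api pods will wait on a dependency that never completes.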
