Refactor etcd Chart

Refactor etcd chart to align with OSH standards

Change-Id: Ie71fcf045b3ec896dcdd03bb3455fb85af8f2e7a
Anthony Lin 2017-11-08 22:07:31 +00:00
parent 5c70bbef58
commit 3b4b4661a4
16 changed files with 578 additions and 247 deletions


@ -1,3 +1,17 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: A chart for a DaemonSet-based etcd deployment.
name: etcd


@ -1,3 +1,17 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts


@ -1,11 +1,20 @@
#!/bin/sh
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -x
export CLIENT_ENDPOINT=https://$POD_IP:{{ .Values.service.client.target_port }}
export PEER_ENDPOINT=https://$POD_IP:{{ .Values.service.peer.target_port }}
export MANIFEST_PATH=/manifests/{{ .Values.service.name }}.yaml
function copy_certificates {
ETCD_NAME=$1
@ -28,89 +37,10 @@ function copy_certificates {
}
function create_manifest {
ETCD_INITIAL_CLUSTER=$1
ETCD_INITIAL_CLUSTER_STATE=$2
cat <<EODOC > $MANIFEST_PATH
---
apiVersion: v1
kind: Pod
metadata:
name: {{ .Values.service.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ .Values.service.name }}-service: enabled
spec:
hostNetwork: true
containers:
- name: etcd
image: {{ .Values.images.etcd }}
env:
- name: ETCD_NAME
value: $ETCD_NAME
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: ETCD_CLIENT_CERT_AUTH
value: "true"
- name: ETCD_PEER_CLIENT_CERT_AUTH
value: "true"
- name: ETCD_DATA_DIR
value: /var/lib/etcd
- name: ETCD_TRUSTED_CA_FILE
value: /etc/etcd/tls/client-ca.pem
- name: ETCD_CERT_FILE
value: /etc/etcd/tls/etcd-client.pem
- name: ETCD_STRICT_RECONFIG_CHECK
value: "true"
- name: ETCD_KEY_FILE
value: /etc/etcd/tls/etcd-client-key.pem
- name: ETCD_PEER_TRUSTED_CA_FILE
value: /etc/etcd/tls/peer-ca.pem
- name: ETCD_PEER_CERT_FILE
value: /etc/etcd/tls/etcd-peer.pem
- name: ETCD_PEER_KEY_FILE
value: /etc/etcd/tls/etcd-peer-key.pem
- name: ETCD_ADVERTISE_CLIENT_URLS
value: https://\$(POD_IP):{{ .Values.service.client.target_port }}
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
value: https://\$(POD_IP):{{ .Values.service.peer.target_port }}
- name: ETCD_INITIAL_CLUSTER_TOKEN
value: {{ .Values.service.name }}-init-token
- name: ETCD_LISTEN_CLIENT_URLS
value: https://0.0.0.0:{{ .Values.service.client.target_port }}
- name: ETCD_LISTEN_PEER_URLS
value: https://0.0.0.0:{{ .Values.service.peer.target_port }}
- name: ETCD_INITIAL_CLUSTER_STATE
value: $ETCD_INITIAL_CLUSTER_STATE
- name: ETCD_INITIAL_CLUSTER
value: $ETCD_INITIAL_CLUSTER
- name: ETCDCTL_API
value: '3'
- name: ETCDCTL_DIAL_TIMEOUT
value: 3s
- name: ETCDCTL_ENDPOINTS
value: https://127.0.0.1:{{ .Values.service.client.target_port }}
- name: ETCDCTL_CACERT
value: \$(ETCD_TRUSTED_CA_FILE)
- name: ETCDCTL_CERT
value: \$(ETCD_CERT_FILE)
- name: ETCDCTL_KEY
value: \$(ETCD_KEY_FILE)
volumeMounts:
- name: data
mountPath: /var/lib/etcd
- name: etc
mountPath: /etc/etcd
volumes:
- name: data
hostPath:
path: {{ .Values.etcd.host_data_path }}
- name: etc
hostPath:
path: {{ .Values.etcd.host_etc_path }}
...
EODOC
sed -i -e 's#_ETCD_INITIAL_CLUSTER_STATE_#'$2'#g' /anchor-etcd/{{ .Values.service.name }}.yaml
sed -i -e 's#_ETCD_INITIAL_CLUSTER_#'$1'#g' /anchor-etcd/{{ .Values.service.name }}.yaml
cp /anchor-etcd/{{ .Values.service.name }}.yaml $MANIFEST_PATH
}
while true; do
@ -141,7 +71,7 @@ while true; do
if [ -e /bootstrapping/{{ .Values.bootstrapping.filename }} ]; then
# Bootstrap the first node
copy_certificates ${ETCD_NAME}
ETCD_INITIAL_CLUSTER=${ETCD_NAME}=$PEER_ENDPOINT
ETCD_INITIAL_CLUSTER=${ETCD_NAME}=https://\$\(POD_IP\):{{ .Values.network.service_peer.target_port }}
ETCD_INITIAL_CLUSTER_STATE=new
create_manifest $ETCD_INITIAL_CLUSTER $ETCD_INITIAL_CLUSTER_STATE
@ -188,7 +118,7 @@ while true; do
ETCD_INITIAL_CLUSTER=$(grep -v $PEER_ENDPOINT /tmp/members \
| awk -F ', ' '{ print $3 "=" $4 }' \
| tr '\n' ',' \
| sed "s;\$;$ETCD_NAME=$PEER_ENDPOINT;")
| sed "s;\$;$ETCD_NAME=https://\$\(POD_IP\):{{ .Values.network.service_peer.target_port }};")
ETCD_INITIAL_CLUSTER_STATE=existing
create_manifest $ETCD_INITIAL_CLUSTER $ETCD_INITIAL_CLUSTER_STATE
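Review bot: In `create_manifest`, the two new `sed -i` calls rewrite the template under `/anchor-etcd` in place, so the `_ETCD_INITIAL_CLUSTER_STATE_` and `_ETCD_INITIAL_CLUSTER_` placeholders are consumed by the first call and a later pass of the `while true` loop with different values would copy a stale manifest. `/anchor-etcd` is also a ConfigMap mount, and where that mount is read-only `sed -i` fails outright. Rendering straight to the destination with quoted arguments avoids both: `sed -e "s#_ETCD_INITIAL_CLUSTER_STATE_#$2#g" -e "s#_ETCD_INITIAL_CLUSTER_#$1#g" /anchor-etcd/{{ .Values.service.name }}.yaml > "$MANIFEST_PATH"`. The substituted cluster string is built from `/tmp/members`, so a `#` or `&` in a member name would still corrupt the replacement and should be rejected before the call. The loop body continues outside the hunks shown.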


@ -1,10 +1,20 @@
#!/bin/sh
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -x
export PEER_ENDPOINT=https://$POD_IP:{{ .Values.service.peer.target_port }}
export MANIFEST_PATH=/manifests/{{ .Values.service.name }}.yaml
function cleanup_host {
rm -f $MANIFEST_PATH
rm -rf /etcd-etc/tls/


@ -1,7 +1,20 @@
#!/bin/sh
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -ex
export ETCDCTL_ENDPOINTS=https://$POD_IP:{{ .Values.service.client.target_port }}
export ETCDCTL_ENDPOINTS=https://$POD_IP:{{ .Values.network.service_client.target_port }}
etcdctl endpoint health


@ -1,3 +1,22 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_bin }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
@ -10,3 +29,4 @@ data:
{{ tuple "bin/_pre_stop.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
readiness: |+
{{ tuple "bin/_readiness.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -1,3 +1,20 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_certs }}
{{- $envAll := . }}
---
apiVersion: v1
@ -5,12 +22,12 @@ kind: ConfigMap
metadata:
name: {{ $envAll.Values.service.name }}-certs
data:
anchor-etcd-client.pem: {{ $envAll.Values.anchor.tls.cert | quote }}
client-ca.pem: {{ $envAll.Values.tls.client.ca | quote }}
peer-ca.pem: {{ $envAll.Values.tls.peer.ca | quote }}
anchor-etcd-client.pem: {{ $envAll.Values.secrets.anchor.tls.cert | quote }}
client-ca.pem: {{ $envAll.Values.secrets.tls.client.ca | quote }}
peer-ca.pem: {{ $envAll.Values.secrets.tls.peer.ca | quote }}
{{- range .Values.nodes }}
{{- $node := . }}
{{ $node.name }}-etcd-client.pem: {{ $node.tls.client.cert | quote }}
{{ $node.name }}-etcd-peer.pem: {{ $node.tls.peer.cert | quote }}
{{- end }}
...
{{- end }}


@ -0,0 +1,27 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_etc }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $envAll.Values.service.name }}-etc
data:
{{ .Values.service.name }}.yaml: |+
{{ tuple "etc/_kubernetes-etcd.yaml.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}


@ -1,31 +1,51 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_anchor }}
{{- $envAll := . }}
{{- $mounts_daemonset_anchor := .Values.pod.mounts.daemonset_anchor.daemonset_anchor }}
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: {{ .Values.service.name }}-anchor
spec:
selector:
matchLabels:
{{ .Values.service.name | quote }}: anchor
{{ tuple $envAll "anchor" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
template:
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
labels:
{{ .Values.service.name | quote }}: anchor
{{ tuple $envAll "kubernetes" "anchor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
hostNetwork: true
dnsPolicy: {{ .Values.anchor.dns_policy }}
nodeSelector:
{{ .Values.anchor.node_selector.key }}: {{ .Values.anchor.node_selector.value }}
{{ .Values.labels.anchor.node_selector_key }}: {{ .Values.labels.anchor.node_selector_value }}
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: CriticalAddonsOnly
operator: Exists
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.daemonset_anchor.timeout }}
containers:
- name: etcdctl
image: {{ .Values.images.etcdctl }}
image: {{ .Values.images.tags.etcdctl }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.daemonset_anchor | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:
- /tmp/etcdctl_anchor
env:
@ -42,13 +62,19 @@ spec:
- name: ETCDCTL_DIAL_TIMEOUT
value: 3s
- name: ETCDCTL_ENDPOINTS
value: https://{{ .Values.anchor.etcdctl_endpoint }}:{{ .Values.service.client.port }}
value: https://{{ .Values.anchor.etcdctl_endpoint }}:{{ .Values.network.service_client.port }}
- name: ETCDCTL_CACERT
value: /etc/etcd/tls/certs/client-ca.pem
- name: ETCDCTL_CERT
value: /etc/etcd/tls/certs/anchor-etcd-client.pem
- name: ETCDCTL_KEY
value: /etc/etcd/tls/keys/anchor-etcd-client-key.pem
- name: CLIENT_ENDPOINT
value: https://$(POD_IP):{{ .Values.network.service_client.target_port }}
- name: PEER_ENDPOINT
value: https://$(POD_IP):{{ .Values.network.service_peer.target_port }}
- name: MANIFEST_PATH
value: /manifests/{{ .Values.service.name }}.yaml
readinessProbe:
exec:
command:
@ -61,13 +87,13 @@ spec:
command:
- /tmp/pre_stop
volumeMounts:
- name: bin
- name: {{ .Values.service.name }}-bin
mountPath: /tmp
{{- if .Values.bootstrapping.enabled }}
- name: bootstrapping
mountPath: /bootstrapping
{{- end }}
- name: certs
- name: {{ .Values.service.name }}-certs
mountPath: /etc/etcd/tls/certs
- name: etcd-etc
mountPath: /etcd-etc
@ -75,13 +101,15 @@ spec:
- name: etcd-data
mountPath: /etcd-data
{{- end }}
- name: keys
- name: {{ .Values.service.name }}-keys
mountPath: /etc/etcd/tls/keys
- name: kubelet-manifests
mountPath: /manifests
terminationGracePeriodSeconds: {{ .Values.anchor.termination_grace_period }}
- name: {{ .Values.service.name }}-etc
mountPath: /anchor-etcd
{{ if $mounts_daemonset_anchor.volumeMounts }}{{ toYaml $mounts_daemonset_anchor.volumeMounts | indent 12 }}{{ end }}
volumes:
- name: bin
- name: {{ .Values.service.name }}-bin
configMap:
name: {{ .Values.service.name }}-bin
defaultMode: 0555
@ -90,7 +118,7 @@ spec:
hostPath:
path: {{ .Values.bootstrapping.host_directory }}
{{- end }}
- name: certs
- name: {{ .Values.service.name }}-certs
configMap:
name: {{ .Values.service.name }}-certs
defaultMode: 0444
@ -99,7 +127,7 @@ spec:
hostPath:
path: {{ .Values.etcd.host_data_path }}
{{- end }}
- name: keys
- name: {{ .Values.service.name }}-keys
secret:
secretName: {{ .Values.service.name }}-keys
defaultMode: 0444
@ -109,3 +137,9 @@ spec:
- name: kubelet-manifests
hostPath:
path: {{ .Values.anchor.kubelet.manifest_path }}
- name: {{ .Values.service.name }}-etc
configMap:
name: {{ .Values.service.name }}-etc
defaultMode: 0444
{{ if $mounts_daemonset_anchor.volumes }}{{ toYaml $mounts_daemonset_anchor.volumes | indent 8 }}{{ end }}
{{- end }}
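Review bot: In the `volumes` list, the `{{ .Values.service.name }}-keys` Secret volume keeps `defaultMode: 0444` on the lines this commit renames, which leaves the etcd private keys readable by every user inside the container. `defaultMode: 0400` would be enough if the anchor process runs as the owner of the projected files, which this page does not show. Separately, the new `CLIENT_ENDPOINT` and `PEER_ENDPOINT` entries depend on `$(POD_IP)` expansion, which only works when `POD_IP` is declared earlier in the same `env` list; that part of the list is outside the hunks shown.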


@ -0,0 +1,106 @@
{{/*
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}
{{- if .Values.manifests.service }}
{{- $envAll := . }}
---
apiVersion: v1
kind: Pod
metadata:
name: {{ .Values.service.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ .Values.service.name }}-service: enabled
spec:
hostNetwork: true
containers:
- name: etcd
image: {{ .Values.images.tags.etcd }}
imagePullPolicy: {{ .Values.images.pull_policy }}
env:
- name: ETCD_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: ETCD_CLIENT_CERT_AUTH
value: "true"
- name: ETCD_PEER_CLIENT_CERT_AUTH
value: "true"
- name: ETCD_DATA_DIR
value: /var/lib/etcd
- name: ETCD_TRUSTED_CA_FILE
value: /etc/etcd/tls/client-ca.pem
- name: ETCD_CERT_FILE
value: /etc/etcd/tls/etcd-client.pem
- name: ETCD_STRICT_RECONFIG_CHECK
value: "true"
- name: ETCD_KEY_FILE
value: /etc/etcd/tls/etcd-client-key.pem
- name: ETCD_PEER_TRUSTED_CA_FILE
value: /etc/etcd/tls/peer-ca.pem
- name: ETCD_PEER_CERT_FILE
value: /etc/etcd/tls/etcd-peer.pem
- name: ETCD_PEER_KEY_FILE
value: /etc/etcd/tls/etcd-peer-key.pem
- name: ETCD_ADVERTISE_CLIENT_URLS
value: https://$(POD_IP):{{ .Values.network.service_client.target_port }}
- name: ETCD_INITIAL_ADVERTISE_PEER_URLS
value: https://$(POD_IP):{{ .Values.network.service_peer.target_port }}
- name: ETCD_INITIAL_CLUSTER_TOKEN
value: {{ .Values.service.name }}-init-token
- name: ETCD_LISTEN_CLIENT_URLS
value: https://0.0.0.0:{{ .Values.network.service_client.target_port }}
- name: ETCD_LISTEN_PEER_URLS
value: https://0.0.0.0:{{ .Values.network.service_peer.target_port }}
- name: ETCD_INITIAL_CLUSTER_STATE
value: _ETCD_INITIAL_CLUSTER_STATE_
- name: ETCD_INITIAL_CLUSTER
value: _ETCD_INITIAL_CLUSTER_
- name: ETCDCTL_API
value: '3'
- name: ETCDCTL_DIAL_TIMEOUT
value: 3s
- name: ETCDCTL_ENDPOINTS
value: https://127.0.0.1:{{ .Values.network.service_client.target_port }}
- name: ETCDCTL_CACERT
value: $(ETCD_TRUSTED_CA_FILE)
- name: ETCDCTL_CERT
value: $(ETCD_CERT_FILE)
- name: ETCDCTL_KEY
value: $(ETCD_KEY_FILE)
- name: CLIENT_ENDPOINT
value: https://$(POD_IP):{{ .Values.network.service_client.target_port }}
- name: PEER_ENDPOINT
value: https://$(POD_IP):{{ .Values.network.service_peer.target_port }}
- name: MANIFEST_PATH
value: /manifests/{{ .Values.service.name }}.yaml
volumeMounts:
- name: data
mountPath: /var/lib/etcd
- name: etc
mountPath: /etc/etcd
volumes:
- name: data
hostPath:
path: {{ .Values.etcd.host_data_path }}
- name: etc
hostPath:
path: {{ .Values.etcd.host_etc_path }}
{{- end }}
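Review bot: The static-pod template is wrapped in `{{- if .Values.manifests.service }}`, the same flag that gates the Service manifest, so setting `manifests.service: false` renders this file empty. This looks like the template embedded by the `-etc` ConfigMap, in which case the anchor script would then copy an empty manifest into the kubelet manifest directory. The ConfigMap already has its own `manifests.configmap_etc` switch, so the guard here can be dropped or given its own key. The `#`-prefixed license lines inside `{{/* */}}` also differ from the header style of the other templates in this commit.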


@ -1,3 +1,20 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.secret }}
{{- $envAll := . }}
---
apiVersion: v1
@ -6,9 +23,10 @@ metadata:
name: {{ $envAll.Values.service.name }}-keys
type: Opaque
data:
anchor-etcd-client-key.pem: {{ $envAll.Values.anchor.tls.key | b64enc }}
anchor-etcd-client-key.pem: {{ $envAll.Values.secrets.anchor.tls.key | b64enc }}
{{- range .Values.nodes }}
{{- $node := . }}
{{ $node.name }}-etcd-client-key.pem: {{ $node.tls.client.key | b64enc }}
{{ $node.name }}-etcd-peer-key.pem: {{ $node.tls.peer.key | b64enc }}
{{- end }}
{{- end }}


@ -1,3 +1,20 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.service }}
{{- $envAll := . }}
---
apiVersion: v1
@ -5,12 +22,22 @@ kind: Service
metadata:
name: {{ $envAll.Values.service.name }}
spec:
ports:
{{ if .Values.network.service_client.enable_node_port }}
- name: etcd
nodePort: {{ .Values.network.service_client.node_port }}
port: {{ .Values.network.service_client.port }}
protocol: TCP
targetPort: {{ .Values.network.service_client.target_port }}
{{ else }}
- name: etcd
port: {{ .Values.network.service_client.port }}
protocol: TCP
targetPort: {{ .Values.network.service_client.target_port }}
{{ end }}
selector:
{{ $envAll.Values.service.name }}-service: enabled
{{- if $envAll.Values.service.ip }}
clusterIP: {{ $envAll.Values.service.ip }}
{{- end }}
ports:
- name: etcd
port: {{ $envAll.Values.service.client.port }}
targetPort: {{ $envAll.Values.service.client.target_port }}
{{- end }}
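Review bot: The `enable_node_port` branch sets `nodePort`, but no `type: NodePort` line appears under `spec:` on the new side, so the Service stays ClusterIP and the API server rejects a `nodePort` value on it. `values.yaml` also adds `enable_node_port` without a `network.service_client.node_port` default. Emit `type: NodePort` under `spec:` inside the same condition and add the default key. A NodePort publishes the etcd client port on every node address, so a comment noting that client-certificate authentication is the only gate there would help operators. Using `{{- if ... }}`, `{{- else }}` and `{{- end }}` would also keep blank lines out of the rendered `ports` list.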


@ -1,3 +1,29 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
images:
tags:
etcd: quay.io/coreos/etcd:v3.2.7
etcdctl: quay.io/coreos/etcd:v3.2.7
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
pull_policy: "IfNotPresent"
labels:
anchor:
node_selector_key: etcd-example
node_selector_value: enabled
anchor:
dns_policy: Default
etcdctl_endpoint: example-etcd
@ -6,31 +32,28 @@ anchor:
kubelet:
manifest_path: /etc/kubernetes/manifests
node_selector:
key: etcd-example
value: enabled
termination_grace_period: 3600
period: 15
tls:
cert: placeholder
key: placeholder
etcd:
host_etc_path: /etc/etcd-example
host_data_path: /var/lib/etcd/example
cleanup_data: true
network:
service_client:
name: service_client
port: 2379
target_port: 2379
enable_node_port: false
service_peer:
name: service_peer
port: 2380
target_port: 2380
enable_node_port: false
service:
name: example-etcd
ip: null
client:
port: 2379
target_port: 2379
peer:
port: 2380
target_port: 2380
bootstrapping:
enabled: false
@ -39,11 +62,16 @@ bootstrapping:
# XXX Can I just generalize to an anchor timeout?
timeout: 300
tls:
client:
ca: placeholder
peer:
ca: placeholder
secrets:
tls:
client:
ca: placeholder
peer:
ca: placeholder
anchor:
tls:
cert: placeholder
key: placeholder
nodes:
- name: example-0
@ -55,6 +83,37 @@ nodes:
cert: placeholder
key: placeholder
images:
etcd: quay.io/coreos/etcd:v3.2.7
etcdctl: quay.io/coreos/etcd:v3.2.7
pod:
mounts:
daemonset_anchor:
daemonset_anchor:
replicas:
apiserver: 3
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
anchor:
enabled: false
min_ready_seconds: 0
max_unavailable: 1
termination_grace_period:
daemonset_anchor:
timeout: 3600
resources:
enabled: false
daemonset_anchor:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
manifests:
configmap_bin: true
configmap_certs: true
configmap_etc: true
daemonset_anchor: true
secret: true
service: true
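Review bot: `pod.replicas.apiserver: 3`, `images.tags.dep_check` and `network.service_peer.enable_node_port` are not read by any template shown in this commit and look carried over from another chart; they may be consumed by helm-toolkit snippets outside this page. Either remove them or add a one-line comment per key saying which template uses it, for example `# consumed by helm-toolkit dependency-check init container`. The `secrets.*` and `nodes[].tls.*.key` entries would also benefit from a comment stating that `placeholder` must be replaced by the deployment tooling and that real key material is never committed to this file.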


@ -182,14 +182,14 @@ metadata:
name: calico-etcd
path: $
dest:
path: '$.values.tls.client.ca'
path: '$.values.secrets.tls.client.ca'
-
src:
schema: deckhand/CertificateAuthority/v1
name: calico-etcd-peer
path: $
dest:
path: '$.values.tls.peer.ca'
path: '$.values.secrets.tls.peer.ca'
-
src:
@ -197,14 +197,14 @@ metadata:
name: calico-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.cert'
path: '$.values.secrets.anchor.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: calico-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.key'
path: '$.values.secrets.anchor.tls.key'
-
src:
@ -332,12 +332,20 @@ data:
values:
anchor:
etcdctl_endpoint: 10.96.232.136
node_selector:
key: calico-etcd
value: enabled
labels:
anchor:
node_selector_key: calico-etcd
node_selector_value: enabled
secrets:
anchor:
tls:
cert: placeholder
key: placeholder
tls:
cert: placeholder
key: placeholder
client:
ca: placeholder
peer:
ca: placeholder
etcd:
host_data_path: /var/lib/etcd/calico
host_etc_path: /etc/etcd/calico
@ -346,8 +354,9 @@ data:
host_directory: /var/lib/anchor
filename: calico-etcd-bootstrap
images:
etcd: quay.io/coreos/etcd:v3.0.17
etcdctl: quay.io/coreos/etcd:v3.0.17
tags:
etcd: quay.io/coreos/etcd:v3.0.17
etcdctl: quay.io/coreos/etcd:v3.0.17
nodes:
- name: n0
tls:
@ -385,17 +394,15 @@ data:
service:
name: calico-etcd
ip: 10.96.232.136
client:
network:
service_client:
name: service_client
port: 6666
target_port: 6666
peer:
service_peer:
name: service_peer
port: 6667
target_port: 6667
tls:
client:
ca: placeholder
peer:
ca: placeholder
source:
type: local
location: /etc/genesis/armada/assets/charts
@ -781,14 +788,14 @@ metadata:
name: kubernetes-etcd
path: $
dest:
path: '$.values.tls.client.ca'
path: '$.values.secrets.tls.client.ca'
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes-etcd-peer
path: $
dest:
path: '$.values.tls.peer.ca'
path: '$.values.secrets.tls.peer.ca'
-
src:
@ -796,14 +803,14 @@ metadata:
name: kubernetes-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.cert'
path: '$.values.secrets.anchor.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.key'
path: '$.values.secrets.anchor.tls.key'
-
src:
@ -931,18 +938,27 @@ data:
values:
anchor:
etcdctl_endpoint: 10.96.0.2
node_selector:
key: kubernetes-etcd
value: enabled
labels:
anchor:
node_selector_key: kubernetes-etcd
node_selector_value: enabled
secrets:
anchor:
tls:
cert: placeholder
key: placeholder
tls:
cert: placeholder
key: placeholder
client:
ca: placeholder
peer:
ca: placeholder
etcd:
host_data_path: /var/lib/etcd/kubernetes
host_etc_path: /etc/etcd/kubernetes
images:
etcd: quay.io/coreos/etcd:v3.0.17
etcdctl: quay.io/coreos/etcd:v3.0.17
tags:
etcd: quay.io/coreos/etcd:v3.0.17
etcdctl: quay.io/coreos/etcd:v3.0.17
nodes:
- name: n0
tls:
@ -979,17 +995,15 @@ data:
service:
name: kubernetes-etcd
ip: 10.96.0.2
client:
network:
service_client:
name: service_client
port: 2379
target_port: 2379
peer:
service_peer:
name: service_peer
port: 2380
target_port: 2380
tls:
client:
ca: placeholder
peer:
ca: placeholder
source:
type: local
location: /etc/genesis/armada/assets/charts


@ -213,14 +213,14 @@ metadata:
name: calico-etcd
path: $
dest:
path: '$.values.tls.client.ca'
path: '$.values.secrets.tls.client.ca'
-
src:
schema: deckhand/CertificateAuthority/v1
name: calico-etcd-peer
path: $
dest:
path: '$.values.tls.peer.ca'
path: '$.values.secrets.tls.peer.ca'
-
src:
@ -228,14 +228,14 @@ metadata:
name: calico-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.cert'
path: '$.values.secrets.anchor.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: calico-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.key'
path: '$.values.secrets.anchor.tls.key'
-
src:
@ -363,12 +363,20 @@ data:
values:
anchor:
etcdctl_endpoint: 10.96.232.136
node_selector:
key: calico-etcd
value: enabled
labels:
anchor:
node_selector_key: calico-etcd
node_selector_value: enabled
secrets:
anchor:
tls:
cert: placeholder
key: placeholder
tls:
cert: placeholder
key: placeholder
client:
ca: placeholder
peer:
ca: placeholder
etcd:
host_data_path: /var/lib/etcd/calico
host_etc_path: /etc/etcd/calico
@ -377,8 +385,9 @@ data:
host_directory: /var/lib/anchor
filename: calico-etcd-bootstrap
images:
etcd: quay.io/coreos/etcd:v3.0.17
etcdctl: quay.io/coreos/etcd:v3.0.17
tags:
etcd: quay.io/coreos/etcd:v3.0.17
etcdctl: quay.io/coreos/etcd:v3.0.17
nodes:
- name: n0
tls:
@ -416,17 +425,15 @@ data:
service:
name: calico-etcd
ip: 10.96.232.136
client:
network:
service_client:
name: service_client
port: 6666
target_port: 6666
peer:
service_peer:
name: service_peer
port: 6667
target_port: 6667
tls:
client:
ca: placeholder
peer:
ca: placeholder
source:
type: local
location: /etc/genesis/armada/assets/charts
@ -812,14 +819,14 @@ metadata:
name: kubernetes-etcd
path: $
dest:
path: '$.values.tls.client.ca'
path: '$.values.secrets.tls.client.ca'
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes-etcd-peer
path: $
dest:
path: '$.values.tls.peer.ca'
path: '$.values.secrets.tls.peer.ca'
-
src:
@ -827,14 +834,14 @@ metadata:
name: kubernetes-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.cert'
path: '$.values.secrets.anchor.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.key'
path: '$.values.secrets.anchor.tls.key'
-
src:
@ -962,18 +969,27 @@ data:
values:
anchor:
etcdctl_endpoint: 10.96.0.2
node_selector:
key: kubernetes-etcd
value: enabled
labels:
anchor:
node_selector_key: kubernetes-etcd
node_selector_value: enabled
secrets:
anchor:
tls:
cert: placeholder
key: placeholder
tls:
cert: placeholder
key: placeholder
client:
ca: placeholder
peer:
ca: placeholder
etcd:
host_data_path: /var/lib/etcd/kubernetes
host_etc_path: /etc/etcd/kubernetes
images:
etcd: quay.io/coreos/etcd:v3.0.17
etcdctl: quay.io/coreos/etcd:v3.0.17
tags:
etcd: quay.io/coreos/etcd:v3.0.17
etcdctl: quay.io/coreos/etcd:v3.0.17
nodes:
- name: n0
tls:
@ -1010,17 +1026,15 @@ data:
service:
name: kubernetes-etcd
ip: 10.96.0.2
client:
network:
service_client:
name: service_client
port: 2379
target_port: 2379
peer:
service_peer:
name: service_peer
port: 2380
target_port: 2380
tls:
client:
ca: placeholder
peer:
ca: placeholder
source:
type: local
location: /etc/genesis/armada/assets/charts


@ -182,14 +182,14 @@ metadata:
name: calico-etcd
path: $
dest:
path: '$.values.tls.client.ca'
path: '$.values.secrets.tls.client.ca'
-
src:
schema: deckhand/CertificateAuthority/v1
name: calico-etcd-peer
path: $
dest:
path: '$.values.tls.peer.ca'
path: '$.values.secrets.tls.peer.ca'
-
src:
@ -197,14 +197,14 @@ metadata:
name: calico-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.cert'
path: '$.values.secrets.anchor.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: calico-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.key'
path: '$.values.secrets.anchor.tls.key'
-
src:
@ -332,12 +332,20 @@ data:
values:
anchor:
etcdctl_endpoint: 10.96.232.136
node_selector:
key: calico-etcd
value: enabled
labels:
anchor:
node_selector_key: calico-etcd
node_selector_value: enabled
secrets:
anchor:
tls:
cert: placeholder
key: placeholder
tls:
cert: placeholder
key: placeholder
client:
ca: placeholder
peer:
ca: placeholder
etcd:
host_data_path: /var/lib/etcd/calico
host_etc_path: /etc/etcd/calico
@ -346,8 +354,9 @@ data:
host_directory: /var/lib/anchor
filename: calico-etcd-bootstrap
images:
etcd: ${IMAGE_ETCD}
etcdctl: ${IMAGE_ETCD}
tags:
etcd: ${IMAGE_ETCD}
etcdctl: ${IMAGE_ETCD}
nodes:
- name: ${GENESIS_HOSTNAME}
tls:
@ -385,17 +394,15 @@ data:
service:
name: calico-etcd
ip: 10.96.232.136
client:
network:
service_client:
name: service_client
port: 6666
target_port: 6666
peer:
service_peer:
name: service_peer
port: 6667
target_port: 6667
tls:
client:
ca: placeholder
peer:
ca: placeholder
source:
type: local
location: /etc/genesis/armada/assets/charts
@ -781,14 +788,14 @@ metadata:
name: kubernetes-etcd
path: $
dest:
path: '$.values.tls.client.ca'
path: '$.values.secrets.tls.client.ca'
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes-etcd-peer
path: $
dest:
path: '$.values.tls.peer.ca'
path: '$.values.secrets.tls.peer.ca'
-
src:
@ -796,14 +803,14 @@ metadata:
name: kubernetes-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.cert'
path: '$.values.secrets.anchor.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-anchor
path: $
dest:
path: '$.values.anchor.tls.key'
path: '$.values.secrets.anchor.tls.key'
-
src:
@ -902,18 +909,27 @@ data:
values:
anchor:
etcdctl_endpoint: 10.96.0.2
node_selector:
key: kubernetes-etcd
value: enabled
labels:
anchor:
node_selector_key: kubernetes-etcd
node_selector_value: enabled
secrets:
anchor:
tls:
cert: placeholder
key: placeholder
tls:
cert: placeholder
key: placeholder
client:
ca: placeholder
peer:
ca: placeholder
etcd:
host_data_path: /var/lib/etcd/kubernetes
host_etc_path: /etc/etcd/kubernetes
images:
etcd: ${IMAGE_ETCD}
etcdctl: ${IMAGE_ETCD}
tags:
etcd: ${IMAGE_ETCD}
etcdctl: ${IMAGE_ETCD}
nodes:
- name: ${GENESIS_HOSTNAME}
tls:
@ -942,17 +958,15 @@ data:
service:
name: kubernetes-etcd
ip: 10.96.0.2
client:
network:
service_client:
name: service_client
port: 2379
target_port: 2379
peer:
service_peer:
name: service_peer
port: 2380
target_port: 2380
tls:
client:
ca: placeholder
peer:
ca: placeholder
source:
type: local
location: /etc/genesis/armada/assets/charts