Refactor Kubernetes Proxy Chart

Refactor of the kubernetes proxy chart to align with OSH standards

Change-Id: I2604eae413090ec1d5dac242eafa4d2a96ce4551
Hassan Kaous 2017-11-17 10:40:04 -06:00 committed by Mark Burnett
parent 2d31f7d595
commit 98561baf80
10 changed files with 205 additions and 100 deletions


@ -1,4 +1,18 @@
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
description: A chart for the Kubernetes proxy.
name: proxy
version: 0.1.0
version: 0.1.0


@ -0,0 +1,4 @@
dependencies:
- name: helm-toolkit
repository: http://localhost:8879/charts
version: 0.1.0
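Review bot: The `helm-toolkit` dependency is resolved from `http://localhost:8879/charts`, so its content is whatever chart server is listening on that port on the build host, and none of the file sections shown for this commit looks like a `requirements.lock` that would record a digest for it. If the local repository is the project's build convention, a comment above `repository:` should say so, for example `# served by the local chart repo started during the build, not a remote source`. Committing the lock file written by `helm dependency update` would make an unexpected helm-toolkit build show up in review.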


@ -0,0 +1,46 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kubernetes-proxy-etc
data:
kubeconfig.yaml: |-
---
apiVersion: v1
clusters:
- cluster:
server: https://{{ .Values.network.kubernetes_netloc }}
certificate-authority: pki/cluster-ca.pem
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: proxy
name: proxy@kubernetes
current-context: proxy@kubernetes
kind: Config
preferences: {}
users:
- name: proxy
user:
client-certificate: pki/proxy.pem
client-key: pki/proxy-key.pem
cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
proxy.pem: {{ .Values.secrets.tls.cert | quote }}
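Review bot: This template is rendered unconditionally even though the values file in this commit adds `manifests.configmap_etc: true`; only the DaemonSet template is wrapped in a `manifests` check. Wrapping the document in `{{- if .Values.manifests.configmap_etc }}` and `{{- end }}` would make the switch effective. The Secret template appears to have the same gap for `manifests.secret`, since its hunks show no guard being added. The DaemonSet mounts both objects, so a comment next to the switches in the values file should say that disabling either one while `daemonset_proxy` stays on requires supplying the object by other means.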


@ -1,30 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kubernetes-proxy
data:
kubeconfig.yaml: |-
---
apiVersion: v1
clusters:
- cluster:
server: https://{{ .Values.network.kubernetes_netloc }}
certificate-authority: pki/cluster-ca.pem
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: proxy
name: proxy@kubernetes
current-context: proxy@kubernetes
kind: Config
preferences: {}
users:
- name: proxy
user:
client-certificate: pki/proxy.pem
client-key: pki/proxy-key.pem
cluster-ca.pem: {{ .Values.tls.ca | quote }}
proxy.pem: {{ .Values.tls.cert | quote }}


@ -1,25 +1,39 @@
{{/*
Copyright 2017 AT&T Intellectual Property. All other rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_proxy }}
{{- $envAll := . }}
---
apiVersion: "extensions/v1beta1"
kind: DaemonSet
metadata:
name: kubernetes-proxy
labels:
component: k8s-proxy
spec:
{{ tuple $envAll "proxy" | include "helm-toolkit.snippets.kubernetes_upgrades_daemonset" | indent 2 }}
template:
metadata:
labels:
tier: node
component: k8s-proxy
{{ tuple $envAll "kubernetes" "proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
hostNetwork: true
dnsPolicy: {{ .Values.dns_policy }}
{{- if .Values.node_selector.key }}
nodeSelector:
{{ .Values.node_selector.key }}: {{ .Values.node_selector.value }}
{{- end }}
dnsPolicy: Default
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
@ -27,13 +41,15 @@ spec:
operator: Exists
containers:
- name: proxy
image: {{ .Values.images.proxy }}
image: {{ .Values.images.tags.proxy }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- {{ .Values.proxy.command }}
- --cluster-cidr={{ .Values.network.pod_cidr }}
- --hostname-override=$(NODE_NAME)
- --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml
- --proxy-mode=iptables
{{- range .Values.command_prefix }}
- {{ . }}
{{- end }}
- --hostname-override=$(NODE_NAME)
- --kubeconfig=/etc/kubernetes/proxy/kubeconfig.yaml
{{ tuple $envAll $envAll.Values.pod.resources.proxy | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: NODE_NAME
valueFrom:
@ -60,28 +76,24 @@ spec:
initialDelaySeconds: 15
periodSeconds: 15
volumeMounts:
- name: proxy-cm
- name: kubernetes-proxy-etc
mountPath: /etc/kubernetes/proxy/kubeconfig.yaml
subPath: kubeconfig.yaml
- name: proxy-cm
- name: kubernetes-proxy-etc
mountPath: /etc/kubernetes/proxy/pki/proxy.pem
subPath: proxy.pem
- name: proxy-cm
- name: kubernetes-proxy-etc
mountPath: /etc/kubernetes/proxy/pki/cluster-ca.pem
subPath: cluster-ca.pem
- name: proxy-secret
mountPath: /etc/kubernetes/proxy/pki/proxy-key.pem
subPath: proxy-key.pem
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
volumes:
- name: proxy-cm
- name: kubernetes-proxy-etc
configMap:
name: kubernetes-proxy
name: kubernetes-proxy-etc
defaultMode: 0444
- name: proxy-secret
secret:
secretName: kubernetes-proxy
{{- end }}
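Review bot: The `proxy-secret` volume that carries `proxy-key.pem` sets no `defaultMode`, so the client private key is mounted with the Kubernetes default of 0644, while the ConfigMap volume beside it is explicitly `0444`. Adding `defaultMode: 0400` under `secret:` would keep the key readable only by the container's user; this assumes kube-proxy runs as root in this image, which the page does not show. Separately, only `configmap-etc-hash` is annotated on the pod template, so a change to the Secret alone would not roll the DaemonSet, and `subPath` mounts are not refreshed in place.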


@ -1,3 +1,15 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
apiVersion: v1
kind: Secret
@ -5,4 +17,4 @@ metadata:
name: kubernetes-proxy
type: Opaque
data:
proxy-key.pem: {{ .Values.tls.key | b64enc }}
proxy-key.pem: {{ .Values.secrets.tls.key | b64enc }}


@ -1,19 +1,60 @@
dns_policy: Default
name: kubernetes-proxy
# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# limitations under the License.
tls:
ca: placeholder
cert: placeholder
key: placeholder
manifests:
daemonset_proxy: true
configmap_etc: true
secret: true
proxy:
command: /proxy
pod:
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
proxy:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
termination_grace_period:
proxy:
timeout: 30
resources:
enabled: false
proxy:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
images:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
tags:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
pull_policy: "IfNotPresent"
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
command_prefix:
- /proxy
- --proxy-mode=iptables
- --cluster-cidr=10.97.0.0/16
network:
kubernetes_netloc: 10.96.0.1
pod_cidr: 10.97.0.0/16
node_selector: {}
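Review bot: `command_prefix` hard-codes `--cluster-cidr=10.97.0.0/16`, and the DaemonSet template appears to stop building that flag from `.Values.network.pod_cidr`, so `network.pod_cidr` (still set here and in the Armada manifests) seems to have no effect on kube-proxy any more. A site that overrides only `pod_cidr` would get masquerade rules for the wrong range without any error. Either drop the flag from `command_prefix` and keep `- --cluster-cidr={{ .Values.network.pod_cidr }}` in the template, or remove `network.pod_cidr` and add a comment above `command_prefix` such as `# full kube-proxy command line; --cluster-cidr must match the pod network`.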


@ -128,21 +128,21 @@ metadata:
name: kubernetes
path: $
dest:
path: '$.values.tls.ca'
path: '$.values.secrets.tls.ca'
-
src:
schema: deckhand/Certificate/v1
name: proxy
path: $
dest:
path: '$.values.tls.cert'
path: '$.values.secrets.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: proxy
path: $
dest:
path: '$.values.tls.key'
path: '$.values.secrets.tls.key'
data:
chart_name: proxy
release: kubernetes-proxy
@ -151,20 +151,22 @@ data:
upgrade:
no_hooks: true
values:
tls:
ca: placeholder
cert: placeholder
key: placeholder
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
images:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
tags:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443
pod_cidr: 10.97.0.0/16
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: proxy
dependencies: []
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:


@ -143,7 +143,8 @@ data:
location: https://git.openstack.org/openstack/openstack-helm
subpath: helm-toolkit
reference: master
dependencies: []
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
@ -159,21 +160,21 @@ metadata:
name: kubernetes
path: $
dest:
path: '$.values.tls.ca'
path: '$.values.secrets.tls.ca'
-
src:
schema: deckhand/Certificate/v1
name: proxy
path: $
dest:
path: '$.values.tls.cert'
path: '$.values.secrets.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: proxy
path: $
dest:
path: '$.values.tls.key'
path: '$.values.secrets.tls.key'
data:
chart_name: proxy
release: kubernetes-proxy
@ -182,15 +183,16 @@ data:
upgrade:
no_hooks: true
values:
tls:
ca: placeholder
cert: placeholder
key: placeholder
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
images:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
tags:
proxy: gcr.io/google_containers/hyperkube-amd64:v1.8.0
network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443
pod_cidr: 10.97.0.0/16
source:
type: local
location: /etc/genesis/armada/assets/charts
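Review bot: In the first hunk of this file, `dependencies: - helm-toolkit` is added to the chart document whose source is `subpath: helm-toolkit`, which looks like the helm-toolkit chart itself, so it would now depend on itself. The proxy chart's own `dependencies:` line comes after `location: /etc/genesis/armada/assets/charts` and lies outside the last hunk, so from this page it still seems to read `dependencies: []`, unlike the other two manifests in the commit. If that is the case, revert the first hunk and change the proxy document instead. That same document tracks `reference: master`, so the toolkit templates rendered into this host-network DaemonSet can change without any change in this repository; pinning a commit would make such changes reviewable.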


@ -128,21 +128,21 @@ metadata:
name: kubernetes
path: $
dest:
path: '$.values.tls.ca'
path: '$.values.secrets.tls.ca'
-
src:
schema: deckhand/Certificate/v1
name: proxy
path: $
dest:
path: '$.values.tls.cert'
path: '$.values.secrets.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: proxy
path: $
dest:
path: '$.values.tls.key'
path: '$.values.secrets.tls.key'
data:
chart_name: proxy
release: kubernetes-proxy
@ -151,20 +151,22 @@ data:
upgrade:
no_hooks: true
values:
tls:
ca: placeholder
cert: placeholder
key: placeholder
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
images:
proxy: ${IMAGE_HYPERKUBE}
tags:
proxy: ${IMAGE_HYPERKUBE}
network:
kubernetes_netloc: apiserver.kubernetes.promenade:6443
pod_cidr: 10.97.0.0/16
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: proxy
dependencies: []
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata: