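# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for the webhook API server chart. Every key below is a
# default that a deployment is expected to override where noted.

release_group: null

images:
  tags:
    apiserver: gcr.io/google_containers/hyperkube-amd64:v1.11.6
    # NOTE(review): `latest` is a mutable tag, so this deployment is not
    # reproducible; with pull_policy IfNotPresent below, nodes may also keep
    # whichever build they cached first. Pin to a release tag or a digest.
    kubernetes_keystone_webhook: docker.io/k8scloudprovider/k8s-keystone-auth:latest
    scripted_test: docker.io/openstackhelm/heat:newton
    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
    image_repo_sync: docker.io/docker:17.07.0
    ks_user: docker.io/openstackhelm/heat:ocata
  pull_policy: IfNotPresent
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

labels:
  kubernetes_apiserver:
    node_selector_key: apiserver-webhook
    node_selector_value: enabled
  job:
    node_selector_key: apiserver-webhook
    node_selector_value: enabled

# Leading arguments of the API server command line.
command_prefix:
  - /apiserver
  # NOTE(review): --admission-control is deprecated since Kubernetes 1.10 in
  # favour of --enable-admission-plugins; it is kept here unchanged.
  - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
  # NOTE(review): --v=5 is a high log verbosity for a default; confirm it is
  # intended outside debugging.
  - --v=5

network:
  pod_cidr: '10.97.0.0/16'
  service_cidr: '10.96.0.0/16'
  api:
    ingress:
      # The API is published through the public ingress class.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        # NOTE(review): later ingress-nginx releases replaced secure-backends
        # with backend-protocol; confirm the deployed controller still
        # honours this annotation.
        nginx.ingress.kubernetes.io/secure-backends: "true"
    # NOTE(review): the nesting of `name` under network.api is inferred;
    # confirm against the chart templates.
    name: webhook_apiserver

#
# Insert TLS certificates, keys and CAs
# here. Server is for server-terminated TLS (basic)
# and client is for mTLS. Each group of certificates
# will generate two secrets -client and -server
# built to the kubernetes.io/tls secret type with keys 'tls.crt', 'tls.key'
# and 'ca.crt'
#
# Every value below is a placeholder. Supply real certificates and private
# keys through deployment-time overrides sourced from a secret store; do not
# commit key material to this file.
certificates:
  apiserver_webhook_pod:
    server:
      cert: placeholder
      key: placeholder
      ca: placeholder
  keystone_webhook:
    server:
      cert: placeholder
      key: placeholder
      ca: placeholder
  kubelet:
    client:
      cert: placeholder
      key: placeholder
    server:
      ca: placeholder
  etcd:
    client:
      cert: placeholder
      key: placeholder
    server:
      ca: placeholder

secrets:
  service_account:
    public_key: placeholder
  # Names of the secrets that hold the Keystone credentials.
  identity:
    admin: apiserver-webhook-keystone-creds-admin
    webhook: apiserver-webhook-keystone-creds-webhook
  tls:
    webhook_apiserver:
      api:
        public: apiserver-webhook-public
        # NOTE(review): the nesting of `server` at this level is inferred;
        # confirm against the chart templates.
        server:
          cert: placeholder
          key: placeholder
          ca: placeholder

# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
  cluster_domain_suffix: cluster.local
  webhook_apiserver:
    name: webhook_apiserver
    hosts:
      default: apiserver-webhook
      internal: apiserver-webhook-int
    port:
      api:
        default: 6443
        public: 443
      webhook:
        podport: 8443
    path:
      default: /
      webhook: /webhook
    scheme:
      default: https
      public: https
    host_fqdn_override:
      default: null
      # NOTE: this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
  identity:
    name: keystone
    namespace: null
    # Placeholder credentials: override both passwords per deployment and
    # keep the real values out of version control.
    auth:
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      webhook:
        region_name: RegionOne
        username: webhook
        password: password
        project_name: service
        user_domain_name: default
        project_domain_name: default
        # NOTE(review): the webhook service user is given the admin role;
        # confirm whether a narrower role is sufficient.
        role: admin
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    # NOTE(review): the default reaches Keystone over plain HTTP, so the
    # credentials above and Keystone tokens cross the network unencrypted.
    # Prefer https wherever the Keystone endpoint offers it.
    scheme:
      default: http
    port:
      api:
        default: 80
        internal: 5000
  etcd:
    name: etcd
    namespace: kube-system
    hosts:
      default: kubernetes-etcd
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: https
    port:
      client:
        default: 2379

pod:
  # The original listing declared `mounts` twice under `pod`. Duplicate
  # mapping keys are invalid YAML and most parsers silently keep only the
  # last one, which would drop the kubernetes_apiserver entry. Both mappings
  # are merged here.
  mounts:
    kubernetes_apiserver:
      init_container: null
      kubernetes_apiserver: null
    kubernetes_keystone_webhook_api:
      init_container: null
      kubernetes_keystone_webhook_api: null
    kubernetes_keystone_webhook_tests:
      init_container: null
      kubernetes_keystone_webhook_tests: null
  replicas:
    apiserver: 1
    api: 1
  probes:
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
    livenessProbe:
      failureThreshold: 3
      initialDelaySeconds: 15
      periodSeconds: 20
  lifecycle:
    upgrades:
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        kubernetes_apiserver:
          enabled: false
          min_ready_seconds: 0
          max_unavailable: 1
    termination_grace_period:
      kubernetes_apiserver:
        timeout: 3600
  resources:
    # Requests and limits below only take effect when this is true.
    enabled: false
    anchor_pod:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    kubernetes_apiserver:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "256Mi"
        cpu: "200m"
    jobs:
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "256Mi"
          cpu: "200m"

conf:
  paths:
    base: '/etc/webhook_apiserver/'
    pki: '/etc/webhook_apiserver/pki'
    conf: '/etc/webhook_apiserver/webhook.kubeconfig'
    policy: '/etc/webhook_apiserver/conf/policy.json'
    sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
  # Authorization policy: each entry grants the listed verbs on the listed
  # resources to callers matching the given Keystone role or project.
  policy:
    # Holders of the `admin` role get every verb on every resource in every
    # namespace; treat assignment of that role as cluster-admin access.
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "*"
        version: "*"
      match:
        - type: role
          values:
            - admin
    # Full access limited to the kube-system namespace.
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "kube-system"
        version: "*"
      match:
        - type: role
          values:
            - kube-system-admin
    # Read-only access (get, list, watch) to the kube-system namespace.
    - resource:
        verbs:
          - get
          - list
          - watch
        resources:
          - "*"
        namespace: "kube-system"
        version: "*"
      match:
        - type: role
          values:
            - kube-system-viewer
    # Full access to the ucp namespace, matched on project rather than role.
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "ucp"
        version: "*"
      match:
        - type: project
          values:
            - ucp-admin
            - airship-admin

dependencies:
  static:
    ks_user:
      services:
        - service: identity
          endpoint: internal
    api:
      jobs:
        - webhook-apiserver-ks-user
      services:
        - service: identity
          endpoint: internal

# Switches that select which chart templates are rendered.
manifests:
  configmap_bin: true
  configmap_certs: true
  configmap_etc: true
  job_ks_user: true
  deployment: true
  ingress_api: true
  pod_test: false
  secret_keystone: true
  secret_tls: true
  service: true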