promenade/examples/gate/armada-resources.yaml

1000 lines
22 KiB
YAML

---
schema: armada/Manifest/v1
metadata:
schema: metadata/Document/v1
name: cluster-bootstrap
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
release_prefix: ucp
chart_groups:
- kubernetes-proxy
- container-networking
- dns
- kubernetes
- ucp-services
---
schema: armada/ChartGroup/v1
metadata:
schema: metadata/Document/v1
name: kubernetes-proxy
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
description: Kubernetes proxy
sequenced: true
chart_group:
- kubernetes-proxy
---
schema: armada/ChartGroup/v1
metadata:
schema: metadata/Document/v1
name: container-networking
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
description: Container networking via Calico
sequenced: true
chart_group:
- calico-etcd
- calico
---
schema: armada/ChartGroup/v1
metadata:
schema: metadata/Document/v1
name: dns
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
description: Cluster DNS
chart_group:
- coredns
---
schema: armada/ChartGroup/v1
metadata:
schema: metadata/Document/v1
name: kubernetes
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
description: Kubernetes components
sequenced: true
chart_group:
- haproxy
- kubernetes-etcd
- kubernetes-apiserver
- kubernetes-controller-manager
- kubernetes-scheduler
- tiller
---
schema: armada/ChartGroup/v1
metadata:
schema: metadata/Document/v1
name: ucp-services
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
description: Airship platform components
sequenced: true
chart_group:
- promenade
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: helm-toolkit
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
chart_name: helm-toolkit
release: helm-toolkit
namespace: helm-toolkit
wait:
timeout: 600
upgrade:
no_hooks: true
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
subpath: helm-toolkit
reference: 2d1fe882bb751c03ee741a6166c9c8a5fad8f926
dependencies: []
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: infra-helm-toolkit
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
chart_name: infra-helm-toolkit
release: infra-helm-toolkit
namespace: infra-helm-toolkit
wait:
timeout: 600
upgrade:
no_hooks: true
values: {}
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
subpath: helm-toolkit
reference: 2d1fe882bb751c03ee741a6166c9c8a5fad8f926
dependencies: []
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: kubernetes-proxy
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
chart_name: proxy
release: kubernetes-proxy
namespace: kube-system
wait:
timeout: 600
labels:
release_group: ucp-kubernetes-proxy
upgrade:
no_hooks: true
values:
images:
tags:
proxy: k8s.gcr.io/kube-proxy-amd64:v1.20.5
network:
kubernetes_netloc: 127.0.0.1:6553
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: proxy
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: calico-etcd
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
substitutions:
-
src:
schema: deckhand/CertificateAuthority/v1
name: calico-etcd
path: .
dest:
path: '.values.secrets.tls.client.ca'
-
src:
schema: deckhand/CertificateAuthority/v1
name: calico-etcd-peer
path: .
dest:
path: '.values.secrets.tls.peer.ca'
-
src:
schema: deckhand/Certificate/v1
name: calico-etcd-anchor
path: .
dest:
path: '.values.secrets.anchor.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: calico-etcd-anchor
path: .
dest:
path: '.values.secrets.anchor.tls.key'
-
src:
schema: deckhand/Certificate/v1
name: calico-etcd-n0
path: .
dest:
path: '.values.nodes[0].tls.client.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: calico-etcd-n0
path: .
dest:
path: '.values.nodes[0].tls.client.key'
-
src:
schema: deckhand/Certificate/v1
name: calico-etcd-n0-peer
path: .
dest:
path: '.values.nodes[0].tls.peer.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: calico-etcd-n0-peer
path: .
dest:
path: '.values.nodes[0].tls.peer.key'
data:
chart_name: etcd
release: calico-etcd
namespace: kube-system
test:
enabled: false
wait:
timeout: 600
labels:
release_group: ucp-calico-etcd
upgrade:
no_hooks: true
values:
pod:
# Disables AppArmor for calico-etcd
mandatory_access_control:
type: apparmor
example-etcd:
etcd: null
anchor:
etcdctl_endpoint: 10.96.232.136
labels:
anchor:
node_selector_key: calico-etcd
node_selector_value: enabled
secrets:
anchor:
tls:
cert: placeholder
key: placeholder
tls:
client:
ca: placeholder
peer:
ca: placeholder
etcd:
host_data_path: /var/lib/etcd/calico
host_etc_path: /etc/etcd/calico
bootstrapping:
enabled: true
host_directory: /var/lib/anchor
filename: calico-etcd-bootstrap
images:
tags:
etcd: quay.io/coreos/etcd:v3.4.13
etcdctl: quay.io/coreos/etcd:v3.4.13
nodes:
- name: n0
tls:
client:
cert: placeholder
key: placeholder
peer:
cert: placeholder
key: placeholder
service:
name: calico-etcd
ip: 10.96.232.136
network:
service_client:
name: service_client
port: 6666
target_port: 6666
service_peer:
name: service_peer
port: 6667
target_port: 6667
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: etcd
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: calico
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
substitutions:
- src:
schema: deckhand/CertificateAuthority/v1
name: calico-etcd
path: .
dest:
path: '.values.endpoints.etcd.auth.client.tls.ca'
- src:
schema: deckhand/Certificate/v1
name: calico-node
path: .
dest:
path: '.values.endpoints.etcd.auth.client.tls.crt'
- src:
schema: deckhand/CertificateKey/v1
name: calico-node
path: .
dest:
path: '.values.endpoints.etcd.auth.client.tls.key'
- src:
schema: deckhand/CertificateAuthority/v1
name: calico-etcd
path: .
dest:
path: '.values.conf.etcd.credentials.ca'
- src:
schema: deckhand/Certificate/v1
name: calico-node
path: .
dest:
path: '.values.conf.etcd.credentials.certificate'
- src:
schema: deckhand/CertificateKey/v1
name: calico-node
path: .
dest:
path: '.values.conf.etcd.credentials.key'
data:
chart_name: calico
release: calico
namespace: kube-system
wait:
timeout: 600
labels:
release_group: ucp-calico
upgrade:
no_hooks: true
values:
pod:
# Disables AppArmor for calico
mandatory_access_control:
type: apparmor
calico-node:
calico-node: null
conf:
cni_network_config:
name: k8s-pod-network
cniVersion: 0.1.0
type: calico
etcd_endpoints: __ETCD_ENDPOINTS__
etcd_ca_cert_file: /etc/calico/pki/ca
etcd_cert_file: /etc/calico/pki/crt
etcd_key_file: /etc/calico/pki/key
log_level: debug
mtu: 1500
ipam:
type: calico-ipam
policy:
type: k8s
k8s_api_root: https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__
k8s_auth_token: __SERVICEACCOUNT_TOKEN__
policy_controller:
K8S_API: "https://10.96.0.1:443"
node:
CALICO_STARTUP_LOGLEVEL: DEBUG
CLUSTER_TYPE:
- k8s
- bgp
IP_AUTODETECTION_METHOD: interface=ens3
WAIT_FOR_STORAGE: "true"
endpoints:
etcd:
hosts:
default: calico-etcd
host_fqdn_override:
default: 10.96.232.136
scheme:
default: https
networking:
podSubnet: 10.97.0.0/16
mtu: 1500
images:
tags:
calico_etcd: quay.io/coreos/etcd:v3.4.13
calico_node: quay.io/calico/node:v3.4.0
calico_cni: quay.io/calico/cni:v3.4.0
calico_ctl: quay.io/calico/ctl:v3.4.0
calico_settings: quay.io/calico/ctl:v3.4.0
calico_kube_controllers: quay.io/calico/kube-controllers:v3.4.0
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
manifests:
daemonset_calico_etcd: false
job_image_repo_sync: false
service_calico_etcd: false
source:
type: git
location: https://opendev.org/openstack/openstack-helm-infra.git
reference: b50fae62a4ad0992ce877cd632800e1eed5f71a9
subpath: calico
dependencies:
- infra-helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: coredns
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
chart_name: coredns
release: coredns
namespace: kube-system
wait:
timeout: 600
labels:
release_group: ucp-coredns
upgrade:
no_hooks: true
values:
conf:
test:
names_to_resolve:
- att.com
- calico-etcd.kube-system.svc.cluster.local
- google.com
- kubernetes.default.svc.cluster.local
images:
tags:
coredns: coredns/coredns:1.7.0
test: quay.io/airshipit/promenade:master
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: coredns
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: haproxy
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
chart_name: haproxy
release: haproxy
namespace: kube-system
wait:
timeout: 600
labels:
release_group: ucp-haproxy
upgrade:
no_hooks: true
values:
conf:
anchor:
enable_cleanup: false
kubernetes_url: https://10.96.0.1:443
services:
kube-system:
kubernetes-apiserver:
server_opts: "check port 6443"
conf_parts:
global:
- timeout connect 5000ms
- timeout client 30s
- timeout server 30s
frontend:
- mode tcp
- bind *:6553
backend:
- mode tcp
- option tcp-check
- option redispatch
kubernetes-etcd:
server_opts: "check port 2379"
conf_parts:
frontend:
- mode tcp
- bind *:2378
backend:
- mode tcp
- option tcp-check
- option redispatch
images:
tags:
anchor: cwedgwood/kubectl:v1.20.5-1
haproxy: haproxy:1.8.3
test: python:3.6
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: haproxy
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: kubernetes-apiserver
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
substitutions:
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes
path: .
dest:
path: .values.secrets.tls.ca
-
src:
schema: deckhand/Certificate/v1
name: apiserver
path: .
dest:
path: .values.secrets.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver
path: .
dest:
path: .values.secrets.tls.key
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes-etcd
path: .
dest:
path: .values.secrets.etcd.tls.ca
-
src:
schema: deckhand/Certificate/v1
name: apiserver-etcd
path: .
dest:
path: .values.secrets.etcd.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: apiserver-etcd
path: .
dest:
path: .values.secrets.etcd.tls.key
-
src:
schema: deckhand/PublicKey/v1
name: service-account
path: .
dest:
path: .values.secrets.service_account.public_key
-
src:
schema: deckhand/PrivateKey/v1
name: service-account
path: .
dest:
path: .values.secrets.service_account.private_key
-
src:
schema: promenade/EncryptionPolicy/v1
name: encryption-policy
path: .etcd
dest:
path: .values.conf.encryption_provider.content.resources
data:
chart_name: apiserver
release: kubernetes-apiserver
namespace: kube-system
wait:
timeout: 600
labels:
release_group: ucp-kubernetes-apiserver
upgrade:
no_hooks: true
values:
conf:
encryption_provider:
file: encryption_provider.yaml
command_options:
- '--encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
content:
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
apiserver:
etcd:
endpoints: https://127.0.0.1:2378
images:
tags:
anchor: cwedgwood/kubectl:v1.20.5-1
apiserver: k8s.gcr.io/kube-apiserver-amd64:v1.20.5
network:
kubernetes_service_ip: 10.96.0.1
pod_cidr: 10.97.0.0/16
service_cidr: 10.96.0.0/16
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: apiserver
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: kubernetes-controller-manager
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
substitutions:
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes
path: .
dest:
path: .values.secrets.tls.ca
-
src:
schema: deckhand/Certificate/v1
name: controller-manager
path: .
dest:
path: .values.secrets.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: controller-manager
path: .
dest:
path: .values.secrets.tls.key
-
src:
schema: deckhand/PrivateKey/v1
name: service-account
path: .
dest:
path: .values.secrets.service_account.private_key
data:
chart_name: controller_manager
release: kubernetes-controller-manager
namespace: kube-system
wait:
timeout: 600
labels:
release_group: ucp-kubernetes-controller-manager
upgrade:
no_hooks: true
values:
images:
tags:
anchor: cwedgwood/kubectl:v1.20.5-1
controller_manager: k8s.gcr.io/kube-controller-manager-amd64:v1.20.5
secrets:
service_account:
private_key: placeholder
tls:
ca: placeholder
cert: placeholder
key: placeholder
network:
kubernetes_netloc: 127.0.0.1:6553
pod_cidr: 10.97.0.0/16
service_cidr: 10.96.0.0/16
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: controller_manager
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: kubernetes-scheduler
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
substitutions:
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes
path: .
dest:
path: .values.secrets.tls.ca
-
src:
schema: deckhand/Certificate/v1
name: scheduler
path: .
dest:
path: .values.secrets.tls.cert
-
src:
schema: deckhand/CertificateKey/v1
name: scheduler
path: .
dest:
path: .values.secrets.tls.key
data:
chart_name: scheduler
release: kubernetes-scheduler
namespace: kube-system
wait:
timeout: 600
labels:
release_group: ucp-kubernetes-scheduler
upgrade:
no_hooks: true
values:
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
network:
kubernetes_netloc: 127.0.0.1:6553
images:
tags:
anchor: cwedgwood/kubectl:v1.20.5-1
scheduler: k8s.gcr.io/kube-scheduler-amd64:v1.20.5
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: scheduler
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: kubernetes-etcd
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
substitutions:
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes-etcd
path: .
dest:
path: '.values.secrets.tls.client.ca'
-
src:
schema: deckhand/CertificateAuthority/v1
name: kubernetes-etcd-peer
path: .
dest:
path: '.values.secrets.tls.peer.ca'
-
src:
schema: deckhand/Certificate/v1
name: kubernetes-etcd-anchor
path: .
dest:
path: '.values.secrets.anchor.tls.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-anchor
path: .
dest:
path: '.values.secrets.anchor.tls.key'
-
src:
schema: deckhand/Certificate/v1
name: kubernetes-etcd-n0
path: .
dest:
path: '.values.nodes[0].tls.client.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-n0
path: .
dest:
path: '.values.nodes[0].tls.client.key'
-
src:
schema: deckhand/Certificate/v1
name: kubernetes-etcd-n0-peer
path: .
dest:
path: '.values.nodes[0].tls.peer.cert'
-
src:
schema: deckhand/CertificateKey/v1
name: kubernetes-etcd-n0-peer
path: .
dest:
path: '.values.nodes[0].tls.peer.key'
data:
chart_name: etcd
release: kubernetes-etcd
namespace: kube-system
wait:
timeout: 600
labels:
release_group: ucp-kubernetes-etcd
upgrade:
no_hooks: true
values:
anchor:
etcdctl_endpoint: kubernetes-etcd.kube-system.svc.cluster.local
enable_cleanup: false
labels:
anchor:
node_selector_key: kubernetes-etcd
node_selector_value: enabled
secrets:
anchor:
tls:
cert: placeholder
key: placeholder
tls:
client:
ca: placeholder
peer:
ca: placeholder
etcd:
host_data_path: /var/lib/etcd/kubernetes
host_etc_path: /etc/etcd/kubernetes
images:
tags:
etcd: quay.io/coreos/etcd:v3.4.13
etcdctl: quay.io/coreos/etcd:v3.4.13
nodes:
- name: n0
tls:
client:
cert: placeholder
key: placeholder
peer:
cert: placeholder
key: placeholder
service:
name: kubernetes-etcd
network:
service_client:
name: service_client
port: 2379
target_port: 2379
service_peer:
name: service_peer
port: 2380
target_port: 2380
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: etcd
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: tiller
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
chart_name: tiller
release: tiller
namespace: kube-system
install:
no_hooks: false
upgrade:
no_hooks: false
wait:
timeout: 600
values:
images:
tags:
tiller: gcr.io/kubernetes-helm/tiller:v2.16.1
labels:
node_selector_key: ucp-control-plane
node_selector_value: enabled
source:
type: git
location: https://opendev.org/airship/armada.git
subpath: charts/tiller
reference: master
dependencies:
- helm-toolkit
---
schema: armada/Chart/v1
metadata:
schema: metadata/Document/v1
name: promenade
layeringDefinition:
abstract: false
layer: site
storagePolicy: cleartext
data:
chart_name: promenade
release: promenade
namespace: ucp
wait:
timeout: 600
labels:
release_group: ucp-promenade
values:
pod:
env:
promenade_api:
- name: PROMENADE_DEBUG
value: '1'
conf:
paste:
app:promenade-api:
disable: keystone
pipeline:main:
pipeline: noauth promenade-api
images:
tags:
promenade: quay.io/airshipit/promenade:master
manifests:
job_ks_endpoints: false
job_ks_service: false
job_ks_user: false
secret_keystone: false
upgrade:
no_hooks: true
source:
type: local
location: /etc/genesis/armada/assets/charts
subpath: promenade
dependencies:
- helm-toolkit
...