A declarative framework for resilient Kubernetes deployment.

deployment.yaml 11KB

  1. {{/*
  2. Copyright 2018 The Openstack-Helm Authors.
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. http://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. */}}
  13. {{/*
  14. These local.* templates may be moved out of this chart into helm-toolkit
  15. in the future if there is desire to generalize this pattern. Otherwise
  16. in the future they will be moved into a separate helpers file.
  17. */}}
  18. {{- define "local.tls_volume_name" -}}
  19. {{- $group := index . 0 -}}
  20. {{- $type := index . 1 -}}
  21. tls-{{ $group | replace "_" "-" }}-{{ $type | replace "_" "-" }}
  22. {{- end -}}
  23. {{- define "local.attach_all_bundles" }}
  24. {{- $envAll := . }}
  25. {{- range $group, $certs := $envAll.Values.certificates }}
  26. {{- range $type, $bundle := . }}
  27. {{ tuple $group $type $envAll | include "local.attach_cert_bundle" }}
  28. {{- end }}
  29. {{- end }}
  30. {{- end }}
  31. {{- define "local.attach_cert_bundle" }}
  32. {{- $group := index . 0 }}
  33. {{- $type := index . 1 }}
  34. {{- $envAll := index . 2 }}
  35. - name: {{ tuple $group $type | include "local.tls_volume_name" }}
  36. secret:
  37. secretName: {{ tuple $group $type $envAll | include "local.tls_secret_name" }}
  38. defaultMode: 0444
  39. {{ end }}
  40. {{- define "local.mount_all_bundles" }}
  41. {{- $basepath := index . 0 }}
  42. {{- $envAll := index . 1 }}
  43. {{- range $group, $certs := $envAll.Values.certificates }}
  44. {{- range $type, $bundle := . }}
  45. {{ tuple $group $type $basepath $envAll | include "local.mount_cert_bundle" }}
  46. {{- end }}
  47. {{- end }}
  48. {{- end }}
  49. {{- define "local.mount_cert_bundle" }}
  50. {{- $group := index . 0 }}
  51. {{- $type := index . 1 }}
  52. {{- $basepath := index . 2 }}
  53. {{- $envAll := index . 3 }}
  54. {{- $bundle := index $envAll.Values "certificates" $group $type }}
  55. {{- range tuple "ca" "cert" "key" }}
  56. {{- if hasKey $bundle . }}
  57. {{ tuple $group $type . $basepath $envAll | include "local.mount_cert_file" }}
  58. {{- end }}
  59. {{- end }}
  60. {{- end }}
  61. {{- define "local.mount_cert_file" }}
  62. {{- $group := index . 0 }}
  63. {{- $type := index . 1 }}
  64. {{- $member := index . 2 }}
  65. {{- $basepath := index . 3 }}
  66. {{- $envAll := index . 4 }}
  67. - name: {{ tuple $group $type | include "local.tls_volume_name" }}
  68. mountPath: {{ tuple $group $type $basepath $member $envAll | include "local.cert_bundle_path" }}
  69. {{- if eq $member "ca" }}
  70. subPath: ca.crt
  71. {{- else if eq $member "cert" }}
  72. subPath: tls.crt
  73. {{- else if eq $member "key" }}
  74. subPath: tls.key
  75. {{- end }}
  76. readOnly: true
  77. {{- end }}
  78. {{- define "local.cert_bundle_path" -}}
  79. {{- $group := index . 0 -}}
  80. {{- $type := index . 1 -}}
  81. {{- $basepath := index . 2 -}}
  82. {{- $member := index . 3 -}}
  83. {{- $envAll := index . 4 -}}
  84. {{ $basepath }}/{{ $group }}-{{ $type }}-{{ $member }}.pem
  85. {{- end -}}
  86. {{- if .Values.manifests.deployment }}
  87. {{- $envAll := . }}
  88. ---
  89. apiVersion: apps/v1
  90. kind: Deployment
  91. metadata:
  92. name: {{ .Release.Name }}-apiserver-webhook
  93. labels:
  94. {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
  95. spec:
  96. replicas: {{ $envAll.Values.pod.replicas.api }}
  97. selector:
  98. matchLabels:
  99. {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
  100. template:
  101. metadata:
  102. labels:
  103. {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
  104. annotations:
  105. configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
  106. configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
  107. spec:
  108. dnsPolicy: ClusterFirst
  109. containers:
  110. - name: apiserver
  111. image: {{ .Values.images.tags.apiserver }}
  112. {{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
  113. env:
  114. - name: POD_IP
  115. valueFrom:
  116. fieldRef:
  117. fieldPath: status.podIP
  118. - name: NODENAME
  119. valueFrom:
  120. fieldRef:
  121. fieldPath: spec.nodeName
  122. command:
  123. {{- range .Values.command_prefix }}
  124. - {{ . }}
  125. {{- end }}
  126. - --service-cluster-ip-range={{ $envAll.Values.network.service_cidr }}
  127. - --authorization-mode=Webhook
  128. - --advertise-address=$(POD_IP)
  129. - --anonymous-auth=false
  130. - --endpoint-reconciler-type=none
  131. - --bind-address=$(POD_IP)
  132. - --secure-port={{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
  133. - --insecure-port=0
  134. - --tls-cert-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
  135. - --tls-private-key-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
  136. - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
  137. - --kubelet-certificate-authority={{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }}
  138. - --kubelet-client-certificate={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
  139. - --kubelet-client-key={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
  140. - --etcd-servers={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
  141. - --etcd-cafile={{ tuple "etcd" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }}
  142. - --etcd-certfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }}
  143. - --etcd-keyfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
  144. - --allow-privileged=true
  145. - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
  146. - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
  147. - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
  148. readinessProbe:
  149. tcpSocket:
  150. port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
  151. {{ $envAll.Values.pod.probes.readinessProbe | toYaml | indent 12 }}
  152. livenessProbe:
  153. tcpSocket:
  154. port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
  155. {{ $envAll.Values.pod.probes.livenessProbe | toYaml | indent 12 }}
  156. volumeMounts:
  157. - name: etc-apiserver
  158. mountPath: {{ $envAll.Values.conf.paths.base }}
  159. - name: etc-apiserver-pki
  160. mountPath: {{ $envAll.Values.conf.paths.pki }}
  161. - name: configmap-etc
  162. mountPath: {{ $envAll.Values.conf.paths.sapubkey }}
  163. subPath: service-account.pub
  164. readOnly: true
  165. - name: configmap-etc
  166. mountPath: {{ $envAll.Values.conf.paths.conf }}
  167. subPath: webhook.kubeconfig
  168. readOnly: true
  169. {{ tuple "keystone_webhook" "server" "ca" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_file" | indent 12 }}
  170. {{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
  171. {{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
  172. {{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
  173. {{ tuple "etcd" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
  174. {{ tuple "etcd" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
  175. - name: webhook
  176. {{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
  177. {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
  178. command:
  179. - /tmp/webhook_start.sh
  180. env:
  181. {{- with $env := dict "ksUserSecret" .Values.secrets.identity.webhook }}
  182. {{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
  183. {{- end }}
  184. - name: SERVER_CERT_FILE
  185. value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" | quote }}
  186. - name: SERVER_KEY_FILE
  187. value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" | quote }}
  188. - name: POLICY_FILE
  189. value: {{ $envAll.Values.conf.paths.policy | quote }}
  190. - name: SERVER_PORT
  191. value: {{ tuple "webhook_apiserver" "podport" "webhook" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
  192. {{- if hasKey .Values.certificates "keystone" }}
  193. - name: KEYSTONE_CA_FILE
  194. value: {{ tuple "keystone" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" | quote }}
  195. {{- end }}
  196. volumeMounts:
  197. - name: etc-webhook
  198. mountPath: {{ $envAll.Values.conf.paths.base }}
  199. - name: etc-webhook-pki
  200. mountPath: {{ $envAll.Values.conf.paths.pki }}
  201. - name: configmap-etc
  202. mountPath: {{ $envAll.Values.conf.paths.policy }}
  203. subPath: policy.json
  204. readOnly: true
  205. - name: configmap-bin
  206. mountPath: /tmp/webhook_start.sh
  207. subPath: webhook_start.sh
  208. readOnly: true
  209. {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
  210. volumes:
  211. {{- if hasKey .Values.certificates "keystone" }}
  212. {{ tuple "keystone" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }}
  213. {{- end }}
  214. {{ include "local.attach_all_bundles" $envAll | indent 8 }}
  215. - name: etc-apiserver
  216. emptyDir: {}
  217. - name: etc-apiserver-pki
  218. emptyDir: {}
  219. - name: etc-webhook
  220. emptyDir: {}
  221. - name: etc-webhook-pki
  222. emptyDir: {}
  223. - name: configmap-etc
  224. configMap:
  225. name: {{ .Release.Name }}-etc
  226. defaultMode: 0444
  227. - name: configmap-bin
  228. configMap:
  229. name: {{ .Release.Name }}-bin
  230. defaultMode: 0555
  231. - name: tls-apiserver-webhook-public-server
  232. secret:
  233. defaultMode: 292
  234. secretName: {{ .Values.secrets.tls.webhook_apiserver.api.public }}
  235. {{- end }}