630e504e3e
gcr.io/google_containers/ no longer contains some of the image versions we require, use the new location. Change-Id: I8f9a976a35ca632d785dd4d05f2a55713bde8c3e
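# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

---
# Default values for the apiserver-webhook chart: a kube-apiserver fronted
# by a Keystone authentication/authorization webhook. Everything marked
# "placeholder" or "password" below is expected to be overridden from
# site/environment values before deployment.
release_group: null
release_uuid: null

images:
  tags:
    # Hyperkube images stopped being published after the 1.18 line and
    # k8s.gcr.io is a legacy registry name; treat this as a pin that must be
    # revisited on the next Kubernetes upgrade.
    apiserver: k8s.gcr.io/hyperkube-amd64:v1.18.6
    # NOTE(review): ":latest" is a mutable tag on the component that decides
    # who may call the API server. Pin a release tag (or a digest) so that an
    # upstream push cannot silently change the authenticator, and so that
    # pull_policy IfNotPresent does not leave nodes on divergent builds.
    kubernetes_keystone_webhook: docker.io/k8scloudprovider/k8s-keystone-auth:latest
    scripted_test: docker.io/openstackhelm/heat:newton
    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
    image_repo_sync: docker.io/docker:17.07.0
    ks_user: docker.io/openstackhelm/heat:ocata
  pull_policy: IfNotPresent
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

labels:
  kubernetes_apiserver:
    node_selector_key: apiserver-webhook
    node_selector_value: enabled
  job:
    node_selector_key: apiserver-webhook
    node_selector_value: enabled

# Leading elements of the kube-apiserver command line; the per-file
# command_options under conf.apiserver are appended to this.
command_prefix:
  - kube-apiserver
  # NOTE(review): --admission-control has been deprecated in favor of
  # --enable-admission-plugins since v1.10; confirm it is still honoured
  # before bumping images.tags.apiserver. PersistentVolumeLabel is itself
  # deprecated. NodeRestriction is absent from this list — add it if kubelets
  # reach this API server with node credentials.
  - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds

apiserver_webhook:
  logging:
    # Which messages to log.
    # Valid values include any number from 0 to 9.
    # Default 5 (trace level verbosity).
    # NOTE(review): trace-level output may include request details such as
    # user names and token metadata; lower this in production.
    log_level: 5

service:
  name: clcp-ucp-apiserver-webhook

network:
  pod_cidr: '10.97.0.0/16'
  service_cidr: '10.96.0.0/16'
  api:
    ingress:
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
        nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
        # Plain-HTTP clients are redirected and the hop from the ingress to
        # the API server is TLS ("secure-backends"/"backend-protocol").
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        nginx.ingress.kubernetes.io/secure-backends: "true"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # NOTE(review): nesting of this key was reconstructed from a
    # whitespace-mangled copy — confirm against the chart templates.
    name: webhook_apiserver

#
# Insert TLS certificates, keys and CAs
# here. Server is for server-terminated TLS (basic)
# and client is for mTLS. Each group of certificates
# will generate two secrets <groupname>-client and <groupname>-server
# built to the kubernetes.io/tls secret type with keys 'tls.crt', 'tls.key'
# and 'ca.crt'
#
# Every "placeholder" below must be overridden; the chart renders whatever
# is here into Secrets, so a forgotten placeholder surfaces only at runtime.
certificates:
  apiserver_webhook_pod:
    server:
      cert: placeholder
      key: placeholder
      ca: placeholder
  keystone_webhook:
    server:
      cert: placeholder
      key: placeholder
      ca: placeholder
  kubelet:
    client:
      cert: placeholder
      key: placeholder
    server:
      ca: placeholder
  etcd:
    client:
      cert: placeholder
      key: placeholder
    server:
      ca: placeholder

secrets:
  service_account:
    # Public half of the service-account signing key; the API server uses it
    # to verify (not mint) service-account tokens, see conf.paths.sapubkey.
    public_key: placeholder
  identity:
    admin: apiserver-webhook-keystone-creds-admin
    webhook: apiserver-webhook-keystone-creds-webhook
  tls:
    webhook_apiserver:
      api:
        public: apiserver-webhook-public
        # NOTE(review): nesting of "server" was reconstructed from a
        # whitespace-mangled copy — confirm against the chart templates.
        server:
          cert: placeholder
          key: placeholder
          ca: placeholder

# typically overridden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
  cluster_domain_suffix: cluster.local
  webhook_apiserver:
    name: webhook_apiserver
    hosts:
      default: apiserver-webhook
      internal: apiserver-webhook-int
    port:
      api:
        default: 6443
        public: 443
      webhook:
        podport: 8443
    path:
      default: /
      webhook: /webhook
    scheme:
      default: https
      public: https
    host_fqdn_override:
      default: null
      # NOTE: this chart supports TLS for fqdn over-ridden public
      # endpoints using the following format:
      # public:
      #   host: null
      #   tls:
      #     crt: null
      #     key: null
  identity:
    name: keystone
    namespace: null
    auth:
      # Credentials used by the ks_user job to create the webhook user.
      # "password" is a placeholder that must be overridden; never ship it.
      admin:
        region_name: RegionOne
        username: admin
        password: password
        project_name: admin
        user_domain_name: default
        project_domain_name: default
      # Service user the webhook itself authenticates to Keystone with.
      webhook:
        region_name: RegionOne
        username: webhook
        password: password
        project_name: service
        user_domain_name: default
        project_domain_name: default
        # NOTE(review): granting the Keystone "admin" role to this service
        # user also makes it match the first rule in conf.policy (all verbs on
        # all resources in all namespaces). Prefer a dedicated, narrower role
        # if the webhook only needs to validate tokens.
        role: admin
    hosts:
      default: keystone
      internal: keystone-api
    host_fqdn_override:
      default: null
    path:
      default: /v3
    scheme:
      # NOTE(review): plain HTTP to Keystone means every token the webhook
      # validates crosses the network unencrypted. Override to https
      # wherever Keystone is not on a trusted, encrypted path.
      default: http
    port:
      api:
        default: 80
        internal: 5000
  etcd:
    name: etcd
    namespace: kube-system
    hosts:
      default: kubernetes-etcd
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: https
    port:
      client:
        default: 2379

# Empty ingress/egress rules select all traffic: this is an allow-all policy
# as written, and manifests.network_policy is false, so it is not rendered
# by default. Tighten both before relying on it as a boundary.
network_policy:
  kubernetes-keystone-webhook:
    ingress:
      - {}
    egress:
      - {}

pod:
  mandatory_access_control:
    type: apparmor
    apiserver-webhook:
      apiserver: runtime/default
      webhook: runtime/default
  security_context:
    apiserver_webhook:
      pod:
        # "nobody"; both containers below also drop privilege escalation and
        # run on a read-only root filesystem.
        runAsUser: 65534
      container:
        apiserver:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        webhook:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
  # The two "mounts" maps of the original were duplicate keys under "pod"
  # (YAML parsers silently keep only the last one); they are merged here so
  # every entry is retained.
  mounts:
    kubernetes_apiserver:
      init_container: null
      kubernetes_apiserver: null
    kubernetes_keystone_webhook_api:
      init_container: null
      kubernetes_keystone_webhook_api: null
    kubernetes_keystone_webhook_tests:
      init_container: null
      kubernetes_keystone_webhook_tests: null
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
  replicas:
    apiserver: 1
    api: 1
  probes:
    readinessProbe:
      initialDelaySeconds: 5
      periodSeconds: 10
    livenessProbe:
      failureThreshold: 3
      initialDelaySeconds: 15
      periodSeconds: 20
  env:
    apiserver:
      # Disables Go's HTTP/2 server and client in kube-apiserver; the reason
      # is not recorded here — presumably compatibility with the ingress or
      # webhook path. TODO confirm before removing.
      GODEBUG: http2server=0,http2client=0
  lifecycle:
    upgrades:
      # NOTE(review): no daemonset is listed under "manifests" for this
      # chart; these upgrade settings look inherited from the apiserver chart
      # and may be unused — verify against the templates.
      daemonsets:
        pod_replacement_strategy: RollingUpdate
        kubernetes_apiserver:
          enabled: false
          min_ready_seconds: 0
          max_unavailable: 1
    termination_grace_period:
      kubernetes_apiserver:
        timeout: 3600
  resources:
    enabled: false
    # NOTE(review): "anchor_pod" has no corresponding manifest in this
    # chart; likely a leftover from the apiserver chart — confirm.
    anchor_pod:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    kubernetes_apiserver:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    api:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "256Mi"
        cpu: "200m"
    jobs:
      tests:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "256Mi"
          cpu: "200m"

conf:
  paths:
    base: '/etc/webhook_apiserver/'
    pki: '/etc/webhook_apiserver/pki'
    conf: '/etc/webhook_apiserver/webhook.kubeconfig'
    policy: '/etc/webhook_apiserver/conf/policy.json'
    sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
    encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'
  # Every key below 'apiserver' yields a dynamic configuration file
  # and can mutate the apiserver command-line args.
  # The files are available under /dynamic in conf.paths.base
  apiserver:
    # CA and allowed client names for the front-proxy / aggregation layer.
    agg_api_ca:
      file: agg-api-ca.pem
      command_options:
        - '--requestheader-client-ca-file=/etc/webhook_apiserver/dynamic/agg-api-ca.pem'
        - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
        - '--requestheader-group-headers=X-Remote-Group'
        - '--requestheader-username-headers=X-Remote-User'
        # The embedded double quotes of the original ("aggregator") are part
        # of the YAML string and reach kube-apiserver verbatim when the args
        # are passed as an exec array, so the allowed CN would never match a
        # certificate whose CN is aggregator. Plain value is correct whether
        # or not a shell is involved.
        - '--requestheader-allowed-names=aggregator'
      content: |
        -----SOME CA-----
    apiserver_proxy_cert:
      file: 'apiserver-proxy-cert.pem'
      command_options:
        - '--proxy-client-cert-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-cert.pem'
      content: |
        ------SOME CERT-----
    # Private key material; override from a secret store, never commit.
    apiserver_proxy_key:
      file: 'apiserver-proxy-key.pem'
      command_options:
        - '--proxy-client-key-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-key.pem'
      content: |
        -----SOME KEY-----
    encryption_provider:
      file: 'encryption_provider.yaml'
      command_options:
        - '--encryption-provider-config=/etc/webhook_apiserver/dynamic/encryption_provider.yaml'
      # Skeleton only: no "resources" list, so nothing is configured for
      # encryption at rest. Override with a resources/providers list (e.g.
      # secrets with aescbc/kms) to actually encrypt etcd contents.
      content:
        kind: EncryptionConfiguration
        apiVersion: apiserver.config.k8s.io/v1
  # Authorization policy consumed by k8s-keystone-auth (conf.paths.policy).
  # Rules are evaluated against the Keystone role/project of the caller.
  policy:
    # Keystone role "admin" => every verb on every resource, cluster-wide.
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "*"
        version: "*"
      match:
        - type: role
          values:
            - admin
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "kube-system"
        version: "*"
      match:
        - type: role
          values:
            - kube-system-admin
    - resource:
        verbs:
          - get
          - list
          - watch
        resources:
          - "*"
        namespace: "kube-system"
        version: "*"
      match:
        - type: role
          values:
            - kube-system-viewer
    # Project-scoped: members of these Keystone projects get full access to
    # the "ucp" namespace regardless of role.
    - resource:
        verbs:
          - "*"
        resources:
          - "*"
        namespace: "ucp"
        version: "*"
      match:
        - type: project
          values:
            - ucp-admin
            - airship-admin

dependencies:
  static:
    ks_user:
      services:
        - service: identity
          endpoint: internal
    api:
      jobs:
        - webhook-apiserver-ks-user
      services:
        - service: identity
          endpoint: internal

manifests:
  configmap_bin: true
  configmap_certs: true
  configmap_etc: true
  configmap_dynamic_config: true
  job_ks_user: true
  deployment: true
  ingress_api: true
  pod_test: false
  secret_keystone: true
  secret_tls: true
  service: true
  network_policy: false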