promenade/charts/apiserver-webhook/values.yaml

438 lines
11 KiB
YAML

# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
release_group: null
release_uuid: null
images:
tags:
apiserver: k8s.gcr.io/kube-apiserver-amd64:v1.20.5
kubernetes_keystone_webhook: docker.io/k8scloudprovider/k8s-keystone-auth:latest
scripted_test: docker.io/openstackhelm/heat:newton
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
ks_user: docker.io/openstackhelm/heat:ocata
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
kubernetes_apiserver:
node_selector_key: apiserver-webhook
node_selector_value: enabled
job:
node_selector_key: apiserver-webhook
node_selector_value: enabled
command_prefix:
- kube-apiserver
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
apiserver_webhook:
logging:
# Which messages to log.
# Valid values include any number from 0 to 9.
# Default 5(Trace level verbosity).
log_level: 5
service:
name: clcp-ucp-apiserver-webhook
network:
pod_cidr: '10.97.0.0/16'
service_cidr: '10.96.0.0/16'
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
name: webhook_apiserver
#
# Insert TLS certificates, keys and CAs
# here. Server is for server-terminated TLS (basic)
# and client is for mTLS. Each group of certificates
# will generate two secrets <groupname>-client and <groupname>-server
# built to the kubernetes.io/tls secret type with keys 'tls.crt', 'tls.key'
# and 'ca.crt'
#
certificates:
apiserver_webhook_pod:
server:
cert: placeholder
key: placeholder
ca: placeholder
keystone_webhook:
server:
cert: placeholder
key: placeholder
ca: placeholder
kubelet:
client:
cert: placeholder
key: placeholder
server:
ca: placeholder
etcd:
client:
cert: placeholder
key: placeholder
server:
ca: placeholder
secrets:
service_account:
public_key: placeholder
private_key: placeholder
identity:
admin: apiserver-webhook-keystone-creds-admin
webhook: apiserver-webhook-keystone-creds-webhook
tls:
webhook_apiserver:
api:
public: apiserver-webhook-public
server:
cert: placeholder
key: placeholder
ca: placeholder
# typically overriden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
webhook_apiserver:
name: webhook_apiserver
hosts:
default: apiserver-webhook
internal: apiserver-webhook-int
port:
api:
default: 6443
public: 443
webhook:
podport: 8443
path:
default: /
webhook: /webhook
scheme:
default: https
public: https
host_fqdn_override:
default: null
# NOTE: this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
identity:
name: keystone
namespace: null
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
webhook:
region_name: RegionOne
username: webhook
password: password
project_name: service
user_domain_name: default
project_domain_name: default
role: admin
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
internal: 5000
etcd:
name: etcd
namespace: kube-system
hosts:
default: kubernetes-etcd
host_fqdn_override:
default: null
path:
default: null
scheme:
default: https
port:
client:
default: 2379
network_policy:
kubernetes-keystone-webhook:
ingress:
- {}
egress:
- {}
pod:
mandatory_access_control:
type: apparmor
apiserver-webhook:
apiserver: runtime/default
webhook: runtime/default
security_context:
apiserver_webhook:
pod:
runAsUser: 65534
container:
apiserver:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
# explicitly setting the runAsUser may be required to write audit logs to the host
# runAsUser: 0
webhook:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
mounts:
apiserver_webhook:
apiserver:
# Example mounts for audit logging, refer to .conf.apiserver.auditpolicy below.
# volumeMounts:
# - name: audit-logs
# mountPath: /var/log/audit
# mountPropagation: HostToContainer
# readOnly: false
# volumes:
# - name: audit-logs
# hostPath:
# path: /var/log/audit
# type: DirectoryOrCreate
webhook: null
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
replicas:
apiserver: 1
api: 1
probes:
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 15
periodSeconds: 20
env:
apiserver:
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
kubernetes_apiserver:
enabled: false
min_ready_seconds: 0
max_unavailable: 1
termination_grace_period:
kubernetes_apiserver:
timeout: 3600
resources:
enabled: false
anchor_pod:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
kubernetes_apiserver:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "200m"
jobs:
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "200m"
conf:
paths:
base: '/etc/webhook_apiserver/'
pki: '/etc/webhook_apiserver/pki'
conf: '/etc/webhook_apiserver/webhook.kubeconfig'
policy: '/etc/webhook_apiserver/conf/policy.json'
sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
saprivkey: '/etc/webhook_apiserver/pki/service-accounts.key'
encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'
# Every key below 'apiserver' yields a dynamic configuration file
# and can mutate the apiserver command-line args.
# The files are available under /dynamic in conf.paths.base
apiserver:
agg_api_ca:
file: agg-api-ca.pem
command_options:
- '--requestheader-client-ca-file=/etc/webhook_apiserver/dynamic/agg-api-ca.pem'
- '--requestheader-extra-headers-prefix=X-Remote-Extra-'
- '--requestheader-group-headers=X-Remote-Group'
- '--requestheader-username-headers=X-Remote-User'
- '--requestheader-allowed-names="aggregator"'
content: |
-----SOME CA-----
apiserver_proxy_cert:
file: 'apiserver-proxy-cert.pem'
command_options:
- '--proxy-client-cert-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-cert.pem'
content: |
------SOME CERT-----
apiserver_proxy_key:
file: 'apiserver-proxy-key.pem'
command_options:
- '--proxy-client-key-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-key.pem'
content: |
-----SOME KEY-----
encryption_provider:
file: 'encryption_provider.yaml'
command_options:
- '--encryption-provider-config=/etc/webhook_apiserver/dynamic/encryption_provider.yaml'
content:
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
# Uncomment any of the below to enable enhanced Audit Logging command line options.
# Note: To use the Log backend, ensure that the hostPath of the log file is mounted,
# and that the runAsUser for the apiserver container can write to it.
# (Refer to .pod.mounts.apiserver.apiserver)
#
# auditpolicy:
# file: audit_policy.yaml
# command_options:
# - '--audit-policy-file=/etc/kubernetes/apiserver/audit_policy.yaml'
# - '--audit-log-maxsize=10'
# - '--audit-log-maxbackup=3'
# - '--audit-log-path=/var/log/audit/webhook-audit.log'
# content:
# kind: Policy
# apiVersion: apiserver.k8s.io/v1
# rules:
# - level: Metadata
#
service_account_issuer:
command_options:
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
policy:
- resource:
verbs:
- "*"
resources:
- "*"
namespace: "*"
version: "*"
match:
- type: role
values:
- admin
- resource:
verbs:
- "*"
resources:
- "*"
namespace: "kube-system"
version: "*"
match:
- type: role
values:
- kube-system-admin
- resource:
verbs:
- get
- list
- watch
resources:
- "*"
namespace: "kube-system"
version: "*"
match:
- type: role
values:
- kube-system-viewer
- resource:
verbs:
- "*"
resources:
- "*"
namespace: "ucp"
version: "*"
match:
- type: project
values:
- ucp-admin
- airship-admin
dependencies:
static:
ks_user:
services:
- service: identity
endpoint: internal
api:
jobs:
- webhook-apiserver-ks-user
services:
- service: identity
endpoint: internal
manifests:
configmap_bin: true
configmap_certs: true
configmap_etc: true
configmap_dynamic_config: true
job_ks_user: true
deployment: true
ingress_api: true
pod_test: false
secret_keystone: true
secret_tls: true
secret_keys: true
service: true
network_policy: false