promenade/charts/apiserver-webhook/values.yaml

330 lines
7.7 KiB
YAML

# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
release_group: null
images:
tags:
apiserver: gcr.io/google_containers/hyperkube-amd64:v1.11.6
kubernetes_keystone_webhook: docker.io/k8scloudprovider/k8s-keystone-auth:latest
scripted_test: docker.io/openstackhelm/heat:newton
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
image_repo_sync: docker.io/docker:17.07.0
ks_user: docker.io/openstackhelm/heat:ocata
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
kubernetes_apiserver:
node_selector_key: apiserver-webhook
node_selector_value: enabled
job:
node_selector_key: apiserver-webhook
node_selector_value: enabled
command_prefix:
- /apiserver
- --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
- --v=5
network:
pod_cidr: '10.97.0.0/16'
service_cidr: '10.96.0.0/16'
api:
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/secure-backends: "true"
name: webhook_apiserver
#
# Insert TLS certificates, keys and CAs
# here. Server is for server-terminated TLS (basic)
# and client is for mTLS. Each group of certificates
# will generate two secrets <groupname>-client and <groupname>-server
# built to the kubernetes.io/tls secret type with keys 'tls.crt', 'tls.key'
# and 'ca.crt'
#
certificates:
apiserver_webhook_pod:
server:
cert: placeholder
key: placeholder
ca: placeholder
keystone_webhook:
server:
cert: placeholder
key: placeholder
ca: placeholder
kubelet:
client:
cert: placeholder
key: placeholder
server:
ca: placeholder
etcd:
client:
cert: placeholder
key: placeholder
server:
ca: placeholder
secrets:
service_account:
public_key: placeholder
identity:
admin: apiserver-webhook-keystone-creds-admin
webhook: apiserver-webhook-keystone-creds-webhook
tls:
webhook_apiserver:
api:
public: apiserver-webhook-public
server:
cert: placeholder
key: placeholder
ca: placeholder
# typically overriden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
webhook_apiserver:
name: webhook_apiserver
hosts:
default: apiserver-webhook
internal: apiserver-webhook-int
port:
api:
default: 6443
public: 443
webhook:
podport: 8443
path:
default: /
webhook: /webhook
scheme:
default: https
public: https
host_fqdn_override:
default: null
# NOTE: this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
identity:
name: keystone
namespace: null
auth:
admin:
region_name: RegionOne
username: admin
password: password
project_name: admin
user_domain_name: default
project_domain_name: default
webhook:
region_name: RegionOne
username: webhook
password: password
project_name: service
user_domain_name: default
project_domain_name: default
role: admin
hosts:
default: keystone
internal: keystone-api
host_fqdn_override:
default: null
path:
default: /v3
scheme:
default: http
port:
api:
default: 80
internal: 5000
etcd:
name: etcd
namespace: kube-system
hosts:
default: kubernetes-etcd
host_fqdn_override:
default: null
path:
default: null
scheme:
default: https
port:
client:
default: 2379
pod:
mounts:
kubernetes_apiserver:
init_container: null
kubernetes_apiserver:
replicas:
apiserver: 1
api: 1
probes:
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 15
periodSeconds: 20
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
kubernetes_apiserver:
enabled: false
min_ready_seconds: 0
max_unavailable: 1
termination_grace_period:
kubernetes_apiserver:
timeout: 3600
resources:
enabled: false
anchor_pod:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
kubernetes_apiserver:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
api:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "200m"
jobs:
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "200m"
mounts:
kubernetes_keystone_webhook_api:
init_container: null
kubernetes_keystone_webhook_api: null
kubernetes_keystone_webhook_tests:
init_container: null
kubernetes_keystone_webhook_tests: null
conf:
paths:
base: '/etc/webhook_apiserver/'
pki: '/etc/webhook_apiserver/pki'
conf: '/etc/webhook_apiserver/webhook.kubeconfig'
policy: '/etc/webhook_apiserver/conf/policy.json'
sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
policy:
- resource:
verbs:
- "*"
resources:
- "*"
namespace: "*"
version: "*"
match:
- type: role
values:
- admin
- resource:
verbs:
- "*"
resources:
- "*"
namespace: "kube-system"
version: "*"
match:
- type: role
values:
- kube-system-admin
- resource:
verbs:
- get
- list
- watch
resources:
- "*"
namespace: "kube-system"
version: "*"
match:
- type: role
values:
- kube-system-viewer
- resource:
verbs:
- "*"
resources:
- "*"
namespace: "ucp"
version: "*"
match:
- type: project
values:
- ucp-admin
- airship-admin
dependencies:
static:
ks_user:
services:
- service: identity
endpoint: internal
api:
jobs:
- webhook-apiserver-ks-user
services:
- service: identity
endpoint: internal
manifests:
configmap_bin: true
configmap_certs: true
configmap_etc: true
job_ks_user: true
deployment: true
ingress_api: true
pod_test: false
secret_keystone: true
secret_tls: true
service: true