--- schema: armada/Chart/v1 metadata: schema: metadata/Document/v1 name: kubernetes-apiserver labels: name: kubernetes-apiserver-global layeringDefinition: abstract: false layer: global storagePolicy: cleartext substitutions: # Chart source - src: schema: pegleg/SoftwareVersions/v1 name: software-versions path: .charts.kubernetes.apiserver dest: path: .source # Images - src: schema: pegleg/SoftwareVersions/v1 name: software-versions path: .images.kubernetes.apiserver dest: path: .values.images.tags # IP addresses - src: schema: pegleg/CommonAddresses/v1 name: common-addresses path: .kubernetes.api_service_ip dest: path: .values.network.kubernetes_service_ip - src: schema: pegleg/CommonAddresses/v1 name: common-addresses path: .kubernetes.pod_cidr dest: path: .values.network.pod_cidr - src: schema: pegleg/CommonAddresses/v1 name: common-addresses path: .kubernetes.service_cidr dest: path: .values.apiserver.arguments[1] pattern: SERVICE_CIDR # Kubernetes Port Range - src: schema: pegleg/CommonAddresses/v1 name: common-addresses path: .kubernetes.service_node_port_range dest: path: .values.apiserver.arguments[2] pattern: SERVICE_NODE_PORT_RANGE # CA - src: schema: deckhand/CertificateAuthority/v1 name: kubernetes path: . dest: path: .values.secrets.tls.ca # Certificates - src: schema: deckhand/Certificate/v1 name: apiserver path: . dest: path: .values.secrets.tls.cert - src: schema: deckhand/CertificateKey/v1 name: apiserver path: . dest: path: .values.secrets.tls.key - src: schema: deckhand/CertificateAuthority/v1 name: kubernetes-etcd path: . dest: path: .values.secrets.etcd.tls.ca - src: schema: deckhand/Certificate/v1 name: apiserver-etcd path: . dest: path: .values.secrets.etcd.tls.cert - src: schema: deckhand/CertificateKey/v1 name: apiserver-etcd path: . dest: path: .values.secrets.etcd.tls.key - src: schema: deckhand/PublicKey/v1 name: service-account path: . dest: path: .values.secrets.service_account.public_key # Encryption policy - src: schema: promenade/EncryptionPolicy/v1 name: encryption-policy path: .etcd dest: path: .values.conf.encryption_provider.content.resources data: chart_name: apiserver release: kubernetes-apiserver namespace: kube-system protected: continue_processing: true wait: timeout: 600 labels: release_group: airship-kubernetes-apiserver upgrade: no_hooks: false pre: delete: - type: job labels: release_group: airship-kubernetes-apiserver values: apiserver: etcd: endpoints: https://127.0.0.1:2378 tls: tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ # Possible values: VersionTLS10, VersionTLS11, VersionTLS12 tls-min-version: 'VersionTLS12' arguments: - --authorization-mode=Node,RBAC - --service-cluster-ip-range=SERVICE_CIDR - --service-node-port-range=SERVICE_NODE_PORT_RANGE - --endpoint-reconciler-type=lease - --feature-gates=PodShareProcessNamespace=true - --v=3 conf: encryption_provider: file: encryption_provider.yaml command_options: - '--encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml' content: kind: EncryptionConfiguration apiVersion: apiserver.config.k8s.io/v1 eventconfig: file: eventconfig.yaml content: kind: Configuration apiVersion: eventratelimit.admission.k8s.io/v1alpha1 limits: - type: Server qps: 100 burst: 1000 acconfig: file: acconfig.yaml command_options: - '--enable-admission-plugins=PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit' - '--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml' content: kind: AdmissionConfiguration apiVersion: apiserver.k8s.io/v1alpha1 plugins: - name: EventRateLimit path: eventconfig.yaml dependencies: - kubernetes-apiserver-htk --- schema: armada/Chart/v1 metadata: schema: metadata/Document/v1 name: kubernetes-apiserver-htk layeringDefinition: abstract: false layer: global storagePolicy: cleartext substitutions: - src: schema: pegleg/SoftwareVersions/v1 name: software-versions path: .charts.kubernetes.apiserver-htk dest: path: .source data: chart_name: kubernetes-apiserver-htk release: kubernetes-apiserver-htk namespace: kubernetes-apiserver-htk values: {} dependencies: [] ...