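---
# Armada chart document for the Kubernetes API server. Cluster-specific
# values (chart source, image tags, addresses, certificates, encryption
# policy) are filled in through the substitutions below rather than stored
# in this cleartext document.
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: kubernetes-apiserver
  layeringDefinition:
    abstract: false
    layer: global
  storagePolicy: cleartext
  substitutions:
    # Chart source
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.kubernetes.apiserver
      dest:
        path: .source

    # Images
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.apiserver
      dest:
        path: .values.images.tags

    # Kube-Apiserver Log Level
    - src:
        schema: nc/CorridorConfig/v1
        name: corridor-config
        path: .kubernetes_components.apiserver_log_level
      dest:
        path: .values.apiserver.logging.log_level

    # IP addresses
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.api_service_ip
      dest:
        path: .values.network.kubernetes_service_ip
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.pod_cidr
      dest:
        path: .values.network.pod_cidr
    # Pattern substitution into the SERVICE_CIDR placeholder of
    # .values.apiserver.arguments[1] (--service-cluster-ip-range).
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.service_cidr
      dest:
        path: .values.apiserver.arguments[1]
        pattern: SERVICE_CIDR

    # Kubernetes Port Range
    # Pattern substitution into the SERVICE_NODE_PORT_RANGE placeholder of
    # .values.apiserver.arguments[2] (--service-node-port-range).
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.service_node_port_range
      dest:
        path: .values.apiserver.arguments[2]
        pattern: SERVICE_NODE_PORT_RANGE

    # CA
    - src:
        schema: deckhand/CertificateAuthority/v1
        name: kubernetes
        path: .
      dest:
        path: .values.secrets.tls.ca

    # Certificates
    # Serving cert/key for the apiserver, then the client cert/key it presents
    # to etcd, then the service-account token verification key.
    - src:
        schema: deckhand/Certificate/v1
        name: apiserver
        path: .
      dest:
        path: .values.secrets.tls.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: apiserver
        path: .
      dest:
        path: .values.secrets.tls.key
    - src:
        schema: deckhand/CertificateAuthority/v1
        name: kubernetes-etcd
        path: .
      dest:
        path: .values.secrets.etcd.tls.ca
    - src:
        schema: deckhand/Certificate/v1
        name: apiserver-etcd
        path: .
      dest:
        path: .values.secrets.etcd.tls.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: apiserver-etcd
        path: .
      dest:
        path: .values.secrets.etcd.tls.key
    - src:
        schema: deckhand/PublicKey/v1
        name: service-account
        path: .
      dest:
        path: .values.secrets.service_account.public_key

    # Encryption policy
    # Supplies the `resources` list of the EncryptionConfiguration rendered
    # under .values.conf.encryption_provider.content.
    - src:
        schema: promenade/EncryptionPolicy/v1
        name: encryption-policy
        path: .etcd
      dest:
        path: .values.conf.encryption_provider.content.resources

    # Aggregation API config
    # CA and front-proxy client cert/key consumed by the --requestheader-* and
    # --proxy-client-* options under .values.conf below.
    - src:
        schema: deckhand/CertificateAuthority/v1
        name: kubernetes-agg-api
        path: .
      dest:
        path: .values.conf.agg_api_ca.content
    - src:
        schema: deckhand/Certificate/v1
        name: apiserver-proxy
        path: .
      dest:
        path: .values.conf.apiserver_proxy_cert.content
    - src:
        schema: deckhand/CertificateKey/v1
        name: apiserver-proxy
        path: .
      dest:
        path: .values.conf.apiserver_proxy_key.content
data:
  chart_name: apiserver
  release: kubernetes-apiserver
  namespace: kube-system
  protected:
    continue_processing: false
  wait:
    timeout: 900
    # Don't want to wait on the keyrotation job during bootstrap
    resources:
      # Wait on the anchor daemonset rolling update in order to
      # allow time for the static pods to start updating, which should then be
      # handled by the below pod wait.
      # If the apiserver static pods are being updated, this should quarantine
      # down time to only affect the armada wait logic, and not any
      # tiller-apiserver interaction, which can cause releases to be marked
      # FAILED, which prevents deployment progress if it affects protected
      # charts.
      - type: daemonset
      - type: pod
        labels:
          release_group: clcp-kubernetes-apiserver
    native:
      enabled: false
  upgrade:
    no_hooks: false
    pre:
      delete:
        - type: job
          labels:
            release_group: clcp-kubernetes-apiserver
  values:
    pod:
      lifecycle:
        upgrades:
          daemonsets:
            pod_replacement_strategy: RollingUpdate
            kubernetes-apiserver-anchor:
              enabled: true
              min_ready_seconds: 0
              max_unavailable: 50%
    apiserver:
      etcd:
        # Local etcd endpoint; the port comes from the site's etcd layout —
        # verify against the etcd chart before changing.
        endpoints: https://127.0.0.1:2378
      tls:
        # NOTE(review): besides the ECDHE/GCM suites this list also accepts
        # TLS_RSA_* (no forward secrecy) and CBC-SHA suites. Kept unchanged for
        # client compatibility — confirm which clients still need them before
        # trimming the list.
        tls-cipher-suites: 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA'
        # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
        # Possible values: VersionTLS10, VersionTLS11, VersionTLS12
        tls-min-version: 'VersionTLS12'
      # Index positions matter: arguments[1] and arguments[2] are targets of the
      # SERVICE_CIDR / SERVICE_NODE_PORT_RANGE pattern substitutions above.
      arguments:
        # Node,RBAC authorizers; NodeRestriction is enabled in the acconfig
        # admission plugin list below.
        - --authorization-mode=Node,RBAC
        - --service-cluster-ip-range=SERVICE_CIDR
        - --service-node-port-range=SERVICE_NODE_PORT_RANGE
        # Feature gates are version-specific — verify against the deployed
        # Kubernetes version before upgrading.
        - --feature-gates=PodShareProcessNamespace=true,TaintBasedEvictions=false
    conf:
      # Each entry renders `file` into /etc/kubernetes/apiserver/ and appends
      # its `command_options` to the apiserver command line.
      encryption_provider:
        file: encryption_provider.yaml
        command_options:
          - '--encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
        content:
          kind: EncryptionConfiguration
          apiVersion: apiserver.config.k8s.io/v1
          # `resources` is filled by the encryption-policy substitution.
      eventconfig:
        file: eventconfig.yaml
        content:
          kind: Configuration
          apiVersion: eventratelimit.admission.k8s.io/v1alpha1
          limits:
            - type: Server
              qps: 100
              burst: 1000
      acconfig:
        file: acconfig.yaml
        command_options:
          - '--enable-admission-plugins=PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit'
          - '--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml'
        content:
          kind: AdmissionConfiguration
          apiVersion: apiserver.k8s.io/v1alpha1
          plugins:
            - name: EventRateLimit
              path: eventconfig.yaml
      # Aggregation layer: `content` for the three entries below is null here
      # and populated by the Aggregation API config substitutions.
      agg_api_ca:
        file: agg-api-ca.pem
        command_options:
          - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem'
          - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
          - '--requestheader-group-headers=X-Remote-Group'
          - '--requestheader-username-headers=X-Remote-User'
          - '--requestheader-allowed-names=aggregator'
        content: null
      apiserver_proxy_cert:
        file: apiserver-proxy-cert.pem
        command_options:
          - '--proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem'
        content: null
      apiserver_proxy_key:
        file: apiserver-proxy-key.pem
        command_options:
          - '--proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem'
        content: null
  dependencies:
    - apiserver-htk
...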
---
## Helm toolkit
# Library chart listed under `dependencies` by kubernetes-apiserver; it has no
# values of its own and nothing to wait on beyond the release timeout.
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: apiserver-htk
  layeringDefinition:
    abstract: false
    layer: global
  storagePolicy: cleartext
  substitutions:
    # Chart source
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.kubernetes.apiserver-htk
      dest:
        path: .source
data:
  chart_name: apiserver-htk
  release: apiserver-htk
  namespace: apiserver-htk
  timeout: 600
  wait:
    timeout: 600
  upgrade:
    no_hooks: true
  # Explicit empty collections: a bare `values:` would parse as null.
  values: {}
  dependencies: []
...