---
# Armada chart document for the Kubernetes API server (global layer).
# Most runtime values are not literal here: Deckhand fills them in at render
# time via the `substitutions` list below (chart source, image tags, cluster
# addresses, TLS material and the etcd encryption policy).
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: kubernetes-apiserver
  labels:
    name: kubernetes-apiserver-global
  layeringDefinition:
    abstract: false
    layer: global
  # NOTE(review): this document is stored cleartext while the substitutions
  # below pull TLS private keys (deckhand/CertificateKey/v1) into
  # .values.secrets.tls.key and .values.secrets.etcd.tls.key — confirm the
  # rendered document is not persisted in cleartext by the site pipeline.
  storagePolicy: cleartext
  substitutions:
    # Chart source
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.kubernetes.apiserver
      dest:
        path: .source

    # Images
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .images.kubernetes.apiserver
      dest:
        path: .values.images.tags

    # IP addresses
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.api_service_ip
      dest:
        path: .values.network.kubernetes_service_ip
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.pod_cidr
      dest:
        path: .values.network.pod_cidr
    # The two substitutions below address .values.apiserver.arguments by
    # list index ([1] and [2]) and replace a placeholder token in that entry;
    # inserting or reordering entries in `arguments` will silently move the
    # replacement onto the wrong flag.
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.service_cidr
      dest:
        path: .values.apiserver.arguments[1]
        pattern: SERVICE_CIDR

    # Kubernetes Port Range
    - src:
        schema: pegleg/CommonAddresses/v1
        name: common-addresses
        path: .kubernetes.service_node_port_range
      dest:
        path: .values.apiserver.arguments[2]
        pattern: SERVICE_NODE_PORT_RANGE

    # CA
    - src:
        schema: deckhand/CertificateAuthority/v1
        name: kubernetes
        path: .
      dest:
        path: .values.secrets.tls.ca

    # Certificates
    # Whole-document substitutions (path: .) — the full certificate / key
    # document body lands under .values.secrets.*.
    - src:
        schema: deckhand/Certificate/v1
        name: apiserver
        path: .
      dest:
        path: .values.secrets.tls.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: apiserver
        path: .
      dest:
        path: .values.secrets.tls.key
    - src:
        schema: deckhand/CertificateAuthority/v1
        name: kubernetes-etcd
        path: .
      dest:
        path: .values.secrets.etcd.tls.ca
    - src:
        schema: deckhand/Certificate/v1
        name: apiserver-etcd
        path: .
      dest:
        path: .values.secrets.etcd.tls.cert
    - src:
        schema: deckhand/CertificateKey/v1
        name: apiserver-etcd
        path: .
      dest:
        path: .values.secrets.etcd.tls.key
    - src:
        schema: deckhand/PublicKey/v1
        name: service-account
        path: .
      dest:
        path: .values.secrets.service_account.public_key

    # Encryption policy
    # Supplies the `resources` list of the EncryptionConfiguration declared
    # under .values.conf.encryption_provider.content; that key is intentionally
    # absent from the literal content below.
    - src:
        schema: promenade/EncryptionPolicy/v1
        name: encryption-policy
        path: .etcd
      dest:
        path: .values.conf.encryption_provider.content.resources

data:
  chart_name: apiserver
  release: kubernetes-apiserver
  namespace: kube-system
  protected:
    continue_processing: true
  wait:
    timeout: 600
    labels:
      release_group: airship-kubernetes-apiserver
  upgrade:
    no_hooks: false
    pre:
      delete:
        - type: job
          labels:
            release_group: airship-kubernetes-apiserver
  values:
    apiserver:
      etcd:
        # Loopback etcd endpoint; the etcd client TLS material comes from the
        # kubernetes-etcd CA and apiserver-etcd cert/key substitutions above.
        endpoints: https://127.0.0.1:2378
      tls:
        # NOTE(review): this list still enables CBC-mode and static-RSA
        # (non-forward-secret) suites alongside the ECDHE GCM ones; if every
        # client of this API server supports the ECDHE GCM suites, the list
        # can be narrowed to those.
        tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
        # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
        # Possible values: VersionTLS10, VersionTLS11, VersionTLS12
        tls-min-version: 'VersionTLS12'
      # Order matters: indices [1] and [2] are targeted by the SERVICE_CIDR and
      # SERVICE_NODE_PORT_RANGE pattern substitutions in metadata.substitutions.
      arguments:
        - --authorization-mode=Node,RBAC
        - --service-cluster-ip-range=SERVICE_CIDR
        - --service-node-port-range=SERVICE_NODE_PORT_RANGE
        - --endpoint-reconciler-type=lease
        - --feature-gates=PodShareProcessNamespace=true
        - --v=3
    conf:
      # Each entry is a config file written to /etc/kubernetes/apiserver plus
      # the apiserver flags (`command_options`) that reference it.
      encryption_provider:
        file: encryption_provider.yaml
        command_options:
          - '--encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
        content:
          kind: EncryptionConfiguration
          apiVersion: apiserver.config.k8s.io/v1
          # `resources` is injected from promenade/EncryptionPolicy/v1 (.etcd)
          # by the substitution in metadata.substitutions.
      eventconfig:
        file: eventconfig.yaml
        content:
          kind: Configuration
          apiVersion: eventratelimit.admission.k8s.io/v1alpha1
          limits:
            - type: Server
              qps: 100
              burst: 1000
      acconfig:
        file: acconfig.yaml
        command_options:
          # NOTE(review): PodSecurityPolicy was removed from upstream
          # Kubernetes in 1.25 — confirm the plugin list against the API
          # server image version pinned in software-versions.
          - '--enable-admission-plugins=PodSecurityPolicy,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit'
          - '--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml'
        content:
          kind: AdmissionConfiguration
          apiVersion: apiserver.k8s.io/v1
          plugins:
            # EventRateLimit reads the eventconfig file defined above.
            - name: EventRateLimit
              path: eventconfig.yaml
  dependencies:
    - kubernetes-apiserver-htk
---
# Helm toolkit dependency chart for the API server chart above; it carries no
# values of its own and no substitutions beyond its chart source.
schema: armada/Chart/v1
metadata:
  schema: metadata/Document/v1
  name: kubernetes-apiserver-htk
  layeringDefinition:
    abstract: false
    layer: global
  storagePolicy: cleartext
  substitutions:
    - src:
        schema: pegleg/SoftwareVersions/v1
        name: software-versions
        path: .charts.kubernetes.apiserver-htk
      dest:
        path: .source
data:
  chart_name: kubernetes-apiserver-htk
  release: kubernetes-apiserver-htk
  namespace: kubernetes-apiserver-htk
  values: {}
  dependencies: []
...