f31cfb2ef9
Based on spec in openstack-helm repo, support-OCI-image-registry-with-authentication-turned-on.rst Each Helm chart can configure an OCI image registry and credentials to use. A Kubernetes secret is then created with this information. Service Accounts then specify an imagePullSecret specifying the Secret with creds for the registry. Then any pod using one of these ServiceAccounts may pull images from an authenticated container registry. Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for ingress.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

---
deployment:
  mode: namespace
  type: Deployment
  cluster:
    class: "nginx-cluster"

images:
  # Images are referenced by tag, not by digest; a tag can be re-pointed on the
  # registry side, so deployments that need a reproducible, attestable image
  # set should override these with digest references.
  tags:
    entrypoint: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    ingress: k8s.gcr.io/ingress-nginx/controller:v1.1.3
    ingress_module_init: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    ingress_routed_vip: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
    error_pages: k8s.gcr.io/defaultbackend:1.4
    keepalived: docker.io/osixia/keepalived:1.4.5
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    image_repo_sync: docker.io/library/docker:17.07.0
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    exclude:
      - dep_check
      - image_repo_sync

pod:
  security_context:
    error_pages:
      pod:
        # Non-root (nobody) uid for the default-backend pod.
        runAsUser: 65534
      container:
        ingress_error_pages:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    server:
      pod:
        runAsUser: 65534
      container:
        # The VIP helper containers below run as root with added capabilities
        # (SYS_MODULE to load kernel modules, NET_ADMIN to manage the VIP).
        # These are privileged settings; they only matter when the VIP
        # containers are rendered (.network.vip.manage) — confirm in templates.
        ingress_vip_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
          readOnlyRootFilesystem: true
          runAsUser: 0
        ingress_vip_init:
          capabilities:
            add:
              - NET_ADMIN
          readOnlyRootFilesystem: true
          runAsUser: 0
        ingress:
          # The controller needs a writable root filesystem; 101 is presumably
          # the non-root uid of the ingress-nginx controller image — verify
          # against the image tag in use.
          readOnlyRootFilesystem: false
          runAsUser: 101
        ingress_vip:
          capabilities:
            add:
              - NET_ADMIN
          readOnlyRootFilesystem: true
          runAsUser: 0
  affinity:
    anti:
      type:
        default: preferredDuringSchedulingIgnoredDuringExecution
      topologyKey:
        default: kubernetes.io/hostname
      weight:
        default: 10
  tolerations:
    ingress:
      enabled: false
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
  # DNS policy for pods that run with host networking (.network.host_namespace).
  dns_policy: "ClusterFirstWithHostNet"
  replicas:
    ingress: 1
    error_page: 1
  lifecycle:
    upgrades:
      deployments:
        revision_history: 3
        pod_replacement_strategy: RollingUpdate
        rolling_update:
          max_unavailable: 1
          max_surge: 3
    termination_grace_period:
      server:
        timeout: 60
      error_pages:
        timeout: 60
  resources:
    # Requests/limits below are only applied when enabled is true.
    enabled: false
    ingress:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    error_pages:
      requests:
        memory: "128Mi"
        cpu: "100m"
      limits:
        memory: "1024Mi"
        cpu: "2000m"
    jobs:
      image_repo_sync:
        requests:
          memory: "128Mi"
          cpu: "100m"
        limits:
          memory: "1024Mi"
          cpu: "2000m"

labels:
  server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  error_server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled

network:
  # Running in the host network namespace exposes the controller ports
  # directly on the node; keep false unless the VIP setup requires it.
  host_namespace: false
  vip:
    manage: false
    # what type of vip manage mechanism will be used
    # possible options: routed, keepalived
    mode: routed
    interface: ingress-vip
    addr: 172.18.0.1/32
    keepalived_router_id: 100
    # Use .network.vip.addr as an external IP for the service
    # Useful if the CNI or provider can set up routes, etc.
    assign_as_external_ip: false
  ingress:
    annotations:
      # NOTE(portdirect): if left blank this is populated from
      # .deployment.cluster.class
      kubernetes.io/ingress.class: null
      # "0" disables the request body size limit at the ingress; apply a
      # limit per backend if unbounded uploads are not wanted.
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      # Hardening response headers injected by nginx. The CSP is restrictive
      # (scripts from same origin only) and is presumably applied to every
      # backend routed through this Ingress — check before relaxing it.
      nginx.ingress.kubernetes.io/configuration-snippet: |
        more_set_headers "X-Content-Type-Options: nosniff";
        more_set_headers "X-Frame-Options: deny";
        more_set_headers "X-Permitted-Cross-Domain-Policies: none";
        more_set_headers "Content-Security-Policy: script-src 'self'";
  external_policy_local: false

dependencies:
  dynamic:
    common:
      local_image_registry:
        jobs:
          - ingress-image-repo-sync
        services:
          - endpoint: node
            service: local_image_registry
  static:
    error_pages:
      jobs: null
    ingress:
      jobs: null
    image_repo_sync:
      services:
        - endpoint: internal
          service: local_image_registry

monitoring:
  prometheus:
    enabled: true
    ingress_exporter:
      scrape: true
      port: 10254

endpoints:
  cluster_domain_suffix: cluster.local
  local_image_registry:
    name: docker-registry
    namespace: docker-registry
    hosts:
      default: localhost
      internal: docker-registry
      node: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        node: 5000
  # Authenticated OCI registry used for image pulls. The credentials below
  # feed the pull Secret named by .secrets.oci_image_registry.ingress, which
  # the ServiceAccounts reference as an imagePullSecret.
  oci_image_registry:
    name: oci-image-registry
    namespace: oci-image-registry
    auth:
      # Presumably the Secret is only rendered when this is true — confirm
      # against the chart templates.
      enabled: false
      ingress:
        # Placeholder defaults only. Override per deployment from a secret
        # store; never commit real registry credentials in a values file.
        username: ingress
        password: password
    hosts:
      default: localhost
    host_fqdn_override:
      default: null
    port:
      registry:
        default: null
  ingress:
    hosts:
      default: ingress
      error_pages: ingress-error-pages
    host_fqdn_override:
      default: null
      # NOTE: The values under .endpoints.ingress.host_fqdn_override.public.tls
      # will be used for the default SSL certificate.
      # See also the .conf.default_ssl_certificate options below.
      public:
        tls:
          # PEM data; the private key ends up in a Kubernetes Secret, so
          # supply it via a secret store rather than a committed values file.
          crt: ""
          key: ""
    port:
      http:
        default: 80
      https:
        default: 443
      healthz:
        default: 10254
      status:
        default: 10246
      stream:
        default: 10247
      profiler:
        default: 10245
      server:
        default: 8181
  ingress_exporter:
    namespace: null
    hosts:
      default: ingress-exporter
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme:
      default: 'http'
    port:
      metrics:
        default: 10254
  kube_dns:
    namespace: kube-system
    name: kubernetes-dns
    hosts:
      default: kube-dns
    host_fqdn_override:
      default: null
    path:
      default: null
    scheme: http
    port:
      dns_tcp:
        default: 53
      dns:
        default: 53
        protocol: UDP

# An empty rule ({}) in a NetworkPolicy matches all peers, so these defaults
# allow all ingress and egress traffic. The policy is only rendered when
# .manifests.network_policy is true (false by default); tighten the rules
# before enabling it.
network_policy:
  ingress:
    ingress:
      - {}
    egress:
      - {}

secrets:
  oci_image_registry:
    # Name of the image-pull Secret built from .endpoints.oci_image_registry.auth.
    ingress: ingress-oci-image-registry-key
  tls:
    ingress:
      api:
        # .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert"
        # NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls
        public: default-tls-public
  dhparam:
    # DH parameters for TLS; empty by default, and the Secret is only rendered
    # when .manifests.secret_dhparam is true. Referenced by
    # .conf.ingress.ssl-dh-param below.
    secret_dhparam: |

conf:
  controller:
    # NOTE(portdirect): if left blank this is populated from
    # .deployment.cluster.class in cluster mode, or set to
    # "nginx" in namespace mode
    INGRESS_CLASS: null
  ingress:
    enable-underscores-in-headers: "true"
    # NOTE(portdirect): if left blank this is populated from
    # .network.vip.addr when running in host networking
    # and .network.vip.manage=true, otherwise it is left as
    # an empty string (the default).
    bind-address: null
    enable-vts-status: "true"
    # Suppress the nginx version in error pages and the Server header.
    server-tokens: "false"
    # "<namespace>/<secret name>" of the DH parameter Secret.
    ssl-dh-param: openstack/secret-dhparam
  # This block sets the --default-ssl-certificate option
  # https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
  default_ssl_certificate:
    # .conf.default_ssl_certificate.enabled=true: use a default certificate
    enabled: false
    # If referencing an existing TLS secret with the default cert
    # .conf.default_ssl_certificate.name="name of the secret"
    # (defaults to value of .secrets.tls.ingress.api.public)
    # .conf.default_ssl_certificate.namespace="namespace of the secret"
    # (optional, defaults to release namespace)
    name: ""
    namespace: ""
    # NOTE: To create a new secret to hold the default certificate, leave the
    # above values empty, and specify:
    # .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
    # .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
    # .manifests.secret_ingress_tls=true
  services:
    tcp: null
    udp: null

manifests:
  configmap_bin: true
  configmap_conf: true
  configmap_services_tcp: true
  configmap_services_udp: true
  deployment_error: true
  deployment_ingress: true
  endpoints_ingress: true
  ingress: true
  secret_ingress_tls: false
  secret_dhparam: false
  service_error: true
  service_ingress: true
  job_image_repo_sync: true
  monitoring:
    prometheus:
      service_exporter: true
  network_policy: false
  # Renders the OCI registry image-pull Secret (.secrets.oci_image_registry).
  secret_registry: true
...