diff --git a/charts/apiserver-webhook/Chart.yaml b/charts/apiserver-webhook/Chart.yaml
new file mode 100644
index 00000000..1d3c16d0
--- /dev/null
+++ b/charts/apiserver-webhook/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vn
+description: A chart for Kubernetes keystone webhook API server
+name: apiserver-webhook
+version: 0.1.0
diff --git a/charts/apiserver-webhook/requirements.yaml b/charts/apiserver-webhook/requirements.yaml
new file mode 100644
index 00000000..7496230c
--- /dev/null
+++ b/charts/apiserver-webhook/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: http://localhost:8879/charts
+    version: 0.1.0
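Review bot: `apiVersion: vn` in Chart.yaml looks like a typo for `v1`, the value Helm 2 chart metadata uses; Helm 2 may load the chart without complaint, which is why it is easy to miss, but any tooling that validates the field will reject it. Change it to `apiVersion: v1`.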
diff --git a/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl b/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl
new file mode 100644
index 00000000..0fbe3350
--- /dev/null
+++ b/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+exec /bin/k8s-keystone-auth \
+  --tls-cert-file /opt/kubernetes-keystone-webhook/pki/tls.crt \
+  --tls-private-key-file /opt/kubernetes-keystone-webhook/pki/tls.key \
+  --keystone-policy-file /etc/kubernetes-keystone-webhook/policy.json \
+  --listen 127.0.0.1:8443 \
+  --keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
diff --git a/charts/apiserver-webhook/templates/configmap-bin.yaml b/charts/apiserver-webhook/templates/configmap-bin.yaml
new file mode 100644
index 00000000..6cf5263b
--- /dev/null
+++ b/charts/apiserver-webhook/templates/configmap-bin.yaml
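Review bot: `--listen 127.0.0.1:8443` hard-codes the port that values.yaml already carries as `kubernetes_keystone_webhook.port` and that `_webhook.kubeconfig.tpl` repeats as a literal; render it from the value, `--listen 127.0.0.1:{{ .Values.kubernetes_keystone_webhook.port }} \`, so the three places cannot drift. `set -xe` also traces the fully expanded command line, including the resolved keystone URL, into the container log on every start; `set -e` alone is enough unless the trace is deliberately wanted for debugging.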
@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.service.name }}-bin
+data:
+  webhook_start.sh: |
+{{ tuple "bin/_webhook_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/configmap-certs.yaml b/charts/apiserver-webhook/templates/configmap-certs.yaml
new file mode 100644
index 00000000..34d412e0
--- /dev/null
+++ b/charts/apiserver-webhook/templates/configmap-certs.yaml
@@ -0,0 +1,31 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_certs }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.service.name }}-certs
+data:
+  cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }}
+  apiserver.pem: {{ .Values.secrets.tls.cert | quote }}
+  etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }}
+  etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }}
+  service-account.pub: {{ .Values.secrets.service_account.public_key | quote }}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/configmap-etc.yaml b/charts/apiserver-webhook/templates/configmap-etc.yaml
new file mode 100644
index 00000000..f08cdfe7
--- /dev/null
+++ b/charts/apiserver-webhook/templates/configmap-etc.yaml
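Review bot: This `-certs` ConfigMap is rendered but never referenced by deployment.yaml, which mounts `/etc/kubernetes/apiserver` from the `apiserver.host_etc_path` hostPath and expects the same `pki/*.pem` file names to already be there; either the deployment should mount this object at `/etc/kubernetes/apiserver/pki`, or `manifests.configmap_certs` should default to false and the hostPath expectation be documented. `$envAll` is assigned right after the guard but never used in this template; drop the line or use it in place of the bare `.Values` references.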
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.service.name }}-etc
+data:
+  webhook.kubeconfig: |
+{{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+  policy.json: |
+{{ toPrettyJson $envAll.Values.conf.policy | indent 4 }}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
new file mode 100644
index 00000000..091288e4
--- /dev/null
+++ b/charts/apiserver-webhook/templates/deployment.yaml
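Review bot: Both entries of this ConfigMap are consumed through `subPath` mounts in deployment.yaml, and a container that mounts a ConfigMap key via `subPath` does not receive later updates to it, so a changed `conf.policy` only reaches the webhook because the pod template carries the `configmap-etc-hash` annotation and is rolled; a comment above `policy.json:` saying so would save the next maintainer a debugging session, e.g. `# mounted via subPath: edits roll out only through the configmap-etc-hash annotation on the Deployment`. Minor: the `webhook.kubeconfig` line passes `.` to the template helper while `$envAll` is defined just above and used for `policy.json`; use one consistently.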
@@ -0,0 +1,142 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubernetes-keystone-webhook
+  labels:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  replicas: {{ $envAll.Values.pod.replicas.api }}
+  selector:
+    matchLabels:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+      annotations:
+        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
+    spec:
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+      - name: apiserver
+        image: {{ .Values.images.tags.apiserver }}
+{{ tuple $envAll $envAll.Values.pod.resources.kubernetes_apiserver | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
+        env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              fieldPath: spec.nodeName
+
+        command:
+        {{- range .Values.command_prefix }}
+        - {{ . 
}} 
+        {{- end }}
+        - --authorization-mode=Webhook
+        - --advertise-address=$(POD_IP)
+        - --anonymous-auth=false
+        - --endpoint-reconciler-type=none
+        - --bind-address=0.0.0.0
+        - --secure-port={{ .Values.network.kubernetes_apiserver.port }}
+        - --insecure-port=0
+        - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
+        - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
+        - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+        - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
+        - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem
+        - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem
+        - --etcd-servers={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
+        - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
+        - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
+        - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
+        - --allow-privileged=true
+        - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+        - --authentication-token-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig
+        - --authorization-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig
+        ports:
+        - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
+        readinessProbe:
+          tcpSocket:
+            port: 6443
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          tcpSocket:
+            port: 6443
+          failureThreshold: 3
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        volumeMounts:
+        - name: etc
+          mountPath: /etc/kubernetes/apiserver
+        - name: {{ .Values.service.name }}-etc
+          mountPath: /etc/kubernetes/apiserver/webhook.kubeconfig
+          subPath: webhook.kubeconfig
+          readOnly: true
+      - name: kubernetes-keystone-webhook
+{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | 
indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+        command:
+          - /tmp/webhook_start.sh
+        volumeMounts:
+          - name: etc-kubernetes-keystone-webhook
+            mountPath: /etc/kubernetes-keystone-webhook
+          - name: key-kubernetes-keystone-webhook
+            mountPath: /opt/kubernetes-keystone-webhook/pki/tls.crt
+            subPath: tls.crt
+            readOnly: true
+          - name: key-kubernetes-keystone-webhook
+            mountPath: /opt/kubernetes-keystone-webhook/pki/tls.key
+            subPath: tls.key
+            readOnly: true
+          - name: {{ .Values.service.name }}-etc
+            mountPath: /etc/kubernetes-keystone-webhook/policy.json
+            subPath: policy.json
+            readOnly: true
+          - name: {{ .Values.service.name }}-bin
+            mountPath: /tmp/webhook_start.sh
+            subPath: webhook_start.sh
+            readOnly: true
+      volumes:
+        - name: etc
+          hostPath:
+            path: {{ .Values.apiserver.host_etc_path }}
+        - name: etc-kubernetes-keystone-webhook
+          emptyDir: {}
+        - name: key-kubernetes-keystone-webhook
+          secret:
+            secretName: {{ $envAll.Values.secrets.certificates.api }}
+            defaultMode: 0444
+        - name: {{ .Values.service.name }}-etc
+          configMap:
+            name: {{ .Values.service.name }}-etc
+            defaultMode: 0444
+        - name: {{ .Values.service.name }}-bin
+          configMap:
+            name: {{ .Values.service.name }}-bin
+            defaultMode: 0555
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl b/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl
new file mode 100644
index 00000000..53810a6f
--- /dev/null
+++ b/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl
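Review bot: The helm-toolkit snippet includes inside `containers` use `indent 6` (resources of `apiserver`) and `indent 10` (image and resources of `kubernetes-keystone-webhook`) while the sibling keys of each container (`name:`, `image:`, `command:`) sit at eight columns, so, unless whitespace was lost in this collapsed view, the rendered manifest mis-nests or fails to parse as soon as those snippets emit anything; all three should be `indent 8`. `$envAll.Values.pod.resources.server` is not defined in values.yaml (which provides `pod.resources.api` and `pod.resources.kubernetes_apiserver`), so setting `pod.resources.enabled: true` would additionally fail on a nil lookup. The readiness and liveness probes hard-code `port: 6443` while `containerPort` and `--secure-port` are templated from `network.kubernetes_apiserver.port`; use the same value in both probes. The `etc` hostPath holds the apiserver, etcd-client and service-account key material and is mounted read-write into the apiserver container; add `readOnly: true` to that volumeMount.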
@@ -0,0 +1,34 @@
+# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+clusters:
+- cluster:
+    server: https://127.0.0.1:{{ .Values.network.kubernetes_apiserver.port }}
+    certificate-authority: pki/cluster-ca.pem
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: apiserver
+  name: apiserver@kubernetes
+current-context: apiserver@kubernetes
+kind: Config
+preferences: {}
+users:
+- name: apiserver
+  user:
+    client-certificate: pki/apiserver.pem
+    client-key: pki/apiserver-key.pem
diff --git a/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl b/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl
new file mode 100644
index 00000000..a834a886
--- /dev/null
+++ b/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl
@@ -0,0 +1,16 @@
+apiVersion: v1
+clusters:
+  - cluster:
+      insecure-skip-tls-verify: false
+      server: https://127.0.0.1:8443/webhook
+    name: webhook
+contexts:
+  - context:
+      cluster: webhook
+      user: webhook
+    name: webhook
+current-context: webhook
+kind: Config
+preferences: {}
+users:
+  - name: webhook
diff --git a/charts/apiserver-webhook/templates/ingress-api.yaml b/charts/apiserver-webhook/templates/ingress-api.yaml
new file mode 100644
index 00000000..8b9f9bf0
--- /dev/null
+++ b/charts/apiserver-webhook/templates/ingress-api.yaml
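Review bot: Nothing in this change renders `etc/_kubeconfig.yaml.tpl` — configmap-etc.yaml includes only `etc/_webhook.kubeconfig.tpl` — so this kubeconfig with client-certificate paths appears to be dead unless a template outside the diff picks it up. If it is intentionally unused, drop it; if it is meant for the apiserver container, it also needs a `{{ tuple "etc/_kubeconfig.yaml.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}` entry in configmap-etc.yaml and a matching volumeMount in deployment.yaml.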
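Review bot: The `webhook` cluster entry sets `insecure-skip-tls-verify: false` but names no `certificate-authority`, so the apiserver verifies the webhook's certificate (served from the `secrets.certificates.api` Secret per deployment.yaml) against its own system trust store, and a cluster-issued or self-signed certificate will fail with a TLS error at the first authentication request rather than at install time. Add `certificate-authority: <path-to-ca-that-issued-tls.crt>` under `cluster:` and mount that CA into the apiserver container, or document that the issuing CA must be present in the hyperkube image's trust store. The port `8443` is a literal here and in `_webhook_start.sh.tpl` while values.yaml carries `kubernetes_keystone_webhook.port`; template it as `server: https://127.0.0.1:{{ .Values.kubernetes_keystone_webhook.port }}/webhook`. This is also the only template in the chart without the license header the others carry.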
@@ -0,0 +1,21 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_api .Values.network.kubernetes_apiserver.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" "backendPort" "https" -}}
+{{- $ingressOpts | include "helm-toolkit.manifests.ingress" -}}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/secret-apiserver.yaml b/charts/apiserver-webhook/templates/secret-apiserver.yaml
new file mode 100644
index 00000000..f32f6bfd
--- /dev/null
+++ b/charts/apiserver-webhook/templates/secret-apiserver.yaml
@@ -0,0 +1,28 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.service.name }}-keys
+type: Opaque
+data:
+  apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
+  etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/secret-ingress-tls.yaml b/charts/apiserver-webhook/templates/secret-ingress-tls.yaml
new file mode 100644
index 00000000..92574bf9
--- /dev/null
+++ b/charts/apiserver-webhook/templates/secret-ingress-tls.yaml
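Review bot: `secrets.tls.key` and `secrets.etcd.tls.key` default to the literal string `placeholder` in values.yaml, so an install that forgets to override them renders a Secret with `placeholder` base64-encoded as if it were a private key, and the failure surfaces later as a TLS error in the apiserver container rather than at render time. Wrap each in `required`, e.g. `apiserver-key.pem: {{ required "secrets.tls.key must be set" .Values.secrets.tls.key | b64enc }}`, and the same for the etcd key. Note also that deployment.yaml in this change does not mount this Secret; the container reads `pki/apiserver-key.pem` from the hostPath volume instead, so either mount it or document why the Secret exists.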
@@ -0,0 +1,19 @@
+{{/*
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" ) }}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/secret-keystone.yaml b/charts/apiserver-webhook/templates/secret-keystone.yaml
new file mode 100644
index 00000000..99f1d5b8
--- /dev/null
+++ b/charts/apiserver-webhook/templates/secret-keystone.yaml
@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/secret-webhook.yaml b/charts/apiserver-webhook/templates/secret-webhook.yaml
new file mode 100644
index 00000000..4438a356
--- /dev/null
+++ b/charts/apiserver-webhook/templates/secret-webhook.yaml
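Review bot: The admin openrc Secret produced here is neither mounted nor referenced by deployment.yaml, and the webhook start script passes only `--keystone-url`, so with the values.yaml default `password: password` this renders a Secret holding a well-known credential that nothing in the chart consumes. If k8s-keystone-auth does not need admin credentials, default `manifests.secret_keystone` to false or drop the template; if it does, the deployment should mount it `readOnly: true` and the note here should say which container uses it. Style: `$key1` is never used, so `{{- range $userClass := tuple "admin" }}` states the intent more plainly.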
@@ -0,0 +1,28 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_webhook }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $envAll.Values.secrets.certificates.api }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.crt | default "" | b64enc }}
+  tls.key: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.key | default "" | b64enc }}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/service-apiserver-ingress.yaml b/charts/apiserver-webhook/templates/service-apiserver-ingress.yaml
new file mode 100644
index 00000000..d4bc7b6b
--- /dev/null
+++ b/charts/apiserver-webhook/templates/service-apiserver-ingress.yaml
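Review bot: `default ""` on both `tls.crt` and `tls.key` turns a missing certificate into a successful render of an empty `kubernetes.io/tls` Secret; the webhook container then starts with empty files under `/opt/kubernetes-keystone-webhook/pki/` and fails at run time, far from the cause. Fail at render time instead: `tls.crt: {{ required "endpoints.kubernetes.auth.api.tls.crt must be set" $envAll.Values.endpoints.kubernetes.auth.api.tls.crt | b64enc }}` and the same for `tls.key`. As far as I recall the API server validates `kubernetes.io/tls` Secrets only for the presence of the two keys, not for non-empty content, so the empty object is accepted silently.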
@@ -0,0 +1,21 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress .Values.network.kubernetes_apiserver.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "kubernetes-keystone-webhook" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}
diff --git a/charts/apiserver-webhook/templates/service.yaml b/charts/apiserver-webhook/templates/service.yaml
new file mode 100644
index 00000000..d0150b0e
--- /dev/null
+++ b/charts/apiserver-webhook/templates/service.yaml
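Review bot: `backendServiceType "kubernetes-keystone-webhook"` does not match any key under `endpoints` in values.yaml (which defines `kubernetes_apiserver` and `kubernetes_keystone_webhook`, with underscores), while the sibling ingress-api.yaml uses `"kubernetes_apiserver"`; the helm-toolkit endpoint lookups key on that string, so this presumably should be `kubernetes_apiserver` so the ingress Service fronts the same backend the Ingress routes to. `{{ $serviceIngressOpts | include ... }}` also lacks the leading `{{-` the other templates use, which leaves a stray blank line in the rendered output.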
@@ -0,0 +1,34 @@
+{{/*
+Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.service.name }}
+  annotations:
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+  ports:
+    - name: https
+      port: {{ .Values.network.kubernetes_apiserver.port }}
+      protocol: TCP
+      targetPort: {{ .Values.network.kubernetes_apiserver.port }}
+  selector:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
new file mode 100644
index 00000000..008c6a9c
--- /dev/null
+++ b/charts/apiserver-webhook/values.yaml
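Review bot: `service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"` makes the Service publish apiserver pods before their readiness probe passes, so clients can be routed to an instance whose etcd connection or webhook sidecar is not up yet; for an API server that is usually not wanted, and the annotation is the deprecated spelling of `spec.publishNotReadyAddresses: true` in any case. If the intent is only to let the pods find each other during bootstrap, say so in a comment above the annotation; otherwise drop it and let readiness gate traffic.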
@@ -0,0 +1,295 @@
+# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+release_group: null
+
+images:
+  tags:
+    apiserver: gcr.io/google_containers/hyperkube-amd64:v1.10.2
+    kubernetes_keystone_webhook: docker.io/k8scloudprovider/k8s-keystone-auth:latest
+    scripted_test: docker.io/openstackhelm/heat:newton
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: IfNotPresent
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+labels:
+  kubernetes_apiserver:
+    node_selector_key: kubernetes-apiserver
+    node_selector_value: enabled
+
+command_prefix:
+  - /apiserver
+  - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds
+  - --service-cluster-ip-range=10.96.0.0/16
+  - --v=5
+
+apiserver:
+  host_etc_path: /etc/kubernetes/apiserver
+
+network:
+  kubernetes_apiserver:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx-cluster"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
+        nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/secure-backends: "true"
+    name: kubernetes-apiserver
+    port: 6443
+    node_port:
+      enabled: false
+      port: 31943
+
+service:
+  name: kubernetes-webhook-apiserver
+  ip: 
null
+
+secrets:
+  tls:
+    ca: placeholder
+    cert: placeholder
+    key: placeholder
+  service_account:
+    public_key: placeholder
+  etcd:
+    tls:
+      ca: placeholder
+      cert: placeholder
+      key: placeholder
+  identity:
+    admin: kubernetes-keystone-webhook-admin
+  certificates:
+    api: kubernetes-keystone-webhook-certs
+
+kubernetes_keystone_webhook:
+  port: 8443
+  endpoints: https://k8sksauth-api.kube-system.svc.cluster.local
+
+# typically overriden by environmental
+# values, but should include all endpoints
+# required by this chart
+endpoints:
+  cluster_domain_suffix: cluster.local
+  kubernetes_apiserver:
+    name: kubernetes-webhook-apiserver
+    hosts:
+      default: keystone
+      internal: keystone-api
+    port:
+      https:
+        default: 6443
+        public: 443
+    path:
+      default: /
+    scheme:
+      default: http
+      public: http
+    host_fqdn_override:
+      default: null
+      # NOTE: this chart supports TLS for fqdn over-ridden public
+      # endpoints using the following format:
+      # public:
+      #   host: null
+      #   tls:
+      #     crt: null
+      #     key: null
+  kubernetes:
+    auth:
+      api:
+        tls:
+          crt: null
+          key: null
+  identity:
+    name: keystone
+    namespace: null
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+    hosts:
+      default: keystone
+      internal: keystone-api
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      api:
+        default: 80
+        internal: 5000
+  kubernetes_keystone_webhook:
+    namespace: null
+    name: k8sksauth
+    hosts:
+      default: k8sksauth-api
+      public: k8sksauth
+    host_fqdn_override:
+      default: null
+    path:
+      default: /webhook
+    scheme:
+      default: https
+    port:
+      api:
+        default: 8443
+        public: 443
+  etcd:
+    name: etcd
+    namespace: kube-system
+    hosts:
+      default: kubernetes-etcd
+    host_fqdn_override:
+      default: null
+    path:
+      default: null
+    scheme:
+      default: https
+    port:
+      client:
+        default: 2379
+
+pod:
+  mounts:
+    kubernetes_apiserver:
+      init_container: null
+ 
kubernetes_apiserver:
+  replicas:
+    apiserver: 1
+    api: 1
+  lifecycle:
+    upgrades:
+      daemonsets:
+        pod_replacement_strategy: RollingUpdate
+        kubernetes_apiserver:
+          enabled: false
+          min_ready_seconds: 0
+          max_unavailable: 1
+    termination_grace_period:
+      kubernetes_apiserver:
+        timeout: 3600
+  resources:
+    enabled: false
+    anchor_pod:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    kubernetes_apiserver:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "1024Mi"
+        cpu: "2000m"
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "256Mi"
+        cpu: "200m"
+    jobs:
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "256Mi"
+          cpu: "200m"
+  mounts:
+    kubernetes_keystone_webhook_api:
+      init_container: null
+      kubernetes_keystone_webhook_api: null
+    kubernetes_keystone_webhook_tests:
+      init_container: null
+      kubernetes_keystone_webhook_tests: null
+conf:
+  policy:
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "*"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - admin
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "kube-system"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - kube-system-admin
+    - resource:
+        verbs:
+          - get
+          - list
+          - watch
+        resources:
+          - "*"
+        namespace: "kube-system"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - kube-system-viewer
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "openstack"
+        version: "*"
+      match:
+        - type: project
+          values:
+            - openstack-system
+
+manifests:
+  configmap_bin: true
+  configmap_certs: true
+  configmap_etc: true
+  deployment: true
+  ingress_api: false
+  pod_test: false
+  kubernetes_apiserver: true
+  secret: true
+  secret_ingress_tls: false
+  secret_webhook: true
+  service: true
+  service_ingress: false
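Review bot: `pod.mounts` is defined twice under `pod:` — once directly after `pod:` (the `kubernetes_apiserver` entry) and again after `resources:` (the `kubernetes_keystone_webhook_*` entries) — which is a duplicate mapping key; depending on the YAML library one block silently wins and stricter loaders reject the file, so merge the two into a single `mounts:` block. `images.tags.kubernetes_keystone_webhook` pins `:latest`, a mutable tag on the component that makes every authentication and authorization decision; pin a version or digest like the other images. `endpoints.identity.auth.admin.password: password` is rendered into the keystone admin Secret by secret-keystone.yaml, so the default should be a value that forces an override, or that Secret should be off by default. `nginx.ingress.kubernetes.io/rewrite-target: /` under `network.kubernetes_apiserver.ingress.annotations` would rewrite every API path to `/` if the ingress is enabled; an apiserver backend needs the path passed through unchanged. `endpoints.kubernetes_apiserver.hosts` (`keystone`, `keystone-api`) together with `scheme: http` look copied from the identity endpoint and do not describe an https apiserver.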