airship/promenade
Code Issues Proposed changes

Merge "(charts) Webhook dynamic config"

Browse Source
This commit is contained in:
Zuul 2019-08-21 21:15:44 +00:00 committed by Gerrit Code Review
commit b9ea53d277
5 changed files with 100 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
charts/apiserver-webhook/templates/config-dynamic-config.yaml Normal file
View File

@ -0,0 +1,32 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.configmap_dynamic_config }}
{{- $envAll := . }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-dynamic-config
data:
{{- range $key, $val := .Values.conf.apiserver }}
{{ $val.file }}: |
{{- if kindIs "string" $val.content }}
{{ indent 4 $val.content }}
{{- else }}
{{ toYaml $val.content | indent 4 }}
{{- end }}
{{- end -}}
{{- end }}

2
charts/apiserver-webhook/templates/configmap-etc.yaml
View File

@ -28,6 +28,4 @@ data:
{{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
policy.json: | policy.json: |
{{ toPrettyJson $envAll.Values.conf.policy | indent 4 }} {{ toPrettyJson $envAll.Values.conf.policy | indent 4 }}
encryption_provider.json: |
{{ toPrettyJson $envAll.Values.conf.encryption_provider.content | indent 4 }}
{{- end }} {{- end }}

15
charts/apiserver-webhook/templates/deployment.yaml
View File

@ -163,7 +163,13 @@ spec:
- --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }} - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
- --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }} - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
- --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }} - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
- --experimental-encryption-provider-config={{ $envAll.Values.conf.paths.encryption_provider }} {{- range $key, $val := .Values.conf.apiserver }}
{{- if hasKey $val "command_options" }}
{{- range $val.command_options }}
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
readinessProbe: readinessProbe:
tcpSocket: tcpSocket:
port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
@ -175,6 +181,9 @@ spec:
volumeMounts: volumeMounts:
- name: etc-apiserver - name: etc-apiserver
mountPath: {{ $envAll.Values.conf.paths.base }} mountPath: {{ $envAll.Values.conf.paths.base }}
- name: apiserver-dynamic-config
mountPath: {{ $envAll.Values.conf.paths.base }}dynamic
readOnly: true
- name: etc-apiserver-pki - name: etc-apiserver-pki
mountPath: {{ $envAll.Values.conf.paths.pki }} mountPath: {{ $envAll.Values.conf.paths.pki }}
- name: configmap-etc - name: configmap-etc
@ -239,6 +248,10 @@ spec:
emptyDir: {} emptyDir: {}
- name: etc-apiserver-pki - name: etc-apiserver-pki
emptyDir: {} emptyDir: {}
- name: apiserver-dynamic-config
configMap:
name: {{ .Release.Name }}-dynamic-config
defaultMode: 0444
- name: etc-webhook - name: etc-webhook
emptyDir: {} emptyDir: {}
- name: etc-webhook-pki - name: etc-webhook-pki

38
charts/apiserver-webhook/values.yaml
View File

@ -275,10 +275,39 @@ conf:
policy: '/etc/webhook_apiserver/conf/policy.json' policy: '/etc/webhook_apiserver/conf/policy.json'
sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub' sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
encryption_provider: '/etc/webhook_apiserver/encryption_provider.json' encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'
encryption_provider: # Every key below 'apiserver' yields a dynamic configuration file
content: # and can mutate the apiserver command-line args.
kind: EncryptionConfig # The files are available under /dynamic in conf.paths.base
apiVersion: v1 apiserver:
agg_api_ca:
file: agg-api-ca.pem
command_options:
- '--requestheader-client-ca-file=/etc/webhook_apiserver/dynamic/agg-api-ca.pem'
- '--requestheader-extra-headers-prefix=X-Remote-Extra-'
- '--requestheader-group-headers=X-Remote-Group'
- '--requestheader-username-headers=X-Remote-User'
- '--requestheader-allowed-names="aggregator"'
content: |
-----SOME CA-----
apiserver_proxy_cert:
file: 'apiserver-proxy-cert.pem'
command_options:
- '--proxy-client-cert-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-cert.pem'
content: |
------SOME CERT-----
apiserver_proxy_key:
file: 'apiserver-proxy-key.pem'
command_options:
- '--proxy-client-key-file=/etc/webhook_apiserver/dynamic/apiserver-proxy-key.pem'
content: |
-----SOME KEY-----
encryption_provider:
file: 'encryption_provider.yaml'
command_options:
- '--experimental-encryption-provider-config=/etc/webhook_apiserver/dynamic/encryption_provider.yaml'
content:
kind: EncryptionConfig
apiVersion: v1
policy: policy:
- resource: - resource:
verbs: verbs:
@ -345,6 +374,7 @@ manifests:
configmap_bin: true configmap_bin: true
configmap_certs: true configmap_certs: true
configmap_etc: true configmap_etc: true
configmap_dynamic_config: true
job_ks_user: true job_ks_user: true
deployment: true deployment: true
ingress_api: true ingress_api: true

26
charts/apiserver/values.yaml
View File

@ -108,14 +108,28 @@ conf:
- type: Server - type: Server
qps: 1000 qps: 1000
burst: 10000 burst: 10000
# aggapi: # agg_api_ca:
# file: kube-agg-api-ca.pem # file: agg-api-ca.pem
# command_options: # command_options:
# - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/kube-agg-api-ca.pem' # - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem'
# - '--requestheader-allowed-names=agg-client' # - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
# - '--requestheader-group-headers=X-Remote-Group'
# - '--requestheader-username-headers=X-Remote-User'
# - '--requestheader-allowed-names="aggregator"'
# content: | # content: |
# -----SOME CA---- # -----SOME CA-----
# # apiserver_proxy_cert:
# file: 'apiserver-proxy-cert.pem'
# command_options:
# - '--proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem'
# content: |
# ------SOME CERT-----
# apiserver_proxy_key:
# file: 'apiserver-proxy-key.pem'
# command_options:
# - '--proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem'
# content: |
# -----SOME KEY-----
# Uncomment any of the below to enable enhanced Audit Logging command line options. # Uncomment any of the below to enable enhanced Audit Logging command line options.
# #
# auditpolicy: # auditpolicy: