airship/promenade
Code Issues Proposed changes
promenade/charts/apiserver/values.yaml
SPEARS, DUSTIN (ds443n) 70dd0c8599 Remove deprecated controller-manager flag 
Additionally update all images from k8s.gcr.io to registry.k8s.io

Change-Id: I0240ee0bf5d23d035126a81318f57b240f5af402
2023-04-18 15:02:30 -04:00

391 lines
12 KiB
YAML
Raw Blame History

# Copyright 2017 AT&T Intellectual Property. All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
release_group: null
# NOTE(mark-burnett): These values are not really configurable -- they live
# here to keep the templates cleaner.
const:
encryption_annotation: "airshipit.org/encryption_key"
command_prefix:
- kube-apiserver
- --advertise-address=$(POD_IP)
- --allow-privileged=true
- --anonymous-auth=true
- --bind-address=0.0.0.0
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
- --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem
- --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem
- --etcd-servers=$(ETCD_ENDPOINTS)
- --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
- --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --secure-port=$(APISERVER_PORT)
- --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
- --service-account-signing-key-file=/etc/kubernetes/apiserver/pki/service-account.key
- --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
- --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
files_to_copy:
# NOTE(mark-burnett): These are (host dest): (container source) pairs
/etc/kubernetes/apiserver/kubeconfig.yaml: /tmp/etc/kubeconfig.yaml
/etc/kubernetes/apiserver/pki/apiserver-key.pem: /keys/apiserver-key.pem
/etc/kubernetes/apiserver/pki/apiserver.pem: /certs/apiserver.pem
/etc/kubernetes/apiserver/pki/cluster-ca.pem: /certs/cluster-ca.pem
/etc/kubernetes/apiserver/pki/etcd-client-ca.pem: /certs/etcd-client-ca.pem
/etc/kubernetes/apiserver/pki/etcd-client-key.pem: /keys/etcd-client-key.pem
/etc/kubernetes/apiserver/pki/etcd-client.pem: /certs/etcd-client.pem
/etc/kubernetes/apiserver/pki/kubelet-client-ca.pem: /certs/kubelet-client-ca.pem
/etc/kubernetes/apiserver/pki/kubelet-client-key.pem: /keys/kubelet-client-key.pem
/etc/kubernetes/apiserver/pki/kubelet-client.pem: /certs/kubelet-client.pem
/etc/kubernetes/apiserver/pki/service-account.pub: /certs/service-account.pub
/etc/kubernetes/apiserver/pki/service-account.key: /keys/service-account.key
/etc/kubernetes/manifests/kubernetes-apiserver.yaml: /tmp/etc/kubernetes-apiserver.yaml
images:
tags:
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
anchor: quay.io/airshipit/porthole-compute-utility:master-ubuntu_focal
apiserver: registry.k8s.io/kube-apiserver-amd64:v1.26.0
key_rotate: quay.io/airshipit/porthole-compute-utility:master-ubuntu_focal
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
kubernetes_apiserver:
node_selector_key: kubernetes-apiserver
node_selector_value: enabled
job:
node_selector_key: kubernetes-apiserver
node_selector_value: enabled
anchor:
dns_policy: Default
enable_cleanup: true
kubelet:
manifest_path: /etc/kubernetes/manifests
period: 15
# TODO(sh8121att): Add dynamic rendering of the admission controller list allowing a base list
# and each conf entry to enable additional AC plugins
conf:
# Uncomment any of the below to enable the file placement and associated apiserver
# command line options
#
acconfig:
file: acconfig.yaml
command_options:
- '--admission-control-config-file=/etc/kubernetes/apiserver/acconfig.yaml'
- '--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,NodeRestriction,EventRateLimit'
content:
kind: AdmissionConfiguration
apiVersion: apiserver.k8s.io/v1alpha1
plugins:
- name: EventRateLimit
path: eventconfig.yaml
eventconfig:
file: eventconfig.yaml
content:
kind: Configuration
apiVersion: eventratelimit.admission.k8s.io/v1alpha1
limits:
- type: Server
qps: 1000
burst: 10000
# agg_api_ca:
# file: agg-api-ca.pem
# command_options:
# - '--requestheader-client-ca-file=/etc/kubernetes/apiserver/agg-api-ca.pem'
# - '--requestheader-extra-headers-prefix=X-Remote-Extra-'
# - '--requestheader-group-headers=X-Remote-Group'
# - '--requestheader-username-headers=X-Remote-User'
# - '--requestheader-allowed-names="aggregator"'
# content: |
# -----SOME CA-----
# apiserver_proxy_cert:
# file: 'apiserver-proxy-cert.pem'
# command_options:
# - '--proxy-client-cert-file=/etc/kubernetes/apiserver/apiserver-proxy-cert.pem'
# content: |
# ------SOME CERT-----
# apiserver_proxy_key:
# file: 'apiserver-proxy-key.pem'
# command_options:
# - '--proxy-client-key-file=/etc/kubernetes/apiserver/apiserver-proxy-key.pem'
# content: |
# -----SOME KEY-----
# Uncomment any of the below to enable enhanced Audit Logging command line options.
# Note: To use the Log backend, ensure that the hostPath of the log file is mounted.
# (Refer to .pod.mounts.apiserver.apiserver)
#
# auditpolicy:
# file: audit_policy.yaml
# command_options:
# - '--audit-policy-file=/etc/kubernetes/apiserver/audit_policy.yaml'
# - '--audit-log-maxsize=10'
# - '--audit-log-maxbackup=3'
# - '--audit-log-path=/var/log/audit/audit.log'
# content:
# kind: Policy
# apiVersion: apiserver.k8s.io/v1
# rules:
# - level: Metadata
#
encryption_provider:
file: encryption_provider.yaml
command_options:
- '--encryption-provider-config=/etc/kubernetes/apiserver/encryption_provider.yaml'
content:
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
- resources:
- 'secrets'
providers:
- secretbox:
keys:
- name: key1
secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk=
- identity: {}
service_account_issuer:
command_options:
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
apiserver:
arguments:
- --authorization-mode=Node,RBAC
- --service-cluster-ip-range=10.96.0.0/16
- --endpoint-reconciler-type=lease
- --v=3
etcd:
endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
host_etc_path: /etc/kubernetes/apiserver
logging:
# Which messages to log.
# Valid values include any number from 0 to 9.
# Default 5(Trace level verbosity).
log_level: 5
#XXX another possible configuration
# tls:
# tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
# # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
# #Possible values: VersionTLS10, VersionTLS11, VersionTLS12
# tls-min-version: 'VersionTLS12'
network:
kubernetes_apiserver:
ingress:
public: true
classes:
namespace: "nginx-cluster"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/secure-backends: "true"
name: kubernetes-apiserver
port: 6443
node_port:
enabled: false
port: 31943
service:
name: kubernetes-apiserver
ip: null
secrets:
tls:
ca: placeholder
cert: placeholder
key: placeholder
service_account:
public_key: placeholder
private_key: placeholder
etcd:
tls:
ca: placeholder
cert: placeholder
key: placeholder
kubelet:
tls:
ca: null
cert: null
key: null
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- apiserver-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
key_rotate: {}
# typically overriden by environmental
# values, but should include all endpoints
# required by this chart
endpoints:
cluster_domain_suffix: cluster.local
kubernetes_apiserver:
name: kubernetes-apiserver
hosts:
default: kubernetes-apiserver
port:
https:
default: 6443
public: 443
path:
default: /
scheme:
default: https
public: https
host_fqdn_override:
default: null
# NOTE: this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
pod:
mandatory_access_control:
type: apparmor
kubernetes_apiserver_anchor:
anchor: runtime/default
kube-apiserver:
init: runtime/default
apiserver-key-rotate: runtime/default
apiserver:
apiserver: runtime/default
security_context:
kubernetes_apiserver_anchor:
pod:
runAsUser: 65534
container:
anchor:
runAsUser: 0
readOnlyRootFilesystem: false
key_rotate:
pod:
runAsUser: 65534
container:
apiserver_key_rotate:
runAsUser: 0
readOnlyRootFilesystem: false
apiserver:
pod:
runAsUser: 65534
container:
apiserver:
runAsUser: 0
readOnlyRootFilesystem: false
mounts:
# .pod.mounts.kubernetes_apiserver is for the anchor daemonset
kubernetes_apiserver:
init_container: null
kubernetes_apiserver:
# .pod.mounts.apiserver is for the apiserver static pod
apiserver:
apiserver:
# Example mounts for audit logging, refer to .conf.auditpolicy above.
# volumeMounts:
# - name: audit-logs
# mountPath: /var/log/audit
# mountPropagation: HostToContainer
# readOnly: false
# volumes:
# - name: audit-logs
# hostPath:
# path: /var/log/audit
# type: DirectoryOrCreate
replicas:
apiserver: 3
lifecycle:
upgrades:
daemonsets:
pod_replacement_strategy: RollingUpdate
kubernetes-apiserver-anchor:
enabled: false
min_ready_seconds: 0
max_unavailable: 1
termination_grace_period:
kubernetes_apiserver:
timeout: 3600
resources:
enabled: false
anchor_pod:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
key_rotate:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
kubernetes_apiserver:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
probes:
apiserver:
apiserver:
liveness:
enabled: true
params:
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 10
readiness:
enabled: true
params:
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 5
env:
apiserver:
manifests:
configmap_bin: true
configmap_certs: true
configmap_etc: true
ingress_api: false
kubernetes_apiserver: true
secret: true
secret_ingress_tls: false
service: true
service_ingress: false
job_key_rotate: true
View Git Blame Copy Permalink