openstack-helm-infra/calico/templates/daemonset-calico-etcd.yaml
Dmitrii Kabanov 0c5e2c4830 [Calico] Update TLS settings for Calico
PS provides possibility to use TLS in etcd (for Calico).
The ansible scripts were updated as well.

Change-Id: I522a78043a125660153aaa60f13d61ba8e325e75
2019-01-18 19:53:46 +00:00

130 lines
5.6 KiB
YAML

{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_calico_etcd }}
{{- $envAll := . }}
{{- $serviceAccountName := "calico-etcd" }}
{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
# to force it to run on the master even when the master isn't schedulable, and uses
# nodeSelector to ensure it only runs on the master.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: calico-etcd
annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
labels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
selector:
matchLabels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
template:
metadata:
labels:
k8s-app: calico-etcd
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
# reserves resources for critical add-on pods so that they can be rescheduled after
# a failure. This annotation works in tandem with the toleration below.
scheduler.alpha.kubernetes.io/critical-pod: ''
spec:
serviceAccountName: {{ $serviceAccountName }}
tolerations:
# This taint is set by all kubelets running `--cloud-provider=external`
# so we should tolerate it to schedule the Calico pods
- key: node.cloudprovider.kubernetes.io/uninitialized
value: "true"
effect: NoSchedule
# Allow this pod to run on the master.
- key: node-role.kubernetes.io/master
effect: NoSchedule
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
# This, along with the annotation above marks this pod as a critical add-on.
- key: CriticalAddonsOnly
operator: Exists
# Only run this pod on the master.
nodeSelector:
node-role.kubernetes.io/master: ""
hostNetwork: true
initContainers:
{{ tuple $envAll "etcd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: calico-etcd
{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: CALICO_ETCD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
command:
- /usr/local/bin/etcd
args:
- --name=calico
- --data-dir=/var/etcd/calico-data
{{ if eq .Values.endpoints.etcd.scheme.default "https" }}
- --client-cert-auth=True
- --peer-client-cert-auth=True
- --trusted-ca-file=/etc/calico-certs/ca.crt
- --cert-file=/etc/calico-certs/server.crt
- --key-file=/etc/calico-certs/server.key
- --peer-trusted-ca-file=/etc/calico-certs/ca.crt
- --peer-cert-file=/etc/calico-certs/server.crt
- --peer-key-file=/etc/calico-certs/server.key
{{ end }}
- --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
- --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- --auto-compaction-retention=1
volumeMounts:
- name: var-etcd
mountPath: /var/etcd
{{ if .Values.conf.etcd.credentials.ca }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/ca.crt
subPath: etcd.ca
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.certificate }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/server.crt
subPath: etcd.crt
readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.key }}
- name: calico-etcd-secrets
mountPath: /etc/calico-certs/server.key
subPath: etcd.key
readOnly: true
{{ end }}
volumes:
- name: var-etcd
hostPath:
path: /var/etcd
- name: calico-etcd-secrets
secret:
secretName: calico-etcd-secrets
{{- end }}