0c5e2c4830
PS provides possibility to use TLS in etcd (for Calico). The ansible scripts were updated as well. Change-Id: I522a78043a125660153aaa60f13d61ba8e325e75
130 lines
5.6 KiB
YAML
130 lines
5.6 KiB
YAML
{{/*
|
|
Copyright 2017 The Openstack-Helm Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/}}
|
|
|
|
{{- if .Values.manifests.daemonset_calico_etcd }}
|
|
{{- $envAll := . }}
|
|
|
|
{{- $serviceAccountName := "calico-etcd" }}
|
|
{{ tuple $envAll "calico-etcd" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
|
|
|
---
|
|
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
|
|
# to force it to run on the master even when the master isn't schedulable, and uses
|
|
# nodeSelector to ensure it only runs on the master.
|
|
apiVersion: extensions/v1beta1
|
|
kind: DaemonSet
|
|
metadata:
|
|
name: calico-etcd
|
|
annotations:
|
|
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
|
labels:
|
|
k8s-app: calico-etcd
|
|
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: calico-etcd
|
|
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
|
|
template:
|
|
metadata:
|
|
labels:
|
|
k8s-app: calico-etcd
|
|
{{ tuple $envAll "calico" "etcd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
|
annotations:
|
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
|
# Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
|
|
# reserves resources for critical add-on pods so that they can be rescheduled after
|
|
# a failure. This annotation works in tandem with the toleration below.
|
|
scheduler.alpha.kubernetes.io/critical-pod: ''
|
|
spec:
|
|
serviceAccountName: {{ $serviceAccountName }}
|
|
tolerations:
|
|
# This taint is set by all kubelets running `--cloud-provider=external`
|
|
# so we should tolerate it to schedule the Calico pods
|
|
- key: node.cloudprovider.kubernetes.io/uninitialized
|
|
value: "true"
|
|
effect: NoSchedule
|
|
# Allow this pod to run on the master.
|
|
- key: node-role.kubernetes.io/master
|
|
effect: NoSchedule
|
|
# Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
|
|
# This, along with the annotation above marks this pod as a critical add-on.
|
|
- key: CriticalAddonsOnly
|
|
operator: Exists
|
|
# Only run this pod on the master.
|
|
nodeSelector:
|
|
node-role.kubernetes.io/master: ""
|
|
hostNetwork: true
|
|
initContainers:
|
|
{{ tuple $envAll "etcd" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
|
containers:
|
|
- name: calico-etcd
|
|
{{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
env:
|
|
- name: CALICO_ETCD_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.podIP
|
|
command:
|
|
- /usr/local/bin/etcd
|
|
args:
|
|
- --name=calico
|
|
- --data-dir=/var/etcd/calico-data
|
|
{{ if eq .Values.endpoints.etcd.scheme.default "https" }}
|
|
- --client-cert-auth=True
|
|
- --peer-client-cert-auth=True
|
|
- --trusted-ca-file=/etc/calico-certs/ca.crt
|
|
- --cert-file=/etc/calico-certs/server.crt
|
|
- --key-file=/etc/calico-certs/server.key
|
|
- --peer-trusted-ca-file=/etc/calico-certs/ca.crt
|
|
- --peer-cert-file=/etc/calico-certs/server.crt
|
|
- --peer-key-file=/etc/calico-certs/server.key
|
|
{{ end }}
|
|
- --advertise-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
|
- --listen-client-urls={{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
- --listen-peer-urls={{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}://0.0.0.0:{{ tuple "etcd" "internal" "peer" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
|
- --auto-compaction-retention=1
|
|
volumeMounts:
|
|
- name: var-etcd
|
|
mountPath: /var/etcd
|
|
{{ if .Values.conf.etcd.credentials.ca }}
|
|
- name: calico-etcd-secrets
|
|
mountPath: /etc/calico-certs/ca.crt
|
|
subPath: etcd.ca
|
|
readOnly: true
|
|
{{ end }}
|
|
{{ if .Values.conf.etcd.credentials.certificate }}
|
|
- name: calico-etcd-secrets
|
|
mountPath: /etc/calico-certs/server.crt
|
|
subPath: etcd.crt
|
|
readOnly: true
|
|
{{ end }}
|
|
{{ if .Values.conf.etcd.credentials.key }}
|
|
- name: calico-etcd-secrets
|
|
mountPath: /etc/calico-certs/server.key
|
|
subPath: etcd.key
|
|
readOnly: true
|
|
{{ end }}
|
|
volumes:
|
|
- name: var-etcd
|
|
hostPath:
|
|
path: /var/etcd
|
|
- name: calico-etcd-secrets
|
|
secret:
|
|
secretName: calico-etcd-secrets
|
|
{{- end }}
|