├── deploy
    └── helm
    │   └── kubernetes
    │       ├── README.md
    │       ├── templates
    │           ├── selfsigning-issuer.yaml
    │           ├── NOTES.txt
    │           ├── kubeadm-scripts.yaml
    │           ├── kubedns-manifests.yaml
    │           ├── extra-manifests.yaml
    │           ├── konnectivity-manifests.yaml
    │           ├── kubeadm-config.yaml
    │           ├── admin-configmap.yaml
    │           ├── scheduler-configmap.yaml
    │           ├── scheduler-service.yaml
    │           ├── controller-manager-configmap.yaml
    │           ├── konnectivity-server-configmap.yaml
    │           ├── etcd-service.yaml
    │           ├── controller-manager-service.yaml
    │           ├── etcd-backup-persistentvolumeclaim.yaml
    │           ├── apiserver-service.yaml
    │           ├── konnectivity-server-service.yaml
    │           ├── kubeadm-cronjob.yaml
    │           ├── kubernetes-front-proxy-certs.yaml
    │           ├── apiserver-config.yaml
    │           ├── konnectivity-certs.yaml
    │           ├── konnectivity-server-deployment.yaml
    │           ├── kubeadm-job.yaml
    │           ├── etcd-certs.yaml
    │           ├── scheduler-deployment.yaml
    │           ├── admin-deployment.yaml
    │           ├── etcd-backup-cronjob.yaml
    │           ├── controller-manager-deployment.yaml
    │           ├── etcd-statefulset.yaml
    │           ├── _helpers.tpl
    │           ├── kubernetes-certs.yaml
    │           └── apiserver-deployment.yaml
    │       ├── manifests
    │           ├── konnectivity-agent-rbac.yaml
    │           ├── konnectivity-server-rbac.yaml
    │           ├── coredns.yaml
    │           └── konnectivity-agent-deployment.yaml
    │       ├── Chart.yaml
    │       ├── scripts
    │           └── configure-cluster.sh
    │       └── values.yaml
├── docs
    └── README.md
├── hack
    └── version-bump.sh
├── README.md
└── LICENSE


/deploy/helm/kubernetes/README.md:
--------------------------------------------------------------------------------
1 | ../../../README.md


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/selfsigning-issuer.yaml:
--------------------------------------------------------------------------------
1 | {{- $fullName := include "kubernetes.fullname" . -}}
2 | ---
3 | apiVersion: cert-manager.io/v1
4 | kind: Issuer
5 | metadata:
6 |   name: "{{ $fullName }}-selfsigning-issuer"
7 | spec:
8 |   selfSigned: {}
9 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/manifests/konnectivity-agent-rbac.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ServiceAccount
3 | metadata:
4 |   name: konnectivity-agent
5 |   namespace: kube-system
6 |   labels:
7 |     kubernetes.io/cluster-service: "true"
8 |     addonmanager.kubernetes.io/mode: Reconcile
9 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/NOTES.txt:
--------------------------------------------------------------------------------
1 | {{- $fullName := include "kubernetes.fullname" . -}}
2 | {{- $cmd := printf "kubectl exec -n %s -ti deploy/%s-admin -- sh" .Release.Namespace $fullName -}}
3 | 1. {{ $fullName }} cluster deployed.
4 | 
5 |   Get shell in admin container:
6 |     ┌─{{ "─" | repeat (len $cmd) }}─┐
7 |     │ {{           $cmd          }} │
8 |     └─{{ "─" | repeat (len $cmd) }}─┘
9 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/kubeadm-scripts.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or .Values.admin.enabled .Values.admin.job.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: ConfigMap
 6 | metadata:
 7 |   name: {{ $fullName }}-kubeadm-scripts
 8 | data:
 9 |   configure-cluster.sh: |+
10 |     {{- tpl (.Files.Get "scripts/configure-cluster.sh") . | nindent 4 }}
11 | {{- end }}
12 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/kubedns-manifests.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.coredns.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: ConfigMap
 6 | metadata:
 7 |   name: {{ $fullName }}-coredns-manifests
 8 | data:
 9 |   {{- if .Values.coredns.enabled }}
10 |   coredns.yaml: |
11 |     {{- tpl (.Files.Get "manifests/coredns.yaml") . | nindent 4 }}
12 |   {{- end }}
13 | {{- end }}
14 | 


--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
1 | k edit sts generic-kubernetes-etcd # update: --initial-cluster-state=existing
2 | 
3 | k exec -ti pod/generic-kubernetes-etcd-0 -- etcdctl member list -w table
4 | k exec -ti pod/generic-kubernetes-etcd-0 -- etcdctl member remove 3d7220137a2218ca
5 | 
6 | k exec -ti pod/generic-kubernetes-etcd-0 -- etcdctl member add generic-kubernetes-etcd-2 --peer-urls=https://generic-kubernetes-etcd-2.generic-kubernetes-etcd:2380
7 | k exec -ti pod/generic-kubernetes-etcd-0 -- etcdctl endpoint status -w table
8 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/extra-manifests.yaml:
--------------------------------------------------------------------------------
 1 | {{- $fullName := include "kubernetes.fullname" . -}}
 2 | {{- with .Values.extraManifests }}
 3 | ---
 4 | apiVersion: v1
 5 | kind: Secret
 6 | metadata:
 7 |   name: {{ $fullName }}-extra-manifests
 8 | data:
 9 |   {{- range $key, $value := . }}
10 |   {{- if eq (printf "%T" $value) "string" }}
11 |   {{ $key }}: {{ $value | b64enc }}
12 |   {{- else }}
13 |   {{ $key }}: {{ printf "%s\n" (toYaml $value) | b64enc }}
14 |   {{- end }}
15 |   {{- end }}
16 | {{- end }}
17 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/manifests/konnectivity-server-rbac.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: ClusterRoleBinding
 3 | metadata:
 4 |   name: system:konnectivity-server
 5 |   labels:
 6 |     kubernetes.io/cluster-service: "true"
 7 |     addonmanager.kubernetes.io/mode: Reconcile
 8 | roleRef:
 9 |   apiGroup: rbac.authorization.k8s.io
10 |   kind: ClusterRole
11 |   name: system:auth-delegator
12 | subjects:
13 |   - apiGroup: rbac.authorization.k8s.io
14 |     kind: User
15 |     name: system:konnectivity-server
16 | 


--------------------------------------------------------------------------------
/hack/version-bump.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | EC=0
 3 | 
 4 | version=$1
 5 | [ -z "$version" ] && echo "version is not specified as first argument" && exit 1
 6 | 
 7 | echo "bumping version to $version"
 8 | 
 9 | f=README.md
10 | sed -i "s/\(kubernetes --version\) [0-9]\+\.[0-9]\+\.[0-9]\+/\1 ${version}/" README.md
11 | git diff --exit-code "$f" && echo "$f not changed" && EC=1
12 | 
13 | f=deploy/helm/kubernetes/Chart.yaml
14 | sed -i "s/\(^version:\) [0-9]\+\.[0-9]\+\.[0-9]\+/\1 ${version}/" "$f"
15 | git diff --exit-code "$f" && echo "$f not changed" && EC=1
16 | 
17 | if [ "$EC" != 0 ]; then
18 |   echo
19 |   echo "not all files were changed!"
20 | fi
21 | exit "$EC"
22 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/Chart.yaml:
--------------------------------------------------------------------------------
 1 | name: kubernetes
 2 | description: Production-Grade Container Scheduling and Management
 3 | version: 0.13.5
 4 | appVersion: 1.22.4
 5 | icon: https://upload.wikimedia.org/wikipedia/commons/thumb/3/39/Kubernetes_logo_without_workmark.svg/723px-Kubernetes_logo_without_workmark.svg.png
 6 | keywords:
 7 |   - kubernetes
 8 |   - go
 9 |   - cncf
10 |   - containers
11 | home: https://github.com/kubefarm/kubernetes-in-kubernetes
12 | sources:
13 |   - https://github.com/kubefarm/kubernetes-in-kubernetes
14 |   - https://github.com/kubernetes/kubernetes
15 | maintainers:
16 |   - name: kvaps
17 |     email: kvapss@gmail.com
18 |   - name: krakazyabra
19 |     email: pronin.egor@gmail.com
20 |   - name: mrakopes
21 |     email: dave@mtfbwy.cz
22 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/konnectivity-manifests.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or .Values.konnectivityServer.enabled .Values.konnectivityAgent.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: ConfigMap
 6 | metadata:
 7 |   name: {{ $fullName }}-konnectivity-manifests
 8 | data:
 9 |   {{- if .Values.konnectivityServer.enabled }}
10 |   konnectivity-server-rbac.yaml: |
11 |     {{- tpl (.Files.Get "manifests/konnectivity-server-rbac.yaml") . | nindent 4 }}
12 |   {{- end }}
13 |   {{- if .Values.konnectivityAgent.enabled }}
14 |   konnectivity-agent-deployment.yaml: |
15 |     {{- tpl (.Files.Get "manifests/konnectivity-agent-deployment.yaml") . | nindent 4 }}
16 |   konnectivity-agent-rbac.yaml: |
17 |     {{- tpl (.Files.Get "manifests/konnectivity-agent-rbac.yaml") . | nindent 4 }}
18 |   {{- end }}
19 | {{- end }}
20 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/kubeadm-config.yaml:
--------------------------------------------------------------------------------
 1 | {{- if or .Values.admin.enabled .Values.admin.job.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: ConfigMap
 6 | metadata:
 7 |   name: {{ $fullName }}-kubeadm-config
 8 | data:
 9 |   kubeadmcfg.yaml: |+
10 |     apiVersion: kubeadm.k8s.io/v1beta3
11 |     kind: ClusterConfiguration
12 |     {{- if .Values.controlPlaneEndpoint }}
13 |     controlPlaneEndpoint: {{ .Values.controlPlaneEndpoint }}
14 |     {{- else }}
15 |     controlPlaneEndpoint: {{ $fullName }}-apiserver:{{ .Values.apiServer.service.port }}
16 |     {{- end }}
17 |     {{- with .Values.networking }}
18 |     networking:
19 |       dnsDomain: {{ .dnsDomain }}
20 |       {{- with .podSubnet }}
21 |       podSubnet: {{ . }}
22 |       {{- end }}
23 |       serviceSubnet: {{ .serviceSubnet }}
24 |     {{- end }}
25 | {{- end }}
26 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/admin-configmap.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.admin.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: ConfigMap
 6 | metadata:
 7 |   name: {{ $fullName }}-admin-conf
 8 | data:
 9 |   admin.conf: |
10 |     apiVersion: v1
11 |     clusters:
12 |     - cluster:
13 |         certificate-authority: /pki/admin-client/ca.crt
14 |         server: https://{{ $fullName }}-apiserver:{{ .Values.apiServer.service.port }}
15 |       name: default-cluster
16 |     contexts:
17 |     - context:
18 |         cluster: default-cluster
19 |         namespace: default
20 |         user: default-auth
21 |       name: default-context
22 |     current-context: default-context
23 |     kind: Config
24 |     preferences: {}
25 |     users:
26 |     - name: default-auth
27 |       user:
28 |         client-certificate: /pki/admin-client/tls.crt
29 |         client-key: /pki/admin-client/tls.key
30 | {{- end }}
31 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/scheduler-configmap.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.scheduler.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: ConfigMap
 6 | metadata:
 7 |   name: {{ $fullName }}-scheduler-conf
 8 | data:
 9 |   scheduler.conf: |
10 |     apiVersion: v1
11 |     clusters:
12 |     - cluster:
13 |         certificate-authority: /pki/scheduler-client/ca.crt
14 |         server: https://{{ $fullName }}-apiserver:{{ .Values.apiServer.service.port }}
15 |       name: default-cluster
16 |     contexts:
17 |     - context:
18 |         cluster: default-cluster
19 |         namespace: default
20 |         user: default-auth
21 |       name: default-context
22 |     current-context: default-context
23 |     kind: Config
24 |     preferences: {}
25 |     users:
26 |     - name: default-auth
27 |       user:
28 |         client-certificate: /pki/scheduler-client/tls.crt
29 |         client-key: /pki/scheduler-client/tls.key
30 | {{- end }}
31 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/scheduler-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.scheduler.enabled .Values.scheduler.service.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: Service
 6 | metadata:
 7 |   name: {{ $fullName }}-scheduler
 8 |   labels:
 9 |     app: {{ $fullName }}-scheduler
10 |     {{- with .Values.scheduler.service.labels }}
11 |     {{- toYaml . | nindent 4 }}
12 |     {{- end }}
13 |   {{- with .Values.scheduler.service.annotations }}
14 |   annotations:
15 |     {{- toYaml . | nindent 4 }}
16 |   {{- end }}
17 | spec:
18 |   type: {{ .Values.scheduler.service.type }}
19 |   {{- with .Values.scheduler.service.loadBalancerIP }}
20 |   loadBalancerIP: {{ . }}
21 |   {{- end }}
22 |   ports:
23 |   - port: {{ .Values.scheduler.service.port }}
24 |     name: client
25 |     {{- with .Values.scheduler.service.nodePort }}
26 |     nodePort: {{ . }}
27 |     {{- end }}
28 |   selector:
29 |     app: {{ $fullName }}-scheduler
30 | {{- end }}
31 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/controller-manager-configmap.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.controllerManager.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: ConfigMap
 6 | metadata:
 7 |   name: {{ $fullName }}-controller-manager-conf
 8 | data:
 9 |   controller-manager.conf: |
10 |     apiVersion: v1
11 |     clusters:
12 |     - cluster:
13 |         certificate-authority: /pki/controller-manager-client/ca.crt
14 |         server: https://{{ $fullName }}-apiserver:{{ .Values.apiServer.service.port }}
15 |       name: default-cluster
16 |     contexts:
17 |     - context:
18 |         cluster: default-cluster
19 |         namespace: default
20 |         user: default-auth
21 |       name: default-context
22 |     current-context: default-context
23 |     kind: Config
24 |     preferences: {}
25 |     users:
26 |     - name: default-auth
27 |       user:
28 |         client-certificate: /pki/controller-manager-client/tls.crt
29 |         client-key: /pki/controller-manager-client/tls.key
30 | {{- end }}
31 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/konnectivity-server-configmap.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.konnectivityServer.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: ConfigMap
 6 | metadata:
 7 |   name: {{ $fullName }}-konnectivity-server-conf
 8 | data:
 9 |   konnectivity-server.conf: |
10 |     apiVersion: v1
11 |     clusters:
12 |     - cluster:
13 |         certificate-authority: /pki/konnectivity-server-client/ca.crt
14 |         server: https://{{ $fullName }}-apiserver:{{ .Values.apiServer.service.port }}
15 |       name: default-cluster
16 |     contexts:
17 |     - context:
18 |         cluster: default-cluster
19 |         namespace: default
20 |         user: default-auth
21 |       name: default-context
22 |     current-context: default-context
23 |     kind: Config
24 |     preferences: {}
25 |     users:
26 |     - name: default-auth
27 |       user:
28 |         client-certificate: /pki/konnectivity-server-client/tls.crt
29 |         client-key: /pki/konnectivity-server-client/tls.key
30 | {{- end }}
31 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/etcd-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.etcd.enabled .Values.etcd.service.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: Service
 6 | metadata:
 7 |   name: {{ $fullName }}-etcd
 8 |   labels:
 9 |     app: {{ $fullName }}-etcd
10 |     {{- with .Values.etcd.service.labels }}
11 |     {{- toYaml . | nindent 4 }}
12 |     {{- end }}
13 |   {{- with .Values.etcd.service.annotations }}
14 |   annotations:
15 |     {{- toYaml . | nindent 4 }}
16 |   {{- end }}
17 | spec:
18 |   type: {{ .Values.etcd.service.type }}
19 |   {{- with .Values.etcd.service.loadBalancerIP }}
20 |   loadBalancerIP: {{ . }}
21 |   {{- end }}
22 |   publishNotReadyAddresses: true
23 |   clusterIP: None
24 |   ports:
25 |   - port: {{ .Values.etcd.service.ports.client }}
26 |     name: client
27 |   - port: {{ .Values.etcd.service.ports.peer }}
28 |     name: peer
29 |   - port: {{ .Values.etcd.service.ports.metrics }}
30 |     name: metrics
31 |   selector:
32 |     app: {{ $fullName }}-etcd
33 | {{- end }}
34 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/controller-manager-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.controllerManager.enabled .Values.controllerManager.service.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: Service
 6 | metadata:
 7 |   name: {{ $fullName }}-controller-manager
 8 |   labels:
 9 |     app: {{ $fullName }}-controller-manager
10 |     {{- with .Values.controllerManager.service.labels }}
11 |     {{- toYaml . | nindent 4 }}
12 |     {{- end }}
13 |   {{- with .Values.controllerManager.service.annotations }}
14 |   annotations:
15 |     {{- toYaml . | nindent 4 }}
16 |   {{- end }}
17 | spec:
18 |   type: {{ .Values.controllerManager.service.type }}
19 |   {{- with .Values.controllerManager.service.loadBalancerIP }}
20 |   loadBalancerIP: {{ . }}
21 |   {{- end }}
22 |   ports:
23 |   - port: {{ .Values.controllerManager.service.port }}
24 |     name: client
25 |     {{- with .Values.controllerManager.service.nodePort }}
26 |     nodePort: {{ . }}
27 |     {{- end }}
28 |   selector:
29 |     app: {{ $fullName }}-controller-manager
30 | {{- end }}
31 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/etcd-backup-persistentvolumeclaim.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.etcd.backup.enabled (not .Values.persistence.backup.existingClaim)  }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | kind: PersistentVolumeClaim
 5 | apiVersion: v1
 6 | metadata:
 7 |   name: etcd-backup-{{ $fullName }}-etcd
 8 |   labels:
 9 |     app: {{ $fullName }}-etcd
10 |     {{- if .Values.persistence.backup.labels }}
11 |     {{- toYaml .Values.persistence.backup.labels | nindent 4 }}
12 |     {{- end }}
13 |   annotations:
14 |     helm.sh/resource-policy: keep
15 |     {{- with .Values.persistence.backup.annotations  }}
16 |     {{- toYaml . | nindent 4 }}
17 |     {{- end }}
18 |   {{- with .Values.persistence.backup.finalizers  }}
19 |   finalizers:
20 |     {{- toYaml . | nindent 4 }}
21 |   {{- end }}
22 | spec:
23 |   accessModes:
24 |     {{- range .Values.persistence.backup.accessModes }}
25 |     - {{ . | quote }}
26 |     {{- end }}
27 |   {{- if .Values.persistence.backup.storageClassName }}
28 |   storageClassName: {{ .Values.persistence.backup.storageClassName }}
29 |   {{- end }}
30 |   resources:
31 |     requests:
32 |       storage: {{ .Values.persistence.backup.size | quote }}
33 | {{- end }}
34 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/apiserver-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.apiServer.enabled .Values.apiServer.service.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: Service
 6 | metadata:
 7 |   name: {{ $fullName }}-apiserver
 8 |   labels:
 9 |     app: {{ $fullName }}-apiserver
10 |     {{- with .Values.apiServer.service.labels }}
11 |     {{- toYaml . | nindent 4 }}
12 |     {{- end }}
13 |   annotations:
14 |     {{- with .Values.apiServer.service.annotations }}
15 |     {{- toYaml . | nindent 4 }}
16 |     {{- end }}
17 | spec:
18 |   type: {{ .Values.apiServer.service.type }}
19 |   {{- with .Values.apiServer.service.loadBalancerIP }}
20 |   loadBalancerIP: {{ . }}
21 |   {{- end }}
22 |   ports:
23 |   - port: {{ .Values.apiServer.service.port }}
24 |     name: client
25 |     {{- with .Values.apiServer.service.nodePort }}
26 |     nodePort: {{ . }}
27 |     {{- end }}
28 |   {{- if and .Values.konnectivityServer.enabled .Values.konnectivityServer.service.enabled (eq .Values.konnectivityServer.mode "GRPC") }}
29 |   - port: {{ .Values.konnectivityServer.ports.agent }}
30 |     name: agent
31 |     {{- with .Values.konnectivityServer.service.nodePorts.client }}
32 |     nodePort: {{ . }}
33 |     {{- end }}
34 |   {{- end }}
35 |   selector:
36 |     app: {{ $fullName }}-apiserver
37 | {{- end }}
38 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/konnectivity-server-service.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.konnectivityServer.enabled .Values.konnectivityServer.service.enabled (eq .Values.konnectivityServer.mode "HTTPConnect") }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: v1
 5 | kind: Service
 6 | metadata:
 7 |   name: {{ $fullName }}-konnectivity-server
 8 |   labels:
 9 |     app: {{ $fullName }}-konnectivity-server
10 |     {{- with .Values.konnectivityServer.service.labels }}
11 |     {{- toYaml . | nindent 4 }}
12 |     {{- end }}
13 |   annotations:
14 |     {{- with .Values.konnectivityServer.service.annotations }}
15 |     {{- toYaml . | nindent 4 }}
16 |     {{- end }}
17 | spec:
18 |   type: {{ .Values.konnectivityServer.service.type }}
19 |   {{- with .Values.konnectivityServer.service.loadBalancerIP }}
20 |   loadBalancerIP: {{ . }}
21 |   {{- end }}
22 |   ports:
23 |   - port: {{ .Values.konnectivityServer.ports.server }}
24 |     name: server
25 |     {{- with .Values.konnectivityServer.service.nodePorts.server }}
26 |     nodePort: {{ . }}
27 |     {{- end }}
28 |   - port: {{ .Values.konnectivityServer.ports.agent }}
29 |     name: agent
30 |     {{- with .Values.konnectivityServer.service.nodePorts.client }}
31 |     nodePort: {{ . }}
32 |     {{- end }}
33 |   selector:
34 |     app: {{ $fullName }}-konnectivity-server
35 | {{- end }}
36 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/kubeadm-cronjob.yaml:
--------------------------------------------------------------------------------
 1 | {{- if .Values.admin.job.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: batch/v1
 5 | kind: CronJob
 6 | metadata:
 7 |   name: "{{ $fullName }}-kubeadm-tasks"
 8 |   labels:
 9 |     app: "{{ $fullName }}-kubeadm-tasks"
10 |     {{- with .Values.admin.job.labels }}
11 |     {{- toYaml . | nindent 4 }}
12 |     {{- end }}
13 |     {{- with .Values.admin.job.annotations }}
14 |     annotations:
15 |       {{- toYaml . | nindent 4 }}
16 |     {{- end }}
17 | spec:
18 |   schedule: "{{ .Values.admin.job.schedule }}"
19 |   successfulJobsHistoryLimit: {{ .Values.admin.job.successfulJobsHistoryLimit }}
20 |   failedJobsHistoryLimit: {{ .Values.admin.job.failedJobsHistoryLimit }}
21 |   jobTemplate:
22 |     metadata:
23 |       labels:
24 |         app: "{{ $fullName }}-kubeadm-tasks"
25 |         {{- with .Values.admin.job.labels }}
26 |         {{- toYaml . | nindent 4 }}
27 |         {{- end }}
28 |       annotations:
29 |         checksum/config: {{ include (print $.Template.BasePath "/kubeadm-config.yaml") . | sha256sum }}
30 |         checksum/scripts: {{ include (print $.Template.BasePath "/kubeadm-scripts.yaml") . | sha256sum }}
31 |         {{- with .Values.admin.job.annotations }}
32 |         {{- toYaml . | nindent 8 }}
33 |         {{- end }}
34 |     spec:
35 |       template:
36 |         {{- (include (print $.Template.BasePath "/kubeadm-job.yaml") . | fromYaml ).spec.template | toYaml | nindent 8 }}
37 | {{- end }}
38 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Kubernetes-in-Kubernetes
 2 | 
 3 | Deploy Kubernetes in Kubernetes using Helm
 4 | 
 5 | ![demo](https://gist.githubusercontent.com/kvaps/3cc5d772d750f8f2d36a76d00c3342b1/raw/8596ae812e83d186d0d57d448159b05f84cb0d53/kubernetes-in-kubernetes.gif)
 6 | 
 7 | ## Requirements
 8 | 
 9 | * Kubernetes v1.21+
10 | * Helm v3
11 | * cert-manager v1.0.0+
12 | 
13 | ## Quick Start
14 | 
15 | ### Preparation
16 | 
17 | * Install [cert-manager].
18 | 
19 | * If you running over [minikube] you might also need to install a provisioner, you can use [local-path-provisioner] for example.
20 | 
21 | [cert-manager]: https://cert-manager.io/docs/installation
22 | [minikube]: https://github.com/kubernetes/minikube
23 | [local-path-provisioner]: https://github.com/rancher/local-path-provisioner#installation
24 | 
25 | ### Installation
26 | 
27 | ```bash
28 | helm repo add kvaps https://kvaps.github.io/charts
29 | helm install foo kvaps/kubernetes --version 0.13.5 \
30 |   --namespace foo \
31 |   --create-namespace \
32 |   --set persistence.storageClassName=local-path
33 | ```
34 | 
35 | ### Cleanup
36 | 
37 | ```bash
38 | kubectl delete namespace foo
39 | ```
40 | 
41 | ## Usage
42 | 
43 | Kubernetes-in-Kubernetes is just a control plane, in most cases it's useless without workers.  
44 | If you're looking for a real use case, check out the following projects that implement worker nodes management:
45 | 
46 | * **[Kubefarm]** - Automated Kubernetes deployment and the PXE-bootable servers farm
47 | 
48 | [kubefarm]: https://github.com/kubefarm/kubefarm
49 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/kubernetes-front-proxy-certs.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.apiServer.enabled }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | {{- $certName := include "kubernetes.certname" . -}}
 4 | ---
 5 | apiVersion: cert-manager.io/v1
 6 | kind: Certificate
 7 | metadata:
 8 |   name: "{{ $fullName }}-pki-front-proxy-ca"
 9 | spec:
10 |   commonName: "{{ $certName }}-front-proxy-ca"
11 |   secretName: "{{ $fullName }}-pki-front-proxy-ca"
12 |   duration: 87600h # 3650d
13 |   renewBefore: 8760h # 365d
14 |   subject:
15 |     organizations:
16 |     - "{{ $fullName }}"
17 |   usages:
18 |   - "signing"
19 |   - "key encipherment"
20 |   - "cert sign"
21 |   isCA: true
22 |   issuerRef:
23 |     name: "{{ $fullName }}-selfsigning-issuer"
24 |     kind: Issuer
25 | ---
26 | apiVersion: cert-manager.io/v1
27 | kind: Issuer
28 | metadata:
29 |   name: "{{ $fullName }}-front-proxy-issuer"
30 | spec:
31 |   ca:
32 |     secretName: "{{ $fullName }}-pki-front-proxy-ca"
33 | ---
34 | apiVersion: cert-manager.io/v1
35 | kind: Certificate
36 | metadata:
37 |   name: "{{ $fullName }}-pki-front-proxy-client"
38 | spec:
39 |   commonName: "{{ $certName }}-front-proxy-client"
40 |   secretName: "{{ $fullName }}-pki-front-proxy-client"
41 |   duration: 8760h # 365d
42 |   renewBefore: 4380h # 178d
43 |   subject:
44 |     organizations:
45 |     - "system:masters"
46 |   usages:
47 |   - "signing"
48 |   - "key encipherment"
49 |   - "client auth"
50 |   issuerRef:
51 |     name: "{{ $fullName }}-front-proxy-issuer"
52 |     kind: Issuer
53 | {{- end }}
54 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/apiserver-config.yaml:
--------------------------------------------------------------------------------
 1 | {{- $fullName := include "kubernetes.fullname" . -}}
 2 | ---
 3 | apiVersion: v1
 4 | kind: ConfigMap
 5 | metadata:
 6 |   name: {{ $fullName }}-apiserver-config
 7 | data:
 8 |   egress-selector-configuration.yaml: |
 9 |     apiVersion: apiserver.k8s.io/v1beta1
10 |     kind: EgressSelectorConfiguration
11 |     egressSelections:
12 |     - name: cluster
13 |       connection:
14 |         {{- if and .Values.konnectivityServer.enabled }}
15 |         {{- if has .Values.konnectivityServer.mode (list "HTTPConnect" "GRPC") }}
16 |         proxyProtocol: {{ .Values.konnectivityServer.mode }}
17 |         {{- else }}
18 |         {{- fail ".Values.konnectivityServer.mode supports only \"HTTPConnect\" and \"GRPC\" values" }}
19 |         {{- end }}
20 |         transport:
21 |           {{- if eq .Values.konnectivityServer.mode "GRPC" }}
22 |           uds:
23 |             udsName: /run/konnectivity-server/konnectivity-server.socket
24 |           {{- else }}
25 |           tcp:
26 |             url: "https://{{ $fullName }}-konnectivity-server:8131"
27 |             TLSConfig:
28 |               caBundle: /pki/konnectivity-client/ca.crt
29 |               clientKey: /pki/konnectivity-client/tls.key
30 |               clientCert: /pki/konnectivity-client/tls.crt
31 |           {{- end }}
32 |         {{- else }}
33 |         proxyProtocol: Direct
34 |         {{- end }}
35 |     - name: master
36 |       connection:
37 |         proxyProtocol: Direct
38 |     - name: etcd
39 |       connection:
40 |         proxyProtocol: Direct
41 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/konnectivity-certs.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.konnectivityServer.enabled (eq .Values.konnectivityServer.mode "HTTPConnect") }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | {{- $certName := include "kubernetes.certname" . -}}
 4 | ---
 5 | apiVersion: cert-manager.io/v1
 6 | kind: Certificate
 7 | metadata:
 8 |   name: "{{ $fullName }}-pki-konnectivity-ca"
 9 | spec:
10 |   commonName: "{{ $certName }}-konnectivity-ca"
11 |   secretName: "{{ $fullName }}-pki-konnectivity-ca"
12 |   duration: 87600h # 3650d
13 |   renewBefore: 8760h # 365d
14 |   subject:
15 |     organizations:
16 |     - "{{ $fullName }}"
17 |   usages:
18 |   - "signing"
19 |   - "key encipherment"
20 |   - "cert sign"
21 |   isCA: true
22 |   issuerRef:
23 |     name: "{{ $fullName }}-selfsigning-issuer"
24 |     kind: Issuer
25 | ---
26 | apiVersion: cert-manager.io/v1
27 | kind: Issuer
28 | metadata:
29 |   name: "{{ $fullName }}-konnectivity-issuer"
30 | spec:
31 |   ca:
32 |     secretName: "{{ $fullName }}-pki-konnectivity-ca"
33 | 
34 | ---
35 | {{- $svcName1 := printf "%s-konnectivity-server" $fullName }}
36 | {{- $svcName2 := printf "%s-konnectivity-server.%s" $fullName .Release.Namespace }}
37 | {{- $svcName3 := printf "%s-konnectivity-server.%s.svc" $fullName .Release.Namespace }}
38 | apiVersion: cert-manager.io/v1
39 | kind: Certificate
40 | metadata:
41 |   name: "{{ $fullName }}-pki-konnectivity-server"
42 | spec:
43 |   commonName: "{{ $certName }}-konnectivity-server"
44 |   secretName: "{{ $fullName }}-pki-konnectivity-server"
45 |   duration: 8760h # 365d
46 |   renewBefore: 4380h # 178d
47 |   subject:
48 |     organizations:
49 |     - "{{ $fullName }}"
50 |   usages:
51 |   - "signing"
52 |   - "key encipherment"
53 |   - "server auth"
54 |   dnsNames:
55 |   - "{{ $svcName1 }}"
56 |   - "{{ $svcName2 }}"
57 |   - "{{ $svcName3 }}"
58 |   - "localhost"
59 |   ipAddresses:
60 |   - "127.0.0.1"
61 |   issuerRef:
62 |     name: "{{ $fullName }}-konnectivity-issuer"
63 |     kind: Issuer
64 | ---
65 | apiVersion: cert-manager.io/v1
66 | kind: Certificate
67 | metadata:
68 |   name: "{{ $fullName }}-pki-konnectivity-client"
69 | spec:
70 |   commonName: "{{ $certName }}-konnectivity-client"
71 |   secretName: "{{ $fullName }}-pki-konnectivity-client"
72 |   duration: 8760h # 365d
73 |   renewBefore: 4380h # 178d
74 |   subject:
75 |     organizations:
76 |     - "system:masters"
77 |   usages:
78 |   - "signing"
79 |   - "key encipherment"
80 |   - "client auth"
81 |   issuerRef:
82 |     name: "{{ $fullName }}-konnectivity-issuer"
83 |     kind: Issuer
84 | {{- end }}
85 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/konnectivity-server-deployment.yaml:
--------------------------------------------------------------------------------
 1 | {{- if and .Values.konnectivityServer.enabled (eq .Values.konnectivityServer.mode "HTTPConnect") }}
 2 | {{- $fullName := include "kubernetes.fullname" . -}}
 3 | ---
 4 | apiVersion: apps/v1
 5 | kind: Deployment
 6 | metadata:
 7 |   name: "{{ $fullName }}-konnectivity-server"
 8 |   labels:
 9 |     app: "{{ $fullName }}-konnectivity-server"
10 |     {{- with .Values.konnectivityServer.labels }}
11 |     {{- toYaml . | nindent 4 }}
12 |     {{- end }}
13 |     {{- with .Values.konnectivityServer.annotations }}
14 |     annotations:
15 |       {{- toYaml . | nindent 4 }}
16 |     {{- end }}
17 | spec:
18 |   replicas: {{ .Values.konnectivityServer.replicaCount }}
19 |   selector:
20 |     matchLabels:
21 |       app: "{{ $fullName }}-konnectivity-server"
22 |   template:
23 |     metadata:
24 |       labels:
25 |         app: "{{ $fullName }}-konnectivity-server"
26 |         {{- with .Values.konnectivityServer.podLabels }}
27 |         {{- toYaml . | nindent 8 }}
28 |         {{- end }}
29 |       {{- with .Values.konnectivityServer.podAnnotations }}
30 |       annotations:
31 |         {{- toYaml . | nindent 8 }}
32 |       {{- end }}
33 |     spec:
34 |       {{- with .Values.konnectivityServer.nodeSelector }}
35 |       nodeSelector:
36 |         {{- toYaml . | nindent 8 }}
37 |       {{- end }}
38 |       {{- with .Values.konnectivityServer.tolerations }}
39 |       tolerations:
40 |       {{- toYaml . | nindent 6 }}
41 |       {{- end }}
42 |       {{- if or .Values.konnectivityServer.affinity .Values.konnectivityServer.podAntiAffinity }}
43 |       affinity:
44 |         {{- with .Values.konnectivityServer.affinity }}
45 |         {{- toYaml . | nindent 8 }}
46 |         {{- end }}
47 |         {{- if eq .Values.konnectivityServer.podAntiAffinity "hard" }}
48 |         podAntiAffinity:
49 |           requiredDuringSchedulingIgnoredDuringExecution:
50 |             - topologyKey: "{{ .Values.konnectivityServer.podAntiAffinityTopologyKey }}"
51 |               labelSelector:
52 |                 matchLabels:
53 |                   app: {{ $fullName }}-konnectivity-server
54 |         {{- else if eq .Values.konnectivityServer.podAntiAffinity "soft" }}
55 |         podAntiAffinity:
56 |           preferredDuringSchedulingIgnoredDuringExecution:
57 |             - weight: 1
58 |               podAffinityTerm:
59 |                 topologyKey: "{{ .Values.konnectivityServer.podAntiAffinityTopologyKey }}"
60 |                 labelSelector:
61 |                   matchLabels:
62 |                     app: {{ $fullName }}-konnectivity-server
63 |         {{- end }}
64 |       {{- end }}
65 |       {{- with .Values.konnectivityServer.image.pullSecrets }}
66 |       imagePullSecrets:
67 |         {{- toYaml . | nindent 10 }}
68 |       {{- end }}
69 |       automountServiceAccountToken: false
70 |       containers:
71 |       {{ template "kubernetes.konnectivityServer.containers" . }}
72 |       {{- with .Values.konnectivityServer.sidecars }}
73 |       {{- toYaml . | nindent 6 }}
74 |       {{- end }}
75 |       securityContext:
76 |         seccompProfile:
77 |           type: RuntimeDefault
78 |       {{ template "kubernetes.konnectivityServer.volumes" . }}
79 | {{- end }}
80 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/scripts/configure-cluster.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | set -e
 3 | set -x
 4 | ENDPOINT=$(awk -F'[ "]+' '$1 == "controlPlaneEndpoint:" {print $2}' /config/kubeadmcfg.yaml)
 5 | 
 6 | # ------------------------------------------------------------------------------
 7 | # Update secrets and component configs
 8 | # ------------------------------------------------------------------------------
 9 | 
10 | # wait for cluster
11 | echo "Waiting for api-server endpoint ${ENDPOINT}..."
12 | until kubectl cluster-info >/dev/null 2>/dev/null; do
13 |   sleep 1
14 | done
15 | 
16 | # ------------------------------------------------------------------------------
17 | # Cluster configuration
18 | # ------------------------------------------------------------------------------
19 | export KUBECONFIG=/etc/kubernetes/admin.conf
20 | 
21 | # upload configuration
22 | # TODO: https://github.com/kubefarm/kubernetes-in-kubernetes/issues/6
23 | kubeadm init phase upload-config kubeadm --config /config/kubeadmcfg.yaml
24 | 
25 | # upload configuration
26 | # TODO: https://github.com/kubefarm/kubernetes-in-kubernetes/issues/5
27 | kubeadm init phase upload-config kubelet --config /config/kubeadmcfg.yaml -v1 2>&1 |
28 |   while read line; do echo "$line" | grep 'Preserving the CRISocket information for the control-plane node' && killall kubeadm || echo "$line"; done
29 | 
30 | # setup bootstrap-tokens
31 | # TODO: https://github.com/kubefarm/kubernetes-in-kubernetes/issues/7
32 | # TODO: https://github.com/kubernetes/kubernetes/issues/98881
33 | flatconfig=$(mktemp)
34 | kubectl config view --flatten > "$flatconfig"
35 | kubeadm init phase bootstrap-token --config /config/kubeadmcfg.yaml --skip-token-print --kubeconfig="$flatconfig"
36 | rm -f "$flatconfig"
37 | 
38 | # correct apiserver address for the external clients
39 | kubectl apply -n kube-public -f - <<EOT
40 | apiVersion: v1
41 | kind: ConfigMap
42 | metadata:
43 |   name: cluster-info
44 | data:
45 |   kubeconfig: |
46 |     apiVersion: v1
47 |     clusters:
48 |     - cluster:
49 |         certificate-authority-data: $(base64 /pki/admin-client/ca.crt | tr -d '\n')
50 |         server: https://${ENDPOINT}
51 |       name: ""
52 |     contexts: null
53 |     current-context: ""
54 |     kind: Config
55 |     preferences: {}
56 |     users: null
57 | EOT
58 | 
59 | {{- if .Values.konnectivityServer.enabled }}{{"\n"}}
60 | # install konnectivity server
61 | kubectl apply -f /manifests/konnectivity-server-rbac.yaml
62 | {{- else }}{{"\n"}}
63 | kubectl delete -f /manifests/konnectivity-server-rbac.yaml 2>/dev/null || true
64 | {{- end }}
65 | 
66 | {{- if .Values.konnectivityAgent.enabled }}{{"\n"}}
67 | # install konnectivity agent
68 | kubectl apply -f /manifests/konnectivity-agent-deployment.yaml -f /manifests/konnectivity-agent-rbac.yaml
69 | {{- else }}{{"\n"}}
70 | # uninstall konnectivity agent
71 | kubectl delete -f /manifests/konnectivity-agent-deployment.yaml -f /manifests/konnectivity-agent-rbac.yaml 2>/dev/null || true
72 | {{- end }}
73 | 
74 | {{- if .Values.coredns.enabled }}{{"\n"}}
75 | # install coredns addon
76 | kubectl apply -f /manifests/coredns.yaml
77 | {{- else }}{{"\n"}}
78 | # uninstall coredns addon
79 | kubectl delete -f /manifests/coredns.yaml 2>/dev/null || true
80 | {{- end }}
81 | 
82 | {{- if .Values.kubeProxy.enabled }}{{"\n"}}
83 | # install kube-proxy addon
84 | # TODO: https://github.com/kubefarm/kubernetes-in-kubernetes/issues/4
85 | kubeadm init phase addon kube-proxy --config /config/kubeadmcfg.yaml
86 | {{- else }}{{"\n"}}
87 | # uninstall kube-proxy addon
88 | kubectl -n kube-system delete configmap/kube-proxy daemonset/kube-proxy 2>/dev/null || true
89 | {{- end }}
90 | 
91 | {{- with .Values.extraManifests }}{{"\n"}}
92 | kubectl apply{{- range $key, $value := . }} -f /manifests/{{ $key }}{{- end }}
93 | {{- end }}
94 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/kubeadm-job.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.admin.job.enabled }}
  2 | {{- $fullName := include "kubernetes.fullname" . -}}
  3 | ---
  4 | apiVersion: batch/v1
  5 | kind: Job
  6 | metadata:
  7 |   name: "{{ $fullName }}-kubeadm-tasks"
  8 |   labels:
  9 |     app: "{{ $fullName }}-kubeadm-tasks"
 10 |     {{- with .Values.admin.labels }}
 11 |     {{- toYaml . | nindent 4 }}
 12 |     {{- end }}
 13 |   annotations:
 14 |     helm.sh/hook: post-install,post-upgrade
 15 |     helm.sh/hook-delete-policy: before-hook-creation
 16 |     checksum/config: {{ include (print $.Template.BasePath "/kubeadm-config.yaml") . | sha256sum }}
 17 |     checksum/scripts: {{ include (print $.Template.BasePath "/kubeadm-scripts.yaml") . | sha256sum }}
 18 |     {{- with .Values.admin.annotations }}
 19 |     {{- toYaml . | nindent 4 }}
 20 |     {{- end }}
 21 | spec:
 22 |   template:
 23 |     metadata:
 24 |       labels:
 25 |         app: "{{ $fullName }}-kubeadm-tasks"
 26 |         {{- with .Values.admin.podLabels }}
 27 |         {{- toYaml . | nindent 8 }}
 28 |         {{- end }}
 29 |       {{- with .Values.admin.podAnnotations }}
 30 |       annotations:
 31 |         {{- toYaml . | nindent 8 }}
 32 |       {{- end }}
 33 |     spec:
 34 |       {{- with .Values.admin.nodeSelector }}
 35 |       nodeSelector:
 36 |         {{- toYaml . | nindent 8 }}
 37 |       {{- end }}
 38 |       {{- with .Values.admin.tolerations }}
 39 |       tolerations:
 40 |       {{- toYaml . | nindent 6 }}
 41 |       {{- end }}
 42 |       {{- with .Values.admin.affinity }}
 43 |       affinity:
 44 |         {{- toYaml . | nindent 8 }}
 45 |       {{- end }}
 46 |       {{- with .Values.admin.image.pullSecrets }}
 47 |       imagePullSecrets:
 48 |         {{- toYaml . | nindent 10 }}
 49 |       {{- end }}
 50 |       automountServiceAccountToken: false
 51 |       restartPolicy: OnFailure
 52 |       containers:
 53 |       - name: kubeadm
 54 |         {{- with .Values.admin.image }}
 55 |         image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
 56 |         imagePullPolicy: {{ .pullPolicy }}
 57 |         {{- end }}
 58 |         command: [ '/scripts/configure-cluster.sh' ]
 59 |         env:
 60 |         - name: KUBECONFIG
 61 |           value: "/etc/kubernetes/admin.conf"
 62 |         {{- with .Values.admin.extraEnv }}
 63 |         {{- toYaml . | nindent 8 }}
 64 |         {{- end }}
 65 |         volumeMounts:
 66 |         - mountPath: /etc/kubernetes/
 67 |           name: kubeconfig
 68 |           readOnly: true
 69 |         - mountPath: /pki/admin-client
 70 |           name: pki-admin-client
 71 |         - mountPath: /scripts
 72 |           name: scripts
 73 |         {{- if or .Values.extraManifests .Values.konnectivityServer.enabled .Values.konnectivityAgent.enabled .Values.coredns.enabled }}
 74 |         - mountPath: /manifests
 75 |           name: manifests
 76 |         {{- end }}
 77 |         - mountPath: /config
 78 |           name: config
 79 |         {{- with .Values.admin.extraVolumeMounts }}
 80 |         {{- toYaml . | nindent 8 }}
 81 |         {{- end }}
 82 |       {{- with .Values.admin.sidecars }}
 83 |       {{- toYaml . | nindent 6 }}
 84 |       {{- end }}
 85 |       volumes:
 86 |       - configMap:
 87 |           name: "{{ $fullName }}-admin-conf"
 88 |         name: kubeconfig
 89 |       - secret:
 90 |           secretName: "{{ $fullName }}-pki-admin-client"
 91 |         name: pki-admin-client
 92 |       - name: scripts
 93 |         configMap:
 94 |           name: "{{ $fullName }}-kubeadm-scripts"
 95 |           defaultMode: 0777
 96 |       {{- if or .Values.extraManifests .Values.konnectivityServer.enabled .Values.konnectivityAgent.enabled .Values.coredns.enabled }}
 97 |       - name: manifests
 98 |         projected:
 99 |           sources:
100 |           {{- if or .Values.extraManifests }}
101 |           - secret:
102 |               name: "{{ $fullName }}-extra-manifests"
103 |           {{- end }}
104 |           {{- if or .Values.konnectivityServer.enabled .Values.konnectivityAgent.enabled }}
105 |           - configMap:
106 |               name: "{{ $fullName }}-konnectivity-manifests"
107 |           {{- end }}
108 |           {{- if .Values.coredns.enabled }}
109 |           - configMap:
110 |               name: "{{ $fullName }}-coredns-manifests"
111 |           {{- end }}
112 |       {{- end }}
113 |       - name: config
114 |         configMap:
115 |           name: "{{ $fullName }}-kubeadm-config"
116 |       {{- with .Values.admin.extraVolumes }}
117 |       {{- toYaml . | nindent 6 }}
118 |       {{- end }}
119 | {{- end }}
120 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/etcd-certs.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.etcd.enabled }}
  2 | {{- $fullName := include "kubernetes.fullname" . -}}
  3 | {{- $certName := include "kubernetes.certname" . -}}
  4 | ---
  5 | apiVersion: cert-manager.io/v1
  6 | kind: Certificate
  7 | metadata:
  8 |   name: "{{ $fullName }}-pki-etcd-ca"
  9 | spec:
 10 |   commonName: "{{ $certName }}-etcd-ca"
 11 |   secretName: "{{ $fullName }}-pki-etcd-ca"
 12 |   duration: 87600h # 3650d
 13 |   renewBefore: 8760h # 365d
 14 |   subject:
 15 |     organizations:
 16 |     - "{{ $fullName }}"
 17 |   usages:
 18 |   - "signing"
 19 |   - "key encipherment"
 20 |   - "cert sign"
 21 |   isCA: true
 22 |   issuerRef:
 23 |     name: "{{ $fullName }}-selfsigning-issuer"
 24 |     kind: Issuer
 25 | ---
 26 | apiVersion: cert-manager.io/v1
 27 | kind: Issuer
 28 | metadata:
 29 |   name: "{{ $fullName }}-etcd-issuer"
 30 | spec:
 31 |   ca:
 32 |     secretName: "{{ $fullName }}-pki-etcd-ca"
 33 | ---
 34 | {{- $svcName1 := printf "%s-etcd" $fullName }}
 35 | {{- $svcName2 := printf "%s-etcd.%s" $fullName .Release.Namespace }}
 36 | {{- $svcName3 := printf "%s-etcd.%s.svc" $fullName .Release.Namespace }}
 37 | {{- $podName1 := printf "*.%s-etcd" $fullName }}
 38 | {{- $podName2 := printf "*.%s-etcd.%s" $fullName .Release.Namespace }}
 39 | {{- $podName3 := printf "*.%s-etcd.%s.svc" $fullName .Release.Namespace }}
 40 | {{- $svcClientName1 := printf "%s-etcd-client" $fullName }}
 41 | {{- $svcClientName2 := printf "%s-etcd-client.%s" $fullName .Release.Namespace }}
 42 | {{- $svcClientName3 := printf "%s-etcd-client.%s.svc" $fullName .Release.Namespace }}
 43 | apiVersion: cert-manager.io/v1
 44 | kind: Certificate
 45 | metadata:
 46 |   name: "{{ $fullName }}-pki-etcd-peer"
 47 | spec:
 48 |   commonName: "{{ $certName }}-etcd-peer"
 49 |   secretName: "{{ $fullName }}-pki-etcd-peer"
 50 |   duration: 8760h # 365d
 51 |   renewBefore: 4380h # 178d
 52 |   subject:
 53 |     organizations:
 54 |     - "{{ $fullName }}"
 55 |   usages:
 56 |   - "signing"
 57 |   - "key encipherment"
 58 |   - "server auth"
 59 |   - "client auth"
 60 |   dnsNames:
 61 |   - "{{ $svcName1 }}"
 62 |   - "{{ $svcName2 }}"
 63 |   - "{{ $svcName3 }}"
 64 |   - "{{ $podName1 }}"
 65 |   - "{{ $podName2 }}"
 66 |   - "{{ $podName3 }}"
 67 |   - "localhost"
 68 |   ipAddresses:
 69 |   - "127.0.0.1"
 70 |   issuerRef:
 71 |     name: "{{ $fullName }}-etcd-issuer"
 72 |     kind: Issuer
 73 | ---
 74 | apiVersion: cert-manager.io/v1
 75 | kind: Certificate
 76 | metadata:
 77 |   name: "{{ $fullName }}-pki-etcd-server"
 78 | spec:
 79 |   commonName: "{{ $certName }}-etcd-server"
 80 |   secretName: "{{ $fullName }}-pki-etcd-server"
 81 |   duration: 8760h # 365d
 82 |   renewBefore: 4380h # 178d
 83 |   subject:
 84 |     organizations:
 85 |     - "{{ $fullName }}"
 86 |   usages:
 87 |   - "signing"
 88 |   - "key encipherment"
 89 |   - "server auth"
 90 |   - "client auth"
 91 |   dnsNames:
 92 |   - "{{ $svcName1 }}"
 93 |   - "{{ $svcName2 }}"
 94 |   - "{{ $svcName3 }}"
 95 |   - "{{ $podName1 }}"
 96 |   - "{{ $podName2 }}"
 97 |   - "{{ $podName3 }}"
 98 |   - "{{ $svcClientName1 }}"
 99 |   - "{{ $svcClientName2 }}"
100 |   - "{{ $svcClientName3 }}"
101 |   - "localhost"
102 |   {{- with .Values.etcd.certSANs.dnsNames }}
103 |   {{- . | toYaml | nindent 2 }}
104 |   {{- end }}
105 |   ipAddresses:
106 |   - "127.0.0.1"
107 |   {{- with .Values.etcd.service.loadBalancerIP }}
108 |   {{- if not (has . $.Values.etcd.certSANs.ipAddresses) }}
109 |   - {{ . | quote }}
110 |   {{- end }}
111 |   {{- end }}
112 |   {{- with .Values.etcd.certSANs.ipAddresses }}
113 |   {{- . | toYaml | nindent 2 }}
114 |   {{- end }}
115 |   issuerRef:
116 |     name: "{{ $fullName }}-etcd-issuer"
117 |     kind: Issuer
118 | ---
119 | apiVersion: cert-manager.io/v1
120 | kind: Certificate
121 | metadata:
122 |   name: "{{ $fullName }}-pki-etcd-healthcheck-client"
123 | spec:
124 |   commonName: "{{ $certName }}-etcd-healthcheck-client"
125 |   secretName: "{{ $fullName }}-pki-etcd-healthcheck-client"
126 |   duration: 8760h # 365d
127 |   renewBefore: 4380h # 178d
128 |   subject:
129 |     organizations:
130 |     - "system:masters"
131 |   usages:
132 |   - "signing"
133 |   - "key encipherment"
134 |   - "client auth"
135 |   issuerRef:
136 |     name: "{{ $fullName }}-etcd-issuer"
137 |     kind: Issuer
138 | ---
139 | apiVersion: cert-manager.io/v1
140 | kind: Certificate
141 | metadata:
142 |   name: "{{ $fullName }}-pki-apiserver-etcd-client"
143 | spec:
144 |   commonName: "{{ $certName }}-apiserver-etcd-client"
145 |   secretName: "{{ $fullName }}-pki-apiserver-etcd-client"
146 |   duration: 8760h # 365d
147 |   renewBefore: 4380h # 178d
148 |   subject:
149 |     organizations:
150 |     - "system:masters"
151 |   usages:
152 |   - "signing"
153 |   - "key encipherment"
154 |   - "client auth"
155 |   issuerRef:
156 |     name: "{{ $fullName }}-etcd-issuer"
157 |     kind: Issuer
158 | {{- end }}
159 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/scheduler-deployment.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.scheduler.enabled }}
  2 | {{- $fullName := include "kubernetes.fullname" . -}}
  3 | ---
  4 | apiVersion: apps/v1
  5 | kind: Deployment
  6 | metadata:
  7 |   name: "{{ $fullName }}-scheduler"
  8 |   labels:
  9 |     app: "{{ $fullName }}-scheduler"
 10 |     {{- with .Values.scheduler.labels }}
 11 |     {{- toYaml . | nindent 4 }}
 12 |     {{- end }}
 13 |     {{- with .Values.scheduler.annotations }}
 14 |     annotations:
 15 |       {{- toYaml . | nindent 4 }}
 16 |     {{- end }}
 17 | spec:
 18 |   replicas: {{ .Values.scheduler.replicaCount }}
 19 |   selector:
 20 |     matchLabels:
 21 |       app: "{{ $fullName }}-scheduler"
 22 |   template:
 23 |     metadata:
 24 |       labels:
 25 |         app: "{{ $fullName }}-scheduler"
 26 |         {{- with .Values.scheduler.podLabels }}
 27 |         {{- toYaml . | nindent 8 }}
 28 |         {{- end }}
 29 |       {{- with .Values.scheduler.podAnnotations }}
 30 |       annotations:
 31 |         {{- toYaml . | nindent 8 }}
 32 |       {{- end }}
 33 |     spec:
 34 |       {{- with .Values.scheduler.nodeSelector }}
 35 |       nodeSelector:
 36 |         {{- toYaml . | nindent 8 }}
 37 |       {{- end }}
 38 |       {{- with .Values.scheduler.tolerations }}
 39 |       tolerations:
 40 |       {{- toYaml . | nindent 6 }}
 41 |       {{- end }}
 42 |       {{- if or .Values.scheduler.affinity .Values.scheduler.podAntiAffinity }}
 43 |       affinity:
 44 |         {{- with .Values.scheduler.affinity }}
 45 |         {{- toYaml . | nindent 8 }}
 46 |         {{- end }}
 47 |         {{- if eq .Values.scheduler.podAntiAffinity "hard" }}
 48 |         podAntiAffinity:
 49 |           requiredDuringSchedulingIgnoredDuringExecution:
 50 |             - topologyKey: "{{ .Values.scheduler.podAntiAffinityTopologyKey }}"
 51 |               labelSelector:
 52 |                 matchLabels:
 53 |                   app: {{ $fullName }}-scheduler
 54 |         {{- else if eq .Values.scheduler.podAntiAffinity "soft" }}
 55 |         podAntiAffinity:
 56 |           preferredDuringSchedulingIgnoredDuringExecution:
 57 |             - weight: 1
 58 |               podAffinityTerm:
 59 |                 topologyKey: "{{ .Values.scheduler.podAntiAffinityTopologyKey }}"
 60 |                 labelSelector:
 61 |                   matchLabels:
 62 |                     app: {{ $fullName }}-scheduler
 63 |         {{- end }}
 64 |       {{- end }}
 65 |       {{- with .Values.scheduler.image.pullSecrets }}
 66 |       imagePullSecrets:
 67 |         {{- toYaml . | nindent 10 }}
 68 |       {{- end }}
 69 |       automountServiceAccountToken: false
 70 |       containers:
 71 |       - command:
 72 |         - kube-scheduler
 73 |         - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf
 74 |         - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf
 75 |         - --bind-address=0.0.0.0
 76 |         - --kubeconfig=/etc/kubernetes/scheduler.conf
 77 |         - --leader-elect=true
 78 |         - --secure-port={{ .Values.scheduler.port }}
 79 |         - --tls-cert-file=/pki/scheduler-server/tls.crt
 80 |         - --tls-private-key-file=/pki/scheduler-server/tls.key
 81 |         {{- range $key, $value := .Values.scheduler.extraArgs }}
 82 |         - --{{ $key }}={{ $value }}
 83 |         {{- end }}
 84 |         {{- with .Values.scheduler.image }}
 85 |         image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
 86 |         imagePullPolicy: {{ .pullPolicy }}
 87 |         {{- end }}
 88 |         livenessProbe:
 89 |           failureThreshold: 8
 90 |           httpGet:
 91 |             path: /healthz
 92 |             port: {{ .Values.scheduler.port }}
 93 |             scheme: HTTPS
 94 |           initialDelaySeconds: 15
 95 |           timeoutSeconds: 15
 96 |         name: kube-scheduler
 97 |         resources:
 98 |           {{- toYaml .Values.scheduler.resources | nindent 10 }}
 99 |         {{- with .Values.scheduler.extraEnv }}
100 |         env:
101 |         {{- toYaml . | nindent 8 }}
102 |         {{- end }}
103 |         volumeMounts:
104 |         - mountPath: /etc/kubernetes/
105 |           name: kubeconfig
106 |           readOnly: true
107 |         - mountPath: /pki/scheduler-server
108 |           name: pki-scheduler-server
109 |         - mountPath: /pki/scheduler-client
110 |           name: pki-scheduler-client
111 |         {{- with .Values.scheduler.extraVolumeMounts }}
112 |         {{- toYaml . | nindent 8 }}
113 |         {{- end }}
114 |       {{- with .Values.scheduler.sidecars }}
115 |       {{- toYaml . | nindent 6 }}
116 |       {{- end }}
117 |       securityContext:
118 |         seccompProfile:
119 |           type: RuntimeDefault
120 |       volumes:
121 |       - configMap:
122 |           name: "{{ $fullName }}-scheduler-conf"
123 |         name: kubeconfig
124 |       - secret:
125 |           secretName: "{{ $fullName }}-pki-scheduler-server"
126 |         name: pki-scheduler-server
127 |       - secret:
128 |           secretName: "{{ $fullName }}-pki-scheduler-client"
129 |         name: pki-scheduler-client
130 | 
131 |       {{- with .Values.scheduler.extraVolumes }}
132 |       {{- toYaml . | nindent 6 }}
133 |       {{- end }}
134 | {{- end }}
135 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/admin-deployment.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.admin.enabled }}
  2 | {{- $fullName := include "kubernetes.fullname" . -}}
  3 | ---
  4 | apiVersion: apps/v1
  5 | kind: Deployment
  6 | metadata:
  7 |   name: "{{ $fullName }}-admin"
  8 |   labels:
  9 |     app: "{{ $fullName }}-admin"
 10 |     {{- with .Values.admin.labels }}
 11 |     {{- toYaml . | nindent 4 }}
 12 |     {{- end }}
 13 |     {{- with .Values.admin.annotations }}
 14 |     annotations:
 15 |       {{- toYaml . | nindent 4 }}
 16 |     {{- end }}
 17 | spec:
 18 |   replicas: {{ .Values.admin.replicaCount }}
 19 |   selector:
 20 |     matchLabels:
 21 |       app: "{{ $fullName }}-admin"
 22 |   template:
 23 |     metadata:
 24 |       labels:
 25 |         app: "{{ $fullName }}-admin"
 26 |         {{- with .Values.admin.podLabels }}
 27 |         {{- toYaml . | nindent 8 }}
 28 |         {{- end }}
 29 |       {{- with .Values.admin.podAnnotations }}
 30 |       annotations:
 31 |         {{- toYaml . | nindent 8 }}
 32 |       {{- end }}
 33 |     spec:
 34 |       {{- with .Values.admin.nodeSelector }}
 35 |       nodeSelector:
 36 |         {{- toYaml . | nindent 8 }}
 37 |       {{- end }}
 38 |       {{- with .Values.admin.tolerations }}
 39 |       tolerations:
 40 |       {{- toYaml . | nindent 6 }}
 41 |       {{- end }}
 42 |       {{- if or .Values.admin.affinity .Values.admin.podAntiAffinity }}
 43 |       affinity:
 44 |         {{- with .Values.admin.affinity }}
 45 |         {{- toYaml . | nindent 8 }}
 46 |         {{- end }}
 47 |         {{- if eq .Values.admin.podAntiAffinity "hard" }}
 48 |         podAntiAffinity:
 49 |           requiredDuringSchedulingIgnoredDuringExecution:
 50 |             - topologyKey: "{{ .Values.admin.podAntiAffinityTopologyKey }}"
 51 |               labelSelector:
 52 |                 matchLabels:
 53 |                   app: {{ $fullName }}-admin
 54 |         {{- else if eq .Values.admin.podAntiAffinity "soft" }}
 55 |         podAntiAffinity:
 56 |           preferredDuringSchedulingIgnoredDuringExecution:
 57 |             - weight: 1
 58 |               podAffinityTerm:
 59 |                 topologyKey: "{{ .Values.admin.podAntiAffinityTopologyKey }}"
 60 |                 labelSelector:
 61 |                   matchLabels:
 62 |                     app: {{ $fullName }}-admin
 63 |         {{- end }}
 64 |       {{- end }}
 65 |       {{- with .Values.admin.image.pullSecrets }}
 66 |       imagePullSecrets:
 67 |         {{- toYaml . | nindent 10 }}
 68 |       {{- end }}
 69 |       automountServiceAccountToken: false
 70 |       terminationGracePeriodSeconds: 5
 71 |       containers:
 72 |       - command: [ 'sleep', 'infinity' ]
 73 |         {{- with .Values.admin.image }}
 74 |         image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
 75 |         imagePullPolicy: {{ .pullPolicy }}
 76 |         {{- end }}
 77 |         name: admin
 78 |         readinessProbe:
 79 |           exec:
 80 |             command:
 81 |             - kubectl
 82 |             - auth
 83 |             - can-i
 84 |             - '*'
 85 |             - '*'
 86 |           initialDelaySeconds: 15
 87 |           periodSeconds: 5
 88 |         resources:
 89 |           {{- toYaml .Values.admin.resources | nindent 10 }}
 90 |         env:
 91 |         - name: KUBECONFIG
 92 |           value: "/etc/kubernetes/admin.conf"
 93 |         {{- with .Values.admin.extraEnv }}
 94 |         {{- toYaml . | nindent 8 }}
 95 |         {{- end }}
 96 |         volumeMounts:
 97 |         - mountPath: /etc/kubernetes/
 98 |           name: kubeconfig
 99 |           readOnly: true
100 |         - mountPath: /pki/admin-client
101 |           name: pki-admin-client
102 |         - mountPath: /scripts
103 |           name: scripts
104 |         {{- if or .Values.extraManifests .Values.konnectivityServer.enabled .Values.konnectivityAgent.enabled }}
105 |         - mountPath: /manifests
106 |           name: manifests
107 |         {{- end }}
108 |         - mountPath: /config
109 |           name: config
110 |         {{- with .Values.admin.extraVolumeMounts }}
111 |         {{- toYaml . | nindent 8 }}
112 |         {{- end }}
113 |       {{- with .Values.admin.sidecars }}
114 |       {{- toYaml . | nindent 6 }}
115 |       {{- end }}
116 |       securityContext:
117 |         seccompProfile:
118 |           type: RuntimeDefault
119 |       volumes:
120 |       - configMap:
121 |           name: "{{ $fullName }}-admin-conf"
122 |         name: kubeconfig
123 |       - secret:
124 |           secretName: "{{ $fullName }}-pki-admin-client"
125 |         name: pki-admin-client
126 |       - name: scripts
127 |         configMap:
128 |           name: "{{ $fullName }}-kubeadm-scripts"
129 |           defaultMode: 0777
130 |       {{- if or .Values.extraManifests .Values.konnectivityServer.enabled .Values.konnectivityAgent.enabled }}
131 |       - name: manifests
132 |         projected:
133 |           sources:
134 |           {{- if or .Values.extraManifests }}
135 |           - secret:
136 |               name: "{{ $fullName }}-extra-manifests"
137 |           {{- end }}
138 |           {{- if or .Values.konnectivityServer.enabled .Values.konnectivityAgent.enabled }}
139 |           - configMap:
140 |               name: "{{ $fullName }}-konnectivity-manifests"
141 |           {{- end }}
142 |       {{- end }}
143 |       - name: config
144 |         configMap:
145 |           name: "{{ $fullName }}-kubeadm-config"
146 |       {{- with .Values.admin.extraVolumes }}
147 |       {{- toYaml . | nindent 6 }}
148 |       {{- end }}
149 | {{- end }}
150 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/manifests/coredns.yaml:
--------------------------------------------------------------------------------
  1 | # Source: https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/coredns/coredns.yaml.base
  2 | ---
  3 | apiVersion: v1
  4 | kind: ServiceAccount
  5 | metadata:
  6 |   name: coredns
  7 |   namespace: kube-system
  8 |   labels:
  9 |       kubernetes.io/cluster-service: "true"
 10 |       addonmanager.kubernetes.io/mode: Reconcile
 11 | ---
 12 | apiVersion: rbac.authorization.k8s.io/v1
 13 | kind: ClusterRole
 14 | metadata:
 15 |   labels:
 16 |     kubernetes.io/bootstrapping: rbac-defaults
 17 |     addonmanager.kubernetes.io/mode: Reconcile
 18 |   name: system:coredns
 19 | rules:
 20 | - apiGroups:
 21 |   - ""
 22 |   resources:
 23 |   - endpoints
 24 |   - services
 25 |   - pods
 26 |   - namespaces
 27 |   verbs:
 28 |   - list
 29 |   - watch
 30 | - apiGroups:
 31 |   - ""
 32 |   resources:
 33 |   - nodes
 34 |   verbs:
 35 |   - get
 36 | - apiGroups:
 37 |   - discovery.k8s.io
 38 |   resources:
 39 |   - endpointslices
 40 |   verbs:
 41 |   - list
 42 |   - watch
 43 | ---
 44 | apiVersion: rbac.authorization.k8s.io/v1
 45 | kind: ClusterRoleBinding
 46 | metadata:
 47 |   annotations:
 48 |     rbac.authorization.kubernetes.io/autoupdate: "true"
 49 |   labels:
 50 |     kubernetes.io/bootstrapping: rbac-defaults
 51 |     addonmanager.kubernetes.io/mode: EnsureExists
 52 |   name: system:coredns
 53 | roleRef:
 54 |   apiGroup: rbac.authorization.k8s.io
 55 |   kind: ClusterRole
 56 |   name: system:coredns
 57 | subjects:
 58 | - kind: ServiceAccount
 59 |   name: coredns
 60 |   namespace: kube-system
 61 | ---
 62 | apiVersion: v1
 63 | kind: ConfigMap
 64 | metadata:
 65 |   name: coredns
 66 |   namespace: kube-system
 67 | data:
 68 |   Corefile: |
 69 |     .:53 {
 70 |         errors
 71 |         health {
 72 |             lameduck 5s
 73 |         }
 74 |         ready
 75 |         kubernetes {{ .Values.networking.dnsDomain }} in-addr.arpa ip6.arpa {
 76 |             pods insecure
 77 |             fallthrough in-addr.arpa ip6.arpa
 78 |             ttl 30
 79 |         }
 80 |         prometheus :9153
 81 |         forward . /etc/resolv.conf {
 82 |             max_concurrent 1000
 83 |         }
 84 |         cache 30
 85 |         loop
 86 |         reload
 87 |         loadbalance
 88 |     }
 89 | ---
 90 | apiVersion: apps/v1
 91 | kind: Deployment
 92 | metadata:
 93 |   name: coredns
 94 |   namespace: kube-system
 95 |   labels:
 96 |     k8s-app: kube-dns
 97 |     kubernetes.io/cluster-service: "true"
 98 |     addonmanager.kubernetes.io/mode: Reconcile
 99 |     kubernetes.io/name: "CoreDNS"
100 | spec:
101 |   replicas: {{ .Values.coredns.replicaCount }}
102 |   strategy:
103 |     type: RollingUpdate
104 |     rollingUpdate:
105 |       maxUnavailable: 1
106 |   selector:
107 |     matchLabels:
108 |       k8s-app: kube-dns
109 |   template:
110 |     metadata:
111 |       labels:
112 |         k8s-app: kube-dns
113 |     spec:
114 |       securityContext:
115 |         seccompProfile:
116 |           type: RuntimeDefault
117 |       priorityClassName: system-cluster-critical
118 |       serviceAccountName: coredns
119 |       affinity:
120 |         podAntiAffinity:
121 |           preferredDuringSchedulingIgnoredDuringExecution:
122 |           - weight: 100
123 |             podAffinityTerm:
124 |               labelSelector:
125 |                 matchExpressions:
126 |                   - key: k8s-app
127 |                     operator: In
128 |                     values: ["kube-dns"]
129 |               topologyKey: kubernetes.io/hostname
130 |       tolerations:
131 |         - key: "CriticalAddonsOnly"
132 |           operator: "Exists"
133 |       nodeSelector:
134 |         kubernetes.io/os: linux
135 |       {{- with .Values.coredns.image.pullSecrets }}
136 |       imagePullSecrets:
137 |         {{- toYaml . | nindent 10 }}
138 |       {{- end }}
139 |       containers:
140 |       - name: coredns
141 |         {{- with .Values.coredns.image }}
142 |         image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
143 |         imagePullPolicy: {{ .pullPolicy }}
144 |         {{- end }}
145 |         resources:
146 |           {{- toYaml .Values.coredns.resources | nindent 10 }}
147 |         args: [ "-conf", "/etc/coredns/Corefile" ]
148 |         volumeMounts:
149 |         - name: config-volume
150 |           mountPath: /etc/coredns
151 |           readOnly: true
152 |         ports:
153 |         - containerPort: 53
154 |           name: dns
155 |           protocol: UDP
156 |         - containerPort: 53
157 |           name: dns-tcp
158 |           protocol: TCP
159 |         - containerPort: 9153
160 |           name: metrics
161 |           protocol: TCP
162 |         livenessProbe:
163 |           httpGet:
164 |             path: /health
165 |             port: 8080
166 |             scheme: HTTP
167 |           initialDelaySeconds: 60
168 |           timeoutSeconds: 5
169 |           successThreshold: 1
170 |           failureThreshold: 5
171 |         readinessProbe:
172 |           httpGet:
173 |             path: /ready
174 |             port: 8181
175 |             scheme: HTTP
176 |         securityContext:
177 |           allowPrivilegeEscalation: false
178 |           capabilities:
179 |             add:
180 |             - NET_BIND_SERVICE
181 |             drop:
182 |             - all
183 |           readOnlyRootFilesystem: true
184 |       dnsPolicy: Default
185 |       volumes:
186 |         - name: config-volume
187 |           configMap:
188 |             name: coredns
189 |             items:
190 |             - key: Corefile
191 |               path: Corefile
192 | ---
193 | apiVersion: v1
194 | kind: Service
195 | metadata:
196 |   name: kube-dns
197 |   namespace: kube-system
198 |   annotations:
199 |     prometheus.io/port: "9153"
200 |     prometheus.io/scrape: "true"
201 |   labels:
202 |     k8s-app: kube-dns
203 |     kubernetes.io/cluster-service: "true"
204 |     addonmanager.kubernetes.io/mode: Reconcile
205 |     kubernetes.io/name: "CoreDNS"
206 | spec:
207 |   selector:
208 |     k8s-app: kube-dns
209 |   clusterIP: {{ template "kubernetes.getCoreDNS" . }}
210 |   ports:
211 |   - name: dns
212 |     port: 53
213 |     protocol: UDP
214 |   - name: dns-tcp
215 |     port: 53
216 |     protocol: TCP
217 |   - name: metrics
218 |     port: 9153
219 |     protocol: TCP
220 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/etcd-backup-cronjob.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.etcd.backup.enabled }}
  2 | {{- $fullName := include "kubernetes.fullname" . -}}
  3 | ---
  4 | apiVersion: batch/v1
  5 | kind: CronJob
  6 | metadata:
  7 |   name: {{ $fullName }}-etcd-backup
  8 |   labels:
  9 |     app: {{ $fullName }}-etcd-backup
 10 |     {{- with .Values.etcd.backup.labels }}
 11 |     {{- toYaml . | nindent 4 }}
 12 |     {{- end }}
 13 |   {{- with .Values.etcd.backup.annotations }}
 14 |   annotations:
 15 |     {{- toYaml . | nindent 4 }}
 16 |   {{- end }}
 17 | spec:
 18 |   schedule: "{{ .Values.etcd.backup.schedule }}"
 19 |   successfulJobsHistoryLimit: {{ .Values.etcd.backup.successfulJobsHistoryLimit }}
 20 |   failedJobsHistoryLimit: {{ .Values.etcd.backup.failedJobsHistoryLimit }}
 21 |   jobTemplate:
 22 |     metadata:
 23 |       labels:
 24 |         app: {{ $fullName }}-etcd-backup
 25 |         {{- with .Values.etcd.backup.labels }}
 26 |         {{- toYaml . | nindent 8 }}
 27 |         {{- end }}
 28 |       {{- with .Values.etcd.backup.annotations }}
 29 |       annotations:
 30 |         {{- toYaml . | nindent 8 }}
 31 |       {{- end }}
 32 |     spec:
 33 |       template:
 34 |         metadata:
 35 |           labels:
 36 |             app: {{ $fullName }}-etcd-backup
 37 |             {{- with .Values.etcd.backup.podLabels }}
 38 |             {{- toYaml . | nindent 12 }}
 39 |             {{- end }}
 40 |           {{- with .Values.etcd.backup.podAnnotations }}
 41 |           annotations:
 42 |             {{- toYaml . | nindent 12 }}
 43 |           {{- end }}
 44 |         spec:
 45 |           {{- with .Values.etcd.backup.nodeSelector }}
 46 |           nodeSelector:
 47 |             {{- toYaml . | nindent 12 }}
 48 |           {{- end }}
 49 |           {{- with .Values.etcd.backup.tolerations }}
 50 |           tolerations:
 51 |           {{- toYaml . | nindent 10 }}
 52 |           {{- end }}
 53 |           {{- if or .Values.etcd.backup.affinity .Values.etcd.backup.podAffinity }}
 54 |           affinity:
 55 |             {{- with .Values.etcd.backup.affinity }}
 56 |             {{- toYaml . | nindent 12 }}
 57 |             {{- end }}
 58 |             {{- if eq .Values.etcd.backup.podAffinity "hard" }}
 59 |             podAffinity:
 60 |               requiredDuringSchedulingIgnoredDuringExecution:
 61 |                 - topologyKey: "{{ .Values.etcd.backup.podAffinityTopologyKey }}"
 62 |                   labelSelector:
 63 |                     matchLabels:
 64 |                       app: {{ $fullName }}-etcd
 65 |             {{- else if eq .Values.etcd.backup.podAffinity "soft" }}
 66 |             podAffinity:
 67 |               preferredDuringSchedulingIgnoredDuringExecution:
 68 |                 - weight: 1
 69 |                   podAffinityTerm:
 70 |                     topologyKey: "{{ .Values.etcd.backup.podAffinityTopologyKey }}"
 71 |                     labelSelector:
 72 |                       matchLabels:
 73 |                         app: {{ $fullName }}-etcd
 74 |             {{- end }}
 75 |           {{- end }}
 76 | 
 77 |           {{- with .Values.etcd.image.pullSecrets }}
 78 |           imagePullSecrets:
 79 |             {{- toYaml . | nindent 10 }}
 80 |           {{- end }}
 81 |           automountServiceAccountToken: false
 82 |           restartPolicy: OnFailure
 83 |           containers:
 84 |           - command:
 85 |             - /bin/sh
 86 |             - -xc
 87 |             - |
 88 |               rtc() { while read k s v; do test "$k" = "rtc_$1" && echo "$v" && break; done </proc/driver/rtc; }
 89 |               etcdctl snapshot save /data/etcd-prod-hosting-$(rtc date)-$(rtc time).db
 90 |               {{- range $key, $value := .Values.etcd.backup.extraArgs }} --{{ $key }}={{ $value }}{{- end }}
 91 |             env:
 92 |             - name: ETCDCTL_API
 93 |               value: "3"
 94 |             - name: ETCDCTL_CACERT
 95 |               value: /pki/etcd/peer/ca.crt
 96 |             - name: ETCDCTL_CERT
 97 |               value: /pki/etcd/peer/tls.crt
 98 |             - name: ETCDCTL_KEY
 99 |               value: /pki/etcd/peer/tls.key 
100 |             - name: ETCDCTL_ENDPOINTS
101 |               value: {{ $fullName }}-etcd:{{ .Values.etcd.ports.client }}
102 |             {{- with .Values.etcd.backup.extraEnv }}
103 |             {{- toYaml . | nindent 12 }}
104 |             {{- end }}
105 |             {{- with .Values.etcd.image }}
106 |             image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
107 |             imagePullPolicy: {{ .pullPolicy }}
108 |             {{- end }}
109 |             name: etcd-backup
110 |             resources:
111 |               {{- toYaml .Values.etcd.backup.resources | nindent 14 }}
112 |             volumeMounts:
113 |             - mountPath: /pki/etcd/ca
114 |               name: pki-etcd-certs-ca
115 |             - mountPath: /pki/etcd/peer
116 |               name: pki-etcd-certs-peer
117 |             - mountPath: /pki/etcd/server
118 |               name: pki-etcd-certs-server
119 |             - mountPath: /data
120 |               name: data
121 |               {{- with .Values.persistence.backup.subPath }}
122 |               subPath: {{ . }}
123 |               {{- end }}
124 |             {{- with .Values.etcd.backup.extraVolumeMounts }}
125 |             {{- toYaml . | nindent 12 }}
126 |             {{- end }}
127 |           {{- with .Values.etcd.backup.sidecars }}
128 |           {{- toYaml . | nindent 10 }}
129 |           {{- end }}
130 |           securityContext:
131 |             seccompProfile:
132 |               type: RuntimeDefault
133 |           volumes:
134 |           - secret:
135 |               secretName: {{ $fullName }}-pki-etcd-ca
136 |             name: pki-etcd-certs-ca
137 |           - secret:
138 |               secretName: {{ $fullName }}-pki-etcd-peer
139 |             name: pki-etcd-certs-peer
140 |           - secret:
141 |               secretName: {{ $fullName }}-pki-etcd-server
142 |             name: pki-etcd-certs-server
143 |           - name: data
144 |             persistentVolumeClaim: 
145 |               claimName: {{ .Values.persistence.backup.existingClaim | default (printf "etcd-backup-%s-etcd" $fullName) }}
146 |           {{- with .Values.etcd.backup.extraVolumes }}
147 |           {{- toYaml . | nindent 10 }}
148 |           {{- end }}
149 | {{- end }}
150 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/manifests/konnectivity-agent-deployment.yaml:
--------------------------------------------------------------------------------
  1 | {{- $fullName := include "kubernetes.fullname" . -}}
  2 | 
  3 | {{- if .Values.konnectivityAgent.daemonSet -}}
  4 | apiVersion: apps/v1
  5 | kind: DaemonSet
  6 | {{- else -}}
  7 | apiVersion: apps/v1
  8 | kind: Deployment
  9 | {{- end }}
 10 | metadata:
 11 |   labels:
 12 |     addonmanager.kubernetes.io/mode: Reconcile
 13 |     k8s-app: konnectivity-agent
 14 |     {{- with .Values.konnectivityAgent.labels }}
 15 |     {{- toYaml . | nindent 4 }}
 16 |     {{- end }}
 17 |     {{- with .Values.konnectivityAgent.annotations }}
 18 |     annotations:
 19 |       {{- toYaml . | nindent 4 }}
 20 |     {{- end }}
 21 |   namespace: kube-system
 22 |   name: konnectivity-agent
 23 | spec:
 24 |   {{- if not .Values.konnectivityAgent.daemonSet }}
 25 |   replicas: {{ .Values.konnectivityAgent.replicaCount }}
 26 |   {{- end }}
 27 |   selector:
 28 |     matchLabels:
 29 |       k8s-app: konnectivity-agent
 30 |   template:
 31 |     metadata:
 32 |       labels:
 33 |         k8s-app: konnectivity-agent
 34 |         {{- with .Values.konnectivityAgent.podLabels }}
 35 |         {{- toYaml . | nindent 8 }}
 36 |         {{- end }}
 37 |       {{- with .Values.konnectivityAgent.podAnnotations }}
 38 |       annotations:
 39 |         {{- toYaml . | nindent 8 }}
 40 |       {{- end }}
 41 |     spec:
 42 |       {{- with .Values.konnectivityAgent.nodeSelector }}
 43 |       nodeSelector:
 44 |         {{- toYaml . | nindent 8 }}
 45 |       {{- end }}
 46 |       hostNetwork: {{ .Values.konnectivityAgent.hostNetwork }}
 47 |       securityContext:
 48 |         seccompProfile:
 49 |           type: RuntimeDefault
 50 |       priorityClassName: system-cluster-critical
 51 |       tolerations:
 52 |       - key: "CriticalAddonsOnly"
 53 |         operator: "Exists"
 54 |       {{- with .Values.konnectivityAgent.tolerations }}
 55 |       {{- toYaml . | nindent 6 }}
 56 |       {{- end }}
 57 |       {{- if or .Values.konnectivityServer.affinity .Values.konnectivityServer.podAntiAffinity }}
 58 |       affinity:
 59 |         {{- with .Values.konnectivityServer.affinity }}
 60 |         {{- toYaml . | nindent 8 }}
 61 |         {{- end }}
 62 |         {{- if eq .Values.konnectivityServer.podAntiAffinity "hard" }}
 63 |         podAntiAffinity:
 64 |           requiredDuringSchedulingIgnoredDuringExecution:
 65 |             - topologyKey: "{{ .Values.konnectivityServer.podAntiAffinityTopologyKey }}"
 66 |               labelSelector:
 67 |                 matchLabels:
 68 |                   app: {{ $fullName }}-konnectivity-server
 69 |         {{- else if eq .Values.konnectivityServer.podAntiAffinity "soft" }}
 70 |         podAntiAffinity:
 71 |           preferredDuringSchedulingIgnoredDuringExecution:
 72 |             - weight: 1
 73 |               podAffinityTerm:
 74 |                 topologyKey: "{{ .Values.konnectivityServer.podAntiAffinityTopologyKey }}"
 75 |                 labelSelector:
 76 |                   matchLabels:
 77 |                     app: {{ $fullName }}-konnectivity-server
 78 |         {{- end }}
 79 |       {{- end }}
 80 |       {{- with .Values.konnectivityServer.image.pullSecrets }}
 81 |       imagePullSecrets:
 82 |         {{- toYaml . | nindent 10 }}
 83 |       {{- end }}
 84 |       containers:
 85 |       - name: konnectivity-agent
 86 |         {{- with .Values.konnectivityAgent.image }}
 87 |         image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
 88 |         imagePullPolicy: {{ .pullPolicy }}
 89 |         {{- end }}
 90 |         command:
 91 |         - /proxy-agent
 92 |         - --logtostderr=true
 93 |         - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
 94 |         - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
 95 | 
 96 |         {{- if not (hasKey .Values.konnectivityAgent.extraArgs "proxy-server-host") }}
 97 |         {{- if and (eq .Values.konnectivityServer.mode "HTTPConnect") .Values.konnectivityServer.service.loadBalancerIP }}
 98 |         - --proxy-server-host={{ .Values.konnectivityServer.service.loadBalancerIP }}
 99 |         {{- else if and (eq .Values.konnectivityServer.mode "GRPC") .Values.apiServer.service.loadBalancerIP }}
100 |         - --proxy-server-host={{ .Values.apiServer.service.loadBalancerIP }}
101 |         {{- else }}
102 |         {{- fail ".konnectivityAgent.extraArgs.proxy-server-host must be specified!" }}
103 |         {{- end }}
104 |         {{- end }}
105 | 
106 |         {{- if not (hasKey .Values.konnectivityAgent.extraArgs "proxy-server-port") }}
107 |         {{- if eq .Values.konnectivityServer.service.type "LoadBalancer" }}
108 |         - --proxy-server-port={{ .Values.konnectivityServer.service.ports.agent }}
109 |         {{- else if .Values.konnectivityServer.service.NodePort }}
110 |         - --proxy-server-port={{ .Values.konnectivityServer.service.nodePorts.agent }}
111 |         {{- else }}
112 |         {{- fail ".konnectivityAgent.extraArgs.proxy-server-port must be specified!" }}
113 |         {{- end }}
114 |         {{- end }}
115 | 
116 |         - --admin-server-port={{ .Values.konnectivityAgent.ports.admin }}
117 |         - --health-server-port={{ .Values.konnectivityAgent.ports.health }}
118 | 
119 |         {{- range $key, $value := .Values.konnectivityAgent.extraArgs }}
120 |         - --{{ $key }}={{ $value }}
121 |         {{- end }}
122 |         ports:
123 |         - containerPort: {{ .Values.konnectivityAgent.ports.admin }}
124 |           name: admin
125 |         - containerPort: {{ .Values.konnectivityAgent.ports.health }}
126 |           name: health
127 |         volumeMounts:
128 |         - mountPath: /var/run/secrets/tokens
129 |           name: konnectivity-agent-token
130 |         {{- with .Values.konnectivityAgent.extraVolumeMounts }}
131 |         {{- toYaml . | nindent 8 }}
132 |         {{- end }}
133 |         livenessProbe:
134 |           httpGet:
135 |             path: /healthz
136 |             port: {{ .Values.konnectivityAgent.ports.health }}
137 |             scheme: HTTP
138 |           initialDelaySeconds: 15
139 |           timeoutSeconds: 15
140 |       {{- with .Values.konnectivityAgent.sidecars }}
141 |       {{- toYaml . | nindent 6 }}
142 |       {{- end }}
143 |       serviceAccountName: konnectivity-agent
144 |       volumes:
145 |       - name: konnectivity-agent-token
146 |         projected:
147 |           sources:
148 |           - serviceAccountToken:
149 |               path: konnectivity-agent-token
150 |               audience: system:konnectivity-server
151 |       {{- with .Values.konnectivityAgent.extraVolumes }}
152 |       {{- toYaml . | nindent 6 }}
153 |       {{- end }}
154 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/controller-manager-deployment.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.controllerManager.enabled }}
  2 | {{- $fullName := include "kubernetes.fullname" . -}}
  3 | ---
  4 | apiVersion: apps/v1
  5 | kind: Deployment
  6 | metadata:
  7 |   name: "{{ $fullName }}-controller-manager"
  8 |   labels:
  9 |     app: "{{ $fullName }}-controller-manager"
 10 |     {{- with .Values.controllerManager.labels }}
 11 |     {{- toYaml . | nindent 4 }}
 12 |     {{- end }}
 13 |     {{- with .Values.controllerManager.annotations }}
 14 |     annotations:
 15 |       {{- toYaml . | nindent 4 }}
 16 |     {{- end }}
 17 | spec:
 18 |   replicas: {{ .Values.controllerManager.replicaCount }}
 19 |   selector:
 20 |     matchLabels:
 21 |       app: "{{ $fullName }}-controller-manager"
 22 |   template:
 23 |     metadata:
 24 |       labels:
 25 |         app: "{{ $fullName }}-controller-manager"
 26 |         {{- with .Values.controllerManager.podLabels }}
 27 |         {{- toYaml . | nindent 8 }}
 28 |         {{- end }}
 29 |       {{- with .Values.controllerManager.podAnnotations }}
 30 |       annotations:
 31 |         {{- toYaml . | nindent 8 }}
 32 |       {{- end }}
 33 |     spec:
 34 |       {{- with .Values.controllerManager.nodeSelector }}
 35 |       nodeSelector:
 36 |         {{- toYaml . | nindent 8 }}
 37 |       {{- end }}
 38 |       {{- with .Values.controllerManager.tolerations }}
 39 |       tolerations:
 40 |       {{- toYaml . | nindent 6 }}
 41 |       {{- end }}
 42 |       {{- if or .Values.controllerManager.affinity .Values.controllerManager.podAntiAffinity }}
 43 |       affinity:
 44 |         {{- with .Values.controllerManager.affinity }}
 45 |         {{- toYaml . | nindent 8 }}
 46 |         {{- end }}
 47 |         {{- if eq .Values.controllerManager.podAntiAffinity "hard" }}
 48 |         podAntiAffinity:
 49 |           requiredDuringSchedulingIgnoredDuringExecution:
 50 |             - topologyKey: "{{ .Values.controllerManager.podAntiAffinityTopologyKey }}"
 51 |               labelSelector:
 52 |                 matchLabels:
 53 |                   app: {{ $fullName }}-controller-manager
 54 |         {{- else if eq .Values.controllerManager.podAntiAffinity "soft" }}
 55 |         podAntiAffinity:
 56 |           preferredDuringSchedulingIgnoredDuringExecution:
 57 |             - weight: 1
 58 |               podAffinityTerm:
 59 |                 topologyKey: "{{ .Values.controllerManager.podAntiAffinityTopologyKey }}"
 60 |                 labelSelector:
 61 |                   matchLabels:
 62 |                     app: {{ $fullName }}-controller-manager
 63 |         {{- end }}
 64 |       {{- end }}
 65 |       {{- with .Values.controllerManager.image.pullSecrets }}
 66 |       imagePullSecrets:
 67 |         {{- toYaml . | nindent 10 }}
 68 |       {{- end }}
 69 |       automountServiceAccountToken: false
 70 |       containers:
 71 |       - command:
 72 |         - kube-controller-manager
 73 |         - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
 74 |         - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
 75 |         - --bind-address=0.0.0.0
 76 |         - --client-ca-file=/pki/ca/tls.crt
 77 |         - --cluster-name=kubernetes
 78 |         - --cluster-signing-cert-file=/pki/ca/tls.crt
 79 |         - --cluster-signing-key-file=/pki/ca/tls.key
 80 |         - --controllers=*,bootstrapsigner,tokencleaner
 81 |         - --kubeconfig=/etc/kubernetes/controller-manager.conf
 82 |         - --leader-elect=true
 83 |         - --requestheader-client-ca-file=/pki/front-proxy-client/tls.crt
 84 |         - --root-ca-file=/pki/ca/tls.crt
 85 |         - --secure-port={{ .Values.controllerManager.port }}
 86 |         - --service-account-private-key-file=/pki/sa/tls.key
 87 |         - --use-service-account-credentials=true
 88 |         - --tls-cert-file=/pki/controller-manager-server/tls.crt
 89 |         - --tls-private-key-file=/pki/controller-manager-server/tls.key
 90 |         - --service-cluster-ip-range={{ .Values.networking.serviceSubnet }}
 91 |         {{ with .Values.networking.podSubnet }}
 92 |         - --allocate-node-cidrs=true
 93 |         - --cluster-cidr={{ . }}
 94 |         {{- end }}
 95 |         {{- range $key, $value := .Values.controllerManager.extraArgs }}
 96 |         - --{{ $key }}={{ $value }}
 97 |         {{- end }}
 98 |         {{- with .Values.controllerManager.image }}
 99 |         image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
100 |         imagePullPolicy: {{ .pullPolicy }}
101 |         {{- end }}
102 |         livenessProbe:
103 |           failureThreshold: 8
104 |           httpGet:
105 |             path: /healthz
106 |             port: {{ .Values.controllerManager.port }}
107 |             scheme: HTTPS
108 |           initialDelaySeconds: 15
109 |           timeoutSeconds: 15
110 |         name: kube-controller-manager
111 |         resources:
112 |           {{- toYaml .Values.controllerManager.resources | nindent 10 }}
113 |         {{- with .Values.controllerManager.extraEnv }}
114 |         env:
115 |         {{- toYaml . | nindent 8 }}
116 |         {{- end }}
117 |         volumeMounts:
118 |         - mountPath: /etc/kubernetes/
119 |           name: kubeconfig
120 |           readOnly: true
121 |         - mountPath: /pki/controller-manager-server
122 |           name: pki-controller-manager-server
123 |         - mountPath: /pki/controller-manager-client
124 |           name: pki-controller-manager-client
125 |         - mountPath: /pki/ca
126 |           name: pki-ca
127 |         - mountPath: /pki/front-proxy-client
128 |           name: pki-front-proxy-client
129 |         - mountPath: /pki/sa
130 |           name: pki-sa
131 |         {{- with .Values.controllerManager.extraVolumeMounts }}
132 |         {{- toYaml . | nindent 8 }}
133 |         {{- end }}
134 |       {{- with .Values.controllerManager.sidecars }}
135 |       {{- toYaml . | nindent 6 }}
136 |       {{- end }}
137 |       securityContext:
138 |         seccompProfile:
139 |           type: RuntimeDefault
140 |       volumes:
141 |       - configMap:
142 |           name: "{{ $fullName }}-controller-manager-conf"
143 |         name: kubeconfig
144 |       - secret:
145 |           secretName: "{{ $fullName }}-pki-controller-manager-server"
146 |         name: pki-controller-manager-server
147 |       - secret:
148 |           secretName: "{{ $fullName }}-pki-controller-manager-client"
149 |         name: pki-controller-manager-client
150 |       - secret:
151 |           secretName: "{{ $fullName }}-pki-ca"
152 |         name: pki-ca
153 |       - secret:
154 |           secretName: "{{ $fullName }}-pki-front-proxy-client"
155 |         name: pki-front-proxy-client
156 |       - secret:
157 |           secretName: "{{ $fullName }}-pki-sa"
158 |         name: pki-sa
159 |       {{- with .Values.controllerManager.extraVolumes }}
160 |       {{- toYaml . | nindent 6 }}
161 |       {{- end }}
162 | {{- end }}
163 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/etcd-statefulset.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.etcd.enabled }}
  2 | {{- $fullName := include "kubernetes.fullname" . -}}
  3 | ---
  4 | apiVersion: apps/v1
  5 | kind: StatefulSet
  6 | metadata:
  7 |   name: {{ $fullName }}-etcd
  8 |   labels:
  9 |     app: {{ $fullName }}-etcd
 10 |     {{- with .Values.etcd.labels }}
 11 |     {{- toYaml . | nindent 4 }}
 12 |     {{- end }}
 13 |     {{- with .Values.etcd.annotations }}
 14 |     annotations:
 15 |       {{- toYaml . | nindent 4 }}
 16 |     {{- end }}
 17 | spec:
 18 |   replicas: {{ .Values.etcd.replicaCount }}
 19 |   serviceName: {{ $fullName }}-etcd
 20 |   podManagementPolicy: Parallel
 21 |   selector:
 22 |     matchLabels:
 23 |       app: {{ $fullName }}-etcd
 24 |   template:
 25 |     metadata:
 26 |       name: {{ $fullName }}-etcd
 27 |       labels:
 28 |         app: {{ $fullName }}-etcd
 29 |         {{- with .Values.etcd.podLabels }}
 30 |         {{- toYaml . | nindent 8 }}
 31 |         {{- end }}
 32 |       {{- with .Values.etcd.podAnnotations }}
 33 |       annotations:
 34 |         {{- toYaml . | nindent 8 }}
 35 |       {{- end }}
 36 |     spec:
 37 |       {{- with .Values.etcd.nodeSelector }}
 38 |       nodeSelector:
 39 |         {{- toYaml . | nindent 8 }}
 40 |       {{- end }}
 41 |       {{- with .Values.etcd.tolerations }}
 42 |       tolerations:
 43 |       {{- toYaml . | nindent 6 }}
 44 |       {{- end }}
 45 |       {{- if or .Values.etcd.affinity .Values.etcd.podAntiAffinity }}
 46 |       affinity:
 47 |         {{- with .Values.etcd.affinity }}
 48 |         {{- toYaml . | nindent 8 }}
 49 |         {{- end }}
 50 |         {{- if eq .Values.etcd.podAntiAffinity "hard" }}
 51 |         podAntiAffinity:
 52 |           requiredDuringSchedulingIgnoredDuringExecution:
 53 |             - topologyKey: "{{ .Values.etcd.podAntiAffinityTopologyKey }}"
 54 |               labelSelector:
 55 |                 matchLabels:
 56 |                   app: {{ $fullName }}-etcd
 57 |         {{- else if eq .Values.etcd.podAntiAffinity "soft" }}
 58 |         podAntiAffinity:
 59 |           preferredDuringSchedulingIgnoredDuringExecution:
 60 |             - weight: 1
 61 |               podAffinityTerm:
 62 |                 topologyKey: "{{ .Values.etcd.podAntiAffinityTopologyKey }}"
 63 |                 labelSelector:
 64 |                   matchLabels:
 65 |                     app: {{ $fullName }}-etcd
 66 |         {{- end }}
 67 |       {{- end }}
 68 |       {{- with .Values.etcd.image.pullSecrets }}
 69 |       imagePullSecrets:
 70 |         {{- toYaml . | nindent 10 }}
 71 |       {{- end }}
 72 |       automountServiceAccountToken: false
 73 |       containers:
 74 |       - command:
 75 |         - etcd
 76 |         - --advertise-client-urls=https://$(POD_NAME).{{ $fullName }}-etcd:{{ .Values.etcd.ports.client }}
 77 |         - --cert-file=/pki/etcd/server/tls.crt
 78 |         - --client-cert-auth=true
 79 |         - --data-dir=/var/lib/etcd
 80 |         - --initial-advertise-peer-urls=https://$(POD_NAME).{{ $fullName }}-etcd:{{ .Values.etcd.ports.peer }}
 81 |         - --initial-cluster={{ template "kubernetes.etcdInitialCluster" . }}
 82 |         - --initial-cluster-state={{ ternary "new" "existing" .Release.IsInstall }}
 83 |         - --initial-cluster-token={{ $fullName }}-etcd
 84 |         - --key-file=/pki/etcd/server/tls.key
 85 |         - --listen-client-urls=https://0.0.0.0:{{ .Values.etcd.ports.client }}
 86 |         - --listen-peer-urls=https://0.0.0.0:{{ .Values.etcd.ports.peer }}
 87 |         - --listen-metrics-urls=http://0.0.0.0:{{ .Values.etcd.ports.metrics }}
 88 |         - --name=$(POD_NAME)
 89 |         - --peer-cert-file=/pki/etcd/peer/tls.crt
 90 |         - --peer-client-cert-auth=true
 91 |         - --peer-key-file=/pki/etcd/peer/tls.key
 92 |         - --peer-trusted-ca-file=/pki/etcd/ca/tls.crt
 93 |         - --snapshot-count=10000
 94 |         - --trusted-ca-file=/pki/etcd/ca/tls.crt
 95 |         {{- range $key, $value := .Values.etcd.extraArgs }}
 96 |         - --{{ $key }}={{ $value }}
 97 |         {{- end }}
 98 |         env:
 99 |         - name: POD_NAME
100 |           valueFrom:
101 |             fieldRef:
102 |               fieldPath: metadata.name
103 |         - name: ETCDCTL_API
104 |           value: "3"
105 |         - name: ETCDCTL_CACERT
106 |           value: /pki/etcd/peer/ca.crt
107 |         - name: ETCDCTL_CERT
108 |           value: /pki/etcd/peer/tls.crt
109 |         - name: ETCDCTL_KEY
110 |           value: /pki/etcd/peer/tls.key 
111 |         - name: ETCDCTL_ENDPOINTS
112 |           value: {{ template "kubernetes.etcdEndpoints" . }}
113 |         {{- with .Values.etcd.extraEnv }}
114 |         {{- toYaml . | nindent 8 }}
115 |         {{- end }}
116 |         {{- with .Values.etcd.image }}
117 |         image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
118 |         imagePullPolicy: {{ .pullPolicy }}
119 |         {{- end }}
120 |         ports:
121 |         - containerPort: {{ .Values.etcd.ports.client }}
122 |           name: client
123 |         - containerPort: {{ .Values.etcd.ports.peer }}
124 |           name: peer
125 |         - containerPort: {{ .Values.etcd.ports.metrics }}
126 |           name: metrics
127 |         livenessProbe:
128 |           failureThreshold: 8
129 |           httpGet:
130 |             path: /health
131 |             port: {{ .Values.etcd.ports.metrics }}
132 |             scheme: HTTP
133 |           initialDelaySeconds: 15
134 |           timeoutSeconds: 15
135 |         name: etcd
136 |         resources:
137 |           {{- toYaml .Values.etcd.resources | nindent 10 }}
138 |         volumeMounts:
139 |         - mountPath: /pki/etcd/ca
140 |           name: pki-etcd-certs-ca
141 |         - mountPath: /pki/etcd/peer
142 |           name: pki-etcd-certs-peer
143 |         - mountPath: /pki/etcd/server
144 |           name: pki-etcd-certs-server
145 |         - mountPath: /var/lib/etcd
146 |           name: etcd-data
147 |         {{- with .Values.etcd.extraVolumeMounts }}
148 |         {{- toYaml . | nindent 8 }}
149 |         {{- end }}
150 |       {{- with .Values.etcd.sidecars }}
151 |       {{- toYaml . | nindent 6 }}
152 |       {{- end }}
153 |       securityContext:
154 |         seccompProfile:
155 |           type: RuntimeDefault
156 |       volumes:
157 |       - secret:
158 |           secretName: {{ $fullName }}-pki-etcd-ca
159 |         name: pki-etcd-certs-ca
160 |       - secret:
161 |           secretName: {{ $fullName }}-pki-etcd-peer
162 |         name: pki-etcd-certs-peer
163 |       - secret:
164 |           secretName: {{ $fullName }}-pki-etcd-server
165 |         name: pki-etcd-certs-server
166 |       {{- if not .Values.persistence.enabled }}
167 |       - emptyDir: {}
168 |         name: etcd-data
169 |       {{- end }}
170 |       {{- with .Values.etcd.extraVolumes }}
171 |       {{- toYaml . | nindent 6 }}
172 |       {{- end }}
173 |   {{- if .Values.persistence.enabled }}
174 |   volumeClaimTemplates:
175 |   - metadata:
176 |       name: etcd-data
177 |       labels:
178 |         app: {{ $fullName }}-etcd
179 |         {{- if .Values.persistence.labels }}
180 |         {{- toYaml .Values.persistence.labels | nindent 4 }}
181 |         {{- end }}
182 |       {{- with .Values.persistence.annotations  }}
183 |       annotations:
184 |         {{- toYaml . | nindent 8 }}
185 |       {{- end }}
186 |       {{- with .Values.persistence.finalizers  }}
187 |       finalizers:
188 |         {{- toYaml . | nindent 8 }}
189 |       {{- end }}
190 |     spec:
191 |       accessModes:
192 |         {{- range .Values.persistence.accessModes }}
193 |         - {{ . | quote }}
194 |         {{- end }}
195 |       {{- if .Values.persistence.storageClassName }}
196 |       storageClassName: {{ .Values.persistence.storageClassName }}
197 |       {{- end }}
198 |       resources:
199 |         requests:
200 |           storage: {{ .Values.persistence.size | quote }}
201 |   {{- end }}
202 | {{- end }}
203 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/_helpers.tpl:
--------------------------------------------------------------------------------
  1 | {{/* vim: set filetype=gohtmltmpl: */}}
  2 | {{/*
  3 | Expand the name of the chart.
  4 | */}}
  5 | {{- define "kubernetes.name" -}}
  6 | {{- default "kubernetes" .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
  7 | {{- end -}}
  8 | 
  9 | {{/*
 10 | Create a default fully qualified app name.
 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 12 | */}}
 13 | {{- define "kubernetes.fullname" -}}
 14 | {{- if .Values.fullnameOverride -}}
 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 16 | {{- else -}}
 17 | {{- $name := default "kubernetes" .Values.nameOverride -}}
 18 | {{- if or (eq $name .Release.Name) (eq (.Release.Name | upper) "RELEASE-NAME") -}}
 19 | {{- $name | trunc 63 | trimSuffix "-" -}}
 20 | {{- else -}}
 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 22 | {{- end -}}
 23 | {{- end -}}
 24 | {{- end -}}
 25 | 
 26 | {{/*
 27 | Create a default certificate name.
 28 | */}}
 29 | {{- define "kubernetes.certname" -}}
 30 | {{- if .Values.certnameOverride -}}
 31 | {{- .Values.certnameOverride | trunc 63 | trimSuffix "-" -}}
 32 | {{- else -}}
 33 | {{- template "kubernetes.fullname" . -}}
 34 | {{- end -}}
 35 | {{- end -}}
 36 | 
 37 | {{/*
 38 | Generate etcd servers list.
 39 | */}}
 40 | {{- define "kubernetes.etcdEndpoints" -}}
 41 |   {{- $fullName := include "kubernetes.fullname" . -}}
 42 |   {{- range $etcdcount, $e := until (int .Values.etcd.replicaCount) -}}
 43 |     {{- printf "https://" -}}
 44 |     {{- printf "%s-etcd-%d." $fullName $etcdcount -}}
 45 |     {{- printf "%s-etcd:%d" $fullName (int $.Values.etcd.ports.client) -}}
 46 |     {{- if lt $etcdcount (sub (int $.Values.etcd.replicaCount) 1 ) -}}
 47 |       {{- printf "," -}}
 48 |     {{- end -}}
 49 |   {{- end -}}
 50 | {{- end -}}
 51 | 
 52 | {{- define "kubernetes.etcdInitialCluster" -}}
 53 |   {{- $fullName := include "kubernetes.fullname" . -}}
 54 |   {{- range $etcdcount, $e := until (int .Values.etcd.replicaCount) -}}
 55 |     {{- printf "%s-etcd-%d=" $fullName $etcdcount -}}
 56 |     {{- printf "https://" -}}
 57 |     {{- printf "%s-etcd-%d." $fullName $etcdcount -}}
 58 |     {{- printf "%s-etcd:%d" $fullName (int $.Values.etcd.ports.peer) -}}
 59 |     {{- if lt $etcdcount (sub (int $.Values.etcd.replicaCount) 1 ) -}}
 60 |       {{- printf "," -}}
 61 |     {{- end -}}
 62 |   {{- end -}}
 63 | {{- end -}}
 64 | 
 65 | {{/*
 66 | Take the first IP address from the serviceSubnet for the kube-dns service.
 67 | */}}
 68 | {{- define "kubernetes.getCoreDNS" -}}
 69 |   {{- $octetsList := splitList "." .Values.networking.serviceSubnet -}}
 70 |   {{- printf "%d.%d.%d.%d" (index $octetsList 0 | int) (index $octetsList 1 | int) (index $octetsList 2 | int) 10 -}}
 71 | {{- end -}}
 72 | 
 73 | {{- define "kubernetes.getAPIAddress" -}}
 74 |   {{- $octetsList := splitList "." .Values.networking.serviceSubnet -}}
 75 |   {{- printf "%d.%d.%d.%d" (index $octetsList 0 | int) (index $octetsList 1 | int) (index $octetsList 2 | int) 1 -}}
 76 | {{- end -}}
 77 | 
 78 | {{/*
 79 | Template for konnectivityServer containers
 80 | */}}
 81 | {{- define "kubernetes.konnectivityServer.containers" -}}
 82 |       - command:
 83 |         - /proxy-server
 84 |         - --logtostderr=true
 85 |         - --server-count={{ .Values.konnectivityServer.replicaCount }}
 86 |         - --server-id=$(POD_NAME)
 87 |         - --cluster-cert=/pki/apiserver/tls.crt
 88 |         - --cluster-key=/pki/apiserver/tls.key
 89 |         {{- if eq .Values.konnectivityServer.mode "HTTPConnect" }}
 90 |         - --mode=http-connect
 91 |         - --server-port={{ .Values.konnectivityServer.ports.server }}
 92 |         - --server-ca-cert=/pki/konnectivity-server/ca.crt
 93 |         - --server-cert=/pki/konnectivity-server/tls.crt
 94 |         - --server-key=/pki/konnectivity-server/tls.key
 95 |         {{- else }}
 96 |         - --mode=grpc
 97 |         - --uds-name=/run/konnectivity-server/konnectivity-server.socket
 98 |         - --server-port=0
 99 |         {{- end }}
100 |         - --agent-port={{ .Values.konnectivityServer.ports.agent }}
101 |         - --admin-port={{ .Values.konnectivityServer.ports.admin }}
102 |         - --health-port={{ .Values.konnectivityServer.ports.health }}
103 |         - --agent-namespace=kube-system
104 |         - --agent-service-account=konnectivity-agent
105 |         - --kubeconfig=/etc/kubernetes/konnectivity-server.conf
106 |         - --authentication-audience=system:konnectivity-server
107 |         {{- range $key, $value := .Values.konnectivityServer.extraArgs }}
108 |         - --{{ $key }}={{ $value }}
109 |         {{- end }}
110 |         ports:
111 |         {{- if eq .Values.konnectivityServer.mode "HTTPConnect" }}
112 |         - containerPort: {{ .Values.konnectivityServer.ports.server }}
113 |           name: server
114 |         {{- end }}
115 |         - containerPort: {{ .Values.konnectivityServer.ports.agent }}
116 |           name: agent
117 |         - containerPort: {{ .Values.konnectivityServer.ports.admin }}
118 |           name: admin
119 |         - containerPort: {{ .Values.konnectivityServer.ports.health }}
120 |           name: health
121 |         {{- with .Values.konnectivityServer.image }}
122 |         image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
123 |         imagePullPolicy: {{ .pullPolicy }}
124 |         {{- end }}
125 |         livenessProbe:
126 |           failureThreshold: 8
127 |           httpGet:
128 |             path: /healthz
129 |             port: {{ .Values.konnectivityServer.ports.health }}
130 |             scheme: HTTP
131 |           initialDelaySeconds: 30
132 |           timeoutSeconds: 60
133 |         name: konnectivity-server
134 |         resources:
135 |           {{- toYaml .Values.konnectivityServer.resources | nindent 10 }}
136 |         env:
137 |         - name: POD_NAME
138 |           valueFrom:
139 |             fieldRef:
140 |               fieldPath: metadata.name
141 |         {{- with .Values.konnectivityServer.extraEnv }}
142 |         {{- toYaml . | nindent 8 }}
143 |         {{- end }}
144 |         volumeMounts:
145 |         - mountPath: /pki/apiserver
146 |           name: pki-apiserver
147 |         {{- if eq .Values.konnectivityServer.mode "HTTPConnect" }}
148 |         - mountPath: /pki/konnectivity-server
149 |           name: pki-konnectivity-server
150 |         {{- else }}
151 |         - mountPath: /run/konnectivity-server
152 |           name: konnectivity-uds
153 |         {{- end }}
154 |         - mountPath: /pki/konnectivity-server-client
155 |           name: pki-konnectivity-server-client
156 |         - mountPath: /etc/kubernetes/
157 |           name: kubeconfig
158 |           readOnly: true
159 |         {{- with .Values.konnectivityServer.extraVolumeMounts }}
160 |         {{- toYaml . | nindent 8 }}
161 |         {{- end }}
162 | {{- end -}}
163 | 
164 | {{/*
165 | Template for konnectivityServer volumes
166 | */}}
167 | {{- define "kubernetes.konnectivityServer.volumes" -}}
168 |       - secret:
169 |           secretName: "{{ template "kubernetes.fullname" . }}-pki-apiserver-server"
170 |         name: pki-apiserver
171 |       {{- if eq .Values.konnectivityServer.mode "HTTPConnect" }}
172 |       - secret:
173 |           secretName: "{{ template "kubernetes.fullname" . }}-pki-konnectivity-server"
174 |         name: pki-konnectivity-server
175 |       {{- else }}
176 |       - secret:
177 |           secretName: "{{ template "kubernetes.fullname" . }}-pki-konnectivity-server-client"
178 |         name: pki-konnectivity-server-client
179 |       - emptyDir: {}
180 |         name: konnectivity-uds
181 |       {{- end }}
182 |       - configMap:
183 |           name: "{{ template "kubernetes.fullname" . }}-konnectivity-server-conf"
184 |         name: kubeconfig
185 |       {{- with .Values.konnectivityServer.extraVolumes }}
186 |       {{- toYaml . | nindent 6 }}
187 |       {{- end }}
188 | {{- end -}}
189 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/kubernetes-certs.yaml:
--------------------------------------------------------------------------------
  1 | {{- $fullName := include "kubernetes.fullname" . -}}
  2 | {{- $certName := include "kubernetes.certname" . -}}
  3 | ---
  4 | apiVersion: cert-manager.io/v1
  5 | kind: Certificate
  6 | metadata:
  7 |   name: "{{ $fullName }}-pki-ca"
  8 | spec:
  9 |   commonName: "{{ $certName }}-ca"
 10 |   secretName: "{{ $fullName }}-pki-ca"
 11 |   duration: 87600h # 3650d
 12 |   renewBefore: 8760h # 365d
 13 |   subject:
 14 |     organizations:
 15 |     - "{{ $fullName }}"
 16 |   usages:
 17 |   - "signing"
 18 |   - "key encipherment"
 19 |   - "cert sign"
 20 |   isCA: true
 21 |   issuerRef:
 22 |     name: "{{ $fullName }}-selfsigning-issuer"
 23 |     kind: Issuer
 24 | ---
 25 | apiVersion: cert-manager.io/v1
 26 | kind: Issuer
 27 | metadata:
 28 |   name: "{{ $fullName }}-issuer"
 29 | spec:
 30 |   ca:
 31 |     secretName: "{{ $fullName }}-pki-ca"
 32 | ---
 33 | apiVersion: cert-manager.io/v1
 34 | kind: Certificate
 35 | metadata:
 36 |   name: "{{ $fullName }}-pki-sa"
 37 | spec:
 38 |   commonName: "{{ $certName }}-sa"
 39 |   secretName: "{{ $fullName }}-pki-sa"
 40 |   duration: 87600h # 3650d
 41 |   renewBefore: 8760h # 365d
 42 |   subject:
 43 |     organizations:
 44 |     - "{{ $fullName }}"
 45 |   usages:
 46 |   - "signing"
 47 |   - "key encipherment"
 48 |   - "cert sign"
 49 |   isCA: true
 50 |   issuerRef:
 51 |     name: "{{ $fullName }}-selfsigning-issuer"
 52 |     kind: Issuer
 53 | ---
 54 | {{- $svcName1 := printf "%s-controller-manager" $fullName }}
 55 | {{- $svcName2 := printf "%s-controller-manager.%s" $fullName .Release.Namespace }}
 56 | {{- $svcName3 := printf "%s-controller-manager.%s.svc" $fullName .Release.Namespace }}
 57 | apiVersion: cert-manager.io/v1
 58 | kind: Certificate
 59 | metadata:
 60 |   name: "{{ $fullName }}-pki-controller-manager-server"
 61 | spec:
 62 |   commonName: "{{ $certName }}-controller-manager-server"
 63 |   secretName: "{{ $fullName }}-pki-controller-manager-server"
 64 |   duration: 8760h # 365d
 65 |   renewBefore: 4380h # 178d
 66 |   subject:
 67 |     organizations:
 68 |     - "{{ $fullName }}"
 69 |   usages:
 70 |   - "signing"
 71 |   - "key encipherment"
 72 |   - "server auth"
 73 |   dnsNames:
 74 |   - "{{ $svcName1 }}"
 75 |   - "{{ $svcName2 }}"
 76 |   - "{{ $svcName3 }}"
 77 |   - "localhost"
 78 |   {{- with .Values.apiServer.certSANs.dnsNames }}
 79 |   {{- . | toYaml | nindent 2 }}
 80 |   {{- end }}
 81 |   ipAddresses:
 82 |   - "127.0.0.1"
 83 |   - "{{- template "kubernetes.getAPIAddress" . }}"
 84 |   {{- with .Values.apiServer.service.loadBalancerIP }}
 85 |   {{- if not (has . $.Values.apiServer.certSANs.ipAddresses) }}
 86 |   - {{ . | quote }}
 87 |   {{- end }}
 88 |   {{- end }}
 89 |   {{- with .Values.apiServer.certSANs.ipAddresses }}
 90 |   {{- . | toYaml | nindent 2 }}
 91 |   {{- end }}
 92 |   issuerRef:
 93 |     name: "{{ $fullName }}-issuer"
 94 |     kind: Issuer
 95 | ---
 96 | {{- $svcName1 := printf "%s-scheduler" $fullName }}
 97 | {{- $svcName2 := printf "%s-scheduler.%s" $fullName .Release.Namespace }}
 98 | {{- $svcName3 := printf "%s-scheduler.%s.svc" $fullName .Release.Namespace }}
 99 | apiVersion: cert-manager.io/v1
100 | kind: Certificate
101 | metadata:
102 |   name: "{{ $fullName }}-pki-scheduler-server"
103 | spec:
104 |   commonName: "{{ $certName }}-scheduler-server"
105 |   secretName: "{{ $fullName }}-pki-scheduler-server"
106 |   duration: 8760h # 365d
107 |   renewBefore: 4380h # 178d
108 |   subject:
109 |     organizations:
110 |     - "{{ $fullName }}"
111 |   usages:
112 |   - "signing"
113 |   - "key encipherment"
114 |   - "server auth"
115 |   dnsNames:
116 |   - "{{ $svcName1 }}"
117 |   - "{{ $svcName2 }}"
118 |   - "{{ $svcName3 }}"
119 |   - "localhost"
120 |   {{- with .Values.apiServer.certSANs.dnsNames }}
121 |   {{- . | toYaml | nindent 2 }}
122 |   {{- end }}
123 |   ipAddresses:
124 |   - "127.0.0.1"
125 |   - "{{- template "kubernetes.getAPIAddress" . }}"
126 |   {{- with .Values.apiServer.service.loadBalancerIP }}
127 |   {{- if not (has . $.Values.apiServer.certSANs.ipAddresses) }}
128 |   - {{ . | quote }}
129 |   {{- end }}
130 |   {{- end }}
131 |   {{- with .Values.apiServer.certSANs.ipAddresses }}
132 |   {{- . | toYaml | nindent 2 }}
133 |   {{- end }}
134 |   issuerRef:
135 |     name: "{{ $fullName }}-issuer"
136 |     kind: Issuer
137 | ---
138 | {{- $svcName1 := printf "%s-apiserver" $fullName }}
139 | {{- $svcName2 := printf "%s-apiserver.%s" $fullName .Release.Namespace }}
140 | {{- $svcName3 := printf "%s-apiserver.%s.svc" $fullName .Release.Namespace }}
141 | apiVersion: cert-manager.io/v1
142 | kind: Certificate
143 | metadata:
144 |   name: "{{ $fullName }}-pki-apiserver-server"
145 | spec:
146 |   commonName: "{{ $certName }}-apiserver-server"
147 |   secretName: "{{ $fullName }}-pki-apiserver-server"
148 |   duration: 8760h # 365d
149 |   renewBefore: 4380h # 178d
150 |   subject:
151 |     organizations:
152 |     - "{{ $fullName }}"
153 |   usages:
154 |   - "signing"
155 |   - "key encipherment"
156 |   - "server auth"
157 |   dnsNames:
158 |   - "{{ $svcName1 }}"
159 |   - "{{ $svcName2 }}"
160 |   - "{{ $svcName3 }}"
161 |   - "localhost"
162 |   {{- with .Values.apiServer.certSANs.dnsNames }}
163 |   {{- . | toYaml | nindent 2 }}
164 |   {{- end }}
165 |   ipAddresses:
166 |   - "127.0.0.1"
167 |   - "{{- template "kubernetes.getAPIAddress" . }}"
168 |   {{- with .Values.apiServer.service.loadBalancerIP }}
169 |   {{- if not (has . $.Values.apiServer.certSANs.ipAddresses) }}
170 |   - {{ . | quote }}
171 |   {{- end }}
172 |   {{- end }}
173 |   {{- with .Values.apiServer.certSANs.ipAddresses }}
174 |   {{- . | toYaml | nindent 2 }}
175 |   {{- end }}
176 |   issuerRef:
177 |     name: "{{ $fullName }}-issuer"
178 |     kind: Issuer
179 | ---
180 | apiVersion: cert-manager.io/v1
181 | kind: Certificate
182 | metadata:
183 |   name: "{{ $fullName }}-pki-controller-manager-client"
184 | spec:
185 |   commonName: "system:kube-controller-manager"
186 |   secretName: "{{ $fullName }}-pki-controller-manager-client"
187 |   duration: 8760h # 365d
188 |   renewBefore: 4380h # 178d
189 |   subject:
190 |     organizations:
191 |     - "system:kube-controller-manager"
192 |   usages:
193 |   - "signing"
194 |   - "key encipherment"
195 |   - "client auth"
196 |   issuerRef:
197 |     name: "{{ $fullName }}-issuer"
198 |     kind: Issuer
199 | ---
200 | apiVersion: cert-manager.io/v1
201 | kind: Certificate
202 | metadata:
203 |   name: "{{ $fullName }}-pki-scheduler-client"
204 | spec:
205 |   commonName: "system:kube-scheduler"
206 |   secretName: "{{ $fullName }}-pki-scheduler-client"
207 |   duration: 8760h # 365d
208 |   renewBefore: 4380h # 178d
209 |   subject:
210 |     organizations:
211 |     - "system:kube-scheduler"
212 |   usages:
213 |   - "signing"
214 |   - "key encipherment"
215 |   - "client auth"
216 |   issuerRef:
217 |     name: "{{ $fullName }}-issuer"
218 |     kind: Issuer
219 | ---
220 | apiVersion: cert-manager.io/v1
221 | kind: Certificate
222 | metadata:
223 |   name: "{{ $fullName }}-pki-konnectivity-server-client"
224 | spec:
225 |   commonName: "system:konnectivity-server"
226 |   secretName: "{{ $fullName }}-pki-konnectivity-server-client"
227 |   duration: 8760h # 365d
228 |   renewBefore: 4380h # 178d
229 |   subject:
230 |     organizations:
231 |     - "system:konnectivity-server"
232 |   usages:
233 |   - "signing"
234 |   - "key encipherment"
235 |   - "client auth"
236 |   issuerRef:
237 |     name: "{{ $fullName }}-issuer"
238 |     kind: Issuer
239 | ---
240 | apiVersion: cert-manager.io/v1
241 | kind: Certificate
242 | metadata:
243 |   name: "{{ $fullName }}-pki-admin-client"
244 | spec:
245 |   commonName: "{{ $certName }}-admin-client"
246 |   secretName: "{{ $fullName }}-pki-admin-client"
247 |   duration: 8760h # 365d
248 |   renewBefore: 4380h # 178d
249 |   subject:
250 |     organizations:
251 |     - "system:masters"
252 |   usages:
253 |   - "signing"
254 |   - "key encipherment"
255 |   - "client auth"
256 |   issuerRef:
257 |     name: "{{ $fullName }}-issuer"
258 |     kind: Issuer
259 | ---
260 | apiVersion: cert-manager.io/v1
261 | kind: Certificate
262 | metadata:
263 |   name: "{{ $fullName }}-pki-apiserver-kubelet-client"
264 | spec:
265 |   commonName: "{{ $certName }}-apiserver-kubelet-client"
266 |   secretName: "{{ $fullName }}-pki-apiserver-kubelet-client"
267 |   duration: 8760h # 365d
268 |   renewBefore: 4380h # 178d
269 |   subject:
270 |     organizations:
271 |     - "system:masters"
272 |   usages:
273 |   - "signing"
274 |   - "key encipherment"
275 |   - "client auth"
276 |   issuerRef:
277 |     name: "{{ $fullName }}-issuer"
278 |     kind: Issuer
279 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/templates/apiserver-deployment.yaml:
--------------------------------------------------------------------------------
  1 | {{- if .Values.apiServer.enabled }}
  2 | {{- $fullName := include "kubernetes.fullname" . -}}
  3 | {{- $certName := include "kubernetes.certname" . -}}
  4 | ---
  5 | apiVersion: apps/v1
  6 | kind: Deployment
  7 | metadata:
  8 |   name: "{{ $fullName }}-apiserver"
  9 |   labels:
 10 |     app: "{{ $fullName }}-apiserver"
 11 |     {{- with .Values.apiServer.labels }}
 12 |     {{- toYaml . | nindent 4 }}
 13 |     {{- end }}
 14 |     {{- with .Values.apiServer.annotations }}
 15 |     annotations:
 16 |       {{- toYaml . | nindent 4 }}
 17 |     {{- end }}
 18 | spec:
 19 |   replicas: {{ .Values.apiServer.replicaCount }}
 20 |   selector:
 21 |     matchLabels:
 22 |       app: "{{ $fullName }}-apiserver"
 23 |   template:
 24 |     metadata:
 25 |       labels:
 26 |         app: "{{ $fullName }}-apiserver"
 27 |         {{- with .Values.apiServer.podLabels }}
 28 |         {{- toYaml . | nindent 8 }}
 29 |         {{- end }}
 30 |       annotations:
 31 |         checksum/config: {{ include (print $.Template.BasePath "/apiserver-config.yaml") . | sha256sum }}
 32 |         {{- with .Values.apiServer.podAnnotations }}
 33 |         {{- toYaml . | nindent 8 }}
 34 |         {{- end }}
 35 |     spec:
 36 |       {{- with .Values.apiServer.nodeSelector }}
 37 |       nodeSelector:
 38 |         {{- toYaml . | nindent 8 }}
 39 |       {{- end }}
 40 |       {{- with .Values.apiServer.tolerations }}
 41 |       tolerations:
 42 |       {{- toYaml . | nindent 6 }}
 43 |       {{- end }}
 44 |       {{- if or .Values.apiServer.affinity .Values.apiServer.podAntiAffinity }}
 45 |       affinity:
 46 |         {{- with .Values.apiServer.affinity }}
 47 |         {{- toYaml . | nindent 8 }}
 48 |         {{- end }}
 49 |         {{- if eq .Values.apiServer.podAntiAffinity "hard" }}
 50 |         podAntiAffinity:
 51 |           requiredDuringSchedulingIgnoredDuringExecution:
 52 |             - topologyKey: "{{ .Values.apiServer.podAntiAffinityTopologyKey }}"
 53 |               labelSelector:
 54 |                 matchLabels:
 55 |                   app: {{ $fullName }}-apiserver
 56 |         {{- else if eq .Values.apiServer.podAntiAffinity "soft" }}
 57 |         podAntiAffinity:
 58 |           preferredDuringSchedulingIgnoredDuringExecution:
 59 |             - weight: 1
 60 |               podAffinityTerm:
 61 |                 topologyKey: "{{ .Values.apiServer.podAntiAffinityTopologyKey }}"
 62 |                 labelSelector:
 63 |                   matchLabels:
 64 |                     app: {{ $fullName }}-apiserver
 65 |         {{- end }}
 66 |       {{- end }}
 67 |       {{- with .Values.apiServer.image.pullSecrets }}
 68 |       imagePullSecrets:
 69 |         {{- toYaml . | nindent 10 }}
 70 |       {{- end }}
 71 |       automountServiceAccountToken: false
 72 |       containers:
 73 |       - command:
 74 |         - kube-apiserver
 75 |         - --allow-privileged=true
 76 |         - --authorization-mode=Node,RBAC
 77 |         - --bind-address=0.0.0.0
 78 |         - --client-ca-file=/pki/apiserver-server/ca.crt
 79 |         - --enable-admission-plugins=NodeRestriction
 80 |         - --enable-bootstrap-token-auth=true
 81 |         - --etcd-cafile=/pki/apiserver-etcd-client/ca.crt
 82 |         - --etcd-certfile=/pki/apiserver-etcd-client/tls.crt
 83 |         - --etcd-keyfile=/pki/apiserver-etcd-client/tls.key
 84 |         - --etcd-servers={{ template "kubernetes.etcdEndpoints" . }}
 85 |         - --insecure-port=0
 86 |         - --kubelet-client-certificate=/pki/apiserver-kubelet-client/tls.crt
 87 |         - --kubelet-client-key=/pki/apiserver-kubelet-client/tls.key
 88 |         - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
 89 |         - --proxy-client-cert-file=/pki/front-proxy-client/tls.crt
 90 |         - --proxy-client-key-file=/pki/front-proxy-client/tls.key
 91 |         - --requestheader-allowed-names={{ $certName }}-front-proxy-client
 92 |         - --requestheader-client-ca-file=/pki/front-proxy-client/ca.crt
 93 |         - --requestheader-extra-headers-prefix=X-Remote-Extra-
 94 |         - --requestheader-group-headers=X-Remote-Group
 95 |         - --requestheader-username-headers=X-Remote-User
 96 |         - --secure-port={{ .Values.apiServer.port }}
 97 |         - --service-account-key-file=/pki/sa/tls.crt
 98 |         - --service-cluster-ip-range={{ .Values.networking.serviceSubnet }}
 99 |         - --tls-cert-file=/pki/apiserver-server/tls.crt
100 |         - --tls-private-key-file=/pki/apiserver-server/tls.key
101 |         - --egress-selector-config-file=/etc/kubernetes/egress-selector-configuration.yaml
102 |         - --service-account-issuer=https://kubernetes.default.svc.{{ .Values.networking.dnsDomain }}
103 |         - --service-account-signing-key-file=/pki/sa/tls.key
104 |         {{- if not (hasKey .Values.apiServer.extraArgs "advertise-address") }}
105 |         {{- with .Values.apiServer.service.loadBalancerIP }}
106 |         - --advertise-address={{ . }}
107 |         {{- end }}
108 |         {{- end }}
109 |         {{- range $key, $value := .Values.apiServer.extraArgs }}
110 |         - --{{ $key }}={{ $value }}
111 |         {{- end }}
112 |         ports:
113 |         - containerPort: {{ .Values.apiServer.port }}
114 |           name: client
115 |         {{- with .Values.apiServer.image }}
116 |         image: "{{ .repository }}{{ if .digest }}@{{ .digest }}{{ else }}:{{ .tag }}{{ end }}"
117 |         imagePullPolicy: {{ .pullPolicy }}
118 |         {{- end }}
119 |         livenessProbe:
120 |           failureThreshold: 8
121 |           httpGet:
122 |             path: /livez
123 |             port: {{ .Values.apiServer.port }}
124 |             scheme: HTTPS
125 |           initialDelaySeconds: 15
126 |           timeoutSeconds: 15
127 |         name: kube-apiserver
128 |         resources:
129 |           {{- toYaml .Values.apiServer.resources | nindent 10 }}
130 |         {{- with .Values.apiServer.extraEnv }}
131 |         env:
132 |         {{- toYaml . | nindent 8 }}
133 |         {{- end }}
134 |         volumeMounts:
135 |         - mountPath: /etc/kubernetes
136 |           name: apiserver-config
137 |         - mountPath: /pki/front-proxy-client
138 |           name: pki-front-proxy-client
139 |         - mountPath: /pki/apiserver-server
140 |           name: pki-apiserver-server
141 |         - mountPath: /pki/apiserver-etcd-client
142 |           name: pki-apiserver-etcd-client
143 |         - mountPath: /pki/apiserver-kubelet-client
144 |           name: pki-apiserver-kubelet-client
145 |         - mountPath: /pki/sa
146 |           name: pki-sa
147 |         {{- if and .Values.konnectivityServer.enabled (eq .Values.konnectivityServer.mode "HTTPConnect") }}
148 |         - mountPath: /pki/konnectivity-client
149 |           name: pki-konnectivity-client
150 |         {{- end }}
151 |         {{- if and .Values.konnectivityServer.enabled (eq .Values.konnectivityServer.mode "GRPC") }}
152 |         - mountPath: /run/konnectivity-server
153 |           name: konnectivity-uds
154 |         {{- end }}
155 |         {{- with .Values.apiServer.extraVolumeMounts }}
156 |         {{- toYaml . | nindent 8 }}
157 |         {{- end }}
158 |       {{- if and .Values.konnectivityServer.enabled (eq .Values.konnectivityServer.mode "GRPC") }}
159 |       {{ template "kubernetes.konnectivityServer.containers" . }}
160 |       {{- end }}
161 |       {{- with .Values.apiServer.sidecars }}
162 |       {{- toYaml . | nindent 6 }}
163 |       {{- end }}
164 |       securityContext:
165 |         seccompProfile:
166 |           type: RuntimeDefault
167 |       volumes:
168 |       - configMap:
169 |           name: "{{ $fullName }}-apiserver-config"
170 |         name: apiserver-config
171 |       - secret:
172 |           secretName: "{{ $fullName }}-pki-front-proxy-client"
173 |         name: pki-front-proxy-client
174 |       - secret:
175 |           secretName: "{{ $fullName }}-pki-apiserver-server"
176 |         name: pki-apiserver-server
177 |       - secret:
178 |           secretName: "{{ $fullName }}-pki-apiserver-etcd-client"
179 |         name: pki-apiserver-etcd-client
180 |       - secret:
181 |           secretName: "{{ $fullName }}-pki-apiserver-kubelet-client"
182 |         name: pki-apiserver-kubelet-client
183 |       - secret:
184 |           secretName: "{{ $fullName }}-pki-sa"
185 |         name: pki-sa
186 |       {{- if .Values.konnectivityServer.enabled }}
187 |       - secret:
188 |           secretName: "{{ $fullName }}-pki-konnectivity-client"
189 |         name: pki-konnectivity-client
190 |       {{- end }}
191 |       {{- if and .Values.konnectivityServer.enabled (eq .Values.konnectivityServer.mode "GRPC") }}
192 |       {{ template "kubernetes.konnectivityServer.volumes" . }}
193 |       {{- end }}
194 |       {{- with .Values.apiServer.extraVolumes }}
195 |       {{- toYaml . | nindent 6 }}
196 |       {{- end }}
197 | {{- end }}
198 | 


--------------------------------------------------------------------------------
/deploy/helm/kubernetes/values.yaml:
--------------------------------------------------------------------------------
  1 | controlPlaneEndpoint:
  2 | networking:
  3 |   dnsDomain: cluster.local
  4 |   serviceSubnet: 10.96.0.0/12
  5 |   podSubnet: #10.112.0.0/12
  6 | 
  7 | persistence:
  8 |   enabled: true
  9 |   accessModes:
 10 |     - ReadWriteOnce
 11 |   size: 1Gi
 12 |   # storageClassName: default
 13 |   annotations: {}
 14 |   finalizers:
 15 |     - kubernetes.io/pvc-protection
 16 | 
 17 |   backup:
 18 |     # existingClaim: your-claim
 19 |     # subPath: backups
 20 |     accessModes:
 21 |       - ReadWriteOnce
 22 |     size: 1Gi
 23 |     # storageClassName: default
 24 |     annotations: {}
 25 |     finalizers:
 26 |       - kubernetes.io/pvc-protection
 27 | 
 28 | etcd:
 29 |   enabled: true
 30 |   image:
 31 |     repository: k8s.gcr.io/etcd
 32 |     tag: 3.5.1-0
 33 |     pullPolicy: IfNotPresent
 34 |     pullSecrets: []
 35 |   replicaCount: 3
 36 |   resources:
 37 |     requests:
 38 |       cpu: 100m
 39 |       memory: 128Mi
 40 |     # limits:
 41 |     #   cpu: 100m
 42 |     #   memory: 128Mi
 43 | 
 44 |   certSANs:
 45 |     dnsNames: []
 46 |     ipAddresses: []
 47 | 
 48 |   extraArgs: {}
 49 |   labels: {}
 50 |   annotations: {}
 51 |   podLabels: {}
 52 |   podAnnotations: {}
 53 |   nodeSelector: {}
 54 |   tolerations: []
 55 |   podAntiAffinity: soft
 56 |   podAntiAffinityTopologyKey: kubernetes.io/hostname
 57 |   affinity: {}
 58 |   extraEnv: []
 59 |   sidecars: []
 60 |   extraVolumes: []
 61 |   extraVolumeMounts: []
 62 | 
 63 |   ports:
 64 |     client: 2379
 65 |     peer: 2380
 66 |     metrics: 2381
 67 |   service:
 68 |     enabled: true
 69 |     type: ClusterIP
 70 |     ports:
 71 |       client: 2379
 72 |       peer: 2380
 73 |       metrics: 2381
 74 |     labels: {}
 75 |     annotations: {}
 76 |     loadBalancerIP:
 77 | 
 78 |   backup:
 79 |     enabled: false
 80 |     schedule: "0 */12 * * *"
 81 |     successfulJobsHistoryLimit: 3
 82 |     failedJobsHistoryLimit: 3
 83 |     extraArgs: #{}
 84 |       debug: true
 85 |     resources:
 86 |       requests:
 87 |         cpu: 100m
 88 |         memory: 128Mi
 89 |       # limits:
 90 |       #   cpu: 100m
 91 |       #   memory: 128Mi
 92 | 
 93 |     labels: {}
 94 |     annotations: {}
 95 |     podLabels: {}
 96 |     podAnnotations: {}
 97 |     nodeSelector: {}
 98 |     tolerations: []
 99 |     podAffinity: soft
100 |     podAffinityTopologyKey: kubernetes.io/hostname
101 |     affinity: {}
102 |     extraEnv: []
103 |     sidecars: []
104 |     extraVolumes: []
105 |     extraVolumeMounts: []
106 | 
107 | apiServer:
108 |   enabled: true
109 |   image:
110 |     repository: k8s.gcr.io/kube-apiserver
111 |     tag: v1.22.4
112 |     pullPolicy: IfNotPresent
113 |     pullSecrets: []
114 |   replicaCount: 2
115 |   resources:
116 |     requests:
117 |       cpu: 100m
118 |       memory: 128Mi
119 |     # limits:
120 |     #   cpu: 100m
121 |     #   memory: 128Mi
122 | 
123 |   certSANs:
124 |     dnsNames: []
125 |     ipAddresses: []
126 | 
127 |   extraArgs: {}
128 |     # advertise-address is required for kube-proxy
129 |     #advertise-address: 10.9.8.10
130 |   labels: {}
131 |   annotations: {}
132 |   podLabels: {}
133 |   podAnnotations: {}
134 |   nodeSelector: {}
135 |   tolerations: []
136 |   podAntiAffinity: soft
137 |   podAntiAffinityTopologyKey: kubernetes.io/hostname
138 |   affinity: {}
139 |   extraEnv: []
140 |   sidecars: []
141 |   extraVolumes: []
142 |   extraVolumeMounts: []
143 | 
144 | 
145 |   port: 6443
146 |   service:
147 |     enabled: true
148 |     type: ClusterIP # NodePort / LoadBalancer
149 |     port: 6443
150 |     # Specify nodePort for apiserver service (30000-32767)
151 |     nodePort:
152 |     labels: {}
153 |     annotations: {}
154 |     loadBalancerIP:
155 | 
156 | controllerManager:
157 |   enabled: true
158 |   image:
159 |     repository: k8s.gcr.io/kube-controller-manager
160 |     tag: v1.22.4
161 |     pullPolicy: IfNotPresent
162 |     pullSecrets: []
163 |   replicaCount: 2
164 |   resources:
165 |     requests:
166 |       cpu: 100m
167 |       memory: 128Mi
168 |     # limits:
169 |     #   cpu: 100m
170 |     #   memory: 128Mi
171 | 
172 |   extraArgs: {}
173 |   labels: {}
174 |   annotations: {}
175 |   podLabels: {}
176 |   podAnnotations: {}
177 |   nodeSelector: {}
178 |   tolerations: []
179 |   podAntiAffinity: soft
180 |   podAntiAffinityTopologyKey: kubernetes.io/hostname
181 |   affinity: {}
182 |   extraEnv: []
183 |   sidecars: []
184 |   extraVolumes: []
185 |   extraVolumeMounts: []
186 | 
187 |   port: 10257
188 |   service:
189 |     enabled: true
190 |     type: ClusterIP
191 |     port: 10257
192 |     labels: {}
193 |     annotations: {}
194 |     loadBalancerIP:
195 | 
196 | scheduler:
197 |   enabled: true
198 |   image:
199 |     repository: k8s.gcr.io/kube-scheduler
200 |     tag: v1.22.4
201 |     pullPolicy: IfNotPresent
202 |     pullSecrets: []
203 |   replicaCount: 2
204 |   resources:
205 |     requests:
206 |       cpu: 100m
207 |       memory: 128Mi
208 |     # limits:
209 |     #   cpu: 100m
210 |     #   memory: 128Mi
211 | 
212 |   extraArgs: {}
213 |   labels: {}
214 |   annotations: {}
215 |   podLabels: {}
216 |   podAnnotations: {}
217 |   nodeSelector: {}
218 |   tolerations: []
219 |   podAntiAffinity: soft
220 |   podAntiAffinityTopologyKey: kubernetes.io/hostname
221 |   affinity: {}
222 |   extraEnv: []
223 |   sidecars: []
224 |   extraVolumes: []
225 |   extraVolumeMounts: []
226 | 
227 |   port: 10259
228 |   service:
229 |     enabled: true
230 |     type: ClusterIP
231 |     port: 10259
232 |     labels: {}
233 |     annotations: {}
234 |     loadBalancerIP:
235 | 
236 | admin:
237 |   enabled: true
238 |   image:
239 |     repository: ghcr.io/kvaps/kubernetes-tools
240 |     tag: v0.13.5
241 |     pullPolicy: IfNotPresent
242 |     pullSecrets: []
243 |   replicaCount: 1
244 |   resources:
245 |     requests:
246 |       cpu: 100m
247 |       memory: 128Mi
248 |     # limits:
249 |     #   cpu: 100m
250 |     #   memory: 128Mi
251 | 
252 |   job:
253 |     enabled: true
254 |     schedule: "0 0 1 */6 *"
255 |     successfulJobsHistoryLimit: 3
256 |     failedJobsHistoryLimit: 3
257 | 
258 |   labels: {}
259 |   annotations: {}
260 |   podLabels: {}
261 |   podAnnotations: {}
262 |   nodeSelector: {}
263 |   tolerations: []
264 |   podAntiAffinity: soft
265 |   podAntiAffinityTopologyKey: kubernetes.io/hostname
266 |   affinity: {}
267 |   extraEnv: []
268 |   sidecars: []
269 |   extraVolumes: []
270 |   extraVolumeMounts: []
271 | 
272 | kubeProxy:
273 |   enabled: true
274 | 
275 | coredns:
276 |   enabled: true
277 |   image:
278 |     repository: coredns/coredns
279 |     tag: 1.8.6
280 |     pullPolicy: IfNotPresent
281 |     pullSecrets: []
282 |   replicaCount: 2
283 |   resources:
284 |     limits:
285 |       memory: 170Mi
286 |     requests:
287 |       cpu: 100m
288 |       memory: 70Mi
289 | 
290 | konnectivityServer:
291 |   enabled: false
292 |   # This controls the protocol between the API Server and the Konnectivity server.
293 |   # Supported values are "GRPC" and "HTTPConnect".
294 |   # "GRPC" will deploy konnectivity-server as a sidecar for apiserver
295 |   # "HTTPConnect" will deploy konnectivity-server as separate deployment
296 |   mode: GRPC
297 |   image:
298 |     repository: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-server
299 |     tag: v0.0.24
300 |     pullPolicy: IfNotPresent
301 |     pullSecrets: []
302 |   replicaCount: 2
303 |   resources:
304 |     requests:
305 |       cpu: 100m
306 |       memory: 128Mi
307 |     # limits:
308 |     #   cpu: 100m
309 |     #   memory: 128Mi
310 | 
311 |   extraArgs: {}
312 |   labels: {}
313 |   annotations: {}
314 |   podLabels: {}
315 |   podAnnotations: {}
316 |   nodeSelector: {}
317 |   tolerations: []
318 |   podAntiAffinity: soft
319 |   podAntiAffinityTopologyKey: kubernetes.io/hostname
320 |   affinity: {}
321 |   extraEnv: []
322 |   sidecars: []
323 |   extraVolumes: []
324 |   extraVolumeMounts: []
325 | 
326 |   ports:
327 |     server: 8131
328 |     agent: 8132
329 |     admin: 8133
330 |     health: 8134
331 |   service:
332 |     enabled: true
333 |     type: ClusterIP
334 |     ports:
335 |       server: 8131
336 |       agent: 8132
337 |       admin: 8133
338 |     nodePorts:
339 |       server:
340 |       agent:
341 |       admin:
342 |     labels: {}
343 |     annotations: {}
344 |     loadBalancerIP:
345 | 
346 | konnectivityAgent:
347 |   enabled: false
348 |   image:
349 |     repository: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent
350 |     tag: v0.0.24
351 |     pullPolicy: IfNotPresent
352 |     pullSecrets: []
353 |   daemonSet: false
354 |   replicaCount: 2
355 |   hostNetwork: true
356 | 
357 |   extraArgs: {}
358 |   labels: {}
359 |   annotations: {}
360 |   podLabels: {}
361 |   podAnnotations: {}
362 |   nodeSelector: {}
363 |   tolerations: []
364 |   podAntiAffinity: soft
365 |   podAntiAffinityTopologyKey: kubernetes.io/hostname
366 |   affinity: {}
367 |   extraEnv: []
368 |   sidecars: []
369 |   extraVolumes: []
370 |   extraVolumeMounts: []
371 | 
372 |   ports:
373 |     admin: 8133
374 |     health: 8134
375 | 
376 | # these manifests will be applied inside the cluster
377 | extraManifests: {}
378 |   #namespace.yaml:
379 |   #  apiVersion: v1
380 |   #  kind: Namespace
381 |   #  metadata:
382 |   #    name: example
383 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------