diff --git a/deploy/etcd/etcd-cluster.yaml b/deploy/etcd/etcd-cluster.yaml deleted file mode 100644 index c3d694f..0000000 --- a/deploy/etcd/etcd-cluster.yaml +++ /dev/null 
@@ -1,113 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: etcd - namespace: ---- -apiVersion: v1 -kind: Service -metadata: - name: etcd-server - namespace: -spec: - type: ClusterIP - ports: - - name: client - port: 2379 - protocol: TCP - targetPort: 2379 - selector: - app: etcd ---- -apiVersion: v1 -kind: Service -metadata: - name: etcd - namespace: -spec: - clusterIP: None - ports: - - port: 2379 - name: client - - port: 2380 - name: peer - selector: - app: etcd ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: etcd - labels: - app: etcd - namespace: -spec: - serviceName: etcd - selector: - matchLabels: - app: etcd - replicas: 3 - template: - metadata: - name: etcd - labels: - app: etcd - spec: - serviceAccountName: etcd - volumes: - - name: certs - secret: - secretName: etcd-certs - containers: - - name: etcd - image: quay.io/coreos/etcd:v3.5.1 - ports: - - containerPort: 2379 - name: client - - containerPort: 2380 - name: peer - volumeMounts: - - name: data - mountPath: /var/run/etcd - - name: certs - mountPath: /etc/etcd/pki - command: - - etcd - - --data-dir=/var/run/etcd - - --name=$(POD_NAME) - - --initial-cluster-state=new - - --initial-cluster=etcd-0=https://etcd-0.etcd.$(POD_NAMESPACE).svc.cluster.local:2380,etcd-1=https://etcd-1.etcd.$(POD_NAMESPACE).svc.cluster.local:2380,etcd-2=https://etcd-2.etcd.$(POD_NAMESPACE).svc.cluster.local:2380 - - --initial-advertise-peer-urls=https://$(POD_NAME).etcd.$(POD_NAMESPACE).svc.cluster.local:2380 - - --initial-cluster-token=kamaji - - --listen-client-urls=https://0.0.0.0:2379 - - --advertise-client-urls=https://etcd-0.etcd.$(POD_NAMESPACE).svc.cluster.local:2379,https://etcd-1.etcd.$(POD_NAMESPACE).svc.cluster.local:2379,https://etcd-2.etcd.$(POD_NAMESPACE).svc.cluster.local:2379,https://etcd-server.$(POD_NAMESPACE).svc.cluster.local:2379 - - --client-cert-auth=true - - --trusted-ca-file=/etc/etcd/pki/ca.crt - - --cert-file=/etc/etcd/pki/server.pem - - 
--key-file=/etc/etcd/pki/server-key.pem - - --listen-peer-urls=https://0.0.0.0:2380 - - --peer-client-cert-auth=true - - --peer-trusted-ca-file=/etc/etcd/pki/ca.crt - - --peer-cert-file=/etc/etcd/pki/peer.pem - - --peer-key-file=/etc/etcd/pki/peer-key.pem - - --auto-compaction-mode=periodic - - --auto-compaction-retention=5m - - --v=8 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: ["ReadWriteOnce"] - resources: - requests: - storage: 2Gi - diff --git a/helm/kamaji/Chart.yaml b/helm/kamaji/Chart.yaml index 238d870..7316f3e 100644 --- a/helm/kamaji/Chart.yaml +++ b/helm/kamaji/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.1.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm/kamaji/README.md b/helm/kamaji/README.md index 388fa3c..6da384e 100644 --- a/helm/kamaji/README.md +++ b/helm/kamaji/README.md 
@@ -1,36 +1,24 @@ # kamaji -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) +![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square) A Kubernetes distribution aimed to build and operate a Managed Kubernetes service with a fraction of operational burde. **Homepage:** -## Installing the Chart - -To install the chart with the release name `kamaji`: - ### Pre-requisites -1. Deploy a [multi-tenant Etcd cluster](https://github.com/clastix/kamaji-internal/blob/master/deploy/getting-started-with-kamaji.md#setup-internal-multi-tenant-etcd) -2. Create the `Secret` containing the Etcd CA cert keypair: +Kamaji requires a [multi-tenant etcd cluster](https://github.com/clastix/kamaji-internal/blob/master/deploy/getting-started-with-kamaji.md#setup-internal-multi-tenant-etcd) cluster. +The installation and provisioning processes are already put in place by the Helm Chart starting from v0.1.1 in order to streamline the local test. -``` -kubectl -n kamaji-system create secret generic etcd-certs \ - --from-file=/path/to/etcd/ca.crt \ - --from-file=/path/to/etcd/ca.key -``` +> For production use an externally managed etcd is highly recommended, the etcd addon offered by this chart is not considered production-grade. -3. 
Create a `Secret` containing the Etcd root user client cert keypair: - -``` -kubectl -n kamaji-system create secret tls root-client-certs \ - --cert=/path/to/etcd/root.pem \ - --key=/path/to/etcd/root-key.pem -``` +If you'd like to use an externally managed etcd instance, you can specify the overrides and by setting the value `etcd.deploy=false`. ### Install Kamaji +To install the chart with the release name `kamaji`: + ```console helm upgrade --install --namespace kamaji-system --create-namespace kamaji . ``` 
@@ -57,12 +45,15 @@ Kubernetes: `>=1.18` |-----|------|---------|-------------| | affinity | object | `{}` | Kubernetes affinity rules to apply to Kamaji controller pods | | configPath | string | `"./kamaji.yaml"` | Configuration file path alternative. (default "./kamaji.yaml") | -| etcd.caSecret.name | string | `"etcd-certs"` | Name of the secret which contains CA's certificate and private key. (default: "etcd-certs") | -| etcd.caSecret.namespace | string | `"kamaji-system"` | Namespace of the secret which contains CA's certificate and private key. (default: "kamaji") | -| etcd.clientSecret.name | string | `"root-client-certs"` | Name of the secret which contains ETCD client certificates. (default: "root-client-certs") | -| etcd.clientSecret.namespace | string | `"kamaji-system"` | Name of the namespace where the secret which contains ETCD client certificates is. (default: "kamaji") | | etcd.compactionInterval | int | `0` | ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) | -| etcd.endpoints | string | `"https://etcd-0.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-1.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-2.etcd.kamaji-system.svc.cluster.local:2379"` | (string) Comma-separated list of the endpoints of the etcd cluster's members. | +| etcd.deploy | bool | `true` | Install an etcd 3.5 with enabled multi-tenancy along with Kamaji | +| etcd.overrides.caSecret.name | string | `"etcd-certs"` | Name of the secret which contains CA's certificate and private key. (default: "etcd-certs") | +| etcd.overrides.caSecret.namespace | string | `"kamaji-system"` | Namespace of the secret which contains CA's certificate and private key. (default: "kamaji-system") | +| etcd.overrides.clientSecret.name | string | `"root-client-certs"` | Name of the secret which contains ETCD client certificates. 
(default: "root-client-certs") | +| etcd.overrides.clientSecret.namespace | string | `"kamaji-system"` | Name of the namespace where the secret which contains ETCD client certificates is. (default: "kamaji-system") | +| etcd.overrides.endpoints | string | `"https://etcd-0.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-1.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-2.etcd.kamaji-system.svc.cluster.local:2379"` | (string) Comma-separated list of the endpoints of the etcd cluster's members. | +| etcd.serviceAccount.create | bool | `true` | Create a ServiceAccount, required to install and provision the etcd backing storage (default: true) | +| etcd.serviceAccount.name | string | `""` | Define the ServiceAccount name to use during the setup and provision of the etcd backing storage (default: "") | | extraArgs | list | `[]` | A list of extra arguments to add to the kamaji controller default ones | | fullnameOverride | string | `""` | | | healthProbeBindAddress | string | `":8081"` | The address the probe endpoint binds to. (default ":8081") | diff --git a/helm/kamaji/README.md.gotmpl b/helm/kamaji/README.md.gotmpl index 6955117..80f3b6a 100644 --- a/helm/kamaji/README.md.gotmpl +++ b/helm/kamaji/README.md.gotmpl 
@@ -7,31 +7,19 @@ {{ template "chart.homepageLine" . }} -## Installing the Chart - -To install the chart with the release name `kamaji`: - ### Pre-requisites -1. Deploy a [multi-tenant Etcd cluster](https://github.com/clastix/kamaji-internal/blob/master/deploy/getting-started-with-kamaji.md#setup-internal-multi-tenant-etcd) -2. Create the `Secret` containing the Etcd CA cert keypair: +Kamaji requires a [multi-tenant etcd cluster](https://github.com/clastix/kamaji-internal/blob/master/deploy/getting-started-with-kamaji.md#setup-internal-multi-tenant-etcd) cluster. +The installation and provisioning processes are already put in place by the Helm Chart starting from v0.1.1 in order to streamline the local test. -``` -kubectl -n kamaji-system create secret generic etcd-certs \ - --from-file=/path/to/etcd/ca.crt \ - --from-file=/path/to/etcd/ca.key -``` +> For production use an externally managed etcd is highly recommended, the etcd addon offered by this chart is not considered production-grade. -3. Create a `Secret` containing the Etcd root user client cert keypair: - -``` -kubectl -n kamaji-system create secret tls root-client-certs \ - --cert=/path/to/etcd/root.pem \ - --key=/path/to/etcd/root-key.pem -``` +If you'd like to use an externally managed etcd instance, you can specify the overrides and by setting the value `etcd.deploy=false`. ### Install Kamaji +To install the chart with the release name `kamaji`: + ```console helm upgrade --install --namespace kamaji-system --create-namespace kamaji . ``` diff --git a/helm/kamaji/templates/_helpers_etcd.tpl b/helm/kamaji/templates/_helpers_etcd.tpl new file mode 100644 index 0000000..91af2cd --- /dev/null +++ b/helm/kamaji/templates/_helpers_etcd.tpl 
@@ -0,0 +1,120 @@ +{{/* +Create a default fully qualified etcd name. +*/}} +{{- define "etcd.fullname" -}} +{{- printf "etcd" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "etcd.serviceAccountName" -}} +{{- if .Values.etcd.serviceAccount.create }} +{{- default (include "etcd.fullname" .) .Values.etcd.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.etcd.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the Service to use +*/}} +{{- define "etcd.serviceName" -}} +{{- printf "%s" (include "etcd.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "etcd.labels" -}} +app.kubernetes.io/name: {{ include "kamaji.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/components: etcd +{{- end }} + +{{/* +Selector labels. +*/}} +{{- define "etcd.selectorLabels" -}} +app.kubernetes.io/name: {{ include "kamaji.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/component: etcd +{{- end }} + +{{/* +Name of the etcd CA secret. +*/}} +{{- define "etcd.caSecretName" }} +{{- if .Values.etcd.deploy }} +{{- printf "%s-%s" (include "etcd.fullname" .) "certs" | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- required "A valid .Values.etcd.overrides.caSecret.name required!" .Values.etcd.overrides.caSecret.name }} +{{- end }} +{{- end }} + +{{/* +Namespace of the etcd CA secret. +*/}} +{{- define "etcd.caSecretNamespace" }} +{{- if .Values.etcd.deploy }} +{{- .Release.Namespace }} +{{- else }} +{{- required "A valid .Values.etcd.overrides.caSecret.namespace required!" .Values.etcd.overrides.caSecret.namespace }} +{{- end }} +{{- end }} + +{{/* +Name of the certificate signing requests for the certificates required by etcd. +*/}} +{{- define "etcd.csrConfigMapName" }} +{{- printf "%s-csr" (include "etcd.fullname" .) }} +{{- end }} + +{{/* +Name of the etcd root-client secret. 
+*/}} +{{- define "etcd.clientSecretName" }} +{{- if .Values.etcd.deploy }} +{{- printf "root-client-certs" }} +{{- else }} +{{- required "A valid .Values.etcd.overrides.clientSecret.name required!" .Values.etcd.overrides.clientSecret.name }} +{{- end }} +{{- end }} + +{{/* +Namespace of the etcd root-client secret. +*/}} +{{- define "etcd.clientSecretNamespace" }} +{{- if .Values.etcd.deploy }} +{{- .Release.Namespace }} +{{- else }} +{{- required "A valid .Values.etcd.overrides.clientSecret.namespace required!" .Values.etcd.overrides.clientSecret.namespace }} +{{- end }} +{{- end }} + +{{/* +List the declared etcd endpoints, using the overrides in case of unmanaged etcd. +*/}} +{{- define "etcd.endpoints" }} +{{- if .Values.etcd.deploy }} +{{- range $count := until 3 -}} + {{- printf "https://%s-%d.%s.%s.svc.cluster.local:2379" "etcd" $count ( include "etcd.serviceName" . ) $.Release.Namespace -}} + {{- if lt $count ( sub 3 1 ) -}} + {{- printf "," -}} + {{- end -}} +{{- end }} +{{- else }} +{{- required "A valid .Values.etcd.overrides.endpoints required!" .Values.etcd.overrides.endpoints }} +{{- end }} +{{- end }} + +{{/* +Retrieve the current Kubernetes version to launch a kubectl container with the minimum version skew possible. +*/}} +{{- define "etcd.jobsTagKubeVersion" -}} +{{- if contains "-eks-" .Capabilities.KubeVersion.GitVersion }} +{{- print "v" .Capabilities.KubeVersion.Major "." (.Capabilities.KubeVersion.Minor | replace "+" "") -}} +{{- else }} +{{- print "v" .Capabilities.KubeVersion.Major "." .Capabilities.KubeVersion.Minor -}} +{{- end }} +{{- end }} diff --git a/helm/kamaji/templates/controller.yaml b/helm/kamaji/templates/controller.yaml index fba49ff..422cea1 100644 --- a/helm/kamaji/templates/controller.yaml +++ b/helm/kamaji/templates/controller.yaml 
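Review bot: `etcd.labels` emits the key `app.kubernetes.io/components: etcd` while `etcd.selectorLabels` emits `app.kubernetes.io/component: etcd`, so the metadata label and the selector label disagree on the recommended-label key; the plural form reads as a typo and should become `app.kubernetes.io/component: etcd`. Inside the `range $count := until 3` loop of `etcd.endpoints`, `.` is the loop variable, so `include "etcd.serviceName" .` passes the integer instead of the chart context — it works today only because `etcd.fullname` ignores its argument; use `( include "etcd.serviceName" $ )` instead. The same `.`-inside-range pattern appears in the `server-csr.json` and `peer-csr.json` blocks of etcd_cm.yaml. The member count `3` is also repeated here, in etcd_cm.yaml's `until 3` and as `replicas: 3` in etcd_sts.yaml; a single value such as `.Values.etcd.replicas` would keep the endpoint list, the certificate SANs and the StatefulSet in step.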
@@ -40,12 +40,12 @@ spec: protocol: TCP - args: - --config-file={{ .Values.configPath }} - - --etcd-ca-secret-name={{ .Values.etcd.caSecret.name }} - - --etcd-ca-secret-namespace={{ .Values.etcd.caSecret.namespace }} - - --etcd-client-secret-name={{ .Values.etcd.clientSecret.name }} - - --etcd-client-secret-namespace={{ .Values.etcd.clientSecret.namespace }} + - --etcd-ca-secret-name={{ include "etcd.caSecretName" . }} + - --etcd-ca-secret-namespace={{ include "etcd.caSecretNamespace" . }} + - --etcd-client-secret-name={{ include "etcd.clientSecretName" . }} + - --etcd-client-secret-namespace={{ include "etcd.clientSecretNamespace" . }} - --etcd-compaction-interval={{ .Values.etcd.compactionInterval }} - - --etcd-endpoints={{ .Values.etcd.endpoints }} + - --etcd-endpoints={{ include "etcd.endpoints" . }} - --health-probe-bind-address={{ .Values.healthProbeBindAddress }} - --leader-elect - --metrics-bind-address={{ .Values.metricsBindAddress }} diff --git a/helm/kamaji/templates/etcd_cm.yaml b/helm/kamaji/templates/etcd_cm.yaml new file mode 100644 index 0000000..c70d525 --- /dev/null +++ b/helm/kamaji/templates/etcd_cm.yaml 
@@ -0,0 +1,94 @@ +{{- if .Values.etcd.deploy }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "etcd.labels" . | nindent 4 }} + name: {{ include "etcd.csrConfigMapName" . }} + namespace: {{ .Release.Namespace }} +data: + ca-csr.json: |- + { + "CN": "Clastix CA", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "IT", + "ST": "Italy", + "L": "Milan" + } + ] + } + config.json: |- + { + "signing": { + "default": { + "expiry": "8760h" + }, + "profiles": { + "server-authentication": { + "usages": ["signing", "key encipherment", "server auth"], + "expiry": "8760h" + }, + "client-authentication": { + "usages": ["signing", "key encipherment", "client auth"], + "expiry": "8760h" + }, + "peer-authentication": { + "usages": ["signing", "key encipherment", "server auth", "client auth"], + "expiry": "8760h" + } + } + } + } + server-csr.json: |- + { + "CN": "etcd", + "key": { + "algo": "rsa", + "size": 2048 + }, + "hosts": [ +{{- range $count := until 3 -}} + {{ printf "\"etcd-%d.%s.%s.svc.cluster.local\"," $count (include "etcd.serviceName" .) $.Release.Namespace }} +{{- end }} + "etcd-server.{{ .Release.Namespace }}.svc.cluster.local", + "etcd-server.{{ .Release.Namespace }}.svc", + "etcd-server", + "127.0.0.1" + ] + } + peer-csr.json: |- + { + "CN": "etcd", + "key": { + "algo": "rsa", + "size": 2048 + }, + "hosts": [ +{{- range $count := until 3 -}} + {{ printf "\"etcd-%d\"," $count }} + {{ printf "\"etcd-%d.%s\"," $count (include "etcd.serviceName" .) }} + {{ printf "\"etcd-%d.%s.%s.svc\"," $count (include "etcd.serviceName" .) $.Release.Namespace }} + {{ printf "\"etcd-%d.%s.%s.svc.cluster.local\"," $count (include "etcd.serviceName" .) $.Release.Namespace }} +{{- end }} + "127.0.0.1" + ] + } + root-client-csr.json: |- + { + "CN": "root", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "system:masters" + } + ] + } +{{- end }} 
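Review bot: Every profile in `config.json` sets `"expiry": "8760h"`, so the server, peer and root-client certificates issued by the setup job stop validating one year after installation, and no renewal path is visible in this diff (the setup job runs only on `post-install`); a comment above the `config.json:` key such as `# NOTE: every profile issues certificates valid for 8760h (one year); plan a rotation before they expire` makes that visible, and a `.Values.etcd.certExpiry` knob would let operators choose. `ca-csr.json` carries no `ca.expiry` entry, so the CA lifetime falls back to cfssl's default rather than a value the chart states — worth spelling out next to it. The peer and server `"hosts"` lists include `127.0.0.1`, which is needed only for loopback clients; if nothing on the pod talks to etcd over loopback the SAN can be dropped to keep the certificates minimal.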
diff --git a/helm/kamaji/templates/etcd_job_postdelete.yaml b/helm/kamaji/templates/etcd_job_postdelete.yaml new file mode 100644 index 0000000..ee18b4f --- /dev/null +++ b/helm/kamaji/templates/etcd_job_postdelete.yaml @@ -0,0 +1,31 @@ +{{- if .Values.etcd.deploy }} +apiVersion: batch/v1 +kind: Job +metadata: + labels: + {{- include "etcd.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded + name: "{{ .Release.Name }}-etcd-teardown" + namespace: {{ .Release.Namespace }} +spec: + template: + metadata: + name: "{{ .Release.Name }}" + spec: + serviceAccountName: {{ include "etcd.serviceAccountName" . }} + restartPolicy: Never + containers: + - name: kubectl + image: {{ printf "clastix/kubectl:%s" (include "etcd.jobsTagKubeVersion" .) }} + command: + - kubectl + - --namespace={{ .Release.Namespace }} + - delete + - secret + - --ignore-not-found=true + - {{ include "etcd.caSecretName" . }} + - {{ include "etcd.clientSecretName" . }} +{{- end }} diff --git a/helm/kamaji/templates/etcd_job_postinstall.yaml b/helm/kamaji/templates/etcd_job_postinstall.yaml new file mode 100644 index 0000000..e2c3b30 --- /dev/null +++ b/helm/kamaji/templates/etcd_job_postinstall.yaml 
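Review bot: The file is named etcd_job_postdelete.yaml but the Job is annotated `"helm.sh/hook": pre-delete`, which is the right choice because the ServiceAccount and Role the job depends on are removed with the release; renaming the file to `etcd_job_predelete.yaml` spares the next reader a search for a post-delete hook. The Job sets no `backoffLimit`, so a failing kubectl run is retried under the Job controller's default; `backoffLimit: 3` under `spec` would bound that. The job only deletes the two secrets, so the data PVCs created from the StatefulSet's `volumeClaimTemplates` survive an uninstall — worth a one-line comment so operators know etcd state is retained.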
@@ -0,0 +1,91 @@ +{{- if .Values.etcd.deploy }} +apiVersion: batch/v1 +kind: Job +metadata: + labels: + {{- include "etcd.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded + name: "{{ .Release.Name }}-etcd-setup" + namespace: {{ .Release.Namespace }} +spec: + template: + metadata: + name: "{{ .Release.Name }}" + spec: + serviceAccountName: {{ include "etcd.serviceAccountName" . }} + restartPolicy: Never + initContainers: + - name: cfssl + image: cfssl/cfssl:latest + command: + - bash + - -c + - |- + cfssl gencert -initca /csr/ca-csr.json | cfssljson -bare /certs/ca && + mv /certs/ca.pem /certs/ca.crt && mv /certs/ca-key.pem /certs/ca.key && + cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=peer-authentication /csr/peer-csr.json | cfssljson -bare /certs/peer && + cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=peer-authentication /csr/server-csr.json | cfssljson -bare /certs/server && + cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=client-authentication /csr/root-client-csr.json | cfssljson -bare /certs/root-client + volumeMounts: + - mountPath: /certs + name: certs + - mountPath: /csr + name: csr + - name: kubectl + image: {{ printf "clastix/kubectl:%s" (include "etcd.jobsTagKubeVersion" .) }} + command: + - sh + - -c + - |- + kubectl --namespace={{ .Release.Namespace }} delete secret --ignore-not-found=true {{ include "etcd.caSecretName" . }} {{ include "etcd.clientSecretName" . }} && + kubectl --namespace={{ .Release.Namespace }} create secret generic {{ include "etcd.caSecretName" . 
}} --from-file=/certs/ca.crt --from-file=/certs/ca.key --from-file=/certs/peer-key.pem --from-file=/certs/peer.pem --from-file=/certs/server-key.pem --from-file=/certs/server.pem && + kubectl --namespace={{ .Release.Namespace }} create secret tls {{ include "etcd.clientSecretName" . }} --key=/certs/root-client-key.pem --cert=/certs/root-client.pem && + kubectl --namespace={{ .Release.Namespace }} rollout status sts/etcd --timeout=120s + volumeMounts: + - mountPath: /certs + name: certs + containers: + - command: + - bash + - -c + - |- + etcdctl member list -w table && + etcdctl user add --no-password=true root && + etcdctl role add root && + etcdctl user grant-role root root && + etcdctl auth enable + env: + - name: ETCDCTL_ENDPOINTS + value: https://etcd-0.{{ include "etcd.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local:2379 + - name: ETCDCTL_CACERT + value: /opt/certs/ca/ca.crt + - name: ETCDCTL_CERT + value: /opt/certs/root-certs/tls.crt + - name: ETCDCTL_KEY + value: /opt/certs/root-certs/tls.key + image: quay.io/coreos/etcd:v3.5.1 + imagePullPolicy: Always + name: etcd-client + volumeMounts: + - name: root-certs + mountPath: /opt/certs/root-certs + - name: certs + mountPath: /opt/certs/ca + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + volumes: + - name: root-certs + secret: + secretName: {{ include "etcd.clientSecretName" . }} + optional: true + - name: csr + configMap: + name: {{ include "etcd.csrConfigMapName" . }} + - name: certs + emptyDir: {} +{{- end }} diff --git a/helm/kamaji/templates/etcd_rbac.yaml b/helm/kamaji/templates/etcd_rbac.yaml new file mode 100644 index 0000000..a867616 --- /dev/null +++ b/helm/kamaji/templates/etcd_rbac.yaml 
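Review bot: In the cfssl init container the server certificate is issued with `-profile=peer-authentication` although `config.json` defines a dedicated `server-authentication` profile; the peer profile carries `client auth` as well, so the serving certificate receives a key usage it does not need. The line should read `cfssl gencert -ca=/certs/ca.crt -ca-key=/certs/ca.key -config=/csr/config.json -profile=server-authentication /csr/server-csr.json | cfssljson -bare /certs/server &&`. The init image `cfssl/cfssl:latest` is unpinned while etcd is pinned to `v3.5.1`; pinning a cfssl tag or digest keeps the generated certificate material reproducible. The `root-certs` volume is `optional: true` and refers to a Secret that is only created by the kubectl init container of the same pod, so the etcd-client container may see an empty mount until the kubelet re-syncs the volume — worth confirming that this cannot reach `etcdctl auth enable` with missing client credentials.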
@@ -0,0 +1,49 @@ +{{- if .Values.etcd.deploy }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + {{- include "etcd.labels" . | nindent 4 }} + name: etcd-gen-certs-role + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - delete + resourceNames: + - {{ include "etcd.caSecretName" . }} + - {{ include "etcd.clientSecretName" . }} + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{- include "etcd.labels" . | nindent 4 }} + name: etcd-gen-certs-rolebiding + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: etcd-gen-certs-role +subjects: + - kind: ServiceAccount + name: {{ include "etcd.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/helm/kamaji/templates/etcd_sa.yaml b/helm/kamaji/templates/etcd_sa.yaml new file mode 100644 index 0000000..b14b31d --- /dev/null +++ b/helm/kamaji/templates/etcd_sa.yaml @@ -0,0 +1,9 @@ +{{- if .Values.etcd.deploy }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "etcd.labels" . | nindent 4 }} + name: {{ include "etcd.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/helm/kamaji/templates/etcd_service.yaml b/helm/kamaji/templates/etcd_service.yaml new file mode 100644 index 0000000..b0f5fe2 --- /dev/null +++ b/helm/kamaji/templates/etcd_service.yaml 
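Review bot: The RoleBinding name `etcd-gen-certs-rolebiding` drops a letter; `name: etcd-gen-certs-rolebinding` matches the Role's naming. Both the Role and the RoleBinding use fixed names whereas the Jobs are release-derived (`{{ .Release.Name }}-etcd-setup`), so two releases in one namespace would collide on these RBAC objects. The rules themselves are tight — `delete` is limited by `resourceNames` to the two secrets and `create` is the only unscoped secret verb — and should stay that way if the binding is renamed.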
@@ -0,0 +1,18 @@ +{{- if .Values.etcd.deploy }} +apiVersion: v1 +kind: Service +metadata: + labels: + {{- include "etcd.labels" . | nindent 4 }} + name: {{ include "etcd.serviceName" . }} + namespace: {{ .Release.Namespace }} +spec: + clusterIP: None + ports: + - port: 2379 + name: client + - port: 2380 + name: peer + selector: + {{- include "etcd.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/helm/kamaji/templates/etcd_sts.yaml b/helm/kamaji/templates/etcd_sts.yaml new file mode 100644 index 0000000..49e1195 --- /dev/null +++ b/helm/kamaji/templates/etcd_sts.yaml 
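Review bot: Only the headless Service named by `etcd.serviceName` is created here, yet `server-csr.json` in etcd_cm.yaml still lists `etcd-server.{{ .Release.Namespace }}.svc.cluster.local`, `etcd-server.{{ .Release.Namespace }}.svc` and `etcd-server` as SANs — names the deleted deploy/etcd/etcd-cluster.yaml served through a separate ClusterIP Service that this chart does not add. Unless that Service lives in a template outside this diff, either add it back or drop those SANs from the CSR so the certificate only names endpoints that exist.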
@@ -0,0 +1,97 @@ +{{- if .Values.etcd.deploy }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + {{- include "etcd.labels" . | nindent 4 }} + name: {{ include "etcd.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + serviceName: {{ include "etcd.serviceName" . }} + selector: + matchLabels: + {{- include "etcd.selectorLabels" . | nindent 6 }} + replicas: 3 + template: + metadata: + name: etcd + labels: + {{- include "etcd.selectorLabels" . | nindent 8 }} + spec: + volumes: + - name: certs + secret: + secretName: {{ include "etcd.caSecretName" . }} + containers: + - name: etcd + image: quay.io/coreos/etcd:v3.5.1 + ports: + - containerPort: 2379 + name: client + - containerPort: 2380 + name: peer + volumeMounts: + - name: data + mountPath: /var/run/etcd + - name: certs + mountPath: /etc/etcd/pki + command: + - etcd + - --data-dir=/var/run/etcd + - --name=$(POD_NAME) + - --initial-cluster-state=new + - --initial-cluster=etcd-0=https://etcd-0.etcd.$(POD_NAMESPACE).svc.cluster.local:2380,etcd-1=https://etcd-1.etcd.$(POD_NAMESPACE).svc.cluster.local:2380,etcd-2=https://etcd-2.etcd.$(POD_NAMESPACE).svc.cluster.local:2380 + - --initial-advertise-peer-urls=https://$(POD_NAME).etcd.$(POD_NAMESPACE).svc.cluster.local:2380 + - --initial-cluster-token=kamaji + - --listen-client-urls=https://0.0.0.0:2379 + - --advertise-client-urls={{ include "etcd.endpoints" . 
}} + - --client-cert-auth=true + - --trusted-ca-file=/etc/etcd/pki/ca.crt + - --cert-file=/etc/etcd/pki/server.pem + - --key-file=/etc/etcd/pki/server-key.pem + - --listen-peer-urls=https://0.0.0.0:2380 + - --peer-client-cert-auth=true + - --peer-trusted-ca-file=/etc/etcd/pki/ca.crt + - --peer-cert-file=/etc/etcd/pki/peer.pem + - --peer-key-file=/etc/etcd/pki/peer-key.pem + - --auto-compaction-mode=periodic + - --auto-compaction-retention=5m + - --v=8 + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + livenessProbe: + failureThreshold: 8 + httpGet: + host: 127.0.0.1 + path: /health + port: 2381 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + startupProbe: + failureThreshold: 24 + httpGet: + host: 127.0.0.1 + path: /health + port: 2381 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 8Gi +{{- end }} diff --git a/helm/kamaji/values.yaml b/helm/kamaji/values.yaml index 2d713ae..9de4ad4 100644 --- a/helm/kamaji/values.yaml +++ b/helm/kamaji/values.yaml 
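Review bot: Both `livenessProbe` and `startupProbe` query `http://127.0.0.1:2381/health`, but the `command` list never passes `--listen-metrics-urls`, so nothing listens on 2381 and the probes fail until the startup probe's 24 failures kill the container. Add `- --listen-metrics-urls=http://127.0.0.1:2381` to the command, which is the listener those probes assume. `--initial-cluster` and `--initial-advertise-peer-urls` hard-code `etcd` as the Service name while `serviceName` comes from `include "etcd.serviceName" .`; building the URLs from the helper keeps them consistent if the helper changes. `--v=8` asks for a very high log verbosity as a chart default; a lower level, or a `.Values.etcd.logLevel` knob, would be more appropriate for a shipped template.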
@@ -19,24 +19,29 @@ extraArgs: [] configPath: "./kamaji.yaml" etcd: - caSecret: - # -- Name of the secret which contains CA's certificate and private key. (default: "etcd-certs") - name: etcd-certs - # -- Namespace of the secret which contains CA's certificate and private key. (default: "kamaji") - namespace: kamaji-system - - clientSecret: - # -- Name of the secret which contains ETCD client certificates. (default: "root-client-certs") - name: root-client-certs - # -- Name of the namespace where the secret which contains ETCD client certificates is. (default: "kamaji") - namespace: kamaji-system - + # -- Install an etcd 3.5 with enabled multi-tenancy along with Kamaji + deploy: true + serviceAccount: + # -- Create a ServiceAccount, required to install and provision the etcd backing storage (default: true) + create: true + # -- Define the ServiceAccount name to use during the setup and provision of the etcd backing storage (default: "") + name: "" + overrides: + caSecret: + # -- Name of the secret which contains CA's certificate and private key. (default: "etcd-certs") + name: etcd-certs + # -- Namespace of the secret which contains CA's certificate and private key. (default: "kamaji-system") + namespace: kamaji-system + clientSecret: + # -- Name of the secret which contains ETCD client certificates. (default: "root-client-certs") + name: root-client-certs + # -- Name of the namespace where the secret which contains ETCD client certificates is. (default: "kamaji-system") + namespace: kamaji-system + # -- (string) Comma-separated list of the endpoints of the etcd cluster's members. + endpoints: "https://etcd-0.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-1.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-2.etcd.kamaji-system.svc.cluster.local:2379" # -- ETCD Compaction interval (e.g. "5m0s"). (default: "0" (disabled)) compactionInterval: 0 - # -- (string) Comma-separated list of the endpoints of the etcd cluster's members. 
- endpoints: "https://etcd-0.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-1.etcd.kamaji-system.svc.cluster.local:2379,https://etcd-2.etcd.kamaji-system.svc.cluster.local:2379" - # -- The address the probe endpoint binds to. (default ":8081") healthProbeBindAddress: ":8081"
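Review bot: The `etcd.overrides.*` values are only read when `etcd.deploy` is `false`, and the helpers wrap each of them in `required`, yet every one ships with a non-empty default — `etcd-certs`, `root-client-certs`, `kamaji-system` and an endpoint list pointing at `etcd-N.etcd.kamaji-system.svc.cluster.local`. A user who sets `deploy: false` and forgets the overrides therefore gets a controller silently pointed at secrets and endpoints that describe the in-chart deployment, in a namespace that may not be the release namespace, instead of the `required` error. Shipping the overrides empty (`name: ""`, `namespace: ""`, `endpoints: ""`) lets `required` enforce explicit external-etcd configuration.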