Update charts to support api registration

config-syncer · Feb 13, 2018 · 0b92ab1 · 0b92ab1
1 parent 0ec92b3
commit 0b92ab1
Show file tree

Hide file tree

Showing 6 changed files with 177 additions and 43 deletions.
diff --git a/chart/stable/kubed/README.md b/chart/stable/kubed/README.md
@@ -39,18 +39,22 @@ The command removes all the Kubernetes components associated with the chart and
 The following tables lists the configurable parameters of the Kubed chart and their default values.
 
 
-| Parameter                 | Description                                                       | Default            |
-| --------------------------| ------------------------------------------------------------------|--------------------|
-| `replicaCount`            | Number of kubed operator replicas to create (only 1 is supported) | `1`                |
-| `image`                   | container image                                                   | `appscode/kubed`   |
-| `tag`                     | container image tag                                               | `0.5.0`            |
-| `imagePullSecrets`        | Specify image pull secrets                                        | `nil` (does not add image pull secrets to deployed pods) |
-| `imagePullPolicy`         | Image pull policy                                                 | `IfNotPresent`     |
-| `criticalAddon`           | If true, installs kubed operator as critical addon                | `false`            |
-| `logLevel`                | Log level for kubed                                               | `3`                |
-| `nodeSelector`            | Node labels for pod assignment                                    | `{}`               |
-| `rbac.create`             | install required rbac service account, roles and rolebindings     | `false`            |
-| `rbac.serviceAccountName` | ServiceAccount Kubed will use (ignored if rbac.create=true)       | `default`          |
+| Parameter                          | Description                                                       | Default            |
+| -----------------------------------| ------------------------------------------------------------------|--------------------|
+| `replicaCount`                     | Number of kubed operator replicas to create (only 1 is supported) | `1`                |
+| `dockerRegistry`                   | Docker registry used to pull Kubed related images                 | `appscode`         |
+| `imageTags.kubed`                  | Tag of Kubed operator image                                       | `0.5.0`            |
+| `imagePullSecrets`                 | Specify image pull secrets                                        | `nil` (does not add image pull secrets to deployed pods) |
+| `imagePullPolicy`                  | Image pull policy                                                 | `IfNotPresent`     |
+| `criticalAddon`                    | If true, installs kubed operator as critical addon                | `false`            |
+| `logLevel`                         | Log level for kubed                                               | `3`                |
+| `nodeSelector`                     | Node labels for pod assignment                                    | `{}`               |
+| `rbac.create`                      | install required rbac service account, roles and rolebindings     | `false`            |
+| `rbac.serviceAccountName`          | ServiceAccount Kubed will use (ignored if rbac.create=true)       | `default`          |
+| `apiserver.groupPriorityMinimum`   | The minimum priority the group should have.                       | 10000              |
+| `apiserver.versionPriority`        | The ordering of this API inside of the group.                     | 15                 |
+| `apiserver.enableAdmissionWebhook` | Configure apiserver as adission webhooks for Kubed CRDs           | false              |
+| `apiserver.ca`                     | CA certificate used by main Kubernetes api server                 | ``                 |
 
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:

diff --git a/chart/stable/kubed/templates/apiregistration.yaml b/chart/stable/kubed/templates/apiregistration.yaml
@@ -0,0 +1,79 @@
+{{- $ca := genCA "svc-cat-ca" 3650 }}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- $cn := printf "%s-%s" $name .Release.Name | trunc 63 -}}
+{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }}
+{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }}
+{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+  name: v1alpha1.kubed.appscode.com
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    app: "{{ template "kubed.name" . }}"
+    heritage: "{{ .Release.Service }}"
+    release: "{{ .Release.Name }}"
+spec:
+  group: kubed.appscode.com
+  version: v1alpha1
+  service:
+    namespace: {{ .Release.Namespace }}
+    name: {{ template "kubed.fullname" . }}
+  caBundle: {{ b64enc $ca.Cert }}
+  groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }}
+  versionPriority: {{ .Values.apiserver.versionPriority }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kubed.fullname" . }}-apiserver-cert
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    app: "{{ template "kubed.name" . }}"
+    heritage: "{{ .Release.Service }}"
+    release: "{{ .Release.Name }}"
+type: Opaque
+data:
+  tls.crt: {{ b64enc $cert.Cert }}
+  tls.key: {{ b64enc $cert.Key }}
+---
+{{ if .Values.rbac.create }}
+# to read the config for terminating authentication
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: {{ template "kubed.fullname" . }}-apiserver-extension-server-authentication-reader
+  namespace: kube-system
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    app: "{{ template "kubed.name" . }}"
+    heritage: "{{ .Release.Service }}"
+    release: "{{ .Release.Name }}"
+roleRef:
+  kind: Role
+  apiGroup: rbac.authorization.k8s.io
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kubed.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+---
+# to delegate authentication and authorization
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kubed.fullname" . }}-apiserver-auth-delegator
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    app: "{{ template "kubed.name" . }}"
+    heritage: "{{ .Release.Service }}"
+    release: "{{ .Release.Name }}"
+roleRef:
+  kind: ClusterRole
+  apiGroup: rbac.authorization.k8s.io
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: {{ template "kubed.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+{{ end }}
diff --git a/chart/stable/kubed/templates/deployment.yaml b/chart/stable/kubed/templates/deployment.yaml
@@ -9,6 +9,10 @@ metadata:
     release: "{{ .Release.Name }}"
 spec:
   replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: "{{ template "kubed.name" . }}"
+      release: "{{ .Release.Name }}"
   template:
     metadata:
       labels:
@@ -20,41 +24,46 @@ spec:
 {{- end }}
     spec:
       serviceAccountName: {{ if .Values.rbac.create }}{{ template "kubed.fullname" . }}{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 6 }}
+      {{- end }}
       containers:
       - name: kubed
+        image: {{ .Values.dockerRegistry }}/kubed:{{ .Values.imageTags.kubed }}
+        imagePullPolicy: {{ .Values.imagePullPolicy }}
         args:
         - run
         - --v={{ .Values.logLevel }}
-        - --api.address=:8080
-        - --web.address=:56790
-        image: '{{ .Values.kubed.image }}:{{ .Values.kubed.tag }}'
-        imagePullPolicy: {{ .Values.imagePullPolicy }}
-        {{- if .Values.imagePullSecrets }}
-        imagePullSecrets:
-{{ toYaml .Values.imagePullSecrets | indent 8 }}
-        {{- end }}
+        - --secure-port=8443
+        - --audit-log-path=-
+        - --tls-cert-file=/var/serving-cert/tls.crt
+        - --tls-private-key-file=/var/serving-cert/tls.key
+        - --ops-address=:56790
         ports:
-        - containerPort: 8080
-          name: api
-          protocol: TCP
+        - containerPort: 8443
         - containerPort: 56790
-          name: web
-          protocol: TCP
         volumeMounts:
-          - name: config
-            mountPath: /srv/kubed
-          - name: scratch
-            mountPath: /tmp
-      volumes:
         - name: config
-          secret:
-            secretName: {{ template "kubed.fullname" . }}
+          mountPath: /srv/kubed
         - name: scratch
-          emptyDir: {}
+          mountPath: /tmp
+        - mountPath: /var/serving-cert
+          name: serving-cert
+      volumes:
+      - name: config
+        secret:
+          secretName: {{ template "kubed.fullname" . }}
+      - name: scratch
+        emptyDir: {}
+      - name: serving-cert
+        secret:
+          defaultMode: 420
+          secretName: {{ template "kubed.fullname" . }}-apiserver-cert
 {{- if and .Values.criticalAddon (eq .Release.Namespace "kube-system") }}
       tolerations:
-      - key: "CriticalAddonsOnly"
-        operator: "Exists"
+      - key: CriticalAddonsOnly
+        operator: Exists
 {{- end -}}
 {{- if .Values.nodeSelector }}
       nodeSelector:

diff --git a/chart/stable/kubed/values.yaml b/chart/stable/kubed/values.yaml
@@ -1,10 +1,14 @@
-# Default values for kubed.
-# This is a YAML-formatted file.
+##
+## Kubed chart configuration
+##
 # Declare variables to be passed into your templates.
 replicaCount: 1
-kubed:
-  image: appscode/kubed
-  tag: 0.5.0
+# Docker registry containing Voyager & HAProxy images
+dockerRegistry: appscode
+## Tags for Docker images
+imageTags:
+  ## Docker image tag containing Voyager
+  kubed: 0.5.0
 ## Optionally specify an array of imagePullSecrets.
 ## Secrets must be manually created in the namespace.
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
@@ -30,3 +34,17 @@ rbac:
   create: false
   ## Ignored if rbac.create is true
   serviceAccountName: default
+
+apiserver:
+  # groupPriorityMinimum is the minimum priority the group should have. Please see
+  # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64
+  # for more information on proper values of this field.
+  groupPriorityMinimum: 10000
+  # versionPriority is the ordering of this API inside of the group. Please see
+  # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70
+  # for more information on proper values of this field
+  versionPriority: 15
+  # enableAdmissionWebhook is used to configure apiserver as ValidationWebhook for Voyager CRDs
+  enableAdmissionWebhook: false
+  # CA certificate used by main Kubernetes api server
+  ca:
diff --git a/docs/setup/install.md b/docs/setup/install.md
@@ -165,15 +165,39 @@ $ curl -fsSL https://raw.githubusercontent.com/appscode/kubed/0.5.0/hack/deploy/
 
 ## Using Helm
 Kubed can be installed via [Helm](https://helm.sh/) using the [chart](https://github.com/appscode/kubed/tree/0.5.0/chart/stable/kubed) included in this repository. To install the chart with the release name `my-release`:
-```bash
+
+```console
+# Mac OSX amd64:
+curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-darwin-amd64 \
+  && chmod +x onessl \
+  && sudo mv onessl /usr/local/bin/
+
+# Linux amd64:
+curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-linux-amd64 \
+  && chmod +x onessl \
+  && sudo mv onessl /usr/local/bin/
+
+# Linux arm64:
+curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.1.0/onessl-linux-arm64 \
+  && chmod +x onessl \
+  && sudo mv onessl /usr/local/bin/
+
+# Kubernetes 1.8.x
 $ helm repo update
 $ helm install stable/kubed --name my-release
+
+# Kubernetes 1.9.0 or later
+$ helm repo update
+$ helm install stable/kubed --name my-release \
+  --set apiserver.ca="$(onessl get kube-ca)"
 ```
+
 To see the detailed configuration options, visit [here](https://github.com/appscode/kubed/tree/0.5.0/chart/stable/kubed).
 
 
 ## Verify installation
 To check if Kubed operator pods have started, run the following command:
+
 ```console
 $ kubectl get pods --all-namespaces -l app=kubed --watch
 ```

diff --git a/hack/deploy/operator.yaml b/hack/deploy/operator.yaml
@@ -23,16 +23,16 @@ spec:
       imagePullSecrets: [${KUBED_IMAGE_PULL_SECRET}]
       containers:
       - name: operator
-        image: ${KUBED_DOCKER_REGISTRY}/kubed:api
+        image: ${KUBED_DOCKER_REGISTRY}/kubed:0.5.0
         imagePullPolicy: Always
         args:
         - run
+        - --v=3
         - --secure-port=8443
         - --audit-log-path=-
         - --tls-cert-file=/var/serving-cert/tls.crt
         - --tls-private-key-file=/var/serving-cert/tls.key
         - --ops-address=:56790
-        - --v=5
         ports:
         - containerPort: 8443
         - containerPort: 56790