Azure
/
helm-charts
зеркало из https://github.com/Azure/helm-charts.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Updating the service-catalog directory (#27) 

To point to the upstream install docs
This commit is contained in:
Aaron Schlesinger 2017-09-26 11:49:39 -07:00 коммит произвёл Kent Rancourt
Родитель a7ddb3c2fe
Коммит 92d2bb647f
10 изменённых файлов: 5 добавлений и 581 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
service-catalog/Chart.yaml
Просмотреть файл

@ -1,3 +0,0 @@
name: catalog
description: service-catalog API server and controller-manager helm chart
version: 0.0.1

95
service-catalog/README.md
Просмотреть файл

@ -6,94 +6,9 @@ Kubernetes-native workflow for integrating with
to provision and bind to application dependencies like databases, object
storage, message-oriented middleware, and more.
For more information, [visit the project on github](https://github.com/kubernetes-incubator/service-catalog).
For more information,
[visit the project on github](https://github.com/kubernetes-incubator/service-catalog).
## Prerequisites
- Kubernetes 1.7+ with Beta APIs enabled
_Note_: If you are using [Minikube](https://github.com/kubernetes/minikube), you may install
Kubernetes 1.7 with this command:
```console
minikube start --kubernetes-version=v1.7.0
```
- [Helm](https://github.com/kubernetes/helm) version 2.5.0+
_Note_: If you have a current helm install and you want to upgrade, download the new
version of the `helm` CLI and run `helm init --upgrade`
## Installing the Chart
To install the chart, first generate TLS files and capture output environment variables:
```console
source ./aggregation-tls-setup.sh
```
Then install with the release name `catalog`:
```bash
helm install . \
--name catalog \
--namespace catalog \
--set apiserver.tls.caFileName=${SC_SERVING_CA} \
--set apiserver.tls.certFileName=${SC_SERVING_CERT} \
--set apiserver.tls.keyFileName=${SC_SERVING_KEY}
```
## Uninstalling the Chart
To uninstall/delete the `catalog` deployment:
```bash
helm delete catalog
kubectl delete apiservice v1alpha1.servicecatalog.k8s.io
```
The command removes all the Kubernetes components associated with the chart and
deletes the release.
## Configuration
The following tables lists the configurable parameters of the Service Catalog
chart and their default values.
| Parameter | Description | Default |
|-----------|-------------|---------|
| `apiserver.image` | apiserver image to use | `quay.io/kubernetes-service-catalog/apiserver:v0.0.12` |
| `apiserver.imagePullPolicy` | `imagePullPolicy` for the apiserver | `Always` |
| `apiserver.insecure` | Whether to expose an insecure endpoint; keep this enabled because there are some outstanding problems with the TLS-secured endpoint | `true` |
| `apiserver.tls.cert` | Base64-encoded x509 certificate | A self-signed certificate |
| `apiserver.tls.key` | Base64-encoded private key | The private key for the certificate above |
| `apiserver.tls.ca` | Base64-encoded CA certificate used to sign the above certificate | |
| `apiserver.tls.requestHeaderCA` | Base64-encoded CA used to validate request-header authentication, when receiving delegated authentication from an aggregator | *none (will disable requestheader authentication)* |
| `apiserver.service.type` | Type of service; valid values are `LoadBalancer` and `NodePort` | `NodePort` |
| `apiserver.service.nodePort.securePort` | If service type is `NodePort`, specifies a port in allowable range (e.g. 30000 - 32767 on minikube); The TLS-enabled endpoint will be exposed here | `30443` |
| `apiserver.service.nodePort.insecurePort` | If service type is `NodePort`, specifies a port in allowable range (e.g. 30000 - 32767 on minikube); The insecure endpoint, if enabled, will be exposed here | `30080` |
| `apiserver.storage.type` | The storage backend to use; valid values are `etcd` and `tpr` | `etcd` |
| `apiserver.storage.etcd.useEmbedded` | If storage type is `etcd`: Whether to embed an etcd container in the apiserver pod; THIS IS INADEQUATE FOR PRODUCTION USE! | `true` |
| `apiserver.storage.etcd.servers` | If storage type is `etcd`: etcd URL(s); override this if NOT using embedded etcd | `http://localhost:2379` |
| `apiserver.storage.tpr.globalNamespace` | If storage type is `tpr`: Some service catalog resources are not namespaced, but third party resources must be; setting this designates a namespace that will be treated as a container for such resources | `servicecatalog` |
| `apiserver.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
| `apiserver.auth.enabled` | Enable authentication and authorization | `false` |
| `controllerManager.image` | controller-manager image to use | `quay.io/kubernetes-service-catalog/controller-manager:v0.0.12` |
| `controllerManager.imagePullPolicy` | `imagePullPolicy` for the controller-manager | `Always` |
| `controllerManager.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
| `controllerManager.resyncInterval` | How often the controller should resync informers; duration format (`20m`, `1h`, etc) | `5m` |
| `controllerManager.brokerRelistInterval` | How often the controller should relist the catalogs of ready brokers; duration format (`20m`, `1h`, etc) | `24h` |
| `useAggregator` | whether or not to set up the controller-manager to go through the main Kubernetes API server's API aggregator (requires setting `apiserver.tls.ca` to work) | `false` |
Specify each parameter using the `--set key=value[,key=value]` argument to
`helm install`.
Alternatively, a YAML file that specifies the values for the parameters can be
provided while installing the chart. For example:
```bash
$ helm install charts/catalog --name catalog --namespace catalog \
--values values.yaml
```
To install, we recommend that you have a Kubernetes 1.7 cluster. When you have
one available, see the
[installation documentation](https://github.com/kubernetes-incubator/service-catalog/blob/master/docs/install-1.7.md).

73
service-catalog/aggregation-tls-setup.sh
Просмотреть файл

@ -1,73 +0,0 @@
#!/bin/bash
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
CUR=$(pwd)
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
echo "Entering $DIR"
cd $DIR
export HELM_NAME=catalog
export SVCCAT_NAMESPACE=catalog
export SVCCAT_SERVICE_NAME=${HELM_NAME}-${SVCCAT_NAMESPACE}-apiserver
export CA_NAME=ca
export ALT_NAMES="\"${SVCCAT_SERVICE_NAME}.${SVCCAT_NAMESPACE}\",\"${SVCCAT_SERVICE_NAME}.${SVCCAT_NAMESPACE}.svc"\"
export SVCCAT_CA_SETUP=svc-cat-ca.json
cat > ${SVCCAT_CA_SETUP} << EOF
{
"hosts": [ ${ALT_NAMES} ],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "san jose",
"O": "kube",
"OU": "WWW",
"ST": "California"
}
]
}
EOF
cfssl genkey --initca ${SVCCAT_CA_SETUP} | cfssljson -bare ${CA_NAME}
# now the files 'ca.csr, ca-key.pem, and ca.pem' exist
export SVCCAT_CA_CERT=${CA_NAME}.pem
export SVCCAT_CA_KEY=${CA_NAME}-key.pem
export PURPOSE=server
echo '{"signing":{"default":{"expiry":"43800h","usages":["signing","key encipherment","'${PURPOSE}'"]}}}' > "${PURPOSE}-ca-config.json"
echo '{"CN":"'${SVCCAT_SERVICE_NAME}'","hosts":['${ALT_NAMES}'],"key":{"algo":"rsa","size":2048}}' \
| cfssl gencert -ca=${SVCCAT_CA_CERT} -ca-key=${SVCCAT_CA_KEY} -config=server-ca-config.json - \
| cfssljson -bare apiserver
export SC_SERVING_CA=${SVCCAT_CA_CERT}
echo "Set SC_SERVING_CA=${SC_SERVING_CA}"
export SC_SERVING_CERT=apiserver.pem
echo "Set SC_SERVING_CERT=${SC_SERVING_CERT}"
export SC_SERVING_KEY=apiserver-key.pem
echo "Set SC_SERVING_KEY=${SC_SERVING_KEY}"
echo "Done"

9
service-catalog/templates/_helpers.tpl
Просмотреть файл

@ -1,9 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "fullname" -}}
{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}

16
service-catalog/templates/apiserver-cert-secret.yaml
Просмотреть файл

@ -1,16 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ template "fullname" . }}-apiserver-cert
labels:
app: {{ template "fullname" . }}-apiserver
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
type: Opaque
data:
tls.crt: {{ (.Files.Get (required "apiserver.tls.certFileName is required" .Values.apiserver.tls.certFileName)) | b64enc }}
tls.key: {{ (.Files.Get (required "apiserver.tls.keyFileName is required" .Values.apiserver.tls.keyFileName)) | b64enc }}
{{- if .Values.apiserver.tls.requestHeaderCA }}
requestheader-ca.crt: {{ .Values.apiserver.tls.requestHeaderCA }}
{{- end }}

157
service-catalog/templates/apiserver-deployment.yaml
Просмотреть файл

@ -1,157 +0,0 @@
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: {{ template "fullname" . }}-apiserver
labels:
app: {{ template "fullname" . }}-apiserver
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
replicas: 1
selector:
matchLabels:
app: {{ template "fullname" . }}-apiserver
template:
metadata:
labels:
app: {{ template "fullname" . }}-apiserver
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
containers:
- name: apiserver
image: {{ .Values.apiserver.image }}
imagePullPolicy: {{ .Values.apiserver.imagePullPolicy }}
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 100m
memory: 30Mi
args:
{{ if .Values.apiserver.audit.activated -}}
- --audit-log-path
- {{ .Values.apiserver.audit.logPath }}
{{- end}}
- --admission-control
- "KubernetesNamespaceLifecycle"
- --secure-port
- "8443"
{{- if .Values.apiserver.insecure }}
- --insecure-bind-address
- 0.0.0.0
- --insecure-port
- "8080"
{{- end }}
- --storage-type
- {{ .Values.apiserver.storage.type }}
{{- if eq .Values.apiserver.storage.type "etcd" }}
- --etcd-servers
- {{ .Values.apiserver.storage.etcd.servers }}
{{- else if eq .Values.apiserver.storage.type "tpr" }}
- --global-namespace
- {{ .Values.apiserver.storage.tpr.globalNamespace }}
{{- end }}
- -v
- "{{ .Values.apiserver.verbosity }}"
{{- if .Values.apiserver.tls.requestHeaderCA }}
- --requestheader-client-ca-file=/var/run/kubernetes-service-catalog/requestheader-ca.crt
{{ else }}
- --authentication-skip-lookup=true
{{- end }}
{{- if not .Values.apiserver.auth.enabled }}
- --disable-auth
{{- end }}
ports:
{{- if .Values.apiserver.insecure }}
- containerPort: 8080
{{- end }}
- containerPort: 8443
volumeMounts:
- name: apiserver-cert
mountPath: /var/run/kubernetes-service-catalog
readOnly: true
readinessProbe:
httpGet:
port: 8443
path: /healthz
scheme: HTTPS
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
httpGet:
port: 8443
path: /healthz
scheme: HTTPS
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
{{- if and (eq .Values.apiserver.storage.type "etcd") .Values.apiserver.storage.etcd.useEmbedded }}
- name: etcd
image: quay.io/coreos/etcd:latest
imagePullPolicy: Always
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 100m
memory: 30Mi
env:
- name: ETCD_DATA_DIR
value: /etcd-data-dir
command:
- /usr/local/bin/etcd
- --listen-client-urls
- http://0.0.0.0:2379
- --advertise-client-urls
- http://localhost:2379
ports:
- containerPort: 2379
volumeMounts:
- name: etcd-data-dir
mountPath: /etcd-data-dir
readinessProbe:
httpGet:
port: 2379
path: /health
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
httpGet:
port: 2379
path: /health
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
{{- end }}
volumes:
- name: apiserver-cert
secret:
secretName: {{ template "fullname" . }}-apiserver-cert
items:
- key: tls.crt
path: apiserver.crt
- key: tls.key
path: apiserver.key
{{- if .Values.apiserver.tls.requestHeaderCA }}
- key: requestheader-ca.crt
path: requestheader-ca.crt
{{- end }}
{{- if eq .Values.apiserver.storage.type "etcd" }}
- name: etcd-data-dir
emptyDir: {}
{{- end }}

30
service-catalog/templates/apiserver-service.yaml
Просмотреть файл

@ -1,30 +0,0 @@
kind: Service
apiVersion: v1
metadata:
name: {{ template "fullname" . }}-apiserver
labels:
app: {{ template "fullname" . }}-apiserver
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
type: {{ .Values.apiserver.service.type }}
selector:
app: {{ template "fullname" . }}-apiserver
ports:
{{- if .Values.apiserver.insecure }}
- name: insecure
protocol: TCP
port: 80
targetPort: 8080
{{- if eq .Values.apiserver.service.type "NodePort" }}
nodePort: {{ .Values.apiserver.service.nodePort.insecurePort }}
{{- end }}
{{- end }}
- name: secure
protocol: TCP
port: 443
targetPort: 8443
{{- if eq .Values.apiserver.service.type "NodePort" }}
nodePort: {{ .Values.apiserver.service.nodePort.securePort }}
{{- end }}

14
service-catalog/templates/apiservice.yaml
Просмотреть файл

@ -1,14 +0,0 @@
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1alpha1.servicecatalog.k8s.io
spec:
group: servicecatalog.k8s.io
version: v1alpha1
service:
namespace: {{ .Release.Namespace }}
name: {{ template "fullname" . }}-apiserver
caBundle: {{ (.Files.Get (required "apiserver.tls.caFileName is required" .Values.apiserver.tls.caFileName)) | b64enc }}
priority: 100
groupPriorityMinimum: 10000
versionPriority: 20

97
service-catalog/templates/controller-manager-deployment.yaml
Просмотреть файл

@ -1,97 +0,0 @@
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: {{ template "fullname" . }}-controller-manager
labels:
app: {{ template "fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
replicas: 1
selector:
matchLabels:
app: {{ template "fullname" . }}-controller-manager
template:
metadata:
labels:
app: {{ template "fullname" . }}-controller-manager
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
containers:
- name: controller-manager
image: {{ .Values.controllerManager.image }}
imagePullPolicy: {{ .Values.controllerManager.imagePullPolicy }}
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 100m
memory: 30Mi
env:
- name: K8S_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
args:
- --port
- "8080"
{{ if .Values.controllerManager.leaderElectionNamespace.activated -}}
- "--leader-election-namespace=$(K8S_NAMESPACE)"
{{- end }}
{{ if .Values.controllerManager.profiling.disabled -}}
- "--profiling=false"
{{- end}}
{{ if .Values.controllerManager.profiling.contentionProfiling -}}
- "--contention-profiling=true"
{{- end}}
{{- if not .Values.useAggregator }}
- --service-catalog-api-server-url
{{- if .Values.apiserver.insecure }}
- http://{{ template "fullname" . }}-apiserver
{{- else }}
- https://{{ template "fullname" . }}-apiserver
{{- end }}
{{- end }}
- -v
- "{{ .Values.controllerManager.verbosity }}"
- --resync-interval
- {{ .Values.controllerManager.resyncInterval }}
{{ if .Values.controllerManager.brokerRelistIntervalActivated -}}
- --broker-relist-interval
- {{ .Values.controllerManager.brokerRelistInterval }}
{{- end }}
ports:
- containerPort: 8080
volumeMounts:
- name: service-catalog-cert
mountPath: /etc/service-catalog-ssl
readOnly: true
readinessProbe:
httpGet:
port: 8080
path: /healthz
failureThreshold: 1
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
httpGet:
port: 8080
path: /healthz
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
volumes:
- name: service-catalog-cert
secret:
secretName: {{ template "fullname" . }}-apiserver-cert
items:
- key: tls.crt
path: apiserver.crt

92
service-catalog/values.yaml
Просмотреть файл

@ -1,92 +0,0 @@
# Default values for Service Catalog
apiserver:
# apiserver image to use
image: quay.io/kubernetes-service-catalog/apiserver:v0.0.12
# imagePullPolicy for the apiserver; valid values are "IfNotPresent",
# "Never", and "Always"
imagePullPolicy: Always
# Whether to expose an insecure endpoint; keep this enabled because there
# are some outstanding problems with the TLS-secured endpoint
insecure: true
tls:
# The name of the file that contains the certificate authority for the APIService object to
# register the Service Catalog API with the API aggregator in the APIRegistration object.
# This field is required if apiserver.auth.enabled is true.
caFileName:
# The name of the file that contains the x509 certificate for use in the aforementioned
# APIService object. This field is required if apiserver.auth.enabled is true.
certFileName:
# The name of the file that contains the private key for use in the aforementioned APIService
# object. This field is required if apiserver.auth.enabled is true.
# Base64-encoded private key
keyFileName:
# The name of the file that contains the CA to authenticate connections from API server
# proxies. This field is not required. If it is not set, the service-catalog API server
# will be started with the --authentication-skip-lookup flag, which will disable the auth checks
# from the API server proxies as well as client cert authentication.
requestHeaderCA:
# Attributes of the apiserver's service resource
service:
# Type of service; valid values are "LoadBalancer" and "NodePort"
# NodePort is useful if deploying on bare metal or hacking locally on
# minikube
type: NodePort
# Further configuration for services of type NodePort
nodePort:
# Available port in allowable range (e.g. 30000 - 32767 on minikube)
# The TLS-enabled endpoint will be exposed here
securePort: 30443
# Available port in allowable range (e.g. 30000 - 32767 on minikube)
# The insecure endpoint, if enabled, will be exposed here
insecurePort: 30080
storage:
# The storage backend to use; valid values are "etcd" and "tpr"
type: etcd
# Further configuration for the etcd-based backend
etcd:
# Whether to embed an etcd container in the apiserver pod
# THIS IS INADEQUATE FOR PRODUCTION USE!
useEmbedded: true
# etcd URL(s); override this if NOT using embedded etcd
servers: http://localhost:2379
tpr:
# Some service catalog resources are not namespaced, but third party
# resources must be; setting this designates a namespace that will be
# treated as a container for such resources
globalNamespace: servicecatalog
# Log level; valid values are in the range 0 - 10
verbosity: 10
auth:
# Enable or disable authentication and authorization. Disabling authentication
# and authorization can be useful for quickly getting the walkthrough up and running,
# but is not suitable for production.
enabled: true
audit:
# If true, enables the use of audit features via this chart.
activated: false
# If specified, audit log goes to specified path.
logPath: "/tmp/service-catalog-apiserver-audit.log"
controllerManager:
# controller-manager image to use
image: quay.io/kubernetes-service-catalog/controller-manager:v0.0.12
# imagePullPolicy for the controller-manager; valid values are
# "IfNotPresent", "Never", and "Always"
imagePullPolicy: Always
# Log level; valid values are in the range 0 - 10
verbosity: 10
# Resync interval; format is a duration (`20m`, `1h`, etc)
resyncInterval: 5m
# Broker relist interval; format is a duration (`20m`, `1h`, etc)
brokerRelistInterval: 24h
# Whether or not the controller supports a --broker-relist-interval flag. If this is
# set to true, brokerRelistInterval will be used as the value for that flag
brokerRelistIntervalActivated: true
# enables profiling via web interface host:port/debug/pprof/
profiling:
# Disable profiling via web interface host:port/debug/pprof/
disabled: false
# Enables lock contention profiling, if profiling is enabled.
contentionProfiling: false
leaderElectionNamespace:
# Whether the controller has option to set leader election namespace.
activated: false