Etcd proxy added to caas-etcd
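{#
Copyright 2019 Nokia

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
#}
---
# Static pod for one etcd member plus a node-local etcd gRPC proxy.
# Rendered once per master node by Ansible: `nodeindex` is the 1-based index
# of this master, `ansible_host` its address, and the peer/client/proxy ports
# come from the `caas` variable tree.
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  hostNetwork: true
  # With hostNetwork the ClusterFirst policy falls back to the host's
  # resolv.conf (ClusterFirstWithHostNet would be needed for cluster DNS);
  # etcd only ever dials the literal IPs rendered below, so this is fine.
  dnsPolicy: ClusterFirst
  securityContext:
    # Deliberately unquoted: runAsUser must render as an integer.
    runAsUser: {{ caas.uid.caas_etcd }}
  containers:
    - name: kube-etcd
      # Quoted so the rendered image name is always read as a plain string.
      image: "{{ container_image_names | select('search', '/etcd') | list | last }}"
      command: ["/usr/bin/etcd"]
      env:
        - name: PORT
          value: "{{ caas.etcd_api_port }}"
        - name: ETCD_NAME
          value: "etcd{{ nodeindex }}"
        - name: ETCD_DATA_DIR
          value: "/var/lib/etcd/etcd{{ nodeindex }}.etcd"
        - name: ETCD_ADVERTISE_CLIENT_URLS
          value: "https://{{ ansible_host }}:{{ caas.etcd_api_port }}"
        - name: ETCD_LISTEN_CLIENT_URLS
          value: "https://{{ ansible_host }}:{{ caas.etcd_api_port }}"
        # Client and peer listeners both require a certificate signed by the
        # CA in /etc/etcd/ssl; this is what makes the proxy below the only
        # unauthenticated path into the member.
        - name: ETCD_CLIENT_CERT_AUTH
          value: "true"
        - name: ETCD_TRUSTED_CA_FILE
          value: "/etc/etcd/ssl/ca.pem"
        - name: ETCD_CERT_FILE
          value: "/etc/etcd/ssl/etcd{{ nodeindex }}.pem"
        - name: ETCD_KEY_FILE
          value: "/etc/etcd/ssl/etcd{{ nodeindex }}-key.pem"
        - name: ETCD_MAX_WALS
          value: "1"
        - name: ETCD_LOG_PACKAGE_LEVELS
          value: "etcdserver=CRITICAL,etcdmain=CRITICAL"
        - name: ETCD_INITIAL_ADVERTISE_PEER_URLS
          value: "https://{{ ansible_host }}:{{ caas.etcd_peer_port }}"
        - name: ETCD_LISTEN_PEER_URLS
          value: "https://{{ ansible_host }}:{{ caas.etcd_peer_port }}"
        - name: ETCD_PEER_CLIENT_CERT_AUTH
          value: "true"
        - name: ETCD_PEER_TRUSTED_CA_FILE
          value: "/etc/etcd/ssl/ca.pem"
        - name: ETCD_PEER_CERT_FILE
          value: "/etc/etcd/ssl/etcd{{ nodeindex }}.pem"
        - name: ETCD_PEER_KEY_FILE
          value: "/etc/etcd/ssl/etcd{{ nodeindex }}-key.pem"
        # Lists members etcd1..etcdN with N = nodeindex, i.e. only the masters
        # bootstrapped before (and including) this one. That is why every node
        # except caas_master1 is started with ETCD_INITIAL_CLUSTER_STATE=existing.
        - name: ETCD_INITIAL_CLUSTER
{% set etcdclusternodes = [] -%}
{%- for nodenumber in range(nodeindex|int) -%}
{%- if etcdclusternodes.append('etcd' + ((nodenumber+1)|string) + '=https://' + (hostvars[groups.caas_master[nodenumber]]['networking']['infra_internal']['ip']|string) + ':' + (caas.etcd_peer_port|string) ) -%}{%- endif -%}
{%- endfor %}
          value: "{{ etcdclusternodes|join(",") }}"
        # `search` is an unanchored regex match, so "caas_master1" also matches
        # caas_master10 and up; only relevant for clusters with ten or more
        # masters -- TODO confirm the naming scheme or anchor the pattern.
{% if not nodename | search("caas_master1") %}
        - name: ETCD_INITIAL_CLUSTER_STATE
          value: "existing"
{% endif %}
        # Not an upstream etcd setting; presumably consumed by the image's
        # entrypoint to pick the bind interface -- verify against the image.
        - name: ETCD_LISTENONINTERFACE
          value: "{{ networking.infra_internal.interface }}"
      resources:
        requests:
          cpu: "60m"
      volumeMounts:
        - name: time-mount
          mountPath: /etc/localtime
          readOnly: true
        - name: store
          mountPath: /var/lib/etcd
        - name: etcd-config
          mountPath: /etcd-config
        - name: secret
          mountPath: /etc/etcd/ssl
          readOnly: true
    - name: kube-etcd-proxy
      image: "{{ container_image_names | select('search', '/etcd') | list | last }}"
{% set etcdproxys = [] -%}
{%- for nodenumber in range(groups['caas_master']|length|int) -%}
{%- if etcdproxys.append('https://' + (hostvars[groups.caas_master[nodenumber]]['networking']['infra_internal']['ip']|string) + ':' + (caas.etcd_api_port|string) ) -%}{%- endif -%}
{%- endfor %}
      command:
        - /usr/bin/etcd
      args:
        - grpc-proxy
        - start
        # Client endpoints of every master, independent of nodeindex.
        - --endpoints={{ etcdproxys|join(',')}}
        - --listen-addr={{ ansible_host }}:{{ caas.etcd_proxy_port }}
        # Registered verbatim (no scheme) under the resolver prefix -- confirm
        # that is what consumers of the resolver expect.
        - --advertise-client-url={{ ansible_host }}:{{ caas.etcd_proxy_port }}
        # Kubernetes hands args to the binary without a shell, so quoting the
        # value here would make the quote characters part of the prefix.
        - --resolver-prefix=___grpc_proxy_endpoint
        - --resolver-ttl=60
        # --cert/--key/--cacert are the credentials the proxy presents to the
        # etcd members: upstream it authenticates as this node. Nothing in this
        # manifest configures TLS or client-certificate checks on the proxy's
        # own --listen-addr, so any process that can reach that port on the
        # host network talks to etcd with this node's identity; keep the port
        # restricted to local/trusted callers and confirm that is intended.
        - --cert=/etc/etcd/ssl/etcd{{ nodeindex }}.pem
        - --key=/etc/etcd/ssl/etcd{{ nodeindex }}-key.pem
        - --cacert=/etc/etcd/ssl/ca.pem
      resources:
        requests:
          cpu: "10m"
      volumeMounts:
        - name: time-mount
          mountPath: /etc/localtime
          readOnly: true
        - name: secret
          mountPath: /etc/etcd/ssl
          readOnly: true
  volumes:
    - name: time-mount
      hostPath:
        path: /etc/localtime
    # Member data lives on the host so it survives pod restarts.
    - name: store
      hostPath:
        path: /var/lib/etcd
    # Mounted at /etcd-config in the member container; nothing in this file
    # writes to it -- presumably used by the entrypoint, verify before removing.
    - name: etcd-config
      emptyDir: {}
    # Node certificate, key and CA; mounted read-only by both containers.
    - name: secret
      hostPath:
        path: /etc/etcd/ssl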