openstack/openstack-helm
Code Issues Proposed changes
openstack-helm/ingress/values.yaml
Phil Sphicas 3a10c5ba95 ingress: Add option to assign VIP as externalIP 
Some CNIs support the advertisement of service IPs into BGP, which may
provide an alternative to managing the VIP as an interface on the host.

This change adds an option to assign the ingress VIP as an externalIP to
the ingress service. For example:

    network:
      vip:
        manage: false
        addr: 172.18.0.1/32           # (with or without subnet mask)
        assign_as_external_ip: true

Change-Id: I1eeb07a1f94ef8efcb21f3373e0d5f86be725b33
2022-03-11 11:48:09 -08:00

330 lines
8.6 KiB
YAML
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for ingress.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
---
deployment:
mode: namespace
type: Deployment
cluster:
class: "nginx-cluster"
images:
tags:
entrypoint: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
ingress: k8s.gcr.io/ingress-nginx/controller:v0.42.0
ingress_module_init: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
ingress_routed_vip: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
error_pages: k8s.gcr.io/defaultbackend:1.4
keepalived: docker.io/osixia/keepalived:1.4.5
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/library/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
pod:
security_context:
error_pages:
pod:
runAsUser: 65534
container:
ingress_error_pages:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
server:
pod:
runAsUser: 65534
container:
ingress_vip_kernel_modules:
capabilities:
add:
- SYS_MODULE
readOnlyRootFilesystem: true
runAsUser: 0
ingress_vip_init:
capabilities:
add:
- NET_ADMIN
readOnlyRootFilesystem: true
runAsUser: 0
ingress:
readOnlyRootFilesystem: false
runAsUser: 101
ingress_vip:
capabilities:
add:
- NET_ADMIN
readOnlyRootFilesystem: true
runAsUser: 0
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
dns_policy: "ClusterFirstWithHostNet"
replicas:
ingress: 1
error_page: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
termination_grace_period:
server:
timeout: 60
error_pages:
timeout: 60
resources:
enabled: false
ingress:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
error_pages:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
labels:
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
error_server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
host_namespace: false
vip:
manage: false
# what type of vip manage machanism will be used
# possible options: routed, keepalived
mode: routed
interface: ingress-vip
addr: 172.18.0.1/32
keepalived_router_id: 100
# Use .network.vip.addr as an external IP for the service
# Useful if the CNI or provider can set up routes, etc.
assign_as_external_ip: false
ingress:
annotations:
# NOTE(portdirect): if left blank this is populated from
# .deployment.cluster.class
kubernetes.io/ingress.class: null
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-Frame-Options: deny";
more_set_headers "X-Permitted-Cross-Domain-Policies: none";
more_set_headers "Content-Security-Policy: script-src 'self'";
external_policy_local: false
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- ingress-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
error_pages:
jobs: null
ingress:
jobs: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
monitoring:
prometheus:
enabled: true
ingress_exporter:
scrape: true
port: 10254
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
ingress:
hosts:
default: ingress
error_pages: ingress-error-pages
host_fqdn_override:
default: null
# NOTE: The values under .endpoints.ingress.host_fqdn_override.public.tls
# will be used for the default SSL certificate.
# See also the .conf.default_ssl_certificate options below.
public:
tls:
crt: ""
key: ""
port:
http:
default: 80
https:
default: 443
healthz:
default: 10254
status:
default: 10246
stream:
default: 10247
profiler:
default: 10245
server:
default: 8181
ingress_exporter:
namespace: null
hosts:
default: ingress-exporter
host_fqdn_override:
default: null
path:
default: null
scheme:
default: 'http'
port:
metrics:
default: 10254
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy:
ingress:
ingress:
- {}
egress:
- {}
secrets:
tls:
ingress:
api:
# .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert"
# NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls
public: default-tls-public
dhparam:
secret_dhparam: |
conf:
controller:
# NOTE(portdirect): if left blank this is populated from
# .deployment.cluster.class in cluster mode, or set to
# "nginx" in namespace mode
INGRESS_CLASS: null
ingress:
enable-underscores-in-headers: "true"
# NOTE(portdirect): if left blank this is populated from
# .network.vip.addr when running in host networking
# and .network.vip.manage=true, otherwise it is left as
# an empty string (the default).
bind-address: null
enable-vts-status: "true"
server-tokens: "false"
ssl-dh-param: openstack/secret-dhparam
# This block sets the --default-ssl-certificate option
# https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
default_ssl_certificate:
# .conf.default_ssl_certificate.enabled=true: use a default certificate
enabled: false
# If referencing an existing TLS secret with the default cert
# .conf.default_ssl_certificate.name="name of the secret"
# (defaults to value of .secrets.tls.ingress.api.public)
# .conf.default_ssl_certificate.namespace="namespace of the secret"
# (optional, defaults to release namespace)
name: ""
namespace: ""
# NOTE: To create a new secret to hold the default certificate, leave the
# above values empty, and specify:
# .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
# .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
# .manifests.secret_ingress_tls=true
services:
tcp: null
udp: null
manifests:
configmap_bin: true
configmap_conf: true
configmap_services_tcp: true
configmap_services_udp: true
deployment_error: true
deployment_ingress: true
endpoints_ingress: true
ingress: true
secret_ingress_tls: false
secret_dhparam: false
service_error: true
service_ingress: true
job_image_repo_sync: true
monitoring:
prometheus:
service_exporter: true
network_policy: false
...
View Git Blame Copy Permalink