diff --git a/chart/etcd-backup-restore/templates/etcd-ca-secret.yaml b/chart/etcd-backup-restore/templates/etcd-ca-secret.yaml index 245c80d05..2ea7cb812 100644 --- a/chart/etcd-backup-restore/templates/etcd-ca-secret.yaml +++ b/chart/etcd-backup-restore/templates/etcd-ca-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.etcdTLS }} +{{- if .Values.tls.etcd }} apiVersion: v1 kind: Secret metadata: @@ -10,5 +10,5 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} type: Opaque data: - bundle.crt: {{ .Values.etcdTLS.caBundle | b64enc }} + bundle.crt: {{ .Values.tls.etcd.ca | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/etcd-client-service.yaml b/chart/etcd-backup-restore/templates/etcd-client-service.yaml index 90f2f9544..05b5a858d 100644 --- a/chart/etcd-backup-restore/templates/etcd-client-service.yaml +++ b/chart/etcd-backup-restore/templates/etcd-client-service.yaml @@ -16,13 +16,13 @@ spec: ports: - name: client protocol: TCP - port: {{ .Values.servicePorts.client }} - targetPort: {{ .Values.servicePorts.client }} - - name: server + port: {{ .Values.servicePorts.etcd.client }} + targetPort: {{ .Values.servicePorts.etcd.client }} + - name: peer protocol: TCP - port: {{ .Values.servicePorts.server }} - targetPort: {{ .Values.servicePorts.server }} + port: {{ .Values.servicePorts.etcd.peer }} + targetPort: {{ .Values.servicePorts.etcd.peer }} - name: backuprestore protocol: TCP - port: {{ .Values.servicePorts.backupRestore }} - targetPort: {{ .Values.servicePorts.backupRestore }} \ No newline at end of file + port: {{ .Values.servicePorts.etcdBackupRestore.server }} + targetPort: {{ .Values.servicePorts.etcdBackupRestore.server }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/etcd-client-tls-secret.yaml b/chart/etcd-backup-restore/templates/etcd-client-tls-secret.yaml index b7d3b74f5..024b10089 100644 --- a/chart/etcd-backup-restore/templates/etcd-client-tls-secret.yaml 
+++ b/chart/etcd-backup-restore/templates/etcd-client-tls-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.etcdTLS }} +{{- if .Values.tls.etcd }} apiVersion: v1 kind: Secret metadata: @@ -10,6 +10,6 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} type: kubernetes.io/tls data: - tls.crt: {{ .Values.etcdTLS.clientTLS.crt | b64enc }} - tls.key: {{ .Values.etcdTLS.clientTLS.key | b64enc }} + tls.crt: {{ .Values.tls.etcd.client.crt | b64enc }} + tls.key: {{ .Values.tls.etcd.client.key | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/etcd-configmap.yaml b/chart/etcd-backup-restore/templates/etcd-configmap.yaml index 95da7aa2e..5b2c03661 100644 --- a/chart/etcd-backup-restore/templates/etcd-configmap.yaml +++ b/chart/etcd-backup-restore/templates/etcd-configmap.yaml @@ -10,6 +10,21 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} data: etcd.conf.yaml: |- + {{- $replicas := int .Values.replicas }} + # precompute the peer scheme based on whether or not the peer is tls enabled + {{- $peerScheme := "http" }} + {{- if .Values.tls.etcd.peer }} + {{- $peerScheme = "https" }} + {{- end }} + # store the root context for later use + {{- $root := . }} + # store the cluster entries in a list to be used for the initial-cluster configuration + {{- $clusterEntries := list }} + {{- range $i := until $replicas }} + {{- $entry := printf "%s-etcd-%d=%s://%s-etcd-%d.%s-etcd-peer.%s.svc:%d" $root.Release.Name $i $peerScheme $root.Release.Name $i $root.Release.Name $root.Release.Namespace (int $root.Values.servicePorts.etcd.peer) }} + {{- $clusterEntries = append $clusterEntries $entry }} + {{- end }} + # Human-readable name for this member. name: {{ .Release.Name }}-etcd 
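Review bot: `$peerScheme` silently falls back to `http` whenever `tls.etcd.peer` is unset, so a release that enables client TLS through `tls.etcd` but sets `replicas` above 1 replicates the whole keyspace between members in plaintext on the peer port, with nothing flagging it at render time. Since the scheme is computed right here with `.` still bound to the root context, the mismatch can be rejected where it arises: `{{- if and (gt $replicas 1) .Values.tls.etcd (not .Values.tls.etcd.peer) }}{{- fail "tls.etcd.peer must be set when replicas > 1 and tls.etcd is enabled" }}{{- end }}`. If an unencrypted multi-member cluster is an intended development mode, a comment next to the `$peerScheme` computation saying so would be enough instead.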
@@ -31,25 +46,29 @@ data: {{- end }} # List of comma separated URLs to listen on for client traffic. - listen-client-urls: {{ if .Values.etcdTLS }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.client }} + listen-client-urls: {{ if .Values.tls.etcd }}https{{ else }}http{{ end }}://0.0.0.0:{{ .Values.servicePorts.etcd.client }} # List of comma separated URLs to listen on for peer traffic. - listen-peer-urls: http://0.0.0.0:{{ .Values.servicePorts.server }} + listen-peer-urls: {{ $peerScheme }}://0.0.0.0:{{ .Values.servicePorts.etcd.peer }} # List of each member's client URLs to advertise to the public. # Each member should include it's client URLs under the member name. advertise-client-urls: - {{ .Release.Name }}-etcd-0: - - {{ if .Values.etcdTLS }}https{{ else }}http{{ end }}://{{ .Release.Name }}-etcd-0.{{ .Release.Name }}-etcd-peer.{{ .Release.Namespace }}.svc:{{ .Values.servicePorts.client }} + {{- range $i := until $replicas }} + {{ $root.Release.Name }}-etcd-{{ $i }}: + - {{ if $root.Values.tls.etcd }}https{{ else }}http{{ end }}://{{ $root.Release.Name }}-etcd-{{ $i }}.{{ $root.Release.Name }}-etcd-peer.{{ $root.Release.Namespace }}.svc:{{ $root.Values.servicePorts.etcd.client }} + {{- end }} # List of each member's peer URLs to advertise to the public # Each member should include it's peer URLs under the member name. 
initial-advertise-peer-urls: - {{ .Release.Name }}-etcd-0: - - http://{{ .Release.Name }}-etcd-0.{{ .Release.Name }}-etcd-peer.{{ .Release.Namespace }}.svc:{{ .Values.servicePorts.server }} + {{- range $i := until $replicas }} + {{ $root.Release.Name }}-etcd-{{ $i }}: + - {{ $peerScheme }}://{{ $root.Release.Name }}-etcd-{{ $i }}.{{ $root.Release.Name }}-etcd-peer.{{ $root.Release.Namespace }}.svc:{{ $root.Values.servicePorts.etcd.peer }} + {{- end }} # List of server endpoints with which this cluster should be started - initial-cluster: {{ .Release.Name }}-etcd-0=http://{{ .Release.Name }}-etcd-0.{{ .Release.Name }}-etcd-peer.{{ .Release.Namespace }}.svc:{{ .Values.servicePorts.server }} + initial-cluster: {{ join "," $clusterEntries }} # Initial cluster token for the etcd cluster during bootstrap. initial-cluster-token: 'etcd-cluster' @@ -69,7 +88,7 @@ data: {{- end }} {{- end }} -{{- if .Values.etcdTLS }} +{{- if .Values.tls.etcd }} client-transport-security: # Path to the etcd server TLS cert file. cert-file: /var/etcd/ssl/server/tls.crt @@ -84,4 +103,20 @@ data: trusted-ca-file: /var/etcd/ssl/ca/bundle.crt auto-tls: false + {{- if .Values.tls.etcd.peer }} + peer-transport-security: + # Path to the etcd peer server TLS cert file. + cert-file: /var/etcd/ssl/peer/server/tls.crt + + # Path to the etcd peer server TLS key file. + key-file: /var/etcd/ssl/peer/server/tls.key + + # Enable peer client cert authentication. + client-cert-auth: true + + # Path to the etcd peer server TLS trusted CA cert file. + trusted-ca-file: /var/etcd/ssl/peer/ca/bundle.crt + + auto-tls: false + {{- end }} {{- end }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/etcd-peer-ca-secret.yaml b/chart/etcd-backup-restore/templates/etcd-peer-ca-secret.yaml new file mode 100644 index 000000000..225f50687 --- /dev/null +++ b/chart/etcd-backup-restore/templates/etcd-peer-ca-secret.yaml 
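Review bot: The client scheme is still recomputed inline in the new `advertise-client-urls` loop (`{{ if $root.Values.tls.etcd }}https{{ else }}http{{ end }}`) and again in `listen-client-urls`, while the peer side got a precomputed `$peerScheme`; computing `{{- $clientScheme := "http" }}{{- if .Values.tls.etcd }}{{- $clientScheme = "https" }}{{- end }}` next to `$peerScheme` and using `{{ $clientScheme }}://` in both places keeps the two schemes readable side by side. The generated `initial-cluster` is derived only from `replicas` at render time, so changing `replicas` on an existing release re-renders the list but does not by itself add or remove etcd members — presumably the wrapper or backup-restore sidecar drives membership changes; a one-line comment above `initial-cluster` stating which component owns that would help the next reader. The `data` block continues outside this hunk.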
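Review bot: With `client-cert-auth: true` under `peer-transport-security`, each member also presents `/var/etcd/ssl/peer/server/tls.crt` as its client certificate when it dials the other members, and every replica mounts the same `<release>-etcd-peer-server-tls` Secret, so that one certificate must carry both serverAuth and clientAuth extended key usages and SANs for every `<release>-etcd-<i>.<release>-etcd-peer.<ns>.svc` name the `initial-cluster` loop generates, or members fail to join each other. Neither the template nor values.yaml says this; a comment above `cert-file` such as `# used for both incoming and outgoing peer connections: needs serverAuth+clientAuth EKUs and SANs for all <release>-etcd-<i> peer hostnames` would prevent a hard-to-diagnose bootstrap failure. The peer block also sits inside `{{- if .Values.tls.etcd }}`, so peer TLS cannot be enabled without client TLS; if that coupling is intentional it is worth stating in values.yaml.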
@@ -0,0 +1,14 @@ +{{- if .Values.tls.etcd.peer }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-etcd-peer-ca + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: etcd + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +type: Opaque +data: + bundle.crt: {{ .Values.tls.etcd.peer.ca | b64enc }} +{{- end }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/etcd-peer-server-tls-secret.yaml b/chart/etcd-backup-restore/templates/etcd-peer-server-tls-secret.yaml new file mode 100644 index 000000000..8acfacd38 --- /dev/null +++ b/chart/etcd-backup-restore/templates/etcd-peer-server-tls-secret.yaml @@ -0,0 +1,15 @@ +{{- if .Values.tls.etcd.peer }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-etcd-peer-server-tls + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: etcd + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.tls.etcd.peer.server.crt | b64enc }} + tls.key: {{ .Values.tls.etcd.peer.server.key | b64enc }} +{{- end }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/etcd-peer-service.yaml b/chart/etcd-backup-restore/templates/etcd-peer-service.yaml index 6b4409fc5..7e59f6244 100644 --- a/chart/etcd-backup-restore/templates/etcd-peer-service.yaml +++ b/chart/etcd-backup-restore/templates/etcd-peer-service.yaml @@ -22,5 +22,5 @@ spec: ports: - name: peer protocol: TCP - port: {{ .Values.servicePorts.server }} - targetPort: {{ .Values.servicePorts.server }} \ No newline at end of file + port: {{ .Values.servicePorts.etcd.peer }} + targetPort: {{ .Values.servicePorts.etcd.peer }} \ No newline at end of file 
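Review bot: `{{ .Values.tls.etcd.peer.server.crt | b64enc }}` gives at best an opaque template error when `tls.etcd.peer` is set but `server` or one of its fields is missing; `required` names the missing value: `tls.crt: {{ required "tls.etcd.peer.server.crt is required when tls.etcd.peer is set" .Values.tls.etcd.peer.server.crt | b64enc }}` and likewise for `tls.key` (and for `bundle.crt` in the sibling `etcd-peer-ca` Secret added by this commit). Separately, because the private key arrives through chart values it is also copied into the Helm release record that stores the rendered manifest and into `helm get values` output; an `existingSecret`-style option referencing a Secret created out of band would keep key material out of the release history.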
diff --git a/chart/etcd-backup-restore/templates/etcd-server-tls-secret.yaml b/chart/etcd-backup-restore/templates/etcd-server-tls-secret.yaml index acadcca27..e095a7868 100644 --- a/chart/etcd-backup-restore/templates/etcd-server-tls-secret.yaml +++ b/chart/etcd-backup-restore/templates/etcd-server-tls-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.etcdTLS }} +{{- if .Values.tls.etcd }} apiVersion: v1 kind: Secret metadata: @@ -10,6 +10,6 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} type: kubernetes.io/tls data: - tls.crt: {{ .Values.etcdTLS.serverTLS.crt | b64enc }} - tls.key: {{ .Values.etcdTLS.serverTLS.key | b64enc }} + tls.crt: {{ .Values.tls.etcd.server.crt | b64enc }} + tls.key: {{ .Values.tls.etcd.server.key | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/etcd-statefulset.yaml b/chart/etcd-backup-restore/templates/etcd-statefulset.yaml index af8a4ff43..ce9d1fcd3 100644 --- a/chart/etcd-backup-restore/templates/etcd-statefulset.yaml +++ b/chart/etcd-backup-restore/templates/etcd-statefulset.yaml @@ -11,7 +11,8 @@ spec: updateStrategy: type: RollingUpdate serviceName: {{ .Release.Name }}-etcd-peer - replicas: 1 + replicas: {{ (int .Values.replicas) }} + podManagementPolicy: Parallel selector: matchLabels: app.kubernetes.io/name: etcd @@ -36,8 +37,8 @@ spec: - -c - -- name: change-backup-bucket-permissions - image: {{ .Values.images.initContainer.repository }}:{{ .Values.images.initContainer.tag }} - imagePullPolicy: {{ .Values.images.initContainer.pullPolicy }} + image: {{ .Values.images.changeBackupBucketPermissions.repository }}:{{ .Values.images.changeBackupBucketPermissions.tag }} + imagePullPolicy: {{ .Values.images.changeBackupBucketPermissions.pullPolicy }} volumeMounts: - name: local-backup mountPath: /home/nonroot/{{ .Values.backup.storageContainer}} 
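Review bot: `replicas: {{ (int .Values.replicas) }}` accepts any count, but an etcd cluster only gains fault tolerance with an odd member count (two members tolerate zero failures, exactly like one, while losing either stalls the cluster), and the configmap builds `initial-cluster` from this same number; a render-time guard next to this line, `{{- if eq (mod (int .Values.replicas) 2) 0 }}{{- fail "replicas must be an odd number for an etcd cluster" }}{{- end }}`, turns a quorum misconfiguration into an install error. `podManagementPolicy: Parallel` is the right choice here because every member's static `initial-cluster` lists all peers and bootstrap needs them up together, but that reasoning is invisible to a reader; a comment `# Parallel: all members must start together for the static initial-cluster bootstrap to reach quorum` captures it. The StatefulSet spec continues outside this hunk.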
@@ -49,36 +50,43 @@ spec: containers: - args: - start-etcd - - --backup-restore-host-port=localhost:{{ .Values.servicePorts.backupRestore }} - - --etcd-server-name=localhost -{{- if .Values.etcdTLS }} + - --backup-restore-host-port={{ .Release.Name }}-etcd-local:{{ .Values.servicePorts.etcdBackupRestore.server }} + - --etcd-server-name={{ .Release.Name }}-etcd-local +{{- if .Values.tls.etcdBackupRestore }} - --backup-restore-tls-enabled=true - --backup-restore-ca-cert-bundle-path=/var/etcdbr/ssl/ca/bundle.crt - - --etcd-client-cert-path=/var/etcd/ssl/client/tls.crt - - --etcd-client-key-path=/var/etcd/ssl/client/tls.key {{- else }} - --backup-restore-tls-enabled=false +{{- end }} +{{- if .Values.tls.etcd }} + - --etcd-client-cert-path=/var/etcd/ssl/client/tls.crt + - --etcd-client-key-path=/var/etcd/ssl/client/tls.key {{- end }} name: etcd - image: {{ .Values.images.etcd.repository }}:{{ .Values.images.etcd.tag }} - imagePullPolicy: {{ .Values.images.etcd.pullPolicy }} + image: {{ .Values.images.etcdWrapper.repository }}:{{ .Values.images.etcdWrapper.tag }} + imagePullPolicy: {{ .Values.images.etcdWrapper.pullPolicy }} readinessProbe: httpGet: -{{- if .Values.backupRestoreTLS }} +{{- if .Values.tls.etcdBackupRestore }} scheme: HTTPS {{- else }} scheme: HTTP {{- end }} +{{- if eq (int .Values.replicas) 1 }} path: /healthz - port: {{ .Values.servicePorts.backupRestore }} + port: {{ .Values.servicePorts.etcdBackupRestore.server }} +{{- else }} + path: /readyz + port: {{ .Values.servicePorts.etcdWrapper.server }} +{{- end }} initialDelaySeconds: 15 periodSeconds: 5 failureThreshold: 5 ports: - - containerPort: {{ .Values.servicePorts.server }} - name: server + - containerPort: {{ .Values.servicePorts.etcd.peer }} + name: peer protocol: TCP - - containerPort: {{ .Values.servicePorts.client }} + - containerPort: {{ .Values.servicePorts.etcd.client }} name: client protocol: TCP resources: 
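Review bot: The readiness probe `scheme` is selected by `tls.etcdBackupRestore` for both branches, but for `replicas > 1` the probe now targets `/readyz` on the etcd-wrapper port (`servicePorts.etcdWrapper.server`), not the backup-restore server, so if the wrapper serves that endpoint over plain HTTP the probe is sent HTTPS and never succeeds (and the reverse mismatch happens when backup-restore TLS is off); the scheme should follow the endpoint actually probed, i.e. move the scheme selection inside the `eq (int .Values.replicas) 1` branches and drive the `/readyz` branch from the wrapper's own TLS setting — whether the wrapper serves TLS on that port is not visible here and should be confirmed. `--etcd-server-name={{ .Release.Name }}-etcd-local` also fixes the name the wrapper verifies in the etcd server certificate, so `tls.etcd.server` must carry `<release>-etcd-local` as a SAN in addition to the `.svc` names advertised in the configmap; a comment on the `--etcd-server-name` line and in values.yaml would save operators an x509 hostname error. The container spec continues outside this hunk.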
@@ -86,15 +94,21 @@ spec: volumeMounts: - name: {{ .Release.Name }}-etcd mountPath: /var/etcd/data/ -{{- if .Values.etcdTLS }} +{{- if .Values.tls.etcd }} - name: etcd-ca mountPath: /var/etcd/ssl/ca - name: etcd-server-tls mountPath: /var/etcd/ssl/server - name: etcd-client-tls mountPath: /var/etcd/ssl/client + {{ if .Values.tls.etcd.peer }} + - name: etcd-peer-ca + mountPath: /var/etcd/ssl/peer/ca + - name: etcd-peer-server-tls + mountPath: /var/etcd/ssl/peer/server + {{- end }} {{- end }} -{{- if .Values.backupRestoreTLS }} +{{- if .Values.tls.etcdBackupRestore }} - name: backup-restore-ca mountPath: /var/etcdbr/ssl/ca {{- end }} @@ -141,19 +155,19 @@ spec: {{- end }} {{- end }} # Client and Backup TLS command line flags -{{- if .Values.etcdTLS }} +{{- if .Values.tls.etcd }} - --cacert=/var/etcd/ssl/ca/bundle.crt - --cert=/var/etcd/ssl/client/tls.crt - --key=/var/etcd/ssl/client/tls.key - --insecure-transport=false - --insecure-skip-tls-verify=false - - --endpoints=https://{{ .Release.Name }}-etcd-0:{{ .Values.servicePorts.client }} + - --endpoints=https://{{ .Release.Name }}-etcd-local:{{ .Values.servicePorts.etcd.client }} {{ else }} - --insecure-transport=true - --insecure-skip-tls-verify=true - - --endpoints=http://{{ .Release.Name }}-etcd-0:{{ .Values.servicePorts.client }} + - --endpoints=http://{{ .Release.Name }}-etcd-local:{{ .Values.servicePorts.etcd.client }} {{- end }} -{{- if .Values.backupRestoreTLS }} +{{- if .Values.tls.etcdBackupRestore }} - --server-cert=/var/etcdbr/ssl/server/tls.crt - --server-key=/var/etcdbr/ssl/server/tls.key {{- end }} 
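Review bot: The new `{{ if .Values.tls.etcd.peer }}` opener under `volumeMounts` omits the `-` whitespace trim that every neighbouring directive in this file uses (`{{- if .Values.tls.etcd }}`, `{{- end }}`), so it leaves a whitespace-only line in the rendered manifest; write it as `{{- if .Values.tls.etcd.peer }}` for consistency, and the same for the matching opener in the `volumes` hunk of this file. Harmless to YAML, but it makes `helm template` diffs noisier than they need to be. The containers list continues outside this hunk.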
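Review bot: With `--insecure-skip-tls-verify=false` the backup-restore sidecar now verifies the etcd server certificate against the host name `{{ .Release.Name }}-etcd-local` (mapped to 127.0.0.1 via the pod's `hostAliases`), whereas the configmap advertises the `.svc` peer-DNS names, so the certificate supplied in `tls.etcd.server` must include `<release>-etcd-local` as a SAN or every snapshot and restore call fails the TLS handshake. That requirement is documented nowhere in the chart; a comment above `--endpoints`, `# the etcd server cert must carry <release>-etcd-local (see hostAliases) as a SAN`, plus a matching note in values.yaml, would save operators a confusing x509 error. In the plaintext branch `--insecure-skip-tls-verify=true` is effectively a no-op alongside `--insecure-transport=true`; fine to keep, but a comment noting it is deliberate would stop someone "fixing" it. The args list continues outside this hunk.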
@@ -173,14 +187,17 @@ spec: image: {{ .Values.images.etcdBackupRestore.repository }}:{{ .Values.images.etcdBackupRestore.tag }} imagePullPolicy: {{ .Values.images.etcdBackupRestore.pullPolicy }} ports: - - containerPort: {{ .Values.servicePorts.backupRestore }} + - containerPort: {{ .Values.servicePorts.etcdBackupRestore.server }} name: server protocol: TCP resources: {{ toYaml .Values.resources.backup | indent 10 }} env: - name: "POD_NAME" - value: {{ .Release.Name }}-etcd-0 + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name - name: "POD_NAMESPACE" value: {{ .Release.Namespace }} - name: STORAGE_CONTAINER @@ -248,13 +265,13 @@ spec: mountPath: /var/etcd/data/ - name: etcd-config-file mountPath: /var/etcd/config/ -{{- if .Values.etcdTLS }} +{{- if .Values.tls.etcd }} - name: etcd-ca mountPath: /var/etcd/ssl/ca - name: etcd-client-tls mountPath: /var/etcd/ssl/client {{- end }} -{{- if .Values.backupRestoreTLS }} +{{- if .Values.tls.etcdBackupRestore }} - name: backup-restore-server-tls mountPath: /var/etcdbr/ssl/server {{- end }} @@ -276,6 +293,11 @@ spec: runAsUser: 65532 fsGroup: 65532 shareProcessNamespace: true + hostAliases: + - hostnames: + - {{ .Release.Name }}-etcd-local + ip: 127.0.0.1 + serviceAccountName: {{ .Release.Name }}-etcd volumes: - name: etcd-config-file configMap: @@ -284,7 +306,7 @@ spec: items: - key: etcd.conf.yaml path: etcd.conf.yaml -{{- if .Values.etcdTLS }} +{{- if .Values.tls.etcd }} - name: etcd-ca secret: secretName: {{ .Release.Name }}-etcd-ca 
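Review bot: Setting `serviceAccountName` at the pod level mounts the service-account token into every container, including the alpine `change-backup-bucket-permissions` init container and the etcd container, while presumably only the backup-restore sidecar needs the new StatefulSet/Pod permissions; together with `shareProcessNamespace: true`, a compromise of any container yields a token that can `patch` the StatefulSet. Consider `automountServiceAccountToken: false` on the pod spec plus a projected `serviceAccountToken` volume mounted only into the container that talks to the API server (which container that is should be confirmed against the wrapper and backup-restore code). The `hostAliases` entry mapping `<release>-etcd-local` to `127.0.0.1` also deserves a one-line comment, e.g. `# stable local name for the sidecar/wrapper to reach this member; must appear as a SAN in the etcd server cert`, so the name is not removed as dead config later.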
@@ -294,8 +316,16 @@ spec: - name: etcd-client-tls secret: secretName: {{ .Release.Name }}-etcd-client-tls + {{ if .Values.tls.etcd.peer }} + - name: etcd-peer-ca + secret: + secretName: {{ .Release.Name }}-etcd-peer-ca + - name: etcd-peer-server-tls + secret: + secretName: {{ .Release.Name }}-etcd-peer-server-tls + {{- end }} {{- end }} -{{- if .Values.backupRestoreTLS }} +{{- if .Values.tls.etcdBackupRestore }} - name: backup-restore-ca secret: secretName: {{ .Release.Name }}-etcdbr-ca diff --git a/chart/etcd-backup-restore/templates/etcdbr-ca-secret.yaml b/chart/etcd-backup-restore/templates/etcdbr-ca-secret.yaml index 90b9482d2..eaba6188b 100644 --- a/chart/etcd-backup-restore/templates/etcdbr-ca-secret.yaml +++ b/chart/etcd-backup-restore/templates/etcdbr-ca-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.backupRestoreTLS }} +{{- if .Values.tls.etcdBackupRestore }} apiVersion: v1 kind: Secret metadata: @@ -10,5 +10,5 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} type: Opaque data: - bundle.crt: {{ .Values.backupRestoreTLS.caBundle | b64enc }} + bundle.crt: {{ .Values.tls.etcdBackupRestore.ca | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/etcdbr-client-tls-secret.yaml b/chart/etcd-backup-restore/templates/etcdbr-client-tls-secret.yaml index cf9c6db74..e9131b540 100644 --- a/chart/etcd-backup-restore/templates/etcdbr-client-tls-secret.yaml +++ b/chart/etcd-backup-restore/templates/etcdbr-client-tls-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.backupRestoreTLS }} +{{- if .Values.tls.etcdBackupRestore }} apiVersion: v1 kind: Secret metadata: 
@@ -10,6 +10,6 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} type: kubernetes.io/tls data: - tls.crt: {{ .Values.backupRestoreTLS.clientTLS.crt | b64enc }} - tls.key: {{ .Values.backupRestoreTLS.clientTLS.key | b64enc }} + tls.crt: {{ .Values.tls.etcdBackupRestore.client.crt | b64enc }} + tls.key: {{ .Values.tls.etcdBackupRestore.client.key | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/etcdbr-server-tls-secret.yaml b/chart/etcd-backup-restore/templates/etcdbr-server-tls-secret.yaml index 22db030d2..1f2f97d1a 100644 --- a/chart/etcd-backup-restore/templates/etcdbr-server-tls-secret.yaml +++ b/chart/etcd-backup-restore/templates/etcdbr-server-tls-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.backupRestoreTLS }} +{{- if .Values.tls.etcdBackupRestore }} apiVersion: v1 kind: Secret metadata: @@ -10,6 +10,6 @@ metadata: app.kubernetes.io/instance: {{ .Release.Name }} type: kubernetes.io/tls data: - tls.crt: {{ .Values.backupRestoreTLS.serverTLS.crt | b64enc }} - tls.key: {{ .Values.backupRestoreTLS.serverTLS.key | b64enc }} + tls.crt: {{ .Values.tls.etcdBackupRestore.server.crt | b64enc }} + tls.key: {{ .Values.tls.etcdBackupRestore.server.key | b64enc }} {{- end }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/role.yaml b/chart/etcd-backup-restore/templates/role.yaml new file mode 100644 index 000000000..6a1fce7b8 --- /dev/null +++ b/chart/etcd-backup-restore/templates/role.yaml 
@@ -0,0 +1,28 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-etcd + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: etcd + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +rules: + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/rolebinding.yaml b/chart/etcd-backup-restore/templates/rolebinding.yaml new file mode 100644 index 000000000..cc0c815f7 --- /dev/null +++ b/chart/etcd-backup-restore/templates/rolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-etcd + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: etcd + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-etcd +subjects: +- kind: ServiceAccount + name: {{ .Release.Name }}-etcd + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/templates/serviceaccount.yaml b/chart/etcd-backup-restore/templates/serviceaccount.yaml new file mode 100644 index 000000000..967f69c08 --- /dev/null +++ b/chart/etcd-backup-restore/templates/serviceaccount.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name}}-etcd + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: etcd + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} \ No newline at end of file diff --git a/chart/etcd-backup-restore/values.yaml b/chart/etcd-backup-restore/values.yaml index 9aafc4b3e..f571e4ec3 100644 
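Review bot: The Role grants `patch` and `update` on every StatefulSet in the namespace, whereas the workload only ever needs to touch its own `{{ .Release.Name }}-etcd`; scoping the write verbs with `resourceNames` limits what a compromised pod can do with the token. `resourceNames` does not constrain `list`/`watch`, so those stay in a separate unscoped rule. If the API client only reads the StatefulSet (for example to learn the replica count), `patch`/`update` can be dropped entirely — which verbs the backup-restore or wrapper code actually issues is not visible here.
```yaml
rules:
  - apiGroups:
      - apps
    resources:
      - statefulsets
    resourceNames:
      - {{ .Release.Name }}-etcd
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - list
      - watch
  # … unchanged: pods get/list/watch rule …
```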
--- a/chart/etcd-backup-restore/values.yaml +++ b/chart/etcd-backup-restore/values.yaml @@ -1,18 +1,19 @@ images: - # initContainer image to use for changing backup bucket permissions - initContainer: + # Image to use for changing backup bucket permissions + changeBackupBucketPermissions: repository: europe-docker.pkg.dev/gardener-project/public/3rd/alpine tag: 3.20.3 pullPolicy: IfNotPresent # etcd image to use - etcd: + etcdWrapper: repository: europe-docker.pkg.dev/gardener-project/public/gardener/etcd-wrapper tag: v0.3.0 pullPolicy: IfNotPresent # etcd-backup-restore image to use + # TODO: @anveshreddy18: use the latest tag for etcd-backup-restore once the v0.33.0 is released etcdBackupRestore: - repository: europe-docker.pkg.dev/gardener-project/releases/gardener/etcdbrctl - tag: v0.32.0 + repository: europe-docker.pkg.dev/gardener-project/snapshots/gardener/etcdbrctl + tag: v0.33.0-dev-e1690dd6ea14ca889d357307018ba2e53ced5203 pullPolicy: IfNotPresent resources: @@ -32,9 +33,13 @@ resources: memory: 128Mi servicePorts: - client: 2379 - server: 2380 - backupRestore: 8080 + etcd: + client: 2379 + peer: 2380 + etcdBackupRestore: + server: 8080 + etcdWrapper: + server: 9095 storageCapacity: 20Gi @@ -45,6 +50,8 @@ autoCompaction: mode: periodic retentionLength: "30m" +replicas: 1 + backup: # schedule is cron standard schedule to take full snapshots. schedule: "0 */1 * * *" @@ -76,7 +83,7 @@ backup: # storageProvider indicate the type of backup storage provider. # Supported values are ABS,GCS,S3,Swift,OSS,ECS,Local, empty means no backup. - storageProvider: "" + storageProvider: "GCS" # compression defines the specification to compress the snapshots(full as well as delta). # it only supports 3 compression Policy: gzip(default), zlib, lzw. 
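Review bot: The default `etcdBackupRestore` image now resolves to the `snapshots` registry with a `v0.33.0-dev-<sha>` tag, so users who install the chart with defaults pull an unreleased build from a mutable snapshot channel that can change underneath them — a supply-chain exposure the TODO acknowledges but does not mitigate. Until v0.33.0 ships, make the reference immutable by pinning the snapshot digest, e.g. `tag: v0.33.0-dev-...@sha256:<digest>` (or add a `digest:` field that the template prefers when set), and keep the TODO so the pointer moves back to `releases`. Alternatively leave the released `v0.32.0` as the chart default and carry the dev image in a local values file used only for development.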
@@ -99,10 +106,10 @@ backup: # s3ForcePathStyle: "true" # optional # sseCustomerKey: aes-256-sse-customer-key # optional # sseCustomerAlgorithm: aes-256-sse-customer-algorithm # optional - # gcs: - # serviceAccountJson: service-account-json-with-object-storage-privileges - # storageAPIEndpoint: endpoint-override-for-storage-api # optional - # emulatorEnabled: boolean-flag-to-configure-etcdbr-to-use-gcs-emulator # optional + gcs: + serviceAccountJson: "hello" + storageAPIEndpoint: "http://fake-gcs.default:8000/storage/v1/" + emulatorEnabled: "true" # abs: # storageAccount: storage-account-with-object-storage-privileges # storageKey: storage-key-with-object-storage-privileges 
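Review bot: These are development fixtures committed as chart defaults: `serviceAccountJson: "hello"` is a placeholder credential and `storageAPIEndpoint` points at `http://fake-gcs.default:8000/...` with `emulatorEnabled: "true"`, combined with `storageProvider` switched from `""` to `"GCS"` in the previous hunk. A user installing with default values now has snapshots of their etcd data shipped over plaintext HTTP to whatever answers that hostname in the `default` namespace of their cluster, instead of the previous safe default of taking no backup at all. Restore the commented-out form (`# gcs:` / `# serviceAccountJson: ...`) and `storageProvider: ""`, and keep the emulator settings in a separate dev values file (for example `values-dev.yaml`) passed explicitly with `-f`.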
@@ -133,53 +140,68 @@ etcdAuth: {} # username: username # password: password -etcdTLS: {} - # caBundle: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # serverTLS: - # crt: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # key: | - # -----BEGIN PRIVATE KEY----- - # ... - # -----END PRIVATE KEY----- - # clientTLS: - # crt: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # key: | - # -----BEGIN PRIVATE KEY----- - # ... - # -----END PRIVATE KEY----- -# backupRestoreTLS field contains the pre-created secrets for backup-restore server. -# Comment this whole section if you dont want to use tls for the backup-restore server. -backupRestoreTLS: {} - # caBundle: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # serverTLS: - # crt: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # key: | - # -----BEGIN PRIVATE KEY----- - # ... - # -----END PRIVATE KEY----- - # clientTLS: - # crt: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # key: | - # -----BEGIN PRIVATE KEY----- - # ... - # -----END PRIVATE KEY----- +tls: + etcd: {} + # ca: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # server: + # crt: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # key: | + # -----BEGIN PRIVATE KEY----- + # ... + # -----END PRIVATE KEY----- + # client: + # crt: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # key: | + # -----BEGIN PRIVATE KEY----- + # ... + # -----END PRIVATE KEY----- + # peer: + # ca: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # server: + # crt: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # key: | + # -----BEGIN PRIVATE KEY----- + # ... + # -----END PRIVATE KEY----- + # # etcdBackupRestore field contains the pre-created secrets for backup-restore server. 
+ # # Comment this whole section if you dont want to use tls for the backup-restore server. + etcdBackupRestore: + # ca: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # server: + # crt: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # key: | + # -----BEGIN PRIVATE KEY----- + # ... + # -----END PRIVATE KEY----- + # client: + # crt: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # key: | + # -----BEGIN PRIVATE KEY----- + # ... + # -----END PRIVATE KEY----- # podAnnotations that will be passed to the resulting etcd pod podAnnotations: {}
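Review bot: `etcdBackupRestore:` is left with no value while all its children are commented out, so it parses as `null` rather than the `{}` its sibling `etcd: {}` uses; the templates only test truthiness so both work, but `etcdBackupRestore: {}` keeps the two sections consistent and avoids a bare key that yamllint flags. The two explanatory lines above it became double-hash comments (`# # etcdBackupRestore field ...`) and should be ordinary `#` comments at the `etcdBackupRestore` indent, with an equivalent sentence for `etcd` and `peer`. The `peer` section should also say what the certificates must satisfy, since the chart mounts one `peer.server` certificate into every replica and uses it for both incoming and outgoing peer connections: `# peer.server is used as both server and client cert by every member: it needs serverAuth+clientAuth EKUs and SANs for all <release>-etcd-<i>.<release>-etcd-peer.<ns>.svc names`, and `tls.etcd.server` needs `<release>-etcd-local` (the hostAliases name the sidecar verifies against) as a SAN. Finally, note next to `peer:` that it is only honoured when `tls.etcd` itself is set.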