---
# Salt pillar describing a single-node MetalK8s 2.7.1 cluster: the only node,
# "bootstrap", carries the ca, master, bootstrap, etcd and infra roles.
# NOTE(review): the private keys below are placeholder text, so this looks
# like sample/fixture data rather than a live pillar - confirm before reuse.
# NOTE(review): nesting was reconstructed from a listing that had lost its
# indentation; check it against the consumer's schema.

metalk8s:
  archives:
    - /archives/metalk8s-2.7.1.iso
  ca:
    # Presumably the minion acting as certificate authority; "bootstrap" also
    # holds the "ca" role under nodes.
    minion: bootstrap
  cluster_version: '2.7.1'
  debug: false
  endpoints:
    # NOTE(review): 51.68.68.162 is not an RFC 1918 address. If these values
    # are ever applied as-is, the repository listener (8080) and the Salt
    # master ports (4505/4506, API on 4507) should be firewalled from
    # untrusted networks. For a pure fixture, an RFC 5737 documentation range
    # avoids pointing at a real host.
    repositories:
      - hostname: null
        ip: 51.68.68.162
        node_name: bootstrap
        ports:
          http: 8080
    salt-master:
      - hostname: null
        ip: 51.68.68.162
        node_name: bootstrap
        ports:
          api: 4507
          publisher: 4505
          requestserver: 4506
  etcd:
    # Single member; client (2379) and peer (2380) URLs both use https.
    members:
      - client_urls:
          - https://51.68.68.162:2379
        id: 4746124461829215571
        name: bootstrap
        peer_urls:
          - https://51.68.68.162:2380
  nodes:
    bootstrap:
      roles:
        - ca
        - master
        - bootstrap
        - etcd
        - infra
      version: '2.7.1'
  private:
    # Placeholders only. Real API-server and (presumably service-account)
    # private keys belong in an encrypted pillar or a secret store, never in a
    # committed file, and this subtree should be targeted only at the minions
    # that need it.
    apiserver_key: '<some_rsa_key>'
    sa_private_key: '<some_rsa_key>'
  solutions:
    available: {}
    config:
      kind: SolutionsConfiguration
      apiVersion: solutions.metalk8s.scality.com/v1alpha1
      archives: []
      active: {}
    environments: {}
  volumes: {}

networks:
  # Control plane and workload plane share one CIDR here, so there is no
  # network-level separation between management and workload traffic.
  control_plane:
    cidr:
      - 51.68.68.0/24
  workload_plane:
    cidr:
      - 51.68.68.0/24
    mtu: 1460
  pod: 10.233.0.0/16
  service: 10.96.0.0/12

proxies: {}

# Values each minion publishes to the Salt mine. Only public material is
# exported (CA certificates and the sa.pub public key, base64-encoded) plus two
# IP grains. Mine data is generally readable by other minions, so no *.key
# path should ever be added to this list.
mine_functions:
  control_plane_ip:
    - mine_function: grains.get
    - 'metalk8s:control_plane_ip'
  dex_ca_b64:
    - mine_function: hashutil.base64_encodefile
    - /etc/metalk8s/pki/dex/ca.crt
  ingress_ca_b64:
    - mine_function: hashutil.base64_encodefile
    - /etc/metalk8s/pki/nginx-ingress/ca.crt
  kubernetes_etcd_ca_b64:
    - mine_function: hashutil.base64_encodefile
    - /etc/kubernetes/pki/etcd/ca.crt
  kubernetes_front_proxy_ca_b64:
    - mine_function: hashutil.base64_encodefile
    - /etc/kubernetes/pki/front-proxy-ca.crt
  kubernetes_root_ca_b64:
    - mine_function: hashutil.base64_encodefile
    - /etc/kubernetes/pki/ca.crt
  kubernetes_sa_pub_key_b64:
    - mine_function: hashutil.base64_encodefile
    - /etc/kubernetes/pki/sa.pub
  workload_plane_ip:
    - mine_function: grains.get
    - 'metalk8s:workload_plane_ip'

# Salt x509 signing policies: each names the CA key/cert used to sign and the
# extensions forced onto the issued certificate (critical keyUsage, one or two
# extendedKeyUsage values, authorityKeyIdentifier).
# NOTE(review): every policy uses minions: '*', i.e. any minion whose key the
# master has accepted may request a certificate from that CA. None of the
# policies pins subject fields, so those presumably come from the request;
# for the Kubernetes CA the subject is what the API server treats as the
# caller's identity. Outside a single-node or test setup, narrow the glob to
# the minions that legitimately need each policy and treat Salt key
# acceptance as part of the PKI trust boundary.
x509_signing_policies:
  dex_server_policy:
    - minions: '*'
    - signing_private_key: /etc/metalk8s/pki/dex/ca.key
    - signing_cert: /etc/metalk8s/pki/dex/ca.crt
    - keyUsage: critical digitalSignature, keyEncipherment
    - extendedKeyUsage: serverAuth
    - authorityKeyIdentifier: keyid
  etcd_client_policy:
    - minions: '*'
    - signing_private_key: /etc/kubernetes/pki/etcd/ca.key
    - signing_cert: /etc/kubernetes/pki/etcd/ca.crt
    - keyUsage: critical digitalSignature, keyEncipherment
    - extendedKeyUsage: clientAuth
    - authorityKeyIdentifier: keyid
  # The only policy that grants both serverAuth and clientAuth.
  etcd_server_client_policy:
    - minions: '*'
    - signing_private_key: /etc/kubernetes/pki/etcd/ca.key
    - signing_cert: /etc/kubernetes/pki/etcd/ca.crt
    - keyUsage: critical digitalSignature, keyEncipherment
    - extendedKeyUsage: serverAuth, clientAuth
    - authorityKeyIdentifier: keyid
  front_proxy_client_policy:
    - minions: '*'
    - signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
    - signing_cert: /etc/kubernetes/pki/front-proxy-ca.crt
    - keyUsage: critical digitalSignature, keyEncipherment
    - extendedKeyUsage: clientAuth
    - authorityKeyIdentifier: keyid
  ingress_server_policy:
    - minions: '*'
    - signing_private_key: /etc/metalk8s/pki/nginx-ingress/ca.key
    - signing_cert: /etc/metalk8s/pki/nginx-ingress/ca.crt
    - keyUsage: critical digitalSignature, keyEncipherment
    - extendedKeyUsage: serverAuth
    - authorityKeyIdentifier: keyid
  # Client and server policies for the API server share the same CA key
  # (/etc/kubernetes/pki/ca.key); only extendedKeyUsage differs.
  kube_apiserver_client_policy:
    - minions: '*'
    - signing_private_key: /etc/kubernetes/pki/ca.key
    - signing_cert: /etc/kubernetes/pki/ca.crt
    - keyUsage: critical digitalSignature, keyEncipherment
    - extendedKeyUsage: clientAuth
    - authorityKeyIdentifier: keyid
  kube_apiserver_server_policy:
    - minions: '*'
    - signing_private_key: /etc/kubernetes/pki/ca.key
    - signing_cert: /etc/kubernetes/pki/ca.crt
    - keyUsage: critical digitalSignature, keyEncipherment
    - extendedKeyUsage: serverAuth
    - authorityKeyIdentifier: keyid

# Inventory of client certificates, kubeconfigs and server certificates.
# Every entry sets watched: true - presumably enabling expiry monitoring or
# renewal for that file; confirm against the consuming formula.
certificates:
  client:
    files:
      apiserver-etcd:
        watched: true
      apiserver-kubelet:
        watched: true
      etcd-healthcheck:
        watched: true
      front-proxy:
        watched: true
      salt-master-etcd:
        watched: true
  kubeconfig:
    files:
      super-admin:
        watched: true
      admin:
        watched: true
      controller-manager:
        watched: true
      kubelet:
        watched: true
      salt-master:
        watched: true
      scheduler:
        watched: true
  server:
    files:
      apiserver:
        watched: true
      control-plane-ingress:
        watched: true
      dex:
        watched: true
      etcd:
        watched: true
      etcd-peer:
        watched: true
      salt-api:
        watched: true
      workload-plane-ingress:
        watched: true

kubernetes:
  controllerManager:
    config:
      terminatedPodGCThreshold: 500
  coreDNS:
    hostForward: true
    replicas: 2
    affinity:
      podAntiAffinity:
        # Soft anti-affinity keyed on the node hostname.
        soft:
          - topologyKey: kubernetes.io/hostname

addons:
  dex:
    enabled: true
  fluent-bit:
    enabled: true
  loki:
    enabled: true