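# Machine file entry: writes the etcd-member Pod manifest below to
# /etc/kubernetes/manifests/etcd-member.yaml on the root filesystem.
# The double-curly-brace placeholders are template actions expanded before
# this YAML is parsed, so review the rendered output as well as this source.
filesystem: "root"
# NOTE(review): kept unquoted on purpose. A YAML 1.1 loader reads 0644 as
# octal (decimal 420); a YAML 1.2 loader reads decimal 644. Confirm which
# loader consumes this file before changing the spelling.
mode: 0644
path: "/etc/kubernetes/manifests/etcd-member.yaml"
contents:
  inline: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: etcd-member
      namespace: kube-system
      labels:
        k8s-app: etcd
    spec:
      # Images below are referenced by tag, which a registry can repoint.
      # Pin by digest where the release tooling allows it (see the FIXMEs).
      #
      # Init order: "discovery" writes /run/etcd/environment, then "certs"
      # sources it and requests server and peer certificates that are not
      # already present under /etc/ssl/etcd.
      initContainers:
        - name: discovery
          image: "registry.svc.ci.openshift.org/openshift/origin-v4.0:setup-etcd-environment"
          args:
            - "run"
            - "--discovery-srv={{.ClusterName}}.{{.BaseDomain}}"
            - "--output-file=/run/etcd/environment"
            - "--v=4"
          securityContext:
            # Spelling fixed from "priviledged", which is not a
            # SecurityContext field: lenient decoding drops it and strict
            # validation rejects it. privileged removes most isolation
            # between container and host. NOTE(review): confirm each
            # container in this pod needs it, or narrow it to the specific
            # capabilities / SELinux options required.
            privileged: true
          volumeMounts:
            - name: discovery
              mountPath: /run/etcd/
        - name: certs
          image: "quay.io/coreos/kube-client-agent:36c62ccd7b16b522450c61e96fc556b217ee24f5" ## FIXME(abhinav): these images should be replaceable by release image.
          # The script relies on the image's /bin/sh accepting "pipefail"
          # and "source". The last argument of each command carries no
          # trailing backslash, so a command never depends on a blank line
          # following it to terminate.
          command:
            - /bin/sh
            - -c
            - |
              #!/bin/sh
              set -euo pipefail

              source /run/etcd/environment

              [ -e /etc/ssl/etcd/system:etcd-server:${ETCD_DNS_NAME}.crt -a \
                -e /etc/ssl/etcd/system:etcd-server:${ETCD_DNS_NAME}.key ] || \
                /usr/local/bin/kube-client-agent \
                  request \
                    --kubeconfig=/etc/kubernetes/kubeconfig \
                    --orgname=system:etcd-servers \
                    --assetsdir=/etc/ssl/etcd \
                    --dnsnames={{etcdServerCertDNSNames .}} \
                    --commonname=system:etcd-server:${ETCD_DNS_NAME} \
                    --ipaddrs=${ETCD_IPV4_ADDRESS},127.0.0.1

              [ -e /etc/ssl/etcd/system:etcd-peer:${ETCD_DNS_NAME}.crt -a \
                -e /etc/ssl/etcd/system:etcd-peer:${ETCD_DNS_NAME}.key ] || \
                /usr/local/bin/kube-client-agent \
                  request \
                    --kubeconfig=/etc/kubernetes/kubeconfig \
                    --orgname=system:etcd-peers \
                    --assetsdir=/etc/ssl/etcd \
                    --dnsnames={{etcdPeerCertDNSNames .}} \
                    --commonname=system:etcd-peer:${ETCD_DNS_NAME} \
                    --ipaddrs=${ETCD_IPV4_ADDRESS}
          securityContext:
            privileged: true
          resources:
            requests:
              memory: 600Mi
          volumeMounts:
            - name: discovery
              mountPath: /run/etcd/
            - name: certs
              mountPath: /etc/ssl/etcd/
            # NOTE(review): host kubeconfig credential exposed to this
            # container; if the agent only reads it, mount it readOnly.
            - name: kubeconfig
              mountPath: /etc/kubernetes/kubeconfig
      containers:
        - name: etcd-member
          image: "quay.io/coreos/etcd:v3.3.10" ## FIXME(abhinav): these images should be replaceable by release image.
          # Client (2379) and peer (2380) listeners bind to 0.0.0.0 and the
          # pod uses hostNetwork, so both ports are opened on every host
          # interface. Access control then rests on the two
          # client-cert-auth flags and their CA files, plus whatever
          # host or network firewalling is in place.
          command:
            - /bin/sh
            - -c
            - |
              #!/bin/sh
              set -euo pipefail

              source /run/etcd/environment

              /usr/local/bin/etcd \
                --discovery-srv {{.ClusterName}}.{{.BaseDomain}} \
                --initial-advertise-peer-urls=https://${ETCD_IPV4_ADDRESS}:2380 \
                --cert-file=/etc/ssl/etcd/system:etcd-server:${ETCD_DNS_NAME}.crt \
                --key-file=/etc/ssl/etcd/system:etcd-server:${ETCD_DNS_NAME}.key \
                --trusted-ca-file=/etc/ssl/etcd/ca.crt \
                --client-cert-auth=true \
                --peer-cert-file=/etc/ssl/etcd/system:etcd-peer:${ETCD_DNS_NAME}.crt \
                --peer-key-file=/etc/ssl/etcd/system:etcd-peer:${ETCD_DNS_NAME}.key \
                --peer-trusted-ca-file=/etc/ssl/etcd/ca.crt \
                --peer-client-cert-auth=true \
                --advertise-client-urls=https://${ETCD_IPV4_ADDRESS}:2379 \
                --listen-client-urls=https://0.0.0.0:2379 \
                --listen-peer-urls=https://0.0.0.0:2380
          securityContext:
            privileged: true
          volumeMounts:
            - name: discovery
              mountPath: /run/etcd/
            - name: certs
              mountPath: /etc/ssl/etcd/
            - name: data-dir
              mountPath: /var/lib/etcd/
          env:
            - name: ETCD_DATA_DIR
              value: "/var/lib/etcd"
            # Member name is taken from the pod's own metadata.name.
            - name: ETCD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          ports:
            - name: peer
              containerPort: 2380
              protocol: TCP
            - name: server
              containerPort: 2379
              protocol: TCP
      hostNetwork: true
      restartPolicy: Always
      # Every volume is a hostPath: certificates, keys and the etcd data
      # directory live on the node's filesystem, so their protection
      # depends on the ownership and mode of these host directories.
      volumes:
        - name: certs
          hostPath:
            path: /etc/kubernetes/static-pod-resources/etcd-member
        - name: kubeconfig
          hostPath:
            path: /etc/kubernetes/kubeconfig
        - name: discovery
          hostPath:
            path: /run/etcd
        - name: data-dir
          hostPath:
            path: /var/lib/etcd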