openstack/openstack-helm-infra
Code Issues Proposed changes
f31cfb2ef9
openstack-helm-infra/ceph-provisioners/values.yaml
Brian Haley f31cfb2ef9 support image registries with authentication 
Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
2022-07-20 14:28:47 -05:00

484 lines
13 KiB
YAML
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for ceph-client.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
---
deployment:
ceph: true
client_secrets: false
# Original rbd_provisioner is now DEPRECATED. It will be removed in the
# next release; CSI RBD provisioner should be used instead.
rbd_provisioner: true
csi_rbd_provisioner: true
cephfs_provisioner: true
release_group: null
images:
pull_policy: IfNotPresent
tags:
ceph_bootstrap: 'docker.io/openstackhelm/ceph-daemon:change_770201_ubuntu_bionic-20210113'
ceph_cephfs_provisioner: 'docker.io/openstackhelm/ceph-cephfs-provisioner:ubuntu_bionic-20200521'
ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:change_770201_ubuntu_bionic-20210113'
ceph_rbd_provisioner: 'docker.io/openstackhelm/ceph-rbd-provisioner:change_770201_ubuntu_bionic-20210113'
csi_provisioner: 'k8s.gcr.io/sig-storage/csi-provisioner:v3.1.0'
csi_snapshotter: 'k8s.gcr.io/sig-storage/csi-snapshotter:v6.0.0'
csi_attacher: 'k8s.gcr.io/sig-storage/csi-attacher:v3.4.0'
csi_resizer: 'k8s.gcr.io/sig-storage/csi-resizer:v1.4.0'
csi_registrar: 'k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.5.0'
cephcsi: 'quay.io/cephcsi/cephcsi:v3.6.2'
dep_check: 'quay.io/airshipit/kubernetes-entrypoint:v1.0.0'
image_repo_sync: 'docker.io/library/docker:17.07.0'
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
provisioner:
node_selector_key: openstack-control-plane
node_selector_value: enabled
csi_rbd_plugin:
node_selector_key: openstack-control-plane
node_selector_value: enabled
pod:
test_pod:
wait_timeout: 600
rbd:
name: rbd-prov-test-pod
pvc_name: rbd-prov-test-pvc
csi_rbd:
name: csi-rbd-prov-test-pod
pvc_name: csi-rbd-prov-test-pvc
cephfs:
name: cephfs-prov-test-pod
pvc_name: cephfs-prov-test-pvc
security_context:
provisioner:
pod:
runAsUser: 0
container:
ceph_cephfs_provisioner:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
ceph_rbd_provisioner:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
ceph_rbd_snapshotter:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
ceph_rbd_attacher:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
ceph_rbd_resizer:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
ceph_rbd_cephcsi:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
plugin:
pod:
runAsUser: 0
container:
ceph_rbd_registrar:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
ceph_csi_rbd_plugin:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
bootstrap:
pod:
runAsUser: 99
container:
ceph_client_bootstrap:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
cephfs_client_key_generator:
pod:
runAsUser: 99
container:
ceph_storage_keys_generator:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
client_key_cleaner:
pod:
runAsUser: 99
container:
ceph_namespace_client_keys_cleaner:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
client_key_generator:
pod:
runAsUser: 99
container:
ceph_storage_keys_generator:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
test:
pod:
runAsUser: 0
container:
test:
readOnlyRootFilesystem: true
dns_policy: "ClusterFirstWithHostNet"
replicas:
cephfs_provisioner: 2
rbd_provisioner: 2
csi_rbd_provisioner: 2
lifecycle:
upgrades:
deployments:
pod_replacement_strategy: Recreate
daemonsets:
pod_replacement_strategy: RollingUpdate
plugin:
enabled: true
min_ready_seconds: 0
max_unavailable: 1
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
resources:
enabled: false
rbd_provisioner:
requests:
memory: "5Mi"
cpu: "250m"
limits:
memory: "50Mi"
cpu: "500m"
csi_rbd_provisioner:
requests:
memory: "5Mi"
cpu: "250m"
limits:
memory: "50Mi"
cpu: "500m"
cephfs_provisioner:
requests:
memory: "5Mi"
cpu: "250m"
limits:
memory: "50Mi"
cpu: "500m"
rbd_attacher:
requests:
memory: "5Mi"
cpu: "250m"
limits:
memory: "50Mi"
cpu: "500m"
rbd_registrar:
requests:
memory: "5Mi"
cpu: "250m"
limits:
memory: "50Mi"
cpu: "500m"
rbd_resizer:
requests:
memory: "5Mi"
cpu: "250m"
limits:
memory: "50Mi"
cpu: "500m"
rbd_snapshotter:
requests:
memory: "5Mi"
cpu: "250m"
limits:
memory: "50Mi"
cpu: "500m"
rbd_cephcsi:
requests:
memory: "5Mi"
cpu: "250m"
limits:
memory: "50Mi"
cpu: "500m"
jobs:
bootstrap:
limits:
memory: "1024Mi"
cpu: "2000m"
requests:
memory: "128Mi"
cpu: "500m"
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tolerations:
rbd_provisioner:
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 60
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 60
csi_rbd_provisioner:
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 60
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 60
cephfs_provisioner:
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 60
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 60
secrets:
keyrings:
admin: ceph-client-admin-keyring
prov_adminSecretName: pvc-ceph-conf-combined-storageclass
oci_image_registry:
ceph-provisioners: ceph-provisioners-oci-image-registry-key
network:
public: 192.168.0.0/16
cluster: 192.168.0.0/16
conf:
ceph:
global:
# auth
cephx: true
cephx_require_signatures: false
cephx_cluster_require_signatures: true
cephx_service_require_signatures: false
objecter_inflight_op_bytes: "1073741824"
objecter_inflight_ops: 10240
debug_ms: "0/0"
log_file: /dev/stdout
mon_cluster_log_file: /dev/stdout
osd:
osd_mkfs_type: xfs
osd_mkfs_options_xfs: -f -i size=2048
osd_max_object_name_len: 256
ms_bind_port_min: 6800
ms_bind_port_max: 7100
ext_ceph_cluster:
rook_ceph:
connect: false
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- ceph-provisioners-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
bootstrap:
jobs: null
services:
- endpoint: internal
service: ceph_mon
cephfs_client_key_generator:
jobs: null
cephfs_provisioner:
jobs:
- ceph-rbd-pool
services:
- endpoint: internal
service: ceph_mon
namespace_client_key_cleaner:
jobs: null
namespace_client_key_generator:
jobs: null
rbd_provisioner:
jobs:
- ceph-rbd-pool
services:
- endpoint: internal
service: ceph_mon
csi_rbd_provisioner:
jobs:
- ceph-rbd-pool
services:
- endpoint: internal
service: ceph_mon
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
bootstrap:
enabled: false
script: |
ceph -s
function ensure_pool () {
ceph osd pool stats $1 || ceph osd pool create $1 $2
if [[ $(ceph mon versions | awk '/version/{print $3}' | cut -d. -f1) -ge 12 ]]; then
ceph osd pool application enable $1 $3
fi
}
#ensure_pool volumes 8 cinder
# if you change provision_storage_class to false
# it is presumed you manage your own storage
# class definition externally
# NOTE(kranthikirang) We iterate over each storageclass parameters
# and derive the manifest.
storageclass:
rbd:
provision_storage_class: true
provisioner: ceph.com/rbd
ceph_configmap_name: ceph-etc
metadata:
name: general-rbd
parameters:
pool: rbd
adminId: admin
adminSecretName: pvc-ceph-conf-combined-storageclass
adminSecretNamespace: ceph
userId: admin
userSecretName: pvc-ceph-client-key
imageFormat: "2"
imageFeatures: layering
csi_rbd:
provision_storage_class: true
provisioner: ceph.rbd.csi.ceph.com
ceph_configmap_name: ceph-etc
metadata:
default_storage_class: true
name: general
parameters:
clusterID: ceph
csi.storage.k8s.io/controller-expand-secret-name: pvc-ceph-conf-combined-storageclass
csi.storage.k8s.io/controller-expand-secret-namespace: ceph
csi.storage.k8s.io/fstype: ext4
csi.storage.k8s.io/node-stage-secret-name: pvc-ceph-conf-combined-storageclass
csi.storage.k8s.io/node-stage-secret-namespace: ceph
csi.storage.k8s.io/provisioner-secret-name: pvc-ceph-conf-combined-storageclass
csi.storage.k8s.io/provisioner-secret-namespace: ceph
imageFeatures: layering
imageFormat: "2"
pool: rbd
adminId: admin
adminSecretName: pvc-ceph-conf-combined-storageclass
adminSecretNamespace: ceph
userId: admin
userSecretName: pvc-ceph-client-key
cephfs:
provision_storage_class: true
provisioner: ceph.com/cephfs
metadata:
name: cephfs
parameters:
adminId: admin
adminSecretName: pvc-ceph-cephfs-client-key
adminSecretNamespace: ceph
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
ceph-provisioners:
username: ceph-provisioners
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
ceph_mon:
namespace: null
hosts:
default: ceph-mon
discovery: ceph-mon-discovery
host_fqdn_override:
default: null
port:
mon:
default: 6789
mon_msgr2:
default: 3300
manifests:
configmap_bin: true
configmap_bin_common: true
configmap_etc: true
deployment_rbd_provisioner: true
# Original rbd_provisioner is now DEPRECATED. It will be removed in the
# next release; CSI RBD provisioner should be used instead.
deployment_csi_rbd_provisioner: true
deployment_cephfs_provisioner: true
job_bootstrap: false
job_cephfs_client_key: true
job_image_repo_sync: true
job_namespace_client_key_cleaner: true
job_namespace_client_key: true
job_namespace_client_ceph_config: true
storageclass: true
helm_tests: true
secret_registry: true
...
View Git Blame Copy Permalink