Network Operator Application Notes 23.10.0 - Sphinx Test
NVIDIA Docs Hub  NVIDIA Networking  Networking Software  Cloud Orchestration  Network Operator Application Notes 23.10.0 - Sphinx Test  universe-tenant-control-plane
1.0

universe-tenant-control-plane

Chart version: 0.5.0-dev

AppVersion: 0.5.0-dev

Description: A Helm chart with Universe components for tenant cluster

Dependencies

Name

Version

Repository
universe-k8s-tenant-resource-plugin 0.5.0-dev built-in
universe-k8s-tenant-workload-plugin 0.5.0-dev built-in
universe-k8s-tenant-workload-rule-plugin 0.5.0-dev built-in
lib-universe-proxy 0.0.0 file://../lib-universe-proxy
lib-vault-integration 0.0.0 file://../lib-vault-integration

Values

  • > global (object): global settings which will apply for all subcharts

    Default: see default values for nested options

  • > global.image.tag (string): this tag will be used for most images in all subcharts if tag doesn’t set explicitly fot the image

    Default:

    Copy
    Copied!
                
    
            
    null

  • > global.image.registry (string): this registry will be used for most images in all subcharts if registry doesn’t set explicitly fot the image

    Default:

    Copy
    Copied!
                
    
            
    null

  • > global.imagePullSecrets (list): imagePullSecrets will be added to all components. If imagePullSecrets explicitly set for a components then global value will be ignored for it.

    Default:

    Copy
    Copied!
                
    
            
    []

  • > global.nodeSelector (object): nodeSelector will be added to all components. If nodeSelector explicitly set for a components then global value will be ignored for it.

    Default:

    Copy
    Copied!
                
    
            
    {}

  • > global.tolerations (list): tolerations will be added to all components. If tolerations explicitly set for a components then global value will be ignored for it.

    Default:

    Copy
    Copied!
                
    
            
    []

  • > global.sidecars (object): setting for common sidecar containers

    Default:

    Copy
    Copied!
                
    
            
    {
  "proxy": {
    "config": {
      "enabled": true,
      "listener": {
        "access_log": {
          "enabled": true,
          "log_format": {
            "json_format": {
              "bytes_received": "%BYTES_RECEIVED%",
              "bytes_sent": "%BYTES_SENT%",
              "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%",
              "downstream": "%DOWNSTREAM_REMOTE_ADDRESS%",
              "duration": "%DURATION%",
              "grpc_status": "%GRPC_STATUS%",
              "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
              "protocol": "%PROTOCOL%",
              "start_time": "%START_TIME(%s.%3f)%",
              "tls_local_uri_san": "%DOWNSTREAM_LOCAL_URI_SAN%",
              "tls_peer_cert_end": "%DOWNSTREAM_PEER_CERT_V_END%",
              "tls_peer_cert_start": "%DOWNSTREAM_PEER_CERT_V_START%",
              "tls_peer_issuer": "%DOWNSTREAM_PEER_ISSUER%",
              "tls_peer_serial": "%DOWNSTREAM_PEER_SERIAL%",
              "tls_peer_subject": "%DOWNSTREAM_PEER_SUBJECT%",
              "tls_peer_uri_san": "%DOWNSTREAM_PEER_URI_SAN%",
              "tls_requested_server_name": "%REQUESTED_SERVER_NAME%",
              "upstream": "%UPSTREAM_HOST%",
              "upstream_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
            },
            "omit_empty_values": true
          }
        },
        "address": "127.0.0.1",
        "inject_headers": null,
        "port": 59090
      },
      "upstream": {
        "address": null,
        "clientTLS": {
          "cert": "/vault/secrets/client.cert",
          "enabled": false,
          "key": "/vault/secrets/client.key"
        },
        "peerValidation": {
          "ca": "/vault/secrets/ca.cert",
          "enabled": false
        },
        "port": null
      }
    },
    "enabled": true,
    "image": {
      "pullPolicy": "IfNotPresent",
      "registry": "",
      "repository": "universe-grpc-proxy",
      "tag": ""
    }
  }
}

  • > global.sidecars.proxy.enabled (bool): enables or disables deployment of proxy sidecar container

    Default:

    Copy
    Copied!
                
    
            
    true

  • > global.sidecars.proxy.image.registry (string): registry for proxy image

    Default:

    Copy
    Copied!
                
    
            
    ""

  • > global.sidecars.proxy.image.repository (string): proxy image name

    Default:

    Copy
    Copied!
                
    
            
    "universe-grpc-proxy"

  • > global.sidecars.proxy.image.pullPolicy (string): pullPolicy for proxy image

    Default:

    Copy
    Copied!
                
    
            
    "IfNotPresent"

  • > global.sidecars.proxy.image.tag (string): tag for proxy image if not set, Helm chart appVersion will be used as tag

    Default:

    Copy
    Copied!
                
    
            
    ""

  • > global.sidecars.proxy.config (object): will be translated to ConfigMap which holds envoy configuration

    Default: see default values for nested options

  • > global.sidecars.proxy.config.enabled (bool): enables or disables deployment of proxy sidecar configuration

    Default:

    Copy
    Copied!
                
    
            
    true

  • > global.sidecars.proxy.config.listener.inject_headers (string): allows to inject custom headers to GRPC requests which are forwarder to upstream cluster, e.g. inject_headers: {“tenant-id”: “tenant1”}

    Default:

    Copy
    Copied!
                
    
            
    null

  • > global.sidecars.proxy.config.listener.access_log.enabled (bool): enables or disables access_log for proxy container

    Default:

    Copy
    Copied!
                
    
            
    true

  • > global.sidecars.proxy.config.listener.access_log.log_format (object): format of the access log, will be injected as is to envoy’s config file

    Default:

    Copy
    Copied!
                
    
            
    {
  "json_format": {
    "bytes_received": "%BYTES_RECEIVED%",
    "bytes_sent": "%BYTES_SENT%",
    "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%",
    "downstream": "%DOWNSTREAM_REMOTE_ADDRESS%",
    "duration": "%DURATION%",
    "grpc_status": "%GRPC_STATUS%",
    "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
    "protocol": "%PROTOCOL%",
    "start_time": "%START_TIME(%s.%3f)%",
    "tls_local_uri_san": "%DOWNSTREAM_LOCAL_URI_SAN%",
    "tls_peer_cert_end": "%DOWNSTREAM_PEER_CERT_V_END%",
    "tls_peer_cert_start": "%DOWNSTREAM_PEER_CERT_V_START%",
    "tls_peer_issuer": "%DOWNSTREAM_PEER_ISSUER%",
    "tls_peer_serial": "%DOWNSTREAM_PEER_SERIAL%",
    "tls_peer_subject": "%DOWNSTREAM_PEER_SUBJECT%",
    "tls_peer_uri_san": "%DOWNSTREAM_PEER_URI_SAN%",
    "tls_requested_server_name": "%REQUESTED_SERVER_NAME%",
    "upstream": "%UPSTREAM_HOST%",
    "upstream_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
  },
  "omit_empty_values": true
}

  • > global.sidecars.proxy.config.listener.address (string): proxy container will listen on this address

    Default:

    Copy
    Copied!
                
    
            
    "127.0.0.1"

  • > global.sidecars.proxy.config.listener.port (int): proxy container will listen on this port

    Default:

    Copy
    Copied!
                
    
            
    59090

  • > global.sidecars.proxy.config.upstream.address (string): upstream server address

    Default:

    Copy
    Copied!
                
    
            
    null

  • > global.sidecars.proxy.config.upstream.port (string): upstream server address

    Default:

    Copy
    Copied!
                
    
            
    null

  • > global.sidecars.proxy.config.upstream.clientTLS (object): client configuration for mTLS when connecting to upstream server

    Default:

    Copy
    Copied!
                
    
            
    {
  "cert": "/vault/secrets/client.cert",
  "enabled": false,
  "key": "/vault/secrets/client.key"
}

  • > global.sidecars.proxy.config.upstream.peerValidation (object): configuration for upstream server certificate validation

    Default:

    Copy
    Copied!
                
    
            
    {
  "ca": "/vault/secrets/ca.cert",
  "enabled": false
}

  • > global.vaultApproleSecret (object): settings for Secret which store roleID and secretID for approle auth method in Vault. Config from this secret is read by vault-sidecar container and used to authenticate in Vault server If vaultApproleSecret settings explicitly set for a components then global value will be ignored for it.

    Default: see default values for nested options

  • > global.vaultApproleSecret.create (bool): enables or disables creation of the Secret

    Default:

    Copy
    Copied!
                
    
            
    false

  • > global.vaultApproleSecret.name (string): override for default Secret name

    Default: if not set explicitly Helm release name + “-secret” will be used

  • > global.vaultApproleSecret.roleID (string): roleID which vault-sidecar will use for authentication in Vault server

    Default:

    Copy
    Copied!
                
    
            
    null

  • > global.vaultApproleSecret.secretID (string): secretID which vault-sidecar will use for authentication in Vault server

    Default:

    Copy
    Copied!
                
    
            
    null

  • > global.vaultAnnotations (object): configuration for Vault related Pod annotations. These annotations are used by vault-injector mutating webhook to determine configuration of the vault-sidecar container which will be attached to the plugin Pod. If vaultAnnotations settings explicitly set for a components then global value will be ignored for it.

    Default: see default values for nested options

  • > global.vaultAnnotations.addAnnotations (bool): enables or disables addition of the annotations

    Default:

    Copy
    Copied!
                
    
            
    false

  • > global.vaultAnnotations.namespace (string): namespace in vault-server (namespaces are available only in Vault Enterprise)

    Default:

    Copy
    Copied!
                
    
            
    null

  • > global.vaultAnnotations.role (string): add label with role Name

    Default:

    Copy
    Copied!
                
    
            
    null

  • > global.vaultAnnotations.clientCertSecret (string): vault PKI cert issue path

    Default:

    Copy
    Copied!
                
    
            
    "pki_universe/issue/local"

  • > global.vaultAnnotations.clientCertCommonName (string): common name for generated certificate

    Default:

    Copy
    Copied!
                
    
            
    "proxy.local"

  • > global.vaultAnnotations.clientCertTTL (string): TTL for generated certificate

    Default:

    Copy
    Copied!
                
    
            
    "24h"

  • > universe-k8s-tenant-resource-plugin (object): settings for universe-k8s-tenant-resource-plugin subchart,

    Default: check universe-k8s-tenant-resource-plugin chart documentation

  • > universe-k8s-tenant-resource-plugin.enabled (bool): enables or disables deployment of universe-k8s-tenant-resource-plugin

    Default:

    Copy
    Copied!
                
    
            
    false

  • > universe-k8s-tenant-workload-plugin (object): settings for universe-k8s-tenant-workload-plugin subchart,

    Default: check universe-k8s-tenant-workload-plugin chart documentation

  • > universe-k8s-tenant-workload-plugin.enabled (bool): enables or disables deployment of universe-k8s-tenant-workload-plugin

    Default:

    Copy
    Copied!
                
    
            
    false

  • > universe-k8s-tenant-workload-rule-plugin (object): settings for universe-k8s-tenant-workload-rule-plugin subchart,

    Default: check universe-k8s-tenant-workload-rule-plugin chart documentation

  • > universe-k8s-tenant-workload-rule-plugin.enabled (bool): enables or disables deployment of universe-k8s-tenant-workload-rule-plugin

    Default:

    Copy
    Copied!
                
    
            
    false

Examples

example-values-secure.yaml

Copy
Copied!
            

            
global:
  image:
    tag: latest
    registry: harbor.mellanox.com/cloud-orchestration-dev/
  # imagePullSecrets:
  # - name: nvcrio-cred
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/master
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/control-plane
  sidecars:
    proxy:
      config:
        listener:
          inject_headers:
            tenant-id: tenant1
        upstream:
          address: 172.18.0.2 # Infra API gateway address
          port: 30001
          clientTLS:
            enabled: true
          peerValidation:
            enabled: true
  vaultAnnotations:
    addAnnotations: true
  vaultApproleSecret:
    create: true
    roleID: dc15780f-1b8a-b285-f875-07d7930f4b95 # vault roleID, will be shared by all plugins
    secretID: 98fbf93d-9441-0266-274f-b479a09b60e1 # vault secretID, will be shared by all plugins

universe-k8s-tenant-resource-plugin:
  enabled: true

universe-k8s-tenant-workload-plugin:
  enabled: true

universe-k8s-tenant-workload-rule-plugin:
  enabled: true

example-values-dev.yaml

Copy
Copied!
            

            
global:
  image:
    tag: latest
    registry: harbor.mellanox.com/cloud-orchestration-dev/
  # imagePullSecrets:
  # - name: nvcrio-cred
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/master
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/control-plane
  sidecars:
    proxy:
      config:
        listener:
          inject_headers:
            tenant-id: tenant1
        upstream:
          address: 172.18.0.2 # Infra API gateway address
          port: 30001

universe-k8s-tenant-resource-plugin:
  enabled: true

universe-k8s-tenant-workload-plugin:
  enabled: true

universe-k8s-tenant-workload-rule-plugin:
  enabled: true

Previous universe-infra-workload-rule-manager
Next universe-k8s-tenant-resource-plugin
© Copyright 2023, NVIDIA. Last updated on Feb 7, 2024.