
universe-tenant-control-plane

Chart version: 0.5.0-dev

AppVersion: 0.5.0-dev

Description: A Helm chart with Universe components for tenant cluster

Name

Version

Repository

universe-k8s-tenant-resource-plugin 0.5.0-dev built-in
universe-k8s-tenant-workload-plugin 0.5.0-dev built-in
universe-k8s-tenant-workload-rule-plugin 0.5.0-dev built-in
lib-universe-proxy 0.0.0 file://../lib-universe-proxy
lib-vault-integration 0.0.0 file://../lib-vault-integration

  • > global (object): global settings which will apply for all subcharts

    Default: see default values for nested options

  • > global.image.tag (string): this tag will be used for most images in all subcharts if a tag is not set explicitly for the image

    Default:


    null

  • > global.image.registry (string): this registry will be used for most images in all subcharts if a registry is not set explicitly for the image

    Default:


    null

  • > global.imagePullSecrets (list): imagePullSecrets will be added to all components. If imagePullSecrets is explicitly set for a component, the global value will be ignored for it.

    Default:


    []

  • > global.nodeSelector (object): nodeSelector will be added to all components. If nodeSelector is explicitly set for a component, the global value will be ignored for it.

    Default:


    {}

  • > global.tolerations (list): tolerations will be added to all components. If tolerations are explicitly set for a component, the global value will be ignored for it.

    Default:


    []

  • > global.sidecars (object): setting for common sidecar containers

    Default:


    { "proxy": { "config": { "enabled": true, "listener": { "access_log": { "enabled": true, "log_format": { "json_format": { "bytes_received": "%BYTES_RECEIVED%", "bytes_sent": "%BYTES_SENT%", "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%", "downstream": "%DOWNSTREAM_REMOTE_ADDRESS%", "duration": "%DURATION%", "grpc_status": "%GRPC_STATUS%", "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%", "protocol": "%PROTOCOL%", "start_time": "%START_TIME(%s.%3f)%", "tls_local_uri_san": "%DOWNSTREAM_LOCAL_URI_SAN%", "tls_peer_cert_end": "%DOWNSTREAM_PEER_CERT_V_END%", "tls_peer_cert_start": "%DOWNSTREAM_PEER_CERT_V_START%", "tls_peer_issuer": "%DOWNSTREAM_PEER_ISSUER%", "tls_peer_serial": "%DOWNSTREAM_PEER_SERIAL%", "tls_peer_subject": "%DOWNSTREAM_PEER_SUBJECT%", "tls_peer_uri_san": "%DOWNSTREAM_PEER_URI_SAN%", "tls_requested_server_name": "%REQUESTED_SERVER_NAME%", "upstream": "%UPSTREAM_HOST%", "upstream_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%" }, "omit_empty_values": true } }, "address": "127.0.0.1", "inject_headers": null, "port": 59090 }, "upstream": { "address": null, "clientTLS": { "cert": "/vault/secrets/client.cert", "enabled": false, "key": "/vault/secrets/client.key" }, "peerValidation": { "ca": "/vault/secrets/ca.cert", "enabled": false }, "port": null } }, "enabled": true, "image": { "pullPolicy": "IfNotPresent", "registry": "", "repository": "universe-grpc-proxy", "tag": "" } } }

  • > global.sidecars.proxy.enabled (bool): enables or disables deployment of proxy sidecar container

    Default:


    true

  • > global.sidecars.proxy.image.registry (string): registry for proxy image

    Default:


    ""

  • > global.sidecars.proxy.image.repository (string): proxy image name

    Default:


    "universe-grpc-proxy"

  • > global.sidecars.proxy.image.pullPolicy (string): pullPolicy for proxy image

    Default:


    "IfNotPresent"

  • > global.sidecars.proxy.image.tag (string): tag for the proxy image; if not set, the Helm chart appVersion will be used as the tag

    Default:


    ""

  • > global.sidecars.proxy.config (object): will be translated to ConfigMap which holds envoy configuration

    Default: see default values for nested options

  • > global.sidecars.proxy.config.enabled (bool): enables or disables deployment of proxy sidecar configuration

    Default:


    true

  • > global.sidecars.proxy.config.listener.inject_headers (string): allows injecting custom headers into GRPC requests which are forwarded to the upstream cluster, e.g. inject_headers: {"tenant-id": "tenant1"}

    Default:


    null

  • > global.sidecars.proxy.config.listener.access_log.enabled (bool): enables or disables access_log for proxy container

    Default:


    true

  • > global.sidecars.proxy.config.listener.access_log.log_format (object): format of the access log; it will be injected as-is into Envoy's config file

    Default:


    { "json_format": { "bytes_received": "%BYTES_RECEIVED%", "bytes_sent": "%BYTES_SENT%", "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%", "downstream": "%DOWNSTREAM_REMOTE_ADDRESS%", "duration": "%DURATION%", "grpc_status": "%GRPC_STATUS%", "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%", "protocol": "%PROTOCOL%", "start_time": "%START_TIME(%s.%3f)%", "tls_local_uri_san": "%DOWNSTREAM_LOCAL_URI_SAN%", "tls_peer_cert_end": "%DOWNSTREAM_PEER_CERT_V_END%", "tls_peer_cert_start": "%DOWNSTREAM_PEER_CERT_V_START%", "tls_peer_issuer": "%DOWNSTREAM_PEER_ISSUER%", "tls_peer_serial": "%DOWNSTREAM_PEER_SERIAL%", "tls_peer_subject": "%DOWNSTREAM_PEER_SUBJECT%", "tls_peer_uri_san": "%DOWNSTREAM_PEER_URI_SAN%", "tls_requested_server_name": "%REQUESTED_SERVER_NAME%", "upstream": "%UPSTREAM_HOST%", "upstream_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%" }, "omit_empty_values": true }

  • > global.sidecars.proxy.config.listener.address (string): proxy container will listen on this address

    Default:


    "127.0.0.1"

  • > global.sidecars.proxy.config.listener.port (int): proxy container will listen on this port

    Default:


    59090

  • > global.sidecars.proxy.config.upstream.address (string): upstream server address

    Default:


    null

  • > global.sidecars.proxy.config.upstream.port (string): upstream server port

    Default:


    null

  • > global.sidecars.proxy.config.upstream.clientTLS (object): client configuration for mTLS when connecting to upstream server

    Default:


    { "cert": "/vault/secrets/client.cert", "enabled": false, "key": "/vault/secrets/client.key" }

  • > global.sidecars.proxy.config.upstream.peerValidation (object): configuration for upstream server certificate validation

    Default:


    { "ca": "/vault/secrets/ca.cert", "enabled": false }

  • > global.vaultApproleSecret (object): settings for the Secret which stores the roleID and secretID for the approle auth method in Vault. Config from this Secret is read by the vault-sidecar container and used to authenticate to the Vault server. If vaultApproleSecret settings are explicitly set for a component, the global value will be ignored for it.

    Default: see default values for nested options

  • > global.vaultApproleSecret.create (bool): enables or disables creation of the Secret

    Default:


    false

  • > global.vaultApproleSecret.name (string): override for default Secret name

    Default: if not set explicitly, Helm release name + "-secret" will be used

  • > global.vaultApproleSecret.roleID (string): roleID which vault-sidecar will use for authentication in Vault server

    Default:


    null

  • > global.vaultApproleSecret.secretID (string): secretID which vault-sidecar will use for authentication in Vault server

    Default:


    null

  • > global.vaultAnnotations (object): configuration for Vault-related Pod annotations. These annotations are used by the vault-injector mutating webhook to determine the configuration of the vault-sidecar container which will be attached to the plugin Pod. If vaultAnnotations settings are explicitly set for a component, the global value will be ignored for it.

    Default: see default values for nested options

  • > global.vaultAnnotations.addAnnotations (bool): enables or disables addition of the annotations

    Default:


    false

  • > global.vaultAnnotations.namespace (string): namespace in vault-server (namespaces are available only in Vault Enterprise)

    Default:


    null

  • > global.vaultAnnotations.role (string): add label with role Name

    Default:


    null

  • > global.vaultAnnotations.clientCertSecret (string): vault PKI cert issue path

    Default:


    "pki_universe/issue/local"

  • > global.vaultAnnotations.clientCertCommonName (string): common name for generated certificate

    Default:


    "proxy.local"

  • > global.vaultAnnotations.clientCertTTL (string): TTL for generated certificate

    Default:


    "24h"

  • > universe-k8s-tenant-resource-plugin (object): settings for the universe-k8s-tenant-resource-plugin subchart

    Default: check universe-k8s-tenant-resource-plugin chart documentation

  • > universe-k8s-tenant-resource-plugin.enabled (bool): enables or disables deployment of universe-k8s-tenant-resource-plugin

    Default:


    false

  • > universe-k8s-tenant-workload-plugin (object): settings for the universe-k8s-tenant-workload-plugin subchart

    Default: check universe-k8s-tenant-workload-plugin chart documentation

  • > universe-k8s-tenant-workload-plugin.enabled (bool): enables or disables deployment of universe-k8s-tenant-workload-plugin

    Default:


    false

  • > universe-k8s-tenant-workload-rule-plugin (object): settings for the universe-k8s-tenant-workload-rule-plugin subchart

    Default: check universe-k8s-tenant-workload-rule-plugin chart documentation

  • > universe-k8s-tenant-workload-rule-plugin.enabled (bool): enables or disables deployment of universe-k8s-tenant-workload-rule-plugin

    Default:


    false

example-values-secure.yaml


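# example-values-secure.yaml
# Profile that enables mTLS towards the upstream Infra API gateway and
# Vault AppRole authentication for the vault-sidecar. All three tenant
# plugin subcharts are enabled.
global:
  image:
    tag: latest
    registry: harbor.mellanox.com/cloud-orchestration-dev/
  # imagePullSecrets:
  # - name: nvcrio-cred
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/master
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/control-plane
  sidecars:
    proxy:
      config:
        listener:
          # Header added to every GRPC request forwarded to the upstream cluster.
          inject_headers:
            tenant-id: tenant1
        upstream:
          address: 172.18.0.2 # Infra API gateway address
          port: 30001
          # Client certificate for mTLS to the upstream (paths default to /vault/secrets/client.*).
          clientTLS:
            enabled: true
          # Validate the upstream server certificate against the CA (defaults to /vault/secrets/ca.cert).
          peerValidation:
            enabled: true
  # Pod annotations consumed by the vault-injector webhook to attach the vault-sidecar.
  vaultAnnotations:
    addAnnotations: true
  vaultApproleSecret:
    create: true
    roleID: dc15780f-1b8a-b285-f875-07d7930f4b95 # vault roleID, will be shared by all plugins
    # vault secretID, will be shared by all plugins. The AppRole secretID is a
    # credential: supply it at install time (e.g. --set, or a values file kept
    # out of version control) instead of committing a literal value here.
    secretID: "<VAULT_APPROLE_SECRET_ID>"
universe-k8s-tenant-resource-plugin:
  enabled: true
universe-k8s-tenant-workload-plugin:
  enabled: true
universe-k8s-tenant-workload-rule-plugin:
  enabled: true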

example-values-dev.yaml


# example-values-dev.yaml
# Development profile: same images, scheduling and upstream gateway as the
# secure example, but upstream.clientTLS and upstream.peerValidation are left
# at their chart defaults (disabled), and no Vault annotations or AppRole
# Secret are configured.
global:
  image:
    tag: latest
    registry: harbor.mellanox.com/cloud-orchestration-dev/
  # imagePullSecrets:
  # - name: nvcrio-cred
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/master
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/control-plane
  sidecars:
    proxy:
      config:
        listener:
          # Header added to every GRPC request forwarded to the upstream cluster.
          inject_headers:
            tenant-id: tenant1
        upstream:
          address: 172.18.0.2 # Infra API gateway address
          # With clientTLS/peerValidation left disabled, the proxy does not
          # present a client cert or validate the upstream server cert.
          port: 30001
universe-k8s-tenant-resource-plugin:
  enabled: true
universe-k8s-tenant-workload-plugin:
  enabled: true
universe-k8s-tenant-workload-rule-plugin:
  enabled: true
