From d8092b99bf98c5df3f34969b001e67af5e5a9c0f Mon Sep 17 00:00:00 2001 From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com> Date: Wed, 29 Oct 2025 21:13:45 -0400 Subject: [PATCH 1/2] fix(dns): Use direct vendor etcd for coredns The bitnami artifacts are no longer publicly available. Switches the configuration to the direct vendor option, using k8s manifests directly instead of the previous helm chart. 
Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com> --- contexts/_template/blueprint.jsonnet | 52 ++++---- kustomize/dns/coredns/etcd/certificates.yaml | 22 ++-- .../dns/coredns/etcd/ha/kustomization.yaml | 5 +- .../coredns/etcd/ha/patches/helm-release.yaml | 18 --- .../etcd/ha/patches/statefulset-patch.yaml | 24 ++++ .../coredns/etcd/ha/statefulset-patch.yaml | 24 ++++ kustomize/dns/coredns/etcd/helm-release.yaml | 57 --------- .../dns/coredns/etcd/helm-repository.yaml | 10 -- kustomize/dns/coredns/etcd/kustomization.yaml | 13 +- .../dns/coredns/etcd/network-policy.yaml | 54 ++++++++ .../coredns/etcd/patches/helm-release.yaml | 23 +++- kustomize/dns/coredns/etcd/patches/patch.yaml | 17 --- kustomize/dns/coredns/etcd/rbac.yaml | 33 +++++ kustomize/dns/coredns/etcd/service.yaml | 43 +++++++ kustomize/dns/coredns/etcd/statefulset.yaml | 121 ++++++++++++++++++ .../coredns/patches/helm-release.yaml | 9 +- 16 files changed, 362 insertions(+), 163 deletions(-) delete mode 100644 kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml create mode 100644 kustomize/dns/coredns/etcd/ha/patches/statefulset-patch.yaml create mode 100644 kustomize/dns/coredns/etcd/ha/statefulset-patch.yaml delete mode 100644 kustomize/dns/coredns/etcd/helm-release.yaml delete mode 100644 kustomize/dns/coredns/etcd/helm-repository.yaml create mode 100644 kustomize/dns/coredns/etcd/network-policy.yaml delete mode 100644 kustomize/dns/coredns/etcd/patches/patch.yaml create mode 100644 kustomize/dns/coredns/etcd/rbac.yaml create mode 100644 kustomize/dns/coredns/etcd/service.yaml create mode 100644 kustomize/dns/coredns/etcd/statefulset.yaml diff --git a/contexts/_template/blueprint.jsonnet b/contexts/_template/blueprint.jsonnet index 95519bb4..e9fe967f 100644 --- a/contexts/_template/blueprint.jsonnet +++ b/contexts/_template/blueprint.jsonnet 
@@ -155,7 +155,7 @@ local concat(arrays) = std.foldl(function(x, y) x + y, arrays, []); [ "nginx", if vmDriver == "docker-desktop" then "nginx/nodeport" else null, - // "nginx/coredns", + "nginx/coredns", "nginx/flux-webhook", "nginx/web", ] @@ -163,31 +163,31 @@ local concat(arrays) = std.foldl(function(x, y) x + y, arrays, []); dependsOn: ["pki-resources"], cleanup: ["loadbalancers", "ingresses"], }, - // { - // name: "dns", - // path: "dns", - // components: - // if provider == "aws" then [ - // "external-dns", - // "external-dns/route53", - // ] - // else if vmDriver == "docker-desktop" then [ - // "coredns", - // "coredns/etcd", - // "external-dns", - // "external-dns/localhost", - // "external-dns/coredns", - // "external-dns/ingress", - // ] - // else [ - // "coredns", - // "coredns/etcd", - // "external-dns", - // "external-dns/coredns", - // "external-dns/ingress", - // ], - // dependsOn: if provider == "aws" then [] else ["pki-base"], - // }, + { + name: "dns", + path: "dns", + components: + if provider == "aws" then [ + "external-dns", + "external-dns/route53", + ] + else if vmDriver == "docker-desktop" then [ + "coredns", + "coredns/etcd", + "external-dns", + "external-dns/localhost", + "external-dns/coredns", + "external-dns/ingress", + ] + else [ + "coredns", + "coredns/etcd", + "external-dns", + "external-dns/coredns", + "external-dns/ingress", + ], + dependsOn: if provider == "aws" then [] else ["pki-base"], + }, { name: "gitops", path: "gitops/flux", diff --git a/kustomize/dns/coredns/etcd/certificates.yaml b/kustomize/dns/coredns/etcd/certificates.yaml index 87f93422..6101d616 100644 --- a/kustomize/dns/coredns/etcd/certificates.yaml +++ b/kustomize/dns/coredns/etcd/certificates.yaml 
@@ -9,12 +9,12 @@ spec: issuerRef: name: private kind: ClusterIssuer - commonName: etcd-peer-coredns + commonName: etcd-peer dnsNames: - - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" usages: - digital signature - key encipherment @@ -31,12 +31,12 @@ spec: issuerRef: name: private kind: ClusterIssuer - commonName: etcd-coredns + commonName: etcd dnsNames: - - "etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "*.etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" - - "*.etcd-coredns-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" + - "*.etcd-headless.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}" usages: - server auth - client auth @@ -51,6 +51,6 @@ spec: issuerRef: name: private kind: ClusterIssuer - commonName: etcd-coredns + commonName: etcd-client usages: - client auth diff --git a/kustomize/dns/coredns/etcd/ha/kustomization.yaml b/kustomize/dns/coredns/etcd/ha/kustomization.yaml index 8138d116..9357c159 100644 --- a/kustomize/dns/coredns/etcd/ha/kustomization.yaml +++ b/kustomize/dns/coredns/etcd/ha/kustomization.yaml 
@@ -1,4 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component patches: - - path: patches/helm-release.yaml + - path: patches/statefulset-patch.yaml + target: + kind: StatefulSet + name: etcd diff --git a/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml b/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml deleted file mode 100644 index 83be0d6f..00000000 --- a/kustomize/dns/coredns/etcd/ha/patches/helm-release.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: etcd-coredns - namespace: system-dns -spec: - values: - replicaCount: 3 - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: "app.kubernetes.io/name" - operator: In - values: - - etcd - topologyKey: "kubernetes.io/hostname" diff --git a/kustomize/dns/coredns/etcd/ha/patches/statefulset-patch.yaml b/kustomize/dns/coredns/etcd/ha/patches/statefulset-patch.yaml new file mode 100644 index 00000000..aed053e5 --- /dev/null +++ b/kustomize/dns/coredns/etcd/ha/patches/statefulset-patch.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: etcd + namespace: system-dns +spec: + replicas: 3 + template: + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - etcd + topologyKey: kubernetes.io/hostname + containers: + - name: etcd + env: + - name: ETCD_INITIAL_CLUSTER + value: "etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380" diff --git a/kustomize/dns/coredns/etcd/ha/statefulset-patch.yaml b/kustomize/dns/coredns/etcd/ha/statefulset-patch.yaml new file mode 100644 index 00000000..aed053e5 --- /dev/null +++ b/kustomize/dns/coredns/etcd/ha/statefulset-patch.yaml 
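Review bot: The HA overlay in ha/patches/statefulset-patch.yaml cannot form a three-member cluster as written: the base StatefulSet passes `--name=etcd-0`, `--initial-advertise-peer-urls` and `--initial-cluster` as command-line flags, so every replica would start as etcd-0, and etcd reports the added `ETCD_INITIAL_CLUSTER` environment variable as shadowed by the corresponding flag rather than letting it override. Per-replica identity needs the name and URLs derived from the pod hostname (for example an `ETCD_NAME` env taken from `metadata.name` with the static flags removed from the base). The copy at ha/statefulset-patch.yaml in the next hunk is byte-identical and is not referenced by ha/kustomization.yaml, so one of the two is dead. Both files are deleted again in PATCH 2/2 of this series, so this matters only if the overlay is revived.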
@@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: etcd + namespace: system-dns +spec: + replicas: 3 + template: + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - etcd + topologyKey: kubernetes.io/hostname + containers: + - name: etcd + env: + - name: ETCD_INITIAL_CLUSTER + value: "etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380" diff --git a/kustomize/dns/coredns/etcd/helm-release.yaml b/kustomize/dns/coredns/etcd/helm-release.yaml deleted file mode 100644 index 8009c383..00000000 --- a/kustomize/dns/coredns/etcd/helm-release.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: etcd-coredns - namespace: system-dns -spec: - interval: 5m - timeout: 10m - chart: - spec: - chart: etcd - # renovate: datasource=helm depName=etcd package=etcd helmRepo=https://charts.bitnami.com/bitnami - version: 10.2.6 - sourceRef: - kind: HelmRepository - name: coredns-etcd-bitnami - namespace: system-gitops - values: - replicaCount: 1 - securityContext: - fsGroup: 1000 - # Modifies the liveness probe to behave like the other probes. Endpoint healthchecks with mTLS are not supported by k8s. - customLivenessProbe: - exec: - command: - - /opt/bitnami/scripts/etcd/healthcheck.sh - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - auth: - rbac: - create: false - allowNoneAuthentication: true - peer: - useAutoTLS: false - secureTransport: true - enableAuthentication: true - certFilename: tls.crt - certKeyFilename: tls.key - caFilename: ca.crt - existingSecret: etcd-peer-tls - client: - secureTransport: true - enableAuthentication: true - certFilename: tls.crt - certKeyFilename: tls.key - caFilename: ca.crt - # The server certificate is what etcd serves to clients - existingSecret: etcd-server-tls - persistence: - enabled: false - resources: - requests: - cpu: 200m - memory: 256Mi diff --git a/kustomize/dns/coredns/etcd/helm-repository.yaml b/kustomize/dns/coredns/etcd/helm-repository.yaml deleted file mode 100644 index 77b7fa10..00000000 --- a/kustomize/dns/coredns/etcd/helm-repository.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: coredns-etcd-bitnami - namespace: system-gitops -spec: - interval: 10m - timeout: 3m - url: https://charts.bitnami.com/bitnami diff --git a/kustomize/dns/coredns/etcd/kustomization.yaml b/kustomize/dns/coredns/etcd/kustomization.yaml index 847d14fc..dcdb365c 100644 
--- a/kustomize/dns/coredns/etcd/kustomization.yaml +++ b/kustomize/dns/coredns/etcd/kustomization.yaml @@ -1,15 +1,10 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: + - statefulset.yaml + - service.yaml - certificates.yaml - - helm-repository.yaml - - helm-release.yaml + - rbac.yaml + - network-policy.yaml patches: - - path: patches/patch.yaml - target: - group: helm.toolkit.fluxcd.io - version: v2 - kind: HelmRelease - name: coredns - namespace: system-dns - path: patches/helm-release.yaml diff --git a/kustomize/dns/coredns/etcd/network-policy.yaml b/kustomize/dns/coredns/etcd/network-policy.yaml new file mode 100644 index 00000000..839c3b12 --- /dev/null +++ b/kustomize/dns/coredns/etcd/network-policy.yaml @@ -0,0 +1,54 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: etcd + namespace: system-dns +spec: + podSelector: + matchLabels: + app: etcd + policyTypes: + - Ingress + - Egress + ingress: + # Allow etcd peer communication + - from: + - podSelector: + matchLabels: + app: etcd + ports: + - protocol: TCP + port: 2380 + # Allow client connections from CoreDNS + - from: + - podSelector: + matchLabels: + app: coredns + ports: + - protocol: TCP + port: 2379 + egress: + # Allow DNS resolution + - to: [] + ports: + - protocol: UDP + port: 53 + - protocol: TCP + port: 53 + # Allow etcd peer communication + - to: + - podSelector: + matchLabels: + app: etcd + ports: + - protocol: TCP + port: 2380 + # Allow client connections to other etcd instances + - to: + - podSelector: + matchLabels: + app: etcd + ports: + - protocol: TCP + port: 2379 diff --git a/kustomize/dns/coredns/etcd/patches/helm-release.yaml b/kustomize/dns/coredns/etcd/patches/helm-release.yaml index 63000cc5..479c4d18 100644 --- a/kustomize/dns/coredns/etcd/patches/helm-release.yaml +++ b/kustomize/dns/coredns/etcd/patches/helm-release.yaml 
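Review bot: The ingress rule on port 2379 admits only pods labelled `app: coredns` in the same namespace, but this commit also points external-dns at `https://etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379` (ETCD_URLS in kustomize/dns/external-dns/coredns/patches/helm-release.yaml), and external-dns is the writer of the records CoreDNS serves. Unless external-dns runs in system-dns carrying that label — its namespace and labels are not visible here — this policy silently drops its writes. A second selector under that rule, `- podSelector: { matchLabels: { <external-dns pod label> } }` paired with a `namespaceSelector` if it lives in another namespace, would close the gap. The `app: coredns` label should also be confirmed against the CoreDNS chart's actual pod labels, which commonly use the `app.kubernetes.io/name` key instead.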
@@ -6,27 +6,36 @@ metadata: namespace: system-dns spec: values: + extraVolumes: + - name: etcd-client-tls + secret: + secretName: etcd-client-tls + extraVolumeMounts: + - name: etcd-client-tls + mountPath: /etc/etcd/tls + readOnly: true servers: - zones: - zone: . port: 53 plugins: - - name: log - parameters: stdout - name: errors - name: health configBlock: |- lameduck 5s - - name: ready - name: etcd configBlock: | path /skydns - endpoint etcd-coredns.system-dns.svc.cluster.local:2379 - tls /etc/coredns/tls/tls.crt /etc/coredns/tls/tls.key /etc/coredns/tls/ca.crt + endpoint etcd.system-dns.svc.cluster.local:2379 + tls /etc/etcd/tls/tls.crt /etc/etcd/tls/tls.key /etc/etcd/tls/ca.crt fallthrough - name: forward parameters: . 1.1.1.1 8.8.8.8 - - name: loop - - name: reload + - name: ready - name: prometheus parameters: 0.0.0.0:9153 + - name: cache + parameters: 30 + - name: loop + - name: reload + - name: loadbalance diff --git a/kustomize/dns/coredns/etcd/patches/patch.yaml b/kustomize/dns/coredns/etcd/patches/patch.yaml deleted file mode 100644 index f99092b3..00000000 --- a/kustomize/dns/coredns/etcd/patches/patch.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- op: add - path: /spec/dependsOn/- - value: - name: etcd-coredns - namespace: system-dns -- op: add - path: /spec/values/extraVolumes/- - value: - name: etcd-client-tls - secret: - secretName: etcd-client-tls -- op: add - path: /spec/values/extraVolumeMounts/- - value: - name: etcd-client-tls - mountPath: /etc/coredns/tls - readOnly: true diff --git a/kustomize/dns/coredns/etcd/rbac.yaml b/kustomize/dns/coredns/etcd/rbac.yaml new file mode 100644 index 00000000..2810fcb8 --- /dev/null +++ b/kustomize/dns/coredns/etcd/rbac.yaml 
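Review bot: The rewritten `endpoint` line hardcodes `cluster.local` while certificates.yaml and the external-dns patch in this same commit derive the host from `${CLUSTER_DOMAIN:-cluster.local}`; on a cluster with a non-default domain the CoreDNS etcd client would dial a name that neither resolves nor matches the certificate SANs. If Flux substitution is applied to this patch as it is to certificates.yaml, `endpoint etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379` keeps the three in step. Separately, dropping the `log` plugin removes per-query logging, which is the only query-level audit trail for this zone; if that is intentional, a one-line comment saying so would help the next reader. The order of plugins inside a Corefile server block does not change CoreDNS's execution order, so moving `ready` is cosmetic.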
@@ -0,0 +1,33 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: etcd + namespace: system-dns +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: etcd + namespace: system-dns +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: etcd + namespace: system-dns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: etcd +subjects: +- kind: ServiceAccount + name: etcd + namespace: system-dns diff --git a/kustomize/dns/coredns/etcd/service.yaml b/kustomize/dns/coredns/etcd/service.yaml new file mode 100644 index 00000000..ed73c7bf --- /dev/null +++ b/kustomize/dns/coredns/etcd/service.yaml @@ -0,0 +1,43 @@ +apiVersion: v1 +kind: Service +metadata: + name: etcd + namespace: system-dns + labels: + app: etcd +spec: + type: ClusterIP + clusterIP: None + ports: + - name: client + port: 2379 + targetPort: 2379 + protocol: TCP + - name: peer + port: 2380 + targetPort: 2380 + protocol: TCP + selector: + app: etcd +--- +apiVersion: v1 +kind: Service +metadata: + name: etcd-headless + namespace: system-dns + labels: + app: etcd +spec: + type: ClusterIP + clusterIP: None + ports: + - name: client + port: 2379 + targetPort: 2379 + protocol: TCP + - name: peer + port: 2380 + targetPort: 2380 + protocol: TCP + selector: + app: etcd diff --git a/kustomize/dns/coredns/etcd/statefulset.yaml b/kustomize/dns/coredns/etcd/statefulset.yaml new file mode 100644 index 00000000..4bf42020 --- /dev/null +++ b/kustomize/dns/coredns/etcd/statefulset.yaml 
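Review bot: The Role grants the etcd ServiceAccount get/list/watch on every Secret and ConfigMap in system-dns, yet nothing in the StatefulSet introduced by this commit talks to the Kubernetes API — the TLS material arrives as a mounted volume and the container runs the bare etcd binary with flags only. That turns the token projected into the pod into a read capability over all of the namespace's secrets (including the etcd and CoreDNS client keys) for no functional gain. Unless an API consumer is planned, drop the Role and RoleBinding and keep only the ServiceAccount with `automountServiceAccountToken: false` (or set the same field on the pod spec) so no token is mounted at all.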
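Review bot: The two Services are identical apart from their names: both carry `clusterIP: None`, the same selector and the same ports, so `etcd` is already headless and `etcd-headless` adds nothing except two extra dnsNames in certificates.yaml. Either `etcd` is meant to be the stable ClusterIP that CoreDNS and external-dns dial, in which case its `clusterIP: None` line should go, or `etcd-headless` should be removed together with its SAN entries. As written, `etcd.system-dns.svc` resolves straight to pod IPs, which works with one replica but gives clients no virtual IP to fall back on while the pod restarts.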
@@ -0,0 +1,121 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: etcd + namespace: system-dns + labels: + app: etcd +spec: + serviceName: etcd + replicas: 1 + podManagementPolicy: Parallel + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: etcd + template: + metadata: + labels: + app: etcd + spec: + securityContext: + fsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + serviceAccountName: etcd + containers: + - name: etcd + # renovate: datasource=docker depName=quay.io/coreos/etcd package=quay.io/coreos/etcd + image: quay.io/coreos/etcd:v3.6.5 + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + capabilities: + drop: + - ALL + ports: + - name: client + containerPort: 2379 + protocol: TCP + - name: peer + containerPort: 2380 + protocol: TCP + command: + - /usr/local/bin/etcd + args: + - --name=etcd-0 + - --data-dir=/var/lib/etcd + - --listen-client-urls=https://0.0.0.0:2379 + - --advertise-client-urls=https://etcd-0.etcd:2379 + - --listen-peer-urls=https://0.0.0.0:2380 + - --initial-advertise-peer-urls=https://etcd-0.etcd:2380 + - --initial-cluster=etcd-0=https://etcd-0.etcd:2380 + - --initial-cluster-state=new + - --initial-cluster-token=etcd-cluster-1 + - --client-cert-auth + - --trusted-ca-file=/etc/etcd/tls/ca.crt + - --cert-file=/etc/etcd/tls/tls.crt + - --key-file=/etc/etcd/tls/tls.key + - --peer-client-cert-auth + - --peer-trusted-ca-file=/etc/etcd/tls/ca.crt + - --peer-cert-file=/etc/etcd/tls/tls.crt + - --peer-key-file=/etc/etcd/tls/tls.key + - --auto-compaction-retention=1 + - --quota-backend-bytes=8589934592 + - --max-request-bytes=33554432 + - --grpc-keepalive-min-time=5s + - --grpc-keepalive-interval=2h + - --grpc-keepalive-timeout=20s + - --enable-grpc-gateway + env: [] + livenessProbe: + tcpSocket: + port: 2379 + initialDelaySeconds: 60 + periodSeconds: 10 + 
timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + tcpSocket: + port: 2379 + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + resources: + requests: + cpu: 200m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + volumeMounts: + - name: etcd-data + mountPath: /var/lib/etcd + - name: etcd-tls + mountPath: /etc/etcd/tls + readOnly: true + - name: tmp + mountPath: /tmp + volumes: + - name: etcd-tls + secret: + secretName: etcd-server-tls + - name: tmp + emptyDir: {} + volumeClaimTemplates: + - metadata: + name: etcd-data + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 1Gi diff --git a/kustomize/dns/external-dns/coredns/patches/helm-release.yaml b/kustomize/dns/external-dns/coredns/patches/helm-release.yaml index 1f256c16..a6b31b06 100644 --- a/kustomize/dns/external-dns/coredns/patches/helm-release.yaml +++ b/kustomize/dns/external-dns/coredns/patches/helm-release.yaml @@ -1,8 +1,3 @@ -- op: add - path: /spec/dependsOn/- - value: - name: etcd-coredns - namespace: system-dns - op: add path: /spec/values/provider value: @@ -11,7 +6,7 @@ path: /spec/values/env/- value: name: ETCD_URLS - value: https://etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379 + value: https://etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379 - op: add path: /spec/values/env/- value: @@ -31,7 +26,7 @@ path: /spec/values/env/- value: name: ETCD_TLS_SERVER_NAME - value: etcd-coredns.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local} + value: etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local} - op: add path: /spec/values/extraVolumes/- value: From 5423bb9ce251e9aa3a5df6c7ae2bbed805fb83e8 Mon Sep 17 00:00:00 2001 From: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com> Date: Wed, 29 Oct 2025 21:35:26 -0400 Subject: [PATCH 2/2] optimize etcd config for coredns 
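Review bot: The peer listener is served from the server certificate: `--peer-cert-file`, `--peer-key-file` and `--peer-trusted-ca-file` all point into /etc/etcd/tls, which is the `etcd-server-tls` secret, so the `etcd-peer` certificate issued in certificates.yaml is never mounted and the peer/server split the issuer is asked to make is not actually enforced. Related, `--advertise-client-urls` and `--initial-advertise-peer-urls` use the bare `etcd-0.etcd` host, which none of the dnsNames in certificates.yaml (`etcd.…`, `*.etcd.system-dns.svc.…`) covers; with one replica no peer ever verifies it, but anything that consumes the advertised member URLs will fail name matching once replicas or endpoint syncing are added. Mounting the peer secret separately and advertising the FQDN form keeps the certificates usable as issued, assuming the `${CLUSTER_DOMAIN:-cluster.local}` substitution reaches this file as it does certificates.yaml; the probes and volumeClaimTemplates are unchanged.
```yaml
        args:
          # … unchanged: --name, --data-dir, --listen-client-urls …
          - --advertise-client-urls=https://etcd-0.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2379
          # … unchanged: --listen-peer-urls …
          - --initial-advertise-peer-urls=https://etcd-0.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2380
          - --initial-cluster=etcd-0=https://etcd-0.etcd.system-dns.svc.${CLUSTER_DOMAIN:-cluster.local}:2380
          # … unchanged: --initial-cluster-state, --initial-cluster-token, client TLS flags …
          - --peer-client-cert-auth
          - --peer-trusted-ca-file=/etc/etcd/peer-tls/ca.crt
          - --peer-cert-file=/etc/etcd/peer-tls/tls.crt
          - --peer-key-file=/etc/etcd/peer-tls/tls.key
          # … unchanged: compaction, quota and keepalive flags …
        # … unchanged: env, probes, resources …
        volumeMounts:
          # … unchanged: etcd-data and etcd-tls mounts …
          - name: etcd-peer-tls
            mountPath: /etc/etcd/peer-tls
            readOnly: true
          # … unchanged: tmp mount …
      volumes:
        # … unchanged: etcd-tls (etcd-server-tls) …
        - name: etcd-peer-tls
          secret:
            secretName: etcd-peer-tls
        # … unchanged: tmp emptyDir, volumeClaimTemplates …
```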
Signed-off-by: Ryan VanGundy <85766511+rmvangun@users.noreply.github.com> --- .../dns/coredns/etcd/ha/kustomization.yaml | 7 ------ .../etcd/ha/patches/statefulset-patch.yaml | 24 ------------------- .../coredns/etcd/ha/statefulset-patch.yaml | 24 ------------------- kustomize/dns/coredns/etcd/statefulset.yaml | 15 ++++-------- 4 files changed, 4 insertions(+), 66 deletions(-) delete mode 100644 kustomize/dns/coredns/etcd/ha/kustomization.yaml delete mode 100644 kustomize/dns/coredns/etcd/ha/patches/statefulset-patch.yaml delete mode 100644 kustomize/dns/coredns/etcd/ha/statefulset-patch.yaml diff --git a/kustomize/dns/coredns/etcd/ha/kustomization.yaml b/kustomize/dns/coredns/etcd/ha/kustomization.yaml deleted file mode 100644 index 9357c159..00000000 --- a/kustomize/dns/coredns/etcd/ha/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1alpha1 -kind: Component -patches: - - path: patches/statefulset-patch.yaml - target: - kind: StatefulSet - name: etcd diff --git a/kustomize/dns/coredns/etcd/ha/patches/statefulset-patch.yaml b/kustomize/dns/coredns/etcd/ha/patches/statefulset-patch.yaml deleted file mode 100644 index aed053e5..00000000 --- a/kustomize/dns/coredns/etcd/ha/patches/statefulset-patch.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: etcd - namespace: system-dns -spec: - replicas: 3 - template: - spec: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - etcd - topologyKey: kubernetes.io/hostname - containers: - - name: etcd - env: - - name: ETCD_INITIAL_CLUSTER - value: "etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380" diff --git a/kustomize/dns/coredns/etcd/ha/statefulset-patch.yaml b/kustomize/dns/coredns/etcd/ha/statefulset-patch.yaml deleted file mode 100644 index aed053e5..00000000 
--- a/kustomize/dns/coredns/etcd/ha/statefulset-patch.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: etcd - namespace: system-dns -spec: - replicas: 3 - template: - spec: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - etcd - topologyKey: kubernetes.io/hostname - containers: - - name: etcd - env: - - name: ETCD_INITIAL_CLUSTER - value: "etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380" diff --git a/kustomize/dns/coredns/etcd/statefulset.yaml b/kustomize/dns/coredns/etcd/statefulset.yaml index 4bf42020..2a424f96 100644 --- a/kustomize/dns/coredns/etcd/statefulset.yaml +++ b/kustomize/dns/coredns/etcd/statefulset.yaml @@ -57,7 +57,6 @@ spec: - --initial-advertise-peer-urls=https://etcd-0.etcd:2380 - --initial-cluster=etcd-0=https://etcd-0.etcd:2380 - --initial-cluster-state=new - - --initial-cluster-token=etcd-cluster-1 - --client-cert-auth - --trusted-ca-file=/etc/etcd/tls/ca.crt - --cert-file=/etc/etcd/tls/tls.crt @@ -66,13 +65,8 @@ spec: - --peer-trusted-ca-file=/etc/etcd/tls/ca.crt - --peer-cert-file=/etc/etcd/tls/tls.crt - --peer-key-file=/etc/etcd/tls/tls.key - - --auto-compaction-retention=1 - - --quota-backend-bytes=8589934592 - - --max-request-bytes=33554432 - - --grpc-keepalive-min-time=5s - - --grpc-keepalive-interval=2h - - --grpc-keepalive-timeout=20s - - --enable-grpc-gateway + - --auto-compaction-retention=24h + - --quota-backend-bytes=1073741824 env: [] livenessProbe: tcpSocket: @@ -92,11 +86,10 @@ spec: failureThreshold: 3 resources: requests: - cpu: 200m + cpu: 100m memory: 256Mi limits: - cpu: 500m - memory: 512Mi + memory: 256Mi volumeMounts: - name: etcd-data mountPath: /var/lib/etcd
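Review bot: `--quota-backend-bytes=1073741824` now equals the 1Gi `storage` request of the etcd-data volumeClaimTemplate (added in PATCH 1/2, outside this hunk), but the backend db is not the only thing on that volume: WAL segments and snapshots share /var/lib/etcd, so the disk can fill before the quota trips, and a full data disk is handled far less gracefully than the controlled NOSPACE alarm the quota exists to raise. Keep the quota well under the claim, e.g. `- --quota-backend-bytes=536870912`, or raise the claim to a few Gi. In the resources hunk the memory limit now equals the 256Mi request with no CPU limit, which is a reasonable shape, but with a backend allowed to grow toward 1GiB it is worth confirming under load that the 256Mi ceiling is not reached, since it is now the only guard. Dropping `--initial-cluster-token` is fine for a single member.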