wip: etcd: Deploy etcd

etcd/certificate.yaml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd
+spec:
+  secretName: etcd-cert
+  dnsNames:
+  - etcd.pyrocufflink.blue
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: dch-ca
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always

etcd/etcd.yaml

@@ -0,0 +1,116 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: etcd
+  labels: &labels
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: etcd
+spec:
+  type: NodePort
+  selector: *labels
+  ports:
+  - name: etcd
+    port: 2379
+    nodePort: 32379
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: etcd
+  labels: &labels
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: etcd
+spec:
+  replicas: 3
+  serviceName: etcd
+  podManagementPolicy: Parallel
+  selector:
+    matchLabels: *labels
+  template:
+    metadata:
+      labels: *labels
+    spec:
+      enableServiceLinks: false
+      containers:
+      - name: etcd
+        image: gcr.io/etcd-development/etcd:v3.5.15
+        command:
+        - etcd
+        args:
+        - --name=$(HOSTNAME)
+        - --listen-client-urls=https://0.0.0.0:2379
+        - --advertise-client-urls=https://0.0.0.0:32379
+        - --listen-peer-urls=https://0.0.0.0:2380
+        - --initial-advertise-peer-urls=https://$(POD_IP):2380
+        - --initial-cluster=etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380
+        - --initial-cluster-state=new
+        - --peer-auto-tls
+        - --client-cert-auth
+        - --cert-file=/run/secrets/etcd/certificate/tls.crt
+        - --key-file=/run/secrets/etcd/certificate/tls.key
+        - --trusted-ca-file=/run/dch-ca/dch-root-ca.crt
+        env:
+        - name: HOSTNAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        ports:
+        - name: etcd-client
+          containerPort: 2379
+        - name: etcd-peer
+          containerPort: 2380
+        readinessProbe: &probe
+          tcpSocket:
+            port: 2379
+          periodSeconds: 60
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
+        startupProbe:
+          <<: *probe
+          periodSeconds: 1
+          timeoutSeconds: 1
+          failureThreshold: 30
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/dch-ca
+          name: dch-ca
+          readOnly: true
+        - mountPath: /run/secrets/etcd/certificate
+          name: cert
+          readOnly: true
+        - mountPath: /var/lib/etcd
+          name: data
+          subPath: data
+      securityContext:
+        fsGroup: 2379
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 2379
+        runAsNonRoot: true
+        runAsUser: 2379
+      volumes:
+      - name: cert
+        secret:
+          secretName: etcd-cert
+          defaultMode: 0440
+      - name: dch-ca
+        configMap:
+          name: dch-root-ca
+  volumeClaimTemplates:
+  - apiVersion: v1
+    kind: PersistentVolumeClaim
+    metadata:
+      name: data
+      labels: *labels
+    spec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: 4G

etcd/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: etcd
+    app.kubernetes.io/part-of: etcd
+
+namespace: etcd
+
+resources:
+- namespace.yaml
+- certificate.yaml
+- etcd.yaml
+- ../dch-root-ca

etcd/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: etcd
+  labels:
+    app.kubernetes.io/name: etcd
+    app.kubernetes.io/component: etcd