okd/roles/openshift_master/templates/master.yaml.v1.j2

admissionConfig:
{% if 'admission_plugin_config' in openshift.master %}
  pluginConfig:{{ openshift.master.admission_plugin_config | to_padded_yaml(level=2) }}
{% endif %}
apiLevels:
- v1
apiVersion: v1
assetConfig:
  logoutURL: "{{ openshift.master.logout_url | default('') }}"
  masterPublicURL: {{ openshift.master.public_api_url }}
  publicURL: {{ openshift.master.public_console_url }}/
{% if 'logging_public_url' in openshift.master %}
  loggingPublicURL: {{ openshift.master.logging_public_url }}
{% endif %}
{% if openshift_hosted_metrics_deploy_url is defined %}
  metricsPublicURL: {{ openshift_hosted_metrics_deploy_url }}
{% endif %}
{% if 'extension_scripts' in openshift.master %}
  extensionScripts: {{ openshift.master.extension_scripts | to_padded_yaml(1, 2) }}
{% endif %}
{% if 'extension_stylesheets' in openshift.master %}
  extensionStylesheets: {{ openshift.master.extension_stylesheets | to_padded_yaml(1, 2) }}
{% endif %}
{% if 'extensions' in openshift.master %}
  extensions: {{ openshift.master.extensions | to_padded_yaml(1, 2) }}
{% endif %}
  servingInfo:
    bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.console_port }}
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
{% if openshift_master_min_tls_version is defined %}
    minTLSVersion: {{ openshift_master_min_tls_version }}
{% endif %}
{% if openshift_master_cipher_suites is defined %}
    cipherSuites:
{% for cipher_suite in openshift_master_cipher_suites %}
    - {{ cipher_suite }}
{% endfor %}
{% endif %}
{% if openshift.master.audit_config | default(none) is not none %}
auditConfig:{{ openshift.master.audit_config | to_padded_yaml(level=1) }}
{% endif %}
controllerConfig:
  election:
    lockName: openshift-master-controllers
  serviceServingCert:
    signer:
      certFile: service-signer.crt
      keyFile: service-signer.key
controllers: '*'
corsAllowedOrigins:
  # anchor with start (\A) and end (\z) of the string, make the check case insensitive ((?i)) and escape hostname
{% for origin in ['127.0.0.1', 'localhost', openshift.common.ip, openshift.common.public_ip] | union(openshift.common.all_hostnames) | unique %}
  - (?i)//{{ origin | regex_escape() }}(:|\z)
{% endfor %}
{% for custom_origin in openshift.master.custom_cors_origins | default("") %}
  - (?i)//{{ custom_origin | regex_escape() }}(:|\z)
{% endfor %}
{% if 'disabled_features' in openshift.master %}
disabledFeatures: {{ openshift.master.disabled_features | to_json }}
{% endif %}
{% if openshift.master.embedded_dns | bool %}
dnsConfig:
  bindAddress: {{ openshift.master.bind_addr }}:{{ openshift_master_dns_port }}
  bindNetwork: tcp4
{% endif %}
etcdClientInfo:
  ca: {{ "ca-bundle.crt" if (openshift.master.embedded_etcd | bool) else "master.etcd-ca.crt" }}
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
  urls:
{% for etcd_url in openshift.master.etcd_urls %}
    - {{ etcd_url }}
{% endfor %}
{% if openshift.master.embedded_etcd | bool %}
etcdConfig:
  address: {{ openshift.common.hostname }}:{{ openshift.master.etcd_port }}
  peerAddress: {{ openshift.common.hostname }}:7001
  peerServingInfo:
    bindAddress: {{ openshift.master.bind_addr }}:7001
    certFile: etcd.server.crt
    clientCA: ca-bundle.crt
    keyFile: etcd.server.key
  servingInfo:
    bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.etcd_port }}
    certFile: etcd.server.crt
    clientCA: ca-bundle.crt
    keyFile: etcd.server.key
  storageDirectory: {{ r_openshift_master_data_dir }}/openshift.local.etcd
{% endif %}
etcdStorageConfig:
  kubernetesStoragePrefix: kubernetes.io
  kubernetesStorageVersion: v1
  openShiftStoragePrefix: openshift.io
  openShiftStorageVersion: v1
imageConfig:
  format: {{ openshift.master.registry_url }}
  latest: {{ openshift_master_image_config_latest }}
{% if 'image_policy_config' in openshift.master %}
imagePolicyConfig:{{ openshift.master.image_policy_config | to_padded_yaml(level=1) }}
{% endif %}
kind: MasterConfig
kubeletClientInfo:
{# TODO: allow user specified kubelet port #}
  ca: ca-bundle.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250
{% if openshift.master.embedded_kube | bool %}
kubernetesMasterConfig:
  apiServerArguments: {{ openshift.master.api_server_args | default(None) | to_padded_yaml( level=2 ) }}
{% if r_openshift_master_etcd3_storage or ( r_openshift_master_clean_install and openshift.common.version_gte_3_6 ) %}
    storage-backend:
    - etcd3
    storage-media-type:
    - application/vnd.kubernetes.protobuf
{% endif %}
  controllerArguments: {{ openshift.master.controller_args | default(None) | to_padded_yaml( level=2 ) }}
  masterCount: {{ openshift.master.master_count if openshift.master.cluster_method | default(None) == 'native' else 1 }}
  masterIP: {{ openshift.common.ip }}
  podEvictionTimeout: {{ openshift.master.pod_eviction_timeout | default("") }}
  proxyClientInfo:
    certFile: master.proxy-client.crt
    keyFile: master.proxy-client.key
  schedulerArguments: {{ openshift_master_scheduler_args | default(None) | to_padded_yaml( level=3 ) }}
  schedulerConfigFile: {{ openshift_master_scheduler_conf }}
  servicesNodePortRange: "{{ openshift_node_port_range | default("") }}"
  servicesSubnet: {{ openshift.common.portal_net }}
  staticNodeNames: {{ openshift_node_ips | default([], true) }}
{% endif %}
masterClients:
{# TODO: allow user to set externalKubernetesKubeConfig #}
  externalKubernetesClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    contentType: application/vnd.kubernetes.protobuf
    burst: {{ openshift_master_external_ratelimit_burst | default(400) }}
    qps: {{ openshift_master_external_ratelimit_qps | default(200) }}
  externalKubernetesKubeConfig: ""
  openshiftLoopbackClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    contentType: application/vnd.kubernetes.protobuf
    burst: {{ openshift_master_loopback_ratelimit_burst | default(600) }}
    qps: {{ openshift_master_loopback_ratelimit_qps | default(300) }}
  openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: {{ openshift.master.public_api_url }}
networkConfig:
  clusterNetworkCIDR: {{ openshift.master.sdn_cluster_network_cidr }}
  hostSubnetLength: {{ openshift.master.sdn_host_subnet_length }}
{% if openshift.common.version_gte_3_7 | bool %}
  clusterNetworks:
  - cidr: {{ openshift.master.sdn_cluster_network_cidr }}
    hostSubnetLength: {{ openshift.master.sdn_host_subnet_length }}
{% endif %}
{% if r_openshift_master_use_openshift_sdn or r_openshift_master_use_nuage or r_openshift_master_use_contiv or r_openshift_master_use_kuryr or r_openshift_master_sdn_network_plugin_name == 'cni' %}
  networkPluginName: {{ r_openshift_master_sdn_network_plugin_name_default }}
{% endif %}
# serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
  serviceNetworkCIDR: {{ openshift.common.portal_net }}
  externalIPNetworkCIDRs: {{ openshift_master_external_ip_network_cidrs | default(["0.0.0.0/0"]) | to_padded_yaml(1,2) }}
{% if openshift_master_ingress_ip_network_cidr is defined %}
  ingressIPNetworkCIDR: {{ openshift_master_ingress_ip_network_cidr }}
{% endif %}
oauthConfig:
{% if 'oauth_always_show_provider_selection' in openshift.master %}
  alwaysShowProviderSelection: {{ openshift.master.oauth_always_show_provider_selection }}
{% endif %}
{% if 'oauth_templates' in openshift.master %}
  templates:{{ openshift.master.oauth_templates | to_padded_yaml(level=2) }}
{% endif %}
  assetPublicURL: {{ openshift.master.public_console_url }}/
  grantConfig:
    method: {{ openshift.master.oauth_grant_method }}
  identityProviders:
{% for line in translated_identity_providers.splitlines() %}
  {{ line }}
{% endfor %}
  masterCA: ca-bundle.crt
  masterPublicURL: {{ openshift.master.public_api_url }}
  masterURL: {{ openshift.master.api_url }}
  sessionConfig:
    sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }}
    sessionName: {{ openshift.master.session_name }}
{% if openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined %}
    sessionSecretsFile: {{ openshift.master.session_secrets_file }}
{% endif %}
  tokenConfig:
    accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }}
    authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }}
pauseControllers: false
policyConfig:
  bootstrapPolicyFile: {{ openshift_master_policy }}
  openshiftInfrastructureNamespace: openshift-infra
  openshiftSharedResourcesNamespace: openshift
projectConfig:
  defaultNodeSelector: "{{ openshift.master.default_node_selector }}"
  projectRequestMessage: "{{ openshift.master.project_request_message }}"
  projectRequestTemplate: "{{ openshift.master.project_request_template }}"
  securityAllocator:
    mcsAllocatorRange: "{{ openshift.master.mcs_allocator_range }}"
    mcsLabelsPerProject: {{ openshift.master.mcs_labels_per_project }}
    uidAllocatorRange: "{{ openshift.master.uid_allocator_range  }}"
routingConfig:
  subdomain:  "{{ openshift_master_default_subdomain | default("") }}"
serviceAccountConfig:
  limitSecretReferences: {{ openshift_master_saconfig_limitsecretreferences | default(false) }}
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
servingInfo:
  bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.api_port }}
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: {{ openshift.master.max_requests_inflight }}
  requestTimeoutSeconds: 3600
{% if openshift.master.named_certificates | default([]) | length > 0 %}
  namedCertificates:
{% for named_certificate in openshift.master.named_certificates %}
  - certFile: {{ named_certificate['certfile'] }}
    keyFile: {{ named_certificate['keyfile'] }}
    names:
{% for name in named_certificate['names'] %}
    - "{{ name }}"
{% endfor %}
{% endfor %}
{% endif %}
{% if openshift_master_min_tls_version is defined %}
  minTLSVersion: {{ openshift_master_min_tls_version }}
{% endif %}
{% if openshift_master_cipher_suites is defined %}
  cipherSuites:
{% for cipher_suite in openshift_master_cipher_suites %}
  - {{ cipher_suite }}
{% endfor %}
{% endif %}
volumeConfig:
  dynamicProvisioningEnabled: {{ openshift.master.dynamic_provisioning_enabled }}