fix: improved crd handling, version bumps of network, new HAProxy support, argocd auth fix
This commit is contained in:
parent
916c8a0c02
commit
2acfa302b4
@ -109,11 +109,18 @@ function delete_ns() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Extract crds via helm calls and apply delta=crds only
|
# Extract crds via helm calls
|
||||||
function _crds() {
|
function _crds() {
|
||||||
helm secrets --evaluate-templates template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --skip-crds --set ${module}.installCRDs=false -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION > $WORKDIR/helm-no-crds.yaml
|
helm secrets --evaluate-templates template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds --set ${module}.installCRDs=true -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ | python3 -c '
|
||||||
helm secrets --evaluate-templates template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds --set ${module}.installCRDs=true -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION > $WORKDIR/helm-crds.yaml
|
#!/usr/bin/python3
|
||||||
diff -e $WORKDIR/helm-no-crds.yaml $WORKDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $WORKDIR/crds.yaml
|
import yaml
|
||||||
|
import sys
|
||||||
|
|
||||||
|
for manifest in yaml.safe_load_all(sys.stdin):
|
||||||
|
if manifest:
|
||||||
|
if "kind" in manifest and manifest["kind"] == "CustomResourceDefinition":
|
||||||
|
print("---")
|
||||||
|
print(yaml.dump(manifest))' > $WORKDIR/crds.yaml
|
||||||
|
|
||||||
# Only apply if there are actually any crds
|
# Only apply if there are actually any crds
|
||||||
if [ -s $WORKDIR/crds.yaml ]; then
|
if [ -s $WORKDIR/crds.yaml ]; then
|
||||||
@ -134,6 +141,8 @@ import sys
|
|||||||
|
|
||||||
for manifest in yaml.safe_load_all(sys.stdin):
|
for manifest in yaml.safe_load_all(sys.stdin):
|
||||||
if manifest:
|
if manifest:
|
||||||
|
if "kind" in manifest and manifest["kind"] == "CustomResourceDefinition":
|
||||||
|
continue
|
||||||
if "metadata" in manifest and "namespace" not in manifest["metadata"]:
|
if "metadata" in manifest and "namespace" not in manifest["metadata"]:
|
||||||
manifest["metadata"]["namespace"] = sys.argv[1]
|
manifest["metadata"]["namespace"] = sys.argv[1]
|
||||||
print("---")
|
print("---")
|
||||||
|
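Review bot: The exit status of the new `helm secrets … template … | python3 -c '…'` pipeline is python's, so a failing `helm secrets … template` (bad values, decryption error) yields an empty `crds.yaml`, the `[ -s … ]` test silently skips the CRD apply, and the later full apply fails on unknown kinds with no hint why; unless `pipefail` is already set outside the hunk, add `set -o pipefail` in the function or check `${PIPESTATUS[0]}` right after the pipeline. The trailing `$@` on the helm line should be `"$@"` so forwarded arguments containing spaces survive word splitting. Feeding the fully rendered output (including decrypted secrets) to the filter is acceptable since only `CustomResourceDefinition` documents are printed, but `yaml.dump` re-emits them with sorted keys, so expect the applied CRDs to differ textually from the chart's CRD files. The `_crds` function continues past the end of the hunk.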
@ -19,7 +19,7 @@ spec:
|
|||||||
{{- toYaml (index .Values "argo-cd" "istio" "ipBlocks") | nindent 8 }}
|
{{- toYaml (index .Values "argo-cd" "istio" "ipBlocks") | nindent 8 }}
|
||||||
to:
|
to:
|
||||||
- operation:
|
- operation:
|
||||||
hosts: [{{ index .Values "argo-cd" "configs" "cm" "url" | quote }}]
|
hosts: [{{ get (urlParse (index .Values "argo-cd" "configs" "cm" "url")) "host" }}]
|
||||||
when:
|
when:
|
||||||
- key: connection.sni
|
- key: connection.sni
|
||||||
values:
|
values:
|
||||||
|
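Review bot: The host extracted on the `hosts:` line is emitted unquoted and unchecked; if `argo-cd.configs.cm.url` is set without a scheme, sprig's `urlParse` returns an empty `host` and the rendered rule becomes `hosts: []`, which Istio treats as no host constraint rather than a render failure. Guard and quote it: `hosts: [{{ get (urlParse (index .Values "argo-cd" "configs" "cm" "url")) "host" | required "argo-cd.configs.cm.url must be an absolute URL" | quote }}]`. Note that `host` from `urlParse` keeps a `:port` suffix when the URL carries one, which may not match the Host value Istio evaluates. The enclosing AuthorizationPolicy starts and ends outside the hunk.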
72
charts/kubezero-istio-gateway/tests/httpbin.yaml
Normal file
72
charts/kubezero-istio-gateway/tests/httpbin.yaml
Normal file
@ -0,0 +1,72 @@
|
|||||||
|
# Copyright Istio Authors
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
##################################################################################################
|
||||||
|
# httpbin service
|
||||||
|
##################################################################################################
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: httpbin
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: httpbin
|
||||||
|
labels:
|
||||||
|
app: httpbin
|
||||||
|
service: httpbin
|
||||||
|
spec:
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
port: 8000
|
||||||
|
targetPort: 8080
|
||||||
|
selector:
|
||||||
|
app: httpbin
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: httpbin
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: httpbin
|
||||||
|
version: v1
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: httpbin
|
||||||
|
version: v1
|
||||||
|
spec:
|
||||||
|
serviceAccountName: httpbin
|
||||||
|
containers:
|
||||||
|
- image: docker.io/kong/httpbin
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
name: httpbin
|
||||||
|
# Same as found in Dockerfile's CMD but using an unprivileged port
|
||||||
|
command:
|
||||||
|
- gunicorn
|
||||||
|
- -b
|
||||||
|
- 0.0.0.0:8080
|
||||||
|
- httpbin:app
|
||||||
|
- -k
|
||||||
|
- gevent
|
||||||
|
env:
|
||||||
|
# Tells pipenv to use a writable directory instead of $HOME
|
||||||
|
- name: WORKON_HOME
|
||||||
|
value: /tmp
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
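Review bot: The httpbin container on the `- image: docker.io/kong/httpbin` line has no tag or digest and no `securityContext`, while the chart workloads added in this same commit default to `runAsNonRoot`, dropped capabilities and `RuntimeDefault` seccomp; in a namespace enforcing the restricted Pod Security Standard this test pod would be rejected, and an unpinned image makes the test non-reproducible. Pin the image to a tag or digest and add a container securityContext; the command already binds the unprivileged port 8080, so no capabilities are needed. `runAsNonRoot: true` can be added too if the image's default user is not root, which is not visible here.
```yaml
        - image: docker.io/kong/httpbin
          # … unchanged: imagePullPolicy, name, command, env, ports …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```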
15
charts/kubezero-istio-gateway/tests/virtualservice.yaml
Normal file
15
charts/kubezero-istio-gateway/tests/virtualservice.yaml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: VirtualService
|
||||||
|
metadata:
|
||||||
|
name: httpbin
|
||||||
|
spec:
|
||||||
|
hosts:
|
||||||
|
- "httpbin.example.com"
|
||||||
|
gateways:
|
||||||
|
- istio-ingress/ingressgateway
|
||||||
|
http:
|
||||||
|
- route:
|
||||||
|
- destination:
|
||||||
|
port:
|
||||||
|
number: 8000
|
||||||
|
host: httpbin
|
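Review bot: `apiVersion: networking.istio.io/v1alpha3` on the first line is the oldest Istio networking API version; current Istio releases serve `v1beta1` and `v1` for VirtualService and v1alpha3 is deprecated, so whether it still renders depends on the Istio version the chart pins, which is not visible here. Prefer `apiVersion: networking.istio.io/v1beta1` to match what the gateway chart's own templates are likely to use. The fixture host `httpbin.example.com` and gateway `istio-ingress/ingressgateway` are fine for a test.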
@ -59,8 +59,52 @@ Kubernetes: `>= 1.26.0`
|
|||||||
| cilium.resources.limits.memory | string | `"1024Mi"` | |
|
| cilium.resources.limits.memory | string | `"1024Mi"` | |
|
||||||
| cilium.resources.requests.cpu | string | `"10m"` | |
|
| cilium.resources.requests.cpu | string | `"10m"` | |
|
||||||
| cilium.resources.requests.memory | string | `"256Mi"` | |
|
| cilium.resources.requests.memory | string | `"256Mi"` | |
|
||||||
|
| cilium.routingMode | string | `"tunnel"` | |
|
||||||
| cilium.tunnelProtocol | string | `"geneve"` | |
|
| cilium.tunnelProtocol | string | `"geneve"` | |
|
||||||
|
| haproxy.PodDisruptionBudget.enable | bool | `false` | |
|
||||||
|
| haproxy.PodDisruptionBudget.minAvailable | int | `1` | |
|
||||||
|
| haproxy.args.defaults[0] | string | `"-f"` | |
|
||||||
|
| haproxy.args.defaults[1] | string | `"/usr/local/etc/haproxy/includes/global.cfg"` | |
|
||||||
|
| haproxy.args.defaults[2] | string | `"-f"` | |
|
||||||
|
| haproxy.args.defaults[3] | string | `"/usr/local/etc/haproxy/includes/prometheus.cfg"` | |
|
||||||
|
| haproxy.args.defaults[4] | string | `"-f"` | |
|
||||||
|
| haproxy.args.defaults[5] | string | `"/usr/local/etc/haproxy/haproxy.cfg"` | |
|
||||||
|
| haproxy.config | string | `"frontend fe_main\n bind :8080\n default_backend be_main\n\nbackend be_main\n server web1 10.0.0.1:8080 check\n"` | |
|
||||||
|
| haproxy.containerPorts.http | int | `8080` | |
|
||||||
|
| haproxy.containerPorts.https | string | `nil` | |
|
||||||
|
| haproxy.containerPorts.prometheus | int | `8404` | |
|
||||||
|
| haproxy.containerPorts.stat | string | `nil` | |
|
||||||
| haproxy.enabled | bool | `false` | |
|
| haproxy.enabled | bool | `false` | |
|
||||||
|
| haproxy.includes."global.cfg" | string | `"global\n log stdout format raw local0\n maxconn 2048\n\ndefaults\n log global\n mode tcp\n option http-server-close\n timeout connect 10s\n timeout client 30s\n timeout client-fin 30s\n timeout server 30s\n timeout tunnel 1h\n\nresolvers coredns\n accepted_payload_size 4096\n parse-resolv-conf\n hold valid 10s\n hold other 10s\n hold refused 10s\n hold nx 10s\n hold timeout 10s\n"` | |
|
||||||
|
| haproxy.includes."prometheus.cfg" | string | `"frontend prometheus\n bind *:8404\n mode http\n http-request use-service prometheus-exporter if { path /metrics }\n no log\n stats enable\n stats uri /stats\n stats refresh 10s\n stats auth admin:letmein\n"` | |
|
||||||
|
| haproxy.livenessProbe.failureThreshold | int | `3` | |
|
||||||
|
| haproxy.livenessProbe.initialDelaySeconds | int | `0` | |
|
||||||
|
| haproxy.livenessProbe.periodSeconds | int | `10` | |
|
||||||
|
| haproxy.livenessProbe.successThreshold | int | `1` | |
|
||||||
|
| haproxy.livenessProbe.tcpSocket.port | int | `8404` | |
|
||||||
|
| haproxy.livenessProbe.timeoutSeconds | int | `1` | |
|
||||||
|
| haproxy.readinessProbe.failureThreshold | int | `3` | |
|
||||||
|
| haproxy.readinessProbe.initialDelaySeconds | int | `0` | |
|
||||||
|
| haproxy.readinessProbe.periodSeconds | int | `10` | |
|
||||||
|
| haproxy.readinessProbe.successThreshold | int | `1` | |
|
||||||
|
| haproxy.readinessProbe.tcpSocket.port | int | `8404` | |
|
||||||
|
| haproxy.readinessProbe.timeoutSeconds | int | `1` | |
|
||||||
|
| haproxy.replicaCount | int | `1` | |
|
||||||
|
| haproxy.resources.requests.cpu | string | `"10m"` | |
|
||||||
|
| haproxy.resources.requests.memory | string | `"48Mi"` | |
|
||||||
|
| haproxy.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||||
|
| haproxy.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||||
|
| haproxy.securityContext.enabled | bool | `true` | |
|
||||||
|
| haproxy.securityContext.runAsGroup | int | `1000` | |
|
||||||
|
| haproxy.securityContext.runAsNonRoot | bool | `true` | |
|
||||||
|
| haproxy.securityContext.runAsUser | int | `1000` | |
|
||||||
|
| haproxy.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||||
|
| haproxy.serviceMonitor.enabled | bool | `false` | |
|
||||||
|
| haproxy.serviceMonitor.endpoints[0].interval | string | `"30s"` | |
|
||||||
|
| haproxy.serviceMonitor.endpoints[0].params.no-maint[0] | string | `"empty"` | |
|
||||||
|
| haproxy.serviceMonitor.endpoints[0].path | string | `"/metrics"` | |
|
||||||
|
| haproxy.serviceMonitor.endpoints[0].port | string | `"prometheus"` | |
|
||||||
|
| haproxy.serviceMonitor.endpoints[0].scheme | string | `"http"` | |
|
||||||
| metallb.controller.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| metallb.controller.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
| metallb.controller.tolerations[0].effect | string | `"NoSchedule"` | |
|
| metallb.controller.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| metallb.controller.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
| metallb.controller.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
|
10
charts/kubezero-network/haproxy-dashboards.yaml
Normal file
10
charts/kubezero-network/haproxy-dashboards.yaml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
configmap: haproxy-grafana-dashboards
|
||||||
|
gzip: true
|
||||||
|
condition: 'index .Values.haproxy.serviceMonitor.enabled'
|
||||||
|
folder: KubeZero
|
||||||
|
dashboards:
|
||||||
|
- name: HAProxy
|
||||||
|
url: https://grafana.com/api/dashboards/12693/revisions/8/download
|
||||||
|
tags:
|
||||||
|
- haproxy
|
||||||
|
- network
|
File diff suppressed because one or more lines are too long
@ -1,3 +1,4 @@
|
|||||||
|
{{- if .Values.multus.enabled }}
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
metadata:
|
metadata:
|
||||||
@ -42,3 +43,4 @@ spec:
|
|||||||
config:
|
config:
|
||||||
description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration'
|
description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration'
|
||||||
type: string
|
type: string
|
||||||
|
{{- end }}
|
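Review bot: Wrapping the NetworkAttachmentDefinition CRD in `{{- if .Values.multus.enabled }}` means that setting `multus.enabled` to false removes the CRD from the rendered manifests; if the deployment path prunes resources that are no longer rendered (ArgoCD with prune, or `kubectl apply --prune`), the CRD and every NetworkAttachmentDefinition object in the cluster are deleted with it. Consider keeping the CRD unconditional, or at least documenting the cascade next to the value with a comment such as `# disabling multus removes its CRD; existing NetworkAttachmentDefinitions are pruned with it`. Whether pruning is enabled is not visible in this hunk.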
@ -7,6 +7,7 @@ set -ex
|
|||||||
update_helm
|
update_helm
|
||||||
|
|
||||||
# Create ZDT dashboard configmap
|
# Create ZDT dashboard configmap
|
||||||
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
|
../kubezero-metrics/sync_grafana_dashboards.py cilium-dashboards.yaml templates/cilium-grafana-dashboards.yaml
|
||||||
|
../kubezero-metrics/sync_grafana_dashboards.py haproxy-dashboards.yaml templates/haproxy-grafana-dashboards.yaml
|
||||||
|
|
||||||
update_docs
|
update_docs
|
||||||
|
@ -113,3 +113,117 @@ cilium:
|
|||||||
|
|
||||||
haproxy:
|
haproxy:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
|
replicaCount: 1
|
||||||
|
|
||||||
|
# enable pdb if replica > 1
|
||||||
|
PodDisruptionBudget:
|
||||||
|
enable: false
|
||||||
|
minAvailable: 1
|
||||||
|
|
||||||
|
containerPorts:
|
||||||
|
http: 8080
|
||||||
|
https: null
|
||||||
|
prometheus: 8404
|
||||||
|
stat: null
|
||||||
|
|
||||||
|
serviceMonitor:
|
||||||
|
enabled: false
|
||||||
|
endpoints:
|
||||||
|
- port: prometheus
|
||||||
|
path: /metrics
|
||||||
|
scheme: http
|
||||||
|
interval: 30s
|
||||||
|
params:
|
||||||
|
no-maint:
|
||||||
|
- empty
|
||||||
|
config: |
|
||||||
|
frontend fe_main
|
||||||
|
bind :8080
|
||||||
|
default_backend be_main
|
||||||
|
|
||||||
|
backend be_main
|
||||||
|
server web1 10.0.0.1:8080 check
|
||||||
|
|
||||||
|
includes:
|
||||||
|
global.cfg: |
|
||||||
|
global
|
||||||
|
log stdout format raw local0
|
||||||
|
maxconn 2048
|
||||||
|
|
||||||
|
defaults
|
||||||
|
log global
|
||||||
|
mode tcp
|
||||||
|
option http-server-close
|
||||||
|
timeout connect 10s
|
||||||
|
timeout client 30s
|
||||||
|
timeout client-fin 30s
|
||||||
|
timeout server 30s
|
||||||
|
timeout tunnel 1h
|
||||||
|
|
||||||
|
resolvers coredns
|
||||||
|
accepted_payload_size 4096
|
||||||
|
parse-resolv-conf
|
||||||
|
hold valid 10s
|
||||||
|
hold other 10s
|
||||||
|
hold refused 10s
|
||||||
|
hold nx 10s
|
||||||
|
hold timeout 10s
|
||||||
|
|
||||||
|
prometheus.cfg: |
|
||||||
|
frontend prometheus
|
||||||
|
bind *:8404
|
||||||
|
mode http
|
||||||
|
http-request use-service prometheus-exporter if { path /metrics }
|
||||||
|
no log
|
||||||
|
stats enable
|
||||||
|
stats uri /stats
|
||||||
|
stats refresh 10s
|
||||||
|
stats auth admin:letmein
|
||||||
|
|
||||||
|
args:
|
||||||
|
defaults:
|
||||||
|
- "-f"
|
||||||
|
- "/usr/local/etc/haproxy/includes/global.cfg"
|
||||||
|
- "-f"
|
||||||
|
- "/usr/local/etc/haproxy/includes/prometheus.cfg"
|
||||||
|
- "-f"
|
||||||
|
- "/usr/local/etc/haproxy/haproxy.cfg"
|
||||||
|
|
||||||
|
livenessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
successThreshold: 1
|
||||||
|
initialDelaySeconds: 0
|
||||||
|
timeoutSeconds: 1
|
||||||
|
tcpSocket:
|
||||||
|
port: 8404
|
||||||
|
periodSeconds: 10
|
||||||
|
|
||||||
|
readinessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
successThreshold: 1
|
||||||
|
initialDelaySeconds: 0
|
||||||
|
timeoutSeconds: 1
|
||||||
|
tcpSocket:
|
||||||
|
port: 8404
|
||||||
|
periodSeconds: 10
|
||||||
|
|
||||||
|
securityContext:
|
||||||
|
enabled: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
runAsGroup: 1000
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 10m
|
||||||
|
memory: 48Mi
|
||||||
|
# limits:
|
||||||
|
# cpu: 250m
|
||||||
|
# memory: 128Mi
|
||||||
|
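Review bot: `stats auth admin:letmein` in the `prometheus.cfg` include ships a hard-coded default password for the HAProxy stats page in the chart's default values, and that frontend binds `*:8404`, the same port the serviceMonitor scrapes and the probes hit, so the page is reachable from anything that can reach the metrics port. The page is read-only here (no `stats admin`), but it still discloses backend names and addresses, and the credential is now also reproduced in the README values table. Drop `stats enable`, `stats uri /stats`, `stats refresh 10s` and `stats auth admin:letmein` from the defaults and keep only the `/metrics` service, leaving the stats page for operators to enable with a credential sourced from a Secret. Separately, `option http-server-close` under `defaults` with `mode tcp` is an HTTP-mode option and HAProxy is likely to ignore it with a startup warning, so either move to `mode http` where intended or remove the option.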