feat: migrate device-plugins and k8s-ecr-login-renew into kubezero-addons

This commit is contained in:
Stefan Reimer 2021-09-02 19:36:11 +02:00
parent fe46c756ae
commit 2da5044e10
8 changed files with 70 additions and 15 deletions

View File

@ -1,8 +0,0 @@
# Create IAM role for ECR read-only access
- Attach managed policy: `AmazonEC2ContainerRegistryReadOnly`
# Create secret for IAM user for ecr-renew
`kubectl create secret -n kube-system generic ecr-renew-cred --from-literal=AWS_REGION=<AWS_REGION> --from-literal=AWS_ACCESS_KEY_ID=<AWS_SECRET_ID> --from-literal=AWS_SECRET_ACCESS_KEY=<AWS_SECRET_KEY>
# Resources
- https://github.com/nabsul/k8s-ecr-login-renew

View File

@ -2,7 +2,7 @@ apiVersion: v2
name: kubezero-addons
description: KubeZero umbrella chart for various optional cluster addons
type: application
version: 0.0.1
version: 0.1.0
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:

View File

@ -1,6 +1,6 @@
# kubezero-addons
![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero umbrella chart for various optional cluster addons
@ -20,16 +20,32 @@ Kubernetes: `>= 1.18.0`
|------------|------|---------|
| https://metallb.github.io/metallb | metallb | 0.10.2 |
# MetalLB
# device-plugins
# k8s-ecr-login-renew
## IAM setup
- Create IAM user for ECR read-only access and attach the following managed policy: `AmazonEC2ContainerRegistryReadOnly`
- create AWS credentials for the IAM users
## Kubernetes secret
Create secret with the IAM user credential for ecr-renew to use, using the credentials from the previous step:
`kubectl create secret -n kube-system generic ecr-renew-cred --from-literal=AWS_REGION=<AWS_REGION> --from-literal=AWS_ACCESS_KEY_ID=<AWS_SECRET_ID> --from-literal=AWS_SECRET_ACCESS_KEY=<AWS_SECRET_KEY>`
## Resources
- https://github.com/nabsul/k8s-ecr-login-renew
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| fuseDevicePlugin.enabled | bool | `false` | |
| k8sEcrLoginRenew.enabled | bool | `false` | |
| metallb.configInline | object | `{}` | |
| metallb.controller.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| metallb.controller.tolerations[0].effect | string | `"NoSchedule"` | |
| metallb.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| metallb.enabled | bool | `true` | |
| metallb.enabled | bool | `false` | |
| metallb.psp.create | bool | `false` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)

View File

@ -0,0 +1,33 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
# MetalLB
# device-plugins
# k8s-ecr-login-renew
## IAM setup
- Create IAM user for ECR read-only access and attach the following managed policy: `AmazonEC2ContainerRegistryReadOnly`
- create AWS credentials for the IAM users
## Kubernetes secret
Create secret with the IAM user credential for ecr-renew to use, using the credentials from the previous step:
`kubectl create secret -n kube-system generic ecr-renew-cred --from-literal=AWS_REGION=<AWS_REGION> --from-literal=AWS_ACCESS_KEY_ID=<AWS_SECRET_ID> --from-literal=AWS_SECRET_ACCESS_KEY=<AWS_SECRET_KEY>`
## Resources
- https://github.com/nabsul/k8s-ecr-login-renew
{{ template "chart.valuesSection" . }}

View File

@ -1,3 +1,4 @@
{{- if .Values.fuseDevicePlugin.enabled }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
@ -28,3 +29,4 @@ spec:
- name: device-plugin
hostPath:
path: /var/lib/kubelet/device-plugins
{{- end }}

View File

@ -1,3 +1,4 @@
{{- if .Values.k8sEcrLoginRenew.enabled }}
apiVersion: batch/v1beta1
kind: CronJob
metadata:
@ -38,3 +39,4 @@ spec:
secretKeyRef:
name: ecr-renew-cred
key: AWS_SECRET_ACCESS_KEY
{{- end }}

View File

@ -1,9 +1,11 @@
{{- if .Values.k8sEcrLoginRenew.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: kube-system
name: ecr-renew
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@ -16,6 +18,7 @@ rules:
resources: ["namespaces"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@ -29,3 +32,4 @@ subjects:
- kind: ServiceAccount
name: ecr-renew
namespace: kube-system
{{- end }}

View File

@ -1,5 +1,5 @@
metallb:
enabled: true
enabled: false
psp:
create: false
@ -16,3 +16,9 @@ metallb:
# protocol: layer2
# addresses:
# - 192.168.42.0/24
fuseDevicePlugin:
enabled: false
k8sEcrLoginRenew:
enabled: false