Update of various components, new aroless bootstrap working
This commit is contained in:
parent
cd0e559678
commit
35b1570d18
@ -1 +0,0 @@
|
||||
../../helm-charts/charts/fluent-bit
|
@ -1,7 +1,7 @@
|
||||
apiVersion: v2
|
||||
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||
name: kubezero-argo-cd
|
||||
version: 0.6.0
|
||||
version: 0.6.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -15,6 +15,6 @@ dependencies:
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: argo-cd
|
||||
version: 2.9.3
|
||||
version: 2.9.5
|
||||
repository: https://argoproj.github.io/argo-helm
|
||||
kubeVersion: ">= 1.17.0"
|
||||
|
@ -12,7 +12,6 @@ spec:
|
||||
sourceRepos:
|
||||
- '*'
|
||||
|
||||
# Only permit applications to deploy to the guestbook namespace in the same cluster
|
||||
destinations:
|
||||
- namespace: argocd
|
||||
server: https://kubernetes.default.svc
|
||||
|
@ -31,7 +31,7 @@ argo-cd:
|
||||
|
||||
global:
|
||||
image:
|
||||
tag: v1.7.8
|
||||
tag: v1.7.10
|
||||
|
||||
controller:
|
||||
args:
|
||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-calico
|
||||
description: KubeZero Umbrella Chart for Calico
|
||||
type: application
|
||||
version: 0.2.0
|
||||
appVersion: v3.16.1
|
||||
version: 0.2.1
|
||||
appVersion: v3.16.5
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-calico
|
||||
|
||||
![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.1](https://img.shields.io/badge/AppVersion-v3.16.1-informational?style=flat-square)
|
||||
![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.5](https://img.shields.io/badge/AppVersion-v3.16.5-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Calico
|
||||
|
||||
@ -47,7 +47,6 @@ The setup is based on the upstream calico-vxlan config from
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| image.tag | string | `""` | |
|
||||
| installCRDs | bool | `false` | |
|
||||
| loglevel | string | `"Warning"` | |
|
||||
| mtu | int | `8941` | |
|
||||
| network | string | `"vxlan"` | |
|
||||
|
@ -1,101 +0,0 @@
|
||||
--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100
|
||||
+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100
|
||||
@@ -10,13 +10,13 @@
|
||||
# Typha is disabled.
|
||||
typha_service_name: "none"
|
||||
# Configure the backend to use.
|
||||
- calico_backend: "bird"
|
||||
+ calico_backend: "vxlan"
|
||||
# Configure the MTU to use for workload interfaces and tunnels.
|
||||
# - If Wireguard is enabled, set to your network MTU - 60
|
||||
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
|
||||
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
|
||||
# - Otherwise, if not using any encapsulation, set to your network MTU.
|
||||
- veth_mtu: "1410"
|
||||
+ veth_mtu: "8941"
|
||||
|
||||
# The CNI network configuration to install on each node. The special
|
||||
# values in this config will be automatically populated.
|
||||
@@ -3451,29 +3451,6 @@
|
||||
terminationGracePeriodSeconds: 0
|
||||
priorityClassName: system-node-critical
|
||||
initContainers:
|
||||
- # This container performs upgrade from host-local IPAM to calico-ipam.
|
||||
- # It can be deleted if this is a fresh installation, or if you have already
|
||||
- # upgraded to use calico-ipam.
|
||||
- - name: upgrade-ipam
|
||||
- image: calico/cni:v3.15.0
|
||||
- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
|
||||
- env:
|
||||
- - name: KUBERNETES_NODE_NAME
|
||||
- valueFrom:
|
||||
- fieldRef:
|
||||
- fieldPath: spec.nodeName
|
||||
- - name: CALICO_NETWORKING_BACKEND
|
||||
- valueFrom:
|
||||
- configMapKeyRef:
|
||||
- name: calico-config
|
||||
- key: calico_backend
|
||||
- volumeMounts:
|
||||
- - mountPath: /var/lib/cni/networks
|
||||
- name: host-local-net-dir
|
||||
- - mountPath: /host/opt/cni/bin
|
||||
- name: cni-bin-dir
|
||||
- securityContext:
|
||||
- privileged: true
|
||||
# This container installs the CNI binaries
|
||||
# and CNI network config file on each node.
|
||||
- name: install-cni
|
||||
@@ -3545,7 +3522,7 @@
|
||||
key: calico_backend
|
||||
# Cluster type to identify the deployment type
|
||||
- name: CLUSTER_TYPE
|
||||
- value: "k8s,bgp"
|
||||
+ value: "k8s,kubeadm"
|
||||
# Auto-detect the BGP IP address.
|
||||
- name: IP
|
||||
value: "autodetect"
|
||||
@@ -3554,7 +3531,7 @@
|
||||
value: "Never"
|
||||
# Enable or Disable VXLAN on the default IP pool.
|
||||
- name: CALICO_IPV4POOL_VXLAN
|
||||
- value: "CrossSubnet"
|
||||
+ value: "Always"
|
||||
# Set MTU for tunnel device used if ipip is enabled
|
||||
- name: FELIX_IPINIPMTU
|
||||
valueFrom:
|
||||
@@ -3595,9 +3572,17 @@
|
||||
value: "false"
|
||||
# Set Felix logging to "info"
|
||||
- name: FELIX_LOGSEVERITYSCREEN
|
||||
- value: "info"
|
||||
+ value: "Warning"
|
||||
+ - name: FELIX_LOGSEVERITYFILE
|
||||
+ value: "Warning"
|
||||
+ - name: FELIX_LOGSEVERITYSYS
|
||||
+ value: ""
|
||||
- name: FELIX_HEALTHENABLED
|
||||
value: "true"
|
||||
+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
|
||||
+ value: "false"
|
||||
+ - name: FELIX_PROMETHEUSMETRICSENABLED
|
||||
+ value: "true"
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources:
|
||||
@@ -3608,7 +3593,6 @@
|
||||
command:
|
||||
- /bin/calico-node
|
||||
- -felix-live
|
||||
- - -bird-live
|
||||
periodSeconds: 10
|
||||
initialDelaySeconds: 10
|
||||
failureThreshold: 6
|
||||
@@ -3617,7 +3601,6 @@
|
||||
command:
|
||||
- /bin/calico-node
|
||||
- -felix-ready
|
||||
- - -bird-ready
|
||||
periodSeconds: 10
|
||||
volumeMounts:
|
||||
- mountPath: /lib/modules
|
3359
charts/kubezero-calico/calico-v3.16.5.patch
Normal file
3359
charts/kubezero-calico/calico-v3.16.5.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,3 +1,4 @@
|
||||
---
|
||||
# Source: calico/templates/kdd-crds.yaml
|
||||
|
||||
|
||||
@ -192,6 +193,29 @@ spec:
|
||||
description: Selector for the nodes that should have this peering. When
|
||||
this is set, the Node field must be empty.
|
||||
type: string
|
||||
password:
|
||||
description: Optional BGP password for the peerings generated by this
|
||||
BGPPeer resource.
|
||||
properties:
|
||||
secretKeyRef:
|
||||
description: Selects a key of a secret in the node pod's namespace.
|
||||
properties:
|
||||
key:
|
||||
description: The key of the secret to select from. Must be
|
||||
a valid secret key.
|
||||
type: string
|
||||
name:
|
||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
|
||||
TODO: Add other useful fields. apiVersion, kind, uid?'
|
||||
type: string
|
||||
optional:
|
||||
description: Specify whether the Secret or its key must be
|
||||
defined
|
||||
type: boolean
|
||||
required:
|
||||
- key
|
||||
type: object
|
||||
type: object
|
||||
peerIP:
|
||||
description: The IP address of the peer followed by an optional port
|
||||
number to peer with. If port number is given, format should be `[<IPv6>]:port`
|
||||
@ -396,6 +420,16 @@ spec:
|
||||
spec:
|
||||
description: FelixConfigurationSpec contains the values of the Felix configuration.
|
||||
properties:
|
||||
allowIPIPPacketsFromWorkloads:
|
||||
description: 'AllowIPIPPacketsFromWorkloads controls whether Felix
|
||||
will add a rule to drop IPIP encapsulated traffic from workloads
|
||||
[Default: false]'
|
||||
type: boolean
|
||||
allowVXLANPacketsFromWorkloads:
|
||||
description: 'AllowVXLANPacketsFromWorkloads controls whether Felix
|
||||
will add a rule to drop VXLAN encapsulated traffic from workloads
|
||||
[Default: false]'
|
||||
type: boolean
|
||||
awsSrcDstCheck:
|
||||
description: 'Set source-destination-check on AWS EC2 instances. Accepted
|
||||
value must be one of "DoNothing", "Enabled" or "Disabled". [Default:
|
||||
|
@ -1,6 +0,0 @@
|
||||
{{- if .Values.installCRDs }}
|
||||
{{- range $path, $_ := .Files.Glob "crds/*.yaml" }}
|
||||
{{ $.Files.Get $path }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -1,5 +1,3 @@
|
||||
installCRDs: false
|
||||
|
||||
image:
|
||||
tag: ""
|
||||
|
||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
||||
name: kubezero-cert-manager
|
||||
description: KubeZero Umbrella Chart for cert-manager
|
||||
type: application
|
||||
version: 0.4.0
|
||||
version: 0.4.1
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -15,6 +15,7 @@ dependencies:
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: cert-manager
|
||||
version: 1.0.3
|
||||
version: 1.0.4
|
||||
repository: https://charts.jetstack.io
|
||||
condition: cert-manager.enabled
|
||||
kubeVersion: ">= 1.16.0"
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-cert-manager
|
||||
|
||||
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
![Version: 0.4.1](https://img.shields.io/badge/Version-0.4.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for cert-manager
|
||||
|
||||
@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://charts.jetstack.io | cert-manager | 1.0.3 |
|
||||
| https://charts.jetstack.io | cert-manager | 1.0.4 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## AWS - IAM Role
|
||||
@ -38,10 +38,10 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
||||
| cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| cert-manager.enabled | bool | `true` | |
|
||||
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
|
||||
| cert-manager.ingressShim.defaultIssuerKind | string | `"ClusterIssuer"` | |
|
||||
| cert-manager.ingressShim.defaultIssuerName | string | `"letsencrypt-dns-prod"` | |
|
||||
| cert-manager.installCRDs | bool | `true` | |
|
||||
| cert-manager.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| cert-manager.podAnnotations | object | `{}` | "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn" |
|
||||
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||
@ -51,5 +51,5 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
||||
| cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| clusterIssuer | object | `{}` | |
|
||||
| localCA.enabled | bool | `true` | |
|
||||
| localCA.enabled | bool | `false` | |
|
||||
| localCA.selfsigning | bool | `true` | |
|
||||
|
@ -3,11 +3,11 @@
|
||||
|
||||
# KubeZero / Local cluster CA
|
||||
# The resources are serialized via waves in Argo
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Issuer
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: kubezero-selfsigning-issuer
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
annotations:
|
||||
@ -15,11 +15,11 @@ metadata:
|
||||
spec:
|
||||
selfSigned: {}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: kubezero-local-ca
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
annotations:
|
||||
@ -30,6 +30,7 @@ spec:
|
||||
isCA: true
|
||||
issuerRef:
|
||||
name: kubezero-selfsigning-issuer
|
||||
kind: ClusterIssuer
|
||||
usages:
|
||||
- "any"
|
||||
---
|
||||
@ -39,7 +40,7 @@ apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: kubezero-ca-tls
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
data:
|
||||
@ -48,11 +49,11 @@ data:
|
||||
---
|
||||
{{- end }}
|
||||
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Issuer
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: kubezero-local-ca-issuer
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
annotations:
|
||||
|
@ -1,5 +1,5 @@
|
||||
{{- if .Values.clusterIssuer.name }}
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: {{ .Values.clusterIssuer.name }}
|
||||
|
@ -17,34 +17,45 @@ localCA:
|
||||
# crt: <pem-crt-material>
|
||||
|
||||
cert-manager:
|
||||
installCRDs: true
|
||||
enabled: true
|
||||
|
||||
global:
|
||||
leaderElection:
|
||||
namespace: "cert-manager"
|
||||
|
||||
podAnnotations: {}
|
||||
# iam.amazonaws.com/role: ""
|
||||
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
ingressShim:
|
||||
defaultIssuerName: letsencrypt-dns-prod
|
||||
defaultIssuerKind: ClusterIssuer
|
||||
|
||||
webhook:
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
cainjector:
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
extraArgs:
|
||||
- "--dns01-recursive-nameservers-only"
|
||||
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|
||||
# - --enable-certificate-owner-ref=true
|
||||
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
enabled: false
|
||||
# cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"
|
||||
podAnnotations: {}
|
||||
# iam.amazonaws.com/role: ""
|
||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-istio
|
||||
description: KubeZero Umbrella Chart for Istio
|
||||
type: application
|
||||
version: 0.3.4
|
||||
appVersion: 1.7.3
|
||||
version: 0.4.0
|
||||
appVersion: 1.7.4
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-istio
|
||||
|
||||
![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.3](https://img.shields.io/badge/AppVersion-1.7.3-informational?style=flat-square)
|
||||
![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.7.4](https://img.shields.io/badge/AppVersion-1.7.4-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Istio
|
||||
|
||||
@ -34,10 +34,11 @@ Kubernetes: `>= 1.16.0`
|
||||
| ingress.dnsNames[0] | string | `"*"` | |
|
||||
| ingress.private.enabled | bool | `true` | |
|
||||
| ingress.private.nodeSelector | string | `"31080_31443_31671_31672_31224"` | |
|
||||
| ingress.public.enabled | bool | `true` | |
|
||||
| ingress.replicaCount | int | `2` | |
|
||||
| ingress.type | string | `"NodePort"` | |
|
||||
| istio-operator.hub | string | `"docker.io/istio"` | |
|
||||
| istio-operator.tag | string | `"1.7.3"` | |
|
||||
| istio-operator.tag | string | `"1.7.4"` | |
|
||||
| istiod.autoscaleEnabled | bool | `false` | |
|
||||
| istiod.replicaCount | int | `1` | |
|
||||
|
||||
|
@ -99,6 +99,7 @@ rules:
|
||||
- events
|
||||
- namespaces
|
||||
- pods
|
||||
- pods/proxy
|
||||
- persistentvolumeclaims
|
||||
- secrets
|
||||
- services
|
||||
|
File diff suppressed because it is too large
Load Diff
82
charts/kubezero-istio/crds/crd-mixer.yaml
Normal file
82
charts/kubezero-istio/crds/crd-mixer.yaml
Normal file
@ -0,0 +1,82 @@
|
||||
kind: CustomResourceDefinition
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
metadata:
|
||||
name: adapters.config.istio.io
|
||||
labels:
|
||||
app: mixer
|
||||
package: adapter
|
||||
istio: mixer-adapter
|
||||
chart: istio
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
annotations:
|
||||
"helm.sh/resource-policy": keep
|
||||
spec:
|
||||
group: config.istio.io
|
||||
names:
|
||||
kind: adapter
|
||||
plural: adapters
|
||||
singular: adapter
|
||||
categories:
|
||||
- istio-io
|
||||
- policy-istio-io
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
spec:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
status:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
|
||||
---
|
||||
kind: CustomResourceDefinition
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
metadata:
|
||||
name: templates.config.istio.io
|
||||
labels:
|
||||
app: mixer
|
||||
package: template
|
||||
istio: mixer-template
|
||||
chart: istio
|
||||
heritage: Tiller
|
||||
release: istio
|
||||
annotations:
|
||||
"helm.sh/resource-policy": keep
|
||||
spec:
|
||||
group: config.istio.io
|
||||
names:
|
||||
kind: template
|
||||
plural: templates
|
||||
singular: template
|
||||
categories:
|
||||
- istio-io
|
||||
- policy-istio-io
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v1alpha2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
spec:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
status:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
---
|
||||
|
74
charts/kubezero-istio/crds/crd-operator.yaml
Normal file
74
charts/kubezero-istio/crds/crd-operator.yaml
Normal file
@ -0,0 +1,74 @@
|
||||
# SYNC WITH manifests/charts/istio-operator/templates
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
name: istiooperators.install.istio.io
|
||||
labels:
|
||||
release: istio
|
||||
spec:
|
||||
group: install.istio.io
|
||||
names:
|
||||
kind: IstioOperator
|
||||
plural: istiooperators
|
||||
singular: istiooperator
|
||||
shortNames:
|
||||
- iop
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- description: Istio control plane revision
|
||||
jsonPath: .spec.revision
|
||||
name: Revision
|
||||
type: string
|
||||
- description: IOP current state
|
||||
jsonPath: .status.status
|
||||
type: string
|
||||
name: Status
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
description:
|
||||
"CreationTimestamp is a timestamp representing the server time when
|
||||
this object was created. It is not guaranteed to be set in happens-before order
|
||||
across separate operations. Clients may not set this value. It is represented
|
||||
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
|
||||
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
|
||||
name: Age
|
||||
type: date
|
||||
name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
properties:
|
||||
apiVersion:
|
||||
description:
|
||||
"APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources"
|
||||
type: string
|
||||
kind:
|
||||
description:
|
||||
"Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
|
||||
type: string
|
||||
spec:
|
||||
description:
|
||||
"Specification of the desired state of the istio control plane resource.
|
||||
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
status:
|
||||
description:
|
||||
"Status describes each of istio control plane component status at the current time.
|
||||
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
|
||||
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
|
||||
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
subresources:
|
||||
status: {}
|
||||
---
|
||||
|
@ -1,3 +1,4 @@
|
||||
{{- if .Values.ingress.public.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: EnvoyFilter
|
||||
metadata:
|
||||
@ -30,6 +31,7 @@ spec:
|
||||
name: 5
|
||||
int_value: 60
|
||||
state: STATE_LISTENING
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.ingress.private.enabled }}
|
||||
---
|
||||
|
@ -1,5 +1,5 @@
|
||||
{{- if .Values.ingress.dnsNames }}
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: public-ingress-cert
|
||||
|
@ -1,4 +1,5 @@
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
{{- if .Values.ingress.public.enabled }}
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: ingressgateway
|
||||
@ -28,10 +29,10 @@ spec:
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||
credentialName: public-ingress-cert
|
||||
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.private.enabled }}
|
||||
---
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
apiVersion: networking.istio.io/v1beta1
|
||||
kind: Gateway
|
||||
metadata:
|
||||
name: private-ingressgateway
|
||||
@ -84,4 +85,16 @@ spec:
|
||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||
credentialName: public-ingress-cert
|
||||
- port:
|
||||
number: 6379
|
||||
name: redis
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
- port:
|
||||
number: 6380
|
||||
name: redis-1
|
||||
protocol: TCP
|
||||
hosts:
|
||||
{{- toYaml .Values.ingress.dnsNames | nindent 4 }}
|
||||
{{- end }}
|
||||
|
@ -120,6 +120,16 @@ spec:
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31672
|
||||
{{- end }}
|
||||
- name: redis
|
||||
port: 6379
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31379
|
||||
{{- end }}
|
||||
- name: redis-1
|
||||
port: 6380
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 31380
|
||||
{{- end }}
|
||||
|
||||
global:
|
||||
jwtPolicy: first-party-jwt
|
||||
|
@ -8,6 +8,9 @@ metadata:
|
||||
spec:
|
||||
profile: empty
|
||||
components:
|
||||
base:
|
||||
enabled: true
|
||||
{{- if .Values.ingress.public.enabled }}
|
||||
ingressGateways:
|
||||
- enabled: true
|
||||
k8s:
|
||||
@ -62,6 +65,7 @@ spec:
|
||||
value: 90
|
||||
|
||||
name: istio-ingressgateway
|
||||
{{- end }}
|
||||
pilot:
|
||||
enabled: true
|
||||
k8s:
|
||||
@ -102,6 +106,7 @@ spec:
|
||||
interval: 30s
|
||||
time: 60s
|
||||
values:
|
||||
{{- if .Values.ingress.public.enabled }}
|
||||
gateways:
|
||||
istio-ingressgateway:
|
||||
autoscaleEnabled: {{ .Values.ingress.autoscaleEnabled }}
|
||||
@ -134,6 +139,7 @@ spec:
|
||||
{{- if eq .Values.ingress.type "NodePort" }}
|
||||
nodePort: 30443
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
global:
|
||||
jwtPolicy: first-party-jwt
|
||||
logAsJson: true
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
set -ex
|
||||
|
||||
export ISTIO_VERSION=1.7.3
|
||||
export ISTIO_VERSION=1.7.4
|
||||
|
||||
if [ ! -d istio-$ISTIO_VERSION ]; then
|
||||
NAME="istio-$ISTIO_VERSION"
|
||||
@ -10,17 +10,17 @@ if [ ! -d istio-$ISTIO_VERSION ]; then
|
||||
curl -sL "$URL" | tar xz
|
||||
fi
|
||||
|
||||
# Now lets extract what we need
|
||||
# Get matching istioctl
|
||||
[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }
|
||||
|
||||
# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs
|
||||
# Now lets extract istio-operator chart
|
||||
rm -rf charts/istio-operator
|
||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/istio-operator charts
|
||||
|
||||
# Apply our patch
|
||||
patch -i istio-operator.patch -p0
|
||||
|
||||
[ -x istioctl ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; }
|
||||
|
||||
# Extract base / CRDs from istioctl into plain manifest to workaround chicken egg problem with CRDs
|
||||
./istioctl manifest generate --set profile=empty --set components.base.enabled=true > templates/istio-base.yaml
|
||||
|
||||
# Remove double CRD
|
||||
patch -i istio-base.patch -p3
|
||||
# Extract crds
|
||||
rm -rf crds
|
||||
cp -r istio-${ISTIO_VERSION}/manifests/charts/base/crds .
|
||||
|
@ -6,6 +6,8 @@ ingress:
|
||||
autoscaleEnabled: false
|
||||
replicaCount: 2
|
||||
type: NodePort
|
||||
public:
|
||||
enabled: true
|
||||
private:
|
||||
enabled: true
|
||||
nodeSelector: "31080_31443_31671_31672_31224"
|
||||
@ -13,5 +15,6 @@ ingress:
|
||||
- "*"
|
||||
|
||||
istio-operator:
|
||||
operatorNamespace: istio-system
|
||||
hub: docker.io/istio
|
||||
tag: 1.7.3
|
||||
tag: 1.7.4
|
||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
||||
name: kubezero-kiam
|
||||
description: KubeZero Umbrella Chart for Kiam
|
||||
type: application
|
||||
version: 0.2.11
|
||||
version: 0.2.12
|
||||
appVersion: 3.6
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
@ -16,7 +16,7 @@ dependencies:
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: kiam
|
||||
version: 5.8.1
|
||||
version: 5.9.0
|
||||
repository: https://uswitch.github.io/kiam-helm-charts/charts/
|
||||
condition: kiam.enabled
|
||||
kubeVersion: ">= 1.16.0"
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-kiam
|
||||
|
||||
![Version: 0.2.11](https://img.shields.io/badge/Version-0.2.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.6](https://img.shields.io/badge/AppVersion-3.6-informational?style=flat-square)
|
||||
![Version: 0.2.12](https://img.shields.io/badge/Version-0.2.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.6](https://img.shields.io/badge/AppVersion-3.6-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Kiam
|
||||
|
||||
@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.8.1 |
|
||||
| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.9.0 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## KubeZero default configuration
|
||||
@ -47,8 +47,8 @@ By default all access to the meta-data service is blocked, expect for:
|
||||
| kiam.agent.gatewayTimeoutCreation | string | `"5s"` | |
|
||||
| kiam.agent.host.interface | string | `"cali+"` | |
|
||||
| kiam.agent.host.iptables | bool | `false` | |
|
||||
| kiam.agent.image.tag | string | `"v3.6"` | |
|
||||
| kiam.agent.log.level | string | `"warn"` | |
|
||||
| kiam.agent.log.level | string | `"info"` | |
|
||||
| kiam.agent.priorityClassName | string | `"system-node-critical"` | |
|
||||
| kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||
| kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` | |
|
||||
| kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` | |
|
||||
@ -69,9 +69,9 @@ By default all access to the meta-data service is blocked, expect for:
|
||||
| kiam.server.assumeRoleArn | string | `""` | kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role |
|
||||
| kiam.server.deployment.enabled | bool | `true` | |
|
||||
| kiam.server.deployment.replicas | int | `1` | |
|
||||
| kiam.server.image.tag | string | `"v3.6"` | |
|
||||
| kiam.server.log.level | string | `"warn"` | |
|
||||
| kiam.server.log.level | string | `"info"` | |
|
||||
| kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| kiam.server.priorityClassName | string | `"system-cluster-critical"` | |
|
||||
| kiam.server.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||
| kiam.server.prometheus.servicemonitor.interval | string | `"30s"` | |
|
||||
| kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` | |
|
||||
|
@ -1,28 +1,32 @@
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: kiam-agent
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
secretName: kiam-agent-tls
|
||||
issuerRef:
|
||||
name: kubezero-local-ca-issuer
|
||||
kind: ClusterIssuer
|
||||
usages:
|
||||
- "any"
|
||||
dnsNames:
|
||||
- "kiam-agent"
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: kiam-server
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
secretName: kiam-server-tls
|
||||
issuerRef:
|
||||
name: kubezero-local-ca-issuer
|
||||
kind: ClusterIssuer
|
||||
usages:
|
||||
- "any"
|
||||
dnsNames:
|
||||
|
@ -3,8 +3,6 @@ annotateKubeSystemNameSpace: false
|
||||
kiam:
|
||||
enabled: true
|
||||
server:
|
||||
image:
|
||||
tag: "v3.6"
|
||||
# kiam.server.assumeRoleArn -- kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role
|
||||
assumeRoleArn: ''
|
||||
useHostNetwork: true
|
||||
@ -33,6 +31,7 @@ kiam:
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
priorityClassName: system-cluster-critical
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
enabled: false
|
||||
@ -40,11 +39,9 @@ kiam:
|
||||
labels:
|
||||
release: metrics
|
||||
log:
|
||||
level: warn
|
||||
level: info
|
||||
|
||||
agent:
|
||||
image:
|
||||
tag: "v3.6"
|
||||
gatewayTimeoutCreation: "5s"
|
||||
updateStrategy: RollingUpdate
|
||||
# IP tables set on each node at boot, see CloudBender
|
||||
@ -68,6 +65,7 @@ kiam:
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
priorityClassName: system-node-critical
|
||||
prometheus:
|
||||
servicemonitor:
|
||||
enabled: false
|
||||
@ -75,7 +73,7 @@ kiam:
|
||||
labels:
|
||||
release: metrics
|
||||
log:
|
||||
level: warn
|
||||
level: info
|
||||
# extraEnv:
|
||||
# - name: GRPC_GO_LOG_SEVERITY_LEVEL
|
||||
# value: "info"
|
||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||
name: kubezero-logging
|
||||
description: KubeZero Umbrella Chart for complete EFK stack
|
||||
type: application
|
||||
version: 0.4.1
|
||||
appVersion: 1.2.1
|
||||
version: 0.5.0
|
||||
appVersion: 1.3.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -18,6 +18,10 @@ dependencies:
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: eck-operator
|
||||
version: 1.3.0
|
||||
repository: https://helm.elastic.co
|
||||
condition: eck-operator.enabled
|
||||
- name: fluentd
|
||||
version: 2.5.1
|
||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,6 +0,0 @@
|
||||
resources:
|
||||
- all-in-one.yaml
|
||||
|
||||
# map operator to controller nodes
|
||||
patchesStrategicMerge:
|
||||
- map-operator.yaml
|
@ -1,14 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: elastic-operator
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
tolerations:
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
@ -1,7 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
ECK_VERSION=1.2.1
|
||||
|
||||
curl -o all-in-one.yaml https://download.elastic.co/downloads/eck/${ECK_VERSION}/all-in-one.yaml
|
||||
|
||||
kubectl kustomize . > ../templates/eck-operator.yaml
|
File diff suppressed because it is too large
Load Diff
@ -5,11 +5,11 @@
|
||||
# This is for backwards compatibility with older zdt-logging setup
|
||||
fullnameOverride: logging
|
||||
|
||||
# Version for ElasticSearch and Kibana have to match so we define it at top-level
|
||||
version: 7.6.0
|
||||
|
||||
elastic_password: "dsfsfs" # super_secret_elastic_password
|
||||
|
||||
eck-operator:
|
||||
enabled: true
|
||||
|
||||
es:
|
||||
nodeSets:
|
||||
- name: default-zone-0
|
||||
|
@ -1,8 +1,16 @@
|
||||
# use this for backwards compatability
|
||||
# fullnameOverride: ""
|
||||
|
||||
eck-operator:
|
||||
enabled: false
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
# Version for ElasticSearch and Kibana have to match so we define it at top-level
|
||||
version: 7.8.1
|
||||
version: 7.10.0
|
||||
|
||||
elastic_password: "" # super_secret_elastic_password
|
||||
|
||||
@ -67,7 +75,7 @@ fluentd:
|
||||
enabled: true
|
||||
additionalLabels:
|
||||
release: metrics
|
||||
namespace: monitoring
|
||||
# namespace: monitoring
|
||||
|
||||
output:
|
||||
# Default should be "logging-kubezero-logging-es-http" if fullnameOverride is NOT used
|
||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
||||
name: kubezero-metrics
|
||||
description: KubeZero Umbrella Chart for prometheus-operator
|
||||
type: application
|
||||
version: 0.2.1
|
||||
version: 0.3.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
@ -16,9 +16,10 @@ dependencies:
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: kube-prometheus-stack
|
||||
version: 10.1.3
|
||||
version: 11.1.1
|
||||
repository: https://prometheus-community.github.io/helm-charts
|
||||
- name: prometheus-adapter
|
||||
version: 2.7.0
|
||||
version: 2.7.1
|
||||
repository: https://prometheus-community.github.io/helm-charts
|
||||
condition: prometheus-adapter.enabled
|
||||
kubeVersion: ">= 1.16.0"
|
||||
|
@ -1,6 +1,6 @@
|
||||
# kubezero-metrics
|
||||
|
||||
![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for prometheus-operator
|
||||
|
||||
@ -18,8 +18,8 @@ Kubernetes: `>= 1.16.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 10.0.1 |
|
||||
| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 2.7.0 |
|
||||
| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 11.1.1 |
|
||||
| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 2.7.1 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## Values
|
||||
@ -41,6 +41,9 @@ Kubernetes: `>= 1.16.0`
|
||||
| kube-prometheus-stack.grafana.plugins[0] | string | `"grafana-piechart-panel"` | |
|
||||
| kube-prometheus-stack.grafana.service.portName | string | `"http-grafana"` | |
|
||||
| kube-prometheus-stack.grafana.testFramework.enabled | bool | `false` | |
|
||||
| kube-prometheus-stack.kube-state-metrics.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| kube-prometheus-stack.kube-state-metrics.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| kube-prometheus-stack.kube-state-metrics.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| kube-prometheus-stack.kubeApiServer.enabled | bool | `true` | |
|
||||
| kube-prometheus-stack.kubeControllerManager.enabled | bool | `true` | |
|
||||
| kube-prometheus-stack.kubeControllerManager.service.port | int | `10257` | |
|
||||
@ -69,7 +72,6 @@ Kubernetes: `>= 1.16.0`
|
||||
| kube-prometheus-stack.nodeExporter.serviceMonitor.relabelings[0].targetLabel | string | `"node"` | |
|
||||
| kube-prometheus-stack.prometheus.enabled | bool | `true` | |
|
||||
| kube-prometheus-stack.prometheus.prometheusSpec.portName | string | `"http-prometheus"` | |
|
||||
| kube-prometheus-stack.prometheus.prometheusSpec.resources.limits.cpu | string | `"1000m"` | |
|
||||
| kube-prometheus-stack.prometheus.prometheusSpec.resources.limits.memory | string | `"3Gi"` | |
|
||||
| kube-prometheus-stack.prometheus.prometheusSpec.resources.requests.cpu | string | `"500m"` | |
|
||||
| kube-prometheus-stack.prometheus.prometheusSpec.resources.requests.memory | string | `"1Gi"` | |
|
||||
@ -77,17 +79,17 @@ Kubernetes: `>= 1.16.0`
|
||||
| kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] | string | `"ReadWriteOnce"` | |
|
||||
| kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"16Gi"` | |
|
||||
| kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName | string | `"ebs-sc-gp2-xfs"` | |
|
||||
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.enabled | bool | `false` | |
|
||||
| kube-prometheus-stack.prometheusOperator.createCustomResource | bool | `true` | |
|
||||
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| kube-prometheus-stack.prometheusOperator.enabled | bool | `true` | |
|
||||
| kube-prometheus-stack.prometheusOperator.manageCrds | bool | `false` | |
|
||||
| kube-prometheus-stack.prometheusOperator.namespaces.additional[0] | string | `"kube-system"` | |
|
||||
| kube-prometheus-stack.prometheusOperator.namespaces.additional[1] | string | `"logging"` | |
|
||||
| kube-prometheus-stack.prometheusOperator.namespaces.releaseNamespace | bool | `true` | |
|
||||
| kube-prometheus-stack.prometheusOperator.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| kube-prometheus-stack.prometheusOperator.tlsProxy.enabled | bool | `false` | |
|
||||
| kube-prometheus-stack.prometheusOperator.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| kube-prometheus-stack.prometheusOperator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||
| prometheus-adapter.enabled | bool | `true` | |
|
||||
| prometheus-adapter.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||
| prometheus-adapter.prometheus.url | string | `"http://metrics-kube-prometheus-st-prometheus"` | |
|
||||
| prometheus-adapter.rules.default | bool | `false` | |
|
||||
|
@ -3,6 +3,7 @@ apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: grafana
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
@ -21,6 +22,7 @@ apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: prometheus
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
|
@ -59,10 +59,6 @@ kube-prometheus-stack:
|
||||
|
||||
prometheusOperator:
|
||||
enabled: true
|
||||
#image:
|
||||
# tag: v0.42.1
|
||||
#prometheusConfigReloaderImage:
|
||||
# tag: v0.42.1
|
||||
|
||||
# Run on controller nodes
|
||||
tolerations:
|
||||
@ -71,24 +67,20 @@ kube-prometheus-stack:
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
# Argo takes care of CRDs
|
||||
manageCrds: false
|
||||
createCustomResource: true
|
||||
|
||||
# Operator has TLS support starting 0.39, but chart does not support CAConfig and operator flags yet
|
||||
# see: https://github.com/coreos/prometheus-operator/blob/master/Documentation/user-guides/webhook.md#deploying-the-admission-webhook
|
||||
# Until then we disable them as the patching interferes with Argo anyways
|
||||
tlsProxy:
|
||||
enabled: false
|
||||
admissionWebhooks:
|
||||
enabled: false
|
||||
|
||||
namespaces:
|
||||
releaseNamespace: true
|
||||
additional:
|
||||
- kube-system
|
||||
- logging
|
||||
|
||||
admissionWebhooks:
|
||||
patch:
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
nodeExporter:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
@ -141,12 +133,21 @@ kube-prometheus-stack:
|
||||
testFramework:
|
||||
enabled: false
|
||||
|
||||
# Assign state metrics to control plane
|
||||
kube-state-metrics:
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
effect: NoSchedule
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/master: ""
|
||||
|
||||
# Todo
|
||||
alertmanager:
|
||||
enabled: false
|
||||
|
||||
# Metrics adapter
|
||||
prometheus-adapter:
|
||||
enabled: true
|
||||
prometheus:
|
||||
url: http://metrics-kube-prometheus-st-prometheus
|
||||
tolerations:
|
||||
|
23
charts/kubezero-redis/.helmignore
Normal file
23
charts/kubezero-redis/.helmignore
Normal file
@ -0,0 +1,23 @@
|
||||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*.orig
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
20
charts/kubezero-redis/Chart.yaml
Normal file
20
charts/kubezero-redis/Chart.yaml
Normal file
@ -0,0 +1,20 @@
|
||||
apiVersion: v2
|
||||
name: kubezero-redis
|
||||
description: KubeZero Umbrella Chart for Redis HA
|
||||
type: application
|
||||
version: 0.1.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
- kubezero
|
||||
- redis
|
||||
maintainers:
|
||||
- name: Quarky9
|
||||
dependencies:
|
||||
- name: kubezero-lib
|
||||
version: ">= 0.1.3"
|
||||
repository: https://zero-down-time.github.io/kubezero/
|
||||
- name: redis
|
||||
version: 12.0.0
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
kubeVersion: ">= 1.16.0"
|
44
charts/kubezero-redis/README.md
Normal file
44
charts/kubezero-redis/README.md
Normal file
@ -0,0 +1,44 @@
|
||||
# kubezero-redis
|
||||
|
||||
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||
|
||||
KubeZero Umbrella Chart for Redis HA
|
||||
|
||||
**Homepage:** <https://kubezero.com>
|
||||
|
||||
## Maintainers
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Quarky9 | | |
|
||||
|
||||
## Requirements
|
||||
|
||||
Kubernetes: `>= 1.16.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://charts.bitnami.com/bitnami | redis | 12.0.0 |
|
||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| istio.enabled | bool | `false` | |
|
||||
| redis.cluster.slaveCount | int | `0` | |
|
||||
| redis.master.persistence.enabled | bool | `false` | |
|
||||
| redis.metrics.enabled | bool | `false` | |
|
||||
| redis.metrics.serviceMonitor.enabled | bool | `false` | |
|
||||
| redis.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||
| redis.metrics.serviceMonitor.selector.release | string | `"metrics"` | |
|
||||
| redis.usePassword | bool | `false` | |
|
||||
|
||||
# Dashboards
|
||||
|
||||
## Redis
|
||||
|
||||
# Resources
|
||||
- https://github.com/helm/charts/tree/master/stable/redis
|
||||
- https://github.com/rustudorcalin/deploying-redis-cluster
|
||||
-
|
26
charts/kubezero-redis/README.md.gotmpl
Normal file
26
charts/kubezero-redis/README.md.gotmpl
Normal file
@ -0,0 +1,26 @@
|
||||
{{ template "chart.header" . }}
|
||||
{{ template "chart.deprecationWarning" . }}
|
||||
|
||||
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
|
||||
|
||||
{{ template "chart.description" . }}
|
||||
|
||||
{{ template "chart.homepageLine" . }}
|
||||
|
||||
{{ template "chart.maintainersSection" . }}
|
||||
|
||||
{{ template "chart.sourcesSection" . }}
|
||||
|
||||
{{ template "chart.requirementsSection" . }}
|
||||
|
||||
{{ template "chart.valuesSection" . }}
|
||||
|
||||
# Dashboards
|
||||
https://grafana.com/grafana/dashboards/11835
|
||||
|
||||
## Redis
|
||||
|
||||
# Resources
|
||||
- https://github.com/helm/charts/tree/master/stable/redis
|
||||
- https://github.com/rustudorcalin/deploying-redis-cluster
|
||||
-
|
@ -0,0 +1,26 @@
|
||||
{{- if .Values.istio.enabled }}
|
||||
{{- if .Values.istio.ipBlocks }}
|
||||
apiVersion: security.istio.io/v1beta1
|
||||
kind: AuthorizationPolicy
|
||||
metadata:
|
||||
name: {{ .Release.Namespace }}-redis-deny-not-in-ipblocks
|
||||
namespace: istio-system
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: istio-private-ingressgateway
|
||||
action: DENY
|
||||
rules:
|
||||
- from:
|
||||
- source:
|
||||
notIpBlocks:
|
||||
{{- with .Values.istio.ipBlocks }}
|
||||
{{- . | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
to:
|
||||
- operation:
|
||||
ports: ["{{ default 6379 .Values.redis.redisPort }}"]
|
||||
{{- end }}
|
||||
{{- end }}
|
22
charts/kubezero-redis/templates/istio-service.yaml
Normal file
22
charts/kubezero-redis/templates/istio-service.yaml
Normal file
@ -0,0 +1,22 @@
|
||||
{{- if .Values.istio.enabled }}
|
||||
apiVersion: networking.istio.io/v1alpha3
|
||||
kind: VirtualService
|
||||
metadata:
|
||||
name: redis
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||
spec:
|
||||
hosts:
|
||||
- {{ .Values.istio.url }}
|
||||
gateways:
|
||||
- {{ .Values.istio.gateway }}
|
||||
tcp:
|
||||
- match:
|
||||
- port: {{ default 6379 .Values.redis.redisPort }}
|
||||
route:
|
||||
- destination:
|
||||
host: redis-headless
|
||||
port:
|
||||
number: {{ default 6379 .Values.redis.redisPort }}
|
||||
{{- end }}
|
27
charts/kubezero-redis/values.yaml
Normal file
27
charts/kubezero-redis/values.yaml
Normal file
@ -0,0 +1,27 @@
|
||||
redis:
|
||||
redisPort: 6379
|
||||
|
||||
cluster:
|
||||
slaveCount: 0
|
||||
|
||||
usePassword: false
|
||||
|
||||
master:
|
||||
persistence:
|
||||
enabled: false
|
||||
# resources:
|
||||
# requests:
|
||||
# memory: 256Mi
|
||||
# cpu: 100m
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
serviceMonitor:
|
||||
enabled: false
|
||||
selector:
|
||||
release: metrics
|
||||
# extraArgs:
|
||||
# redis.addr: "redis://localhost:6379"
|
||||
|
||||
istio:
|
||||
enabled: false
|
@ -44,4 +44,4 @@ Kubernetes: `>= 1.16.0`
|
||||
| platform | string | `"aws"` | |
|
||||
|
||||
----------------------------------------------
|
||||
Autogenerated from chart metadata using [helm-docs v1.4.0](https://github.com/norwoodj/helm-docs/releases/v1.4.0)
|
||||
Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1)
|
||||
|
@ -1,7 +1,22 @@
|
||||
#!/bin/bash
|
||||
set -ex
|
||||
|
||||
LOCATION=${1-""}
|
||||
ACTION=$1
|
||||
ARTIFACTS=("$2")
|
||||
LOCATION=${3:-""}
|
||||
|
||||
DEPLOY_DIR=$( dirname $( realpath $0 ))
|
||||
which yq || { echo "yq not found!"; exit 1; }
|
||||
|
||||
TMPDIR=$(mktemp -d kubezero.XXX)
|
||||
|
||||
# First lets generate kubezero.yaml
|
||||
# This will be stored as secret during the initial kubezero chart install
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > $TMPDIR/kubezero.yaml
|
||||
|
||||
if [ ${ARTIFACTS[0]} == "all" ]; then
|
||||
ARTIFACTS=($(yq r -p p $TMPDIR/kubezero.yaml "kubezero.*.enabled" | awk -F "." '{print $2}'))
|
||||
fi
|
||||
|
||||
# Update only if we use upstream
|
||||
if [ -z "$LOCATION" ]; then
|
||||
@ -9,20 +24,27 @@ if [ -z "$LOCATION" ]; then
|
||||
helm repo update
|
||||
fi
|
||||
|
||||
DEPLOY_DIR=$( dirname $( realpath $0 ))
|
||||
which yq || { echo "yq not found!"; exit 1; }
|
||||
|
||||
# Waits for max 300s and retries
|
||||
function wait_for() {
|
||||
local TRIES=0
|
||||
while true; do
|
||||
$@ && break
|
||||
[ $TRIES -eq 200 ] && return 1
|
||||
eval " $@" && break
|
||||
[ $TRIES -eq 100 ] && return 1
|
||||
let TRIES=$TRIES+1
|
||||
sleep 3
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
function chart_location() {
|
||||
if [ -z "$LOCATION" ]; then
|
||||
echo "$1 --repo https://zero-down-time.github.io/kubezero"
|
||||
else
|
||||
echo "$LOCATION/$1"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
function _helm() {
|
||||
local action=$1
|
||||
local chart=$2
|
||||
@ -30,89 +52,257 @@ function _helm() {
|
||||
local namespace=$4
|
||||
shift 4
|
||||
|
||||
local location
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds $@ > $TMPDIR/helm.yaml
|
||||
|
||||
if [ -z "$LOCATION" ]; then
|
||||
location="$chart --repo https://zero-down-time.github.io/kubezero"
|
||||
else
|
||||
location="$LOCATION/$chart"
|
||||
if [ $action == "apply" ]; then
|
||||
# make sure namespace exists prior to calling helm as the create-namespace options doesn't work
|
||||
kubectl get ns $namespace || kubectl create ns $namespace
|
||||
fi
|
||||
|
||||
[ -n "$namespace" ] && kubectl get ns $namespace || kubectl create ns $namespace
|
||||
helm template $location --namespace $namespace --name-template $release $@ | kubectl $action -f -
|
||||
# If resources are out of the single $namespace, apply without restrictions
|
||||
nr_ns=$(grep -e '^ namespace:' $TMPDIR/helm.yaml | sed "s/\"//g" | sort | uniq | wc -l)
|
||||
if [ $nr_ns -gt 1 ]; then
|
||||
kubectl $action -f $TMPDIR/helm.yaml
|
||||
else
|
||||
kubectl $action --namespace $namespace -f $TMPDIR/helm.yaml
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
function deploy() {
|
||||
_helm apply $@
|
||||
}
|
||||
|
||||
|
||||
function delete() {
|
||||
_helm delete $@
|
||||
}
|
||||
|
||||
|
||||
function is_enabled() {
|
||||
local chart=$1
|
||||
|
||||
enabled=$(yq r $TMPDIR/kubezero.yaml kubezero.${chart}.enabled)
|
||||
if [ "$enabled" == "true" ]; then
|
||||
yq r $TMPDIR/kubezero.yaml kubezero.${chart}.values > $TMPDIR/values.yaml
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
|
||||
##########
|
||||
# Calico #
|
||||
##########
|
||||
function calico() {
|
||||
local chart="kubezero-calico"
|
||||
local release="calico"
|
||||
local namespace="kube-system"
|
||||
|
||||
local task=$1
|
||||
|
||||
if [ $task == "deploy" ]; then
|
||||
deploy $chart $release $namespace -f $TMPDIR/values.yaml && rc=$? || rc=$?
|
||||
kubectl apply -f $TMPDIR/helm.yaml
|
||||
# Don't delete the only CNI
|
||||
#elif [ $task == "delete" ]; then
|
||||
# delete $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
elif [ $task == "crds" ]; then
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml
|
||||
diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
|
||||
kubectl apply -f $TMPDIR/crds.yaml
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
################
|
||||
# cert-manager #
|
||||
################
|
||||
function cert-manager() {
|
||||
local chart="kubezero-cert-manager"
|
||||
local release="cert-manager"
|
||||
local namespace="cert-manager"
|
||||
|
||||
# Let's start with minimal cert-manager to get the webhook in place
|
||||
deploy kubezero-cert-manager cert-manager cert-manager
|
||||
local task=$1
|
||||
|
||||
echo "Waiting for cert-manager to be ready..."
|
||||
wait_for kubectl get deployment -n cert-manager cert-manager-webhook 2>/dev/null 1>&2
|
||||
kubectl rollout status deployment -n cert-manager cert-manager-webhook
|
||||
wait_for kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0" 2>/dev/null 1>&2
|
||||
if [ $task == "deploy" ]; then
|
||||
deploy $chart $release $namespace -f $TMPDIR/values.yaml && rc=$? || rc=$?
|
||||
|
||||
# Either inject cert-manager backup or bootstrap
|
||||
if [ -f cert-manager-backup.yaml ]; then
|
||||
kubectl apply -f cert-manager-backup.yaml
|
||||
else
|
||||
deploy kubezero-cert-manager cert-manager cert-manager --set localCA.enabled=true
|
||||
wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2
|
||||
kubectl wait --for=condition=Ready -n kube-system Issuer/kubezero-local-ca-issuer
|
||||
fi
|
||||
# If any error occurs, wait for initial webhook deployment and try again
|
||||
# see: https://cert-manager.io/docs/concepts/webhook/#webhook-connection-problems-shortly-after-cert-manager-installation
|
||||
if [ $rc -ne 0 ]; then
|
||||
wait_for "kubectl get deployment -n $namespace cert-manager-webhook"
|
||||
kubectl rollout status deployment -n $namespace cert-manager-webhook
|
||||
wait_for 'kubectl get validatingwebhookconfigurations -o yaml | grep "caBundle: LS0"'
|
||||
deploy $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
fi
|
||||
|
||||
echo "KubeZero installed successfully."
|
||||
read
|
||||
wait_for "kubectl get ClusterIssuer -n $namespace kubezero-local-ca-issuer"
|
||||
kubectl wait --timeout=180s --for=condition=Ready -n $namespace ClusterIssuer/kubezero-local-ca-issuer
|
||||
|
||||
# Remove all kubezero
|
||||
delete kubezero-cert-manager cert-manager cert-manager
|
||||
elif [ $task == "delete" ]; then
|
||||
delete $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
kubectl delete ns $namespace
|
||||
|
||||
exit 0
|
||||
|
||||
# Determine if we bootstrap or update
|
||||
helm list -n argocd -f kubezero -q | grep -q kubezero && rc=$? || rc=$?
|
||||
if [ $rc -eq 0 ]; then
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
else
|
||||
elif [ $task == "crds" ]; then
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set cert-manager.installCRDs=false > $TMPDIR/helm-no-crds.yaml
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set cert-manager.installCRDs=true > $TMPDIR/helm-crds.yaml
|
||||
diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
|
||||
kubectl apply -f $TMPDIR/crds.yaml
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
# Make sure kube-system is allowed to kiam
|
||||
########
|
||||
# Kiam #
|
||||
########
|
||||
function kiam() {
|
||||
local chart="kubezero-kiam"
|
||||
local release="kiam"
|
||||
local namespace="kube-system"
|
||||
|
||||
local task=$1
|
||||
|
||||
if [ $task == "deploy" ]; then
|
||||
# Certs only first
|
||||
deploy $chart $release $namespace --set kiam.enabled=false
|
||||
kubectl wait --timeout=120s --for=condition=Ready -n kube-system Certificate/kiam-server
|
||||
|
||||
# Make sure kube-system and cert-manager are allowed to kiam
|
||||
kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*'
|
||||
kubectl annotate --overwrite namespace cert-manager 'iam.amazonaws.com/permitted=.*CertManagerRole.*'
|
||||
|
||||
# Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
kubectl wait --for=condition=Ready -n kube-system certificates/kiam-server
|
||||
|
||||
# Now lets make sure kiam is working
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2
|
||||
# Get kiam rolled out and make sure it is working
|
||||
deploy $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
wait_for 'kubectl get daemonset -n kube-system kiam-agent'
|
||||
kubectl rollout status daemonset -n kube-system kiam-agent
|
||||
|
||||
# Install Istio if enabled, but keep ArgoCD istio support disabled for now in case
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
wait_for kubectl get deployment -n istio-operator istio-operator 2>/dev/null 1>&2
|
||||
kubectl rollout status deployment -n istio-operator istio-operator
|
||||
elif [ $task == "delete" ]; then
|
||||
delete $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
fi
|
||||
}
|
||||
|
||||
# Metrics
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-6.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
wait_for kubectl get crds servicemonitors.monitoring.coreos.com 2>/dev/null 1>&2
|
||||
|
||||
# Finally we could enable the actual config and deploy all
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
#######
|
||||
# EBS #
|
||||
#######
|
||||
function aws-ebs-csi-driver() {
|
||||
local chart="kubezero-aws-ebs-csi-driver"
|
||||
local release="aws-ebs-csi-driver"
|
||||
local namespace="kube-system"
|
||||
|
||||
local task=$1
|
||||
|
||||
if [ $task == "deploy" ]; then
|
||||
deploy $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
elif [ $task == "delete" ]; then
|
||||
delete $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
#########
|
||||
# Istio #
|
||||
#########
|
||||
function istio() {
|
||||
local chart="kubezero-istio"
|
||||
local release="istio"
|
||||
local namespace="istio-system"
|
||||
|
||||
local task=$1
|
||||
|
||||
if [ $task == "deploy" ]; then
|
||||
deploy $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
|
||||
elif [ $task == "delete" ]; then
|
||||
for i in $(kubectl get istiooperators -A -o name); do
|
||||
kubectl delete $i -n istio-system
|
||||
done
|
||||
delete $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
kubectl delete ns istio-system
|
||||
|
||||
elif [ $task == "crds" ]; then
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml
|
||||
diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
|
||||
kubectl apply -f $TMPDIR/crds.yaml
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
###########
|
||||
# Metrics #
|
||||
###########
|
||||
function metrics() {
|
||||
local chart="kubezero-metrics"
|
||||
local release="metrics"
|
||||
local namespace="monitoring"
|
||||
|
||||
local task=$1
|
||||
|
||||
if [ $task == "deploy" ]; then
|
||||
deploy $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
|
||||
elif [ $task == "delete" ]; then
|
||||
delete $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
kubectl delete ns monitoring
|
||||
|
||||
elif [ $task == "crds" ]; then
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml
|
||||
helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml
|
||||
diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
|
||||
kubectl apply -f $TMPDIR/crds.yaml
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
###########
|
||||
# Logging #
|
||||
###########
|
||||
function logging() {
|
||||
local chart="kubezero-logging"
|
||||
local release="logging"
|
||||
local namespace="logging"
|
||||
|
||||
local task=$1
|
||||
|
||||
if [ $task == "deploy" ]; then
|
||||
deploy $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
|
||||
kubectl annotate --overwrite namespace logging 'iam.amazonaws.com/permitted=.*ElasticSearchSnapshots.*'
|
||||
|
||||
elif [ $task == "delete" ]; then
|
||||
delete $chart $release $namespace -f $TMPDIR/values.yaml
|
||||
kubectl delete ns logging
|
||||
|
||||
# Doesnt work right now due to V2 Helm implementation of the eck-operator-crd chart
|
||||
#elif [ $task == "crds" ]; then
|
||||
# helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds > $TMPDIR/helm-no-crds.yaml
|
||||
# helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds > $TMPDIR/helm-crds.yaml
|
||||
# diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml
|
||||
# kubectl apply -f $TMPDIR/crds.yaml
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
## MAIN ##
|
||||
if [ $1 == "deploy" ]; then
|
||||
for t in ${ARTIFACTS[@]}; do
|
||||
is_enabled $t && $t deploy
|
||||
done
|
||||
|
||||
elif [ $1 == "crds" ]; then
|
||||
for t in ${ARTIFACTS[@]}; do
|
||||
is_enabled $t && $t crds
|
||||
done
|
||||
|
||||
# Delete in reverse order, continue even if errors
|
||||
elif [ $1 == "delete" ]; then
|
||||
set +e
|
||||
for (( idx=${#ARTIFACTS[@]}-1 ; idx>=0 ; idx-- )) ; do
|
||||
is_enabled ${ARTIFACTS[idx]} && ${ARTIFACTS[idx]} delete
|
||||
done
|
||||
fi
|
||||
|
||||
[ "$DEBUG" == "" ] && rm -rf $TMPDIR
|
||||
|
@ -2,18 +2,6 @@
|
||||
set -e
|
||||
|
||||
DEPLOY_DIR=$( dirname $( realpath $0 ))
|
||||
which yq || { echo "yq not found!"; exit 1; }
|
||||
|
||||
# Waits for max 300s and retries
|
||||
function wait_for() {
|
||||
local TRIES=0
|
||||
while true; do
|
||||
$@ && break
|
||||
[ $TRIES -eq 200 ] && return 1
|
||||
let TRIES=$TRIES+1
|
||||
sleep 3
|
||||
done
|
||||
}
|
||||
|
||||
helm repo add kubezero https://zero-down-time.github.io/kubezero
|
||||
helm repo update
|
||||
@ -24,72 +12,6 @@ if [ $rc -eq 0 ]; then
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
else
|
||||
# During bootstrap we first generate a minimal values.yaml to prevent various deadlocks
|
||||
|
||||
# Generate ArgoCD password if not in values.yaml yet and add it
|
||||
grep -q argocdServerAdminPassword values.yaml && rc=$? || rc=$?
|
||||
if [ $rc -ne 0 ]; then
|
||||
_argo_date="$(date -u --iso-8601=seconds)"
|
||||
_argo_passwd="$($DEPLOY_DIR/argocd_password.py)"
|
||||
|
||||
cat <<EOF > _argocd_values.yaml
|
||||
argo-cd:
|
||||
configs:
|
||||
secret:
|
||||
# ArgoCD password: ${_argo_passwd%%:*} Please move to secure location !
|
||||
argocdServerAdminPassword: "${_argo_passwd##*:}"
|
||||
argocdServerAdminPasswordMtime: "$_argo_date"
|
||||
EOF
|
||||
yq merge -i --overwrite values.yaml _argocd_values.yaml && rm -f _argocd_values.yaml
|
||||
fi
|
||||
|
||||
# Deploy initial argocd
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-1.yaml > generated-values.yaml
|
||||
helm install -n argocd kubezero kubezero/kubezero-argo-cd --create-namespace -f generated-values.yaml
|
||||
# Wait for argocd-server to be running
|
||||
kubectl rollout status deployment -n argocd kubezero-argocd-server
|
||||
|
||||
# Now wait for cert-manager and the local CA to be bootstrapped
|
||||
echo "Waiting for cert-manager to be deployed..."
|
||||
wait_for kubectl get deployment -n cert-manager cert-manager-webhook 2>/dev/null 1>&2
|
||||
kubectl rollout status deployment -n cert-manager cert-manager-webhook
|
||||
|
||||
# Either inject cert-manager backup or bootstrap
|
||||
if [ -f cert-manager-backup.yaml ]; then
|
||||
kubectl apply -f cert-manager-backup.yaml
|
||||
else
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-2.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2
|
||||
kubectl wait --for=condition=Ready -n kube-system Issuer/kubezero-local-ca-issuer
|
||||
fi
|
||||
|
||||
# Make sure kube-system is allowed to kiam
|
||||
kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*'
|
||||
|
||||
# Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-3.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
kubectl wait --for=condition=Ready -n kube-system certificates/kiam-server
|
||||
|
||||
# Now lets make sure kiam is working
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-4.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
wait_for kubectl get daemonset -n kube-system kiam-agent 2>/dev/null 1>&2
|
||||
kubectl rollout status daemonset -n kube-system kiam-agent
|
||||
|
||||
# Install Istio if enabled, but keep ArgoCD istio support disabled for now in case
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-5.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
wait_for kubectl get deployment -n istio-operator istio-operator 2>/dev/null 1>&2
|
||||
kubectl rollout status deployment -n istio-operator istio-operator
|
||||
|
||||
# Metrics
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml -f $DEPLOY_DIR/values-step-6.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
wait_for kubectl get crds servicemonitors.monitoring.coreos.com 2>/dev/null 1>&2
|
||||
|
||||
# Finally we could enable the actual config and deploy all
|
||||
helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml > generated-values.yaml
|
||||
helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
|
||||
echo "To bootstrap clusters please use bootstrap.sh !"
|
||||
exit 1
|
||||
fi
|
||||
|
@ -134,6 +134,11 @@ kubezero:
|
||||
logging:
|
||||
enabled: {{ .Values.logging.enabled }}
|
||||
values:
|
||||
{{- with index .Values "logging" "eck-operator" }}
|
||||
eck-operator:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.logging.elastic_password }}
|
||||
elastic_password: {{ .Values.logging.elastic_password }}
|
||||
{{- end }}
|
||||
|
@ -1,17 +0,0 @@
|
||||
kiam:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
cert-manager:
|
||||
ready: false
|
||||
|
||||
istio:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
logging:
|
||||
enabled: false
|
@ -1,17 +0,0 @@
|
||||
kiam:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
cert-manager:
|
||||
ready: true
|
||||
|
||||
istio:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
logging:
|
||||
enabled: false
|
@ -1,17 +0,0 @@
|
||||
kiam:
|
||||
certsOnly: true
|
||||
ready: false
|
||||
|
||||
cert-manager:
|
||||
ready: true
|
||||
|
||||
istio:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
logging:
|
||||
enabled: false
|
@ -1,16 +0,0 @@
|
||||
kiam:
|
||||
ready: false
|
||||
|
||||
cert-manager:
|
||||
ready: true
|
||||
|
||||
istio:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
logging:
|
||||
enabled: false
|
@ -1,9 +0,0 @@
|
||||
istio:
|
||||
ready: false
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
ready: false
|
||||
|
||||
logging:
|
||||
enabled: false
|
@ -1,6 +0,0 @@
|
||||
metrics:
|
||||
enabled: true
|
||||
ready: false
|
||||
|
||||
logging:
|
||||
enabled: false
|
@ -39,12 +39,15 @@ metrics:
|
||||
|
||||
logging:
|
||||
enabled: false
|
||||
eck-operator:
|
||||
enabled: false
|
||||
fluentd:
|
||||
enabled: false
|
||||
fluent-bit:
|
||||
enabled: false
|
||||
|
||||
argo-cd:
|
||||
enabled: false
|
||||
server: {}
|
||||
istio:
|
||||
enabled: true
|
||||
|
Loading…
Reference in New Issue
Block a user