ci: cleanup and consolidate helmignore files

Stefan Reimer 2025-07-02 16:33:26 +00:00
parent 9eba23bcd5
commit 780fa1db96
88 changed files with 441 additions and 3726 deletions

View File

@ -21,3 +21,17 @@
.idea/
*.tmproj
.vscode/
ci/
*.gotmpl
/*.tgz
output
jsonnet
/dashboards.yaml
/prometheus-rules.yaml
*.patch
*.sh
*.py
*.md
istioctl
argocd
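
Review bot: the new entries `output`, `jsonnet`, `istioctl`, `argocd`, `*.sh`, `*.py` and `*.md` have no leading `/`, unlike `/*.tgz` and `/dashboards.yaml` next to them, so they match by basename at any depth, and through the symlinks they now apply to every chart, vendored subcharts under `charts/` included. Anchor the chart-specific ones (`/output`, `/jsonnet`, `/istioctl`, `/argocd`) and confirm that no chart loads a `.sh`, `.py` or `.md` file through `.Files`, because such a file would drop out of the package without an error. `*.md` also removes README.md from every packaged chart; say so in the commit message if that is intended.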

View File

@ -1,24 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
clamav.yaml

1
charts/clamav/.helmignore Symbolic link
View File

@ -0,0 +1 @@
../../.helmignore
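
Review bot: the per-chart `.helmignore` becomes a symlink that resolves outside the chart directory (`../../.helmignore`), so packaging now depends on how the tree was checked out. With `core.symlinks=false`, or an export that does not materialise links, this file is a one-line text file whose content is read as a single ignore pattern and every shared exclusion is lost silently, which would put `ci/`, scripts and downloaded binaries back into the published chart. Add a CI check that fails when `charts/*/.helmignore` is not a symlink resolving to the root file, or copy the file in at package time.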

View File

@ -18,7 +18,7 @@ Kubernetes: `>= 1.26.0`
| Repository | Name | Version |
|------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
## Values
@ -36,3 +36,6 @@ Kubernetes: `>= 1.26.0`
| replicaCount | int | `1` | |
| resources | object | `{"requests":{"cpu":"300m","memory":"2000M"}}` | The resource requests and limits for the clamav service |
| service.port | int | `3310` | The port to be used by the clamav service |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

View File

@ -1,32 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
README.md.gotmpl
*.patch
*.sh
*.py
istioctl
istio
istio.zdt

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,6 +1,6 @@
# envoy-ratelimit
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
Envoy gobal ratelimiting service - part of KubeZero
@ -24,14 +24,30 @@ Kubernetes: `>= 1.31.0-0`
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| descriptors.ingress[0].key | string | `"remote_address"` | |
| descriptors.ingress[0].rate_limit.requests_per_unit | int | `10` | |
| descriptors.ingress[0].rate_limit.unit | string | `"second"` | |
| descriptors.privateIngress[0].key | string | `"remote_address"` | |
| descriptors.privateIngress[0].rate_limit.requests_per_unit | int | `10` | |
| descriptors.privateIngress[0].rate_limit.unit | string | `"second"` | |
| descriptors.ingress[0].descriptors[0].key | string | `"remote_address"` | |
| descriptors.ingress[0].descriptors[0].rate_limit.requests_per_unit | int | `60` | |
| descriptors.ingress[0].descriptors[0].rate_limit.unit | string | `"minute"` | |
| descriptors.ingress[0].key | string | `"sourceIp"` | |
| descriptors.ingress[0].value | string | `"sixtyPerMinute"` | |
| descriptors.ingress[1].descriptors[0].key | string | `"remote_address"` | |
| descriptors.ingress[1].descriptors[0].rate_limit.requests_per_unit | int | `10` | |
| descriptors.ingress[1].descriptors[0].rate_limit.unit | string | `"second"` | |
| descriptors.ingress[1].key | string | `"sourceIp"` | |
| descriptors.ingress[1].value | string | `"tenPerSecond"` | |
| descriptors.privateIngress[0].descriptors[0].key | string | `"remote_address"` | |
| descriptors.privateIngress[0].descriptors[0].rate_limit.requests_per_unit | int | `60` | |
| descriptors.privateIngress[0].descriptors[0].rate_limit.unit | string | `"minute"` | |
| descriptors.privateIngress[0].key | string | `"sourceIp"` | |
| descriptors.privateIngress[0].value | string | `"sixtyPerMinute"` | |
| descriptors.privateIngress[1].descriptors[0].key | string | `"remote_address"` | |
| descriptors.privateIngress[1].descriptors[0].rate_limit.requests_per_unit | int | `10` | |
| descriptors.privateIngress[1].descriptors[0].rate_limit.unit | string | `"second"` | |
| descriptors.privateIngress[1].key | string | `"sourceIp"` | |
| descriptors.privateIngress[1].value | string | `"tenPerSecond"` | |
| failureModeDeny | bool | `false` | |
| image.repository | string | `"envoyproxy/ratelimit"` | |
| image.tag | string | `"80b15778"` | |
| localCacheSize | int | `1048576` | |
| log.format | string | `"json"` | |
| log.level | string | `"warn"` | |
| metrics.enabled | bool | `true` | |
| metrics.enabled | bool | `false` | |
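
Review bot: the last row flips the documented default of `metrics.enabled` from `true` to `false`, which removes the metrics for the rate limiter in the same release that restructures the `descriptors` limits, and neither is mentioned in a commit titled as a helmignore cleanup. Confirm the default change is intentional and note it in the chart changelog. The Description column is empty for every new `descriptors.*` key; a short comment in values.yaml on how the `sourceIp` values `sixtyPerMinute` and `tenPerSecond` are selected would make the table usable.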

View File

@ -1,2 +0,0 @@
*.md
*.md.gotmpl

1
charts/kubeadm/.helmignore Symbolic link
View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,6 +1,6 @@
# kubeadm
![Version: 1.32.3](https://img.shields.io/badge/Version-1.32.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 1.32.6](https://img.shields.io/badge/Version-1.32.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Kubeadm cluster config

View File

@ -0,0 +1 @@
../../.helmignore

1
charts/kubezero-argo/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
argocd

View File

@ -1,28 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
README.md.gotmpl
dashboards.yaml
jsonnet
update.sh

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -10,3 +10,8 @@ patch_chart argo-cd
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/argo-cd/grafana-dashboards.yaml
update_docs
ARGOCD_VERSION=$(yq eval '.appVersion' charts/argo-cd/Chart.yaml)
# Get matching istioctl
[ -x argocd ] && [ "$(./argocd version --short --client | awk '{print $2}' | sed -e 's/+.*//')" == $ARGOCD_VERSION ] || { curl -sL -o argocd https://github.com/argoproj/argo-cd/releases/download/$ARGOCD_VERSION/argocd-linux-amd64; chmod +x argocd; }
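
Review bot: the added last line downloads `argocd-linux-amd64` and marks it executable without any integrity check, and `curl -sL` has no `-f`, so an HTTP error body would be saved and chmod'ed as the binary. Fetch the release's published checksum file, verify it with `sha256sum -c` before the `chmod +x`, and add `-f` to curl. Smaller points on the same lines: the comment says "Get matching istioctl" but the code fetches argocd, `$ARGOCD_VERSION` is unquoted inside `[ ... == ... ]`, and `==` inside `[` is a bashism.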

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,6 +1,6 @@
# kubezero-cache
![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Cache module
@ -18,9 +18,9 @@ Kubernetes: `>= 1.29.0-0`
| Repository | Name | Version |
|------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.2.1 |
| https://charts.bitnami.com/bitnami | redis | 20.0.3 |
| https://charts.bitnami.com/bitnami | redis-cluster | 11.0.2 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://charts.bitnami.com/bitnami | redis | 20.11.5 |
| https://charts.bitnami.com/bitnami | redis-cluster | 11.5.0 |
## Values

View File

@ -1,25 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
vendor
rules

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -18,7 +18,7 @@ Kubernetes: `>= 1.30.0-0`
| Repository | Name | Version |
|------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://charts.jetstack.io | cert-manager | v1.17.1 |
## AWS - OIDC IAM roles

View File

@ -18,7 +18,7 @@
"subdir": "contrib/mixin"
}
},
"version": "eb7607bd8b3665d14aa40d50435ae8c9002d620c",
"version": "2e242a63fbea44b54802d40f4757936f8f67b434",
"sum": "XmXkOCriQIZmXwlIIFhqlJMa0e6qGWdxZD+ZDYaN0Po="
},
{
@ -28,8 +28,8 @@
"subdir": "grafana-mixin"
}
},
"version": "1120f9e255760a3c104b57871fcb91801e934382",
"sum": "MkjR7zCgq6MUZgjDzop574tFKoTX2OBr7DTwm1K+Ofs="
"version": "0a44e27aab911fcc9bef5c456fadaadab9c8d619",
"sum": "S8mRTRH4w62kMCa2je3iCtvscYrwQmkyJ7Y/aM14KbE="
},
{
"source": {
@ -48,7 +48,7 @@
"subdir": "gen/grafonnet-latest"
}
},
"version": "d20e609202733790caf5b554c9945d049f243ae3",
"version": "5a8f3d6aa89b7e7513528371d2d1265aedc844bc",
"sum": "V9vAj21qJOc2DlMPDgB1eEjSQU4A+sAA4AXuJ6bd4xc="
},
{
@ -58,7 +58,7 @@
"subdir": "gen/grafonnet-v10.0.0"
}
},
"version": "d20e609202733790caf5b554c9945d049f243ae3",
"version": "5a8f3d6aa89b7e7513528371d2d1265aedc844bc",
"sum": "xdcrJPJlpkq4+5LpGwN4tPAuheNNLXZjE6tDcyvFjr0="
},
{
@ -68,7 +68,7 @@
"subdir": "gen/grafonnet-v11.4.0"
}
},
"version": "d20e609202733790caf5b554c9945d049f243ae3",
"version": "5a8f3d6aa89b7e7513528371d2d1265aedc844bc",
"sum": "aVAX09paQYNOoCSKVpuk1exVIyBoMt/C50QJI+Q/3nA="
},
{
@ -78,8 +78,18 @@
"subdir": "grafana-builder"
}
},
"version": "ef841d571a704013b689368fe51e437810b6c935",
"sum": "yxqWcq/N3E/a/XreeU6EuE6X7kYPnG0AspAQFKOjASo="
"version": "cd4dd9a04aa740b2644e12810e48382188c25adc",
"sum": "G7B6E5sqWirDbMWRhifbLRfGgRFbIh9WCYa6X3kMh6g="
},
{
"source": {
"git": {
"remote": "https://github.com/grafana/jsonnet-libs.git",
"subdir": "mixin-utils"
}
},
"version": "cd4dd9a04aa740b2644e12810e48382188c25adc",
"sum": "iu4NT+YOgpxQnxElKML76cSxgTA0cwTmFfI0hOfHHmw="
},
{
"source": {
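
Review bot: this hunk adds a new locked dependency, `mixin-utils` from `https://github.com/grafana/jsonnet-libs.git`, alongside the refreshed pins, and the commit message only mentions helmignore files. State which mixin pulls it in and record the lock refresh in the commit message, or split it into its own commit, so the new entry and the changed `sum` values can be reviewed as a dependency update.
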
@ -88,8 +98,8 @@
"subdir": ""
}
},
"version": "de46a6811837f9750ef9c6df29dcae314f22da81",
"sum": "TMt8tZMdzt2JL7Wt6cvxxdwEY9FbQ3OOKxAzLsTu5/w="
"version": "d19464640e21f03d3b8c58e964763183f0f2a092",
"sum": "j3fnCr/3ubg190uvYT7nROp3waDaNFvO/Hopukwmq1A="
},
{
"source": {
@ -108,8 +118,8 @@
"subdir": ""
}
},
"version": "1199b50e9d2ff53d4bb5fb2304ad1fb69d38e609",
"sum": "LfbgcJbilu4uBdKYZSvmkoOTPwEAzg10L3/VqKAIWtA="
"version": "4eee017d21cb63a303925d1dcd9fc5c496809b46",
"sum": "Kh0GbIycNmJPzk6IOMXn1BbtLNyaiiimclYk7+mvsns="
},
{
"source": {
@ -118,8 +128,8 @@
"subdir": ""
}
},
"version": "4ff562d5e8145940cf355f62cf2308895c4dca81",
"sum": "kiL19fTbXOtNglsmT62kOzIf/Xpu+YwoiMPAApDXhkE="
"version": "cc7c60b9182346be662703df319e4ea56e317208",
"sum": "ij0NZqctn1iOw3wNr3ul3D6QjFZgvNmTNt6gu8/6oac="
},
{
"source": {
@ -128,7 +138,7 @@
"subdir": "jsonnet/kube-state-metrics"
}
},
"version": "350a7c472e1801a2e13b9895ec8ef38876c96dd0",
"version": "56d3b561e6954e0055ea0d6f2d7034f6d898b6c6",
"sum": "3bioG7CfTfY9zeu5xU4yon6Zt3kYvNkyl492nOhQxnM="
},
{
@ -138,7 +148,7 @@
"subdir": "jsonnet/kube-state-metrics-mixin"
}
},
"version": "350a7c472e1801a2e13b9895ec8ef38876c96dd0",
"version": "56d3b561e6954e0055ea0d6f2d7034f6d898b6c6",
"sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
},
{
@ -148,8 +158,8 @@
"subdir": "jsonnet/kube-prometheus"
}
},
"version": "1eea946a1532f1e8cccfceea98d907bf3a10b1d9",
"sum": "17LhiwefVfoNDsF3DcFZw/UL4PMU7YpNNUaOdaYd1gE="
"version": "f0abeaf2c817f8ec51f8e6ca0497d0d87b5a1c0c",
"sum": "ClY5bR72mU4gIQiWfvcZ+dT2uzqJAOb4oFbXD1h2vQE="
},
{
"source": {
@ -158,7 +168,7 @@
"subdir": "jsonnet/mixin"
}
},
"version": "7deab71d6d5921eeaf8c79e3ae8e31efe63783a9",
"version": "89a0ea9b2dc37dd9fbd42c93046275aae1a4dbfc",
"sum": "gi+knjdxs2T715iIQIntrimbHRgHnpM8IFBJDD1gYfs=",
"name": "prometheus-operator-mixin"
},
@ -169,8 +179,8 @@
"subdir": "jsonnet/prometheus-operator"
}
},
"version": "7deab71d6d5921eeaf8c79e3ae8e31efe63783a9",
"sum": "LctDdofQostvviE5y8vpRKWGGO1ZKO3dgJe7P9xifW0="
"version": "89a0ea9b2dc37dd9fbd42c93046275aae1a4dbfc",
"sum": "LaZuMowhHMgjroyJvccvXjj7FBdC1lgUnODu6/JzqLo="
},
{
"source": {
@ -179,8 +189,8 @@
"subdir": "doc/alertmanager-mixin"
}
},
"version": "b5d1a64ad5bb0ff879705714d1e40cea82efbd5c",
"sum": "Mf4h1BYLle2nrgjf/HXrBbl0Zk8N+xaoEM017o0BC+k=",
"version": "0ce3cfb962db3cbb1649d3e816a49a13c4036cd1",
"sum": "j5prvRrJdoCv7n45l5Uy2ghl1IDb9BBUqjwCDs4ZJoQ=",
"name": "alertmanager"
},
{
@ -190,8 +200,8 @@
"subdir": "docs/node-mixin"
}
},
"version": "02afa5c53c36123611533f2defea6ccd4546a9bb",
"sum": "8dNyJ4vpnKVBbCFN9YLsugp1IjlZjDCwdKMjKi0KTG4="
"version": "2179f0a34d2d7b6212f3a1c647d5aca44ffa33e5",
"sum": "NcpQ0Hz0qciUqmOYoAR0X8GUK5pH/QiUXm1aDNgvua0="
},
{
"source": {
@ -200,8 +210,8 @@
"subdir": "documentation/prometheus-mixin"
}
},
"version": "a5ffa83be83be22e2ec9fd1d4765299d8d16119e",
"sum": "2c+wttfee9TwuQJZIkNV7Tekem74Qgc7iZ842P28rNw=",
"version": "c481aaf762bf24155d297a3efdaef5ebc61aeba0",
"sum": "lT5n+8i4q20LuvlmtIs/GXdlX6fQiwwuZkeOtnAPT50=",
"name": "prometheus"
},
{
@ -211,8 +221,8 @@
"subdir": "jsonnet/controller-gen"
}
},
"version": "d723f4d1a066dd657e9d09c46a158519dda0faa8",
"sum": "cxAPQovFkM16zNB5/94O+sk/n3SETk6ao6Oas2Sa6RE=",
"version": "d31e021e01525a2629401b226bedff600f881757",
"sum": "O3c9Uurei8MWAY0Ad7DOL1fMqSgdHyHB7MpHsxSITKM=",
"name": "pyrra"
},
{
@ -222,7 +232,7 @@
"subdir": "mixin"
}
},
"version": "346d18bb0f8011c63d7106de494cf3b9253161a1",
"version": "ddd5ff85f4594e6970b0df3813d31c8f3024fe5f",
"sum": "ieCD4eMgGbOlrI8GmckGPHBGQDcLasE1rULYq56W/bs=",
"name": "thanos-mixin"
}

View File

@ -5,6 +5,10 @@ set -ex
update_helm
update_docs
cd jsonnet
update_jsonnet
# Install cert-mamanger mixin
@ -13,9 +17,7 @@ jb install github.com/imusmanmalik/cert-manager-mixin@main
# Install rules
rm -rf rules && mkdir -p rules
jsonnet -J vendor -m rules rules.jsonnet
../kubezero-metrics/sync_prometheus_rules.py cert-manager-rules.yaml templates
../../kubezero-metrics/sync_prometheus_rules.py ../prometheus-rules.yaml ../templates
# Fetch dashboards from Grafana.com and update ZDT CM
../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml
update_docs
../../kubezero-metrics/sync_grafana_dashboards.py ../dashboards.yaml ../templates/grafana-dashboards.yaml
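
Review bot: the context of the second hunk shows `jb install github.com/imusmanmalik/cert-manager-mixin@main`, which tracks a moving branch of a third-party repository each time this script runs, while every other dependency in the lock file is pinned to a commit. Pin it to a commit SHA and update it deliberately. Also, after the new `cd jsonnet` every later path is relative to that directory and the script never returns, so any step appended later has to account for it; the comment "cert-mamanger" has a typo.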

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -76,16 +76,17 @@ Kubernetes: `>= 1.25.0`
| gitea.persistence.size | string | `"4Gi"` | |
| gitea.postgresql-ha.enabled | bool | `false` | |
| gitea.postgresql.enabled | bool | `false` | |
| gitea.redis-cluster.enabled | bool | `false` | |
| gitea.repliaCount | int | `1` | |
| gitea.resources.limits.memory | string | `"2048Mi"` | |
| gitea.resources.requests.cpu | string | `"150m"` | |
| gitea.resources.requests.memory | string | `"320Mi"` | |
| gitea.resources.requests.cpu | string | `"200m"` | |
| gitea.resources.requests.memory | string | `"1024Mi"` | |
| gitea.securityContext.allowPrivilegeEscalation | bool | `false` | |
| gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| gitea.service.http.port | int | `80` | |
| gitea.strategy.type | string | `"Recreate"` | |
| gitea.test.enabled | bool | `false` | |
| gitea.valkey-cluster.enabled | bool | `false` | |
| gitea.valkey.enabled | bool | `false` | |
| jenkins.agent.annotations."cluster-autoscaler.kubernetes.io/safe-to-evict" | string | `"false"` | |
| jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | |
| jenkins.agent.containerCap | int | `2` | |
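
Review bot: the context row `gitea.repliaCount` looks like a misspelling of `replicaCount`. If the gitea subchart reads `replicaCount`, the value documented here is never applied and the replica count is whatever the subchart defaults to. Since this hunk already touches the gitea values, fix the key in values.yaml and regenerate the README. The memory request also rises from `320Mi` to `1024Mi` without a note on why.
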
@ -94,7 +95,7 @@ Kubernetes: `>= 1.25.0`
| jenkins.agent.garbageCollection.enabled | bool | `true` | |
| jenkins.agent.idleMinutes | int | `30` | |
| jenkins.agent.image.repository | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` | |
| jenkins.agent.image.tag | string | `"v0.7.0"` | |
| jenkins.agent.image.tag | string | `"v0.7.1"` | |
| jenkins.agent.inheritYamlMergeStrategy | bool | `true` | |
| jenkins.agent.podName | string | `"podman-aws"` | |
| jenkins.agent.podRetention | string | `"Default"` | |
@ -166,5 +167,5 @@ Kubernetes: `>= 1.25.0`
| renovate.securityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | |
| trivy.enabled | bool | `false` | |
| trivy.persistence.enabled | bool | `true` | |
| trivy.persistence.size | string | `"1Gi"` | |
| trivy.persistence.size | string | `"2Gi"` | |
| trivy.rbac.create | bool | `false` | |

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,6 +1,6 @@
# kubezero-falco
![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
Falco Container Security and Audit components
@ -18,8 +18,8 @@ Kubernetes: `>= 1.26.0`
| Repository | Name | Version |
|------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://falcosecurity.github.io/charts | k8saudit(falco) | 4.2.5 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://falcosecurity.github.io/charts | k8saudit(falco) | 5.0.0 |
## Values
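
Review bot: the `k8saudit(falco)` dependency moves from `4.2.5` to `5.0.0`, a major version bump of the audit detection component, inside a commit described as helmignore cleanup. Call it out in the commit message and check the upstream chart's breaking changes against the values this chart sets under `k8saudit`. The `kubezero-lib` constraint also changes from the range `>= 0.1.6` to the exact `0.2.1`, which is the safer choice; keep it consistent across all charts.
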
@ -61,3 +61,6 @@ Kubernetes: `>= 1.26.0`
| k8saudit.services[0].name | string | `"webhook"` | |
| k8saudit.services[0].ports[0].port | int | `9765` | |
| k8saudit.services[0].ports[0].protocol | string | `"TCP"` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

View File

@ -1,6 +1,6 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (C) 2023 The Falco Authors.
# Copyright (C) 2025 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
@ -19,15 +19,19 @@
- required_engine_version: 15
- required_plugin_versions:
- name: k8saudit
version: 0.7.0
alternatives:
- name: k8saudit-eks
version: 0.4.0
- name: k8saudit-gke
version: 0.1.0
- name: json
version: 0.7.0
- name: k8saudit
version: 0.7.0
alternatives:
- name: k8saudit-aks
version: 0.1.0
- name: k8saudit-eks
version: 0.4.0
- name: k8saudit-gke
version: 0.1.0
- name: k8saudit-ovh
version: 0.1.0
- name: json
version: 0.7.0
# Like always_true/always_false, but works with k8s audit events
- macro: k8s_audit_always_true
@ -57,68 +61,95 @@
items: ["vpa-recommender", "vpa-updater"]
- list: allowed_k8s_users
items: [
"minikube", "minikube-user", "kubelet", "kops", "admin", "kube", "kube-proxy", "kube-apiserver-healthcheck",
"kubernetes-admin",
vertical_pod_autoscaler_users,
cluster-autoscaler,
"system:addon-manager",
"cloud-controller-manager",
"system:kube-controller-manager"
items:
[
"minikube",
"minikube-user",
"kubelet",
"kops",
"admin",
"kube",
"kube-proxy",
"kube-apiserver-healthcheck",
"kubernetes-admin",
vertical_pod_autoscaler_users,
cluster-autoscaler,
"system:addon-manager",
"cloud-controller-manager",
"system:kube-controller-manager",
]
- list: eks_allowed_k8s_users
items: [
"eks:node-manager",
"eks:certificate-controller",
"eks:fargate-scheduler",
"eks:k8s-metrics",
"eks:authenticator",
"eks:cluster-event-watcher",
"eks:nodewatcher",
"eks:pod-identity-mutating-webhook",
"eks:cloud-controller-manager",
"eks:vpc-resource-controller",
"eks:addon-manager",
items:
[
"eks:node-manager",
"eks:certificate-controller",
"eks:fargate-scheduler",
"eks:k8s-metrics",
"eks:authenticator",
"eks:cluster-event-watcher",
"eks:nodewatcher",
"eks:pod-identity-mutating-webhook",
"eks:cloud-controller-manager",
"eks:vpc-resource-controller",
"eks:addon-manager",
]
- list: k8s_audit_sensitive_mount_images
items: [
falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
docker.io/sysdig/sysdig, sysdig/sysdig,
gcr.io/google_containers/hyperkube,
gcr.io/google_containers/kube-proxy, docker.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
]
items:
[
falcosecurity/falco,
docker.io/falcosecurity/falco,
public.ecr.aws/falcosecurity/falco,
docker.io/sysdig/sysdig,
sysdig/sysdig,
gcr.io/google_containers/hyperkube,
gcr.io/google_containers/kube-proxy,
docker.io/calico/node,
docker.io/rook/toolbox,
docker.io/cloudnativelabs/kube-router,
docker.io/consul,
docker.io/datadog/docker-dd-agent,
docker.io/datadog/agent,
docker.io/docker/ucp-agent,
docker.io/gliderlabs/logspout,
docker.io/netdata/netdata,
docker.io/google/cadvisor,
docker.io/prom/node-exporter,
amazon/amazon-ecs-agent,
prom/node-exporter,
amazon/cloudwatch-agent,
]
- list: k8s_audit_privileged_images
items: [
falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
docker.io/calico/node, calico/node,
docker.io/cloudnativelabs/kube-router,
docker.io/docker/ucp-agent,
docker.io/mesosphere/mesos-slave,
docker.io/rook/toolbox,
docker.io/sysdig/sysdig,
gcr.io/google_containers/kube-proxy,
gcr.io/google-containers/startup-script,
gcr.io/projectcalico-org/node,
gke.gcr.io/kube-proxy,
gke.gcr.io/gke-metadata-server,
gke.gcr.io/netd-amd64,
gke.gcr.io/watcher-daemonset,
gcr.io/google-containers/prometheus-to-sd,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/kube-proxy,
registry.k8s.io/prometheus-to-sd,
quay.io/calico/node,
sysdig/sysdig,
registry.k8s.io/dns/k8s-dns-node-cache,
mcr.microsoft.com/oss/kubernetes/kube-proxy
]
items:
[
falcosecurity/falco,
docker.io/falcosecurity/falco,
public.ecr.aws/falcosecurity/falco,
docker.io/calico/node,
calico/node,
docker.io/cloudnativelabs/kube-router,
docker.io/docker/ucp-agent,
docker.io/mesosphere/mesos-slave,
docker.io/rook/toolbox,
docker.io/sysdig/sysdig,
gcr.io/google_containers/kube-proxy,
gcr.io/google-containers/startup-script,
gcr.io/projectcalico-org/node,
gke.gcr.io/kube-proxy,
gke.gcr.io/gke-metadata-server,
gke.gcr.io/netd-amd64,
gke.gcr.io/watcher-daemonset,
gcr.io/google-containers/prometheus-to-sd,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/kube-proxy,
registry.k8s.io/prometheus-to-sd,
quay.io/calico/node,
sysdig/sysdig,
registry.k8s.io/dns/k8s-dns-node-cache,
mcr.microsoft.com/oss/kubernetes/kube-proxy,
]
- rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users.
@ -182,6 +213,9 @@
- macro: role
condition: ka.target.resource=roles
- macro: rolebinding
condition: ka.target.resource=rolebindings
- macro: secret
condition: ka.target.resource=secrets
@ -229,16 +263,17 @@
# These container images are allowed to run with hostnetwork=true
# TODO: Remove k8s.gcr.io reference after 01/Dec/2023
- list: k8s_audit_hostnetwork_images
items: [
gcr.io/google-containers/prometheus-to-sd,
gcr.io/projectcalico-org/typha,
gcr.io/projectcalico-org/node,
gke.gcr.io/gke-metadata-server,
gke.gcr.io/kube-proxy,
gke.gcr.io/netd-amd64,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/prometheus-to-sd
]
items:
[
gcr.io/google-containers/prometheus-to-sd,
gcr.io/projectcalico-org/typha,
gcr.io/projectcalico-org/node,
gke.gcr.io/gke-metadata-server,
gke.gcr.io/kube-proxy,
gke.gcr.io/netd-amd64,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/prometheus-to-sd,
]
# Corresponds to K8s CIS Benchmark 1.7.4
- rule: Create HostNetwork Pod
@ -294,9 +329,9 @@
- rule: Create/Modify Configmap With Private Credentials
desc: >
Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
condition: kevt and configmap and kmodify and contains_private_credentials
output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb resource=%ka.target.resource configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb resource=%ka.target.resource configmap=%ka.req.configmap.name)
priority: WARNING
source: k8s_audit
tags: [k8s]
@ -330,7 +365,7 @@
- rule: Attach/Exec Pod
desc: >
Detect any attempt to attach/exec to a pod
condition: kevt_started and pod_subresource and kcreate and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
condition: kevt_started and pod_subresource and (kcreate or kget) and ka.target.subresource in (exec,attach) and not user_known_exec_pod_activities
output: Attach/Exec to pod (user=%ka.user.name pod=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace action=%ka.target.subresource command=%ka.uri.param[command])
priority: NOTICE
source: k8s_audit
@ -388,30 +423,32 @@
# TODO: Remove k8s.gcr.io reference after 01/Dec/2023
- list: allowed_kube_namespace_image_list
items: [
gcr.io/google-containers/prometheus-to-sd,
gcr.io/projectcalico-org/node,
gke.gcr.io/addon-resizer,
gke.gcr.io/heapster,
gke.gcr.io/gke-metadata-server,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/kube-apiserver,
gke.gcr.io/kube-proxy,
gke.gcr.io/netd-amd64,
gke.gcr.io/watcher-daemonset,
registry.k8s.io/addon-resizer,
registry.k8s.io/prometheus-to-sd,
registry.k8s.io/k8s-dns-dnsmasq-nanny-amd64,
registry.k8s.io/k8s-dns-kube-dns-amd64,
registry.k8s.io/k8s-dns-sidecar-amd64,
registry.k8s.io/metrics-server-amd64,
kope/kube-apiserver-healthcheck,
k8s_image_list
]
items:
[
gcr.io/google-containers/prometheus-to-sd,
gcr.io/projectcalico-org/node,
gke.gcr.io/addon-resizer,
gke.gcr.io/heapster,
gke.gcr.io/gke-metadata-server,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/kube-apiserver,
gke.gcr.io/kube-proxy,
gke.gcr.io/netd-amd64,
gke.gcr.io/watcher-daemonset,
registry.k8s.io/addon-resizer,
registry.k8s.io/prometheus-to-sd,
registry.k8s.io/k8s-dns-dnsmasq-nanny-amd64,
registry.k8s.io/k8s-dns-kube-dns-amd64,
registry.k8s.io/k8s-dns-sidecar-amd64,
registry.k8s.io/metrics-server-amd64,
kope/kube-apiserver-healthcheck,
k8s_image_list,
]
- macro: allowed_kube_namespace_pods
condition: (ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
condition:
(ka.req.pod.containers.image.repository in (user_allowed_kube_namespace_image_list) or
ka.req.pod.containers.image.repository in (allowed_kube_namespace_image_list))
# Detect any new pod created in the kube-system namespace
- rule: Pod Created in Kube Namespace
@ -426,31 +463,32 @@
items: []
- list: known_sa_list
items: [
coredns,
coredns-autoscaler,
cronjob-controller,
daemon-set-controller,
deployment-controller,
disruption-controller,
endpoint-controller,
endpointslice-controller,
endpointslicemirroring-controller,
generic-garbage-collector,
horizontal-pod-autoscaler,
job-controller,
namespace-controller,
node-controller,
persistent-volume-binder,
pod-garbage-collector,
pv-protection-controller,
pvc-protection-controller,
replicaset-controller,
resourcequota-controller,
root-ca-cert-publisher,
service-account-controller,
statefulset-controller
]
items:
[
coredns,
coredns-autoscaler,
cronjob-controller,
daemon-set-controller,
deployment-controller,
disruption-controller,
endpoint-controller,
endpointslice-controller,
endpointslicemirroring-controller,
generic-garbage-collector,
horizontal-pod-autoscaler,
job-controller,
namespace-controller,
node-controller,
persistent-volume-binder,
pod-garbage-collector,
pv-protection-controller,
pvc-protection-controller,
replicaset-controller,
resourcequota-controller,
root-ca-cert-publisher,
service-account-controller,
statefulset-controller,
]
- macro: trusted_sa
condition: (ka.target.name in (known_sa_list, user_known_sa_list))
@ -469,8 +507,9 @@
# normal operation.
- rule: System ClusterRole Modified/Deleted
desc: Detect any attempt to modify/delete a ClusterRole/Role starting with system
condition: kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
not ka.target.name in (system:coredns, system:managed-certificate-controller)
condition:
kevt and (role or clusterrole) and (kmodify or kdelete) and (ka.target.name startswith "system:") and
not ka.target.name in (system:coredns, system:managed-certificate-controller)
output: System ClusterRole/Role modified or deleted (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource ns=%ka.target.namespace action=%ka.verb)
priority: WARNING
source: k8s_audit
@ -603,34 +642,66 @@
source: k8s_audit
tags: [k8s]
- rule: K8s Role/Clusterrole Created
desc: Detect any attempt to create a cluster role/role
condition: (kactivity and kcreate and (clusterrole or role) and response_successful)
output: K8s Cluster Role Created (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
- rule: K8s Role Created
desc: Detect any attempt to create a role
condition: (kactivity and kcreate and role and response_successful)
output: K8s Role Created (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace resource=%ka.target.resource rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
tags: [k8s]
- rule: K8s Role/Clusterrole Deleted
desc: Detect any attempt to delete a cluster role/role
condition: (kactivity and kdelete and (clusterrole or role) and response_successful)
output: K8s Cluster Role Deleted (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
- rule: K8s Role Deleted
desc: Detect any attempt to delete a role
condition: (kactivity and kdelete and role and response_successful)
output: K8s Role Deleted (user=%ka.user.name role=%ka.target.name ns=%ka.target.namespace resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
tags: [k8s]
- rule: K8s Role/Clusterrolebinding Created
- rule: K8s ClusterRole Created
desc: Detect any attempt to create a cluster role
condition: (kactivity and kcreate and clusterrole and response_successful)
output: K8s ClusterRole Created (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource rules=%ka.req.role.rules resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
tags: [k8s]
- rule: K8s ClusterRole Deleted
desc: Detect any attempt to delete a cluster role
condition: (kactivity and kdelete and clusterrole and response_successful)
output: K8s ClusterRole Deleted (user=%ka.user.name role=%ka.target.name resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
tags: [k8s]
- rule: K8s RoleBinding Created
desc: Detect any attempt to create a rolebinding
condition: (kactivity and kcreate and rolebinding and response_successful)
output: K8s RoleBinding Created (user=%ka.user.name binding=%ka.target.name ns=%ka.target.namespace resource=%ka.target.resource subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
tags: [k8s]
- rule: K8s RoleBinding Deleted
desc: Detect any attempt to delete a rolebinding
condition: (kactivity and kdelete and rolebinding and response_successful)
output: K8s RoleBinding Deleted (user=%ka.user.name binding=%ka.target.name ns=%ka.target.namespace resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
tags: [k8s]
- rule: K8s ClusterRoleBinding Created
desc: Detect any attempt to create a clusterrolebinding
condition: (kactivity and kcreate and clusterrolebinding and response_successful)
output: K8s Cluster Role Binding Created (user=%ka.user.name binding=%ka.target.name resource=%ka.target.resource subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
output: K8s ClusterRoleBinding Created (user=%ka.user.name binding=%ka.target.name resource=%ka.target.resource subjects=%ka.req.binding.subjects role=%ka.req.binding.role resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
tags: [k8s]
- rule: K8s Role/Clusterrolebinding Deleted
- rule: K8s ClusterRoleBinding Deleted
desc: Detect any attempt to delete a clusterrolebinding
condition: (kactivity and kdelete and clusterrolebinding and response_successful)
output: K8s Cluster Role Binding Deleted (user=%ka.user.name binding=%ka.target.name resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
output: K8s ClusterRoleBinding Deleted (user=%ka.user.name binding=%ka.target.name resource=%ka.target.resource resp=%ka.response.code decision=%ka.auth.decision reason=%ka.auth.reason)
priority: INFO
source: k8s_audit
tags: [k8s]
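Review bot: The rule names and output prefixes change in this hunk (`K8s Role/Clusterrolebinding Created` becomes `K8s ClusterRole Created`, `K8s Cluster Role Binding Created` becomes `K8s ClusterRoleBinding Created`, and likewise for the delete rules), so any rule override, exception or alert route keyed on the old strings will stop matching without an error. List the renamed rules in the commit message and update downstream matchers in the same change. Separately, every RBAC rule here stays at `priority: INFO`; a successful ClusterRoleBinding create is a privilege change and may deserve a higher priority than a role delete.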
@ -663,7 +734,7 @@
source: k8s_audit
tags: [k8s]
- rule: K8s Secret Get Unsuccessfully Tried
- rule: K8s Secret Get Unsuccessfully Tried
desc: >
Detect an unsuccessful attempt to get the secret. Service account tokens are excluded.
condition: >
@ -693,14 +764,20 @@
source: k8s_audit
tags: [k8s]
# This macro disables following rule, change to k8s_audit_never_true to enable it
- macro: allowed_full_admin_users
condition: (k8s_audit_always_true)
# This list includes some of the default user names for an administrator in several K8s installations
- list: full_admin_k8s_users
items: ["admin", "kubernetes-admin", "kubernetes-admin@kubernetes", "kubernetes-admin@cluster.local", "minikube-user"]
items:
[
"admin",
"kubernetes-admin",
"kubernetes-admin@kubernetes",
"kubernetes-admin@cluster.local",
"minikube-user",
]
# This rules detect an operation triggered by an user name that is
# included in the list of those that are default administrators upon
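Review bot: `allowed_full_admin_users` is still `(k8s_audit_always_true)`, which per the comment above it keeps the rule that follows disabled, so the reflowed `full_admin_k8s_users` list feeds a detection that never fires. The multi-line list is a pure formatting change; consider dropping it from this commit so the diff shows only functional edits, and decide separately whether the macro should be switched to `k8s_audit_never_true`.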

View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View File

@ -0,0 +1 @@
../../.helmignore
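Review bot: Replacing the per-chart file with a symlink to `../../.helmignore` makes packaging depend on the checkout preserving symlinks and on the chart sitting exactly two directories below the shared file. With `core.symlinks=false` git checks the link out as a regular file containing the path, and the chart's ignore rules would then be the single pattern `../../.helmignore`. A CI step that verifies each chart's `.helmignore` resolves to the shared file would catch both cases before a package is built with unintended files in it.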

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,3 +1 @@
istioctl
istio
istio.zdt

View File

@ -1,32 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
README.md.gotmpl
*.patch
*.sh
*.py
istioctl
istio
istio.zdt
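Review bot: The tail of this deleted file holds chart-specific patterns that the generic template does not have (`README.md.gotmpl`, `*.patch`, `*.sh`, `*.py`, `istioctl`, `istio`, `istio.zdt`). Confirm the shared `.helmignore` that replaces it covers each one, in particular `istio` and `istio.zdt`; any pattern that is not carried over means those paths start shipping inside the packaged chart.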

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,6 +1,6 @@
# kubezero-istio
![Version: 0.24.7](https://img.shields.io/badge/Version-0.24.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.26.1](https://img.shields.io/badge/Version-0.26.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for Istio

View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -111,7 +111,7 @@ Kubernetes: `>= 1.26.0`
| fluentd.fileConfigs."02_filters.conf" | string | `"<label @KUBERNETES>\n # prevent log feedback loops eg. ES has issues etc.\n # discard logs from our own pods\n <match kube.logging.fluentd>\n @type relabel\n @label @FLUENT_LOG\n </match>\n\n # Exclude current fluent-bit multiline noise\n <filter kube.logging.fluent-bit>\n @type grep\n <exclude>\n key log\n pattern /could not append content to multiline context/\n </exclude>\n </filter>\n\n # Generate Hash ID to break endless loop for already ingested events during retries\n <filter **>\n @type elasticsearch_genid\n use_entire_record true\n </filter>\n\n # Route through DISPATCH for Prometheus metrics\n <match **>\n @type relabel\n @label @DISPATCH\n </match>\n</label>"` | |
| fluentd.fileConfigs."04_outputs.conf" | string | `"<label @OUTPUT>\n <match **>\n @id out_es\n @type elasticsearch\n # @log_level debug\n include_tag_key true\n\n id_key _hash\n remove_keys _hash\n write_operation create\n\n # KubeZero pipeline incl. GeoIP etc.\n pipeline fluentd\n\n hosts \"{{ .Values.output.host }}\"\n port 9200\n scheme http\n user elastic\n password \"#{ENV['OUTPUT_PASSWORD']}\"\n\n log_es_400_reason\n logstash_format true\n reconnect_on_error true\n reload_on_failure true\n request_timeout 300s\n slow_flush_log_threshold 55.0\n\n #with_transporter_log true\n\n verify_es_version_at_startup false\n default_elasticsearch_version 7\n suppress_type_name true\n\n # Retry failed bulk requests\n # https://github.com/uken/fluent-plugin-elasticsearch#unrecoverable-error-types\n unrecoverable_error_types [\"out_of_memory_error\"]\n bulk_message_request_threshold 1048576\n\n <buffer>\n @type file\n\n flush_mode interval\n flush_thread_count 2\n flush_interval 10s\n\n chunk_limit_size 2MB\n total_limit_size 1GB\n\n flush_at_shutdown true\n retry_type exponential_backoff\n retry_timeout 6h\n overflow_action drop_oldest_chunk\n disable_chunk_backup true\n </buffer>\n </match>\n</label>"` | |
| fluentd.image.repository | string | `"public.ecr.aws/zero-downtime/fluentd-concenter"` | |
| fluentd.image.tag | string | `"v1.16.3"` | |
| fluentd.image.tag | string | `"v1.16.5"` | |
| fluentd.istio.enabled | bool | `false` | |
| fluentd.kind | string | `"Deployment"` | |
| fluentd.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
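Review bot: `fluentd.image.tag` moves from `v1.16.3` to `v1.16.5` but `public.ecr.aws/zero-downtime/fluentd-concenter` is still referenced by tag only. If the chart accepts a digest, pinning it alongside the tag would make the bump verifiable and the deployment reproducible. The context lines also show the Elasticsearch output using `scheme http` with `user elastic`, which is worth a follow-up since the password travels unencrypted.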

View File

@ -1,27 +0,0 @@
annotations:
artifacthub.io/changes: |
- kind: changed
description: "Updated Fluent Bit OCI image to v3.1.9"
apiVersion: v1
appVersion: 3.1.9
description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD
family operating systems.
home: https://fluentbit.io/
icon: https://raw.githubusercontent.com/cncf/artwork/master/projects/fluentd/fluentbit/icon/fluentbit-icon-color.svg
keywords:
- logging
- fluent-bit
- fluentd
maintainers:
- email: eduardo@calyptia.com
name: edsiper
- email: naseem@transit.app
name: naseemkullah
- email: towmeykaw@gmail.com
name: Towmeykaw
- email: steve.hipwell@gmail.com
name: stevehipwell
name: fluent-bit
sources:
- https://github.com/fluent/fluent-bit/
version: 0.47.10
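Review bot: Deleting this Chart.yaml (`name: fluent-bit`, `version: 0.47.10`) removes the vendored copy of the fluent-bit chart, which is a dependency change rather than an ignore-file cleanup. State in the commit message where fluent-bit now comes from and at which pinned version, and confirm the parent chart declares that dependency explicitly, so the templates removed in the following hunks are replaced by a known upstream release rather than whatever resolves at build time.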

View File

@ -1,57 +0,0 @@
# Fluent Bit Helm chart
[Fluent Bit](https://fluentbit.io) is a fast and lightweight log processor and forwarder or Linux, OSX and BSD family operating systems.
## Installation
To add the `fluent` helm repo, run:
```sh
helm repo add fluent https://fluent.github.io/helm-charts
```
To install a release named `fluent-bit`, run:
```sh
helm install fluent-bit fluent/fluent-bit
```
## Chart values
```sh
helm show values fluent/fluent-bit
```
## Using Lua scripts
Fluent Bit allows us to build filter to modify the incoming records using custom [Lua scripts.](https://docs.fluentbit.io/manual/pipeline/filters/lua)
### How to use Lua scripts with this Chart
First, you should add your Lua scripts to `luaScripts` in values.yaml, for example:
```yaml
luaScripts:
filter_example.lua: |
function filter_name(tag, timestamp, record)
-- put your lua code here.
end
```
After that, the Lua scripts will be ready to be used as filters. So next step is to add your Fluent bit [filter](https://docs.fluentbit.io/manual/concepts/data-pipeline/filter) to `config.filters` in values.yaml, for example:
```yaml
config:
filters: |
[FILTER]
Name lua
Match <your-tag>
script /fluent-bit/scripts/filter_example.lua
call filter_name
```
Under the hood, the chart will:
- Create a configmap using `luaScripts`.
- Add a volumeMounts for each Lua scripts using the path `/fluent-bit/scripts/<script>`.
- Add the Lua script's configmap as volume to the pod.
### Note
Remember to set the `script` attribute in the filter using `/fluent-bit/scripts/`, otherwise the file will not be found by fluent bit.

View File

@ -1,8 +0,0 @@
testFramework:
enabled: true
logLevel: debug
dashboards:
enabled: true
deterministicUid: true

View File

@ -1,6 +0,0 @@
Get Fluent Bit build information by running these commands:
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "fluent-bit.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 2020:2020
curl http://127.0.0.1:2020

View File

@ -1,138 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "fluent-bit.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "fluent-bit.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "fluent-bit.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "fluent-bit.labels" -}}
helm.sh/chart: {{ include "fluent-bit.chart" . }}
{{ include "fluent-bit.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "fluent-bit.selectorLabels" -}}
app.kubernetes.io/name: {{ include "fluent-bit.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "fluent-bit.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "fluent-bit.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Fluent-bit image with tag/digest
*/}}
{{- define "fluent-bit.image" -}}
{{- $tag := ternary "" (printf ":%s" (toString .tag)) (or (empty .tag) (eq "-" (toString .tag))) -}}
{{- $digest := ternary "" (printf "@%s" .digest) (empty .digest) -}}
{{- printf "%s%s%s" .repository $tag $digest -}}
{{- end -}}
{{/*
Ingress ApiVersion according k8s version
*/}}
{{- define "fluent-bit.ingress.apiVersion" -}}
{{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion) -}}
networking.k8s.io/v1
{{- else if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") (semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion) -}}
networking.k8s.io/v1beta1
{{- else -}}
extensions/v1beta1
{{- end }}
{{- end }}
{{/*
Return if ingress is stable.
*/}}
{{- define "fluent-bit.ingress.isStable" -}}
{{- eq (include "fluent-bit.ingress.apiVersion" .) "networking.k8s.io/v1" -}}
{{- end -}}
{{/*
Return if ingress supports ingressClassName.
*/}}
{{- define "fluent-bit.ingress.supportsIngressClassName" -}}
{{- or (eq (include "fluent-bit.ingress.isStable" .) "true") (and (eq (include "fluent-bit.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
{{- end -}}
{{/*
Return if ingress supports pathType.
*/}}
{{- define "fluent-bit.ingress.supportsPathType" -}}
{{- or (eq (include "fluent-bit.ingress.isStable" .) "true") (and (eq (include "fluent-bit.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
{{- end -}}
{{/*
Pdb apiVersion according k8s version and capabilities
*/}}
{{- define "fluent-bit.pdb.apiVersion" -}}
{{- if and (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion) -}}
policy/v1
{{- else -}}
policy/v1beta1
{{- end }}
{{- end -}}
{{/*
HPA ApiVersion according k8s version
Check legacy first so helm template / kustomize will default to latest version
*/}}
{{- define "fluent-bit.hpa.apiVersion" -}}
{{- if and (.Capabilities.APIVersions.Has "autoscaling/v2beta2") (semverCompare "<1.23-0" .Capabilities.KubeVersion.GitVersion) -}}
autoscaling/v2beta2
{{- else -}}
autoscaling/v2
{{- end -}}
{{- end -}}
{{/*
Create the name of OpenShift SecurityContextConstraints to use
*/}}
{{- define "fluent-bit.openShiftSccName" -}}
{{- if not .Values.openShift.securityContextConstraints.create -}}
{{- printf "%s" .Values.openShift.securityContextConstraints.existingName -}}
{{- else -}}
{{- printf "%s" (default (include "fluent-bit.fullname" .) .Values.openShift.securityContextConstraints.name) -}}
{{- end -}}
{{- end -}}

View File

@ -1,155 +0,0 @@
{{- define "fluent-bit.pod" -}}
serviceAccountName: {{ include "fluent-bit.serviceAccountName" . }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- with .Values.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ . }}
{{- end }}
hostNetwork: {{ .Values.hostNetwork }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- with .Values.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.hostAliases }}
hostAliases:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.initContainers }}
initContainers:
{{- if kindIs "string" . }}
{{- tpl . $ | nindent 2 }}
{{- else }}
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- end }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 6 }}
{{- end }}
image: {{ include "fluent-bit.image" (merge .Values.image (dict "tag" (default .Chart.AppVersion .Values.image.tag))) | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if or .Values.env .Values.envWithTpl }}
env:
{{- with .Values.env }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- range $item := .Values.envWithTpl }}
- name: {{ $item.name }}
value: {{ tpl $item.value $ | quote }}
{{- end }}
{{- end }}
{{- if .Values.envFrom }}
envFrom:
{{- toYaml .Values.envFrom | nindent 6 }}
{{- end }}
{{- with .Values.command }}
command:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- if or .Values.args .Values.hotReload.enabled }}
args:
{{- toYaml .Values.args | nindent 6 }}
{{- if .Values.hotReload.enabled }}
- --enable-hot-reload
{{- end }}
{{- end}}
ports:
- name: http
containerPort: {{ .Values.metricsPort }}
protocol: TCP
{{- if .Values.extraPorts }}
{{- range .Values.extraPorts }}
- name: {{ .name }}
containerPort: {{ .containerPort }}
protocol: {{ .protocol }}
{{- end }}
{{- end }}
{{- with .Values.lifecycle }}
lifecycle:
{{- toYaml . | nindent 6 }}
{{- end }}
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 6 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 6 }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 6 }}
{{- end }}
volumeMounts:
- name: config
mountPath: /fluent-bit/etc/conf
{{- if or .Values.luaScripts .Values.hotReload.enabled }}
- name: luascripts
mountPath: /fluent-bit/scripts
{{- end }}
{{- if eq .Values.kind "DaemonSet" }}
{{- toYaml .Values.daemonSetVolumeMounts | nindent 6 }}
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 6 }}
{{- end }}
{{- if .Values.hotReload.enabled }}
- name: reloader
image: {{ include "fluent-bit.image" .Values.hotReload.image }}
args:
- {{ printf "-webhook-url=http://localhost:%s/api/v2/reload" (toString .Values.metricsPort) }}
- -volume-dir=/watch/config
- -volume-dir=/watch/scripts
volumeMounts:
- name: config
mountPath: /watch/config
- name: luascripts
mountPath: /watch/scripts
{{- with .Values.hotReload.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.extraContainers }}
{{- if kindIs "string" .Values.extraContainers }}
{{- tpl .Values.extraContainers $ | nindent 2 }}
{{- else }}
{{- toYaml .Values.extraContainers | nindent 2 }}
{{- end -}}
{{- end }}
volumes:
- name: config
configMap:
name: {{ default (include "fluent-bit.fullname" .) .Values.existingConfigMap }}
{{- if or .Values.luaScripts .Values.hotReload.enabled }}
- name: luascripts
configMap:
name: {{ include "fluent-bit.fullname" . }}-luascripts
{{- end }}
{{- if eq .Values.kind "DaemonSet" }}
{{- toYaml .Values.daemonSetVolumes | nindent 2 }}
{{- end }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 2 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end -}}

View File

@ -1,46 +0,0 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "fluent-bit.fullname" . }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
{{- if .Values.rbac.nodeAccess }}
- nodes
- nodes/metrics
- nodes/proxy
{{- end }}
{{- if .Values.rbac.eventsAccess }}
- events
{{- end }}
verbs:
- get
- list
- watch
{{- if and .Values.podSecurityPolicy.create (semverCompare "<=1.25-0" .Capabilities.KubeVersion.GitVersion) }}
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- {{ include "fluent-bit.fullname" . }}
verbs:
- use
{{- end }}
{{- if .Values.openShift.enabled }}
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- {{ include "fluent-bit.openShiftSccName" . }}
verbs:
- use
{{- end }}
{{- end -}}

View File

@ -1,16 +0,0 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "fluent-bit.fullname" . }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "fluent-bit.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "fluent-bit.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end -}}

View File

@ -1,21 +0,0 @@
{{- if .Values.dashboards.enabled -}}
{{- range $path, $_ := .Files.Glob "dashboards/*.json" }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "fluent-bit.fullname" $ }}-dashboard-{{ trimSuffix ".json" (base $path) }}
namespace: {{ default $.Release.Namespace $.Values.dashboards.namespace }}
{{- with $.Values.dashboards.annotations }}
annotations:
{{- toYaml . | nindent 4 -}}
{{- end }}
labels:
{{- include "fluent-bit.labels" $ | nindent 4 }}
{{ $.Values.dashboards.labelKey }}: {{ $.Values.dashboards.labelValue | quote }}
data:
{{ include "fluent-bit.fullname" $ }}-{{ base $path }}: |
{{- tpl ($.Files.Get $path) $ | nindent 4 }}
---
{{- end }}
{{- end -}}

View File

@ -1,13 +0,0 @@
{{- if or .Values.luaScripts .Values.hotReload.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "fluent-bit.fullname" . }}-luascripts
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
data:
{{ range $key, $value := .Values.luaScripts }}
{{ $key }}: {{ $value | quote }}
{{ end }}
{{- end -}}

View File

@ -1,25 +0,0 @@
{{- if not .Values.existingConfigMap -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "fluent-bit.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
data:
custom_parsers.conf: |
{{- (tpl .Values.config.customParsers $) | nindent 4 }}
fluent-bit.conf: |
{{- (tpl .Values.config.service $) | nindent 4 }}
{{- (tpl .Values.config.inputs $) | nindent 4 }}
{{- (tpl .Values.config.filters $) | nindent 4 }}
{{- (tpl .Values.config.outputs $) | nindent 4 }}
{{- range $key, $val := .Values.config.upstream }}
{{ $key }}: |
{{- (tpl $val $) | nindent 4 }}
{{- end }}
{{- range $key, $val := .Values.config.extraFiles }}
{{ $key }}: |
{{- (tpl $val $) | nindent 4 }}
{{- end }}
{{- end -}}

View File

@ -1,48 +0,0 @@
{{- if eq .Values.kind "DaemonSet" }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ include "fluent-bit.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "fluent-bit.selectorLabels" . | nindent 6 }}
{{- with .Values.updateStrategy }}
updateStrategy:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.minReadySeconds }}
minReadySeconds: {{ . }}
{{- end }}
template:
metadata:
labels:
{{- include "fluent-bit.selectorLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or (not .Values.hotReload.enabled) .Values.podAnnotations }}
annotations:
{{- if not .Values.hotReload.enabled }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- if .Values.luaScripts }}
checksum/luascripts: {{ include (print $.Template.BasePath "/configmap-luascripts.yaml") . | sha256sum }}
{{- end }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- include "fluent-bit.pod" . | nindent 6 }}
{{- end }}

View File

@ -1,51 +0,0 @@
{{- if eq .Values.kind "Deployment" }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "fluent-bit.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- with .Values.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "fluent-bit.selectorLabels" . | nindent 6 }}
{{- with .Values.minReadySeconds }}
minReadySeconds: {{ . }}
{{- end }}
template:
metadata:
labels:
{{- include "fluent-bit.selectorLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or (not .Values.hotReload.enabled) .Values.podAnnotations }}
annotations:
{{- if not .Values.hotReload.enabled }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- if .Values.luaScripts }}
checksum/luascripts: {{ include (print $.Template.BasePath "/configmap-luascripts.yaml") . | sha256sum }}
{{- end }}
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- include "fluent-bit.pod" . | nindent 6 }}
{{- end }}

View File

@ -1,40 +0,0 @@
{{- if and ( eq .Values.kind "Deployment" ) .Values.autoscaling.enabled }}
apiVersion: {{ include "fluent-bit.hpa.apiVersion" . }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "fluent-bit.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
spec:
{{- if .Values.autoscaling.behavior }}
behavior:
{{- toYaml .Values.autoscaling.behavior | nindent 4 }}
{{- end }}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "fluent-bit.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
type: Utilization
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
type: Utilization
{{- end }}
{{- if .Values.autoscaling.customRules -}}
{{- toYaml .Values.autoscaling.customRules | nindent 4}}
{{- end -}}
{{- end }}

View File

@ -1,65 +0,0 @@
{{- $ingressApiIsStable := eq (include "fluent-bit.ingress.isStable" .) "true" -}}
{{- $ingressSupportsIngressClassName := eq (include "fluent-bit.ingress.supportsIngressClassName" .) "true" -}}
{{- $ingressSupportsPathType := eq (include "fluent-bit.ingress.supportsPathType" .) "true" -}}
{{- $fullName := include "fluent-bit.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and ( eq .Values.kind "Deployment" ) .Values.ingress.enabled }}
apiVersion: {{ include "fluent-bit.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- range $key, $value := . }}
{{ printf "%s: %s" $key ((tpl $value $) | quote) }}
{{- end }}
{{- end }}
spec:
{{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
{{- end -}}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
{{- with .secretName }}
secretName: {{ . }}
{{- end }}
{{- end }}
{{- end }}
rules:
{{- range concat .Values.ingress.hosts .Values.ingress.extraHosts }}
- host: {{ .host | quote }}
http:
paths:
- path: /
{{- if $ingressSupportsPathType }}
pathType: Prefix
{{- end }}
backend:
{{- if $ingressApiIsStable }}
service:
name: {{ $fullName }}
port:
{{- if .port }}
number: {{ .port }}
{{- else }}
number: {{ $svcPort }}
{{- end }}
{{- else }}
serviceName: {{ $fullName }}
{{- if .port }}
servicePort: {{ .port }}
{{- else }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -1,23 +0,0 @@
{{- if .Values.networkPolicy.enabled }}
apiVersion: "networking.k8s.io/v1"
kind: "NetworkPolicy"
metadata:
name: {{ include "fluent-bit.fullname" . | quote }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
spec:
policyTypes:
- "Ingress"
podSelector:
matchLabels:
{{- include "fluent-bit.selectorLabels" . | nindent 6 }}
ingress:
{{- with .Values.networkPolicy.ingress }}
- from:
{{- with .from }}{{- . | toYaml | nindent 8 }}{{- else }} []{{- end }}
ports:
- protocol: "TCP"
port: {{ $.Values.service.port }}
{{- end }}
{{- end }}

View File

@ -1,21 +0,0 @@
{{- if and ( eq .Values.kind "Deployment" ) .Values.podDisruptionBudget.enabled }}
apiVersion: {{ include "fluent-bit.pdb.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ include "fluent-bit.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.podDisruptionBudget.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
selector:
matchLabels:
{{- include "fluent-bit.selectorLabels" . | nindent 6 }}
{{- with .Values.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}

View File

@ -1,18 +0,0 @@
{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "fluent-bit.fullname" . }}
namespace: {{ default $.Release.Namespace .Values.prometheusRule.namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- if .Values.prometheusRule.additionalLabels }}
{{- toYaml .Values.prometheusRule.additionalLabels | nindent 4 }}
{{- end }}
spec:
{{- if .Values.prometheusRule.rules }}
groups:
- name: {{ template "fluent-bit.name" . }}
rules: {{- toYaml .Values.prometheusRule.rules | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -1,42 +0,0 @@
{{- if and .Values.podSecurityPolicy.create (semverCompare "<=1.25-0" .Capabilities.KubeVersion.GitVersion) -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "fluent-bit.fullname" . }}
{{- if .Values.podSecurityPolicy.annotations }}
annotations:
{{- toYaml .Values.podSecurityPolicy.annotations | nindent 4 }}
{{- end }}
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
volumes:
- '*'
hostNetwork: {{ .Values.hostNetwork }}
hostIPC: false
hostPID: false
runAsUser:
# TODO: Require the container to run without root privileges.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}

View File

@ -1,41 +0,0 @@
{{- if and .Values.openShift.enabled .Values.openShift.securityContextConstraints.create }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ include "fluent-bit.openShiftSccName" . }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.openShift.securityContextConstraints.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
allowPrivilegedContainer: true
allowPrivilegeEscalation: true
allowHostDirVolumePlugin: true
defaultAllowPrivilegeEscalation: false
# forbid host namespaces
allowHostNetwork: false
allowHostIPC: false
allowHostPorts: false
allowHostPID: false
allowedCapabilities: []
forbiddenSysctls:
- "*"
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
{{- end }}

View File

@ -1,57 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "fluent-bit.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and (eq .Values.service.type "ClusterIP") (.Values.service.clusterIP) }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if .Values.service.externalIPs }}
externalIPs: {{- toYaml .Values.service.externalIPs | nindent 4 }}
{{- end }}
{{- if (eq .Values.kind "DaemonSet") }}
{{- with .Values.service.internalTrafficPolicy }}
internalTrafficPolicy: {{ . }}
{{- end }}
{{- end }}
{{- if (eq .Values.service.type "LoadBalancer")}}
{{- with .Values.service.loadBalancerClass}}
loadBalancerClass: {{ . }}
{{- end }}
{{- with .Values.service.loadBalancerSourceRanges}}
loadBalancerSourceRanges:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
{{- if and (eq .Values.service.type "NodePort") (.Values.service.nodePort) }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
{{- if .Values.extraPorts }}
{{- range .Values.extraPorts }}
- name: {{ .name }}
targetPort: {{ .name }}
protocol: {{ .protocol }}
port: {{ .port }}
{{- if and (eq $.Values.service.type "NodePort") (.nodePort) }}
nodePort: {{ .nodePort }}
{{- end }}
{{- end }}
{{- end }}
selector:
{{- include "fluent-bit.selectorLabels" . | nindent 4 }}

View File

@ -1,13 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "fluent-bit.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

View File

@ -1,51 +0,0 @@
{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "fluent-bit.fullname" . }}
namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.selector }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
jobLabel: app.kubernetes.io/instance
endpoints:
- port: http
path: {{ default "/api/v2/metrics/prometheus" .Values.serviceMonitor.path }}
{{- with .Values.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
{{- with .Values.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- if kindIs "string" . }}
{{- tpl . $ | nindent 8 }}
{{- else }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.serviceMonitor.scheme }}
scheme: {{ .Values.serviceMonitor.scheme }}
{{- end }}
{{- if .Values.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }}
{{- end }}
{{- with .Values.serviceMonitor.additionalEndpoints }}
{{- toYaml . | nindent 4 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
{{- include "fluent-bit.selectorLabels" . | nindent 6 }}
{{- end }}

View File

@ -1,26 +0,0 @@
{{- if .Values.testFramework.enabled }}
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "fluent-bit.fullname" . }}-test-connection"
namespace: {{ default .Release.Namespace .Values.testFramework.namespace }}
labels:
helm.sh/chart: {{ include "fluent-bit.chart" . }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: hook-succeeded
spec:
containers:
- name: wget
image: {{ include "fluent-bit.image" .Values.testFramework.image | quote }}
imagePullPolicy: {{ .Values.testFramework.image.pullPolicy }}
command: ["sh"]
args: ["-c", "wget -O- {{ include "fluent-bit.fullname" . }}:{{ .Values.service.port }}"]
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 4 }}
{{- end }}
restartPolicy: Never
{{- end }}

View File

@ -1,39 +0,0 @@
{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.autoscaling.vpa.enabled }}
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
name: {{ include "fluent-bit.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "fluent-bit.labels" . | nindent 4 }}
{{- with .Values.autoscaling.vpa.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
resourcePolicy:
containerPolicies:
- containerName: {{ .Chart.Name }}
{{- with .Values.autoscaling.vpa.controlledResources }}
controlledResources:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.autoscaling.vpa.maxAllowed }}
maxAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.autoscaling.vpa.minAllowed }}
minAllowed:
{{- toYaml . | nindent 8 }}
{{- end }}
targetRef:
apiVersion: apps/v1
kind: {{ .Values.kind }}
name: {{ include "fluent-bit.fullname" . }}
{{- if .Values.autoscaling.vpa.updatePolicy }}
updatePolicy:
{{- with .Values.autoscaling.vpa.updatePolicy.updateMode }}
updateMode: {{ . }}
{{- end }}
{{- end }}
{{- end }}

View File

@ -1,512 +0,0 @@
# Default values for fluent-bit.
# kind -- DaemonSet or Deployment
kind: DaemonSet
# replicaCount -- Only applicable if kind=Deployment
replicaCount: 1
image:
repository: cr.fluentbit.io/fluent/fluent-bit
# Overrides the image tag whose default is {{ .Chart.AppVersion }}
# Set to "-" to not use the default value
tag:
digest:
pullPolicy: IfNotPresent
testFramework:
enabled: true
namespace:
image:
repository: busybox
pullPolicy: Always
tag: latest
digest:
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
create: true
annotations: {}
name:
rbac:
create: true
nodeAccess: false
eventsAccess: false
# Configure podsecuritypolicy
# Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
# from Kubernetes 1.25, PSP is deprecated
# See: https://kubernetes.io/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes
# We automatically disable PSP if Kubernetes version is 1.25 or higher
podSecurityPolicy:
create: false
annotations: {}
# OpenShift-specific configuration
openShift:
enabled: false
securityContextConstraints:
# Create SCC for Fluent-bit and allow use it
create: true
name: ""
annotations: {}
# Use existing SCC in cluster, rather then create new one
existingName: ""
podSecurityContext: {}
# fsGroup: 2000
hostNetwork: false
dnsPolicy: ClusterFirst
dnsConfig: {}
# nameservers:
# - 1.2.3.4
# searches:
# - ns1.svc.cluster-domain.example
# - my.dns.search.suffix
# options:
# - name: ndots
# value: "2"
# - name: edns0
hostAliases: []
# - ip: "1.2.3.4"
# hostnames:
# - "foo.local"
# - "bar.local"
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 2020
internalTrafficPolicy:
loadBalancerClass:
loadBalancerSourceRanges: []
labels: {}
# nodePort: 30020
# clusterIP: 172.16.10.1
annotations: {}
# prometheus.io/path: "/api/v1/metrics/prometheus"
# prometheus.io/port: "2020"
# prometheus.io/scrape: "true"
externalIPs: []
# externalIPs:
# - 2.2.2.2
serviceMonitor:
enabled: false
# namespace: monitoring
# interval: 10s
# scrapeTimeout: 10s
# selector:
# prometheus: my-prometheus
# ## metric relabel configs to apply to samples before ingestion.
# ##
# metricRelabelings:
# - sourceLabels: [__meta_kubernetes_service_label_cluster]
# targetLabel: cluster
# regex: (.*)
# replacement: ${1}
# action: replace
# ## relabel configs to apply to samples after ingestion.
# ##
# relabelings:
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
# scheme: ""
# tlsConfig: {}
## Bear in mind if you want to collect metrics from a different port
## you will need to configure the new ports on the extraPorts property.
additionalEndpoints: []
# - port: metrics
# path: /metrics
# interval: 10s
# scrapeTimeout: 10s
# scheme: ""
# tlsConfig: {}
# # metric relabel configs to apply to samples before ingestion.
# #
# metricRelabelings:
# - sourceLabels: [__meta_kubernetes_service_label_cluster]
# targetLabel: cluster
# regex: (.*)
# replacement: ${1}
# action: replace
# # relabel configs to apply to samples after ingestion.
# #
# relabelings:
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
prometheusRule:
enabled: false
# namespace: ""
# additionalLabels: {}
# rules:
# - alert: NoOutputBytesProcessed
# expr: rate(fluentbit_output_proc_bytes_total[5m]) == 0
# annotations:
# message: |
# Fluent Bit instance {{ $labels.instance }}'s output plugin {{ $labels.name }} has not processed any
# bytes for at least 15 minutes.
# summary: No Output Bytes Processed
# for: 15m
# labels:
# severity: critical
dashboards:
enabled: false
labelKey: grafana_dashboard
labelValue: 1
annotations: {}
namespace: ""
deterministicUid: false
lifecycle: {}
# preStop:
# exec:
# command: ["/bin/sh", "-c", "sleep 20"]
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /api/v1/health
port: http
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## only available if kind is Deployment
ingress:
enabled: false
ingressClassName: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts: []
# - host: fluent-bit.example.tld
extraHosts: []
# - host: fluent-bit-extra.example.tld
## specify extraPort number
# port: 5170
tls: []
# - secretName: fluent-bit-example-tld
# hosts:
# - fluent-bit.example.tld
## only available if kind is Deployment
autoscaling:
vpa:
enabled: false
annotations: {}
# List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
controlledResources: []
# Define the max allowed resources for the pod
maxAllowed: {}
# cpu: 200m
# memory: 100Mi
# Define the min allowed resources for the pod
minAllowed: {}
# cpu: 200m
# memory: 100Mi
updatePolicy:
# Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
# are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
updateMode: Auto
enabled: false
minReplicas: 1
maxReplicas: 3
targetCPUUtilizationPercentage: 75
# targetMemoryUtilizationPercentage: 75
## see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/#autoscaling-on-multiple-metrics-and-custom-metrics
customRules: []
# - type: Pods
# pods:
# metric:
# name: packets-per-second
# target:
# type: AverageValue
# averageValue: 1k
## see https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-configurable-scaling-behavior
behavior: {}
# scaleDown:
# policies:
# - type: Pods
# value: 4
# periodSeconds: 60
# - type: Percent
# value: 10
# periodSeconds: 60
## only available if kind is Deployment
podDisruptionBudget:
enabled: false
annotations: {}
maxUnavailable: "30%"
nodeSelector: {}
tolerations: []
affinity: {}
labels: {}
annotations: {}
podAnnotations: {}
podLabels: {}
## How long (in seconds) a pods needs to be stable before progressing the deployment
##
minReadySeconds:
## How long (in seconds) a pod may take to exit (useful with lifecycle hooks to ensure lb deregistration is done)
##
terminationGracePeriodSeconds:
priorityClassName: ""
env: []
# - name: FOO
# value: "bar"
# The envWithTpl array below has the same usage as "env", but is using the tpl function to support templatable string.
# This can be useful when you want to pass dynamic values to the Chart using the helm argument "--set <variable>=<value>"
# https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
envWithTpl: []
# - name: FOO_2
# value: "{{ .Values.foo2 }}"
#
# foo2: bar2
envFrom: []
# This supports either a structured array or a templatable string
extraContainers: []
# Array mode
# extraContainers:
# - name: do-something
# image: busybox
# command: ['do', 'something']
# String mode
# extraContainers: |-
# - name: do-something
# image: bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}
# command: ['kubectl', 'version']
flush: 1
metricsPort: 2020
extraPorts: []
# - port: 5170
# containerPort: 5170
# protocol: TCP
# name: tcp
# nodePort: 30517
extraVolumes: []
extraVolumeMounts: []
updateStrategy: {}
# type: RollingUpdate
# rollingUpdate:
# maxUnavailable: 1
# Make use of a pre-defined configmap instead of the one templated here
existingConfigMap: ""
networkPolicy:
enabled: false
# ingress:
# from: []
luaScripts: {}
## https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file
config:
service: |
[SERVICE]
Daemon Off
Flush {{ .Values.flush }}
Log_Level {{ .Values.logLevel }}
Parsers_File /fluent-bit/etc/parsers.conf
Parsers_File /fluent-bit/etc/conf/custom_parsers.conf
HTTP_Server On
HTTP_Listen 0.0.0.0
HTTP_Port {{ .Values.metricsPort }}
Health_Check On
## https://docs.fluentbit.io/manual/pipeline/inputs
inputs: |
[INPUT]
Name tail
Path /var/log/containers/*.log
multiline.parser docker, cri
Tag kube.*
Mem_Buf_Limit 5MB
Skip_Long_Lines On
[INPUT]
Name systemd
Tag host.*
Systemd_Filter _SYSTEMD_UNIT=kubelet.service
Read_From_Tail On
## https://docs.fluentbit.io/manual/pipeline/filters
filters: |
[FILTER]
Name kubernetes
Match kube.*
Merge_Log On
Keep_Log Off
K8S-Logging.Parser On
K8S-Logging.Exclude On
## https://docs.fluentbit.io/manual/pipeline/outputs
outputs: |
[OUTPUT]
Name es
Match kube.*
Host elasticsearch-master
Logstash_Format On
Retry_Limit False
[OUTPUT]
Name es
Match host.*
Host elasticsearch-master
Logstash_Format On
Logstash_Prefix node
Retry_Limit False
## https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/upstream-servers
## This configuration is deprecated, please use `extraFiles` instead.
upstream: {}
## https://docs.fluentbit.io/manual/pipeline/parsers
customParsers: |
[PARSER]
Name docker_no_time
Format json
Time_Keep Off
Time_Key time
Time_Format %Y-%m-%dT%H:%M:%S.%L
# This allows adding more files with arbitrary filenames to /fluent-bit/etc/conf by providing key/value pairs.
# The key becomes the filename, the value becomes the file content.
extraFiles: {}
# upstream.conf: |
# [UPSTREAM]
# upstream1
#
# [NODE]
# name node-1
# host 127.0.0.1
# port 43000
# example.conf: |
# [OUTPUT]
# Name example
# Match foo.*
# Host bar
# The config volume is mounted by default, either to the existingConfigMap value, or the default of "fluent-bit.fullname"
volumeMounts:
- name: config
mountPath: /fluent-bit/etc/conf
daemonSetVolumes:
- name: varlog
hostPath:
path: /var/log
- name: varlibdockercontainers
hostPath:
path: /var/lib/docker/containers
- name: etcmachineid
hostPath:
path: /etc/machine-id
type: File
daemonSetVolumeMounts:
- name: varlog
mountPath: /var/log
- name: varlibdockercontainers
mountPath: /var/lib/docker/containers
readOnly: true
- name: etcmachineid
mountPath: /etc/machine-id
readOnly: true
command:
- /fluent-bit/bin/fluent-bit
args:
- --workdir=/fluent-bit/etc
- --config=/fluent-bit/etc/conf/fluent-bit.conf
# This supports either a structured array or a templatable string
initContainers: []
# Array mode
# initContainers:
# - name: do-something
# image: bitnami/kubectl:1.22
# command: ['kubectl', 'version']
# String mode
# initContainers: |-
# - name: do-something
# image: bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}
# command: ['kubectl', 'version']
logLevel: info
hotReload:
enabled: false
image:
repository: ghcr.io/jimmidyson/configmap-reload
tag: v0.11.1
digest:
pullPolicy: IfNotPresent
resources: {}
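Review bot: the fluent-bit templates and the 512-line default values file are deleted outright (`-1,512 +0,0` and the `+0,0` hunks before it), which goes well beyond the "cleanup and consolidate helmignore files" of the commit title. State in the commit message why this chart content is removed and what replaces it, or split the removal into its own commit, so a later bisect or audit does not have to dig a chart removal out of a CI housekeeping change.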

View File

@ -1,29 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
README.md.gotmpl
*.patch
*.sh
*.py
jsonnet

View File

@ -0,0 +1 @@
../../.helmignore
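Review bot: replacing the per-chart ignore file with a one-line link to `../../.helmignore` makes packaging depend on the chart sitting exactly two directories below the shared file. If the chart directory is packaged from a copy, or the link is not followed, no patterns apply and files the deleted list excluded (`*.patch`, `*.sh`, `*.py`, `jsonnet`) would end up in the chart archive. Add a CI check that lists the contents of the packaged archive and fails when such files are present.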

View File

@ -18,7 +18,7 @@
"subdir": "contrib/mixin"
}
},
"version": "5dfd6e05a4bd8e09debe31742dee4221ff391d0d",
"version": "2e242a63fbea44b54802d40f4757936f8f67b434",
"sum": "XmXkOCriQIZmXwlIIFhqlJMa0e6qGWdxZD+ZDYaN0Po="
},
{
@ -28,8 +28,8 @@
"subdir": "grafana-mixin"
}
},
"version": "1120f9e255760a3c104b57871fcb91801e934382",
"sum": "MkjR7zCgq6MUZgjDzop574tFKoTX2OBr7DTwm1K+Ofs="
"version": "0a44e27aab911fcc9bef5c456fadaadab9c8d619",
"sum": "S8mRTRH4w62kMCa2je3iCtvscYrwQmkyJ7Y/aM14KbE="
},
{
"source": {
@ -78,7 +78,7 @@
"subdir": "grafana-builder"
}
},
"version": "c29b27c792561c8e6086c1ba187e9f708ec1c9de",
"version": "cd4dd9a04aa740b2644e12810e48382188c25adc",
"sum": "G7B6E5sqWirDbMWRhifbLRfGgRFbIh9WCYa6X3kMh6g="
},
{
@ -88,7 +88,7 @@
"subdir": "mixin-utils"
}
},
"version": "c29b27c792561c8e6086c1ba187e9f708ec1c9de",
"version": "cd4dd9a04aa740b2644e12810e48382188c25adc",
"sum": "iu4NT+YOgpxQnxElKML76cSxgTA0cwTmFfI0hOfHHmw="
},
{
@ -118,8 +118,8 @@
"subdir": ""
}
},
"version": "98e85ddf870783424a921de5efda8d3f827b5580",
"sum": "eMj9kk9Zf4YgAK8/mJ3BnmpfMW3GDkAQlqZQut8Lidc="
"version": "cc7c60b9182346be662703df319e4ea56e317208",
"sum": "ij0NZqctn1iOw3wNr3ul3D6QjFZgvNmTNt6gu8/6oac="
},
{
"source": {
@ -128,7 +128,7 @@
"subdir": "jsonnet/kube-state-metrics"
}
},
"version": "97bfa326abe54600a6b9ad4c6238b9fc1d559d55",
"version": "56d3b561e6954e0055ea0d6f2d7034f6d898b6c6",
"sum": "3bioG7CfTfY9zeu5xU4yon6Zt3kYvNkyl492nOhQxnM="
},
{
@ -138,7 +138,7 @@
"subdir": "jsonnet/kube-state-metrics-mixin"
}
},
"version": "97bfa326abe54600a6b9ad4c6238b9fc1d559d55",
"version": "56d3b561e6954e0055ea0d6f2d7034f6d898b6c6",
"sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
},
{
@ -148,8 +148,8 @@
"subdir": "jsonnet/kube-prometheus"
}
},
"version": "03cb9b9319c2057728570875561fe331f7ee61c3",
"sum": "cNj7EBtOA0BlSSoas2dSYnIzvKHLi/gNIIONd77DU+M="
"version": "f0abeaf2c817f8ec51f8e6ca0497d0d87b5a1c0c",
"sum": "ClY5bR72mU4gIQiWfvcZ+dT2uzqJAOb4oFbXD1h2vQE="
},
{
"source": {
@ -158,7 +158,7 @@
"subdir": "jsonnet/mixin"
}
},
"version": "fb494cffd5117aaa895eaedfae8397a96691466f",
"version": "89a0ea9b2dc37dd9fbd42c93046275aae1a4dbfc",
"sum": "gi+knjdxs2T715iIQIntrimbHRgHnpM8IFBJDD1gYfs=",
"name": "prometheus-operator-mixin"
},
@ -169,8 +169,8 @@
"subdir": "jsonnet/prometheus-operator"
}
},
"version": "fb494cffd5117aaa895eaedfae8397a96691466f",
"sum": "dtH2oiXvUttHg2fz6uITHKuZflkQ832ddkdnhVu0drY="
"version": "89a0ea9b2dc37dd9fbd42c93046275aae1a4dbfc",
"sum": "LaZuMowhHMgjroyJvccvXjj7FBdC1lgUnODu6/JzqLo="
},
{
"source": {
@ -200,7 +200,7 @@
"subdir": "documentation/prometheus-mixin"
}
},
"version": "69906bb4f5f9e62255bced373c56fc13a3f61093",
"version": "c481aaf762bf24155d297a3efdaef5ebc61aeba0",
"sum": "lT5n+8i4q20LuvlmtIs/GXdlX6fQiwwuZkeOtnAPT50=",
"name": "prometheus"
},
@ -211,7 +211,7 @@
"subdir": "jsonnet/controller-gen"
}
},
"version": "a80a1021000b5c19dfd17cd20e62364f6675dceb",
"version": "d31e021e01525a2629401b226bedff600f881757",
"sum": "O3c9Uurei8MWAY0Ad7DOL1fMqSgdHyHB7MpHsxSITKM=",
"name": "pyrra"
},
@ -222,7 +222,7 @@
"subdir": "mixin"
}
},
"version": "933f04f55efba2ec599501df0ae58714714384d0",
"version": "ddd5ff85f4594e6970b0df3813d31c8f3024fe5f",
"sum": "ieCD4eMgGbOlrI8GmckGPHBGQDcLasE1rULYq56W/bs=",
"name": "thanos-mixin"
}
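Review bot: the `version` pins in these hunks move to new commits, several together with a new `sum`, yet the commit title only mentions helmignore files. Record in the commit message that the pinned dependencies were updated, or move the bump into its own commit, so the dependency change can be reviewed and reverted separately from the ignore-file cleanup.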

View File

@ -3,6 +3,7 @@
"kind": "PrometheusRule",
"metadata": {
"labels": {
"app.kubernetes.io/component": "kubernetes",
"app.kubernetes.io/name": "kube-prometheus",
"app.kubernetes.io/part-of": "kube-prometheus",
"prometheus": "k8s",
@ -1285,21 +1286,21 @@
"name": "kubelet.rules",
"rules": [
{
"expr": "histogram_quantile(0.99, sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job=\"kubelet\", metrics_path=\"/metrics\"}[5m])) by (cluster, instance, le) * on(cluster, instance) group_left(node) kubelet_node_name{job=\"kubelet\", metrics_path=\"/metrics\"})\n",
"expr": "histogram_quantile(\n 0.99, \n sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job=\"kubelet\", metrics_path=\"/metrics\"}[5m])) by (cluster, instance, le) \n * on(cluster, instance) group_left (node) \n max by (cluster, instance, node) (kubelet_node_name{job=\"kubelet\", metrics_path=\"/metrics\"})\n)\n",
"labels": {
"quantile": "0.99"
},
"record": "node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile"
},
{
"expr": "histogram_quantile(0.9, sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job=\"kubelet\", metrics_path=\"/metrics\"}[5m])) by (cluster, instance, le) * on(cluster, instance) group_left(node) kubelet_node_name{job=\"kubelet\", metrics_path=\"/metrics\"})\n",
"expr": "histogram_quantile(\n 0.9, \n sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job=\"kubelet\", metrics_path=\"/metrics\"}[5m])) by (cluster, instance, le) \n * on(cluster, instance) group_left (node) \n max by (cluster, instance, node) (kubelet_node_name{job=\"kubelet\", metrics_path=\"/metrics\"})\n)\n",
"labels": {
"quantile": "0.9"
},
"record": "node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile"
},
{
"expr": "histogram_quantile(0.5, sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job=\"kubelet\", metrics_path=\"/metrics\"}[5m])) by (cluster, instance, le) * on(cluster, instance) group_left(node) kubelet_node_name{job=\"kubelet\", metrics_path=\"/metrics\"})\n",
"expr": "histogram_quantile(\n 0.5, \n sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job=\"kubelet\", metrics_path=\"/metrics\"}[5m])) by (cluster, instance, le) \n * on(cluster, instance) group_left (node) \n max by (cluster, instance, node) (kubelet_node_name{job=\"kubelet\", metrics_path=\"/metrics\"})\n)\n",
"labels": {
"quantile": "0.5"
},
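Review bot: the three rewritten `expr` values carry trailing spaces before the `\n` escapes (`0.99, \n`, `le) \n`, `group_left (node) \n`); strip them at the source these rules come from. The change is also behavioural, since the right-hand side of the `group_left` join is now `max by (cluster, instance, node) (kubelet_node_name{...})`, and that deserves a line in the commit message.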

View File

@ -957,21 +957,15 @@ spec:
record: cluster:node_cpu:ratio_rate5m
- name: kubelet.rules
rules:
- expr: 'histogram_quantile(0.99, sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job="kubelet", metrics_path="/metrics"}[5m])) by (cluster, instance, le) * on(cluster, instance) group_left(node) kubelet_node_name{job="kubelet", metrics_path="/metrics"})
'
- expr: "histogram_quantile(\n 0.99, \n sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job=\"kubelet\", metrics_path=\"/metrics\"}[5m])) by (cluster, instance, le) \n * on(cluster, instance) group_left (node) \n max by (cluster, instance, node) (kubelet_node_name{job=\"kubelet\", metrics_path=\"/metrics\"})\n)\n"
labels:
quantile: '0.99'
record: node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile
- expr: 'histogram_quantile(0.9, sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job="kubelet", metrics_path="/metrics"}[5m])) by (cluster, instance, le) * on(cluster, instance) group_left(node) kubelet_node_name{job="kubelet", metrics_path="/metrics"})
'
- expr: "histogram_quantile(\n 0.9, \n sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job=\"kubelet\", metrics_path=\"/metrics\"}[5m])) by (cluster, instance, le) \n * on(cluster, instance) group_left (node) \n max by (cluster, instance, node) (kubelet_node_name{job=\"kubelet\", metrics_path=\"/metrics\"})\n)\n"
labels:
quantile: '0.9'
record: node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile
- expr: 'histogram_quantile(0.5, sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job="kubelet", metrics_path="/metrics"}[5m])) by (cluster, instance, le) * on(cluster, instance) group_left(node) kubelet_node_name{job="kubelet", metrics_path="/metrics"})
'
- expr: "histogram_quantile(\n 0.5, \n sum(rate(kubelet_pleg_relist_duration_seconds_bucket{job=\"kubelet\", metrics_path=\"/metrics\"}[5m])) by (cluster, instance, le) \n * on(cluster, instance) group_left (node) \n max by (cluster, instance, node) (kubelet_node_name{job=\"kubelet\", metrics_path=\"/metrics\"})\n)\n"
labels:
quantile: '0.5'
record: node_quantile:kubelet_pleg_relist_duration_seconds:histogram_quantile
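Review bot: the `expr` entries switch from single-quoted scalars to double-quoted strings with escaped `\n` and `\"`, which makes the PromQL hard to read and review in this file. Emit them as block scalars (`expr: |`) so the multi-line query appears as written.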

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -26,6 +26,7 @@ Kubernetes: `>= 1.26.0`
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| nats.config.cluster.routeURLs.useFQDN | bool | `true` | |
| nats.config.jetstream.enabled | bool | `true` | |
| nats.enabled | bool | `false` | |
| nats.istio.enabled | bool | `false` | |

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -65,7 +65,7 @@ Kubernetes: `>= 1.30.0-0`
| cilium.prometheus.port | int | `9091` | |
| cilium.prometheus.serviceMonitor.enabled | bool | `false` | |
| cilium.resources.requests.cpu | string | `"50m"` | |
| cilium.resources.requests.memory | string | `"256Mi"` | |
| cilium.resources.requests.memory | string | `"384Mi"` | |
| cilium.routingMode | string | `"tunnel"` | |
| cilium.sysctlfix.enabled | bool | `false` | |
| cilium.tunnelProtocol | string | `"geneve"` | |

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,4 +1,3 @@
{{- if index .Values "cloudnative-pg" "enabled" }}
apiVersion: postgresql.cnpg.io/v1
kind: ClusterImageCatalog
metadata:
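Review bot: the `{{- if index .Values "cloudnative-pg" "enabled" }}` guard on the first line is dropped here (its `{{- end }}` goes in the next hunk), so the `ClusterImageCatalog` is rendered even when cloudnative-pg is disabled. If the `postgresql.cnpg.io/v1` API is not present in that case, the release will fail to apply; keep the guard or explain where the condition now lives.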
@ -6,13 +5,12 @@ metadata:
spec:
images:
- major: 13
image: ghcr.io/cloudnative-pg/postgresql:13.21-1-bookworm@sha256:189ae9e434654d224a3573beffa3552c67f50e344debfe14be7ad92245be8589
image: ghcr.io/cloudnative-pg/postgresql:13.21-9-bookworm@sha256:f80ffc9c454a69d9268e3a93091590ca8dc4db1f9adf230ec3a1d6290a251267
- major: 14
image: ghcr.io/cloudnative-pg/postgresql:14.18-1-bookworm@sha256:26bca18fee9dc5a0d7bfafddd5b9cc69600b4c14a430f2e8785eb2fc8a802ed2
image: ghcr.io/cloudnative-pg/postgresql:14.18-9-bookworm@sha256:6fb7ee809fa91c9d9b599d4bd6b25ef282366a66316bc19e29d5d450d8f32090
- major: 15
image: ghcr.io/cloudnative-pg/postgresql:15.13-1-bookworm@sha256:32312ca4300023b15d260adb9b25ef2ea8c061e3218e788fe5de84eac08a3033
image: ghcr.io/cloudnative-pg/postgresql:15.13-9-bookworm@sha256:974befc8b8adc1ed0edfc4038944a36d3368c083a258b90667fcf2e0f6d775ed
- major: 16
image: ghcr.io/cloudnative-pg/postgresql:16.9-1-bookworm@sha256:cf533c5f141b13a327d4678f49a1ace3bd5475f847e08d33b33255fde85717dc
image: ghcr.io/cloudnative-pg/postgresql:16.9-9-bookworm@sha256:60811544a39c8b901bb164d33d0de37820067e13419aaf2306500d6e468fb2e5
- major: 17
image: ghcr.io/cloudnative-pg/postgresql:17.5-1-bookworm@sha256:c860bf22cc86b8033c0aa77299e6c8df41cddf4a884b72115153aeb2f4574e94
{{- end }}
image: ghcr.io/cloudnative-pg/postgresql:17.5-9-bookworm@sha256:bdcd7959f23e02bad6bee74f26b31b6797694b9faabef442eebc63694bdf8d10

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -28,8 +28,11 @@ Kubernetes: `>= 1.30.0-0`
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| kyverno.admissionController.container.extraArgs.leaderElectionRetryPeriod | string | `"30s"` | |
| kyverno.admissionController.revisionHistoryLimit | int | `2` | |
| kyverno.backgroundController.extraArgs.leaderElectionRetryPeriod | string | `"30s"` | |
| kyverno.backgroundController.revisionHistoryLimit | int | `2` | |
| kyverno.cleanupController.extraArgs.leaderElectionRetryPeriod | string | `"30s"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].apiGroups[0] | string | `"postgresql.cnpg.io"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].resources[0] | string | `"backups"` | |
| kyverno.cleanupController.rbac.clusterRole.extraResources[0].verbs[0] | string | `"delete"` | |
@ -46,4 +49,4 @@ Kubernetes: `>= 1.30.0-0`
| kyverno.reportsController.enabled | bool | `false` | |
| kyverno.reportsController.revisionHistoryLimit | int | `2` | |
| kyverno.webhooksCleanup.autoDeleteWebhooks.enabled | bool | `true` | |
| kyverno.webhooksCleanup.enabled | bool | `true` | |
| kyverno.webhooksCleanup.enabled | bool | `false` | |

View File

@ -5,7 +5,7 @@ kyverno:
policyReportsCleanup:
enabled: false
webhooksCleanup:
enabled: true
enabled: false
autoDeleteWebhooks:
enabled: true
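Review bot: `webhooksCleanup.enabled` flips from `true` to `false` with no comment or commit-message line giving the reason, and `autoDeleteWebhooks.enabled: true` is left in place directly below it. Add a comment with the reason, and confirm whether `autoDeleteWebhooks` still has any effect once the parent switch is off; if it does not, set it to `false` as well so the values are unambiguous.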

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -18,7 +18,7 @@ Kubernetes: `>= 1.26.0`
| Repository | Name | Version |
|------------|------|---------|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
| https://charts.bitnami.com/bitnami | mariadb-galera | 14.0.10 |
## Values
@ -28,7 +28,6 @@ Kubernetes: `>= 1.26.0`
| mariadb-galera.configurationConfigMap | string | `"{{ .Release.Name }}-mariadb-galera-configuration"` | |
| mariadb-galera.db.user | string | `"mariadb"` | |
| mariadb-galera.enabled | bool | `false` | |
| mariadb-galera.galera | string | `nil` | |
| mariadb-galera.istio.enabled | bool | `false` | |
| mariadb-galera.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | |
| mariadb-galera.istio.url | string | `"mariadb.example.com"` | |

View File

@ -1 +0,0 @@
jsonnet

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -18,7 +18,7 @@
"subdir": "contrib/mixin"
}
},
"version": "8f933a5b5867d078c714fd6a9584aa47f450d8d0",
"version": "2e242a63fbea44b54802d40f4757936f8f67b434",
"sum": "XmXkOCriQIZmXwlIIFhqlJMa0e6qGWdxZD+ZDYaN0Po="
},
{
@ -28,8 +28,8 @@
"subdir": "grafana-mixin"
}
},
"version": "1120f9e255760a3c104b57871fcb91801e934382",
"sum": "MkjR7zCgq6MUZgjDzop574tFKoTX2OBr7DTwm1K+Ofs="
"version": "0a44e27aab911fcc9bef5c456fadaadab9c8d619",
"sum": "S8mRTRH4w62kMCa2je3iCtvscYrwQmkyJ7Y/aM14KbE="
},
{
"source": {
@ -48,7 +48,7 @@
"subdir": "gen/grafonnet-latest"
}
},
"version": "d20e609202733790caf5b554c9945d049f243ae3",
"version": "5a8f3d6aa89b7e7513528371d2d1265aedc844bc",
"sum": "V9vAj21qJOc2DlMPDgB1eEjSQU4A+sAA4AXuJ6bd4xc="
},
{
@ -58,7 +58,7 @@
"subdir": "gen/grafonnet-v10.0.0"
}
},
"version": "d20e609202733790caf5b554c9945d049f243ae3",
"version": "5a8f3d6aa89b7e7513528371d2d1265aedc844bc",
"sum": "xdcrJPJlpkq4+5LpGwN4tPAuheNNLXZjE6tDcyvFjr0="
},
{
@ -68,7 +68,7 @@
"subdir": "gen/grafonnet-v11.4.0"
}
},
"version": "d20e609202733790caf5b554c9945d049f243ae3",
"version": "5a8f3d6aa89b7e7513528371d2d1265aedc844bc",
"sum": "aVAX09paQYNOoCSKVpuk1exVIyBoMt/C50QJI+Q/3nA="
},
{
@ -78,7 +78,7 @@
"subdir": "grafana-builder"
}
},
"version": "42da78cf7f2735c0cf57dee8f80cc52e9e7e57d8",
"version": "cd4dd9a04aa740b2644e12810e48382188c25adc",
"sum": "G7B6E5sqWirDbMWRhifbLRfGgRFbIh9WCYa6X3kMh6g="
},
{
@ -88,8 +88,8 @@
"subdir": "mixin-utils"
}
},
"version": "42da78cf7f2735c0cf57dee8f80cc52e9e7e57d8",
"sum": "SRElwa/XrKAN8aZA9zvdRUx8iebl2It7KNQ7VFvMcBA="
"version": "cd4dd9a04aa740b2644e12810e48382188c25adc",
"sum": "iu4NT+YOgpxQnxElKML76cSxgTA0cwTmFfI0hOfHHmw="
},
{
"source": {
@ -118,8 +118,8 @@
"subdir": ""
}
},
"version": "aad557d746a4e05d028a2ce542f61dde3b13c621",
"sum": "H+gpR450rmG2/USp9Y4vMfiz9FCUhKiG7xgqPNB1FJk="
"version": "cc7c60b9182346be662703df319e4ea56e317208",
"sum": "ij0NZqctn1iOw3wNr3ul3D6QjFZgvNmTNt6gu8/6oac="
},
{
"source": {
@ -128,7 +128,7 @@
"subdir": "jsonnet/kube-state-metrics"
}
},
"version": "0b01e3abce1da521b5e620b8aaa76774bb0fda87",
"version": "56d3b561e6954e0055ea0d6f2d7034f6d898b6c6",
"sum": "3bioG7CfTfY9zeu5xU4yon6Zt3kYvNkyl492nOhQxnM="
},
{
@ -138,7 +138,7 @@
"subdir": "jsonnet/kube-state-metrics-mixin"
}
},
"version": "0b01e3abce1da521b5e620b8aaa76774bb0fda87",
"version": "56d3b561e6954e0055ea0d6f2d7034f6d898b6c6",
"sum": "qclI7LwucTjBef3PkGBkKxF0mfZPbHnn4rlNWKGtR4c="
},
{
@ -148,8 +148,8 @@
"subdir": ""
}
},
"version": "9abc7566be4b58233d7b2aa29665bf47425b30e6",
"sum": "lL17qG4Ejhae7giWBzD2y6HDSxaNgkg8kX7p0i4eUNA="
"version": "3738a77b6f52b7194f5a190ffd12827dc5db46f8",
"sum": "R3760LGiSFlE5ppdUTOUJuYpefwZp/NOEpooIZ6599w="
},
{
"source": {
@ -158,8 +158,8 @@
"subdir": "jsonnet/kube-prometheus"
}
},
"version": "696ce89f1f4d9107bd3a3b026178b320bac03b8e",
"sum": "NYKZ3k27E/3sk27DCNct1X7gqv8tmYxqACnOm96W7pc="
"version": "f0abeaf2c817f8ec51f8e6ca0497d0d87b5a1c0c",
"sum": "ClY5bR72mU4gIQiWfvcZ+dT2uzqJAOb4oFbXD1h2vQE="
},
{
"source": {
@ -168,7 +168,7 @@
"subdir": "jsonnet/mixin"
}
},
"version": "8ce76ccb32d054cb26898f498ec6bc947cd87d6c",
"version": "89a0ea9b2dc37dd9fbd42c93046275aae1a4dbfc",
"sum": "gi+knjdxs2T715iIQIntrimbHRgHnpM8IFBJDD1gYfs=",
"name": "prometheus-operator-mixin"
},
@ -179,8 +179,8 @@
"subdir": "jsonnet/prometheus-operator"
}
},
"version": "8ce76ccb32d054cb26898f498ec6bc947cd87d6c",
"sum": "D8bNt3/sB6EO2AirgMZDt1M/5MwbLMpiQtKqCzfTrE4="
"version": "89a0ea9b2dc37dd9fbd42c93046275aae1a4dbfc",
"sum": "LaZuMowhHMgjroyJvccvXjj7FBdC1lgUnODu6/JzqLo="
},
{
"source": {
@ -189,7 +189,7 @@
"subdir": "doc/alertmanager-mixin"
}
},
"version": "79805945102a7ba3566f38a627ca3f1edd27756e",
"version": "0ce3cfb962db3cbb1649d3e816a49a13c4036cd1",
"sum": "j5prvRrJdoCv7n45l5Uy2ghl1IDb9BBUqjwCDs4ZJoQ=",
"name": "alertmanager"
},
@ -200,7 +200,7 @@
"subdir": "docs/node-mixin"
}
},
"version": "38d32a397720dfdaf547429ea1b40ab8cfa57e85",
"version": "2179f0a34d2d7b6212f3a1c647d5aca44ffa33e5",
"sum": "NcpQ0Hz0qciUqmOYoAR0X8GUK5pH/QiUXm1aDNgvua0="
},
{
@ -210,8 +210,8 @@
"subdir": "documentation/prometheus-mixin"
}
},
"version": "9659e30dec7073703fb8548e7b0ad80dd0df48f0",
"sum": "2c+wttfee9TwuQJZIkNV7Tekem74Qgc7iZ842P28rNw=",
"version": "c481aaf762bf24155d297a3efdaef5ebc61aeba0",
"sum": "lT5n+8i4q20LuvlmtIs/GXdlX6fQiwwuZkeOtnAPT50=",
"name": "prometheus"
},
{
@ -221,8 +221,8 @@
"subdir": "jsonnet/controller-gen"
}
},
"version": "d723f4d1a066dd657e9d09c46a158519dda0faa8",
"sum": "cxAPQovFkM16zNB5/94O+sk/n3SETk6ao6Oas2Sa6RE=",
"version": "d31e021e01525a2629401b226bedff600f881757",
"sum": "O3c9Uurei8MWAY0Ad7DOL1fMqSgdHyHB7MpHsxSITKM=",
"name": "pyrra"
},
{
@ -232,7 +232,7 @@
"subdir": "mixin"
}
},
"version": "7d7ea650b76cd201de8ee2c73f31497914026293",
"version": "ddd5ff85f4594e6970b0df3813d31c8f3024fe5f",
"sum": "ieCD4eMgGbOlrI8GmckGPHBGQDcLasE1rULYq56W/bs=",
"name": "thanos-mixin"
}

View File

@ -72,7 +72,7 @@
"description": "Persistent Volume Claim '{{ $labels.persistentvolumeclaim }}' has no consumer",
"summary": "Persistent Volume Claim '{{ $labels.persistentvolumeclaim }}' in namespace '{{ $labels.namespace }}' is not consumed by any pod in any namespace"
},
"expr": "kube_persistentvolumeclaim_info unless (kube_persistentvolumeclaim_info * on(persistentvolumeclaim) group_left kube_pod_spec_volumes_persistentvolumeclaims_info) == 1",
"expr": "kube_persistentvolumeclaim_info UNLESS ON (namespace, persistentvolumeclaim) count by (namespace, persistentvolumeclaim) (kube_pod_spec_volumes_persistentvolumeclaims_info) == 1",
"for": "5m",
"labels": {
"severity": "info"

View File

@ -52,7 +52,7 @@ spec:
annotations:
description: Persistent Volume Claim '{{`{{`}} $labels.persistentvolumeclaim {{`}}`}}' has no consumer
summary: Persistent Volume Claim '{{`{{`}} $labels.persistentvolumeclaim {{`}}`}}' in namespace '{{`{{`}} $labels.namespace {{`}}`}}' is not consumed by any pod in any namespace
expr: kube_persistentvolumeclaim_info unless (kube_persistentvolumeclaim_info * on(persistentvolumeclaim) group_left kube_pod_spec_volumes_persistentvolumeclaims_info) == 1
expr: kube_persistentvolumeclaim_info UNLESS ON (namespace, persistentvolumeclaim) count by (namespace, persistentvolumeclaim) (kube_pod_spec_volumes_persistentvolumeclaims_info) == 1
for: 5m
labels:
severity: info
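Review bot: on the new `expr` line the trailing `== 1` binds to the `count by (...)` on the right-hand side of `UNLESS`, because comparison operators have higher precedence than `unless` in PromQL. A claim mounted by two or more pods has a count of 2 or more, is filtered out by `== 1`, and is therefore no longer excluded, so the alert fires for a PVC that does have consumers. Drop the comparison (or use `> 0`), e.g. `kube_persistentvolumeclaim_info unless on (namespace, persistentvolumeclaim) count by (namespace, persistentvolumeclaim) (kube_pod_spec_volumes_persistentvolumeclaims_info)`. The JSON rule definition earlier in this diff carries the same expression, so the fix belongs in the source, with this file regenerated from it.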

View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,6 +1,6 @@
# kubezero-telemetry
![Version: 0.4.2](https://img.shields.io/badge/Version-0.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero Umbrella Chart for OpenTelemetry, Jaeger etc.

View File

@ -1,28 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
README.md.gotmpl
dashboards.yaml
jsonnet
update.sh
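Review bot: the deleted lines `dashboards.yaml` and `update.sh` are bare names, which match at any depth in the chart, while the shared root `.helmignore` introduced by this commit lists `/dashboards.yaml`, which matches only at the chart root. Assuming this chart now uses the shared file, a `dashboards.yaml` below the top level would start being packaged. Please compare the packaged file list before and after the change.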

1
charts/kubezero/.helmignore Symbolic link
View File

@ -0,0 +1 @@
../../.helmignore

View File

@ -1,6 +1,6 @@
# kubezero
![Version: 1.32.3](https://img.shields.io/badge/Version-1.32.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![Version: 1.32.6](https://img.shields.io/badge/Version-1.32.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
KubeZero - Root App of Apps chart
@ -28,7 +28,7 @@ Kubernetes: `>= 1.32.0-0`
| addons.aws-node-termination-handler.enabled | bool | `false` | |
| addons.cluster-autoscaler.enabled | bool | `false` | |
| addons.clusterBackup.enabled | bool | `false` | |
| addons.enabled | bool | `true` | |
| addons.enabled | bool | `false` | |
| addons.external-dns.enabled | bool | `false` | |
| addons.forseti.enabled | bool | `false` | |
| addons.sealed-secrets.enabled | bool | `false` | |
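Review bot: the documented default for `addons.enabled` flips from `true` to `false` here, which is a behaviour change for any install relying on the default and is not covered by a commit subject about helmignore cleanup. Call it out in the commit message or release notes, or move it to its own commit.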
@ -38,13 +38,14 @@ Kubernetes: `>= 1.32.0-0`
| argo.argocd-image-updater.enabled | bool | `false` | |
| argo.enabled | bool | `false` | |
| argo.namespace | string | `"argocd"` | |
| argo.targetRevision | string | `"0.3.2"` | |
| argo.targetRevision | string | `"0.4.2"` | |
| cert-manager.enabled | bool | `false` | |
| cert-manager.namespace | string | `"cert-manager"` | |
| cert-manager.targetRevision | string | `"0.9.12"` | |
| falco.enabled | bool | `false` | |
| falco.k8saudit.enabled | bool | `false` | |
| falco.targetRevision | string | `"0.1.2"` | |
| global.apiServerUrl | string | `"localhost:6443"` | |
| global.aws.accountId | string | `"123456789012"` | |
| global.aws.region | string | `"the-moon"` | |
| global.clusterName | string | `"zdt-trial-cluster"` | |
@ -55,16 +56,15 @@ Kubernetes: `>= 1.32.0-0`
| istio-ingress.enabled | bool | `false` | |
| istio-ingress.gateway.service | object | `{}` | |
| istio-ingress.namespace | string | `"istio-ingress"` | |
| istio-ingress.targetRevision | string | `"0.24.3"` | |
| istio-ingress.targetRevision | string | `"0.26.1"` | |
| istio-private-ingress.chart | string | `"kubezero-istio-gateway"` | |
| istio-private-ingress.enabled | bool | `false` | |
| istio-private-ingress.gateway.service | object | `{}` | |
| istio-private-ingress.namespace | string | `"istio-ingress"` | |
| istio-private-ingress.targetRevision | string | `"0.24.3"` | |
| istio-private-ingress.targetRevision | string | `"0.26.1"` | |
| istio.enabled | bool | `false` | |
| istio.namespace | string | `"istio-system"` | |
| istio.targetRevision | string | `"0.24.3"` | |
| logging.annotations."argocd.argoproj.io/compare-options" | string | `"ServerSideDiff=false"` | |
| istio.targetRevision | string | `"0.26.1"` | |
| logging.enabled | bool | `false` | |
| logging.namespace | string | `"logging"` | |
| logging.targetRevision | string | `"0.8.14"` | |
@ -73,14 +73,17 @@ Kubernetes: `>= 1.32.0-0`
| metrics.istio.prometheus | object | `{}` | |
| metrics.kubezero.prometheus.prometheusSpec.additionalScrapeConfigs | list | `[]` | |
| metrics.namespace | string | `"monitoring"` | |
| metrics.targetRevision | string | `"0.11.0"` | |
| network.cilium.cluster | object | `{}` | |
| network.enabled | bool | `true` | |
| metrics.targetRevision | string | `"0.12.0"` | |
| network.cilium.enabled | bool | `true` | |
| network.enabled | bool | `false` | |
| network.retain | bool | `true` | |
| network.targetRevision | string | `"0.5.8"` | |
| network.targetRevision | string | `"0.5.9"` | |
| operators.enabled | bool | `false` | |
| operators.namespace | string | `"operators"` | |
| operators.targetRevision | string | `"0.2.1"` | |
| policy.enabled | bool | `false` | |
| policy.namespace | string | `"kyverno"` | |
| policy.targetRevision | string | `"0.1.0"` | |
| storage.aws-ebs-csi-driver.enabled | bool | `false` | |
| storage.aws-efs-csi-driver.enabled | bool | `false` | |
| storage.enabled | bool | `false` | |
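Review bot: `network.enabled` now defaults to `false` while the new `network.cilium.enabled` row defaults to `true`, so the table shows a sub-component enabled under a disabled parent with nothing in the Description column to say which flag wins. The new `policy.*` rows (namespace `kyverno`) are also undocumented. Please add descriptions in the values file so the generated README explains them.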
@ -91,7 +94,7 @@ Kubernetes: `>= 1.32.0-0`
| storage.targetRevision | string | `"0.8.11"` | |
| telemetry.enabled | bool | `false` | |
| telemetry.namespace | string | `"telemetry"` | |
| telemetry.targetRevision | string | `"0.4.1"` | |
| telemetry.targetRevision | string | `"0.5.0"` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

View File

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

Some files were not shown because too many files have changed in this diff