Merge pull request 'merge WIP v1.26 to start use Renovate' (#91) from v1.26 into master
Reviewed-on: ZeroDownTime/kubezero#91
This commit is contained in:
commit
a7ef468227
@ -37,7 +37,7 @@ build: ## Build the app
|
|||||||
|
|
||||||
test: rm-test-image ## Execute Dockerfile.test
|
test: rm-test-image ## Execute Dockerfile.test
|
||||||
test -f Dockerfile.test && \
|
test -f Dockerfile.test && \
|
||||||
{ buildah build --rm --layers -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test --platform linux/$(_ARCH) . && \
|
{ buildah build --rm --layers -t $(REGISTRY)/$(IMAGE):$(TAG)-$(_ARCH)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test --platform linux/$(_ARCH) . && \
|
||||||
podman run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-$(_ARCH)-test; } || \
|
podman run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-$(_ARCH)-test; } || \
|
||||||
echo "No Dockerfile.test found, skipping test"
|
echo "No Dockerfile.test found, skipping test"
|
||||||
|
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
ARG ALPINE_VERSION=3.17
|
ARG ALPINE_VERSION=3.18
|
||||||
|
|
||||||
FROM docker.io/alpine:${ALPINE_VERSION}
|
FROM docker.io/alpine:${ALPINE_VERSION}
|
||||||
|
|
||||||
ARG ALPINE_VERSION
|
ARG ALPINE_VERSION
|
||||||
ARG KUBE_VERSION=1.25
|
ARG KUBE_VERSION=1.26
|
||||||
|
|
||||||
RUN cd /etc/apk/keys && \
|
RUN cd /etc/apk/keys && \
|
||||||
wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
|
wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
|
||||||
|
22
admin/dev_apply.sh
Executable file
22
admin/dev_apply.sh
Executable file
@ -0,0 +1,22 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#set -eEx
|
||||||
|
#set -o pipefail
|
||||||
|
set -x
|
||||||
|
|
||||||
|
#VERSION="latest"
|
||||||
|
KUBE_VERSION="v1.26.6"
|
||||||
|
WORKDIR=$(mktemp -p /tmp -d kubezero.XXX)
|
||||||
|
|
||||||
|
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
||||||
|
# shellcheck disable=SC1091
|
||||||
|
. "$SCRIPT_DIR"/libhelm.sh
|
||||||
|
CHARTS="$(dirname $SCRIPT_DIR)/charts"
|
||||||
|
|
||||||
|
get_kubezero_values
|
||||||
|
|
||||||
|
# Always use embedded kubezero chart
|
||||||
|
helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --kube-version $KUBE_VERSION --version ~$KUBE_VERSION --devel --output-dir $WORKDIR
|
||||||
|
|
||||||
|
# CRDs first
|
||||||
|
_helm crds $1
|
||||||
|
_helm apply $1
|
@ -8,11 +8,6 @@ import yaml
|
|||||||
def migrate(values):
|
def migrate(values):
|
||||||
"""Actual changes here"""
|
"""Actual changes here"""
|
||||||
|
|
||||||
# Remove various keys as they have been merged into the metrics template
|
|
||||||
deleteKey(values["metrics"]['kube-prometheus-stack']["alertmanager"]["alertmanagerSpec"], "podMetadata")
|
|
||||||
deleteKey(values["metrics"]['kube-prometheus-stack']["alertmanager"], "config")
|
|
||||||
deleteKey(values["metrics"]['kube-prometheus-stack']["prometheus"]["prometheusSpec"], "externalLabels")
|
|
||||||
|
|
||||||
return values
|
return values
|
||||||
|
|
||||||
|
|
||||||
|
@ -1,7 +1,9 @@
|
|||||||
#!/bin/bash -e
|
#!/bin/bash
|
||||||
|
set -eE
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
#VERSION="latest"
|
#VERSION="latest"
|
||||||
VERSION="v1.25"
|
VERSION="v1.26"
|
||||||
ARGO_APP=${1:-/tmp/new-kubezero-argoapp.yaml}
|
ARGO_APP=${1:-/tmp/new-kubezero-argoapp.yaml}
|
||||||
|
|
||||||
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
|
||||||
@ -35,9 +37,6 @@ spec:
|
|||||||
hostIPC: true
|
hostIPC: true
|
||||||
hostPID: true
|
hostPID: true
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
operator: Exists
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
operator: Exists
|
operator: Exists
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
@ -122,9 +121,6 @@ spec:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/control-plane: ""
|
node-role.kubernetes.io/control-plane: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
operator: Exists
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
operator: Exists
|
operator: Exists
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
@ -147,14 +143,6 @@ argo_used && disable_argo
|
|||||||
|
|
||||||
#all_nodes_upgrade ""
|
#all_nodes_upgrade ""
|
||||||
|
|
||||||
# Cleanup
|
|
||||||
# Remove calico CRDs
|
|
||||||
kubectl delete -f https://git.zero-downtime.net/ZeroDownTime/kubezero/raw/tag/v1.23.11/charts/kubezero-network/charts/calico/crds/crds.yaml 2>/dev/null || true
|
|
||||||
kubectl delete servicemonitor calico-node -n kube-system 2>/dev/null || true
|
|
||||||
|
|
||||||
# delete old kubelet configs
|
|
||||||
for cm in $(kubectl get cm -n kube-system --no-headers | awk '{if ($1 ~ "kubelet-config-1*") print $1}'); do kubectl delete cm $cm -n kube-system; done
|
|
||||||
for rb in $(kubectl get rolebindings -n kube-system --no-headers | awk '{if ($1 ~ "kubelet-config-1*") print $1}'); do kubectl delete rolebindings $rb -n kube-system; done
|
|
||||||
|
|
||||||
control_plane_upgrade kubeadm_upgrade
|
control_plane_upgrade kubeadm_upgrade
|
||||||
|
|
||||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: clamav
|
name: clamav
|
||||||
description: Chart for deploying a ClamavD on kubernetes as statfulSet
|
description: Chart for deploying a ClamavD on kubernetes as statfulSet
|
||||||
type: application
|
type: application
|
||||||
version: 0.1.1
|
version: "0.2.0"
|
||||||
appVersion: 0.104.0
|
appVersion: "1.1.0"
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -13,6 +13,6 @@ maintainers:
|
|||||||
- name: Quarky9
|
- name: Quarky9
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.4"
|
version: ">= 0.1.6"
|
||||||
repository: https://cdn.zero-downtime.net/charts/
|
repository: https://cdn.zero-downtime.net/charts/
|
||||||
kubeVersion: ">= 1.18.0"
|
kubeVersion: ">= 1.25.0"
|
||||||
|
@ -16,7 +16,7 @@ clamav:
|
|||||||
# clamav.image -- The clamav docker image
|
# clamav.image -- The clamav docker image
|
||||||
image: clamav/clamav
|
image: clamav/clamav
|
||||||
# clamav.version -- The clamav docker image version - defaults to .Chart.appVersion
|
# clamav.version -- The clamav docker image version - defaults to .Chart.appVersion
|
||||||
version: "unstable"
|
# version: "unstable"
|
||||||
|
|
||||||
replicaCount: 1
|
replicaCount: 1
|
||||||
|
|
||||||
@ -40,7 +40,7 @@ clamav:
|
|||||||
# clamav.resources -- The resource requests and limits for the clamav service
|
# clamav.resources -- The resource requests and limits for the clamav service
|
||||||
requests:
|
requests:
|
||||||
cpu: 300m
|
cpu: 300m
|
||||||
memory: 1300M
|
memory: 2000M
|
||||||
#limits:
|
#limits:
|
||||||
# cpu: 1500m
|
# cpu: 2
|
||||||
# memory: 2000M
|
# memory: 4000M
|
||||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubeadm
|
name: kubeadm
|
||||||
description: KubeZero Kubeadm cluster config
|
description: KubeZero Kubeadm cluster config
|
||||||
type: application
|
type: application
|
||||||
version: 1.25.8
|
version: 1.26.7
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -11,4 +11,4 @@ keywords:
|
|||||||
maintainers:
|
maintainers:
|
||||||
- name: Stefan Reimer
|
- name: Stefan Reimer
|
||||||
email: stefan@zero-downtime.net
|
email: stefan@zero-downtime.net
|
||||||
kubeVersion: ">= 1.25.0"
|
kubeVersion: ">= 1.26.0"
|
||||||
|
159
charts/kubeadm/create_audit_policy.sh
Executable file
159
charts/kubeadm/create_audit_policy.sh
Executable file
@ -0,0 +1,159 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
function createMasterAuditPolicy() {
|
||||||
|
path="templates/apiserver/audit-policy.yaml"
|
||||||
|
|
||||||
|
known_apis='
|
||||||
|
- group: "" # core
|
||||||
|
- group: "admissionregistration.k8s.io"
|
||||||
|
- group: "apiextensions.k8s.io"
|
||||||
|
- group: "apiregistration.k8s.io"
|
||||||
|
- group: "apps"
|
||||||
|
- group: "authentication.k8s.io"
|
||||||
|
- group: "authorization.k8s.io"
|
||||||
|
- group: "autoscaling"
|
||||||
|
- group: "batch"
|
||||||
|
- group: "certificates.k8s.io"
|
||||||
|
- group: "extensions"
|
||||||
|
- group: "metrics.k8s.io"
|
||||||
|
- group: "networking.k8s.io"
|
||||||
|
- group: "node.k8s.io"
|
||||||
|
- group: "policy"
|
||||||
|
- group: "rbac.authorization.k8s.io"
|
||||||
|
- group: "scheduling.k8s.io"
|
||||||
|
- group: "storage.k8s.io"'
|
||||||
|
|
||||||
|
cat <<EOF >"${path}"
|
||||||
|
apiVersion: audit.k8s.io/v1
|
||||||
|
kind: Policy
|
||||||
|
rules:
|
||||||
|
# The following requests were manually identified as high-volume and low-risk,
|
||||||
|
# so drop them.
|
||||||
|
- level: None
|
||||||
|
users: ["system:kube-proxy"]
|
||||||
|
verbs: ["watch"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["endpoints", "services", "services/status"]
|
||||||
|
- level: None
|
||||||
|
# Ingress controller reads 'configmaps/ingress-uid' through the unsecured port.
|
||||||
|
# TODO(#46983): Change this to the ingress controller service account.
|
||||||
|
users: ["system:unsecured"]
|
||||||
|
namespaces: ["kube-system"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["configmaps"]
|
||||||
|
- level: None
|
||||||
|
users: ["kubelet"] # legacy kubelet identity
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes", "nodes/status"]
|
||||||
|
- level: None
|
||||||
|
userGroups: ["system:nodes"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes", "nodes/status"]
|
||||||
|
- level: None
|
||||||
|
users:
|
||||||
|
- system:kube-controller-manager
|
||||||
|
- system:cloud-controller-manager
|
||||||
|
- system:kube-scheduler
|
||||||
|
- system:serviceaccount:kube-system:endpoint-controller
|
||||||
|
verbs: ["get", "update"]
|
||||||
|
namespaces: ["kube-system"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["endpoints"]
|
||||||
|
- level: None
|
||||||
|
users: ["system:apiserver"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
|
||||||
|
- level: None
|
||||||
|
users: ["cluster-autoscaler"]
|
||||||
|
verbs: ["get", "update"]
|
||||||
|
namespaces: ["kube-system"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["configmaps", "endpoints"]
|
||||||
|
# Don't log HPA fetching metrics.
|
||||||
|
- level: None
|
||||||
|
users:
|
||||||
|
- system:kube-controller-manager
|
||||||
|
- system:cloud-controller-manager
|
||||||
|
verbs: ["get", "list"]
|
||||||
|
resources:
|
||||||
|
- group: "metrics.k8s.io"
|
||||||
|
|
||||||
|
# Don't log these read-only URLs.
|
||||||
|
- level: None
|
||||||
|
nonResourceURLs:
|
||||||
|
- /healthz*
|
||||||
|
- /version
|
||||||
|
- /swagger*
|
||||||
|
- /readyz
|
||||||
|
|
||||||
|
# Don't log events requests because of performance impact.
|
||||||
|
- level: None
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["events"]
|
||||||
|
|
||||||
|
# node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes
|
||||||
|
- level: Request
|
||||||
|
users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"]
|
||||||
|
verbs: ["update","patch"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes/status", "pods/status"]
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
- level: Request
|
||||||
|
userGroups: ["system:nodes"]
|
||||||
|
verbs: ["update","patch"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes/status", "pods/status"]
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
|
||||||
|
# deletecollection calls can be large, don't log responses for expected namespace deletions
|
||||||
|
- level: Request
|
||||||
|
users: ["system:serviceaccount:kube-system:namespace-controller"]
|
||||||
|
verbs: ["deletecollection"]
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
|
||||||
|
# Secrets, ConfigMaps, TokenRequest and TokenReviews can contain sensitive & binary data,
|
||||||
|
# so only log at the Metadata level.
|
||||||
|
- level: Metadata
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["secrets", "configmaps", "serviceaccounts/token"]
|
||||||
|
- group: authentication.k8s.io
|
||||||
|
resources: ["tokenreviews"]
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
# Get responses can be large; skip them.
|
||||||
|
- level: Request
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
resources: ${known_apis}
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
# Default level for known APIs
|
||||||
|
- level: RequestResponse
|
||||||
|
resources: ${known_apis}
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
# Default level for all other requests.
|
||||||
|
- level: Metadata
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
createMasterAuditPolicy
|
@ -9,7 +9,7 @@ networking:
|
|||||||
podSubnet: 10.244.0.0/16
|
podSubnet: 10.244.0.0/16
|
||||||
etcd:
|
etcd:
|
||||||
local:
|
local:
|
||||||
imageTag: 3.5.4-0
|
# imageTag: 3.5.5-0
|
||||||
extraArgs:
|
extraArgs:
|
||||||
### DNS discovery
|
### DNS discovery
|
||||||
#discovery-srv: {{ .Values.domain }}
|
#discovery-srv: {{ .Values.domain }}
|
||||||
@ -59,8 +59,11 @@ apiServer:
|
|||||||
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
|
audit-policy-file: /etc/kubernetes/apiserver/audit-policy.yaml
|
||||||
audit-log-maxage: "7"
|
audit-log-maxage: "7"
|
||||||
audit-log-maxsize: "100"
|
audit-log-maxsize: "100"
|
||||||
audit-log-maxbackup: "3"
|
audit-log-maxbackup: "1"
|
||||||
audit-log-compress: "true"
|
audit-log-compress: "true"
|
||||||
|
{{- if .Values.api.falco.enabled }}
|
||||||
|
audit-webhook-config-file: /etc/kubernetes/apiserver/audit-webhook.yaml
|
||||||
|
{{- end }}
|
||||||
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
|
tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
|
||||||
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
|
admission-control-config-file: /etc/kubernetes/apiserver/admission-configuration.yaml
|
||||||
api-audiences: {{ .Values.api.apiAudiences }}
|
api-audiences: {{ .Values.api.apiAudiences }}
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
{{- /* Feature gates for all control plane components */ -}}
|
{{- /* Feature gates for all control plane components */ -}}
|
||||||
{{- define "kubeadm.featuregates" }}
|
{{- define "kubeadm.featuregates" }}
|
||||||
{{- $gates := list "CustomCPUCFSQuotaPeriod" "NodeOutOfServiceVolumeDetach" }}
|
{{- $gates := list "CustomCPUCFSQuotaPeriod" }}
|
||||||
{{- if eq .return "csv" }}
|
{{- if eq .return "csv" }}
|
||||||
{{- range $key := $gates }}
|
{{- range $key := $gates }}
|
||||||
{{- $key }}=true,
|
{{- $key }}=true,
|
||||||
|
7
charts/kubeadm/templates/apiserver/audit-policy-off.yaml
Normal file
7
charts/kubeadm/templates/apiserver/audit-policy-off.yaml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# Don't Log anything, but audit policy enabled
|
||||||
|
apiVersion: audit.k8s.io/v1
|
||||||
|
kind: Policy
|
||||||
|
metadata:
|
||||||
|
name: kubezero-auditpolicy
|
||||||
|
rules:
|
||||||
|
- level: None
|
@ -1,7 +1,164 @@
|
|||||||
# Don't Log anything, but audit policy enabled
|
|
||||||
apiVersion: audit.k8s.io/v1
|
apiVersion: audit.k8s.io/v1
|
||||||
kind: Policy
|
kind: Policy
|
||||||
metadata:
|
|
||||||
name: kubezero-auditpolicy
|
|
||||||
rules:
|
rules:
|
||||||
- level: None
|
# The following requests were manually identified as high-volume and low-risk,
|
||||||
|
# so drop them.
|
||||||
|
- level: None
|
||||||
|
users: ["system:kube-proxy"]
|
||||||
|
verbs: ["watch"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["endpoints", "services", "services/status"]
|
||||||
|
- level: None
|
||||||
|
# Ingress controller reads 'configmaps/ingress-uid' through the unsecured port.
|
||||||
|
# TODO(#46983): Change this to the ingress controller service account.
|
||||||
|
users: ["system:unsecured"]
|
||||||
|
namespaces: ["kube-system"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["configmaps"]
|
||||||
|
- level: None
|
||||||
|
users: ["kubelet"] # legacy kubelet identity
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes", "nodes/status"]
|
||||||
|
- level: None
|
||||||
|
userGroups: ["system:nodes"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes", "nodes/status"]
|
||||||
|
- level: None
|
||||||
|
users:
|
||||||
|
- system:kube-controller-manager
|
||||||
|
- system:cloud-controller-manager
|
||||||
|
- system:kube-scheduler
|
||||||
|
- system:serviceaccount:kube-system:endpoint-controller
|
||||||
|
verbs: ["get", "update"]
|
||||||
|
namespaces: ["kube-system"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["endpoints"]
|
||||||
|
- level: None
|
||||||
|
users: ["system:apiserver"]
|
||||||
|
verbs: ["get"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["namespaces", "namespaces/status", "namespaces/finalize"]
|
||||||
|
- level: None
|
||||||
|
users: ["cluster-autoscaler"]
|
||||||
|
verbs: ["get", "update"]
|
||||||
|
namespaces: ["kube-system"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["configmaps", "endpoints"]
|
||||||
|
# Don't log HPA fetching metrics.
|
||||||
|
- level: None
|
||||||
|
users:
|
||||||
|
- system:kube-controller-manager
|
||||||
|
- system:cloud-controller-manager
|
||||||
|
verbs: ["get", "list"]
|
||||||
|
resources:
|
||||||
|
- group: "metrics.k8s.io"
|
||||||
|
|
||||||
|
# Don't log these read-only URLs.
|
||||||
|
- level: None
|
||||||
|
nonResourceURLs:
|
||||||
|
- /healthz*
|
||||||
|
- /version
|
||||||
|
- /swagger*
|
||||||
|
|
||||||
|
# Don't log events requests because of performance impact.
|
||||||
|
- level: None
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["events"]
|
||||||
|
|
||||||
|
# node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes
|
||||||
|
- level: Request
|
||||||
|
users: ["kubelet", "system:node-problem-detector", "system:serviceaccount:kube-system:node-problem-detector"]
|
||||||
|
verbs: ["update","patch"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes/status", "pods/status"]
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
- level: Request
|
||||||
|
userGroups: ["system:nodes"]
|
||||||
|
verbs: ["update","patch"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["nodes/status", "pods/status"]
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
|
||||||
|
# deletecollection calls can be large, don't log responses for expected namespace deletions
|
||||||
|
- level: Request
|
||||||
|
users: ["system:serviceaccount:kube-system:namespace-controller"]
|
||||||
|
verbs: ["deletecollection"]
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
|
||||||
|
# Secrets, ConfigMaps, TokenRequest and TokenReviews can contain sensitive & binary data,
|
||||||
|
# so only log at the Metadata level.
|
||||||
|
- level: Metadata
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
resources: ["secrets", "configmaps", "serviceaccounts/token"]
|
||||||
|
- group: authentication.k8s.io
|
||||||
|
resources: ["tokenreviews"]
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
# Get responses can be large; skip them.
|
||||||
|
- level: Request
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
- group: "admissionregistration.k8s.io"
|
||||||
|
- group: "apiextensions.k8s.io"
|
||||||
|
- group: "apiregistration.k8s.io"
|
||||||
|
- group: "apps"
|
||||||
|
- group: "authentication.k8s.io"
|
||||||
|
- group: "authorization.k8s.io"
|
||||||
|
- group: "autoscaling"
|
||||||
|
- group: "batch"
|
||||||
|
- group: "certificates.k8s.io"
|
||||||
|
- group: "extensions"
|
||||||
|
- group: "metrics.k8s.io"
|
||||||
|
- group: "networking.k8s.io"
|
||||||
|
- group: "node.k8s.io"
|
||||||
|
- group: "policy"
|
||||||
|
- group: "rbac.authorization.k8s.io"
|
||||||
|
- group: "scheduling.k8s.io"
|
||||||
|
- group: "storage.k8s.io"
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
# Default level for known APIs
|
||||||
|
- level: RequestResponse
|
||||||
|
resources:
|
||||||
|
- group: "" # core
|
||||||
|
- group: "admissionregistration.k8s.io"
|
||||||
|
- group: "apiextensions.k8s.io"
|
||||||
|
- group: "apiregistration.k8s.io"
|
||||||
|
- group: "apps"
|
||||||
|
- group: "authentication.k8s.io"
|
||||||
|
- group: "authorization.k8s.io"
|
||||||
|
- group: "autoscaling"
|
||||||
|
- group: "batch"
|
||||||
|
- group: "certificates.k8s.io"
|
||||||
|
- group: "extensions"
|
||||||
|
- group: "metrics.k8s.io"
|
||||||
|
- group: "networking.k8s.io"
|
||||||
|
- group: "node.k8s.io"
|
||||||
|
- group: "policy"
|
||||||
|
- group: "rbac.authorization.k8s.io"
|
||||||
|
- group: "scheduling.k8s.io"
|
||||||
|
- group: "storage.k8s.io"
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
# Default level for all other requests.
|
||||||
|
- level: Metadata
|
||||||
|
omitStages:
|
||||||
|
- "RequestReceived"
|
||||||
|
14
charts/kubeadm/templates/apiserver/audit-webhook.yaml
Normal file
14
charts/kubeadm/templates/apiserver/audit-webhook.yaml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: Config
|
||||||
|
clusters:
|
||||||
|
- name: falco
|
||||||
|
cluster:
|
||||||
|
server: http://falco-control-plane-k8saudit-webhook:9765/k8s-audit
|
||||||
|
contexts:
|
||||||
|
- context:
|
||||||
|
cluster: falco
|
||||||
|
user: ""
|
||||||
|
name: default-context
|
||||||
|
current-context: default-context
|
||||||
|
preferences: {}
|
||||||
|
users: []
|
@ -1,4 +1,5 @@
|
|||||||
spec:
|
spec:
|
||||||
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
containers:
|
containers:
|
||||||
- name: kube-apiserver
|
- name: kube-apiserver
|
||||||
resources:
|
resources:
|
||||||
|
@ -110,14 +110,12 @@ spec:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/control-plane: ""
|
node-role.kubernetes.io/control-plane: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
- effect: NoSchedule
|
|
||||||
key: node-role.kubernetes.io/master
|
|
||||||
- effect: NoSchedule
|
- effect: NoSchedule
|
||||||
key: node-role.kubernetes.io/control-plane
|
key: node-role.kubernetes.io/control-plane
|
||||||
|
|
||||||
containers:
|
containers:
|
||||||
- name: aws-iam-authenticator
|
- name: aws-iam-authenticator
|
||||||
image: public.ecr.aws/zero-downtime/aws-iam-authenticator:v0.5.11
|
image: public.ecr.aws/zero-downtime/aws-iam-authenticator:v0.6.10
|
||||||
args:
|
args:
|
||||||
- server
|
- server
|
||||||
- --backend-mode=CRD,MountedFile
|
- --backend-mode=CRD,MountedFile
|
||||||
|
@ -25,6 +25,9 @@ api:
|
|||||||
workerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
|
workerNodeRole: "arn:aws:iam::000000000000:role/KubernetesNode"
|
||||||
kubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"
|
kubeAdminRole: "arn:aws:iam::000000000000:role/KubernetesNode"
|
||||||
|
|
||||||
|
falco:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
etcd:
|
etcd:
|
||||||
nodeName: etcd
|
nodeName: etcd
|
||||||
state: new
|
state: new
|
||||||
|
@ -2,8 +2,8 @@ apiVersion: v2
|
|||||||
name: kubezero-addons
|
name: kubezero-addons
|
||||||
description: KubeZero umbrella chart for various optional cluster addons
|
description: KubeZero umbrella chart for various optional cluster addons
|
||||||
type: application
|
type: application
|
||||||
version: 0.7.5
|
version: 0.8.0
|
||||||
appVersion: v1.25
|
appVersion: v1.26
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -15,6 +15,7 @@ keywords:
|
|||||||
- sealed-secrets
|
- sealed-secrets
|
||||||
- external-dns
|
- external-dns
|
||||||
- aws-node-termination-handler
|
- aws-node-termination-handler
|
||||||
|
- falco
|
||||||
maintainers:
|
maintainers:
|
||||||
- name: Stefan Reimer
|
- name: Stefan Reimer
|
||||||
email: stefan@zero-downtime.net
|
email: stefan@zero-downtime.net
|
||||||
@ -44,4 +45,9 @@ dependencies:
|
|||||||
version: 1.3.0
|
version: 1.3.0
|
||||||
# repository: https://twin.github.io/helm-charts
|
# repository: https://twin.github.io/helm-charts
|
||||||
condition: aws-eks-asg-rolling-update-handler.enabled
|
condition: aws-eks-asg-rolling-update-handler.enabled
|
||||||
kubeVersion: ">= 1.25.0"
|
- name: falco
|
||||||
|
version: 3.3.0
|
||||||
|
repository: https://falcosecurity.github.io/charts
|
||||||
|
condition: falco-control-plane.enabled
|
||||||
|
alias: falco-control-plane
|
||||||
|
kubeVersion: ">= 1.26.0"
|
||||||
|
@ -66,9 +66,7 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
|
|||||||
| aws-eks-asg-rolling-update-handler.resources.requests.cpu | string | `"10m"` | |
|
| aws-eks-asg-rolling-update-handler.resources.requests.cpu | string | `"10m"` | |
|
||||||
| aws-eks-asg-rolling-update-handler.resources.requests.memory | string | `"32Mi"` | |
|
| aws-eks-asg-rolling-update-handler.resources.requests.memory | string | `"32Mi"` | |
|
||||||
| aws-eks-asg-rolling-update-handler.tolerations[0].effect | string | `"NoSchedule"` | |
|
| aws-eks-asg-rolling-update-handler.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| aws-eks-asg-rolling-update-handler.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| aws-eks-asg-rolling-update-handler.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| aws-eks-asg-rolling-update-handler.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| aws-eks-asg-rolling-update-handler.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| aws-node-termination-handler.deleteLocalData | bool | `true` | |
|
| aws-node-termination-handler.deleteLocalData | bool | `true` | |
|
||||||
| aws-node-termination-handler.emitKubernetesEvents | bool | `true` | |
|
| aws-node-termination-handler.emitKubernetesEvents | bool | `true` | |
|
||||||
| aws-node-termination-handler.enableProbesServer | bool | `true` | |
|
| aws-node-termination-handler.enableProbesServer | bool | `true` | |
|
||||||
@ -93,9 +91,7 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
|
|||||||
| aws-node-termination-handler.rbac.pspEnabled | bool | `false` | |
|
| aws-node-termination-handler.rbac.pspEnabled | bool | `false` | |
|
||||||
| aws-node-termination-handler.taintNode | bool | `true` | |
|
| aws-node-termination-handler.taintNode | bool | `true` | |
|
||||||
| aws-node-termination-handler.tolerations[0].effect | string | `"NoSchedule"` | |
|
| aws-node-termination-handler.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| aws-node-termination-handler.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| aws-node-termination-handler.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| aws-node-termination-handler.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| aws-node-termination-handler.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| aws-node-termination-handler.useProviderId | bool | `true` | |
|
| aws-node-termination-handler.useProviderId | bool | `true` | |
|
||||||
| awsNeuron.enabled | bool | `false` | |
|
| awsNeuron.enabled | bool | `false` | |
|
||||||
| awsNeuron.image.name | string | `"public.ecr.aws/neuron/neuron-device-plugin"` | |
|
| awsNeuron.image.name | string | `"public.ecr.aws/neuron/neuron-device-plugin"` | |
|
||||||
@ -115,9 +111,7 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
|
|||||||
| cluster-autoscaler.serviceMonitor.enabled | bool | `false` | |
|
| cluster-autoscaler.serviceMonitor.enabled | bool | `false` | |
|
||||||
| cluster-autoscaler.serviceMonitor.interval | string | `"30s"` | |
|
| cluster-autoscaler.serviceMonitor.interval | string | `"30s"` | |
|
||||||
| cluster-autoscaler.tolerations[0].effect | string | `"NoSchedule"` | |
|
| cluster-autoscaler.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| cluster-autoscaler.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cluster-autoscaler.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| cluster-autoscaler.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| cluster-autoscaler.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| clusterBackup.enabled | bool | `false` | |
|
| clusterBackup.enabled | bool | `false` | |
|
||||||
| clusterBackup.extraEnv | list | `[]` | |
|
| clusterBackup.extraEnv | list | `[]` | |
|
||||||
| clusterBackup.image.name | string | `"public.ecr.aws/zero-downtime/kubezero-admin"` | |
|
| clusterBackup.image.name | string | `"public.ecr.aws/zero-downtime/kubezero-admin"` | |
|
||||||
@ -129,9 +123,7 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
|
|||||||
| external-dns.provider | string | `"inmemory"` | |
|
| external-dns.provider | string | `"inmemory"` | |
|
||||||
| external-dns.sources[0] | string | `"service"` | |
|
| external-dns.sources[0] | string | `"service"` | |
|
||||||
| external-dns.tolerations[0].effect | string | `"NoSchedule"` | |
|
| external-dns.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| external-dns.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| external-dns.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| external-dns.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| external-dns.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| external-dns.triggerLoopOnEvent | bool | `true` | |
|
| external-dns.triggerLoopOnEvent | bool | `true` | |
|
||||||
| forseti.aws.iamRoleArn | string | `""` | "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.kubezeroForseti" |
|
| forseti.aws.iamRoleArn | string | `""` | "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.kubezeroForseti" |
|
||||||
| forseti.aws.region | string | `""` | |
|
| forseti.aws.region | string | `""` | |
|
||||||
@ -171,6 +163,4 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/)
|
|||||||
| sealed-secrets.resources.requests.cpu | string | `"10m"` | |
|
| sealed-secrets.resources.requests.cpu | string | `"10m"` | |
|
||||||
| sealed-secrets.resources.requests.memory | string | `"24Mi"` | |
|
| sealed-secrets.resources.requests.memory | string | `"24Mi"` | |
|
||||||
| sealed-secrets.tolerations[0].effect | string | `"NoSchedule"` | |
|
| sealed-secrets.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| sealed-secrets.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| sealed-secrets.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| sealed-secrets.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| sealed-secrets.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
|
@ -55,8 +55,6 @@ spec:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/control-plane: ""
|
node-role.kubernetes.io/control-plane: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
restartPolicy: Never
|
restartPolicy: Never
|
||||||
|
@ -69,8 +69,6 @@ spec:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/control-plane: ""
|
node-role.kubernetes.io/control-plane: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
volumes:
|
volumes:
|
||||||
|
@ -47,8 +47,6 @@ sealed-secrets:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/control-plane: ""
|
node-role.kubernetes.io/control-plane: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
|
|
||||||
@ -88,8 +86,6 @@ aws-eks-asg-rolling-update-handler:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/control-plane: ""
|
node-role.kubernetes.io/control-plane: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
|
|
||||||
@ -98,8 +94,9 @@ aws-node-termination-handler:
|
|||||||
|
|
||||||
fullnameOverride: "aws-node-termination-handler"
|
fullnameOverride: "aws-node-termination-handler"
|
||||||
|
|
||||||
# -- "aws-node-termination-handler/${ClusterName}"
|
checkASGTagBeforeDraining: false
|
||||||
managedTag: "aws-node-termination-handler/managed"
|
# -- "zdt:kubezero:nth:${ClusterName}"
|
||||||
|
managedTag: "zdt:kubezero:nth:${ClusterName}"
|
||||||
|
|
||||||
useProviderId: true
|
useProviderId: true
|
||||||
enableSqsTerminationDraining: true
|
enableSqsTerminationDraining: true
|
||||||
@ -132,8 +129,6 @@ aws-node-termination-handler:
|
|||||||
logFormatVersion: 2
|
logFormatVersion: 2
|
||||||
|
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -218,8 +213,6 @@ cluster-autoscaler:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/control-plane: ""
|
node-role.kubernetes.io/control-plane: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
|
|
||||||
@ -250,8 +243,6 @@ external-dns:
|
|||||||
triggerLoopOnEvent: true
|
triggerLoopOnEvent: true
|
||||||
|
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -263,3 +254,72 @@ external-dns:
|
|||||||
#- istio-gateway
|
#- istio-gateway
|
||||||
|
|
||||||
provider: inmemory
|
provider: inmemory
|
||||||
|
|
||||||
|
falco-control-plane:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
fullnameOverride: falco-control-plane
|
||||||
|
|
||||||
|
# -- Disable the drivers since we want to deploy only the k8saudit plugin.
|
||||||
|
driver:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
# -- Disable the collectors, no syscall events to enrich with metadata.
|
||||||
|
collectors:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
nodeSelector:
|
||||||
|
node-role.kubernetes.io/control-plane: ""
|
||||||
|
|
||||||
|
# -- Deploy Falco as a deployment. One instance of Falco is enough. Anyway the number of replicas is configurabale.
|
||||||
|
controller:
|
||||||
|
kind: deployment
|
||||||
|
deployment:
|
||||||
|
# -- Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing.
|
||||||
|
# For more info check the section on Plugins in the README.md file.
|
||||||
|
replicas: 1
|
||||||
|
|
||||||
|
|
||||||
|
falcoctl:
|
||||||
|
artifact:
|
||||||
|
install:
|
||||||
|
# -- Enable the init container. We do not recommend installing (or following) plugins for security reasons since they are executable objects.
|
||||||
|
enabled: true
|
||||||
|
follow:
|
||||||
|
# -- Enable the sidecar container. We do not support it yet for plugins. It is used only for rules feed such as k8saudit-rules rules.
|
||||||
|
enabled: true
|
||||||
|
config:
|
||||||
|
artifact:
|
||||||
|
install:
|
||||||
|
# -- Do not resolve the depenencies for artifacts. By default is true, but for our use case we disable it.
|
||||||
|
resolveDeps: false
|
||||||
|
# -- List of artifacts to be installed by the falcoctl init container.
|
||||||
|
# Only rulesfiles, we do no recommend plugins for security reasonts since they are executable objects.
|
||||||
|
refs: [k8saudit-rules:0.6]
|
||||||
|
follow:
|
||||||
|
# -- List of artifacts to be followed by the falcoctl sidecar container.
|
||||||
|
# Only rulesfiles, we do no recommend plugins for security reasonts since they are executable objects.
|
||||||
|
refs: [k8saudit-rules:0.6]
|
||||||
|
|
||||||
|
services:
|
||||||
|
- name: k8saudit-webhook
|
||||||
|
ports:
|
||||||
|
- port: 9765 # See plugin open_params
|
||||||
|
protocol: TCP
|
||||||
|
|
||||||
|
falco:
|
||||||
|
rules_file:
|
||||||
|
- /etc/falco/k8s_audit_rules.yaml
|
||||||
|
- /etc/falco/rules.d
|
||||||
|
plugins:
|
||||||
|
- name: k8saudit
|
||||||
|
library_path: libk8saudit.so
|
||||||
|
init_config:
|
||||||
|
maxEventBytes: 1048576
|
||||||
|
# sslCertificate: /etc/falco/falco.pem
|
||||||
|
open_params: "http://:9765/k8s-audit"
|
||||||
|
- name: json
|
||||||
|
library_path: libjson.so
|
||||||
|
init_config: ""
|
||||||
|
# Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container.
|
||||||
|
load_plugins: [k8saudit, json]
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
apiVersion: v2
|
apiVersion: v2
|
||||||
description: KubeZero ArgoCD - config, branding, image-updater (optional)
|
description: KubeZero ArgoCD - config, branding, image-updater (optional)
|
||||||
name: kubezero-argocd
|
name: kubezero-argocd
|
||||||
version: 0.12.0
|
version: 0.13.0
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -17,13 +17,13 @@ dependencies:
|
|||||||
version: ">= 0.1.6"
|
version: ">= 0.1.6"
|
||||||
repository: https://cdn.zero-downtime.net/charts/
|
repository: https://cdn.zero-downtime.net/charts/
|
||||||
- name: argo-cd
|
- name: argo-cd
|
||||||
version: 5.28.2
|
version: 5.37.1
|
||||||
repository: https://argoproj.github.io/argo-helm
|
repository: https://argoproj.github.io/argo-helm
|
||||||
- name: argocd-apps
|
- name: argocd-apps
|
||||||
version: 0.0.9
|
version: 1.2.0
|
||||||
repository: https://argoproj.github.io/argo-helm
|
repository: https://argoproj.github.io/argo-helm
|
||||||
- name: argocd-image-updater
|
- name: argocd-image-updater
|
||||||
version: 0.8.5
|
version: 0.9.1
|
||||||
repository: https://argoproj.github.io/argo-helm
|
repository: https://argoproj.github.io/argo-helm
|
||||||
condition: argocd-image-updater.enabled
|
condition: argocd-image-updater.enabled
|
||||||
kubeVersion: ">= 1.25.0"
|
kubeVersion: ">= 1.26.0"
|
||||||
|
@ -26,6 +26,7 @@ argo-cd:
|
|||||||
configs:
|
configs:
|
||||||
styles: |
|
styles: |
|
||||||
.sidebar__logo img { content: url(https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png); }
|
.sidebar__logo img { content: url(https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png); }
|
||||||
|
.sidebar__logo__text-logo { height: 0em; }
|
||||||
.sidebar { background: linear-gradient(to bottom, #6A4D79, #493558, #2D1B30, #0D0711); }
|
.sidebar { background: linear-gradient(to bottom, #6A4D79, #493558, #2D1B30, #0D0711); }
|
||||||
|
|
||||||
cm:
|
cm:
|
||||||
|
@ -34,9 +34,7 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
|||||||
|-----|------|---------|-------------|
|
|-----|------|---------|-------------|
|
||||||
| cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
| cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | |
|
| cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| cert-manager.cainjector.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| cert-manager.cainjector.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| cert-manager.enabled | bool | `true` | |
|
| cert-manager.enabled | bool | `true` | |
|
||||||
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
|
| cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | |
|
||||||
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
|
| cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | |
|
||||||
@ -46,14 +44,10 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make
|
|||||||
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
|
| cert-manager.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||||
| cert-manager.startupapicheck.enabled | bool | `false` | |
|
| cert-manager.startupapicheck.enabled | bool | `false` | |
|
||||||
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
|
| cert-manager.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| cert-manager.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| cert-manager.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| cert-manager.webhook.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| cert-manager.webhook.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
| cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | |
|
| cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| cert-manager.webhook.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| cert-manager.webhook.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| clusterIssuer | object | `{}` | |
|
| clusterIssuer | object | `{}` | |
|
||||||
| localCA.enabled | bool | `false` | |
|
| localCA.enabled | bool | `false` | |
|
||||||
| localCA.selfsigning | bool | `true` | |
|
| localCA.selfsigning | bool | `true` | |
|
||||||
|
@ -49,8 +49,6 @@ cert-manager:
|
|||||||
# readOnly: true
|
# readOnly: true
|
||||||
|
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -62,8 +60,6 @@ cert-manager:
|
|||||||
|
|
||||||
webhook:
|
webhook:
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -71,8 +67,6 @@ cert-manager:
|
|||||||
|
|
||||||
cainjector:
|
cainjector:
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -2,14 +2,14 @@ apiVersion: v2
|
|||||||
name: kubezero-ci
|
name: kubezero-ci
|
||||||
description: KubeZero umbrella chart for all things CI
|
description: KubeZero umbrella chart for all things CI
|
||||||
type: application
|
type: application
|
||||||
version: 0.6.3
|
version: 0.7.0
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
- kubezero
|
- kubezero
|
||||||
- jenkins
|
- jenkins
|
||||||
- goCD
|
|
||||||
- gitea
|
- gitea
|
||||||
|
- renovate
|
||||||
maintainers:
|
maintainers:
|
||||||
- name: Stefan Reimer
|
- name: Stefan Reimer
|
||||||
email: stefan@zero-downtime.net
|
email: stefan@zero-downtime.net
|
||||||
@ -17,20 +17,20 @@ dependencies:
|
|||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.6"
|
version: ">= 0.1.6"
|
||||||
repository: https://cdn.zero-downtime.net/charts/
|
repository: https://cdn.zero-downtime.net/charts/
|
||||||
- name: gocd
|
|
||||||
version: 1.40.8
|
|
||||||
repository: https://gocd.github.io/helm-chart
|
|
||||||
condition: gocd.enabled
|
|
||||||
- name: gitea
|
- name: gitea
|
||||||
version: 8.3.0
|
version: 9.1.0
|
||||||
repository: https://dl.gitea.io/charts/
|
repository: https://dl.gitea.io/charts/
|
||||||
condition: gitea.enabled
|
condition: gitea.enabled
|
||||||
- name: jenkins
|
- name: jenkins
|
||||||
version: 4.3.24
|
version: 4.5.0
|
||||||
repository: https://charts.jenkins.io
|
repository: https://charts.jenkins.io
|
||||||
condition: jenkins.enabled
|
condition: jenkins.enabled
|
||||||
- name: trivy
|
- name: trivy
|
||||||
version: 0.7.0
|
version: 0.7.0
|
||||||
repository: https://aquasecurity.github.io/helm-charts/
|
repository: https://aquasecurity.github.io/helm-charts/
|
||||||
condition: trivy.enabled
|
condition: trivy.enabled
|
||||||
kubeVersion: ">= 1.24.0"
|
- name: renovate
|
||||||
|
version: 36.31.0
|
||||||
|
repository: https://docs.renovatebot.com/helm-charts
|
||||||
|
condition: renovate.enabled
|
||||||
|
kubeVersion: ">= 1.25.0"
|
||||||
|
@ -21,7 +21,7 @@ Kubernetes: `>= 1.24.0`
|
|||||||
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 |
|
| https://aquasecurity.github.io/helm-charts/ | trivy | 0.7.0 |
|
||||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
||||||
| https://charts.jenkins.io | jenkins | 4.3.24 |
|
| https://charts.jenkins.io | jenkins | 4.3.24 |
|
||||||
| https://dl.gitea.io/charts/ | gitea | 8.2.0 |
|
| https://dl.gitea.io/charts/ | gitea | 8.3.0 |
|
||||||
| https://gocd.github.io/helm-chart | gocd | 1.40.8 |
|
| https://gocd.github.io/helm-chart | gocd | 1.40.8 |
|
||||||
|
|
||||||
# Jenkins
|
# Jenkins
|
||||||
@ -101,9 +101,8 @@ Kubernetes: `>= 1.24.0`
|
|||||||
| jenkins.controller.installPlugins[0] | string | `"kubernetes:3937.vd7b_82db_e347b_"` | |
|
| jenkins.controller.installPlugins[0] | string | `"kubernetes:3937.vd7b_82db_e347b_"` | |
|
||||||
| jenkins.controller.installPlugins[10] | string | `"build-discarder:139.v05696a_7fe240"` | |
|
| jenkins.controller.installPlugins[10] | string | `"build-discarder:139.v05696a_7fe240"` | |
|
||||||
| jenkins.controller.installPlugins[11] | string | `"dark-theme:315.va_22e7d692ea_a"` | |
|
| jenkins.controller.installPlugins[11] | string | `"dark-theme:315.va_22e7d692ea_a"` | |
|
||||||
| jenkins.controller.installPlugins[12] | string | `"kubernetes-credentials-provider:1.211.vc236a_f5a_2f3c"` | |
|
|
||||||
| jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:581.v0c46fa_697ffd"` | |
|
| jenkins.controller.installPlugins[1] | string | `"workflow-aggregator:581.v0c46fa_697ffd"` | |
|
||||||
| jenkins.controller.installPlugins[2] | string | `"git:5.0.2"` | |
|
| jenkins.controller.installPlugins[2] | string | `"git:5.1.0"` | |
|
||||||
| jenkins.controller.installPlugins[3] | string | `"basic-branch-build-strategies:71.vc1421f89888e"` | |
|
| jenkins.controller.installPlugins[3] | string | `"basic-branch-build-strategies:71.vc1421f89888e"` | |
|
||||||
| jenkins.controller.installPlugins[4] | string | `"pipeline-graph-view:183.v9e27732d970f"` | |
|
| jenkins.controller.installPlugins[4] | string | `"pipeline-graph-view:183.v9e27732d970f"` | |
|
||||||
| jenkins.controller.installPlugins[5] | string | `"pipeline-stage-view:2.32"` | |
|
| jenkins.controller.installPlugins[5] | string | `"pipeline-stage-view:2.32"` | |
|
||||||
@ -112,7 +111,7 @@ Kubernetes: `>= 1.24.0`
|
|||||||
| jenkins.controller.installPlugins[8] | string | `"prometheus:2.2.3"` | |
|
| jenkins.controller.installPlugins[8] | string | `"prometheus:2.2.3"` | |
|
||||||
| jenkins.controller.installPlugins[9] | string | `"htmlpublisher:1.31"` | |
|
| jenkins.controller.installPlugins[9] | string | `"htmlpublisher:1.31"` | |
|
||||||
| jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | |
|
| jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | |
|
||||||
| jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=180 --sessionEviction=3600"` | |
|
| jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=300 --sessionEviction=10800"` | |
|
||||||
| jenkins.controller.prometheus.enabled | bool | `false` | |
|
| jenkins.controller.prometheus.enabled | bool | `false` | |
|
||||||
| jenkins.controller.resources.limits.memory | string | `"4096Mi"` | |
|
| jenkins.controller.resources.limits.memory | string | `"4096Mi"` | |
|
||||||
| jenkins.controller.resources.requests.cpu | string | `"250m"` | |
|
| jenkins.controller.resources.requests.cpu | string | `"250m"` | |
|
||||||
|
@ -1,18 +0,0 @@
|
|||||||
{{- if and .Values.gocd.enabled .Values.gocd.istio.enabled }}
|
|
||||||
apiVersion: networking.istio.io/v1beta1
|
|
||||||
kind: VirtualService
|
|
||||||
metadata:
|
|
||||||
name: {{ include "kubezero-lib.fullname" . }}
|
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
|
||||||
{{- include "kubezero-lib.labels" . | nindent 4 }}
|
|
||||||
spec:
|
|
||||||
gateways:
|
|
||||||
- {{ .Values.gocd.istio.gateway }}
|
|
||||||
hosts:
|
|
||||||
- {{ .Values.gocd.istio.url }}
|
|
||||||
http:
|
|
||||||
- route:
|
|
||||||
- destination:
|
|
||||||
host: gocd-server
|
|
||||||
{{- end }}
|
|
@ -1,24 +1,23 @@
|
|||||||
gocd:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
server:
|
|
||||||
service:
|
|
||||||
type: "ClusterIP"
|
|
||||||
ingress:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
istio:
|
|
||||||
enabled: false
|
|
||||||
gateway: istio-ingress/private-ingressgateway
|
|
||||||
url: "" # gocd.example.com
|
|
||||||
|
|
||||||
|
|
||||||
gitea:
|
gitea:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
image:
|
#image:
|
||||||
#tag: 1.17.4
|
#tag: 1.17.4
|
||||||
rootless: true
|
#rootless: true
|
||||||
|
|
||||||
|
repliaCount: 1
|
||||||
|
|
||||||
|
# We use RWO persistence
|
||||||
|
strategy:
|
||||||
|
type: "Recreate"
|
||||||
|
|
||||||
|
# Since V9 they default to RWX and deployment, we default to old existing RWO from statefulset
|
||||||
|
persistence:
|
||||||
|
enabled: true
|
||||||
|
mount: true
|
||||||
|
create: false
|
||||||
|
#claimName: <set per install>
|
||||||
|
size: 4Gi
|
||||||
|
|
||||||
securityContext:
|
securityContext:
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
@ -28,10 +27,6 @@ gitea:
|
|||||||
add:
|
add:
|
||||||
- SYS_CHROOT
|
- SYS_CHROOT
|
||||||
|
|
||||||
persistence:
|
|
||||||
enabled: true
|
|
||||||
size: 4Gi
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
cpu: "150m"
|
cpu: "150m"
|
||||||
@ -56,15 +51,17 @@ gitea:
|
|||||||
DB_TYPE: sqlite3
|
DB_TYPE: sqlite3
|
||||||
cache:
|
cache:
|
||||||
ADAPTER: memory
|
ADAPTER: memory
|
||||||
|
session:
|
||||||
|
PROVIDER: memory
|
||||||
|
queue:
|
||||||
|
TYPE: level
|
||||||
|
|
||||||
memcached:
|
redis-cluster:
|
||||||
|
enabled: false
|
||||||
|
postgresql-ha:
|
||||||
enabled: false
|
enabled: false
|
||||||
postgresql:
|
postgresql:
|
||||||
enabled: false
|
enabled: false
|
||||||
mysql:
|
|
||||||
enabled: false
|
|
||||||
mariadb:
|
|
||||||
enabled: false
|
|
||||||
|
|
||||||
istio:
|
istio:
|
||||||
enabled: false
|
enabled: false
|
||||||
@ -121,19 +118,19 @@ jenkins:
|
|||||||
numToKeepStr: "10"
|
numToKeepStr: "10"
|
||||||
|
|
||||||
installPlugins:
|
installPlugins:
|
||||||
- kubernetes:3937.vd7b_82db_e347b_
|
- kubernetes:3985.vd26d77b_2a_48a_
|
||||||
|
- kubernetes-credentials-provider:1.225.v14f9e6b_28f53
|
||||||
- workflow-aggregator:581.v0c46fa_697ffd
|
- workflow-aggregator:581.v0c46fa_697ffd
|
||||||
- git:5.1.0
|
- git:5.2.0
|
||||||
- basic-branch-build-strategies:71.vc1421f89888e
|
- basic-branch-build-strategies:81.v05e333931c7d
|
||||||
- pipeline-graph-view:183.v9e27732d970f
|
- pipeline-graph-view:183.v9e27732d970f
|
||||||
- pipeline-stage-view:2.32
|
- pipeline-stage-view:2.33
|
||||||
- configuration-as-code:1647.ve39ca_b_829b_42
|
- configuration-as-code:1670.v564dc8b_982d0
|
||||||
- antisamy-markup-formatter:159.v25b_c67cd35fb_
|
- antisamy-markup-formatter:162.v0e6ec0fcfcf6
|
||||||
- prometheus:2.2.3
|
- prometheus:2.2.3
|
||||||
- htmlpublisher:1.31
|
- htmlpublisher:1.32
|
||||||
- build-discarder:139.v05696a_7fe240
|
- build-discarder:139.v05696a_7fe240
|
||||||
- dark-theme:315.va_22e7d692ea_a
|
- dark-theme:336.v02165cd8c2ee
|
||||||
- kubernetes-credentials-provider:1.211.vc236a_f5a_2f3c
|
|
||||||
|
|
||||||
serviceAccountAgent:
|
serviceAccountAgent:
|
||||||
create: true
|
create: true
|
||||||
@ -142,7 +139,7 @@ jenkins:
|
|||||||
# Preconfigure agents to use zdt podman requires fuse/overlayfs
|
# Preconfigure agents to use zdt podman requires fuse/overlayfs
|
||||||
agent:
|
agent:
|
||||||
image: public.ecr.aws/zero-downtime/jenkins-podman
|
image: public.ecr.aws/zero-downtime/jenkins-podman
|
||||||
tag: v0.4.2
|
tag: v0.4.3
|
||||||
#alwaysPullImage: true
|
#alwaysPullImage: true
|
||||||
podRetention: "Default"
|
podRetention: "Default"
|
||||||
showRawYaml: false
|
showRawYaml: false
|
||||||
@ -237,3 +234,16 @@ trivy:
|
|||||||
size: 1Gi
|
size: 1Gi
|
||||||
rbac:
|
rbac:
|
||||||
create: false
|
create: false
|
||||||
|
|
||||||
|
renovate:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
env:
|
||||||
|
LOG_FORMAT: json
|
||||||
|
cronjob:
|
||||||
|
concurrencyPolicy: Forbid
|
||||||
|
jobBackoffLimit: 3
|
||||||
|
schedule: "0 3 * * *"
|
||||||
|
successfulJobsHistoryLimit: 1
|
||||||
|
securityContext:
|
||||||
|
fsGroup: 1000
|
||||||
|
@ -43,9 +43,7 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| istiod.pilot.resources.requests.cpu | string | `"100m"` | |
|
| istiod.pilot.resources.requests.cpu | string | `"100m"` | |
|
||||||
| istiod.pilot.resources.requests.memory | string | `"128Mi"` | |
|
| istiod.pilot.resources.requests.memory | string | `"128Mi"` | |
|
||||||
| istiod.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
|
| istiod.pilot.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| istiod.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| istiod.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| istiod.pilot.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| istiod.pilot.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| istiod.telemetry.enabled | bool | `false` | |
|
| istiod.telemetry.enabled | bool | `false` | |
|
||||||
| kiali-server.auth.strategy | string | `"anonymous"` | |
|
| kiali-server.auth.strategy | string | `"anonymous"` | |
|
||||||
| kiali-server.deployment.ingress_enabled | bool | `false` | |
|
| kiali-server.deployment.ingress_enabled | bool | `false` | |
|
||||||
|
@ -16,10 +16,8 @@ istiod:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/control-plane: ""
|
node-role.kubernetes.io/control-plane: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
- effect: NoSchedule
|
- key: node-role.kubernetes.io/control-plane
|
||||||
key: node-role.kubernetes.io/master
|
effect: NoSchedule
|
||||||
- effect: NoSchedule
|
|
||||||
key: node-role.kubernetes.io/control-plane
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
|
@ -61,9 +61,7 @@ Kubernetes: `>= 1.24.0`
|
|||||||
| eck-operator.installCRDs | bool | `false` | |
|
| eck-operator.installCRDs | bool | `false` | |
|
||||||
| eck-operator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| eck-operator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
| eck-operator.tolerations[0].effect | string | `"NoSchedule"` | |
|
| eck-operator.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| eck-operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| eck-operator.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| eck-operator.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| eck-operator.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| elastic_password | string | `""` | |
|
| elastic_password | string | `""` | |
|
||||||
| es.nodeSets | list | `[]` | |
|
| es.nodeSets | list | `[]` | |
|
||||||
| es.prometheus | bool | `false` | |
|
| es.prometheus | bool | `false` | |
|
||||||
|
@ -5,8 +5,6 @@ eck-operator:
|
|||||||
enabled: false
|
enabled: false
|
||||||
installCRDs: false
|
installCRDs: false
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -126,9 +126,7 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| kube-prometheus-stack.grafana.testFramework.enabled | bool | `false` | |
|
| kube-prometheus-stack.grafana.testFramework.enabled | bool | `false` | |
|
||||||
| kube-prometheus-stack.kube-state-metrics.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| kube-prometheus-stack.kube-state-metrics.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
| kube-prometheus-stack.kube-state-metrics.tolerations[0].effect | string | `"NoSchedule"` | |
|
| kube-prometheus-stack.kube-state-metrics.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| kube-prometheus-stack.kube-state-metrics.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| kube-prometheus-stack.kube-state-metrics.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| kube-prometheus-stack.kube-state-metrics.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| kube-prometheus-stack.kube-state-metrics.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| kube-prometheus-stack.kubeApiServer.enabled | bool | `true` | |
|
| kube-prometheus-stack.kubeApiServer.enabled | bool | `true` | |
|
||||||
| kube-prometheus-stack.kubeControllerManager.enabled | bool | `true` | |
|
| kube-prometheus-stack.kubeControllerManager.enabled | bool | `true` | |
|
||||||
| kube-prometheus-stack.kubeControllerManager.service.port | int | `10257` | |
|
| kube-prometheus-stack.kubeControllerManager.service.port | int | `10257` | |
|
||||||
@ -172,9 +170,7 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"16Gi"` | |
|
| kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"16Gi"` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].effect | string | `"NoSchedule"` | |
|
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| kube-prometheus-stack.prometheusOperator.enabled | bool | `true` | |
|
| kube-prometheus-stack.prometheusOperator.enabled | bool | `true` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.logFormat | string | `"json"` | |
|
| kube-prometheus-stack.prometheusOperator.logFormat | string | `"json"` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| kube-prometheus-stack.prometheusOperator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
@ -182,9 +178,7 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| kube-prometheus-stack.prometheusOperator.resources.requests.cpu | string | `"20m"` | |
|
| kube-prometheus-stack.prometheusOperator.resources.requests.cpu | string | `"20m"` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.resources.requests.memory | string | `"32Mi"` | |
|
| kube-prometheus-stack.prometheusOperator.resources.requests.memory | string | `"32Mi"` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.tolerations[0].effect | string | `"NoSchedule"` | |
|
| kube-prometheus-stack.prometheusOperator.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| kube-prometheus-stack.prometheusOperator.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| kube-prometheus-stack.prometheusOperator.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| kube-prometheus-stack.prometheusOperator.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| prometheus-adapter.enabled | bool | `true` | |
|
| prometheus-adapter.enabled | bool | `true` | |
|
||||||
| prometheus-adapter.logLevel | int | `1` | |
|
| prometheus-adapter.logLevel | int | `1` | |
|
||||||
| prometheus-adapter.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| prometheus-adapter.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
@ -204,9 +198,7 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| prometheus-adapter.rules.resource.memory.resources.overrides.pod.resource | string | `"pod"` | |
|
| prometheus-adapter.rules.resource.memory.resources.overrides.pod.resource | string | `"pod"` | |
|
||||||
| prometheus-adapter.rules.resource.window | string | `"5m"` | |
|
| prometheus-adapter.rules.resource.window | string | `"5m"` | |
|
||||||
| prometheus-adapter.tolerations[0].effect | string | `"NoSchedule"` | |
|
| prometheus-adapter.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| prometheus-adapter.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| prometheus-adapter.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| prometheus-adapter.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| prometheus-adapter.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| prometheus-pushgateway.enabled | bool | `false` | |
|
| prometheus-pushgateway.enabled | bool | `false` | |
|
||||||
| prometheus-pushgateway.serviceMonitor.enabled | bool | `true` | |
|
| prometheus-pushgateway.serviceMonitor.enabled | bool | `true` | |
|
||||||
|
|
||||||
|
@ -50,8 +50,6 @@ kube-prometheus-stack:
|
|||||||
|
|
||||||
# Run on controller nodes
|
# Run on controller nodes
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -66,8 +64,6 @@ kube-prometheus-stack:
|
|||||||
admissionWebhooks:
|
admissionWebhooks:
|
||||||
patch:
|
patch:
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -210,8 +206,6 @@ kube-prometheus-stack:
|
|||||||
# Assign state metrics to control plane
|
# Assign state metrics to control plane
|
||||||
kube-state-metrics:
|
kube-state-metrics:
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -327,8 +321,6 @@ prometheus-adapter:
|
|||||||
prometheus:
|
prometheus:
|
||||||
url: http://metrics-kube-prometheus-st-prometheus
|
url: http://metrics-kube-prometheus-st-prometheus
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-mq
|
name: kubezero-mq
|
||||||
description: KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
|
description: KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
|
||||||
type: application
|
type: application
|
||||||
version: 0.3.5
|
version: 0.3.6
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -22,11 +22,11 @@ dependencies:
|
|||||||
#repository: https://nats-io.github.io/k8s/helm/charts/
|
#repository: https://nats-io.github.io/k8s/helm/charts/
|
||||||
condition: nats.enabled
|
condition: nats.enabled
|
||||||
- name: rabbitmq
|
- name: rabbitmq
|
||||||
version: 11.3.2
|
version: 12.0.3
|
||||||
repository: https://charts.bitnami.com/bitnami
|
repository: https://charts.bitnami.com/bitnami
|
||||||
condition: rabbitmq.enabled
|
condition: rabbitmq.enabled
|
||||||
- name: rabbitmq-cluster-operator
|
- name: rabbitmq-cluster-operator
|
||||||
version: 3.1.4
|
version: 3.1.4
|
||||||
repository: https://charts.bitnami.com/bitnami
|
repository: https://charts.bitnami.com/bitnami
|
||||||
condition: rabbitmq-cluster-operator.enabled
|
condition: rabbitmq-cluster-operator.enabled
|
||||||
kubeVersion: ">= 1.20.0"
|
kubeVersion: ">= 1.25.0"
|
||||||
|
@ -1,6 +1,8 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
|
helm dep update
|
||||||
|
|
||||||
## NATS
|
## NATS
|
||||||
|
|
||||||
NATS_VERSION=0.8.4
|
NATS_VERSION=0.8.4
|
||||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero-network
|
name: kubezero-network
|
||||||
description: KubeZero umbrella chart for all things network
|
description: KubeZero umbrella chart for all things network
|
||||||
type: application
|
type: application
|
||||||
version: 0.4.3
|
version: 0.4.5
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -19,11 +19,11 @@ dependencies:
|
|||||||
version: ">= 0.1.6"
|
version: ">= 0.1.6"
|
||||||
repository: https://cdn.zero-downtime.net/charts/
|
repository: https://cdn.zero-downtime.net/charts/
|
||||||
- name: cilium
|
- name: cilium
|
||||||
version: 1.13.1
|
version: 1.13.5
|
||||||
repository: https://helm.cilium.io/
|
repository: https://helm.cilium.io/
|
||||||
condition: cilium.enabled
|
condition: cilium.enabled
|
||||||
- name: metallb
|
- name: metallb
|
||||||
version: 0.13.9
|
version: 0.13.9
|
||||||
repository: https://metallb.github.io/metallb
|
repository: https://metallb.github.io/metallb
|
||||||
condition: metallb.enabled
|
condition: metallb.enabled
|
||||||
kubeVersion: ">= 1.25.0"
|
kubeVersion: ">= 1.26.0"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero-network
|
# kubezero-network
|
||||||
|
|
||||||
![Version: 0.4.3](https://img.shields.io/badge/Version-0.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
![Version: 0.4.4](https://img.shields.io/badge/Version-0.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero umbrella chart for all things network
|
KubeZero umbrella chart for all things network
|
||||||
|
|
||||||
@ -19,7 +19,7 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
||||||
| https://helm.cilium.io/ | cilium | 1.13.1 |
|
| https://helm.cilium.io/ | cilium | 1.13.4 |
|
||||||
| https://metallb.github.io/metallb | metallb | 0.13.9 |
|
| https://metallb.github.io/metallb | metallb | 0.13.9 |
|
||||||
|
|
||||||
## Values
|
## Values
|
||||||
@ -33,7 +33,6 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| cilium.cni.binPath | string | `"/usr/libexec/cni"` | |
|
| cilium.cni.binPath | string | `"/usr/libexec/cni"` | |
|
||||||
| cilium.cni.exclusive | bool | `false` | |
|
| cilium.cni.exclusive | bool | `false` | |
|
||||||
| cilium.cni.logFile | string | `"/var/log/cilium-cni.log"` | |
|
| cilium.cni.logFile | string | `"/var/log/cilium-cni.log"` | |
|
||||||
| cilium.containerRuntime.integration | string | `"crio"` | |
|
|
||||||
| cilium.enabled | bool | `false` | |
|
| cilium.enabled | bool | `false` | |
|
||||||
| cilium.hubble.enabled | bool | `false` | |
|
| cilium.hubble.enabled | bool | `false` | |
|
||||||
| cilium.hubble.relay.enabled | bool | `false` | |
|
| cilium.hubble.relay.enabled | bool | `false` | |
|
||||||
@ -42,6 +41,7 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| cilium.hubble.tls.auto.certManagerIssuerRef.name | string | `"kubezero-local-ca-issuer"` | |
|
| cilium.hubble.tls.auto.certManagerIssuerRef.name | string | `"kubezero-local-ca-issuer"` | |
|
||||||
| cilium.hubble.tls.auto.method | string | `"cert-manager"` | |
|
| cilium.hubble.tls.auto.method | string | `"cert-manager"` | |
|
||||||
| cilium.hubble.ui.enabled | bool | `false` | |
|
| cilium.hubble.ui.enabled | bool | `false` | |
|
||||||
|
| cilium.image.useDigest | bool | `false` | |
|
||||||
| cilium.ipam.operator.clusterPoolIPv4PodCIDRList[0] | string | `"10.240.0.0/16"` | |
|
| cilium.ipam.operator.clusterPoolIPv4PodCIDRList[0] | string | `"10.240.0.0/16"` | |
|
||||||
| cilium.l7Proxy | bool | `false` | |
|
| cilium.l7Proxy | bool | `false` | |
|
||||||
| cilium.operator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| cilium.operator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
@ -49,22 +49,17 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| cilium.operator.prometheus.serviceMonitor.enabled | bool | `false` | |
|
| cilium.operator.prometheus.serviceMonitor.enabled | bool | `false` | |
|
||||||
| cilium.operator.replicas | int | `1` | |
|
| cilium.operator.replicas | int | `1` | |
|
||||||
| cilium.operator.tolerations[0].effect | string | `"NoSchedule"` | |
|
| cilium.operator.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| cilium.operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| cilium.operator.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| cilium.operator.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| cilium.operator.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| cilium.prometheus.enabled | bool | `false` | |
|
| cilium.prometheus.enabled | bool | `false` | |
|
||||||
| cilium.prometheus.port | int | `9091` | |
|
| cilium.prometheus.port | int | `9091` | |
|
||||||
| cilium.prometheus.serviceMonitor.enabled | bool | `false` | |
|
| cilium.prometheus.serviceMonitor.enabled | bool | `false` | |
|
||||||
| cilium.resources.limits.memory | string | `"1024Mi"` | |
|
| cilium.resources.limits.memory | string | `"1024Mi"` | |
|
||||||
| cilium.resources.requests.cpu | string | `"10m"` | |
|
| cilium.resources.requests.cpu | string | `"10m"` | |
|
||||||
| cilium.resources.requests.memory | string | `"256Mi"` | |
|
| cilium.resources.requests.memory | string | `"256Mi"` | |
|
||||||
| cilium.securityContext.privileged | bool | `true` | |
|
|
||||||
| cilium.tunnel | string | `"geneve"` | |
|
| cilium.tunnel | string | `"geneve"` | |
|
||||||
| metallb.controller.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
| metallb.controller.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||||
| metallb.controller.tolerations[0].effect | string | `"NoSchedule"` | |
|
| metallb.controller.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| metallb.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| metallb.controller.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| metallb.controller.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| metallb.controller.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| metallb.enabled | bool | `false` | |
|
| metallb.enabled | bool | `false` | |
|
||||||
| metallb.ipAddressPools | list | `[]` | |
|
| metallb.ipAddressPools | list | `[]` | |
|
||||||
| multus.clusterNetwork | string | `"cilium"` | |
|
| multus.clusterNetwork | string | `"cilium"` | |
|
||||||
|
@ -3,8 +3,6 @@ metallb:
|
|||||||
|
|
||||||
controller:
|
controller:
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -27,12 +25,9 @@ multus:
|
|||||||
cilium:
|
cilium:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
containerRuntime:
|
# breaks preloaded images otherwise
|
||||||
integration: crio
|
image:
|
||||||
|
useDigest: false
|
||||||
# remove with 1.26
|
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
requests:
|
requests:
|
||||||
@ -85,8 +80,6 @@ cilium:
|
|||||||
operator:
|
operator:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -44,9 +44,7 @@ Kubernetes: `>= 1.24.0`
|
|||||||
| pxc-operator.resources.requests.cpu | string | `"50m"` | |
|
| pxc-operator.resources.requests.cpu | string | `"50m"` | |
|
||||||
| pxc-operator.resources.requests.memory | string | `"32Mi"` | |
|
| pxc-operator.resources.requests.memory | string | `"32Mi"` | |
|
||||||
| pxc-operator.tolerations[0].effect | string | `"NoSchedule"` | |
|
| pxc-operator.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| pxc-operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| pxc-operator.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||||
| pxc-operator.tolerations[1].effect | string | `"NoSchedule"` | |
|
|
||||||
| pxc-operator.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
|
||||||
| pxc-operator.watchAllNamespaces | bool | `true` | |
|
| pxc-operator.watchAllNamespaces | bool | `true` | |
|
||||||
|
|
||||||
# Changes
|
# Changes
|
||||||
|
@ -6,8 +6,6 @@ pxc-operator:
|
|||||||
|
|
||||||
# running on the control-plane
|
# running on the control-plane
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
- key: node-role.kubernetes.io/control-plane
|
- key: node-role.kubernetes.io/control-plane
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||||||
name: kubezero
|
name: kubezero
|
||||||
description: KubeZero - Root App of Apps chart
|
description: KubeZero - Root App of Apps chart
|
||||||
type: application
|
type: application
|
||||||
version: 1.25.8-2
|
version: 1.26.7
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
@ -15,4 +15,4 @@ dependencies:
|
|||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.6"
|
version: ">= 0.1.6"
|
||||||
repository: https://cdn.zero-downtime.net/charts
|
repository: https://cdn.zero-downtime.net/charts
|
||||||
kubeVersion: ">= 1.25.0"
|
kubeVersion: ">= 1.26.0"
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# kubezero
|
# kubezero
|
||||||
|
|
||||||
![Version: 1.25.8-2](https://img.shields.io/badge/Version-1.25.8--2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
![Version: 1.26.6](https://img.shields.io/badge/Version-1.26.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
|
||||||
|
|
||||||
KubeZero - Root App of Apps chart
|
KubeZero - Root App of Apps chart
|
||||||
|
|
||||||
@ -14,7 +14,7 @@ KubeZero - Root App of Apps chart
|
|||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
Kubernetes: `>= 1.25.0`
|
Kubernetes: `>= 1.26.0`
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
@ -66,12 +66,13 @@ Kubernetes: `>= 1.25.0`
|
|||||||
| metrics.enabled | bool | `false` | |
|
| metrics.enabled | bool | `false` | |
|
||||||
| metrics.istio.grafana | object | `{}` | |
|
| metrics.istio.grafana | object | `{}` | |
|
||||||
| metrics.istio.prometheus | object | `{}` | |
|
| metrics.istio.prometheus | object | `{}` | |
|
||||||
|
| metrics.kubezero.prometheus.prometheusSpec.additionalScrapeConfigs | list | `[]` | |
|
||||||
| metrics.namespace | string | `"monitoring"` | |
|
| metrics.namespace | string | `"monitoring"` | |
|
||||||
| metrics.targetRevision | string | `"0.9.2"` | |
|
| metrics.targetRevision | string | `"0.9.2"` | |
|
||||||
| network.cilium.cluster | object | `{}` | |
|
| network.cilium.cluster | object | `{}` | |
|
||||||
| network.enabled | bool | `true` | |
|
| network.enabled | bool | `true` | |
|
||||||
| network.retain | bool | `true` | |
|
| network.retain | bool | `true` | |
|
||||||
| network.targetRevision | string | `"0.4.3"` | |
|
| network.targetRevision | string | `"0.4.4"` | |
|
||||||
| storage.aws-ebs-csi-driver.enabled | bool | `false` | |
|
| storage.aws-ebs-csi-driver.enabled | bool | `false` | |
|
||||||
| storage.aws-efs-csi-driver.enabled | bool | `false` | |
|
| storage.aws-efs-csi-driver.enabled | bool | `false` | |
|
||||||
| storage.enabled | bool | `false` | |
|
| storage.enabled | bool | `false` | |
|
||||||
|
@ -131,6 +131,11 @@ sealed-secrets:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
{{- with index .Values "addons" "falco-control-plane" }}
|
||||||
|
falco-control-plane:
|
||||||
|
{{- toYaml . | nindent 2 }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
{{- if .Values.global.aws }}
|
{{- if .Values.global.aws }}
|
||||||
# AWS only
|
# AWS only
|
||||||
aws-node-termination-handler:
|
aws-node-termination-handler:
|
||||||
@ -145,7 +150,7 @@ aws-node-termination-handler:
|
|||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
|
queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
|
||||||
managedTag: "aws-node-termination-handler/{{ .Values.global.clusterName }}"
|
managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}"
|
||||||
extraEnv:
|
extraEnv:
|
||||||
- name: AWS_ROLE_ARN
|
- name: AWS_ROLE_ARN
|
||||||
value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
|
value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
|
||||||
|
@ -50,7 +50,7 @@ prometheus:
|
|||||||
region: {{ .global.aws.region }}
|
region: {{ .global.aws.region }}
|
||||||
filters:
|
filters:
|
||||||
- name: 'tag-key'
|
- name: 'tag-key'
|
||||||
values: ['zdt:prometheus.crio']
|
values: ['zdt:prometheus:crio']
|
||||||
{{- with .metrics.kubezero.prometheus.prometheusSpec.additionalScrapeConfigsEC2Filters }}
|
{{- with .metrics.kubezero.prometheus.prometheusSpec.additionalScrapeConfigsEC2Filters }}
|
||||||
{{- toYaml . | nindent 14 }}
|
{{- toYaml . | nindent 14 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -10,7 +10,7 @@ global:
|
|||||||
|
|
||||||
addons:
|
addons:
|
||||||
enabled: true
|
enabled: true
|
||||||
targetRevision: 0.7.5
|
targetRevision: 0.8.0
|
||||||
external-dns:
|
external-dns:
|
||||||
enabled: false
|
enabled: false
|
||||||
forseti:
|
forseti:
|
||||||
@ -25,11 +25,13 @@ addons:
|
|||||||
enabled: false
|
enabled: false
|
||||||
aws-eks-asg-rolling-update-handler:
|
aws-eks-asg-rolling-update-handler:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
falco-control-plane:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
network:
|
network:
|
||||||
enabled: true
|
enabled: true
|
||||||
retain: true
|
retain: true
|
||||||
targetRevision: 0.4.3
|
targetRevision: 0.4.5
|
||||||
cilium:
|
cilium:
|
||||||
cluster: {}
|
cluster: {}
|
||||||
|
|
||||||
@ -94,7 +96,7 @@ logging:
|
|||||||
argocd:
|
argocd:
|
||||||
enabled: false
|
enabled: false
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
targetRevision: 0.12.1
|
targetRevision: 0.13.0
|
||||||
argocd-image-updater:
|
argocd-image-updater:
|
||||||
enabled: false
|
enabled: false
|
||||||
istio:
|
istio:
|
||||||
|
@ -27,6 +27,7 @@ Something along the lines of https://github.com/onfido/k8s-cleanup which doesnt
|
|||||||
## Resources
|
## Resources
|
||||||
- https://docs.google.com/spreadsheets/d/1WPHt0gsb7adVzY3eviMK2W8LejV0I5m_Zpc8tMzl_2w/edit#gid=0
|
- https://docs.google.com/spreadsheets/d/1WPHt0gsb7adVzY3eviMK2W8LejV0I5m_Zpc8tMzl_2w/edit#gid=0
|
||||||
- https://github.com/ishantanu/awesome-kubectl-plugins
|
- https://github.com/ishantanu/awesome-kubectl-plugins
|
||||||
|
- https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh
|
||||||
|
|
||||||
## Update Api-server config
|
## Update Api-server config
|
||||||
Add the following extraArgs to the ClusterConfiguration configMap in the kube-system namespace:
|
Add the following extraArgs to the ClusterConfiguration configMap in the kube-system namespace:
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
REPO_URL_S3="s3://zero-downtime-web/cdn/charts"
|
REPO_URL_S3="s3://zero-downtime-web-cdn/charts"
|
||||||
REPO_URL="https://cdn.zero-downtime.net/charts"
|
REPO_URL="https://cdn.zero-downtime.net/charts"
|
||||||
|
|
||||||
CHARTS=${1:-'.*'}
|
CHARTS=${1:-'.*'}
|
||||||
@ -55,6 +55,6 @@ function publish_chart() {
|
|||||||
|
|
||||||
publish_chart
|
publish_chart
|
||||||
|
|
||||||
CF_DIST=E1YFUJXMCXT2RN
|
CF_DIST=E11OFTOA3L8IVY
|
||||||
aws cloudfront create-invalidation --distribution $CF_DIST --paths "/charts/*"
|
aws cloudfront create-invalidation --distribution $CF_DIST --paths "/charts/*"
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user