From ed72dd796b4ae5a08b65a002ea0a13e388dff49b Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Fri, 4 Dec 2020 06:05:35 -0800
Subject: [PATCH] ECK fixes for Kube 1.18, Redis cluster support incl. Enyoy proxy
---
.../charts/istio-ingress/README.md | 112 ---------------
.../charts/istio-private-ingress/README.md | 112 ---------------
charts/kubezero-istio/charts/base/README.md | 23 ---
.../charts/istio-discovery/README.md | 133 ------------------
charts/kubezero-logging/README.md | 2 +-
.../templates/eck/elasticsearch.yaml | 3 +
charts/kubezero-logging/values.yaml | 2 +-
charts/kubezero-metrics/README.md | 29 ++--
charts/kubezero-redis/README.md | 15 +-
.../envoyfilter-custom-redis-cluster.yaml | 36 +++++
.../templates/envoyfilter-redis-proxy.yaml | 35 +++++
.../templates/istio-authorization-policy.yaml | 2 +-
charts/kubezero-redis/values.yaml | 1 +
charts/kubezero/README.md | 1 +
charts/kubezero/bootstrap.sh | 11 +-
charts/kubezero/scripts/remove_old_eck.sh | 25 ++++
charts/kubezero/values.yaml | 2 +-
17 files changed, 148 insertions(+), 396 deletions(-)
delete mode 100644 charts/kubezero-istio-ingress/charts/istio-ingress/README.md
delete mode 100644 charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md
delete mode 100644 charts/kubezero-istio/charts/base/README.md
delete mode 100644 charts/kubezero-istio/charts/istio-discovery/README.md
create mode 100644 charts/kubezero-redis/templates/envoyfilter-custom-redis-cluster.yaml
create mode 100644 charts/kubezero-redis/templates/envoyfilter-redis-proxy.yaml
create mode 100755 charts/kubezero/scripts/remove_old_eck.sh
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/README.md b/charts/kubezero-istio-ingress/charts/istio-ingress/README.md
deleted file mode 100644
index 708ce7b..0000000
--- a/charts/kubezero-istio-ingress/charts/istio-ingress/README.md
+++ /dev/null
@@ -1,112 +0,0 @@ -# istio-ingress - -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) - -Helm chart for deploying Istio gateways - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| gateways.istio-ingressgateway.additionalContainers | list | `[]` | | -| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | | -| gateways.istio-ingressgateway.autoscaleMax | int | `5` | | -| gateways.istio-ingressgateway.autoscaleMin | int | `1` | | -| gateways.istio-ingressgateway.configVolumes | list | `[]` | | -| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | | -| gateways.istio-ingressgateway.customService | bool | `false` | | -| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | | -| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | | -| gateways.istio-ingressgateway.ingressPorts | list | `[]` | | -| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | | -| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | | -| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | | -| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | | -| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | | -| gateways.istio-ingressgateway.nodeSelector | object | `{}` | | -| gateways.istio-ingressgateway.podAnnotations | object | `{}` | | -| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | | -| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | | -| gateways.istio-ingressgateway.ports[0].name | string | 
`"status-port"` | | -| gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | | -| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | -| gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | -| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | -| gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | | -| gateways.istio-ingressgateway.ports[3].port | int | `15443` | | -| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | | -| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | | -| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | | -| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | | -| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | | -| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | | -| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | | -| gateways.istio-ingressgateway.runAsRoot | bool | `false` | | -| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].mountPath | 
string | `"/etc/istio/ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | | -| gateways.istio-ingressgateway.tolerations | list | `[]` | | -| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | | -| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | | -| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | | -| global.arch.amd64 | int | `2` | | -| global.arch.ppc64le | int | `2` | | -| global.arch.s390x | int | `2` | | -| global.caAddress | string | `""` | | -| global.defaultConfigVisibilitySettings | list | `[]` | | -| global.defaultPodDisruptionBudget.enabled | bool | `true` | | -| global.defaultResources.requests.cpu | string | `"10m"` | | -| global.defaultTolerations | list | `[]` | | -| global.hub | string | `"gcr.io/istio-testing"` | | -| global.imagePullPolicy | string | `""` | | -| global.imagePullSecrets | list | `[]` | | -| global.istioNamespace | string | `"istio-system"` | | -| global.jwtPolicy | string | `"third-party-jwt"` | | -| global.logAsJson | bool | `false` | | -| global.logging.level | string | `"default:info"` | | -| global.meshExpansion.enabled | bool | `false` | | -| global.meshExpansion.useILB | bool | `false` | | -| global.meshID | string | `""` | | -| global.mountMtlsCerts | bool | `false` | | -| global.multiCluster.clusterName | string | `""` | | -| global.multiCluster.enabled | bool | `false` | | -| global.multiCluster.globalDomainSuffix | string | `"global"` | | -| global.multiCluster.includeEnvoyFilter | bool | `true` | | -| global.network | string | `""` | | -| global.pilotCertProvider | string | `"istiod"` | | -| global.priorityClassName | string | `""` | | -| global.proxy.clusterDomain | string | `"cluster.local"` | | -| 
global.proxy.componentLogLevel | string | `"misc:error"` | | -| global.proxy.enableCoreDump | bool | `false` | | -| global.proxy.image | string | `"proxyv2"` | | -| global.proxy.logLevel | string | `"warning"` | | -| global.sds.token.aud | string | `"istio-ca"` | | -| global.sts.servicePort | int | `0` | | -| global.tag | string | `"latest"` | | -| meshConfig.defaultConfig.proxyMetadata | object | `{}` | | -| meshConfig.defaultConfig.tracing | string | `nil` | | -| meshConfig.enablePrometheusMerge | bool | `true` | | -| ownerName | string | `""` | | -| revision | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md b/charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md deleted file mode 100644 index 708ce7b..0000000 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/README.md +++ /dev/null 
@@ -1,112 +0,0 @@ -# istio-ingress - -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) - -Helm chart for deploying Istio gateways - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| gateways.istio-ingressgateway.additionalContainers | list | `[]` | | -| gateways.istio-ingressgateway.autoscaleEnabled | bool | `true` | | -| gateways.istio-ingressgateway.autoscaleMax | int | `5` | | -| gateways.istio-ingressgateway.autoscaleMin | int | `1` | | -| gateways.istio-ingressgateway.configVolumes | list | `[]` | | -| gateways.istio-ingressgateway.cpu.targetAverageUtilization | int | `80` | | -| gateways.istio-ingressgateway.customService | bool | `false` | | -| gateways.istio-ingressgateway.env.ISTIO_META_ROUTER_MODE | string | `"sni-dnat"` | | -| gateways.istio-ingressgateway.externalTrafficPolicy | string | `""` | | -| gateways.istio-ingressgateway.ingressPorts | list | `[]` | | -| gateways.istio-ingressgateway.labels.app | string | `"istio-ingressgateway"` | | -| gateways.istio-ingressgateway.labels.istio | string | `"ingressgateway"` | | -| gateways.istio-ingressgateway.loadBalancerIP | string | `""` | | -| gateways.istio-ingressgateway.loadBalancerSourceRanges | list | `[]` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].name | string | `"tcp-istiod"` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].port | int | `15012` | | -| gateways.istio-ingressgateway.meshExpansionPorts[0].targetPort | int | `15012` | | -| gateways.istio-ingressgateway.name | string | `"istio-ingressgateway"` | | -| gateways.istio-ingressgateway.nodeSelector | object | `{}` | | -| gateways.istio-ingressgateway.podAnnotations | object | `{}` | | -| gateways.istio-ingressgateway.podAntiAffinityLabelSelector | list | `[]` | | -| gateways.istio-ingressgateway.podAntiAffinityTermLabelSelector | list | `[]` | | -| gateways.istio-ingressgateway.ports[0].name | string | 
`"status-port"` | | -| gateways.istio-ingressgateway.ports[0].port | int | `15021` | | -| gateways.istio-ingressgateway.ports[0].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[0].targetPort | int | `15021` | | -| gateways.istio-ingressgateway.ports[1].name | string | `"http2"` | | -| gateways.istio-ingressgateway.ports[1].port | int | `80` | | -| gateways.istio-ingressgateway.ports[1].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[1].targetPort | int | `8080` | | -| gateways.istio-ingressgateway.ports[2].name | string | `"https"` | | -| gateways.istio-ingressgateway.ports[2].port | int | `443` | | -| gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| gateways.istio-ingressgateway.ports[3].name | string | `"tls"` | | -| gateways.istio-ingressgateway.ports[3].port | int | `15443` | | -| gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | | -| gateways.istio-ingressgateway.ports[3].targetPort | int | `15443` | | -| gateways.istio-ingressgateway.resources.limits.cpu | string | `"2000m"` | | -| gateways.istio-ingressgateway.resources.limits.memory | string | `"1024Mi"` | | -| gateways.istio-ingressgateway.resources.requests.cpu | string | `"100m"` | | -| gateways.istio-ingressgateway.resources.requests.memory | string | `"128Mi"` | | -| gateways.istio-ingressgateway.rollingMaxSurge | string | `"100%"` | | -| gateways.istio-ingressgateway.rollingMaxUnavailable | string | `"25%"` | | -| gateways.istio-ingressgateway.runAsRoot | bool | `false` | | -| gateways.istio-ingressgateway.secretVolumes[0].mountPath | string | `"/etc/istio/ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[0].name | string | `"ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[0].secretName | string | `"istio-ingressgateway-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].mountPath | 
string | `"/etc/istio/ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].name | string | `"ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.secretVolumes[1].secretName | string | `"istio-ingressgateway-ca-certs"` | | -| gateways.istio-ingressgateway.serviceAnnotations | object | `{}` | | -| gateways.istio-ingressgateway.tolerations | list | `[]` | | -| gateways.istio-ingressgateway.type | string | `"LoadBalancer"` | | -| gateways.istio-ingressgateway.zvpn.enabled | bool | `false` | | -| gateways.istio-ingressgateway.zvpn.suffix | string | `"global"` | | -| global.arch.amd64 | int | `2` | | -| global.arch.ppc64le | int | `2` | | -| global.arch.s390x | int | `2` | | -| global.caAddress | string | `""` | | -| global.defaultConfigVisibilitySettings | list | `[]` | | -| global.defaultPodDisruptionBudget.enabled | bool | `true` | | -| global.defaultResources.requests.cpu | string | `"10m"` | | -| global.defaultTolerations | list | `[]` | | -| global.hub | string | `"gcr.io/istio-testing"` | | -| global.imagePullPolicy | string | `""` | | -| global.imagePullSecrets | list | `[]` | | -| global.istioNamespace | string | `"istio-system"` | | -| global.jwtPolicy | string | `"third-party-jwt"` | | -| global.logAsJson | bool | `false` | | -| global.logging.level | string | `"default:info"` | | -| global.meshExpansion.enabled | bool | `false` | | -| global.meshExpansion.useILB | bool | `false` | | -| global.meshID | string | `""` | | -| global.mountMtlsCerts | bool | `false` | | -| global.multiCluster.clusterName | string | `""` | | -| global.multiCluster.enabled | bool | `false` | | -| global.multiCluster.globalDomainSuffix | string | `"global"` | | -| global.multiCluster.includeEnvoyFilter | bool | `true` | | -| global.network | string | `""` | | -| global.pilotCertProvider | string | `"istiod"` | | -| global.priorityClassName | string | `""` | | -| global.proxy.clusterDomain | string | `"cluster.local"` | | -| 
global.proxy.componentLogLevel | string | `"misc:error"` | | -| global.proxy.enableCoreDump | bool | `false` | | -| global.proxy.image | string | `"proxyv2"` | | -| global.proxy.logLevel | string | `"warning"` | | -| global.sds.token.aud | string | `"istio-ca"` | | -| global.sts.servicePort | int | `0` | | -| global.tag | string | `"latest"` | | -| meshConfig.defaultConfig.proxyMetadata | object | `{}` | | -| meshConfig.defaultConfig.tracing | string | `nil` | | -| meshConfig.enablePrometheusMerge | bool | `true` | | -| ownerName | string | `""` | | -| revision | string | `""` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-istio/charts/base/README.md b/charts/kubezero-istio/charts/base/README.md deleted file mode 100644 index 5fd1ccf..0000000 --- a/charts/kubezero-istio/charts/base/README.md +++ /dev/null @@ -1,23 +0,0 @@ -# base - -![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) - -Helm chart for deploying Istio cluster resources and CRDs - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| base.enableCRDTemplates | bool | `false` | | -| base.validationURL | string | `""` | | -| global.configValidation | bool | `true` | | -| global.imagePullSecrets | list | `[]` | | -| global.istioNamespace | string | `"istio-system"` | | -| global.istiod.enableAnalysis | bool | `false` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-istio/charts/istio-discovery/README.md b/charts/kubezero-istio/charts/istio-discovery/README.md deleted file mode 100644 index 5d91ddb..0000000 --- a/charts/kubezero-istio/charts/istio-discovery/README.md +++ /dev/null 
@@ -1,133 +0,0 @@ -# istio-discovery - -![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![AppVersion: 1.2.0](https://img.shields.io/badge/AppVersion-1.2.0-informational?style=flat-square) - -Helm chart for istio control plane - -## Source Code - -* - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| global.caAddress | string | `""` | | -| global.centralIstiod | bool | `false` | | -| global.defaultPodDisruptionBudget.enabled | bool | `true` | | -| global.defaultResources.requests.cpu | string | `"10m"` | | -| global.externalIstiod | bool | `false` | | -| global.hub | string | `"gcr.io/istio-testing"` | | -| global.imagePullPolicy | string | `""` | | -| global.imagePullSecrets | list | `[]` | | -| global.istioNamespace | string | `"istio-system"` | | -| global.istiod.enableAnalysis | bool | `false` | | -| global.jwtPolicy | string | `"third-party-jwt"` | | -| global.logAsJson | bool | `false` | | -| global.logging.level | string | `"default:info"` | | -| global.meshID | string | `""` | | -| global.meshNetworks | object | `{}` | | -| global.mountMtlsCerts | bool | `false` | | -| global.multiCluster.clusterName | string | `""` | | -| global.multiCluster.enabled | bool | `false` | | -| global.network | string | `""` | | -| global.omitSidecarInjectorConfigMap | bool | `false` | | -| global.oneNamespace | bool | `false` | | -| global.operatorManageWebhooks | bool | `false` | | -| global.pilotCertProvider | string | `"istiod"` | | -| global.priorityClassName | string | `""` | | -| global.proxy.autoInject | string | `"enabled"` | | -| global.proxy.clusterDomain | string | `"cluster.local"` | | -| global.proxy.componentLogLevel | string | `"misc:error"` | | -| global.proxy.enableCoreDump | bool | `false` | | -| global.proxy.excludeIPRanges | string | `""` | | -| global.proxy.excludeInboundPorts | string | `""` | | -| global.proxy.excludeOutboundPorts | string | `""` | | -| 
global.proxy.holdApplicationUntilProxyStarts | bool | `false` | | -| global.proxy.image | string | `"proxyv2"` | | -| global.proxy.includeIPRanges | string | `"*"` | | -| global.proxy.logLevel | string | `"warning"` | | -| global.proxy.privileged | bool | `false` | | -| global.proxy.readinessFailureThreshold | int | `30` | | -| global.proxy.readinessInitialDelaySeconds | int | `1` | | -| global.proxy.readinessPeriodSeconds | int | `2` | | -| global.proxy.resources.limits.cpu | string | `"2000m"` | | -| global.proxy.resources.limits.memory | string | `"1024Mi"` | | -| global.proxy.resources.requests.cpu | string | `"100m"` | | -| global.proxy.resources.requests.memory | string | `"128Mi"` | | -| global.proxy.statusPort | int | `15020` | | -| global.proxy.tracer | string | `"zipkin"` | | -| global.proxy_init.image | string | `"proxyv2"` | | -| global.proxy_init.resources.limits.cpu | string | `"2000m"` | | -| global.proxy_init.resources.limits.memory | string | `"1024Mi"` | | -| global.proxy_init.resources.requests.cpu | string | `"10m"` | | -| global.proxy_init.resources.requests.memory | string | `"10Mi"` | | -| global.remotePilotAddress | string | `""` | | -| global.sds.token.aud | string | `"istio-ca"` | | -| global.sts.servicePort | int | `0` | | -| global.tag | string | `"latest"` | | -| global.tracer.datadog.address | string | `"$(HOST_IP):8126"` | | -| global.tracer.lightstep.accessToken | string | `""` | | -| global.tracer.lightstep.address | string | `""` | | -| global.tracer.stackdriver.debug | bool | `false` | | -| global.tracer.stackdriver.maxNumberOfAnnotations | int | `200` | | -| global.tracer.stackdriver.maxNumberOfAttributes | int | `200` | | -| global.tracer.stackdriver.maxNumberOfMessageEvents | int | `200` | | -| global.tracer.zipkin.address | string | `""` | | -| global.trustDomain | string | `""` | | -| global.useMCP | bool | `false` | | -| istiodRemote.injectionURL | string | `""` | | -| meshConfig.defaultConfig.proxyMetadata.DNS_AGENT | 
string | `""` | | -| meshConfig.rootNamespace | string | `"istio-system"` | | -| ownerName | string | `""` | | -| pilot.autoscaleEnabled | bool | `true` | | -| pilot.autoscaleMax | int | `5` | | -| pilot.autoscaleMin | int | `1` | | -| pilot.configMap | bool | `true` | | -| pilot.configSource.subscribedResources | list | `[]` | | -| pilot.cpu.targetAverageUtilization | int | `80` | | -| pilot.deploymentLabels | object | `{}` | | -| pilot.enableProtocolSniffingForInbound | bool | `true` | | -| pilot.enableProtocolSniffingForOutbound | bool | `true` | | -| pilot.env | object | `{}` | | -| pilot.hub | string | `""` | | -| pilot.image | string | `"pilot"` | | -| pilot.jwksResolverExtraRootCA | string | `""` | | -| pilot.keepaliveMaxServerConnectionAge | string | `"30m"` | | -| pilot.nodeSelector | object | `{}` | | -| pilot.plugins | list | `[]` | | -| pilot.podAnnotations | object | `{}` | | -| pilot.replicaCount | int | `1` | | -| pilot.resources.requests.cpu | string | `"500m"` | | -| pilot.resources.requests.memory | string | `"2048Mi"` | | -| pilot.rollingMaxSurge | string | `"100%"` | | -| pilot.rollingMaxUnavailable | string | `"25%"` | | -| pilot.tag | string | `""` | | -| pilot.traceSampling | float | `1` | | -| revision | string | `""` | | -| sidecarInjectorWebhook.alwaysInjectSelector | list | `[]` | | -| sidecarInjectorWebhook.enableNamespacesByDefault | bool | `false` | | -| sidecarInjectorWebhook.injectedAnnotations | object | `{}` | | -| sidecarInjectorWebhook.neverInjectSelector | list | `[]` | | -| sidecarInjectorWebhook.objectSelector.autoInject | bool | `true` | | -| sidecarInjectorWebhook.objectSelector.enabled | bool | `false` | | -| sidecarInjectorWebhook.rewriteAppHTTPProbe | bool | `true` | | -| telemetry.enabled | bool | `true` | | -| telemetry.v2.accessLogPolicy.enabled | bool | `false` | | -| telemetry.v2.accessLogPolicy.logWindowDuration | string | `"43200s"` | | -| telemetry.v2.enabled | bool | `true` | | -| 
telemetry.v2.metadataExchange.wasmEnabled | bool | `false` | | -| telemetry.v2.prometheus.configOverride.gateway | object | `{}` | | -| telemetry.v2.prometheus.configOverride.inboundSidecar | object | `{}` | | -| telemetry.v2.prometheus.configOverride.outboundSidecar | object | `{}` | | -| telemetry.v2.prometheus.enabled | bool | `true` | | -| telemetry.v2.prometheus.wasmEnabled | bool | `false` | | -| telemetry.v2.stackdriver.configOverride | object | `{}` | | -| telemetry.v2.stackdriver.disableOutbound | bool | `false` | | -| telemetry.v2.stackdriver.enabled | bool | `false` | | -| telemetry.v2.stackdriver.logging | bool | `false` | | -| telemetry.v2.stackdriver.monitoring | bool | `false` | | -| telemetry.v2.stackdriver.topology | bool | `false` | | - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.2.1](https://github.com/norwoodj/helm-docs/releases/v1.2.1) diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index c65a66e..10ab547 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md @@ -57,7 +57,7 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| eck-operator.enabled | bool | `false` | | +| eck-operator.enabled | bool | `true` | | | eck-operator.nodeSelector."node-role.kubernetes.io/master" | string | `""` | | | eck-operator.tolerations[0].effect | string | `"NoSchedule"` | | | eck-operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | diff --git a/charts/kubezero-logging/templates/eck/elasticsearch.yaml b/charts/kubezero-logging/templates/eck/elasticsearch.yaml index ae95c1e..57a0a13 100644 --- a/charts/kubezero-logging/templates/eck/elasticsearch.yaml +++ b/charts/kubezero-logging/templates/eck/elasticsearch.yaml 
@@ -48,6 +48,9 @@ spec: {{- end }} containers: - name: elasticsearch + securityContext: + capabilities: + add: ["SYS_CHROOT"] resources: requests: cpu: {{ default "200m" .cpu_request }} diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index d3fa2e3..7b9ac0a 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -2,7 +2,7 @@ # fullnameOverride: "" eck-operator: - enabled: false + enabled: true tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md index 2dc4e71..bdec431 100644 --- a/charts/kubezero-metrics/README.md +++ b/charts/kubezero-metrics/README.md @@ -1,6 +1,6 @@ # kubezero-metrics -![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for prometheus-operator @@ -18,7 +18,7 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 12.2.4 | +| https://prometheus-community.github.io/helm-charts | kube-prometheus-stack | 12.3.0 | | https://prometheus-community.github.io/helm-charts | prometheus-adapter | 2.7.1 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | 
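Review bot: In the elasticsearch.yaml hunk, `SYS_CHROOT` is added to the elasticsearch container unconditionally and with no comment saying which step needs it, so nobody can later tell when the extra capability is safe to remove. I would put a comment above `securityContext:` such as `# SYS_CHROOT: required by <reason — placeholder, fill in> on Kubernetes 1.18; drop once no longer needed`. The hunk does not show whether other capabilities are dropped. If the container otherwise keeps the runtime's default set, it is worth testing `drop: ["ALL"]` next to the `add` so the pod ends up with only what it needs. The container spec continues outside the hunk.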
@@ -26,10 +26,22 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| grafana.istio.enabled | bool | `false` | | -| grafana.istio.gateway | string | `"istio-ingress/ingressgateway"` | | -| grafana.istio.ipBlocks | list | `[]` | | -| grafana.istio.url | string | `""` | | +| istio.alertmanager.destination | string | `"metrics-kube-prometheus-st-alertmanager"` | | +| istio.alertmanager.enabled | bool | `false` | | +| istio.alertmanager.gateway | string | `"istio-ingress/ingressgateway"` | | +| istio.alertmanager.ipBlocks | list | `[]` | | +| istio.alertmanager.url | string | `""` | | +| istio.grafana.destination | string | `"metrics-grafana"` | | +| istio.grafana.enabled | bool | `false` | | +| istio.grafana.gateway | string | `"istio-ingress/ingressgateway"` | | +| istio.grafana.ipBlocks | list | `[]` | | +| istio.grafana.url | string | `""` | | +| istio.prometheus.destination | string | `"metrics-kube-prometheus-st-prometheus"` | | +| istio.prometheus.enabled | bool | `false` | | +| istio.prometheus.gateway | string | `"istio-ingress/ingressgateway"` | | +| istio.prometheus.ipBlocks | list | `[]` | | +| istio.prometheus.url | string | `""` | | +| kube-prometheus-stack.alertmanager.alertmanagerSpec.logFormat | string | `"json"` | | | kube-prometheus-stack.alertmanager.enabled | bool | `false` | | | kube-prometheus-stack.coreDns.enabled | bool | `true` | | | kube-prometheus-stack.defaultRules.create | bool | `true` | | 
@@ -71,6 +83,7 @@ Kubernetes: `>= 1.16.0` | kube-prometheus-stack.nodeExporter.serviceMonitor.relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` | | | kube-prometheus-stack.nodeExporter.serviceMonitor.relabelings[0].targetLabel | string | `"node"` | | | kube-prometheus-stack.prometheus.enabled | bool | `true` | | +| kube-prometheus-stack.prometheus.prometheusSpec.logFormat | string | `"json"` | | | kube-prometheus-stack.prometheus.prometheusSpec.portName | string | `"http-prometheus"` | | | kube-prometheus-stack.prometheus.prometheusSpec.resources.limits.memory | string | `"3Gi"` | | | kube-prometheus-stack.prometheus.prometheusSpec.resources.requests.cpu | string | `"500m"` | | @@ -83,6 +96,7 @@ Kubernetes: `>= 1.16.0` | kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].effect | string | `"NoSchedule"` | | | kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | | kube-prometheus-stack.prometheusOperator.enabled | bool | `true` | | +| kube-prometheus-stack.prometheusOperator.logFormat | string | `"json"` | | | kube-prometheus-stack.prometheusOperator.namespaces.additional[0] | string | `"kube-system"` | | | kube-prometheus-stack.prometheusOperator.namespaces.additional[1] | string | `"logging"` | | | kube-prometheus-stack.prometheusOperator.namespaces.releaseNamespace | bool | `true` | | @@ -108,9 +122,6 @@ Kubernetes: `>= 1.16.0` | prometheus-adapter.rules.resource.window | string | `"3m"` | | | prometheus-adapter.tolerations[0].effect | string | `"NoSchedule"` | | | prometheus-adapter.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | -| prometheus.istio.enabled | bool | `false` | | -| prometheus.istio.gateway | string | `"istio-ingress/ingressgateway"` | | -| prometheus.istio.url | string | `""` | | # Dashboards 
diff --git a/charts/kubezero-redis/README.md b/charts/kubezero-redis/README.md index 2fd3f16..e275f33 100644 --- a/charts/kubezero-redis/README.md +++ b/charts/kubezero-redis/README.md @@ -1,6 +1,6 @@ # kubezero-redis -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for Redis HA @@ -18,7 +18,8 @@ Kubernetes: `>= 1.16.0` | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | redis | 12.0.0 | +| https://charts.bitnami.com/bitnami | redis | 12.1.1 | +| https://charts.bitnami.com/bitnami | redis-cluster | 4.1.0 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values @@ -26,7 +27,17 @@ Kubernetes: `>= 1.16.0` | Key | Type | Default | Description | |-----|------|---------|-------------| | istio.enabled | bool | `false` | | +| redis-cluster.cluster.nodes | int | `2` | | +| redis-cluster.cluster.replicas | int | `1` | | +| redis-cluster.enabled | bool | `false` | | +| redis-cluster.metrics.enabled | bool | `false` | | +| redis-cluster.metrics.serviceMonitor.enabled | bool | `false` | | +| redis-cluster.metrics.serviceMonitor.selector.release | string | `"metrics"` | | +| redis-cluster.persistence.enabled | bool | `false` | | +| redis-cluster.redisPort | int | `6379` | | +| redis-cluster.usePassword | bool | `false` | | | redis.cluster.slaveCount | int | `0` | | +| redis.enabled | bool | `false` | | | redis.master.persistence.enabled | bool | `false` | | | redis.metrics.enabled | bool | `false` | | | redis.metrics.serviceMonitor.enabled | bool | `false` | | 
diff --git a/charts/kubezero-redis/templates/envoyfilter-custom-redis-cluster.yaml b/charts/kubezero-redis/templates/envoyfilter-custom-redis-cluster.yaml new file mode 100644 index 0000000..e044802 --- /dev/null +++ b/charts/kubezero-redis/templates/envoyfilter-custom-redis-cluster.yaml @@ -0,0 +1,36 @@ +{{- if index .Values "redis-cluster" "enabled" }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: {{ .Release.Namespace }}-{{ .Release.Name }}-redis-cluster + namespace: istio-ingress +spec: + configPatches: + - applyTo: CLUSTER + patch: + operation: INSERT_FIRST + value: + name: "{{ .Release.Namespace }}-{{ .Release.Name }}-redis-cluster" + connect_timeout: 0.5s + lb_policy: CLUSTER_PROVIDED + load_assignment: + cluster_name: {{ .Release.Namespace }}-{{ .Release.Name }}-redis-cluster + endpoints: + - lb_endpoints: + {{- $count := index .Values "redis-cluster" "cluster" "nodes" | int }}{{ range $i, $v := until $count }} + - endpoint: + address: + socket_address: + address: {{ $.Release.Name }}-{{ $i }}.{{ $.Release.Name }}-headless.{{ $.Release.Namespace }}.svc.cluster.local + port_value: {{ index $.Values "redis-cluster" "redisPort" }} + {{- end }} + cluster_type: + name: envoy.clusters.redis + typed_config: + "@type": type.googleapis.com/google.protobuf.Struct + value: + cluster_refresh_rate: 5s + cluster_refresh_timeout: 3s + redirect_refresh_interval: 5s + redirect_refresh_threshold: 5 +{{- end }} diff --git a/charts/kubezero-redis/templates/envoyfilter-redis-proxy.yaml b/charts/kubezero-redis/templates/envoyfilter-redis-proxy.yaml new file mode 100644 index 0000000..2c6e9ea --- /dev/null +++ b/charts/kubezero-redis/templates/envoyfilter-redis-proxy.yaml 
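Review bot: The EnvoyFilter in envoyfilter-custom-redis-cluster.yaml has no `workloadSelector`, so the Redis cluster definition is pushed to every proxy in the `istio-ingress` namespace, while envoyfilter-redis-proxy.yaml in the same commit limits itself to `istio: private-ingressgateway`. Adding `workloadSelector: {labels: {istio: private-ingressgateway}}` under `spec:` would keep the backend addresses out of gateways that are not meant to serve Redis. The template is also gated only on `redis-cluster.enabled`, although the chart has a separate `istio.enabled` value that defaults to `false`. Rendering an Istio CRD object with that switch off looks unintended, so `{{- if and (index .Values "redis-cluster" "enabled") .Values.istio.enabled }}` may be the safer guard.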
@@ -0,0 +1,35 @@ +{{- if index .Values "redis-cluster" "enabled" }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: {{ .Release.Namespace }}-{{ .Release.Name }}-redis-proxy + namespace: istio-ingress +spec: + workloadSelector: + labels: + istio: private-ingressgateway + configPatches: + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + listener: + name: 0.0.0.0_{{ index .Values "redis-cluster" "redisPort" }} + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: REPLACE + value: + name: envoy.redis_proxy + typed_config: + "@type": type.googleapis.com/envoy.config.filter.network.redis_proxy.v2.RedisProxy + stat_prefix: redis_stats + prefix_routes: + catch_all_route: + cluster: {{ .Release.Namespace }}-{{ .Release.Name }}-redis-cluster + settings: + op_timeout: 5s + enable_redirection: true + enable_command_stats: true + read_policy: PREFER_REPLICA +{{- end }} diff --git a/charts/kubezero-redis/templates/istio-authorization-policy.yaml b/charts/kubezero-redis/templates/istio-authorization-policy.yaml index 97a2a7f..c3666de 100644 --- a/charts/kubezero-redis/templates/istio-authorization-policy.yaml +++ b/charts/kubezero-redis/templates/istio-authorization-policy.yaml @@ -4,7 +4,7 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: {{ .Release.Namespace }}-redis-deny-not-in-ipblocks - namespace: istio-system + namespace: {{ .Release.Namespace }} labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: diff --git a/charts/kubezero-redis/values.yaml b/charts/kubezero-redis/values.yaml index a68d9a8..5f3d1c9 100644 --- a/charts/kubezero-redis/values.yaml +++ b/charts/kubezero-redis/values.yaml @@ -29,6 +29,7 @@ redis: redis-cluster: enabled: false + redisPort: 6379 usePassword: false cluster: diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index b1cf63e..2ae02fd 100644 --- a/charts/kubezero/README.md +++ b/charts/kubezero/README.md 
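Review bot: The `redis_proxy` filter that replaces `tcp_proxy` on the private gateway listener carries no `downstream_auth_password`, and the chart default is `redis-cluster.usePassword: false`, so any client that can reach that listener can issue Redis commands without authenticating. Access control then rests entirely on network placement and on the AuthorizationPolicy in this chart, which should be stated in a comment at the top of the template, e.g. `# Exposes Redis unauthenticated on the private ingress gateway; restrict the source ranges before enabling`. If `usePassword` is later switched on, the filter and the cluster definition need matching auth settings, otherwise the backends will likely reject the proxy's requests. The filter is registered under the deprecated name `envoy.redis_proxy` with a v2 type URL, while the match in the same patch already uses the `envoy.filters.network.*` form; newer Envoy releases may reject the old name.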
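Review bot: Moving the `-redis-deny-not-in-ipblocks` policy from `istio-system` to the release namespace changes which workloads it can select, and nothing in the hunk records why. The `spec` lies outside the hunk, but if its selector names the ingress gateway pods, a policy in the release namespace would match nothing and the deny rule would silently stop being enforced. If it selects the Redis pods instead, connections proxied by the new `redis_proxy` filter presumably arrive from the gateway's address rather than the client's, so an ipBlocks rule would no longer see the original source. A comment above `namespace:` such as `# must be the namespace of the workloads matched by spec.selector` would make the intent verifiable.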
@@ -50,6 +50,7 @@ Kubernetes: `>= 1.16.0` | kiam.enabled | bool | `false` | | | local-path-provisioner.enabled | bool | `false` | | | local-volume-provisioner.enabled | bool | `false` | | +| logging.crds | bool | `true` | | | logging.enabled | bool | `false` | | | logging.namespace | string | `"logging"` | | | metrics.crds | bool | `true` | | diff --git a/charts/kubezero/bootstrap.sh b/charts/kubezero/bootstrap.sh index c96c708..97f32e5 100755 --- a/charts/kubezero/bootstrap.sh +++ b/charts/kubezero/bootstrap.sh @@ -101,7 +101,9 @@ function _helm() { local namespace=$(get_namespace $2) if [ $action == "crds" ]; then - _crds + declare -F ${release}-crds && ${release}-crds + declare -F ${release}-crds || _crds + elif [ $action == "apply" ]; then # namespace must exist prior to apply create_ns $namespace @@ -193,6 +195,13 @@ function kiam-post() { ########### # Logging # ########### +# eck operator still doesnt support helm v3 so we have to toggle settings in the eck subchart +function logging-crds() { + helm template $(chart_location $chart) --namespace $namespace --name-template $release --skip-crds --set eck-operator.installCRDs=false > $TMPDIR/helm-no-crds.yaml + helm template $(chart_location $chart) --namespace $namespace --name-template $release --include-crds --set eck-operator.installCRDs=true > $TMPDIR/helm-crds.yaml + diff -e $TMPDIR/helm-no-crds.yaml $TMPDIR/helm-crds.yaml | head -n-1 | tail -n+2 > $TMPDIR/crds.yaml + kubectl apply -f $TMPDIR/crds.yaml +} function logging-post() { kubectl annotate --overwrite namespace logging 'iam.amazonaws.com/permitted=.*ElasticSearchSnapshots.*' } diff --git a/charts/kubezero/scripts/remove_old_eck.sh b/charts/kubezero/scripts/remove_old_eck.sh new file mode 100755 index 0000000..1aa606f --- /dev/null +++ b/charts/kubezero/scripts/remove_old_eck.sh 
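Review bot: The two added `declare -F` lines in `_helm` look up the same function twice and print its name to stdout each time, because `declare -F name` echoes the name on success. A single branch reads more clearly and keeps the output clean: `if declare -F "${release}-crds" >/dev/null; then "${release}-crds"; else _crds; fi`. Quoting the expansion also avoids word splitting if a release name ever contains unexpected characters. `_helm` starts and ends outside the hunk.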
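Review bot: `logging-crds` applies whatever text differs between the two renders, and the `head -n-1 | tail -n+2` trimming is only correct when `diff -e` emits exactly one append command. If toggling `eck-operator.installCRDs` changes the output in more than one place, ed command lines end up inside `crds.yaml`, or non-CRD objects get applied to the cluster. A check before the apply would fail closed, e.g. `grep '^kind:' "$TMPDIR/crds.yaml" | grep -qv CustomResourceDefinition && return 1`. `diff` also exits 1 when the files differ, which aborts the function if the script runs with `pipefail` and `errexit` (not visible in this hunk), and the `$TMPDIR` paths should be quoted.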
@@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License; +# you may not use this file except in compliance with the Elastic License. + +# Script to migrate an existing ECK 1.2.1 installation to Helm. + +set -euo pipefail + +RELEASE_NAMESPACE=${RELEASE_NAMESPACE:-"elastic-system"} + +echo "Uninstalling ECK" +kubectl delete -n "${RELEASE_NAMESPACE}" \ + serviceaccount/elastic-operator \ + secret/elastic-webhook-server-cert \ + clusterrole.rbac.authorization.k8s.io/elastic-operator \ + clusterrole.rbac.authorization.k8s.io/elastic-operator-view \ + clusterrole.rbac.authorization.k8s.io/elastic-operator-edit \ + clusterrolebinding.rbac.authorization.k8s.io/elastic-operator \ + rolebinding.rbac.authorization.k8s.io/elastic-operator \ + service/elastic-webhook-server \ + statefulset.apps/elastic-operator \ + validatingwebhookconfiguration.admissionregistration.k8s.io/elastic-webhook.k8s.elastic.co + diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index f681028..f034c88 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -53,7 +53,7 @@ metrics: logging: enabled: false - # crds: true + crds: true namespace: logging argocd:
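Review bot: The `kubectl delete` in remove_old_eck.sh returns non-zero as soon as one of the listed objects is already gone, so under `set -euo pipefail` a rerun after a partial cleanup fails; adding `--ignore-not-found` makes it repeatable. The list mixes namespaced objects with cluster-scoped ones (the ClusterRoles, the ClusterRoleBinding and the ValidatingWebhookConfiguration), so the script acts on whatever cluster the current kubectl context points at; printing `kubectl config current-context` before the delete would make that visible. The header comment says the script migrates ECK to Helm, while the visible body only deletes the old installation, so `# Removes the objects of a pre-Helm ECK install; everything not listed below is left in place` would describe it more accurately.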