Compare commits
14 Commits
a52bca6bae
...
f694190982
| Author | SHA1 | Date |
|---|---|---|
 Renovate Bot
|
f694190982 | |
 Stefan Reimer
|
1bdbb7c538 | |
|
Stefan Reimer
|
1350500f7f | |
|
Stefan Reimer
|
1cb0ff2c0d | |
|
Stefan Reimer
|
734f19010f | |
|
Stefan Reimer
|
3013c39061 | |
|
Stefan Reimer
|
ca14178e94 | |
|
Stefan Reimer
|
4b4431919a | |
|
Stefan Reimer
|
32e71b4129 | |
|
Renovate Bot
|
e8204779a5 | |
|
Renovate Bot
|
9a56c99ee5 | |
|
Renovate Bot
|
d9146abf72 | |
|
Renovate Bot
|
7d354402d6 | |
|
Renovate Bot
|
91a0034b26 |
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||
name: kubezero-falco
|
||||
description: Falco Container Security and Audit components
|
||||
type: application
|
||||
version: 0.1.1
|
||||
version: 0.1.2
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
|
@ -16,7 +16,7 @@ dependencies:
|
|||
version: ">= 0.1.6"
|
||||
repository: https://cdn.zero-downtime.net/charts/
|
||||
- name: falco
|
||||
version: 3.8.7
|
||||
version: 4.2.5
|
||||
repository: https://falcosecurity.github.io/charts
|
||||
condition: k8saudit.enabled
|
||||
alias: k8saudit
|
||||
|
|
|
|||
|
|
@ -0,0 +1,64 @@
|
|||
# kubezero-falco
|
||||
|
||||
 
|
||||
|
||||
Falco Container Security and Audit components
|
||||
|
||||
**Homepage:** <https://kubezero.com>
|
||||
|
||||
## Maintainers
|
||||
|
||||
| Name | Email | Url |
|
||||
| ---- | ------ | --- |
|
||||
| Stefan Reimer | <stefan@zero-downtime.net> | |
|
||||
|
||||
## Requirements
|
||||
|
||||
Kubernetes: `>= 1.26.0`
|
||||
|
||||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
||||
| https://falcosecurity.github.io/charts | k8saudit(falco) | 4.2.5 |
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| k8saudit.collectors | object | `{"enabled":false}` | Disable the collectors, no syscall events to enrich with metadata. |
|
||||
| k8saudit.controller | object | `{"deployment":{"replicas":1},"kind":"deployment"}` | Deploy Falco as a deployment. One instance of Falco is enough. Anyway the number of replicas is configurabale. |
|
||||
| k8saudit.controller.deployment.replicas | int | `1` | Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. For more info check the section on Plugins in the README.md file. |
|
||||
| k8saudit.driver | object | `{"enabled":false}` | Disable the drivers since we want to deploy only the k8saudit plugin. |
|
||||
| k8saudit.enabled | bool | `false` | |
|
||||
| k8saudit.falco.buffered_outputs | bool | `true` | |
|
||||
| k8saudit.falco.json_output | bool | `true` | |
|
||||
| k8saudit.falco.load_plugins[0] | string | `"k8saudit"` | |
|
||||
| k8saudit.falco.load_plugins[1] | string | `"json"` | |
|
||||
| k8saudit.falco.log_syslog | bool | `false` | |
|
||||
| k8saudit.falco.plugins[0].init_config.maxEventSize | int | `1048576` | |
|
||||
| k8saudit.falco.plugins[0].library_path | string | `"libk8saudit.so"` | |
|
||||
| k8saudit.falco.plugins[0].name | string | `"k8saudit"` | |
|
||||
| k8saudit.falco.plugins[0].open_params | string | `"http://:9765/k8s-audit"` | |
|
||||
| k8saudit.falco.plugins[1].init_config | string | `""` | |
|
||||
| k8saudit.falco.plugins[1].library_path | string | `"libjson.so"` | |
|
||||
| k8saudit.falco.plugins[1].name | string | `"json"` | |
|
||||
| k8saudit.falco.rules_file[0] | string | `"/etc/falco/rules.d"` | |
|
||||
| k8saudit.falco.syslog_output.enabled | bool | `false` | |
|
||||
| k8saudit.falcoctl.artifact.follow.enabled | bool | `false` | |
|
||||
| k8saudit.falcoctl.artifact.install.enabled | bool | `false` | |
|
||||
| k8saudit.fullnameOverride | string | `"falco-k8saudit"` | |
|
||||
| k8saudit.mounts.volumeMounts[0].mountPath | string | `"/etc/falco/rules.d"` | |
|
||||
| k8saudit.mounts.volumeMounts[0].name | string | `"rules-volume"` | |
|
||||
| k8saudit.mounts.volumes[0].configMap.name | string | `"falco-k8saudit-rules"` | |
|
||||
| k8saudit.mounts.volumes[0].name | string | `"rules-volume"` | |
|
||||
| k8saudit.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||
| k8saudit.resources.limits.cpu | string | `"1000m"` | |
|
||||
| k8saudit.resources.limits.memory | string | `"512Mi"` | |
|
||||
| k8saudit.resources.requests.cpu | string | `"100m"` | |
|
||||
| k8saudit.resources.requests.memory | string | `"256Mi"` | |
|
||||
| k8saudit.services[0].name | string | `"webhook"` | |
|
||||
| k8saudit.services[0].ports[0].port | int | `9765` | |
|
||||
| k8saudit.services[0].ports[0].protocol | string | `"TCP"` | |
|
||||
|
||||
----------------------------------------------
|
||||
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
|
||||
|
|
@ -20,10 +20,12 @@
|
|||
|
||||
- required_plugin_versions:
|
||||
- name: k8saudit
|
||||
version: 0.6.0
|
||||
version: 0.7.0
|
||||
alternatives:
|
||||
- name: k8saudit-eks
|
||||
version: 0.2.0
|
||||
version: 0.4.0
|
||||
- name: k8saudit-gke
|
||||
version: 0.1.0
|
||||
- name: json
|
||||
version: 0.7.0
|
||||
|
||||
|
|
@ -79,7 +81,45 @@
|
|||
"eks:vpc-resource-controller",
|
||||
"eks:addon-manager",
|
||||
]
|
||||
-
|
||||
|
||||
- list: k8s_audit_sensitive_mount_images
|
||||
items: [
|
||||
falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
|
||||
docker.io/sysdig/sysdig, sysdig/sysdig,
|
||||
gcr.io/google_containers/hyperkube,
|
||||
gcr.io/google_containers/kube-proxy, docker.io/calico/node,
|
||||
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
|
||||
docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
|
||||
docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
|
||||
amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
|
||||
]
|
||||
|
||||
- list: k8s_audit_privileged_images
|
||||
items: [
|
||||
falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
|
||||
docker.io/calico/node, calico/node,
|
||||
docker.io/cloudnativelabs/kube-router,
|
||||
docker.io/docker/ucp-agent,
|
||||
docker.io/mesosphere/mesos-slave,
|
||||
docker.io/rook/toolbox,
|
||||
docker.io/sysdig/sysdig,
|
||||
gcr.io/google_containers/kube-proxy,
|
||||
gcr.io/google-containers/startup-script,
|
||||
gcr.io/projectcalico-org/node,
|
||||
gke.gcr.io/kube-proxy,
|
||||
gke.gcr.io/gke-metadata-server,
|
||||
gke.gcr.io/netd-amd64,
|
||||
gke.gcr.io/watcher-daemonset,
|
||||
gcr.io/google-containers/prometheus-to-sd,
|
||||
registry.k8s.io/ip-masq-agent-amd64,
|
||||
registry.k8s.io/kube-proxy,
|
||||
registry.k8s.io/prometheus-to-sd,
|
||||
quay.io/calico/node,
|
||||
sysdig/sysdig,
|
||||
registry.k8s.io/dns/k8s-dns-node-cache,
|
||||
mcr.microsoft.com/oss/kubernetes/kube-proxy
|
||||
]
|
||||
|
||||
- rule: Disallowed K8s User
|
||||
desc: Detect any k8s operation by users outside of an allowed set of users.
|
||||
condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
|
||||
|
|
@ -166,7 +206,7 @@
|
|||
- rule: Create Privileged Pod
|
||||
desc: >
|
||||
Detect an attempt to start a pod with a privileged container
|
||||
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
|
||||
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_privileged_images)
|
||||
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
|
|
@ -180,7 +220,7 @@
|
|||
desc: >
|
||||
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
|
||||
Exceptions are made for known trusted images.
|
||||
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
|
||||
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (k8s_audit_sensitive_mount_images)
|
||||
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace resource=%ka.target.resource images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
|
|
@ -188,7 +228,7 @@
|
|||
|
||||
# These container images are allowed to run with hostnetwork=true
|
||||
# TODO: Remove k8s.gcr.io reference after 01/Dec/2023
|
||||
- list: falco_hostnetwork_images
|
||||
- list: k8s_audit_hostnetwork_images
|
||||
items: [
|
||||
gcr.io/google-containers/prometheus-to-sd,
|
||||
gcr.io/projectcalico-org/typha,
|
||||
|
|
@ -196,8 +236,6 @@
|
|||
gke.gcr.io/gke-metadata-server,
|
||||
gke.gcr.io/kube-proxy,
|
||||
gke.gcr.io/netd-amd64,
|
||||
k8s.gcr.io/ip-masq-agent-amd64,
|
||||
k8s.gcr.io/prometheus-to-sd,
|
||||
registry.k8s.io/ip-masq-agent-amd64,
|
||||
registry.k8s.io/prometheus-to-sd
|
||||
]
|
||||
|
|
@ -205,29 +243,29 @@
|
|||
# Corresponds to K8s CIS Benchmark 1.7.4
|
||||
- rule: Create HostNetwork Pod
|
||||
desc: Detect an attempt to start a pod using the host network.
|
||||
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
|
||||
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostnetwork_images)
|
||||
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- list: falco_hostpid_images
|
||||
- list: k8s_audit_hostpid_images
|
||||
items: []
|
||||
|
||||
- rule: Create HostPid Pod
|
||||
desc: Detect an attempt to start a pod using the host pid namespace.
|
||||
condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostpid_images)
|
||||
condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostpid_images)
|
||||
output: Pod started using host pid namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- list: falco_hostipc_images
|
||||
- list: k8s_audit_hostipc_images
|
||||
items: []
|
||||
|
||||
- rule: Create HostIPC Pod
|
||||
desc: Detect an attempt to start a pod using the host ipc namespace.
|
||||
condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostipc_images)
|
||||
condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostipc_images)
|
||||
output: Pod started using host ipc namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
|
||||
priority: WARNING
|
||||
source: k8s_audit
|
||||
|
|
@ -298,6 +336,18 @@
|
|||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- macro: user_known_portforward_activities
|
||||
condition: (k8s_audit_never_true)
|
||||
|
||||
- rule: port-forward
|
||||
desc: >
|
||||
Detect any attempt to portforward
|
||||
condition: ka.target.subresource in (portforward) and not user_known_portforward_activities
|
||||
output: Portforward to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource )
|
||||
priority: NOTICE
|
||||
source: k8s_audit
|
||||
tags: [k8s]
|
||||
|
||||
- macro: user_known_pod_debug_activities
|
||||
condition: (k8s_audit_never_true)
|
||||
|
||||
|
|
@ -344,19 +394,11 @@
|
|||
gke.gcr.io/addon-resizer,
|
||||
gke.gcr.io/heapster,
|
||||
gke.gcr.io/gke-metadata-server,
|
||||
k8s.gcr.io/ip-masq-agent-amd64,
|
||||
k8s.gcr.io/kube-apiserver,
|
||||
registry.k8s.io/ip-masq-agent-amd64,
|
||||
registry.k8s.io/kube-apiserver,
|
||||
gke.gcr.io/kube-proxy,
|
||||
gke.gcr.io/netd-amd64,
|
||||
gke.gcr.io/watcher-daemonset,
|
||||
k8s.gcr.io/addon-resizer,
|
||||
k8s.gcr.io/prometheus-to-sd,
|
||||
k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
|
||||
k8s.gcr.io/k8s-dns-kube-dns-amd64,
|
||||
k8s.gcr.io/k8s-dns-sidecar-amd64,
|
||||
k8s.gcr.io/metrics-server-amd64,
|
||||
registry.k8s.io/addon-resizer,
|
||||
registry.k8s.io/prometheus-to-sd,
|
||||
registry.k8s.io/k8s-dns-dnsmasq-nanny-amd64,
|
||||
|
|
|
|||
|
|
@ -15,9 +15,9 @@ k8saudit:
|
|||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 256Mi
|
||||
memory: 64Mi
|
||||
limits:
|
||||
cpu: 1000m
|
||||
cpu: 1
|
||||
memory: 512Mi
|
||||
|
||||
nodeSelector:
|
||||
|
|
@ -43,10 +43,16 @@ k8saudit:
|
|||
|
||||
falcoctl:
|
||||
artifact:
|
||||
install:
|
||||
enabled: false
|
||||
follow:
|
||||
enabled: false
|
||||
# Since 0.37 the plugins are not part of the image anymore
|
||||
# but we provide our rules static via our CM
|
||||
config:
|
||||
artifact:
|
||||
allowedTypes:
|
||||
- plugin
|
||||
install:
|
||||
refs: [k8saudit:0.7.0,json:0.7.2]
|
||||
|
||||
services:
|
||||
- name: webhook
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||
name: kubezero-istio-gateway
|
||||
description: KubeZero Umbrella Chart for Istio gateways
|
||||
type: application
|
||||
version: 0.19.5
|
||||
version: 0.21.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# kubezero-istio-gateway
|
||||
|
||||
 
|
||||
 
|
||||
|
||||
KubeZero Umbrella Chart for Istio gateways
|
||||
|
||||
|
|
@ -21,7 +21,7 @@ Kubernetes: `>= 1.26.0`
|
|||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
||||
| https://istio-release.storage.googleapis.com/charts | gateway | 1.19.4 |
|
||||
| https://istio-release.storage.googleapis.com/charts | gateway | 1.21.0 |
|
||||
|
||||
## Values
|
||||
|
||||
|
|
@ -41,6 +41,8 @@ Kubernetes: `>= 1.26.0`
|
|||
| gateway.service.externalTrafficPolicy | string | `"Local"` | |
|
||||
| gateway.service.type | string | `"NodePort"` | |
|
||||
| gateway.terminationGracePeriodSeconds | int | `120` | |
|
||||
| hardening.rejectUnderscoresHeaders | bool | `true` | |
|
||||
| hardening.unescapeSlashes | bool | `true` | |
|
||||
| proxyProtocol | bool | `true` | |
|
||||
| telemetry.enabled | bool | `false` | |
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
apiVersion: v2
|
||||
appVersion: 1.19.4
|
||||
appVersion: 1.21.0
|
||||
description: Helm chart for deploying Istio gateways
|
||||
icon: https://istio.io/latest/favicons/android-192x192.png
|
||||
keywords:
|
||||
|
|
@ -9,4 +9,4 @@ name: gateway
|
|||
sources:
|
||||
- https://github.com/istio/istio
|
||||
type: application
|
||||
version: 1.19.4
|
||||
version: 1.21.0
|
||||
|
|
|
|||
|
|
@ -35,6 +35,28 @@ To view support configuration options and documentation, run:
|
|||
helm show values istio/gateway
|
||||
```
|
||||
|
||||
### Profiles
|
||||
|
||||
Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets.
|
||||
These can be set with `--set profile=<profile>`.
|
||||
For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements.
|
||||
|
||||
For consistency, the same profiles are used across each chart, even if they do not impact a given chart.
|
||||
|
||||
Explicitly set values have highest priority, then profile settings, then chart defaults.
|
||||
|
||||
As an implementation detail of profiles, the default values for the chart are all nested under `defaults`.
|
||||
When configuring the chart, you should not include this.
|
||||
That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`.
|
||||
|
||||
### OpenShift
|
||||
|
||||
When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example:
|
||||
|
||||
```console
|
||||
helm install istio-ingressgateway istio/gateway -- set profile=openshift
|
||||
```
|
||||
|
||||
### `image: auto` Information
|
||||
|
||||
The image used by the chart, `auto`, may be unintuitive.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,25 @@
|
|||
# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed
|
||||
meshConfig:
|
||||
defaultConfig:
|
||||
proxyMetadata:
|
||||
ISTIO_META_ENABLE_HBONE: "true"
|
||||
variant: distroless
|
||||
pilot:
|
||||
variant: distroless
|
||||
env:
|
||||
# Setup more secure default that is off in 'default' only for backwards compatibility
|
||||
VERIFY_CERTIFICATE_AT_CLIENT: "true"
|
||||
ENABLE_AUTO_SNI: "true"
|
||||
|
||||
PILOT_ENABLE_HBONE: "true"
|
||||
CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel"
|
||||
PILOT_ENABLE_AMBIENT_CONTROLLERS: "true"
|
||||
cni:
|
||||
logLevel: info
|
||||
privileged: true
|
||||
ambient:
|
||||
enabled: true
|
||||
|
||||
# Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni
|
||||
excludeNamespaces:
|
||||
- kube-system
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
pilot:
|
||||
env:
|
||||
ENABLE_EXTERNAL_NAME_ALIAS: "false"
|
||||
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true"
|
||||
VERIFY_CERTIFICATE_AT_CLIENT: "false"
|
||||
ENABLE_AUTO_SNI: "false"
|
||||
|
|
@ -0,0 +1,69 @@
|
|||
# The demo profile enables a variety of things to try out Istio in non-production environments.
|
||||
# * Lower resource utilization.
|
||||
# * Some additional features are enabled by default; especially ones used in some tasks in istio.io.
|
||||
# * More ports enabled on the ingress, which is used in some tasks.
|
||||
meshConfig:
|
||||
accessLogFile: /dev/stdout
|
||||
extensionProviders:
|
||||
- name: otel
|
||||
envoyOtelAls:
|
||||
service: opentelemetry-collector.istio-system.svc.cluster.local
|
||||
port: 4317
|
||||
- name: skywalking
|
||||
skywalking:
|
||||
service: tracing.istio-system.svc.cluster.local
|
||||
port: 11800
|
||||
- name: otel-tracing
|
||||
opentelemetry:
|
||||
port: 4317
|
||||
service: opentelemetry-collector.otel-collector.svc.cluster.local
|
||||
|
||||
global:
|
||||
proxy:
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 40Mi
|
||||
|
||||
pilot:
|
||||
autoscaleEnabled: false
|
||||
traceSampling: 100
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 100Mi
|
||||
|
||||
gateways:
|
||||
istio-egressgateway:
|
||||
autoscaleEnabled: false
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 40Mi
|
||||
istio-ingressgateway:
|
||||
autoscaleEnabled: false
|
||||
ports:
|
||||
## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
|
||||
# Note that AWS ELB will by default perform health checks on the first port
|
||||
# on this list. Setting this to the health check port will ensure that health
|
||||
# checks always work. https://github.com/istio/istio/issues/12503
|
||||
- port: 15021
|
||||
targetPort: 15021
|
||||
name: status-port
|
||||
- port: 80
|
||||
targetPort: 8080
|
||||
name: http2
|
||||
- port: 443
|
||||
targetPort: 8443
|
||||
name: https
|
||||
- port: 31400
|
||||
targetPort: 31400
|
||||
name: tcp
|
||||
# This is the port where sni routing happens
|
||||
- port: 15443
|
||||
targetPort: 15443
|
||||
name: tls
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 40Mi
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
|
||||
# CNI must be installed.
|
||||
cni:
|
||||
cniBinDir: /var/lib/cni/bin
|
||||
cniConfDir: /etc/cni/multus/net.d
|
||||
chained: false
|
||||
cniConfFileName: "istio-cni.conf"
|
||||
excludeNamespaces:
|
||||
- istio-system
|
||||
- kube-system
|
||||
logLevel: info
|
||||
privileged: true
|
||||
provider: "multus"
|
||||
global:
|
||||
platform: openshift
|
||||
istio_cni:
|
||||
enabled: true
|
||||
chained: false
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
# The preview profile contains features that are experimental.
|
||||
# This is intended to explore new features coming to Istio.
|
||||
# Stability, security, and performance are not guaranteed - use at your own risk.
|
||||
meshConfig:
|
||||
defaultConfig:
|
||||
proxyMetadata:
|
||||
# Enable Istio agent to handle DNS requests for known hosts
|
||||
# Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
|
||||
ISTIO_META_DNS_CAPTURE: "true"
|
||||
|
|
@ -46,6 +46,10 @@ spec:
|
|||
- name: net.ipv4.ip_unprivileged_port_start
|
||||
value: "0"
|
||||
{{- end }}
|
||||
{{- with .Values.volumes }}
|
||||
volumes:
|
||||
{{ toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: istio-proxy
|
||||
# "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection
|
||||
|
|
@ -94,9 +98,9 @@ spec:
|
|||
name: http-envoy-prom
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- if .Values.volumeMounts }}
|
||||
{{- with .Values.volumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml .Values.volumeMounts | nindent 12 }}
|
||||
{{ toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
|
|
@ -118,7 +122,3 @@ spec:
|
|||
{{- with .Values.priorityClassName }}
|
||||
priorityClassName: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.volumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -28,4 +28,15 @@ spec:
|
|||
averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
|
||||
type: Utilization
|
||||
{{- end }}
|
||||
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
|
||||
- type: Resource
|
||||
resource:
|
||||
name: memory
|
||||
target:
|
||||
averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
|
||||
type: Utilization
|
||||
{{- end }}
|
||||
{{- if .Values.autoscaling.autoscaleBehavior }}
|
||||
behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -15,12 +15,19 @@ spec:
|
|||
{{- with .Values.service.loadBalancerIP }}
|
||||
loadBalancerIP: "{{ . }}"
|
||||
{{- end }}
|
||||
{{- with .Values.service.ipFamilyPolicy }}
|
||||
ipFamilyPolicy: "{{ . }}"
|
||||
{{- if eq .Values.service.type "LoadBalancer" }}
|
||||
{{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }}
|
||||
allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.service.ipFamilies }}
|
||||
{{- if .Values.service.ipFamilyPolicy }}
|
||||
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
|
||||
{{- end }}
|
||||
{{- if .Values.service.ipFamilies }}
|
||||
ipFamilies:
|
||||
{{ toYaml . | indent 4 }}
|
||||
{{- range .Values.service.ipFamilies }}
|
||||
- {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.service.loadBalancerSourceRanges }}
|
||||
loadBalancerSourceRanges:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,34 @@
|
|||
{{/*
|
||||
Complex logic ahead...
|
||||
We have three sets of values, in order of precedence (last wins):
|
||||
1. The builtin values.yaml defaults
|
||||
2. The profile the user selects
|
||||
3. Users input (-f or --set)
|
||||
|
||||
Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
|
||||
|
||||
However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
|
||||
We can then merge the profile onto the defaults, then the user settings onto that.
|
||||
Finally, we can set all of that under .Values so the chart behaves without awareness.
|
||||
*/}}
|
||||
{{- $defaults := $.Values.defaults }}
|
||||
{{- $_ := unset $.Values "defaults" }}
|
||||
{{- $profile := dict }}
|
||||
{{- with .Values.profile }}
|
||||
{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
|
||||
{{- $profile = (. | fromYaml) }}
|
||||
{{- else }}
|
||||
{{ fail (cat "unknown profile" $.Values.profile) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.compatibilityVersion }}
|
||||
{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
|
||||
{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
|
||||
{{- else }}
|
||||
{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if $profile }}
|
||||
{{- $a := mustMergeOverwrite $defaults $profile }}
|
||||
{{- end }}
|
||||
{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
|
||||
|
|
@ -2,240 +2,300 @@
|
|||
"$schema": "http://json-schema.org/schema#",
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"properties": {
|
||||
"global": {
|
||||
"type": "object"
|
||||
},
|
||||
"affinity": {
|
||||
"type": "object"
|
||||
},
|
||||
"securityContext": {
|
||||
"type": ["object", "null"]
|
||||
},
|
||||
"containerSecurityContext": {
|
||||
"type": ["object", "null"]
|
||||
},
|
||||
"kind":{
|
||||
"type": "string",
|
||||
"enum": ["Deployment", "DaemonSet"]
|
||||
},
|
||||
"annotations": {
|
||||
"additionalProperties": {
|
||||
"type": [
|
||||
"string",
|
||||
"integer"
|
||||
]
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"autoscaling": {
|
||||
"$defs": {
|
||||
"values": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"maxReplicas": {
|
||||
"type": "integer"
|
||||
},
|
||||
"minReplicas": {
|
||||
"type": "integer"
|
||||
},
|
||||
"targetCPUUtilizationPercentage": {
|
||||
"type": "integer"
|
||||
}
|
||||
}
|
||||
},
|
||||
"env": {
|
||||
"type": "object"
|
||||
},
|
||||
"labels": {
|
||||
"type": "object"
|
||||
},
|
||||
"volumes": {
|
||||
"type": "array"
|
||||
},
|
||||
"volumeMounts": {
|
||||
"type": "array"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"nodeSelector": {
|
||||
"type": "object"
|
||||
},
|
||||
"podAnnotations": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"inject.istio.io/templates": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/path": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/port": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/scrape": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"replicaCount": {
|
||||
"type": [ "integer", "null" ]
|
||||
},
|
||||
"resources": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"limits": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"requests": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"revision": {
|
||||
"type": "string"
|
||||
},
|
||||
"runAsRoot": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"unprivilegedPort": {
|
||||
"type": ["string", "boolean"],
|
||||
"enum": [true, false, "auto"]
|
||||
},
|
||||
"service": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"global": {
|
||||
"type": "object"
|
||||
},
|
||||
"externalTrafficPolicy": {
|
||||
"affinity": {
|
||||
"type": "object"
|
||||
},
|
||||
"securityContext": {
|
||||
"type": [
|
||||
"object",
|
||||
"null"
|
||||
]
|
||||
},
|
||||
"containerSecurityContext": {
|
||||
"type": [
|
||||
"object",
|
||||
"null"
|
||||
]
|
||||
},
|
||||
"kind": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"Deployment",
|
||||
"DaemonSet"
|
||||
]
|
||||
},
|
||||
"annotations": {
|
||||
"additionalProperties": {
|
||||
"type": [
|
||||
"string",
|
||||
"integer"
|
||||
]
|
||||
},
|
||||
"type": "object"
|
||||
},
|
||||
"autoscaling": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"maxReplicas": {
|
||||
"type": "integer"
|
||||
},
|
||||
"minReplicas": {
|
||||
"type": "integer"
|
||||
},
|
||||
"targetCPUUtilizationPercentage": {
|
||||
"type": "integer"
|
||||
}
|
||||
}
|
||||
},
|
||||
"env": {
|
||||
"type": "object"
|
||||
},
|
||||
"labels": {
|
||||
"type": "object"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"loadBalancerIP": {
|
||||
"nodeSelector": {
|
||||
"type": "object"
|
||||
},
|
||||
"podAnnotations": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"inject.istio.io/templates": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/path": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/port": {
|
||||
"type": "string"
|
||||
},
|
||||
"prometheus.io/scrape": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"replicaCount": {
|
||||
"type": [
|
||||
"integer",
|
||||
"null"
|
||||
]
|
||||
},
|
||||
"resources": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"limits": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"requests": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"cpu": {
|
||||
"type": "string"
|
||||
},
|
||||
"memory": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"revision": {
|
||||
"type": "string"
|
||||
},
|
||||
"loadBalancerSourceRanges": {
|
||||
"compatibilityVersion": {
|
||||
"type": "string"
|
||||
},
|
||||
"runAsRoot": {
|
||||
"type": "boolean"
|
||||
},
|
||||
"unprivilegedPort": {
|
||||
"type": [
|
||||
"string",
|
||||
"boolean"
|
||||
],
|
||||
"enum": [
|
||||
true,
|
||||
false,
|
||||
"auto"
|
||||
]
|
||||
},
|
||||
"service": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"externalTrafficPolicy": {
|
||||
"type": "string"
|
||||
},
|
||||
"loadBalancerIP": {
|
||||
"type": "string"
|
||||
},
|
||||
"loadBalancerSourceRanges": {
|
||||
"type": "array"
|
||||
},
|
||||
"ipFamilies": {
|
||||
"items": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"IPv4",
|
||||
"IPv6"
|
||||
]
|
||||
}
|
||||
},
|
||||
"ipFamilyPolicy": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"",
|
||||
"SingleStack",
|
||||
"PreferDualStack",
|
||||
"RequireDualStack"
|
||||
]
|
||||
},
|
||||
"ports": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"port": {
|
||||
"type": "integer"
|
||||
},
|
||||
"protocol": {
|
||||
"type": "string"
|
||||
},
|
||||
"targetPort": {
|
||||
"type": "integer"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"type": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"serviceAccount": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"rbac": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tolerations": {
|
||||
"type": "array"
|
||||
},
|
||||
"ipFamilies" : {
|
||||
"items": {
|
||||
"type": "string",
|
||||
"enum": ["IPv4", "IPv6"]
|
||||
}
|
||||
"topologySpreadConstraints": {
|
||||
"type": "array"
|
||||
},
|
||||
"ipFamilyPolicy" : {
|
||||
"networkGateway": {
|
||||
"type": "string"
|
||||
},
|
||||
"imagePullPolicy": {
|
||||
"type": "string",
|
||||
"enum": ["", "SingleStack", "PreferDualStack", "RequireDualStack"]
|
||||
"enum": [
|
||||
"",
|
||||
"Always",
|
||||
"IfNotPresent",
|
||||
"Never"
|
||||
]
|
||||
},
|
||||
"ports": {
|
||||
"imagePullSecrets": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"port": {
|
||||
"type": "integer"
|
||||
},
|
||||
"protocol": {
|
||||
"type": "string"
|
||||
},
|
||||
"targetPort": {
|
||||
"type": "integer"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"type": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"serviceAccount": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"annotations": {
|
||||
"type": "object"
|
||||
},
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"create": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"rbac": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"enabled": {
|
||||
"type": "boolean"
|
||||
}
|
||||
}
|
||||
},
|
||||
"tolerations": {
|
||||
"type": "array"
|
||||
},
|
||||
"topologySpreadConstraints": {
|
||||
"type": "array"
|
||||
},
|
||||
"networkGateway": {
|
||||
"type": "string"
|
||||
},
|
||||
"imagePullPolicy": {
|
||||
"type": "string",
|
||||
"enum": ["", "Always", "IfNotPresent", "Never"]
|
||||
},
|
||||
"imagePullSecrets": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"name": {
|
||||
"type": "string"
|
||||
"podDisruptionBudget": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"minAvailable": {
|
||||
"type": [
|
||||
"integer",
|
||||
"string"
|
||||
]
|
||||
},
|
||||
"maxUnavailable": {
|
||||
"type": [
|
||||
"integer",
|
||||
"string"
|
||||
]
|
||||
},
|
||||
"unhealthyPodEvictionPolicy": {
|
||||
"type": "string",
|
||||
"enum": [
|
||||
"",
|
||||
"IfHealthyBudget",
|
||||
"AlwaysAllow"
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"terminationGracePeriodSeconds": {
|
||||
"type": "number"
|
||||
},
|
||||
"volumes": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"volumeMounts": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object"
|
||||
}
|
||||
},
|
||||
"priorityClassName": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"podDisruptionBudget": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"minAvailable": {
|
||||
"type": ["integer", "string"]
|
||||
},
|
||||
"maxUnavailable": {
|
||||
"type": ["integer", "string"]
|
||||
},
|
||||
"unhealthyPodEvictionPolicy": {
|
||||
"type": "string",
|
||||
"enum": ["", "IfHealthyBudget", "AlwaysAllow"]
|
||||
}
|
||||
}
|
||||
},
|
||||
"terminationGracePeriodSeconds": {
|
||||
"type": "number"
|
||||
},
|
||||
"priorityClassName": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"defaults": {
|
||||
"$ref": "#/$defs/values"
|
||||
},
|
||||
"$ref": "#/$defs/values"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,139 +1,152 @@
|
|||
# Name allows overriding the release name. Generally this should not be set
|
||||
name: ""
|
||||
# revision declares which revision this gateway is a part of
|
||||
revision: ""
|
||||
|
||||
# Controls the spec.replicas setting for the Gateway deployment if set.
|
||||
# Otherwise defaults to Kubernetes Deployment default (1).
|
||||
replicaCount:
|
||||
|
||||
kind: Deployment
|
||||
|
||||
rbac:
|
||||
# If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
|
||||
# when using http://gateway-api.org/.
|
||||
enabled: true
|
||||
|
||||
serviceAccount:
|
||||
# If set, a service account will be created. Otherwise, the default is used
|
||||
create: true
|
||||
# Annotations to add to the service account
|
||||
annotations: {}
|
||||
# The name of the service account to use.
|
||||
# If not set, the release name is used
|
||||
defaults:
|
||||
# Name allows overriding the release name. Generally this should not be set
|
||||
name: ""
|
||||
# revision declares which revision this gateway is a part of
|
||||
revision: ""
|
||||
|
||||
podAnnotations:
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
inject.istio.io/templates: "gateway"
|
||||
sidecar.istio.io/inject: "true"
|
||||
# Controls the spec.replicas setting for the Gateway deployment if set.
|
||||
# Otherwise defaults to Kubernetes Deployment default (1).
|
||||
replicaCount:
|
||||
|
||||
# Define the security context for the pod.
|
||||
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
|
||||
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
|
||||
securityContext: ~
|
||||
containerSecurityContext: ~
|
||||
kind: Deployment
|
||||
|
||||
service:
|
||||
# Type of service. Set to "None" to disable the service entirely
|
||||
type: LoadBalancer
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
protocol: TCP
|
||||
targetPort: 15021
|
||||
- name: http2
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 80
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: 443
|
||||
rbac:
|
||||
# If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
|
||||
# when using http://gateway-api.org/.
|
||||
enabled: true
|
||||
|
||||
serviceAccount:
|
||||
# If set, a service account will be created. Otherwise, the default is used
|
||||
create: true
|
||||
# Annotations to add to the service account
|
||||
annotations: {}
|
||||
# The name of the service account to use.
|
||||
# If not set, the release name is used
|
||||
name: ""
|
||||
|
||||
podAnnotations:
|
||||
prometheus.io/port: "15020"
|
||||
prometheus.io/scrape: "true"
|
||||
prometheus.io/path: "/stats/prometheus"
|
||||
inject.istio.io/templates: "gateway"
|
||||
sidecar.istio.io/inject: "true"
|
||||
|
||||
# Define the security context for the pod.
|
||||
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
|
||||
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
|
||||
securityContext: ~
|
||||
containerSecurityContext: ~
|
||||
|
||||
service:
|
||||
# Type of service. Set to "None" to disable the service entirely
|
||||
type: LoadBalancer
|
||||
ports:
|
||||
- name: status-port
|
||||
port: 15021
|
||||
protocol: TCP
|
||||
targetPort: 15021
|
||||
- name: http2
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 80
|
||||
- name: https
|
||||
port: 443
|
||||
protocol: TCP
|
||||
targetPort: 443
|
||||
annotations: {}
|
||||
loadBalancerIP: ""
|
||||
loadBalancerSourceRanges: []
|
||||
externalTrafficPolicy: ""
|
||||
externalIPs: []
|
||||
ipFamilyPolicy: ""
|
||||
ipFamilies: []
|
||||
## Whether to automatically allocate NodePorts (only for LoadBalancers).
|
||||
# allocateLoadBalancerNodePorts: false
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
|
||||
autoscaling:
|
||||
enabled: true
|
||||
minReplicas: 1
|
||||
maxReplicas: 5
|
||||
targetCPUUtilizationPercentage: 80
|
||||
targetMemoryUtilizationPercentage: {}
|
||||
autoscaleBehavior: {}
|
||||
|
||||
# Pod environment variables
|
||||
env: {}
|
||||
|
||||
# Labels to apply to all resources
|
||||
labels: {}
|
||||
|
||||
# Annotations to apply to all resources
|
||||
annotations: {}
|
||||
loadBalancerIP: ""
|
||||
loadBalancerSourceRanges: []
|
||||
externalTrafficPolicy: ""
|
||||
externalIPs: []
|
||||
ipFamilyPolicy: ""
|
||||
ipFamilies: []
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 2000m
|
||||
memory: 1024Mi
|
||||
nodeSelector: {}
|
||||
|
||||
autoscaling:
|
||||
enabled: true
|
||||
minReplicas: 1
|
||||
maxReplicas: 5
|
||||
targetCPUUtilizationPercentage: 80
|
||||
tolerations: []
|
||||
|
||||
# Pod environment variables
|
||||
env: {}
|
||||
topologySpreadConstraints: []
|
||||
|
||||
# Labels to apply to all resources
|
||||
labels: {}
|
||||
affinity: {}
|
||||
|
||||
# Annotations to apply to all resources
|
||||
annotations: {}
|
||||
# If specified, the gateway will act as a network gateway for the given network.
|
||||
networkGateway: ""
|
||||
|
||||
nodeSelector: {}
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent
|
||||
imagePullPolicy: ""
|
||||
|
||||
tolerations: []
|
||||
imagePullSecrets: []
|
||||
|
||||
topologySpreadConstraints: []
|
||||
# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
|
||||
#
|
||||
# By default, the `podDisruptionBudget` is disabled (set to `{}`),
|
||||
# which means that no PodDisruptionBudget resource will be created.
|
||||
#
|
||||
# To enable the PodDisruptionBudget, configure it by specifying the
|
||||
# `minAvailable` or `maxUnavailable`. For example, to set the
|
||||
# minimum number of available replicas to 1, you can update this value as follows:
|
||||
#
|
||||
# podDisruptionBudget:
|
||||
# minAvailable: 1
|
||||
#
|
||||
# Or, to allow a maximum of 1 unavailable replica, you can set:
|
||||
#
|
||||
# podDisruptionBudget:
|
||||
# maxUnavailable: 1
|
||||
#
|
||||
# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
|
||||
# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
|
||||
#
|
||||
# podDisruptionBudget:
|
||||
# minAvailable: 1
|
||||
# unhealthyPodEvictionPolicy: AlwaysAllow
|
||||
#
|
||||
# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
|
||||
#
|
||||
# podDisruptionBudget: {}
|
||||
#
|
||||
podDisruptionBudget: {}
|
||||
|
||||
affinity: {}
|
||||
terminationGracePeriodSeconds: 30
|
||||
|
||||
# If specified, the gateway will act as a network gateway for the given network.
|
||||
networkGateway: ""
|
||||
# A list of `Volumes` added into the Gateway Pods. See
|
||||
# https://kubernetes.io/docs/concepts/storage/volumes/.
|
||||
volumes: []
|
||||
|
||||
# Specify image pull policy if default behavior isn't desired.
|
||||
# Default behavior: latest images will be Always else IfNotPresent
|
||||
imagePullPolicy: ""
|
||||
# A list of `VolumeMounts` added into the Gateway Pods. See
|
||||
# https://kubernetes.io/docs/concepts/storage/volumes/.
|
||||
volumeMounts: []
|
||||
|
||||
imagePullSecrets: []
|
||||
|
||||
# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
|
||||
#
|
||||
# By default, the `podDisruptionBudget` is disabled (set to `{}`),
|
||||
# which means that no PodDisruptionBudget resource will be created.
|
||||
#
|
||||
# To enable the PodDisruptionBudget, configure it by specifying the
|
||||
# `minAvailable` or `maxUnavailable`. For example, to set the
|
||||
# minimum number of available replicas to 1, you can update this value as follows:
|
||||
#
|
||||
# podDisruptionBudget:
|
||||
# minAvailable: 1
|
||||
#
|
||||
# Or, to allow a maximum of 1 unavailable replica, you can set:
|
||||
#
|
||||
# podDisruptionBudget:
|
||||
# maxUnavailable: 1
|
||||
#
|
||||
# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
|
||||
# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
|
||||
#
|
||||
# podDisruptionBudget:
|
||||
# minAvailable: 1
|
||||
# unhealthyPodEvictionPolicy: AlwaysAllow
|
||||
#
|
||||
# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
|
||||
#
|
||||
# podDisruptionBudget: {}
|
||||
#
|
||||
podDisruptionBudget: {}
|
||||
|
||||
terminationGracePeriodSeconds: 30
|
||||
|
||||
# Configure this to a higher priority class in order to make sure your Istio gateway pods
|
||||
# will not be killed because of low priority class.
|
||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||
# for more detail.
|
||||
priorityClassName: ""
|
||||
# Configure this to a higher priority class in order to make sure your Istio gateway pods
|
||||
# will not be killed because of low priority class.
|
||||
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
|
||||
# for more detail.
|
||||
priorityClassName: ""
|
||||
|
|
|
|||
|
|
@ -11,25 +11,6 @@ diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/template
|
|||
selector:
|
||||
matchLabels:
|
||||
{{- include "gateway.selectorLabels" . | nindent 6 }}
|
||||
@@ -86,6 +90,10 @@
|
||||
name: http-envoy-prom
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
+ {{- if .Values.volumeMounts }}
|
||||
+ volumeMounts:
|
||||
+ {{- toYaml .Values.volumeMounts | nindent 12 }}
|
||||
+ {{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
@@ -102,3 +110,7 @@
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
+ {{- with .Values.volumes }}
|
||||
+ volumes:
|
||||
+ {{- toYaml . | nindent 8 }}
|
||||
+ {{- end }}
|
||||
diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/service.yaml
|
||||
--- charts/gateway.orig/templates/service.yaml 2022-12-09 14:58:33.000000000 +0000
|
||||
+++ charts/gateway/templates/service.yaml 2022-12-12 22:52:27.629670669 +0000
|
||||
|
|
@ -49,19 +30,3 @@ diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/s
|
|||
{{- end }}
|
||||
{{- if .Values.service.externalIPs }}
|
||||
externalIPs: {{- range .Values.service.externalIPs }}
|
||||
diff -tubr charts/gateway.orig/values.schema.json charts/gateway/values.schema.json
|
||||
--- charts/gateway.orig/values.schema.json 2022-12-09 14:58:33.000000000 +0000
|
||||
+++ charts/gateway/values.schema.json 2022-12-12 22:52:27.629670669 +0000
|
||||
@@ -51,6 +51,12 @@
|
||||
"labels": {
|
||||
"type": "object"
|
||||
},
|
||||
+ "volumes": {
|
||||
+ "type": "array"
|
||||
+ },
|
||||
+ "volumeMounts": {
|
||||
+ "type": "array"
|
||||
+ },
|
||||
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||
name: kubezero-istio
|
||||
description: KubeZero Umbrella Chart for Istio
|
||||
type: application
|
||||
version: 0.19.5
|
||||
version: 0.21.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# kubezero-istio
|
||||
|
||||
 
|
||||
 
|
||||
|
||||
KubeZero Umbrella Chart for Istio
|
||||
|
||||
|
|
@ -21,9 +21,9 @@ Kubernetes: `>= 1.26.0`
|
|||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
||||
| https://istio-release.storage.googleapis.com/charts | base | 1.19.4 |
|
||||
| https://istio-release.storage.googleapis.com/charts | istiod | 1.19.4 |
|
||||
| https://kiali.org/helm-charts | kiali-server | 1.76.0 |
|
||||
| https://istio-release.storage.googleapis.com/charts | base | 1.21.0 |
|
||||
| https://istio-release.storage.googleapis.com/charts | istiod | 1.21.0 |
|
||||
| https://kiali.org/helm-charts | kiali-server | 1.82.0 |
|
||||
|
||||
## Values
|
||||
|
||||
|
|
|
|||
|
|
@ -5,18 +5,18 @@ folder: Istio
|
|||
condition: '.Values.istiod.telemetry.enabled'
|
||||
dashboards:
|
||||
- name: istio-control-plane
|
||||
url: https://grafana.com/api/dashboards/7645/revisions/187/download
|
||||
url: https://grafana.com/api/dashboards/7645/revisions/201/download
|
||||
tags:
|
||||
- Istio
|
||||
- name: istio-mesh
|
||||
url: https://grafana.com/api/dashboards/7639/revisions/187/download
|
||||
url: https://grafana.com/api/dashboards/7639/revisions/201/download
|
||||
tags:
|
||||
- Istio
|
||||
- name: istio-service
|
||||
url: https://grafana.com/api/dashboards/7636/revisions/187/download
|
||||
url: https://grafana.com/api/dashboards/7636/revisions/201/download
|
||||
tags:
|
||||
- Istio
|
||||
- name: istio-workload
|
||||
url: https://grafana.com/api/dashboards/7630/revisions/187/download
|
||||
url: https://grafana.com/api/dashboards/7630/revisions/201/download
|
||||
tags:
|
||||
- Istio
|
||||
|
|
|
|||
File diff suppressed because one or more lines are too long
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||
name: kubezero-metrics
|
||||
description: KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations.
|
||||
type: application
|
||||
version: 0.9.5
|
||||
version: 0.9.6
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
|
@ -19,14 +19,14 @@ dependencies:
|
|||
version: ">= 0.1.6"
|
||||
repository: https://cdn.zero-downtime.net/charts/
|
||||
- name: kube-prometheus-stack
|
||||
version: 54.2.2
|
||||
version: 57.2.0
|
||||
repository: https://prometheus-community.github.io/helm-charts
|
||||
- name: prometheus-adapter
|
||||
version: 4.9.0
|
||||
version: 4.9.1
|
||||
repository: https://prometheus-community.github.io/helm-charts
|
||||
condition: prometheus-adapter.enabled
|
||||
- name: prometheus-pushgateway
|
||||
version: 2.4.2
|
||||
version: 2.8.0
|
||||
repository: https://prometheus-community.github.io/helm-charts
|
||||
condition: prometheus-pushgateway.enabled
|
||||
kubeVersion: ">= 1.26.0"
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ dependencies:
|
|||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: rabbitmq.enabled
|
||||
- name: rabbitmq-cluster-operator
|
||||
version: 4.1.0
|
||||
version: 4.2.1
|
||||
repository: https://charts.bitnami.com/bitnami
|
||||
condition: rabbitmq-cluster-operator.enabled
|
||||
kubeVersion: ">= 1.25.0"
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||
name: kubezero-operators
|
||||
description: Various operators supported by KubeZero
|
||||
type: application
|
||||
version: 0.1.1
|
||||
version: 0.1.2
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
|
@ -21,7 +21,7 @@ dependencies:
|
|||
repository: https://opensearch-project.github.io/opensearch-k8s-operator/
|
||||
condition: opensearch-operator.enabled
|
||||
- name: eck-operator
|
||||
version: 2.11.1
|
||||
version: 2.12.1
|
||||
repository: https://helm.elastic.co
|
||||
condition: eck-operator.enabled
|
||||
kubeVersion: ">= 1.26.0"
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# kubezero-operators
|
||||
|
||||
 
|
||||
 
|
||||
|
||||
Various operators supported by KubeZero
|
||||
|
||||
|
|
@ -19,7 +19,7 @@ Kubernetes: `>= 1.26.0`
|
|||
| Repository | Name | Version |
|
||||
|------------|------|---------|
|
||||
| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
|
||||
| https://helm.elastic.co | eck-operator | 2.11.1 |
|
||||
| https://helm.elastic.co | eck-operator | 2.12.1 |
|
||||
| https://opensearch-project.github.io/opensearch-k8s-operator/ | opensearch-operator | 2.5.1 |
|
||||
|
||||
## Values
|
||||
|
|
@ -34,6 +34,8 @@ Kubernetes: `>= 1.26.0`
|
|||
| opensearch-operator.enabled | bool | `false` | |
|
||||
| opensearch-operator.fullnameOverride | string | `"opensearch-operator"` | |
|
||||
| opensearch-operator.kubeRbacProxy.enable | bool | `false` | |
|
||||
| opensearch-operator.manager.extraEnv[0].name | string | `"SKIP_INIT_CONTAINER"` | |
|
||||
| opensearch-operator.manager.extraEnv[0].value | string | `"true"` | |
|
||||
| opensearch-operator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
|
||||
| opensearch-operator.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||
| opensearch-operator.tolerations[0].key | string | `"node-role.kubernetes.io/control-plane"` | |
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
apiVersion: v2
|
||||
appVersion: 2.11.1
|
||||
appVersion: 2.12.1
|
||||
description: Elastic Cloud on Kubernetes (ECK) operator
|
||||
home: https://github.com/elastic/cloud-on-k8s
|
||||
icon: https://helm.elastic.co/icons/eck.png
|
||||
|
|
@ -18,4 +18,4 @@ maintainers:
|
|||
name: Elastic
|
||||
name: eck-operator
|
||||
type: application
|
||||
version: 2.11.1
|
||||
version: 2.12.1
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -114,6 +114,19 @@ elastic-webhook-server
|
|||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Determine the metrics port
|
||||
*/}}
|
||||
{{- define "eck-operator.metrics.port" -}}
|
||||
{{- if .Values.config.metrics.port -}}
|
||||
{{- .Values.config.metrics.port -}}
|
||||
{{- else if .Values.config.metricsPort -}}
|
||||
{{- .Values.config.metricsPort -}}
|
||||
{{- else -}}
|
||||
0
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
RBAC permissions
|
||||
NOTE - any changes made to RBAC permissions below require
|
||||
|
|
|
|||
|
|
@ -0,0 +1,22 @@
|
|||
{{- if .Values.config.metrics.secureMode.enabled }}
|
||||
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ include "eck-operator.name" . }}-metrics-service
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
helm.sh/chart: {{ include "eck-operator.chart" . }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
name: "{{ include "eck-operator.fullname" . }}-metrics"
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- name: https
|
||||
port: {{ $metricsPort }}
|
||||
protocol: TCP
|
||||
targetPort: metrics
|
||||
selector:
|
||||
{{- include "eck-operator.selectorLabels" . | nindent 4 }}
|
||||
{{- end }}
|
||||
|
|
@ -1,3 +1,6 @@
|
|||
{{- if and (not .Values.createClusterScopedResources) (.Values.config.metrics.secureMode.enabled) -}}
|
||||
{{ fail "createClusterScopedResources is required to set config.metrics.secureMode.enabled to true" }}
|
||||
{{- end }}
|
||||
{{- if .Values.createClusterScopedResources -}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
|
@ -93,4 +96,26 @@ rules:
|
|||
- apiGroups: ["logstash.k8s.elastic.co"]
|
||||
resources: ["logstashes"]
|
||||
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
||||
{{- if .Values.config.metrics.secureMode.enabled }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "eck-operator.labels" . | nindent 4 }}
|
||||
name: "{{ include "eck-operator.fullname" . }}-proxy-role"
|
||||
rules:
|
||||
- apiGroups:
|
||||
- authentication.k8s.io
|
||||
resources:
|
||||
- tokenreviews
|
||||
verbs:
|
||||
- create
|
||||
- apiGroups:
|
||||
- authorization.k8s.io
|
||||
resources:
|
||||
- subjectaccessreviews
|
||||
verbs:
|
||||
- create
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
|
|
|||
|
|
@ -8,8 +8,16 @@ metadata:
|
|||
{{- include "eck-operator.labels" . | nindent 4 }}
|
||||
data:
|
||||
eck.yaml: |-
|
||||
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
|
||||
log-verbosity: {{ int .Values.config.logVerbosity }}
|
||||
metrics-port: {{ int .Values.config.metricsPort }}
|
||||
{{- if and .Values.config.metrics.secureMode.enabled (eq $metricsPort 0) }}
|
||||
{{- fail "config.metrics.port must be greater than 0 when config.metrics.secureMode.enabled is true" }}
|
||||
{{- end }}
|
||||
{{- if .Values.config.metrics.secureMode.enabled }}
|
||||
metrics-port: {{ add $metricsPort 1 }}
|
||||
{{- else }}
|
||||
metrics-port: {{ $metricsPort }}
|
||||
{{- end }}
|
||||
container-registry: {{ .Values.config.containerRegistry }}
|
||||
{{- with .Values.config.containerSuffix }}
|
||||
container-suffix: {{ . }}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
{{- if .Values.softMultiTenancy.enabled -}}
|
||||
{{- $kubeAPIServerIP := (required "kubeAPIServerIP is required" .Values.kubeAPIServerIP) -}}
|
||||
{{- $metricsPort := int .Values.config.metricsPort -}}
|
||||
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
|
|
|
|||
|
|
@ -1,10 +1,16 @@
|
|||
{{- $metricsPort := int .Values.config.metricsPort -}}
|
||||
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
|
||||
{{- if and .Values.config.metrics.secureMode.enabled (eq $metricsPort 0) }}
|
||||
{{- fail "config.metrics.port must be greater than 0 when config.metrics.secureMode.enabled is true" }}
|
||||
{{- end }}
|
||||
{{- if and .Values.podMonitor.enabled (gt $metricsPort 0) }}
|
||||
{{- if and .Values.podMonitor.enabled .Values.config.metrics.secureMode.enabled }}
|
||||
{{- fail "podMonitor and config.metrics.secureMode are mutually exclusive" }}
|
||||
{{- end }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PodMonitor
|
||||
metadata:
|
||||
name: {{ include "eck-operator.fullname" . }}
|
||||
namespace: {{ ternary .Values.podMonitor.namespace .Release.Namespace (not (empty .Values.podMonitor.namespace)) }}
|
||||
namespace: {{ ternary .Values.podMonitor.namespace .Release.Namespace (not (and (.Values.podMonitor) (empty .Values.podMonitor.namespace))) }}
|
||||
labels: {{- include "eck-operator.labels" . | nindent 4 }}
|
||||
{{- with .Values.podMonitor.labels }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
|
|
@ -33,4 +39,4 @@ spec:
|
|||
- {{ .Release.Namespace }}
|
||||
selector:
|
||||
matchLabels: {{- include "eck-operator.selectorLabels" . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{{- $operatorNSIsManaged := has .Release.Namespace .Values.managedNamespaces -}}
|
||||
{{- $fullName := include "eck-operator.fullname" . -}}
|
||||
{{- $svcAccount := include "eck-operator.serviceAccountName" . }}
|
||||
{{- $enableSecureMetrics := .Values.config.metrics.secureMode.enabled -}}
|
||||
|
||||
{{- if not .Values.createClusterScopedResources }}
|
||||
{{- range .Values.managedNamespaces }}
|
||||
|
|
@ -74,7 +75,24 @@ roleRef:
|
|||
kind: ClusterRole
|
||||
name: {{ $fullName }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $svcAccount }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
{{- if $enableSecureMetrics }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "eck-operator.labels" $ | nindent 4 }}
|
||||
name: "{{ include "eck-operator.fullname" . }}-proxy-rolebinding"
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: "{{ include "eck-operator.fullname" . }}-proxy-role"
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $svcAccount }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,31 @@
|
|||
{{- if .Values.config.metrics.secureMode.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "eck-operator.fullname" . }}
|
||||
namespace: {{ ternary .Values.serviceMonitor.namespace .Release.Namespace (not (and (.Values.serviceMonitor) (empty .Values.serviceMonitor.namespace))) }}
|
||||
labels: {{- include "eck-operator.labels" . | nindent 4 }}
|
||||
spec:
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: {{ include "eck-operator.name" . }}-metrics-service
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
endpoints:
|
||||
- port: https
|
||||
path: /metrics
|
||||
scheme: https
|
||||
interval: 30s
|
||||
tlsConfig:
|
||||
insecureSkipVerify: {{ .Values.config.metrics.secureMode.tls.insecureSkipVerify | default false }}
|
||||
{{- if (not .Values.config.metrics.secureMode.tls.insecureSkipVerify) }}
|
||||
{{- with .Values.config.metrics.secureMode.tls.caSecret }}
|
||||
{{- $leading_path := trimSuffix "/" .Values.config.metrics.secureMode.tls.caMountDirectory }}
|
||||
caFile: "{{ $leading_path }}/{{ . }}/ca.crt"
|
||||
{{- end }}
|
||||
serverName: "{{ include "eck-operator.fullname" . }}-metrics.{{ .Release.Namespace }}.svc"
|
||||
{{- end }}
|
||||
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
{{- end }}
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
{{- $metricsPort := int .Values.config.metricsPort -}}
|
||||
---
|
||||
{{- $metricsPort := int (include "eck-operator.metrics.port" .)}}
|
||||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
|
|
@ -43,7 +43,7 @@ spec:
|
|||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
|
||||
- image: "{{ .Values.image.repository }}{{- if .Values.config.ubiOnly -}}-ubi{{- end -}}:{{ default .Chart.AppVersion .Values.image.tag }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
name: manager
|
||||
args:
|
||||
|
|
@ -79,10 +79,10 @@ spec:
|
|||
resources:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or (gt $metricsPort 0) .Values.webhook.enabled }}
|
||||
{{- if or .Values.webhook.enabled (gt $metricsPort 0) }}
|
||||
ports:
|
||||
{{- if (gt $metricsPort 0) }}
|
||||
- containerPort: {{ .Values.config.metricsPort }}
|
||||
{{- if and (gt $metricsPort 0) (not .Values.config.metrics.secureMode.enabled) }}
|
||||
- containerPort: {{ $metricsPort }}
|
||||
name: metrics
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
|
|
@ -104,6 +104,41 @@ spec:
|
|||
{{- with .Values.volumeMounts }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.config.metrics.secureMode.enabled }}
|
||||
- name: kube-rbac-proxy
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- "ALL"
|
||||
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0
|
||||
args:
|
||||
- "--secure-listen-address=0.0.0.0:{{ $metricsPort }}"
|
||||
- "--upstream=http://127.0.0.1:{{ add $metricsPort 1 }}/"
|
||||
- "--logtostderr=true"
|
||||
- "--v=0"
|
||||
{{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
|
||||
- "--tls-cert-file=/tls/tls.crt"
|
||||
- "--tls-private-key-file=/tls/tls.key"
|
||||
{{- end }}
|
||||
{{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
|
||||
volumeMounts:
|
||||
- mountPath: "/tls"
|
||||
name: tls-certificate
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
ports:
|
||||
- containerPort: {{ $metricsPort }}
|
||||
protocol: TCP
|
||||
name: metrics
|
||||
resources:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 128Mi
|
||||
requests:
|
||||
cpu: 5m
|
||||
memory: 64Mi
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: conf
|
||||
configMap:
|
||||
|
|
@ -114,6 +149,12 @@ spec:
|
|||
defaultMode: 420
|
||||
secretName: {{ include "eck-operator.webhookSecretName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
|
||||
- name: tls-certificate
|
||||
secret:
|
||||
defaultMode: 420
|
||||
secretName: {{ .Values.config.metrics.secureMode.tls.certificateSecret }}
|
||||
{{- end }}
|
||||
{{- with .Values.volumes }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -159,8 +159,67 @@ config:
|
|||
# number greater than 0: Errors, warnings, information, and debug details.
|
||||
logVerbosity: "0"
|
||||
|
||||
# metricsPort defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
|
||||
metricsPort: "0"
|
||||
# (Deprecated: use metrics.port: will be removed in v2.14.0) metricsPort defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
|
||||
metricsPort: 0
|
||||
|
||||
metrics:
|
||||
# port defines the port to expose operator metrics. Set to 0 to disable metrics reporting.
|
||||
port: "0"
|
||||
# secureMode contains the options for enabling and configuring RBAC and TLS/HTTPs for the metrics endpoint.
|
||||
secureMode:
|
||||
# secureMode.enabled specifies whether to enable RBAC and TLS/HTTPs for the metrics endpoint. (Will be enabled by default in v2.14.0)
|
||||
# * This option requires using a ServiceMonitor to scrape the metrics and as such is mutually exclusive with the podMonitor.enabled option.
|
||||
# * This option also requires using cluster scoped resources (ClusterRole, ClusterRoleBinding) to
|
||||
# grant access to the /metrics endpoint. (createClusterScopedResources: true is required)
|
||||
#
|
||||
# This option requires the following settings within Prometheus to function:
|
||||
# 1. RBAC settings for the Prometheus instance to access the metrics endpoint.
|
||||
#
|
||||
# - nonResourceURLs:
|
||||
# - /metrics
|
||||
# verbs:
|
||||
# - get
|
||||
#
|
||||
# 2. If using the Prometheus Operator and your Prometheus instance is not in the same namespace as the operator you will need
|
||||
# the Prometheus Operator configured with the following Helm values:
|
||||
#
|
||||
# prometheus:
|
||||
# prometheusSpec:
|
||||
# serviceMonitorNamespaceSelector: {}
|
||||
# serviceMonitorSelectorNilUsesHelmValues: false
|
||||
enabled: false
|
||||
tls:
|
||||
# certificateSecret is the name of the tls secret containing the custom TLS certificate and key for the secure metrics endpoint.
|
||||
#
|
||||
# * This is an optional setting and is only required if you are using a custom TLS certificate. A self-signed certificate will be generated by default.
|
||||
# * TLS secret key must be named tls.crt.
|
||||
# * TLS key's secret key must be named tls.key.
|
||||
# * It is assumed to be in the same namespace as the ServiceMonitor.
|
||||
#
|
||||
# example: kubectl create secret tls eck-metrics-tls-certificate -n elastic-system \
|
||||
# --cert=/path/to/tls.crt --key=/path/to/tls.key
|
||||
certificateSecret: ""
|
||||
# caSecret is the name of the secret containing the custom CA certificate used to generate the custom TLS certificate for the secure metrics endpoint.
|
||||
#
|
||||
# * This *must* be the name of the secret containing the CA certificate used to sign the custom TLS certificate.
|
||||
# * This secret *must* be in the same namespace as the Prometheus instance that will scrape the metrics.
|
||||
# * If using the Prometheus operator this secret must be within the `spec.secrets` field of the `Prometheus` custom resource such that it is mounted into the Prometheus pod at `caMountDirectory`, which defaults to /etc/prometheus/secrets/{secret-name}.
|
||||
# * This is an optional setting and is only required if you are using a custom TLS certificate.
|
||||
# * Key must be named ca.crt.
|
||||
#
|
||||
# example: kubectl create secret generic eck-metrics-tls-ca -n monitoring \
|
||||
# --from-file=ca.crt=/path/to/ca.pem
|
||||
caSecret: ""
|
||||
# caMountDirectory is the directory at which the CA certificate is mounted within the Prometheus pod.
|
||||
#
|
||||
# * You should only need to adjust this if you are *not* using the Prometheus operator.
|
||||
caMountDirectory: "/etc/prometheus/secrets/"
|
||||
# insecureSkipVerify specifies whether to skip verification of the TLS certificate for the secure metrics endpoint.
|
||||
#
|
||||
# * If this setting is set to false, then the following settings are required:
|
||||
# - certificateSecret
|
||||
# - caSecret
|
||||
insecureSkipVerify: true
|
||||
|
||||
# containerRegistry to use for pulling Elasticsearch and other application container images.
|
||||
containerRegistry: docker.elastic.co
|
||||
|
|
@ -223,7 +282,7 @@ config:
|
|||
# Interval between observations of Elasticsearch health, non-positive values disable asynchronous observation.
|
||||
elasticsearchObservationInterval: 10s
|
||||
|
||||
# ubiOnly specifies whether the operator will use only UBI container images to deploy Elastic Stack applications. UBI images are only available from 7.10.0 onward.
|
||||
# ubiOnly specifies whether the operator will use only UBI container images to deploy Elastic Stack applications as well as for its own StatefulSet image. UBI images are only available from 7.10.0 onward.
|
||||
# Cannot be combined with the containerSuffix value.
|
||||
ubiOnly: false
|
||||
|
||||
|
|
@ -232,7 +291,7 @@ config:
|
|||
podMonitor:
|
||||
|
||||
# enabled determines whether a podMonitor should deployed to scrape the eck metrics.
|
||||
# This requires the prometheus operator and the config.metricsPort not to be 0
|
||||
# This requires the prometheus operator and the config.metrics.port not to be 0
|
||||
enabled: false
|
||||
|
||||
# labels adds additional labels to the podMonitor
|
||||
|
|
@ -258,6 +317,15 @@ podMonitor:
|
|||
podMetricsEndpointConfig: {}
|
||||
# honorTimestamps: true
|
||||
|
||||
# Prometheus ServiceMonitor configuration
|
||||
# Only used when config.enableSecureMetrics is true
|
||||
# Reference: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#servicemonitor
|
||||
serviceMonitor: {}
|
||||
|
||||
# namespace determines in which namespace the serviceMonitor will be deployed.
|
||||
# If not set the serviceMonitor will be created in the namespace where the Helm release is installed into
|
||||
# namespace: monitoring
|
||||
|
||||
# Globals meant for internal use only
|
||||
global:
|
||||
# manifestGen specifies whether the chart is running under manifest generator.
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
|||
name: kubezero-telemetry
|
||||
description: KubeZero Umbrella Chart for OpenTelemetry, Jaeger etc.
|
||||
type: application
|
||||
version: 0.1.2
|
||||
version: 0.2.0
|
||||
home: https://kubezero.com
|
||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||
keywords:
|
||||
|
|
@ -18,11 +18,11 @@ dependencies:
|
|||
version: ">= 0.1.6"
|
||||
repository: https://cdn.zero-downtime.net/charts/
|
||||
- name: opentelemetry-collector
|
||||
version: 0.80.1
|
||||
version: 0.86.0
|
||||
repository: https://open-telemetry.github.io/opentelemetry-helm-charts
|
||||
condition: opentelemetry-collector.enabled
|
||||
- name: jaeger
|
||||
version: 1.0.0
|
||||
version: 2.0.1
|
||||
repository: https://jaegertracing.github.io/helm-charts
|
||||
condition: jaeger.enabled
|
||||
kubeVersion: ">= 1.26.0"
|
||||
|
|
|
|||
|
|
@ -49,11 +49,11 @@ jaeger:
|
|||
url: jaeger.example.com
|
||||
|
||||
opensearch:
|
||||
version: 2.11.1
|
||||
version: 2.12.0
|
||||
prometheus: false
|
||||
|
||||
nodeSets: []
|
||||
#- name: default-nodes
|
||||
#- name: default-nodes
|
||||
# replicas: 2
|
||||
# storage:
|
||||
# size: 16Gi
|
||||
|
|
|
|||
|
|
@ -58,13 +58,13 @@ storage:
|
|||
istio:
|
||||
enabled: false
|
||||
namespace: istio-system
|
||||
targetRevision: 0.19.4
|
||||
targetRevision: 0.21.0
|
||||
|
||||
istio-ingress:
|
||||
enabled: false
|
||||
chart: kubezero-istio-gateway
|
||||
namespace: istio-ingress
|
||||
targetRevision: 0.19.4
|
||||
targetRevision: 0.21.0
|
||||
gateway:
|
||||
service: {}
|
||||
|
||||
|
|
@ -72,7 +72,7 @@ istio-private-ingress:
|
|||
enabled: false
|
||||
chart: kubezero-istio-gateway
|
||||
namespace: istio-ingress
|
||||
targetRevision: 0.19.4
|
||||
targetRevision: 0.21.0
|
||||
gateway:
|
||||
service: {}
|
||||
|
||||
|
|
@ -80,17 +80,17 @@ falco:
|
|||
enabled: false
|
||||
k8saudit:
|
||||
enabled: false
|
||||
targetRevision: 0.1.0
|
||||
targetRevision: 0.1.2
|
||||
|
||||
telemetry:
|
||||
enabled: false
|
||||
namespace: telemetry
|
||||
targetRevision: 0.1.0
|
||||
targetRevision: 0.2.0
|
||||
|
||||
operators:
|
||||
enabled: false
|
||||
namespace: operators
|
||||
targetRevision: 0.1.0
|
||||
targetRevision: 0.1.2
|
||||
|
||||
metrics:
|
||||
enabled: false
|
||||
|
|
|
|||
Loading…
Reference in New Issue