diff --git a/.ci/podman.mk b/.ci/podman.mk
index f1794c8..29e69d6 100644
--- a/.ci/podman.mk
+++ b/.ci/podman.mk
@@ -1,12 +1,14 @@
 # Parse version from latest git semver tag
-GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
-TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
+BRANCH := $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
+GIT_TAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
+TAG ?= $(shell echo $(GIT_TAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
 ARCH := amd64
+ALL_ARCHS := amd64 arm64
 
 # EXTRA_TAGS supposed to be set at the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }')
 
 ifneq ($(TRIVY_REMOTE),)
- TRIVY_OPTS := --server $(TRIVY_REMOTE)
+ TRIVY_OPTS := --server $(TRIVY_REMOTE)
 endif
 
 .SILENT: ; # no need for @
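Review bot: `GIT_TAG=$(shell git describe …)` keeps the recursive `=` flavour, so the `git describe || git rev-parse` pipeline is run again on every expansion of `GIT_TAG` (and therefore of `TAG`), while the new `BRANCH` line in the same hunk correctly uses `:=`; change it to `GIT_TAG := $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)`. `BRANCH` is not referenced anywhere in this diff; if a later part of the file or a caller consumes it, a one-line comment saying so would stop the next reader from deleting it. The `TRIVY_OPTS` removed/added pair differs only in leading whitespace, so the intended indent should be confirmed.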
@@ -20,46 +22,48 @@ help: ## Show Help
 	grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
 build: ## Build the app
-	docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(ARCH) --platform linux/$(ARCH) .
+	buildah build --rm --layers -t $(IMAGE):$(TAG)-$(ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(ARCH) --platform linux/$(ARCH) .
 
 test: rm-test-image ## Execute Dockerfile.test
 	test -f Dockerfile.test && \
-	  { docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test --platform linux/$(ARCH) . && \
-	  docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH)-test; } || \
+	  { buildah build --rm --layers -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test --platform linux/$(ARCH) . && \
+	  podman run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH)-test; } || \
 	  echo "No Dockerfile.test found, skipping test"
 
 scan: ## Scan image using trivy
-	echo "Scanning $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH) using Trivy $(TRIVY_REMOTE)"
-	trivy image $(TRIVY_OPTS) $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH)
+	echo "Scanning $(IMAGE):$(TAG)-$(ARCH) using Trivy $(TRIVY_REMOTE)"
+	trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(ARCH)
 
-# We create new manifest and add TAG-ARCH image
-# if manigest exists already, get it and add TAG-ARCH to eg. add arm64 to existing amd64
-push: ## push images to registry
-	for t in $(TAG) latest $(EXTRA_TAGS); \
-	  do echo "creating and pushing: $$t"; \
-	  docker tag $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(ARCH) && \
-	  docker push $(REGISTRY)/$(IMAGE):$${t}-$(ARCH); \
-	  podman manifest exists $(IMAGE):$$t || podman manifest create $(IMAGE):$$t; \
-	  buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$(ARCH) && docker manifest push $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$$t; \
+# first tag and push all actual images
+# create new manifest for each tag and add all available TAG-ARCH before pushing
+push: ecr-login ## push images to registry
+	for t in $(TAG) latest $(EXTRA_TAGS); do \
+	  buildah tag $(IMAGE):$(TAG)-$(ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(ARCH); \
+	  buildah manifest rm $(IMAGE):$$t || true; \
+	  buildah manifest create $(IMAGE):$$t; \
+	  for a in $(ALL_ARCHS); do \
+	    buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$$a; \
+	  done; \
+	  buildah manifest push --all $(IMAGE):$$t docker://$(REGISTRY)/$(IMAGE):$$t; \
 	done
 
 ecr-login: ## log into AWS ECR public
-	aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
+	aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
 
 clean: rm-test-image rm-image ## delete local built container and test images
 
 rm-remote-untagged: ## delete all remote untagged images
 	echo "Removing all untagged images from $(IMAGE) in $(REGION)"
 	IMAGE_IDS=$$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done) ; \
-	[ -n "$$IMAGE_IDS" ] && aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$IMAGE_IDS || echo "No image to remove"
+	[ -n "$$IMAGE_IDS" ] && aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$IMAGE_IDS || echo "No image to remove"
 
 rm-image:
-	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH))" || docker image rm -f $(IMAGE):$(TAG)-$(ARCH) > /dev/null
+	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(ARCH) > /dev/null
 	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH))" || echo "Error: Removing image failed"
 
 # Ensure we run the tests by removing any previous runs
 rm-test-image:
-	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH)-test)" || docker image rm -f $(IMAGE):$(TAG)-$(ARCH)-test > /dev/null
+	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH)-test)" || podman image rm -f $(IMAGE):$(TAG)-$(ARCH)-test > /dev/null
 	test -z "$$(docker image ls -q $(IMAGE):$(TAG)-$(ARCH)-test)" || echo "Error: Removing test image failed"
 
 ci-pull-upstream: ## pull latest shared .ci subtree
diff --git a/Dockerfile b/Dockerfile
index fb3abbb..aaa37c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,12 +3,13 @@ ARG ALPINE_VERSION=3.16
 FROM alpine:${ALPINE_VERSION}
 
 ARG ALPINE_VERSION
-ARG KUBE_VERSION=1.23
+ARG KUBE_VERSION=1.24
 
 RUN cd /etc/apk/keys && \
     wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
     echo "@kubezero https://cdn.zero-downtime.net/alpine/v${ALPINE_VERSION}/kubezero" >> /etc/apk/repositories && \
-    echo "@testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+    echo "@edge-testing http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+    echo "@edge-community http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \
     apk upgrade -U -a --no-cache && \
     apk --no-cache add \
     jq \
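Review bot: `rm-image` and `rm-test-image` still probe with `docker image ls -q` while removing with `podman image rm`, so on a podman-only host the command substitution is empty, `test -z` succeeds, the image is never removed, and the follow-up "Error: Removing image failed" check passes as well; use the same tool in both halves, e.g. `test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(ARCH) > /dev/null` and likewise for the three sibling lines. In `test`, `--from=$(REGISTRY)/$(IMAGE):$(TAG)` names a tag that `build` no longer produces (it now tags `$(IMAGE):$(TAG)-$(ARCH)` locally), and the built test image `$(TAG)-test` is not the `$(TAG)-$(ARCH)-test` that `podman run` starts, so `make test` looks unable to pass without images created elsewhere. In `push`, the loop body is joined with `;`, so a failing `buildah manifest add` (for instance when the `$(TAG)-arm64` image is not yet in the registry) is skipped silently and the target's status is only that of the last `manifest push`; chain the steps with `&&` or set `SHELL := bash` with `.SHELLFLAGS := -ec`. The `help` recipe starts before the hunk and `ci-pull-upstream` continues after it.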
@@ -21,9 +22,9 @@ RUN cd /etc/apk/keys && \ kubeadm@kubezero~=${KUBE_VERSION} \ kubectl@kubezero~=${KUBE_VERSION} \ etcdhelper@kubezero \ - etcd-ctl@testing \ - restic@testing \ - helm@testing + etcd-ctl@edge-testing \ + restic@edge-community \ + helm@edge-community RUN helm repo add kubezero https://cdn.zero-downtime.net/charts && \ mkdir -p /var/lib/kubezero diff --git a/README.md b/README.md index aaaa2e9..46a7947 100644 --- a/README.md +++ b/README.md @@ -5,11 +5,11 @@ KubeZero is a Kubernetes distribution providing an integrated container platform # Design philosophy - Cloud provider agnostic, bare-metal/self-hosted -- Focus on security and simplicity before feature bloat -- No vendor lock in, most components are optional and could be exchanged +- Focus on security and simplicity over feature creep +- No vendor lock in, most components are optional and could be easily exchanged - Organic Open Source / open and permissive licenses over closed-source solutions - No premium services / subscriptions required -- Staying and contributing back to upstream projects as much as possible +- Staying up to date and contributing back to upstream projects, like alpine-cloud-images and others - Corgi approved :dog: @@ -19,7 +19,7 @@ KubeZero is a Kubernetes distribution providing an integrated container platform # Version / Support Matrix KubeZero releases track the same *minor* version of Kubernetes. -Any 1.21.X-Y release of Kubezero supports any Kubernetes cluster 1.21.X. +Any 1.24.X-Y release of Kubezero supports any Kubernetes cluster 1.24.X. KubeZero is distributed as a collection of versioned Helm charts, allowing custom upgrade schedules and module versions as needed. 
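Review bot: `etcd-ctl@edge-testing`, `restic@edge-community` and `helm@edge-community` are installed with no version constraint, so two builds of the same Dockerfile can resolve different binaries from a rolling repository while `kubeadm`/`kubectl` on the lines above are pinned with `~=${KUBE_VERSION}`; pin them as well (`restic@edge-community=<version>`, version to be filled in) or, where the 3.16 community repository already carries the package, drop the edge tag. Combined with `apk upgrade -U -a` in the same `RUN`, a rebuild silently picks up whatever the edge index offers that day, so image reproducibility rests on those pins. The `RUN` that installs these packages begins in the previous hunk, where the `@edge-testing`/`@edge-community` repositories are declared.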
@@ -28,15 +28,15 @@ KubeZero is distributed as a collection of versioned Helm charts, allowing custo gantt title KubeZero Support Timeline dateFormat YYYY-MM-DD - section 1.22 - beta :122b, 2022-05-01, 2022-06-01 - release :after 122b, 2022-10-28 section 1.23 beta :123b, 2022-08-01, 2022-09-01 - release :after 123b, 2023-02-28 + release :after 123b, 2023-02-01 section 1.24 - beta :124b, 2022-12-01, 2022-12-31 - release :after 124b, 2023-05-01 + beta :124b, 2022-11-14, 2022-12-31 + release :after 124b, 2023-06-01 + section 1.25 + beta :125b, 2023-03-01, 2023-03-31 + release :after 125b, 2023-08-01 ``` [Upstream release policy](https://kubernetes.io/releases/) @@ -44,7 +44,7 @@ gantt # Components ## OS -- all nodes are based on Alpine V3.15 +- all nodes are based on Alpine V3.16 - 2 GB encrypted root filesystem - no 3rd party dependencies at boot ( other than container registries ) - minimal attack surface diff --git a/admin/kubezero.sh b/admin/kubezero.sh index 9e40051..0892388 100755 --- a/admin/kubezero.sh +++ b/admin/kubezero.sh @@ -56,7 +56,7 @@ render_kubeadm() { cat ${WORKDIR}/kubeadm/templates/${f}Configuration.yaml >> ${HOSTFS}/etc/kubernetes/kubeadm.yaml done - # hack to "uncloack" the json patches after they go processed by helm + # "uncloak" the json patches after they got processed by helm for s in apiserver controller-manager scheduler; do yq eval '.json' ${WORKDIR}/kubeadm/templates/patches/kube-${s}1\+json.yaml > /tmp/_tmp.yaml && \ mv /tmp/_tmp.yaml ${WORKDIR}/kubeadm/templates/patches/kube-${s}1\+json.yaml 
@@ -65,11 +65,6 @@ render_kubeadm() { parse_kubezero() { - # remove with 1.24 - if [ ! -f ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml ]; then - [ -f ${HOSTFS}/etc/kubernetes/kubezero.yaml ] && cp ${HOSTFS}/etc/kubernetes/kubezero.yaml ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml - fi - export CLUSTERNAME=$(yq eval '.global.clusterName // .clusterName' ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml) export HIGHAVAILABLE=$(yq eval '.global.highAvailable // .highAvailable // "false"' ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml) export ETCD_NODENAME=$(yq eval '.etcd.nodeName' ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml) @@ -328,6 +323,21 @@ apply_module() { } +delete_module() { + MODULES=$1 + + get_kubezero_values + + # Always use embedded kubezero chart + helm template $CHARTS/kubezero -f $WORKDIR/kubezero-values.yaml --version ~$KUBE_VERSION --devel --output-dir $WORKDIR + + for t in $MODULES; do + _helm delete $t + done + + echo "Deleted KubeZero modules: $MODULES. Potential CRDs must be removed manually." +} + # backup etcd + /etc/kubernetes/pki backup() { # Display all ENVs, careful this exposes the password ! @@ -382,7 +392,8 @@ for t in $@; do bootstrap) control_plane_node bootstrap;; join) control_plane_node join;; restore) control_plane_node restore;; - apply_*) apply_module ${t##apply_};; + apply_*) apply_module "${t##apply_}";; + delete_*) delete_module "${t##delete_}";; backup) backup;; debug_shell) debug_shell;; *) echo "Unknown command: '$t'";; diff --git a/admin/libhelm.sh b/admin/libhelm.sh index cc2291d..94a29f8 100644 --- a/admin/libhelm.sh +++ b/admin/libhelm.sh @@ -108,6 +108,7 @@ function _crds() { # Only apply if there are actually any crds if [ -s $WORKDIR/crds.yaml ]; then + [ -n "$DEBUG" ] && cat $WORKDIR/crds.yaml kubectl apply -f $WORKDIR/crds.yaml --server-side --force-conflicts fi } 
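Review bot: `delete_module` runs `_helm delete $t` for every word in `$1` with no check that the name is a module the rendered chart knows, so a mistyped `delete_netwrok` still reaches `_helm delete netwrok` (what `_helm` does with an unknown module is outside this diff); `MODULES=$1` is also a global rather than `local MODULES=$1`, and `$CHARTS`, `$WORKDIR` and `$KUBE_VERSION` are unquoted on the `helm template` line. If the script does not run under `set -e`, a failed `helm template` leaves stale output in `$WORKDIR` that the loop then deletes against, so `helm template "$CHARTS"/kubezero -f "$WORKDIR"/kubezero-values.yaml --version ~"$KUBE_VERSION" --devel --output-dir "$WORKDIR" || return 1` would be safer. The `case` dispatch in the last hunk belongs to a `for t in $@` loop that starts outside the hunk.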
@@ -115,7 +116,7 @@ function _crds() { # helm template | kubectl apply -f - # confine to one namespace if possible -function apply() { +function render() { helm template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --skip-crds -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ \ | python3 -c ' #!/usr/bin/python3 @@ -128,8 +129,6 @@ for manifest in yaml.safe_load_all(sys.stdin): manifest["metadata"]["namespace"] = sys.argv[1] print("---") print(yaml.dump(manifest))' $namespace > $WORKDIR/helm.yaml - - kubectl $action -f $WORKDIR/helm.yaml --server-side --force-conflicts && rc=$? || rc=$? } @@ -164,13 +163,15 @@ function _helm() { # Optional pre hook declare -F ${module}-pre && ${module}-pre - apply + render + kubectl $action -f $WORKDIR/helm.yaml --server-side --force-conflicts && rc=$? || rc=$? # Optional post hook declare -F ${module}-post && ${module}-post elif [ $action == "delete" ]; then - apply + render + kubectl $action -f $WORKDIR/helm.yaml && rc=$? || rc=$? # Delete dedicated namespace if not kube-system [ -n "$DELETE_NS" ] && delete_ns $namespace diff --git a/admin/migrate_argo_values.py b/admin/migrate_argo_values.py index 35ed68d..b049b0b 100755 --- a/admin/migrate_argo_values.py +++ b/admin/migrate_argo_values.py 
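Review bot: In both the apply and delete branches `kubectl $action -f $WORKDIR/helm.yaml …` now runs whether or not `render` succeeded; `render` writes its result through `helm template … | python3 … > $WORKDIR/helm.yaml`, so a failing `helm template` still truncates the file and, without `pipefail`, the pipeline's status is that of the python stage, meaning kubectl is then pointed at an empty or partial manifest (apply should refuse an empty file, delete would simply remove nothing). Put `render || return 1` (or fold its status into `rc`) ahead of the kubectl line in both branches, or add `set -o pipefail` inside `render`. The two `&& rc=$? || rc=$?` lines are now duplicated and could share one helper; `_helm` starts and ends outside the hunk.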
@@ -8,32 +8,34 @@ import yaml def migrate(values): """Actual changes here""" - # migrate ClusterName to clusterName - if "ClusterName" in values: - values["clusterName"] = values["ClusterName"] - values.pop("ClusterName") + # ClusterBackup is enabled on AWS anyways, same with cluster-autoscaler + if "aws" in values["global"]: + deleteKey(values["addons"], "clusterBackup") + deleteKey(values["addons"], "cluster-autoscaler") - # Remove HighAvailableControlplane + # Remove calico and multus + deleteKey(values["network"], "calico") + deleteKey(values["network"], "multus") + + # ArgoCD helm changes + if "argocd" in values: + if "server" in values["argocd"]: + if not "configs" in values["argocd"]: + values["argocd"]["configs"] = {} + if not "cm" in values["argocd"]["configs"]: + values["argocd"]["configs"]["cm"] = {} + values["argocd"]["configs"]["cm"]["url"] = values["argocd"]["server"]["config"][ + "url" + ] + deleteKey(values["argocd"], "server") + + return values + + +def deleteKey(values, key): + """Delete key from dictionary if exists""" try: - values["global"]["highAvailable"] = values["HighAvailableControlplane"] - values.pop("HighAvailableControlplane") - except KeyError: - pass - - # Create new clusterwide cloudprovider data if possible - # IamArn: arn:aws:iam:::role/..cert-manager - try: - if values["cert-manager"]["IamArn"]: - account_id = values["cert-manager"]["IamArn"].split(":")[4] - region = values["cert-manager"]["IamArn"].split(":")[5].split('.')[0].split('/')[1] - if "global" not in values: - values["global"] = {} - if "aws" not in values["global"]: - values["global"]["aws"] = {} - - values["global"]["aws"]["region"] = region - values["global"]["aws"]["accountId"] = account_id - + values.pop(key) except KeyError: pass 
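Review bot: `values["global"]`, `values["addons"]` and `values["network"]` are indexed directly, so a values file lacking any of those sections raises `KeyError` before `deleteKey`'s own guard is reached, and `values["argocd"]["server"]["config"]["url"]` raises the same when the old server block carries no `config.url`; a migration should tolerate absent sections rather than abort half-way. `deleteKey` can simply be `values.pop(key, None)` instead of the try/except. The rewrite below uses `dict.get`/`setdefault`, keeps the output identical for complete inputs and only turns the crashing cases into no-ops.
```python
def migrate(values):
    """Actual changes here"""

    # ClusterBackup is enabled on AWS anyways, same with cluster-autoscaler
    if "aws" in values.get("global", {}):
        deleteKey(values.get("addons", {}), "clusterBackup")
        deleteKey(values.get("addons", {}), "cluster-autoscaler")

    # Remove calico and multus
    deleteKey(values.get("network", {}), "calico")
    deleteKey(values.get("network", {}), "multus")

    # ArgoCD helm changes: server.config.url moved to configs.cm.url
    if "server" in values.get("argocd", {}):
        url = values["argocd"]["server"].get("config", {}).get("url")
        if url is not None:
            values["argocd"].setdefault("configs", {}).setdefault("cm", {})["url"] = url
        deleteKey(values["argocd"], "server")

    return values


def deleteKey(values, key):
    """Delete key from dictionary if exists"""
    values.pop(key, None)
```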
@@ -44,9 +46,11 @@ class MyDumper(yaml.Dumper): """ Required to add additional indent for arrays to match yq behaviour to reduce noise in diffs """ + def increase_indent(self, flow=False, indentless=False): return super(MyDumper, self).increase_indent(flow, False) + def str_presenter(dumper, data): if len(data.splitlines()) > 1: # check for multiline string return dumper.represent_scalar("tag:yaml.org,2002:str", data, style="|") @@ -93,5 +97,5 @@ yaml.dump( default_flow_style=False, indent=2, sort_keys=False, - Dumper=MyDumper + Dumper=MyDumper, ) diff --git a/admin/upgrade_cluster.sh b/admin/upgrade_cluster.sh index ecec0c2..3cf7097 100755 --- a/admin/upgrade_cluster.sh +++ b/admin/upgrade_cluster.sh @@ -1,11 +1,12 @@ #!/bin/bash -e -VERSION="v1.23" #VERSION="latest" +VERSION="v1.24" ARGO_APP=${1:-/tmp/new-kubezero-argoapp.yaml} SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) -. $SCRIPT_DIR/libhelm.sh +# shellcheck disable=SC1091 +. "$SCRIPT_DIR"/libhelm.sh [ -n "$DEBUG" ] && set -x @@ -38,6 +39,9 @@ spec: - key: node-role.kubernetes.io/master operator: Exists effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule initContainers: - name: node-upgrade image: busybox 
@@ -75,7 +79,7 @@ EOF control_plane_upgrade() { TASKS="$1" - echo "Deploy cluster admin task: $TASK" + echo "Deploy cluster admin task: $TASKS" cat < fail +kubectl delete configmap cilium-config -n kube-system || true control_plane_upgrade "apply_network, apply_addons, apply_storage" -kubectl rollout restart daemonset/calico-node -n kube-system -kubectl rollout restart daemonset/cilium -n kube-system kubectl rollout restart daemonset/kube-multus-ds -n kube-system +kubectl rollout restart daemonset/cilium -n kube-system echo "Checking that all pods in kube-system are running ..." waitSystemPodsRunning echo "Applying remaining KubeZero modules..." -# Delete outdated cert-manager CRDs, otherwise serverside apply will fail -for c in certificaterequests.cert-manager.io certificates.cert-manager.io challenges.acme.cert-manager.io clusterissuers.cert-manager.io issuers.cert-manager.io orders.acme.cert-manager.io; do - kubectl delete crd $c -done +# delete argocd deployments as various immutable things changed, also redis restart fails otherwise +kubectl delete deployment argocd-redis -n argocd || true +kubectl delete deployment argocd-repo-server -n argocd || true +kubectl delete statefulset argocd-application-controller -n argocd || true + +# Delete prometheus-push gateway due to label changes +kubectl delete deploy -l app=prometheus-pushgateway -n monitoring || true control_plane_upgrade "apply_cert-manager, apply_istio, apply_istio-ingress, apply_istio-private-ingress, apply_logging, apply_metrics, apply_argocd" -# delete legace ArgCD controller which is now a statefulSet -kubectl delete deployment argocd-application-controller -n argocd || true - # Final step is to commit the new argocd kubezero app kubectl get app kubezero -n argocd -o yaml | yq 'del(.status) | del(.metadata) | del(.operation) | .metadata.name="kubezero" | .metadata.namespace="argocd"' | yq 'sort_keys(..) | .spec.source.helm.values |= (from_yaml | to_yaml)' > $ARGO_APP 
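Review bot: The new `kubectl delete … || true` lines (cilium-config, the three argocd workloads, the prometheus-pushgateway deploy) swallow every failure, including RBAC denials and an unreachable API server, not only a missing object, so the upgrade can continue past a step that did not actually happen; `kubectl delete deployment argocd-redis -n argocd --ignore-not-found` keeps the absent-object case quiet while letting real errors stop the script, which runs with `-e` per the shebang in the first hunk. Deleting `cilium-config` before `control_plane_upgrade "apply_network, …"` re-creates it leaves the CNI without its ConfigMap for that window; if that is intended, a comment stating that the apply restores it would help the next reader. The heredoc around `cat <` appears garbled in this rendering, so that part of the hunk could not be reviewed.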
@@ -186,6 +189,6 @@ echo "Please commit $ARGO_APP as the updated kubezero/application.yaml for your echo "Then head over to ArgoCD for this cluster and sync all KubeZero modules to apply remaining upgrades." echo " to continue and re-enable ArgoCD:" -read +read -r argo_used && enable_argo diff --git a/admin/v1.23/pre-upgrade.sh b/admin/v1.23/pre-upgrade.sh deleted file mode 100644 index d21b815..0000000 --- a/admin/v1.23/pre-upgrade.sh +++ /dev/null 
@@ -1,52 +0,0 @@ -#!/bin/bash - -# Migrate addons and network values from local kubeadm-values.yaml on controllers into CM -# - enable cilium - -# Create emtpy CM if not exists yet -kubectl get cm -n kube-system kubezero-values || \ -kubectl create configmap -n kube-system kubezero-values - -kubectl get cm -n kube-system kubeadm-values || \ -kubectl create configmap -n kube-system kubeadm-values - -# tweak local kubeadm for upgrade later on -yq eval -i '.global.clusterName = strenv(CLUSTERNAME) | - .global.highAvailable = env(HIGHAVAILABLE)' \ - ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml - -# extract network -yq e '.network | - .cilium.enabled = true | - .calico.enabled = true | - .multus.enabled = true | - .multus.defaultNetworks = ["cilium"] | - .cilium.cluster.name = strenv(CLUSTERNAME) | - {"network": .}' ${HOSTFS}/etc/kubernetes/kubeadm-values.yaml > $WORKDIR/network-values.yaml - -# get current argo cd values -kubectl get application kubezero -n argocd -o yaml | yq '.spec.source.helm.values' > ${WORKDIR}/argo-values.yaml - -# merge all into new CM and set new minimal addons -yq ea '. as $item ireduce ({}; . 
* $item ) | - .global.clusterName = strenv(CLUSTERNAME) | - .global.highAvailable = env(HIGHAVAILABLE) | - .addons.clusterBackup.image.tag = "v1.23" ' ${WORKDIR}/network-values.yaml $WORKDIR/argo-values.yaml > $WORKDIR/kubezero-pre-values.yaml - -# tumble new config through migrate.py -cat $WORKDIR/kubezero-pre-values.yaml | migrate_argo_values.py > $WORKDIR/kubezero-values.yaml - -# Update kubezero-values CM -kubectl get cm -n kube-system kubezero-values -o=yaml | \ - yq e '.data."values.yaml" |= load_str("/tmp/kubezero/kubezero-values.yaml")' | \ - kubectl replace -f - - - -# update argo app -kubectl get application kubezero -n argocd -o yaml | \ - kubezero_chart_version=$(yq .version /charts/kubezero/Chart.yaml) \ - yq '.spec.source.helm.values |= load_str("/tmp/kubezero/kubezero-values.yaml") | .spec.source.targetRevision = strenv(kubezero_chart_version)' | \ - kubectl apply -f - - -# finally remove annotation to allow argo to sync again -kubectl patch app kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' diff --git a/admin/v1.24/pre-upgrade.sh b/admin/v1.24/pre-upgrade.sh new file mode 100644 index 0000000..86e3519 --- /dev/null +++ b/admin/v1.24/pre-upgrade.sh 
@@ -0,0 +1,21 @@ +#!/bin/bash + +# get current values, argo app over cm +get_kubezero_values + +# tumble new config through migrate.py +migrate_argo_values.py < "$WORKDIR"/kubezero-values.yaml > "$WORKDIR"/new-kubezero-values.yaml + +# Update kubezero-values CM +kubectl get cm -n kube-system kubezero-values -o=yaml | \ + yq e '.data."values.yaml" |= load_str("/tmp/kubezero/new-kubezero-values.yaml")' | \ + kubectl replace -f - + +# update argo app +kubectl get application kubezero -n argocd -o yaml | \ + kubezero_chart_version=$(yq .version /charts/kubezero/Chart.yaml) \ + yq '.spec.source.helm.values |= load_str("/tmp/kubezero/new-kubezero-values.yaml") | .spec.source.targetRevision = strenv(kubezero_chart_version)' | \ + kubectl apply -f - + +# finally remove annotation to allow argo to sync again +kubectl patch app kubezero -n argocd --type json -p='[{"op": "remove", "path": "/metadata/annotations"}]' diff --git a/charts/kubeadm/Chart.yaml b/charts/kubeadm/Chart.yaml index 031c568..895873c 100644 --- a/charts/kubeadm/Chart.yaml +++ b/charts/kubeadm/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubeadm description: KubeZero Kubeadm cluster config type: application -version: 1.23.11 +version: 1.24.9 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -11,4 +11,4 @@ keywords: maintainers: - name: Stefan Reimer email: stefan@zero-downtime.net -kubeVersion: ">= 1.20.0" +kubeVersion: ">= 1.24.0" diff --git a/charts/kubeadm/README.md b/charts/kubeadm/README.md index 6b7c5aa..1b59427 100644 --- a/charts/kubeadm/README.md +++ b/charts/kubeadm/README.md 
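Review bot: The script sets no `set -e`/`pipefail`, so if `migrate_argo_values.py` fails the redirect still creates an empty `"$WORKDIR"/new-kubezero-values.yaml`, and the following `kubectl replace` and `kubectl apply` push that empty document into the `kubezero-values` ConfigMap and the argo application; add `set -eo pipefail` after the shebang. The two `load_str("/tmp/kubezero/new-kubezero-values.yaml")` calls hard-code the path while the file is written under `"$WORKDIR"`, so the yq side reads a different (possibly stale) file whenever `WORKDIR` is not `/tmp/kubezero`; `load_str(strenv(WORKDIR) + "/new-kubezero-values.yaml")` keeps them in step, provided `WORKDIR` is exported. The final patch removes `/metadata/annotations` wholesale rather than the single annotation that blocks argo; if other annotations can be present on the app, remove only that key. `get_kubezero_values` and `WORKDIR` are expected from the caller and are not sourced here, which is worth a comment at the top.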
@@ -1,6 +1,6 @@ # kubeadm -![Version: 1.23.10](https://img.shields.io/badge/Version-1.23.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 1.24.9](https://img.shields.io/badge/Version-1.24.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Kubeadm cluster config @@ -14,7 +14,7 @@ KubeZero Kubeadm cluster config ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` ## Values @@ -44,7 +44,7 @@ Kubernetes: `>= 1.20.0` ## Resources - https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/ -- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2 +- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3 - https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3 - https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go - https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/ diff --git a/charts/kubeadm/README.md.gotmpl b/charts/kubeadm/README.md.gotmpl index 59239ae..43d20a8 100644 --- a/charts/kubeadm/README.md.gotmpl +++ b/charts/kubeadm/README.md.gotmpl @@ -18,7 +18,7 @@ ## Resources - https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/ -- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2 +- https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3 - https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta3 - https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/kubelet/config/v1beta1/types.go - https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/ 
diff --git a/charts/kubeadm/templates/ClusterConfiguration.yaml b/charts/kubeadm/templates/ClusterConfiguration.yaml index d42aafa..0ee4401 100644 --- a/charts/kubeadm/templates/ClusterConfiguration.yaml +++ b/charts/kubeadm/templates/ClusterConfiguration.yaml @@ -2,8 +2,8 @@ apiVersion: kubeadm.k8s.io/v1beta3 kind: ClusterConfiguration kubernetesVersion: {{ .Chart.Version }} clusterName: {{ .Values.global.clusterName }} -featureGates: - UnversionedKubeletConfigMap: true +#featureGates: +# NonGracefulFailover: true controlPlaneEndpoint: {{ .Values.api.endpoint }} networking: podSubnet: 10.244.0.0/16 diff --git a/charts/kubeadm/templates/KubeletConfiguration.yaml b/charts/kubeadm/templates/KubeletConfiguration.yaml index 8fdfd48..f107c4f 100644 --- a/charts/kubeadm/templates/KubeletConfiguration.yaml +++ b/charts/kubeadm/templates/KubeletConfiguration.yaml @@ -17,8 +17,8 @@ protectKernelDefaults: {{ .Values.protectKernelDefaults }} tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256] featureGates: {{- include "kubeadm.featuregates" ( dict "return" "map" ) | nindent 2 }} -# Minimal unit is 50m per pod -podsPerCore: 20 +# Minimal unit is 40m per pod +podsPerCore: 25 # cpuCFSQuotaPeriod: 10ms # Basic OS incl. crio systemReserved: diff --git a/charts/kubeadm/templates/_helpers.tpl b/charts/kubeadm/templates/_helpers.tpl index 1d193f4..3cc9322 100644 --- a/charts/kubeadm/templates/_helpers.tpl +++ b/charts/kubeadm/templates/_helpers.tpl 
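Review bot: The replacement for the dropped `UnversionedKubeletConfigMap` gate is a commented-out stub, `#featureGates:` / `# NonGracefulFailover: true`, which is dead configuration, and the name does not match the gate this diff actually enables (`NodeOutOfServiceVolumeDetach` in `_helpers.tpl`); either delete the two lines or replace them with a comment that states the intent, e.g. `# featureGates are set per component via the kubeadm.featuregates helper`. That helper is included by `KubeletConfiguration.yaml` in the next hunk, so readers would otherwise look here for the gate list.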
@@ -1,6 +1,6 @@ {{- /* Feature gates for all control plane components */ -}} {{- define "kubeadm.featuregates" }} -{{- $gates := list "CustomCPUCFSQuotaPeriod" "KubeletCredentialProviders"}} +{{- $gates := list "CustomCPUCFSQuotaPeriod" "CronJobTimeZone" "NodeOutOfServiceVolumeDetach" }} {{- if eq .return "csv" }} {{- range $key := $gates }} {{- $key }}=true, diff --git a/charts/kubeadm/templates/credential-provider.yaml b/charts/kubeadm/templates/credential-provider.yaml index af930e1..9bf23d0 100644 --- a/charts/kubeadm/templates/credential-provider.yaml +++ b/charts/kubeadm/templates/credential-provider.yaml @@ -1,4 +1,4 @@ -apiVersion: kubelet.config.k8s.io/v1alpha1 +apiVersion: kubelet.config.k8s.io/v1beta1 kind: CredentialProviderConfig providers: - name: amazon-ecr-credential-helper diff --git a/charts/kubeadm/templates/resources/51-aws-iam-authenticator-deployment.yaml b/charts/kubeadm/templates/resources/51-aws-iam-authenticator-deployment.yaml index d4c7c51..6896cea 100644 --- a/charts/kubeadm/templates/resources/51-aws-iam-authenticator-deployment.yaml +++ b/charts/kubeadm/templates/resources/51-aws-iam-authenticator-deployment.yaml @@ -112,10 +112,12 @@ spec: tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane containers: - name: aws-iam-authenticator - image: public.ecr.aws/zero-downtime/aws-iam-authenticator:v0.5.9 + image: public.ecr.aws/zero-downtime/aws-iam-authenticator:v0.5.11 args: - server - --backend-mode=CRD,MountedFile @@ -131,7 +133,7 @@ spec: resources: requests: - memory: 20Mi + memory: 32Mi cpu: 10m limits: memory: 64Mi diff --git a/charts/kubezero-addons/Chart.yaml b/charts/kubezero-addons/Chart.yaml index 27d69f4..9f104a2 100644 --- a/charts/kubezero-addons/Chart.yaml +++ b/charts/kubezero-addons/Chart.yaml 
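Review bot: `CronJobTimeZone` and `NodeOutOfServiceVolumeDetach` are, as far as I recall, alpha gates in Kubernetes 1.24, and this helper hands them to every component that includes it, so the cluster now depends on alpha behaviour with no record of why; a one-line comment per gate naming its purpose and the release in which it is expected to default on would let the list be pruned on the next upgrade, e.g. `{{- /* CronJobTimeZone: alpha in 1.24, enables CronJob spec.timeZone */ -}}`. Dropping `KubeletCredentialProviders` is consistent with the move to the `v1beta1` credential-provider config in the following hunk; worth a line in the commit message if it is not already there.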
@@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-addons description: KubeZero umbrella chart for various optional cluster addons type: application -version: 0.6.3 -appVersion: v1.23.11 +version: 0.7.3 +appVersion: v1.24 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -11,16 +11,14 @@ keywords: - fuse-device-plugin - neuron-device-plugin - nvidia-device-plugin - - aws-node-termination-handler + - cluster-autoscaler + - sealed-secrets - external-dns + - aws-node-termination-handler maintainers: - name: Stefan Reimer email: stefan@zero-downtime.net dependencies: - - name: aws-node-termination-handler - version: 0.18.5 - # repository: https://aws.github.io/eks-charts - condition: aws-node-termination-handler.enabled - name: external-dns version: 1.11.0 repository: https://kubernetes-sigs.github.io/external-dns/ @@ -30,8 +28,20 @@ dependencies: repository: https://kubernetes.github.io/autoscaler condition: cluster-autoscaler.enabled - name: nvidia-device-plugin - version: 0.12.2 + version: 0.13.0 # https://github.com/NVIDIA/k8s-device-plugin repository: https://nvidia.github.io/k8s-device-plugin condition: nvidia-device-plugin.enabled -kubeVersion: ">= 1.20.0" + - name: sealed-secrets + version: 2.7.1 + repository: https://bitnami-labs.github.io/sealed-secrets + condition: sealed-secrets.enabled + - name: aws-node-termination-handler + version: 0.20.1 + # repository: https://aws.github.io/eks-charts + condition: aws-node-termination-handler.enabled + - name: aws-eks-asg-rolling-update-handler + version: 1.2.7 + # repository: https://twin.github.io/helm-charts + condition: aws-eks-asg-rolling-update-handler.enabled +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero-addons/README.md b/charts/kubezero-addons/README.md index d3d0527..d1aea26 100644 --- a/charts/kubezero-addons/README.md +++ b/charts/kubezero-addons/README.md 
@@ -1,6 +1,6 @@ # kubezero-addons -![Version: 0.6.3](https://img.shields.io/badge/Version-0.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.23.11](https://img.shields.io/badge/AppVersion-v1.23.11-informational?style=flat-square) +![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.24](https://img.shields.io/badge/AppVersion-v1.24-informational?style=flat-square) KubeZero umbrella chart for various optional cluster addons @@ -14,14 +14,16 @@ KubeZero umbrella chart for various optional cluster addons ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| -| | aws-node-termination-handler | 0.18.5 | +| | aws-eks-asg-rolling-update-handler | 1.2.7 | +| | aws-node-termination-handler | 0.20.1 | +| https://bitnami-labs.github.io/sealed-secrets | sealed-secrets | 2.7.1 | | https://kubernetes-sigs.github.io/external-dns/ | external-dns | 1.11.0 | | https://kubernetes.github.io/autoscaler | cluster-autoscaler | 9.21.0 | -| https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.12.2 | +| https://nvidia.github.io/k8s-device-plugin | nvidia-device-plugin | 0.13.0 | # MetalLB 
@@ -39,6 +41,34 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/) | Key | Type | Default | Description | |-----|------|---------|-------------| +| aws-eks-asg-rolling-update-handler.enabled | bool | `false` | | +| aws-eks-asg-rolling-update-handler.environmentVars[0].name | string | `"CLUSTER_NAME"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[0].value | string | `""` | | +| aws-eks-asg-rolling-update-handler.environmentVars[1].name | string | `"AWS_REGION"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[1].value | string | `"us-west-2"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[2].name | string | `"EXECUTION_INTERVAL"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[2].value | string | `"60"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[3].name | string | `"METRICS"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[3].value | string | `"true"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[4].name | string | `"EAGER_CORDONING"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[4].value | string | `"true"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[5].name | string | `"SLOW_MODE"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[5].value | string | `"true"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[6].name | string | `"AWS_ROLE_ARN"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[6].value | string | `""` | | +| aws-eks-asg-rolling-update-handler.environmentVars[7].name | string | `"AWS_WEB_IDENTITY_TOKEN_FILE"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[7].value | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/token"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[8].name | string | `"AWS_STS_REGIONAL_ENDPOINTS"` | | +| aws-eks-asg-rolling-update-handler.environmentVars[8].value | string | `"regional"` | | +| aws-eks-asg-rolling-update-handler.image.tag 
| string | `"v1.7.0"` | | +| aws-eks-asg-rolling-update-handler.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | +| aws-eks-asg-rolling-update-handler.resources.limits.memory | string | `"128Mi"` | | +| aws-eks-asg-rolling-update-handler.resources.requests.cpu | string | `"10m"` | | +| aws-eks-asg-rolling-update-handler.resources.requests.memory | string | `"32Mi"` | | +| aws-eks-asg-rolling-update-handler.tolerations[0].effect | string | `"NoSchedule"` | | +| aws-eks-asg-rolling-update-handler.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| aws-eks-asg-rolling-update-handler.tolerations[1].effect | string | `"NoSchedule"` | | +| aws-eks-asg-rolling-update-handler.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | aws-node-termination-handler.deleteLocalData | bool | `true` | | | aws-node-termination-handler.emitKubernetesEvents | bool | `true` | | | aws-node-termination-handler.enableProbesServer | bool | `true` | | @@ -54,7 +84,8 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/) | aws-node-termination-handler.fullnameOverride | string | `"aws-node-termination-handler"` | | | aws-node-termination-handler.ignoreDaemonSets | bool | `true` | | | aws-node-termination-handler.jsonLogging | bool | `true` | | -| aws-node-termination-handler.managedAsgTag | string | `"aws-node-termination-handler/managed"` | "aws-node-termination-handler/${ClusterName}" | +| aws-node-termination-handler.logFormatVersion | int | `2` | | +| aws-node-termination-handler.managedTag | string | `"aws-node-termination-handler/managed"` | "aws-node-termination-handler/${ClusterName}" | | aws-node-termination-handler.metadataTries | int | `0` | | | aws-node-termination-handler.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | aws-node-termination-handler.podMonitor.create | bool | `false` | | 
@@ -63,6 +94,8 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/) | aws-node-termination-handler.taintNode | bool | `true` | | | aws-node-termination-handler.tolerations[0].effect | string | `"NoSchedule"` | | | aws-node-termination-handler.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| aws-node-termination-handler.tolerations[1].effect | string | `"NoSchedule"` | | +| aws-node-termination-handler.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | aws-node-termination-handler.useProviderId | bool | `true` | | | awsNeuron.enabled | bool | `false` | | | awsNeuron.image.name | string | `"public.ecr.aws/neuron/neuron-device-plugin"` | | 
@@ -80,30 +113,22 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/) | cluster-autoscaler.serviceMonitor.interval | string | `"30s"` | | | cluster-autoscaler.tolerations[0].effect | string | `"NoSchedule"` | | | cluster-autoscaler.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| cluster-autoscaler.tolerations[1].effect | string | `"NoSchedule"` | | +| cluster-autoscaler.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | clusterBackup.enabled | bool | `false` | | | clusterBackup.extraEnv | list | `[]` | | | clusterBackup.image.name | string | `"public.ecr.aws/zero-downtime/kubezero-admin"` | | | clusterBackup.password | string | `""` | /etc/cloudbender/clusterBackup.passphrase | | clusterBackup.repository | string | `""` | s3:https://s3.amazonaws.com/${CFN[ConfigBucket]}/k8s/${CLUSTERNAME}/clusterBackup | | external-dns.enabled | bool | `false` | | -| external-dns.env[0] | object | `{"name":"AWS_ROLE_ARN","value":""}` | "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.externalDNS" | -| external-dns.env[1].name | string | `"AWS_WEB_IDENTITY_TOKEN_FILE"` | | -| external-dns.env[1].value | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/token"` | | -| external-dns.env[2].name | string | `"AWS_STS_REGIONAL_ENDPOINTS"` | | -| external-dns.env[2].value | string | `"regional"` | | -| external-dns.extraVolumeMounts[0].mountPath | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/"` | | -| external-dns.extraVolumeMounts[0].name | string | `"aws-token"` | | -| external-dns.extraVolumeMounts[0].readOnly | bool | `true` | | -| external-dns.extraVolumes[0].name | string | `"aws-token"` | | -| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.audience | string | `"sts.amazonaws.com"` | | -| external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.expirationSeconds | int | `86400` | | -| 
external-dns.extraVolumes[0].projected.sources[0].serviceAccountToken.path | string | `"token"` | | | external-dns.interval | string | `"3m"` | | | external-dns.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | external-dns.provider | string | `"inmemory"` | | | external-dns.sources[0] | string | `"service"` | | | external-dns.tolerations[0].effect | string | `"NoSchedule"` | | | external-dns.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| external-dns.tolerations[1].effect | string | `"NoSchedule"` | | +| external-dns.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | external-dns.triggerLoopOnEvent | bool | `true` | | | forseti.aws.iamRoleArn | string | `""` | "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.kubezeroForseti" | | forseti.aws.region | string | `""` | | 
@@ -128,3 +153,15 @@ Device plugin for [AWS Neuron](https://aws.amazon.com/machine-learning/neuron/) | nvidia-device-plugin.tolerations[1].effect | string | `"NoSchedule"` | | | nvidia-device-plugin.tolerations[1].key | string | `"kubezero-workergroup"` | | | nvidia-device-plugin.tolerations[1].operator | string | `"Exists"` | | +| sealed-secrets.enabled | bool | `false` | | +| sealed-secrets.fullnameOverride | string | `"sealed-secrets-controller"` | | +| sealed-secrets.keyrenewperiod | int | `0` | | +| sealed-secrets.metrics.serviceMonitor.enabled | bool | `false` | | +| sealed-secrets.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | +| sealed-secrets.resources.limits.memory | string | `"128Mi"` | | +| sealed-secrets.resources.requests.cpu | string | `"10m"` | | +| sealed-secrets.resources.requests.memory | string | `"24Mi"` | | +| sealed-secrets.tolerations[0].effect | string | `"NoSchedule"` | | +| sealed-secrets.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| sealed-secrets.tolerations[1].effect | string | `"NoSchedule"` | | +| sealed-secrets.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | diff --git a/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/Chart.yaml b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/Chart.yaml new file mode 100644 index 0000000..91ce0de --- /dev/null +++ b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +description: Handles rolling upgrades for AWS ASGs for EKS by replacing outdated nodes + by new nodes. +home: https://github.com/TwiN/aws-eks-asg-rolling-update-handler +maintainers: +- name: TwiN +name: aws-eks-asg-rolling-update-handler +version: 1.2.7 
diff --git a/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/_helpers.tpl b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/_helpers.tpl new file mode 100644 index 0000000..404193d --- /dev/null +++ b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/_helpers.tpl @@ -0,0 +1,31 @@ +{{/* +Create a default app name. +*/}} +{{- define "aws-eks-asg-rolling-update-handler.name" -}} +{{- .Chart.Name -}} +{{- end -}} + +{{/* +Create a default namespace. +*/}} +{{- define "aws-eks-asg-rolling-update-handler.namespace" -}} +{{- .Release.Namespace -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "aws-eks-asg-rolling-update-handler.labels" -}} +app.kubernetes.io/name: {{ include "aws-eks-asg-rolling-update-handler.name" . }} +{{- end -}} + +{{/* +Create the name of the service account to use. +*/}} +{{- define "aws-eks-asg-rolling-update-handler.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "aws-eks-asg-rolling-update-handler.name" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/cluster-role-binding.yaml b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/cluster-role-binding.yaml new file mode 100644 index 0000000..e6c8bbd --- /dev/null +++ b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/cluster-role-binding.yaml 
@@ -0,0 +1,15 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "aws-eks-asg-rolling-update-handler.name" . }} + labels: +{{ include "aws-eks-asg-rolling-update-handler.labels" . | indent 4 }} +roleRef: + kind: ClusterRole + name: {{ template "aws-eks-asg-rolling-update-handler.name" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ template "aws-eks-asg-rolling-update-handler.serviceAccountName" . }} + namespace: {{ template "aws-eks-asg-rolling-update-handler.namespace" . }} \ No newline at end of file diff --git a/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/cluster-role.yaml b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/cluster-role.yaml new file mode 100644 index 0000000..33b8215 --- /dev/null +++ b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/cluster-role.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "aws-eks-asg-rolling-update-handler.name" . }} + labels: +{{ include "aws-eks-asg-rolling-update-handler.labels" . | indent 4 }} +rules: + - apiGroups: + - "*" + resources: + - "*" + verbs: + - get + - list + - watch + - apiGroups: + - "*" + resources: + - nodes + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - "*" + resources: + - pods/eviction + verbs: + - get + - list + - create + - apiGroups: + - "*" + resources: + - pods + verbs: + - get + - list \ No newline at end of file diff --git a/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/deployment.yaml b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/deployment.yaml new file mode 100644 index 0000000..c4894cf --- /dev/null +++ b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/deployment.yaml 
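Review bot: The first rule in cluster-role.yaml grants get/list/watch on `resources: "*"` across `apiGroups: "*"`, i.e. cluster-wide read of every API object including Secrets, and the later `nodes` read verbs and the trailing `pods` get/list rule are already subsumed by it, which suggests the wildcard is a shortcut rather than a requirement. A node-rotation controller should only need read access to the kinds it inspects (nodes and pods are the ones the other rules name; anything beyond that would need confirming against the upstream project), with `update`/`patch` on nodes and `create` on `pods/eviction` kept as they are. Because this file is pulled verbatim by update.sh and then re-patched from ruh.patch, a narrowed rule set has to be carried in that patch or it is lost on the next refresh.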
@@ -0,0 +1,56 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "aws-eks-asg-rolling-update-handler.name" . }} + namespace: {{ template "aws-eks-asg-rolling-update-handler.namespace" . }} + labels: +{{ include "aws-eks-asg-rolling-update-handler.labels" . | indent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: +{{ include "aws-eks-asg-rolling-update-handler.labels" . | indent 6 }} + template: + metadata: + labels: +{{ include "aws-eks-asg-rolling-update-handler.labels" . | indent 8 }} + spec: + automountServiceAccountToken: true + serviceAccountName: {{ template "aws-eks-asg-rolling-update-handler.serviceAccountName" . }} + restartPolicy: Always + dnsPolicy: Default + containers: + - name: {{ template "aws-eks-asg-rolling-update-handler.name" . }} + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + {{- toYaml .Values.environmentVars | nindent 12 }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: aws-token + mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + readOnly: true + volumes: + - name: aws-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 86400 + audience: "sts.amazonaws.com" + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: +{{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/service-account.yaml b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/service-account.yaml new file mode 100644 index 0000000..958b1db --- /dev/null 
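Review bot: Neither the pod nor the container in deployment.yaml sets a `securityContext`, so the handler runs with whatever the image defaults to while holding the cluster-wide read ClusterRole from this chart and an STS-audience projected token; container hardening is therefore the main compensating control here. Since the file is regenerated by update.sh from the upstream chart plus ruh.patch, the addition below belongs in ruh.patch next to the resources and volume lines that patch already adds. `runAsNonRoot` presumes the image declares a non-root user; if it does not, pair it with an explicit `runAsUser` or drop that one field and keep the rest.
```yaml
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: env, resources, volumeMounts …
```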
+++ b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/templates/service-account.yaml @@ -0,0 +1,13 @@ +{{ if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "aws-eks-asg-rolling-update-handler.serviceAccountName" . }} + namespace: {{ template "aws-eks-asg-rolling-update-handler.namespace" . }} + labels: +{{ include "aws-eks-asg-rolling-update-handler.labels" . | indent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{ end }} \ No newline at end of file diff --git a/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/values.yaml b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/values.yaml new file mode 100644 index 0000000..8a5d57a --- /dev/null +++ b/charts/kubezero-addons/charts/aws-eks-asg-rolling-update-handler/values.yaml @@ -0,0 +1,28 @@ +replicaCount: 1 + +image: + repository: twinproduction/aws-eks-asg-rolling-update-handler + tag: v1.4.3 + pullPolicy: IfNotPresent + +#imagePullSecrets: +#- imagePullSecret + +environmentVars: +- name: CLUSTER_NAME + value: "cluster-name" # REPLACE THIS WITH THE NAME OF YOUR EKS CLUSTER +#- name: AUTO_SCALING_GROUP_NAMES +# value: "asg-1,asg-2,asg-3" # REPLACE THESE VALUES FOR THE NAMES OF THE ASGs, if CLUSTER_NAME is provided, this is ignored +#- name: IGNORE_DAEMON_SETS +# value: "true" +#- name: DELETE_LOCAL_DATA +# value: "true" +#- name: AWS_REGION +# value: us-west-2 +#- name: ENVIRONMENT +# value: "" + +serviceAccount: + create: true + #name: aws-eks-asg-rolling-update-handler + annotations: {} diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/Chart.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/Chart.yaml index 0eeba08..0ee89da 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/Chart.yaml +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.16.5 +appVersion: 1.18.1 description: A Helm chart for the AWS Node Termination Handler. home: https://github.com/aws/eks-charts icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png @@ -22,4 +22,4 @@ sources: - https://github.com/aws/aws-node-termination-handler/ - https://github.com/aws/eks-charts/ type: application -version: 0.18.5 +version: 0.20.1 diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/README.md b/charts/kubezero-addons/charts/aws-node-termination-handler/README.md index 2a1e774..4b9c884 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/README.md +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/README.md @@ -70,6 +70,7 @@ The configuration in this table applies to all AWS Node Termination Handler mode | `extraEnv` | Additional environment variables for the _aws-node-termination-handler_ container. | `[]` | | `probes` | The Kubernetes liveness probe configuration. | _See values.yaml_ | | `logLevel` | Sets the log level (`info`,`debug`, or `error`) | `info` | +| `logFormatVersion` | Sets the log format version. Available versions: 1, 2. Version 1 refers to the format that has been used through v1.17.3. Version 2 offers more detail for the "event kind" and "reason", especially when operating in Queue Processor mode. | `1` | | `jsonLogging` | If `true`, use JSON-formatted logs instead of human readable logs. | `false` | | `enablePrometheusServer` | If `true`, start an http server exposing `/metrics` endpoint for _Prometheus_. | `false` | | `prometheusServerPort` | Replaces the default HTTP port for exposing _Prometheus_ metrics. | `9092` | 
@@ -82,6 +83,7 @@ The configuration in this table applies to all AWS Node Termination Handler mode | `podTerminationGracePeriod` | The time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used, which defaults to 30 seconds if not specified for the pod. | `-1` | | `nodeTerminationGracePeriod` | Period of time in seconds given to each node to terminate gracefully. Node draining will be scheduled based on this value to optimize the amount of compute time, but still safely drain the node before an event. | `120` | | `emitKubernetesEvents` | If `true`, Kubernetes events will be emitted when interruption events are received and when actions are taken on Kubernetes nodes. In IMDS Processor mode a default set of annotations with all the node metadata gathered from IMDS will be attached to each event. More information [here](https://github.com/aws/aws-node-termination-handler/blob/main/docs/kubernetes_events.md). | `false` | +| `completeLifecycleActionDelaySeconds` | Pause after draining the node before completing the EC2 Autoscaling lifecycle action. This may be helpful if Pods on the node have Persistent Volume Claims. | -1 | | `kubernetesEventsExtraAnnotations` | A comma-separated list of `key=value` extra annotations to attach to all emitted Kubernetes events (e.g. `first=annotation,sample.annotation/number=two"`). | `""` | | `webhookURL` | Posts event data to URL upon instance interruption action. | `""` | | `webhookURLSecretName` | Pass the webhook URL as a Secret using the key `webhookurl`. | `""` | 
@@ -110,9 +112,11 @@ The configuration in this table applies to AWS Node Termination Handler in queue | `awsRegion` | If specified, use the AWS region for AWS API calls, else NTH will try to find the region through the `AWS_REGION` environment variable, IMDS, or the specified queue URL. | `""` | | `queueURL` | Listens for messages on the specified SQS queue URL. | `""` | | `workers` | The maximum amount of parallel event processors to handle concurrent events. | `10` | -| `checkASGTagBeforeDraining` | If `true`, check that the instance is tagged with the `managedAsgTag` before draining the node. If `false`, disables calls ASG API. | `true` | -| `managedAsgTag` | The node tag to check if `checkASGTagBeforeDraining` is `true`. | `aws-node-termination-handler/managed` | -| `useProviderId` | If `true`, fetch node name through Kubernetes node spec ProviderID instead of AWS event PrivateDnsHostname. | `false` | +| `checkTagBeforeDraining` | If `true`, check that the instance is tagged with the `managedTag` before draining the node. | `true` | +| `managedTag` | The node tag to check if `checkTagBeforeDraining` is `true`. | `aws-node-termination-handler/managed` | +| `checkASGTagBeforeDraining` | [DEPRECATED](Use `checkTagBeforeDraining` instead) If `true`, check that the instance is tagged with the `managedAsgTag` before draining the node. If `false`, disables calls ASG API. | `true` | +| `managedAsgTag` | [DEPRECATED](Use `managedTag` instead) The node tag to check if `checkASGTagBeforeDraining` is `true`. +| `useProviderId` | If `true`, fetch node name through Kubernetes node spec ProviderID instead of AWS event PrivateDnsHostname. | `false` | ### IMDS Mode Configuration diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.linux.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.linux.yaml index 5fcac07..95e4b50 100644 
--- a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.linux.yaml +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.linux.yaml @@ -81,6 +81,8 @@ spec: value: {{ .Values.logLevel | quote }} - name: JSON_LOGGING value: {{ .Values.jsonLogging | quote }} + - name: LOG_FORMAT_VERSION + value: {{ .Values.logFormatVersion | quote }} - name: ENABLE_PROMETHEUS_SERVER value: {{ .Values.enablePrometheusServer | quote }} - name: PROMETHEUS_SERVER_PORT @@ -151,6 +153,9 @@ spec: value: "false" - name: UPTIME_FROM_FILE value: {{ .Values.procUptimeFile | quote }} + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- if or .Values.enablePrometheusServer .Values.enableProbesServer }} ports: {{- if .Values.enableProbesServer }} diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.windows.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.windows.yaml index f021db8..8a9db7b 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.windows.yaml +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/daemonset.windows.yaml @@ -52,7 +52,7 @@ spec: {{- end }} containers: - name: aws-node-termination-handler - {{- with .Values.securityContext }} + {{- with unset .Values.securityContext "runAsUser" }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} @@ -81,6 +81,8 @@ spec: value: {{ .Values.logLevel | quote }} - name: JSON_LOGGING value: {{ .Values.jsonLogging | quote }} + - name: LOG_FORMAT_VERSION + value: {{ .Values.logFormatVersion | quote }} - name: ENABLE_PROMETHEUS_SERVER value: {{ .Values.enablePrometheusServer | quote }} - name: PROMETHEUS_SERVER_PORT 
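Review bot: `{{- with unset .Values.securityContext "runAsUser" }}` in daemonset.windows.yaml removes the key from the shared values map rather than from a copy — sprig's `unset` mutates the map it is given — so any template rendered after this one that reads `.Values.securityContext` (deployment.yaml in the same chart presumably does) no longer sees `runAsUser`; whether that is observable depends on Helm's render order, so it is worth checking with `helm template`. The non-mutating form is `{{- with omit .Values.securityContext "runAsUser" }}`. This is upstream chart content refreshed by update.sh, so the change belongs in nth.patch or an upstream report rather than in the vendored file alone.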
@@ -149,6 +151,9 @@ spec: value: {{ .Values.enableRebalanceDraining | quote }} - name: ENABLE_SQS_TERMINATION_DRAINING value: "false" + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- if or .Values.enablePrometheusServer .Values.enableProbesServer }} ports: {{- if .Values.enableProbesServer }} diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/deployment.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/deployment.yaml index eea2d33..33f31bb 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/templates/deployment.yaml +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/templates/deployment.yaml @@ -78,14 +78,22 @@ spec: value: {{ .Values.logLevel | quote }} - name: JSON_LOGGING value: {{ .Values.jsonLogging | quote }} + - name: LOG_FORMAT_VERSION + value: {{ .Values.logFormatVersion | quote }} - name: ENABLE_PROMETHEUS_SERVER value: {{ .Values.enablePrometheusServer | quote }} - name: PROMETHEUS_SERVER_PORT value: {{ .Values.prometheusServerPort | quote }} + # [DEPRECATED] Use CHECK_TAG_BEFORE_DRAINING instead - name: CHECK_ASG_TAG_BEFORE_DRAINING value: {{ .Values.checkASGTagBeforeDraining | quote }} + - name: CHECK_TAG_BEFORE_DRAINING + value: {{ .Values.checkTagBeforeDraining | quote }} + # [DEPRECATED] Use MANAGED_TAG instead - name: MANAGED_ASG_TAG value: {{ .Values.managedAsgTag | quote }} + - name: MANAGED_TAG + value: {{ .Values.managedTag | quote }} - name: USE_PROVIDER_ID value: {{ .Values.useProviderId | quote }} - name: DRY_RUN @@ -106,6 +114,8 @@ spec: value: {{ .Values.nodeTerminationGracePeriod | quote }} - name: EMIT_KUBERNETES_EVENTS value: {{ .Values.emitKubernetesEvents | quote }} + - name: COMPLETE_LIFECYCLE_ACTION_DELAY_SECONDS + value: {{ .Values.completeLifecycleActionDelaySeconds | quote }} {{- with .Values.kubernetesEventsExtraAnnotations }} - name: KUBERNETES_EVENTS_EXTRA_ANNOTATIONS value: {{ . | quote }} 
diff --git a/charts/kubezero-addons/charts/aws-node-termination-handler/values.yaml b/charts/kubezero-addons/charts/aws-node-termination-handler/values.yaml index 9f19efd..c965358 100644 --- a/charts/kubezero-addons/charts/aws-node-termination-handler/values.yaml +++ b/charts/kubezero-addons/charts/aws-node-termination-handler/values.yaml @@ -66,6 +66,9 @@ probes: # Set the log level logLevel: info +# Set the log format version +logFormatVersion: 1 + # Log messages in JSON format jsonLogging: false @@ -100,6 +103,9 @@ nodeTerminationGracePeriod: 120 # emitKubernetesEvents If true, Kubernetes events will be emitted when interruption events are received and when actions are taken on Kubernetes nodes. In IMDS Processor mode a default set of annotations with all the node metadata gathered from IMDS will be attached to each event emitKubernetesEvents: false +# completeLifecycleActionDelaySeconds will pause for the configured duration after draining the node before completing the EC2 Autoscaling lifecycle action. This may be helpful if Pods on the node have Persistent Volume Claims. +completeLifecycleActionDelaySeconds: -1 + # kubernetesEventsExtraAnnotations A comma-separated list of key=value extra annotations to attach to all emitted Kubernetes events # Example: "first=annotation,sample.annotation/number=two" kubernetesEventsExtraAnnotations: "" 
@@ -170,13 +176,18 @@ queueURL: "" # The maximum amount of parallel event processors to handle concurrent events workers: 10 -# If true, check that the instance is tagged with "aws-node-termination-handler/managed" as the key before draining the node -# If false, disables calls to ASG API. +# [DEPRECATED] Use checkTagBeforeDraining instead checkASGTagBeforeDraining: true -# The tag to ensure is on a node if checkASGTagBeforeDraining is true +# If true, check that the instance is tagged with "aws-node-termination-handler/managed" as the key before draining the node +checkTagBeforeDraining: true + +# [DEPRECATED] Use managedTag instead managedAsgTag: "aws-node-termination-handler/managed" +# The tag to ensure is on a node if checkTagBeforeDraining is true +managedTag: "aws-node-termination-handler/managed" + # If true, fetch node name through Kubernetes node spec ProviderID instead of AWS event PrivateDnsHostname. useProviderId: false diff --git a/charts/kubezero-addons/ruh.patch b/charts/kubezero-addons/ruh.patch new file mode 100644 index 0000000..b88c55f --- /dev/null +++ b/charts/kubezero-addons/ruh.patch 
@@ -0,0 +1,36 @@ +diff -tuNr charts/aws-eks-asg-rolling-update-handler.orig/templates/deployment.yaml charts/aws-eks-asg-rolling-update-handler/templates/deployment.yaml +--- charts/aws-eks-asg-rolling-update-handler.orig/templates/deployment.yaml 2022-12-16 13:10:26.049272371 +0000 ++++ charts/aws-eks-asg-rolling-update-handler/templates/deployment.yaml 2022-12-16 15:56:00.880666339 +0000 +@@ -25,7 +25,31 @@ + image: {{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: +-{{- toYaml .Values.environmentVars | nindent 12 }} ++ {{- toYaml .Values.environmentVars | nindent 12 }} ++ {{- with .Values.resources }} ++ resources: ++ {{- toYaml . | nindent 12 }} ++ {{- end }} ++ volumeMounts: ++ - name: aws-token ++ mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" ++ readOnly: true ++ volumes: ++ - name: aws-token ++ projected: ++ sources: ++ - serviceAccountToken: ++ path: token ++ expirationSeconds: 86400 ++ audience: "sts.amazonaws.com" ++ {{- with .Values.nodeSelector }} ++ nodeSelector: ++ {{- toYaml . | nindent 8 }} ++ {{- end }} ++ {{- with .Values.tolerations }} ++ tolerations: ++ {{- toYaml . | nindent 8 }} ++ {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} diff --git a/charts/kubezero-addons/templates/cluster-backup/cronjob.yaml b/charts/kubezero-addons/templates/cluster-backup/cronjob.yaml index 401a8ee..12c31b4 100644 --- a/charts/kubezero-addons/templates/cluster-backup/cronjob.yaml +++ b/charts/kubezero-addons/templates/cluster-backup/cronjob.yaml @@ -6,6 +6,7 @@ metadata: namespace: kube-system spec: schedule: "0 * * * *" + concurrencyPolicy: "Replace" jobTemplate: spec: backoffLimit: 1 @@ -56,5 +57,7 @@ spec: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule restartPolicy: Never {{- end }} 
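Review bot: `concurrencyPolicy: "Replace"` on the hourly cluster-backup CronJob means a backup run that is still going when the next schedule fires is killed rather than allowed to finish, which for a backup job is the less safe choice: the interrupted run leaves no usable snapshot and, if the backup tool holds a lock in the S3 repository, the replacement run may then fail on the stale lock. `Forbid` skips the overlapping run instead and lets the in-flight backup complete. If the intent was to stop a hung run from blocking every later schedule, `activeDeadlineSeconds` on the job spec expresses that without sacrificing a slow-but-healthy run; a one-line comment stating which case the policy is meant to cover would help either way.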
diff --git a/charts/kubezero-addons/templates/forseti/deployment.yaml b/charts/kubezero-addons/templates/forseti/deployment.yaml
index b2e35a6..6be8a5c 100644
--- a/charts/kubezero-addons/templates/forseti/deployment.yaml
+++ b/charts/kubezero-addons/templates/forseti/deployment.yaml
@@ -71,6 +71,8 @@ spec:
 tolerations:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
 volumes:
 - name: aws-token
 projected:
diff --git a/charts/kubezero-addons/update.sh b/charts/kubezero-addons/update.sh
index c29d465..4b2cf20 100755
--- a/charts/kubezero-addons/update.sh
+++ b/charts/kubezero-addons/update.sh
@@ -4,6 +4,7 @@ set -ex
 helm repo update
 NTH_VERSION=$(yq eval '.dependencies[] | select(.name=="aws-node-termination-handler") | .version' Chart.yaml)
+RUH_VERSION=$(yq eval '.dependencies[] | select(.name=="aws-eks-asg-rolling-update-handler") | .version' Chart.yaml)
 rm -rf charts/aws-node-termination-handler
 helm pull eks/aws-node-termination-handler --untar --untardir charts --version $NTH_VERSION
@@ -11,4 +12,8 @@ helm pull eks/aws-node-termination-handler --untar --untardir charts --version $
 # diff -tuNr charts/aws-node-termination-handler.orig charts/aws-node-termination-handler > nth.patch
 patch -p0 -i nth.patch --no-backup-if-mismatch
+rm -rf charts/aws-eks-asg-rolling-update-handler
+helm pull twin/aws-eks-asg-rolling-update-handler --untar --untardir charts --version $RUH_VERSION
+patch -p0 -i ruh.patch --no-backup-if-mismatch
+
 helm dep update
diff --git a/charts/kubezero-addons/values.yaml b/charts/kubezero-addons/values.yaml
index 1c6bba9..9e8d716 100644
--- a/charts/kubezero-addons/values.yaml
+++ b/charts/kubezero-addons/values.yaml
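Review bot: `helm pull twin/aws-eks-asg-rolling-update-handler` relies on a `twin` repository alias that the script neither registers nor checks, and it runs after `rm -rf charts/aws-eks-asg-rolling-update-handler`, so on a machine without the alias `set -e` aborts with the vendored chart already deleted. Registering the source explicitly before `helm repo update` pins the origin to the URL that Chart.yaml only keeps as a comment: `helm repo add twin https://twin.github.io/helm-charts --force-update`. The same ordering concern applies to the existing `eks/` pull, and `$RUH_VERSION` and `$NTH_VERSION` should be quoted. Nothing verifies the pulled archive beyond what `helm pull` itself does, so the committed tree under charts/ plus ruh.patch remains the review surface for what actually gets deployed.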
@@ -24,16 +24,82 @@ forseti: # -- "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.kubezeroForseti" iamRoleArn: "" +sealed-secrets: + enabled: false + + # ensure kubeseal default values match + fullnameOverride: sealed-secrets-controller + + # Disable auto keyrotation for now + keyrenewperiod: 0 + + resources: + requests: + cpu: 10m + memory: 24Mi + limits: + memory: 128Mi + + metrics: + serviceMonitor: + enabled: false + + nodeSelector: + node-role.kubernetes.io/control-plane: "" + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + +aws-eks-asg-rolling-update-handler: + enabled: false + image: + tag: v1.7.0 + + environmentVars: + - name: CLUSTER_NAME + value: "" + - name: AWS_REGION + value: us-west-2 + - name: EXECUTION_INTERVAL + value: "60" + - name: METRICS + value: "true" + - name: EAGER_CORDONING + value: "true" + # Only disable if all services have PDBs across AZs + - name: SLOW_MODE + value: "true" + - name: AWS_ROLE_ARN + value: "" + - name: AWS_WEB_IDENTITY_TOKEN_FILE + value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" + - name: AWS_STS_REGIONAL_ENDPOINTS + value: "regional" + + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + memory: 128Mi + + nodeSelector: + node-role.kubernetes.io/control-plane: "" + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + aws-node-termination-handler: enabled: false fullnameOverride: "aws-node-termination-handler" - #image: - # tag: v1.14.1 - # -- "aws-node-termination-handler/${ClusterName}" - managedAsgTag: "aws-node-termination-handler/managed" + managedTag: "aws-node-termination-handler/managed" useProviderId: true enableSqsTerminationDraining: true 
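Review bot: `keyrenewperiod: 0` turns off sealing-key rotation for the sealed-secrets controller, so one key protects every SealedSecret for the lifetime of the installation; the comment `Disable auto keyrotation for now` should record why and the trade-off, e.g. `# keyrenewperiod: 0 disables sealing-key rotation: a single long-lived key protects every SealedSecret, so its compromise exposes all of them`. To my knowledge re-enabling rotation later does not re-encrypt objects sealed under the old key, so the decision is hard to walk back and deserves a tracked follow-up rather than "for now". In the aws-eks-asg-rolling-update-handler block, `AWS_REGION: us-west-2` is a concrete region as a chart default while `CLUSTER_NAME` and `AWS_ROLE_ARN` are left empty for the caller; a wrong-region default fails late and confusingly, so an empty value or a `# placeholder, set per cluster` comment would be more consistent with the neighbouring entries.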
@@ -63,10 +129,13 @@ aws-node-termination-handler: create: false jsonLogging: true + logFormatVersion: 2 tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" @@ -109,6 +178,7 @@ nvidia-device-plugin: - g5.16xlarge - g5.24xlarge - g5.48xlarge + - g4dn.xlarge cluster-autoscaler: enabled: false @@ -140,6 +210,8 @@ cluster-autoscaler: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule # On AWS enable Projected Service Accounts to assume IAM role #extraEnv: @@ -170,6 +242,8 @@ external-dns: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" @@ -179,24 +253,3 @@ external-dns: #- istio-gateway provider: inmemory - - extraVolumes: - - name: aws-token - projected: - sources: - - serviceAccountToken: - path: token - expirationSeconds: 86400 - audience: "sts.amazonaws.com" - extraVolumeMounts: - - name: aws-token - mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" - readOnly: true - env: - # -- "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.externalDNS" - - name: AWS_ROLE_ARN - value: "" - - name: AWS_WEB_IDENTITY_TOKEN_FILE - value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" - - name: AWS_STS_REGIONAL_ENDPOINTS - value: "regional" diff --git a/charts/kubezero-argocd/Chart.yaml b/charts/kubezero-argocd/Chart.yaml index 3bfb8d2..390cf37 100644 --- a/charts/kubezero-argocd/Chart.yaml +++ b/charts/kubezero-argocd/Chart.yaml 
@@ -1,21 +1,29 @@ apiVersion: v2 -description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application +description: KubeZero ArgoCD - config, branding, image-updater (optional) name: kubezero-argocd -version: 0.10.2 +version: 0.11.2 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: - kubezero - argocd - - gitops + - argocd-image-updater maintainers: - name: Stefan Reimer email: stefan@zero-downtime.net +# Url: https://github.com/argoproj/argo-helm/tree/main/charts dependencies: - name: kubezero-lib - version: ">= 0.1.5" + version: ">= 0.1.6" repository: https://cdn.zero-downtime.net/charts/ - name: argo-cd - version: 4.10.9 + version: 5.16.10 repository: https://argoproj.github.io/argo-helm -kubeVersion: ">= 1.20.0" + - name: argocd-apps + version: 0.0.6 + repository: https://argoproj.github.io/argo-helm + - name: argocd-image-updater + version: 0.8.1 + repository: https://argoproj.github.io/argo-helm + condition: argocd-image-updater.enabled +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero-argocd/README.md b/charts/kubezero-argocd/README.md index 2a37feb..a579dab 100644 --- a/charts/kubezero-argocd/README.md +++ b/charts/kubezero-argocd/README.md @@ -1,8 +1,8 @@ # kubezero-argocd -![Version: 0.10.2](https://img.shields.io/badge/Version-0.10.2-informational?style=flat-square) +![Version: 0.11.2](https://img.shields.io/badge/Version-0.11.2-informational?style=flat-square) -KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application +KubeZero ArgoCD - config, branding, image-updater (optional) **Homepage:** 
@@ -14,42 +14,57 @@ KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Appl ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 4.10.9 | -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | +| https://argoproj.github.io/argo-helm | argo-cd | 5.16.10 | +| https://argoproj.github.io/argo-helm | argocd-apps | 0.0.6 | +| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.8.1 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | argo-cd.applicationSet.enabled | bool | `false` | | +| argo-cd.configs.cm."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | | +| argo-cd.configs.cm."timeout.reconciliation" | int | `300` | | +| argo-cd.configs.cm."ui.bannercontent" | string | `"KubeZero v1.24 - Release notes"` | | +| argo-cd.configs.cm."ui.bannerpermanent" | string | `"true"` | | +| argo-cd.configs.cm."ui.bannerposition" | string | `"bottom"` | | +| argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.24"` | | +| argo-cd.configs.cm.url | string | `"argocd.example.com"` | | | argo-cd.configs.knownHosts.data.ssh_known_hosts | string | 
`"bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==\ngithub.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=\ngithub.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl\ngithub.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==\ngitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=\ngitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf\ngitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9\ngit.zero-downtime.net ssh-rsa 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\n"` | | +| argo-cd.configs.params."controller.operation.processors" | string | `"5"` | | +| argo-cd.configs.params."controller.status.processors" | string | `"10"` | | +| 
argo-cd.configs.params."server.enable.gzip" | bool | `true` | | +| argo-cd.configs.params."server.insecure" | bool | `true` | | | argo-cd.configs.secret.createSecret | bool | `false` | | -| argo-cd.controller.args.appResyncPeriod | string | `"300"` | | -| argo-cd.controller.args.operationProcessors | string | `"4"` | | -| argo-cd.controller.args.statusProcessors | string | `"8"` | | -| argo-cd.controller.logFormat | string | `"json"` | | +| argo-cd.configs.styles | string | `".sidebar__logo img { content: url(https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png); }\n.sidebar { background: linear-gradient(to bottom, #6A4D79, #493558, #2D1B30, #0D0711); }\n"` | | | argo-cd.controller.metrics.enabled | bool | `false` | | | argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.controller.resources.requests.cpu | string | `"100m"` | | | argo-cd.controller.resources.requests.memory | string | `"256Mi"` | | | argo-cd.dex.enabled | bool | `false` | | -| argo-cd.global | string | `nil` | | -| argo-cd.installCRDs | bool | `false` | | +| argo-cd.global.logging.format | string | `"json"` | | | argo-cd.notifications.enabled | bool | `false` | | -| argo-cd.repoServer.logFormat | string | `"json"` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | -| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n 
hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | | -| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio | -| argo-cd.server.extraArgs[0] | string | `"--insecure"` | | -| argo-cd.server.logFormat | string | `"json"` | | | argo-cd.server.metrics.enabled | bool | `false` | | | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | +| argocd-apps.applications | list | `[]` | | +| argocd-apps.projects | list | `[]` | | +| argocd-image-updater.authScripts.enabled | bool | `true` | | +| argocd-image-updater.authScripts.scripts."ecr-login.sh" | string | `"#!/bin/sh\naws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d\n"` | | +| argocd-image-updater.authScripts.scripts."ecr-public-login.sh" | string | `"#!/bin/sh\naws ecr-public --region us-east-1 get-authorization-token --output text --query 'authorizationData.authorizationToken' | base64 -d\n"` | | +| argocd-image-updater.config.argocd.plaintext | bool | `true` | | +| argocd-image-updater.enabled | bool | `false` | | +| argocd-image-updater.fullnameOverride | string | `"argocd-image-updater"` | | +| argocd-image-updater.metrics.enabled | bool | `false` | | +| argocd-image-updater.metrics.serviceMonitor.enabled | bool | `true` | | +| argocd-image-updater.sshConfig.config | string | `"Host *\n PubkeyAcceptedAlgorithms +ssh-rsa\n HostkeyAlgorithms +ssh-rsa\n"` | | | istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD | | istio.gateway | string | `"istio-ingress/ingressgateway"` | Name of the Istio gateway to add the VirtualService to | | istio.ipBlocks | list | `[]` | | diff --git a/charts/kubezero-argocd/templates/istio-authorization-policy.yaml b/charts/kubezero-argocd/templates/istio-authorization-policy.yaml index 7cf4fa6..cb31373 100644 
--- a/charts/kubezero-argocd/templates/istio-authorization-policy.yaml +++ b/charts/kubezero-argocd/templates/istio-authorization-policy.yaml @@ -19,7 +19,7 @@ spec: {{- toYaml .Values.istio.ipBlocks | nindent 8 }} to: - operation: - hosts: [{{ index .Values "argo-cd" "server" "config" "url" | quote }}] + hosts: [{{ index .Values "argo-cd" "configs" "cm" "url" | quote }}] when: - key: connection.sni values: diff --git a/charts/kubezero-argocd/templates/istio-service.yaml b/charts/kubezero-argocd/templates/istio-service.yaml index 156befe..a5bfbbd 100644 --- a/charts/kubezero-argocd/templates/istio-service.yaml +++ b/charts/kubezero-argocd/templates/istio-service.yaml @@ -10,7 +10,7 @@ spec: gateways: - {{ .Values.istio.gateway }} hosts: - - {{ index .Values "argo-cd" "server" "config" "url" }} + - {{ index .Values "argo-cd" "configs" "cm" "url" }} http: - name: grpc match: diff --git a/charts/kubezero-argocd/values.yaml b/charts/kubezero-argocd/values.yaml index 466b1e6..1bfc7c2 100644 --- a/charts/kubezero-argocd/values.yaml +++ b/charts/kubezero-argocd/values.yaml @@ -6,9 +6,11 @@ istio: gateway: istio-ingress/ingressgateway ipBlocks: [] -argo-cd: - installCRDs: false +argocd-apps: + projects: [] + applications: [] +argo-cd: #configs: # secret: # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` 
@@ -16,62 +18,26 @@ argo-cd: # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST" global: + logging: + format: json # image: # tag: v2.1.6 configs: - secret: - createSecret: false - knownHosts: - data: - ssh_known_hosts: | - bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== - github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= - gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf - gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 - git.zero-downtime.net ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQC8YdJ4YcOK7A0K7qOWsRjCS+wHTStXRcwBe7gjG43HPSNijiCKoGf/c+tfNsRhyouawg7Law6M6ahmS/jKWBpznRIM+OdOFVSuhnK/nr6h6wG3/ZfdLicyAPvx1/STGY/Fc6/zXA88i/9PV+g84gSVmhf3fGY92wokiASiu9DU4T9dT1gIkdyOX6fbMi1/mMKLSrHnAQcjyasYDvw9ISCJ95EoSwbj7O4c+7jo9fxYvdCfZZZAEZGozTRLAAO0AnjVcRah7bZV/jfHJuhOipV/TB7UVAhlVv1dfGV7hoTp9UKtKZFJF4cjIrSGxqQA/mdhSdLgkepK7yc4Jp2xGnaarhY29DfqsQqop+ugFpTbj7Xy5Rco07mXc6XssbAZhI1xtCOX20N4PufBuYippCK5AE6AiAyVtJmvfGQk4HP+TjOyhFo7PZm3wc9Hym7IBBVC0Sl30K8ddufkAgHwNGvvu1ZmD9ZWaMOXJDHBCZGMMr16QREZwVtZTwMEQalc7/yqmuqMhmcJIfs/GA2Lt91y+pq9C8XyeUL0VFPch0vkcLSRe3ghMZpRFJ/ht307xPcLzgTJqN6oQtNNDzSQglSEjwhge2K4GyWcIh+oGsWxWz5dHyk1iJmw90Y976BZIl/mYVgbTtZAJ81oGe/0k5rAe+LDL+Yq6tG28QFOg0QmiQ== + styles: | + .sidebar__logo img { content: url(https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png); } + .sidebar { background: linear-gradient(to bottom, #6A4D79, #493558, #2D1B30, #0D0711); } - controller: - args: - statusProcessors: "8" - operationProcessors: "4" - appResyncPeriod: "300" - logFormat: json - - metrics: - enabled: false - serviceMonitor: - enabled: true - - resources: - # limits: - # cpu: 500m - # memory: 2048Mi - requests: - cpu: 100m - memory: 256Mi - - repoServer: - logFormat: json - metrics: - enabled: false - serviceMonitor: - enabled: true - - server: - logFormat: json - config: - #ui.bannercontent: "KubeZero Release 1.20.8-12 incl. ArgoCD 2.1 -> Release notes" - #ui.bannerurl: "https://blog.argoproj.io/argo-cd-v2-1-first-release-candidate-is-ready-c1aab7795638" + cm: + ui.bannercontent: "KubeZero v1.24 - Release notes" + ui.bannerurl: "https://kubezero.com/releases/v1.24" + ui.bannerpermanent: "true" + ui.bannerposition: "bottom" # argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio url: argocd.example.com - #repositories: | - # - url: https://cdn.zero-downtime.net/charts + timeout.reconciliation: 300 resource.customizations: | cert-manager.io/Certificate: 
@@ -98,17 +64,56 @@ argo-cd: hs.message = "Waiting for certificate" return hs - # Rename former https port to grpc, works with istio + insecure - service: - servicePortHttpsName: grpc + secret: + createSecret: false + knownHosts: + data: + ssh_known_hosts: | + bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= + github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl + github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= + gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + 
git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8YdJ4YcOK7A0K7qOWsRjCS+wHTStXRcwBe7gjG43HPSNijiCKoGf/c+tfNsRhyouawg7Law6M6ahmS/jKWBpznRIM+OdOFVSuhnK/nr6h6wG3/ZfdLicyAPvx1/STGY/Fc6/zXA88i/9PV+g84gSVmhf3fGY92wokiASiu9DU4T9dT1gIkdyOX6fbMi1/mMKLSrHnAQcjyasYDvw9ISCJ95EoSwbj7O4c+7jo9fxYvdCfZZZAEZGozTRLAAO0AnjVcRah7bZV/jfHJuhOipV/TB7UVAhlVv1dfGV7hoTp9UKtKZFJF4cjIrSGxqQA/mdhSdLgkepK7yc4Jp2xGnaarhY29DfqsQqop+ugFpTbj7Xy5Rco07mXc6XssbAZhI1xtCOX20N4PufBuYippCK5AE6AiAyVtJmvfGQk4HP+TjOyhFo7PZm3wc9Hym7IBBVC0Sl30K8ddufkAgHwNGvvu1ZmD9ZWaMOXJDHBCZGMMr16QREZwVtZTwMEQalc7/yqmuqMhmcJIfs/GA2Lt91y+pq9C8XyeUL0VFPch0vkcLSRe3ghMZpRFJ/ht307xPcLzgTJqN6oQtNNDzSQglSEjwhge2K4GyWcIh+oGsWxWz5dHyk1iJmw90Y976BZIl/mYVgbTtZAJ81oGe/0k5rAe+LDL+Yq6tG28QFOg0QmiQ== + + params: + controller.status.processors: "10" + controller.operation.processors: "5" + + server.insecure: true + server.enable.gzip: true + + controller: metrics: enabled: false serviceMonitor: enabled: true - extraArgs: - - --insecure + resources: + # limits: + # cpu: 500m + # memory: 2048Mi + requests: + cpu: 100m + memory: 256Mi + + repoServer: + metrics: + enabled: false + serviceMonitor: + enabled: true + + server: + # Rename former https port to grpc, works with istio + insecure + service: + servicePortHttpsName: grpc + metrics: + enabled: false + serviceMonitor: + enabled: true # redis: # We might want to try to keep redis close to the controller 
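Review bot: `server.insecure: true` in `configs.params` switches argocd-server to plain HTTP/gRPC, and the only hint of why is the unrelated `# Rename former https port to grpc, works with istio + insecure` comment further down; the security assumption (TLS is terminated at the Istio gateway and the gateway-to-argocd-server hop is protected by the mesh) belongs next to the flag, because any client that reaches the Service directly sees session tokens and repository credentials in the clear. I would add `# TLS is terminated at the Istio ingress; the in-cluster hop relies on mesh mTLS — never expose the argocd-server Service outside the mesh` directly above `server.insecure: true`. The same caveat applies to `config.argocd.plaintext: true` on the image-updater side, which is configured in a later hunk.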
@@ -122,3 +127,33 @@ argo-cd: notifications: enabled: false + +argocd-image-updater: + enabled: false + + # Unify all ArgoCD pieces under the same argocd namespace + fullnameOverride: argocd-image-updater + + config: + argocd: + plaintext: true + + metrics: + enabled: false + serviceMonitor: + enabled: true + + authScripts: + enabled: true + scripts: + ecr-login.sh: | + #!/bin/sh + aws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d + ecr-public-login.sh: | + #!/bin/sh + aws ecr-public --region us-east-1 get-authorization-token --output text --query 'authorizationData.authorizationToken' | base64 -d + sshConfig: + config: | + Host * + PubkeyAcceptedAlgorithms +ssh-rsa + HostkeyAlgorithms +ssh-rsa diff --git a/charts/kubezero-auth/Chart.yaml b/charts/kubezero-auth/Chart.yaml index ea3c042..5d17fe4 100644 --- a/charts/kubezero-auth/Chart.yaml +++ b/charts/kubezero-auth/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-auth description: KubeZero umbrella chart for all things Authentication and Identity management type: application -version: 0.2.4 -appVersion: 19.0.1 +version: 0.3.4 +appVersion: 20.0.2 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -14,7 +14,7 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.5" + version: ">= 0.1.6" repository: https://cdn.zero-downtime.net/charts/ - name: postgresql version: 11.8.1 diff --git a/charts/kubezero-auth/README.md b/charts/kubezero-auth/README.md index dc2fdcf..1cb849a 100644 --- a/charts/kubezero-auth/README.md +++ b/charts/kubezero-auth/README.md 
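Review bot: the `sshConfig` block re-enables `ssh-rsa` (RSA with SHA-1 signatures, disabled by default since OpenSSH 8.8) for `Host *`, which downgrades signature strength for every git host the image-updater talks to, including github.com and gitlab.com which offer rsa-sha2 and ed25519. Scope it to the one server that still needs it instead of the wildcard — from the known_hosts entries that is presumably `Host git.zero-downtime.net`, but confirm which host actually requires it — and add a comment saying why. `config.argocd.plaintext: true` sends the image-updater's Argo CD API token over unencrypted gRPC; that matches `server.insecure` on the argo-cd side but should carry the same "reachable only inside the mesh" caveat. The two ECR login scripts pipe `aws ... | base64 -d` with no error handling, so a failed `aws` call produces an empty credential string rather than a visible failure; capturing the token into a variable, testing it is non-empty and exiting non-zero otherwise would make registry auth problems diagnosable.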
@@ -1,6 +1,6 @@ # kubezero-auth -![Version: 0.2.4](https://img.shields.io/badge/Version-0.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 19.0.1](https://img.shields.io/badge/AppVersion-19.0.1-informational?style=flat-square) +![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 20.0.2](https://img.shields.io/badge/AppVersion-20.0.2-informational?style=flat-square) KubeZero umbrella chart for all things Authentication and Identity management @@ -18,7 +18,7 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://charts.bitnami.com/bitnami | postgresql | 11.8.1 | # Keycloak @@ -26,6 +26,8 @@ Kubernetes: `>= 1.20.0` ## Operator https://github.com/keycloak/keycloak/tree/main/operator +https://github.com/aerogear/keycloak-metrics-spi +https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates ## Resources @@ -41,6 +43,8 @@ https://github.com/keycloak/keycloak/tree/main/operator | keycloak.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | keycloak.istio.url | string | `""` | | | keycloak.metrics.enabled | bool | `false` | | +| keycloak.podDisruptionBudget.minAvailable | int | `1` | | +| keycloak.replicas | int | `1` | | | postgresql.auth.database | string | `"keycloak"` | | | postgresql.auth.existingSecret | string | `"kubezero-auth-postgresql"` | | | postgresql.auth.username | string | `"keycloak"` | | diff --git a/charts/kubezero-auth/README.md.gotmpl b/charts/kubezero-auth/README.md.gotmpl index 5d55cd6..c0b6241 100644 --- a/charts/kubezero-auth/README.md.gotmpl 
+++ b/charts/kubezero-auth/README.md.gotmpl @@ -18,6 +18,8 @@ ## Operator https://github.com/keycloak/keycloak/tree/main/operator +https://github.com/aerogear/keycloak-metrics-spi +https://github.com/keycloak/keycloak-benchmark/tree/main/provision/minikube/keycloak/templates ## Resources diff --git a/charts/kubezero-auth/crds/keycloak-realmimports.yaml b/charts/kubezero-auth/crds/keycloak-realmimports.yaml index cf4e799..b617a30 100644 --- a/charts/kubezero-auth/crds/keycloak-realmimports.yaml +++ b/charts/kubezero-auth/crds/keycloak-realmimports.yaml @@ -938,6 +938,8 @@ spec: type: array type: object type: array + otpPolicyCodeReusable: + type: boolean clientProfiles: type: object x-kubernetes-preserve-unknown-fields: true diff --git a/charts/kubezero-auth/crds/keycloak.yaml b/charts/kubezero-auth/crds/keycloak.yaml index 13abb8d..5003659 100644 --- a/charts/kubezero-auth/crds/keycloak.yaml +++ b/charts/kubezero-auth/crds/keycloak.yaml 
@@ -19,46 +19,59 @@ spec: properties: spec: properties: - hostname: - description: |- - Hostname for the Keycloak server. - The special value `INSECURE-DISABLE` disables the hostname strict resolution. - type: string instances: description: Number of Keycloak instances in HA mode. Default is 1. type: integer - serverConfiguration: - description: |- - Configuration of the Keycloak server. - expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets. - items: - properties: - secret: - properties: - optional: - type: boolean - key: - type: string - name: - type: string - type: object - value: - type: string - name: - type: string - type: object - type: array - tlsSecret: - description: |- - A secret containing the TLS configuration for HTTPS. Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets. - The special value `INSECURE-DISABLE` disables https. - type: string - disableDefaultIngress: - description: Disable the default ingress. - type: boolean - image: - description: Custom Keycloak image to be used. - type: string + transaction: + description: In this section you can find all properties related to + the settings of transaction behavior. + properties: + xaEnabled: + description: Determine whether Keycloak should use a non-XA datasource + in case the database does not support XA transactions. + type: boolean + type: object + http: + description: In this section you can configure Keycloak features related + to HTTP and HTTPS + properties: + httpPort: + description: The used HTTP port. + type: integer + tlsSecret: + description: "A secret containing the TLS configuration for HTTPS.\ + \ Reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets." + type: string + httpsPort: + description: The used HTTPS port. + type: integer + httpEnabled: + description: Enables the HTTP listener. 
+ type: boolean + type: object + hostname: + description: In this section you can configure Keycloak hostname and + related properties. + properties: + hostname: + description: Hostname for the Keycloak server. + type: string + strict: + description: Disables dynamically resolving the hostname from + request headers. + type: boolean + strictBackchannel: + description: By default backchannel URLs are dynamically resolved + from request headers to allow internal and external applications. + type: boolean + admin: + description: The hostname for accessing the administration console. + type: string + adminUrl: + description: "Set the base URL for accessing the administration\ + \ console, including scheme, host, port and path" + type: string + type: object unsupported: description: |- In this section you can configure podTemplate advanced features, not production-ready, and not supported settings. 
@@ -2765,9 +2778,123 @@ spec: type: object type: object type: object - required: - - hostname - - tlsSecret + ingress: + description: |- + The deployment is, by default, exposed through a basic ingress. + You can change this behaviour by setting the enabled property to false. + properties: + enabled: + type: boolean + type: object + image: + description: Custom Keycloak image to be used. + type: string + imagePullSecrets: + description: Secret(s) that might be used when pulling an image from + a private container image registry or repository. + items: + properties: + name: + type: string + type: object + type: array + additionalOptions: + description: |- + Configuration of the Keycloak server. + expressed as a keys (reference: https://www.keycloak.org/server/all-config) and values that can be either direct values or references to secrets. + items: + properties: + secret: + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + value: + type: string + name: + type: string + type: object + type: array + db: + description: In this section you can find all properties related to + connect to a database. + properties: + passwordSecret: + description: The reference to a secret holding the password of + the database user. + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + usernameSecret: + description: The reference to a secret holding the username of + the database user. + properties: + optional: + type: boolean + key: + type: string + name: + type: string + type: object + port: + description: "Sets the port of the default JDBC URL of the chosen\ + \ vendor. If the `url` option is set, this option is ignored." + type: integer + schema: + description: The database schema to be used. + type: string + host: + description: "Sets the hostname of the default JDBC URL of the\ + \ chosen vendor. If the `url` option is set, this option is\ + \ ignored." 
+ type: string + url: + description: "The full database JDBC URL. If not provided, a default\ + \ URL is set based on the selected database vendor. For instance,\ + \ if using 'postgres', the default JDBC URL would be 'jdbc:postgresql://localhost/keycloak'. " + type: string + poolInitialSize: + description: The initial size of the connection pool. + type: integer + poolMaxSize: + description: The maximum size of the connection pool. + type: integer + vendor: + description: The database vendor. + type: string + database: + description: "Sets the database name of the default JDBC URL of\ + \ the chosen vendor. If the `url` option is set, this option\ + \ is ignored." + type: string + poolMinSize: + description: The minimal size of the connection pool. + type: integer + type: object + features: + description: "In this section you can configure Keycloak features,\ + \ which should be enabled/disabled." + properties: + disabled: + description: Disabled Keycloak features + items: + type: string + type: array + enabled: + description: Enabled Keycloak features + items: + type: string + type: array + type: object type: object status: properties: diff --git a/charts/kubezero-auth/dashboards-keycloak.yaml b/charts/kubezero-auth/dashboards-keycloak.yaml new file mode 100644 index 0000000..033324f --- /dev/null +++ b/charts/kubezero-auth/dashboards-keycloak.yaml @@ -0,0 +1,8 @@ +configmap: grafana-dashboards +condition: '.Values.keycloak.metrics.enabled' +gzip: true +# folder: +dashboards: +- name: keycloak + url: https://grafana.com/api/dashboards/10441/revisions/2/download + tags: ['Keycloak', 'Auth'] diff --git a/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml b/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml new file mode 100644 index 0000000..8528a1e --- /dev/null +++ b/charts/kubezero-auth/templates/keycloak/grafana-dashboards.yaml 
@@ -0,0 +1,13 @@ +{{- if .Values.keycloak.metrics.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards" | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace }} + labels: + grafana_dashboard: "1" + {{- include "kubezero-lib.labels" . | nindent 4 }} +binaryData: + keycloak.json.gz: + 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 +{{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml index 641354e..8cdbf8e 100644 --- a/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml +++ b/charts/kubezero-auth/templates/keycloak/istio-authorization-policy.yaml @@ -1,8 +1,8 @@ -{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled .Values.keycloak.istio.ipBlocks }} +{{- if and .Values.keycloak.enabled .Values.keycloak.istio.enabled }} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: {{ .Release.Name }}-deny-not-in-ipblocks + name: {{ .Release.Name }}-deny-metrics-ipblocks namespace: istio-system labels: {{- include "kubezero-lib.labels" $ | nindent 4 }} @@ -12,6 +12,15 @@ spec: app: istio-ingressgateway action: DENY rules: + - to: + - operation: + hosts: ["{{ .Values.keycloak.istio.url }}"] + paths: ["/auth/realms/master/metrics"] + when: + - key: connection.sni + values: + - '*' + {{- if .Values.keycloak.istio.ipBlocks }} - from: - source: notIpBlocks: @@ -23,4 +32,5 @@ spec: - key: connection.sni values: - '*' + {{- end }} {{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/keycloak.yaml b/charts/kubezero-auth/templates/keycloak/keycloak.yaml index 77c4238..f11b23f 100644 --- a/charts/kubezero-auth/templates/keycloak/keycloak.yaml +++ b/charts/kubezero-auth/templates/keycloak/keycloak.yaml 
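Review bot: the new DENY rule matches only the exact path `/auth/realms/master/metrics`, which is narrower than what it appears to protect: if the metrics SPI is registered as a realm resource provider (keycloak-metrics-spi, referenced in the README hunk, works that way as far as I know) the same endpoint answers under every realm, so `/auth/realms/<other-realm>/metrics` stays reachable, and on Keycloak 20 (Quarkus) the path has no `/auth` prefix unless `http-relative-path=/auth` is set, which this page does not show. Istio `paths` only support prefix, suffix and presence wildcards, so a suffix match such as `paths: ["*/metrics"]` is the robust form here (nothing legitimate under the Keycloak host should end in `/metrics`). Separately, `keycloak.istio.url` defaults to `""` per the README, and with `istio.enabled` but no url set the template now renders `hosts: [""]`, which Istio will presumably reject or never match — gate the rule on the url being set, or use the same `default "keycloak"` fallback the Keycloak CR uses.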
@@ -4,13 +4,17 @@ kind: Keycloak metadata: name: {{ template "kubezero-lib.fullname" . }} namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} spec: - instances: 1 - disableDefaultIngress: true + instances: {{ .Values.keycloak.replicas }} - serverConfiguration: + additionalOptions: + # Needs int casting thx to https://github.com/kubernetes-sigs/yaml/issues/45 + {{- if lt (int .Values.keycloak.replicas) 2 }} - name: cache value: local + {{- end }} {{- if .Values.postgresql.enabled }} - name: db value: postgres @@ -30,15 +34,23 @@ spec: - name: hostname-strict-https value: "false" - name: proxy - value: passthrough + value: edge - name: http-enabled value: "true" + - name: log-console-output + value: json - #hostname: INSECURE-DISABLE - hostname: {{ default "keycloak" .Values.keycloak.istio.url }} - + ingress: + enabled: false + + http: + httpEnabled: true + # We use Istio Ingress to terminate TLS # mTls down the road - tlsSecret: INSECURE-DISABLE + hostname: + hostname: {{ default "keycloak" .Values.keycloak.istio.url }} + strict: false + strictBackchannel: false {{- end }} diff --git a/charts/kubezero-auth/templates/keycloak/operator.yaml b/charts/kubezero-auth/templates/keycloak/operator.yaml index 42c616a..4bdd9c6 100644 --- a/charts/kubezero-auth/templates/keycloak/operator.yaml +++ b/charts/kubezero-auth/templates/keycloak/operator.yaml 
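Review bot: `value: edge` for `proxy` together with `http-enabled: "true"` in `@@ -30,15 +34,23 @@` makes Keycloak treat `X-Forwarded-*` headers on plain HTTP as authoritative, which is only safe while the Istio gateway is the sole route to the pod; the `# We use Istio Ingress to terminate TLS` comment records the intent, but nothing in this file enforces it. A comment next to the option would make the precondition visible, e.g. `# proxy=edge trusts X-Forwarded-* headers: keep the pod reachable only via the Istio gateway (sidecar mTLS / AuthorizationPolicy)`, and it is worth confirming the chart's Istio policies cover the Keycloak workload itself rather than only the `istio-ingressgateway` selector seen in the AuthorizationPolicy. `strict: false` and `strictBackchannel: false` let request headers drive the URLs not fixed by `hostname`; if that is deliberate for in-cluster backchannel callers, say so in a comment. The `{{- end }}` at the end of the hunk closes an `{{- if }}` that starts outside it.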
@@ -4,20 +4,20 @@ apiVersion: v1 kind: ServiceAccount metadata: annotations: - app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 + app.quarkus.io/build-timestamp: 2022-12-13 - 14:29:14 +0000 labels: - app.kubernetes.io/version: 19.0.1 app.kubernetes.io/name: keycloak-operator + app.kubernetes.io/version: 20.0.2 name: keycloak-operator --- apiVersion: v1 kind: Service metadata: annotations: - app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 + app.quarkus.io/build-timestamp: 2022-12-13 - 14:29:14 +0000 labels: app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 19.0.1 + app.kubernetes.io/version: 20.0.2 name: keycloak-operator spec: ports: @@ -26,7 +26,7 @@ spec: targetPort: 8080 selector: app.kubernetes.io/name: keycloak-operator - app.kubernetes.io/version: 19.0.1 + app.kubernetes.io/version: 20.0.2 type: ClusterIP --- apiVersion: rbac.authorization.k8s.io/v1 @@ -179,24 +179,24 @@ apiVersion: apps/v1 kind: Deployment metadata: annotations: - app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 + app.quarkus.io/build-timestamp: 2022-12-13 - 14:29:14 +0000 labels: - app.kubernetes.io/version: 19.0.1 app.kubernetes.io/name: keycloak-operator + app.kubernetes.io/version: 20.0.2 name: keycloak-operator spec: replicas: 1 selector: matchLabels: - app.kubernetes.io/version: 19.0.1 app.kubernetes.io/name: keycloak-operator + app.kubernetes.io/version: 20.0.2 template: metadata: annotations: - app.quarkus.io/build-timestamp: 2022-07-29 - 11:21:21 +0000 + app.quarkus.io/build-timestamp: 2022-12-13 - 14:29:14 +0000 labels: - app.kubernetes.io/version: 19.0.1 app.kubernetes.io/name: keycloak-operator + app.kubernetes.io/version: 20.0.2 spec: containers: - env: 
@@ -205,8 +205,8 @@ spec: fieldRef: fieldPath: metadata.namespace - name: OPERATOR_KEYCLOAK_IMAGE - value: quay.io/keycloak/keycloak:19.0.1 - image: quay.io/keycloak/keycloak-operator:19.0.1 + value: quay.io/keycloak/keycloak:20.0.2 + image: quay.io/keycloak/keycloak-operator:20.0.2 imagePullPolicy: Always livenessProbe: failureThreshold: 3 diff --git a/charts/kubezero-auth/templates/keycloak/pdb.yaml b/charts/kubezero-auth/templates/keycloak/pdb.yaml new file mode 100644 index 0000000..6386d20 --- /dev/null +++ b/charts/kubezero-auth/templates/keycloak/pdb.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.keycloak.podDisruptionBudget (gt (int .Values.keycloak.replicas) 1) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "kubezero-lib.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: keycloak + app.kubernetes.io/managed-by: keycloak-operator + {{- toYaml .Values.keycloak.podDisruptionBudget | nindent 2 }} +{{- end }} diff --git a/charts/kubezero-auth/update.sh b/charts/kubezero-auth/update.sh index dbc2a47..393f71a 100755 --- a/charts/kubezero-auth/update.sh +++ b/charts/kubezero-auth/update.sh 
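Review bot: The PDB selector in the new `pdb.yaml` (`app: keycloak` / `app.kubernetes.io/managed-by: keycloak-operator`) relies on labels set by the operator and is not scoped to this release's Keycloak CR, so a second Keycloak instance in the same namespace would fall under the same budget. If the operator labels its pods with the CR name (confirm for the 20.0.2 operator bundled in this commit), add that label to `matchLabels`; either way a comment that these labels are operator-owned would help: `# labels are set by keycloak-operator on the Keycloak pods; re-check after operator upgrades`. The gate `gt (int .Values.keycloak.replicas) 1` is sound, since `minAvailable: 1` with a single replica would block node drains.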
@@ -9,8 +9,11 @@ helm dep update # Operator VERSION=$(yq eval '.appVersion' Chart.yaml) -wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml -wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml +wget -O crds/keycloak.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloaks.k8s.keycloak.org-v1.yml +wget -O crds/keycloak-realmimports.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml -wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${VERSION}/kubernetes/kubernetes.yml +wget -O templates/keycloak/operator.yaml https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/"${VERSION}"/kubernetes/kubernetes.yml patch -i keycloak.patch -p0 --no-backup-if-mismatch + +# Fetch dashboards +../kubezero-metrics/sync_grafana_dashboards.py dashboards-keycloak.yaml templates/keycloak/grafana-dashboards.yaml diff --git a/charts/kubezero-auth/values.yaml b/charts/kubezero-auth/values.yaml index ec225c7..8cf95a5 100644 --- a/charts/kubezero-auth/values.yaml +++ b/charts/kubezero-auth/values.yaml @@ -1,6 +1,10 @@ keycloak: enabled: false + replicas: 1 + podDisruptionBudget: + minAvailable: 1 + istio: enabled: false gateway: istio-ingress/private-ingressgateway diff --git a/charts/kubezero-cert-manager/Chart.yaml b/charts/kubezero-cert-manager/Chart.yaml index da35efa..f8efd80 100644 --- a/charts/kubezero-cert-manager/Chart.yaml +++ b/charts/kubezero-cert-manager/Chart.yaml 
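Review bot: The `wget` lines fetch the CRDs and the operator manifest from `raw.githubusercontent.com` by the `${VERSION}` tag with no integrity check, and nothing in the hunk stops the script when a download fails — `patch -i keycloak.patch` and the new dashboard sync then run on whatever landed on disk. The committed output does make upstream changes visible as a git diff, which is the effective control here, so the cheap improvements are a strict preamble (`set -euo pipefail`, if the lines above this hunk do not already set one) and, optionally, a recorded checksum or commit pin so a moved tag shows up as an explicit change rather than a silent rewrite of `templates/keycloak/operator.yaml`. Quoting `"${VERSION}"` is a good fix.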
@@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-cert-manager description: KubeZero Umbrella Chart for cert-manager type: application -version: 0.9.2 +version: 0.9.3 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -13,9 +13,9 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.5" + version: ">= 0.1.6" repository: https://cdn.zero-downtime.net/charts/ - name: cert-manager version: 1.9.1 repository: https://charts.jetstack.io -kubeVersion: ">= 1.20.0" +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero-cert-manager/README.md b/charts/kubezero-cert-manager/README.md index 82459cc..00bfb49 100644 --- a/charts/kubezero-cert-manager/README.md +++ b/charts/kubezero-cert-manager/README.md @@ -1,6 +1,6 @@ # kubezero-cert-manager -![Version: 0.9.2](https://img.shields.io/badge/Version-0.9.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.9.3](https://img.shields.io/badge/Version-0.9.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for cert-manager @@ -14,11 +14,11 @@ KubeZero Umbrella Chart for cert-manager ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://charts.jetstack.io | cert-manager | 1.9.1 | ## AWS - OIDC IAM roles 
@@ -35,6 +35,8 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.cainjector.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | cert-manager.cainjector.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.cainjector.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| cert-manager.cainjector.tolerations[1].effect | string | `"NoSchedule"` | | +| cert-manager.cainjector.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | cert-manager.enabled | bool | `true` | | | cert-manager.extraArgs[0] | string | `"--dns01-recursive-nameservers-only"` | | | cert-manager.global.leaderElection.namespace | string | `"cert-manager"` | | @@ -45,9 +47,13 @@ If your resolvers need additional sercrets like CloudFlare API tokens etc. make | cert-manager.startupapicheck.enabled | bool | `false` | | | cert-manager.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| cert-manager.tolerations[1].effect | string | `"NoSchedule"` | | +| cert-manager.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | cert-manager.webhook.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | cert-manager.webhook.tolerations[0].effect | string | `"NoSchedule"` | | | cert-manager.webhook.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| cert-manager.webhook.tolerations[1].effect | string | `"NoSchedule"` | | +| cert-manager.webhook.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | clusterIssuer | object | `{}` | | | localCA.enabled | bool | `false` | | | localCA.selfsigning | bool | `true` | | diff --git a/charts/kubezero-cert-manager/dashboards.yaml b/charts/kubezero-cert-manager/dashboards.yaml index db3fa8f..e0613f8 100644 --- a/charts/kubezero-cert-manager/dashboards.yaml 
+++ b/charts/kubezero-cert-manager/dashboards.yaml @@ -1,4 +1,4 @@ -configmap: cert-manager-grafana-dashboard +configmap: grafana-dashboard gzip: true folder: KubeZero condition: 'index .Values "cert-manager" "prometheus" "servicemonitor" "enabled"' diff --git a/charts/kubezero-cert-manager/jsonnetfile.lock.json b/charts/kubezero-cert-manager/jsonnetfile.lock.json index c2794e2..62435b5 100644 --- a/charts/kubezero-cert-manager/jsonnetfile.lock.json +++ b/charts/kubezero-cert-manager/jsonnetfile.lock.json @@ -18,7 +18,7 @@ "subdir": "contrib/mixin" } }, - "version": "b872757492ca70f350abd44eb95d81b95339f581", + "version": "f1842b6ecf67a8102766cc914eaa2a8c7ad97314", "sum": "W/Azptf1PoqjyMwJON96UY69MFugDA4IAYiKURscryc=" }, { @@ -28,8 +28,8 @@ "subdir": "grafonnet" } }, - "version": "6db00c292d3a1c71661fc875f90e0ec7caa538c2", - "sum": "gF8foHByYcB25jcUOBqP6jxk0OPifQMjPvKY0HaCk6w=" + "version": "30280196507e0fe6fa978a3e0eaca3a62844f817", + "sum": "342u++/7rViR/zj2jeJOjshzglkZ1SY+hFNuyCBFMdc=" }, { "source": { @@ -38,8 +38,8 @@ "subdir": "grafana-builder" } }, - "version": "5fb2525651cc6e5100e081b10ad9fbe7e3595231", - "sum": "0KkygBQd/AFzUvVzezE4qF/uDYgrwUXVpZfINBti0oc=" + "version": "15484ab1cb78eb7588e6b79ac52fc04e63f552b4", + "sum": "tDR6yT2GVfw0wTU12iZH+m01HrbIr6g/xN+/8nzNkU0=" }, { "source": { @@ -48,8 +48,8 @@ "subdir": "" } }, - "version": "b538a10c89508f8d12885680cca72a134d3127f5", - "sum": "GLt5T2k4RKg36Gfcaf9qlTfVumDitqotVD0ipz/bPJ4=" + "version": "ab104c5c406b91078d676475c14ab18644f84f2d", + "sum": "tRpIInEClWUNe5IS6uIjucFN/KqDFgg19+yo78VrLfU=" }, { "source": { @@ -58,7 +58,7 @@ "subdir": "lib/promgrafonnet" } }, - "version": "62ad10fe9ceb53c6b846871997abbfe8e0bd7cf5", + "version": "3c386687c1f8ceb6b79ff887c4a934e9cee1b90a", "sum": "zv7hXGui6BfHzE9wPatHI/AGZa4A2WKo6pq7ZdqBsps=" }, { 
@@ -88,8 +88,8 @@ "subdir": "jsonnet/kube-prometheus" } }, - "version": "125fb56d7495e20f504e1537ae949e8261a2f812", - "sum": "QwH53kTe1jWCeXmQe7+U1PBs/a1p4MCTEW3B8IiIxeo=" + "version": "e7eff18e7e70d7f1168105521451c4d7bd6a6d96", + "sum": "gcgf9y8wos4W8jgcJKuTDfORYDigCxx+q3QOYEijQFo=" }, { "source": { diff --git a/charts/kubezero-cert-manager/templates/grafana-dashboards.yaml b/charts/kubezero-cert-manager/templates/grafana-dashboards.yaml index 0c22829..45cfc65 100644 --- a/charts/kubezero-cert-manager/templates/grafana-dashboards.yaml +++ b/charts/kubezero-cert-manager/templates/grafana-dashboards.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "cert-manager-grafana-dashboard" | trunc 63 | trimSuffix "-" }} + name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboard" | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace }} labels: grafana_dashboard: "1" diff --git a/charts/kubezero-cert-manager/templates/prometheus-rules.yaml b/charts/kubezero-cert-manager/templates/prometheus-rules.yaml index 45bd495..cbf455b 100644 --- a/charts/kubezero-cert-manager/templates/prometheus-rules.yaml +++ b/charts/kubezero-cert-manager/templates/prometheus-rules.yaml @@ -1,4 +1,3 @@ -{{- if index .Values "cert-manager" "prometheus" "servicemonitor" "enabled" }} apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: @@ -51,4 +50,4 @@ spec: for: 5m labels: severity: critical -{{- end }} + diff --git a/charts/kubezero-cert-manager/values.yaml b/charts/kubezero-cert-manager/values.yaml index 27783cf..1629bdc 100644 --- a/charts/kubezero-cert-manager/values.yaml +++ b/charts/kubezero-cert-manager/values.yaml @@ -49,6 +49,8 @@ cert-manager: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" 
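Review bot: Removing the `{{- if index .Values "cert-manager" "prometheus" "servicemonitor" "enabled" }}` guard in `prometheus-rules.yaml` makes the `PrometheusRule` render unconditionally, so installing the chart on a cluster without the `monitoring.coreos.com/v1` CRDs will now fail at apply time even when metrics are disabled; the companion dashboard ConfigMap keeps its `condition:` on the same value in `dashboards.yaml`, so the two are now inconsistent. If the file is regenerated by a tool that does not know the guard, have the generator re-emit it or restore the wrapper: `{{- if index .Values "cert-manager" "prometheus" "servicemonitor" "enabled" }}` … `{{- end }}`. The second hunk (`@@ -51,4 +50,4 @@`) replaces the closing `{{- end }}` with an empty line, leaving a stray trailing blank line.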
@@ -60,6 +62,8 @@ cert-manager: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" @@ -67,6 +71,8 @@ cert-manager: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" diff --git a/charts/kubezero-ci/Chart.yaml b/charts/kubezero-ci/Chart.yaml index cb49ced..fc9ebf8 100644 --- a/charts/kubezero-ci/Chart.yaml +++ b/charts/kubezero-ci/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-ci description: KubeZero umbrella chart for all things CI type: application -version: 0.5.14 +version: 0.5.25 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,18 +15,18 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.5" + version: ">= 0.1.6" repository: https://cdn.zero-downtime.net/charts/ - name: gocd version: 1.40.8 repository: https://gocd.github.io/helm-chart condition: gocd.enabled - name: gitea - version: 5.0.9 + version: 6.0.5 repository: https://dl.gitea.io/charts/ condition: gitea.enabled - name: jenkins - version: 4.2.6 + version: 4.2.20 repository: https://charts.jenkins.io condition: jenkins.enabled - name: trivy diff --git a/charts/kubezero-ci/README.md b/charts/kubezero-ci/README.md index 0bf825b..dc80155 100644 --- a/charts/kubezero-ci/README.md +++ b/charts/kubezero-ci/README.md 
@@ -1,6 +1,6 @@ # kubezero-ci -![Version: 0.5.14](https://img.shields.io/badge/Version-0.5.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.5.24](https://img.shields.io/badge/Version-0.5.24-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things CI @@ -19,9 +19,9 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| | https://aquasecurity.github.io/helm-charts/ | trivy | 0.4.17 | -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | -| https://charts.jenkins.io | jenkins | 4.2.6 | -| https://dl.gitea.io/charts/ | gitea | 5.0.9 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | +| https://charts.jenkins.io | jenkins | 4.2.17 | +| https://dl.gitea.io/charts/ | gitea | 6.0.5 | | https://gocd.github.io/helm-chart | gocd | 1.40.8 | # Jenkins @@ -52,9 +52,8 @@ Kubernetes: `>= 1.20.0` | gitea.gitea.config.database.DB_TYPE | string | `"sqlite3"` | | | gitea.gitea.demo | bool | `false` | | | gitea.gitea.metrics.enabled | bool | `false` | | -| gitea.gitea.metrics.serviceMonitor.enabled | bool | `false` | | +| gitea.gitea.metrics.serviceMonitor.enabled | bool | `true` | | | gitea.image.rootless | bool | `true` | | -| gitea.image.tag | string | `"1.17.1"` | | | gitea.istio.enabled | bool | `false` | | | gitea.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | gitea.istio.url | string | `"git.example.com"` | | 
@@ -64,6 +63,9 @@ Kubernetes: `>= 1.20.0` | gitea.persistence.enabled | bool | `true` | | | gitea.persistence.size | string | `"4Gi"` | | | gitea.postgresql.enabled | bool | `false` | | +| gitea.resources.limits.memory | string | `"2048Mi"` | | +| gitea.resources.requests.cpu | string | `"150m"` | | +| gitea.resources.requests.memory | string | `"320Mi"` | | | gitea.securityContext.allowPrivilegeEscalation | bool | `false` | | | gitea.securityContext.capabilities.add[0] | string | `"SYS_CHROOT"` | | | gitea.securityContext.capabilities.drop[0] | string | `"ALL"` | | 
@@ -76,43 +78,40 @@ Kubernetes: `>= 1.20.0` | jenkins.agent.annotations."container.apparmor.security.beta.kubernetes.io/jnlp" | string | `"unconfined"` | | | jenkins.agent.containerCap | int | `2` | | | jenkins.agent.customJenkinsLabels[0] | string | `"podman-aws-trivy"` | | -| jenkins.agent.idleMinutes | int | `10` | | +| jenkins.agent.idleMinutes | int | `15` | | | jenkins.agent.image | string | `"public.ecr.aws/zero-downtime/jenkins-podman"` | | | jenkins.agent.podName | string | `"podman-aws"` | | | jenkins.agent.podRetention | string | `"Default"` | | -| jenkins.agent.resources.limits.cpu | string | `"4"` | | -| jenkins.agent.resources.limits.memory | string | `"6144Mi"` | | -| jenkins.agent.resources.requests.cpu | string | `"512m"` | | -| jenkins.agent.resources.requests.memory | string | `"1024Mi"` | | | jenkins.agent.showRawYaml | bool | `false` | | -| jenkins.agent.tag | string | `"v0.3.2"` | | +| jenkins.agent.tag | string | `"v0.4.1"` | | | jenkins.agent.yamlMergeStrategy | string | `"merge"` | | -| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n limits:\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | | +| jenkins.agent.yamlTemplate | string | `"apiVersion: v1\nkind: Pod\nspec:\n securityContext:\n fsGroup: 1000\n serviceAccountName: jenkins-podman-aws\n containers:\n - name: jnlp\n resources:\n requests:\n cpu: \"512m\"\n memory: \"1024Mi\"\n limits:\n 
cpu: \"4\"\n memory: \"6144Mi\"\n github.com/fuse: 1\n volumeMounts:\n - name: aws-token\n mountPath: \"/var/run/secrets/sts.amazonaws.com/serviceaccount/\"\n readOnly: true\n - name: host-registries-conf\n mountPath: \"/home/jenkins/.config/containers/registries.conf\"\n readOnly: true\n volumes:\n - name: aws-token\n projected:\n sources:\n - serviceAccountToken:\n path: token\n expirationSeconds: 86400\n audience: \"sts.amazonaws.com\"\n - name: host-registries-conf\n hostPath:\n path: /etc/containers/registries.conf\n type: File"` | | | jenkins.controller.JCasC.configScripts.zdt-settings | string | `"jenkins:\n noUsageStatistics: true\n disabledAdministrativeMonitors:\n - \"jenkins.security.ResourceDomainRecommendation\"\nunclassified:\n buildDiscarders:\n configuredBuildDiscarders:\n - \"jobBuildDiscarder\"\n - defaultBuildDiscarder:\n discarder:\n logRotator:\n artifactDaysToKeepStr: \"32\"\n artifactNumToKeepStr: \"10\"\n daysToKeepStr: \"100\"\n numToKeepStr: \"10\"\n"` | | | jenkins.controller.disableRememberMe | bool | `true` | | | jenkins.controller.enableRawHtmlMarkupFormatter | bool | `true` | | -| jenkins.controller.initContainerResources.limits.cpu | string | `"1000m"` | | | jenkins.controller.initContainerResources.limits.memory | string | `"1024Mi"` | | | jenkins.controller.initContainerResources.requests.cpu | string | `"50m"` | | | jenkins.controller.initContainerResources.requests.memory | string | `"256Mi"` | | -| jenkins.controller.installPlugins[0] | string | `"kubernetes:3706.vdfb_d599579f3"` | | +| jenkins.controller.installPlugins[0] | string | `"kubernetes:3743.v1fa_4c724c3b_7"` | | +| jenkins.controller.installPlugins[10] | string | `"build-discarder:139.v05696a_7fe240"` | | +| jenkins.controller.installPlugins[11] | string | `"dark-theme:262.v0202a_4c8fb_6a"` | | +| jenkins.controller.installPlugins[12] | string | `"kubernetes-credentials-provider:1.206.v7ce2cf7b_0c8b"` | | | jenkins.controller.installPlugins[1] | string | 
`"workflow-aggregator:581.v0c46fa_697ffd"` | | -| jenkins.controller.installPlugins[2] | string | `"git:4.12.1"` | | -| jenkins.controller.installPlugins[3] | string | `"configuration-as-code:1512.vb_79d418d5fc8"` | | -| jenkins.controller.installPlugins[4] | string | `"antisamy-markup-formatter:2.7"` | | -| jenkins.controller.installPlugins[5] | string | `"prometheus:2.0.11"` | | -| jenkins.controller.installPlugins[6] | string | `"htmlpublisher:1.31"` | | -| jenkins.controller.installPlugins[7] | string | `"build-discarder:139.v05696a_7fe240"` | | -| jenkins.controller.installPlugins[8] | string | `"dark-theme:245.vb_a_2b_b_010ea_96"` | | -| jenkins.controller.installPlugins[9] | string | `"kubernetes-credentials-provider:1.196.va_55f5e31e3c2"` | | +| jenkins.controller.installPlugins[2] | string | `"git:4.14.3"` | | +| jenkins.controller.installPlugins[3] | string | `"basic-branch-build-strategies:71.vc1421f89888e"` | | +| jenkins.controller.installPlugins[4] | string | `"pipeline-graph-view:144.vf3924feb_7e35"` | | +| jenkins.controller.installPlugins[5] | string | `"pipeline-stage-view:2.28"` | | +| jenkins.controller.installPlugins[6] | string | `"configuration-as-code:1569.vb_72405b_80249"` | | +| jenkins.controller.installPlugins[7] | string | `"antisamy-markup-formatter:155.v795fb_8702324"` | | +| jenkins.controller.installPlugins[8] | string | `"prometheus:2.0.11"` | | +| jenkins.controller.installPlugins[9] | string | `"htmlpublisher:1.31"` | | | jenkins.controller.javaOpts | string | `"-XX:+UseContainerSupport -XX:+UseStringDeduplication -Dhudson.model.DirectoryBrowserSupport.CSP=\"sandbox allow-popups; default-src 'none'; img-src 'self' cdn.zero-downtime.net; style-src 'unsafe-inline';\""` | | | jenkins.controller.jenkinsOpts | string | `"--sessionTimeout=180 --sessionEviction=3600"` | | | jenkins.controller.prometheus.enabled | bool | `false` | | -| jenkins.controller.resources.limits.cpu | string | `"2000m"` | | | 
jenkins.controller.resources.limits.memory | string | `"4096Mi"` | | | jenkins.controller.resources.requests.cpu | string | `"250m"` | | | jenkins.controller.resources.requests.memory | string | `"1280Mi"` | | -| jenkins.controller.tag | string | `"2.370-alpine-jdk17"` | | +| jenkins.controller.tag | string | `"alpine-jdk17"` | | | jenkins.controller.testEnabled | bool | `false` | | | jenkins.enabled | bool | `false` | | | jenkins.istio.agent.enabled | bool | `false` | | @@ -129,7 +128,7 @@ Kubernetes: `>= 1.20.0` | jenkins.serviceAccountAgent.create | bool | `true` | | | jenkins.serviceAccountAgent.name | string | `"jenkins-podman-aws"` | | | trivy.enabled | bool | `false` | | +| trivy.image.tag | string | `"0.35.0"` | | | trivy.persistence.enabled | bool | `true` | | | trivy.persistence.size | string | `"1Gi"` | | | trivy.rbac.create | bool | `false` | | -| trivy.rbac.pspEnabled | bool | `false` | | diff --git a/charts/kubezero-ci/dashboard-gitea.yaml b/charts/kubezero-ci/dashboard-gitea.yaml new file mode 100644 index 0000000..41ad30b --- /dev/null +++ b/charts/kubezero-ci/dashboard-gitea.yaml @@ -0,0 +1,9 @@ +configmap: grafana-dashboards +gzip: true +condition: '.Values.gitea.gitea.metrics.enabled' +folder: KubeZero +dashboards: +- name: Gitea + url: https://grafana.com/api/dashboards/13192/revisions/1/download + tags: + - CI diff --git a/charts/kubezero-ci/dashboards.yaml b/charts/kubezero-ci/dashboard-jenkins.yaml similarity index 100% rename from charts/kubezero-ci/dashboards.yaml rename to charts/kubezero-ci/dashboard-jenkins.yaml diff --git a/charts/kubezero-ci/templates/gitea/grafana-dashboard.yaml b/charts/kubezero-ci/templates/gitea/grafana-dashboard.yaml new file mode 100644 index 0000000..f008aa8 --- /dev/null +++ b/charts/kubezero-ci/templates/gitea/grafana-dashboard.yaml 
@@ -0,0 +1,15 @@ +{{- if .Values.gitea.gitea.metrics.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards" | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace }} + labels: + grafana_dashboard: "1" + {{- include "kubezero-lib.labels" . | nindent 4 }} + annotations: + k8s-sidecar-target-directory: KubeZero +binaryData: + Gitea.json.gz: + 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 +{{- end }} diff --git a/charts/kubezero-ci/templates/grafana-dashboards.yaml b/charts/kubezero-ci/templates/jenkins/grafana-dashboard.yaml similarity index 100% rename from charts/kubezero-ci/templates/grafana-dashboards.yaml rename to charts/kubezero-ci/templates/jenkins/grafana-dashboard.yaml diff --git a/charts/kubezero-ci/update.sh b/charts/kubezero-ci/update.sh index 035ab68..0ded8aa 100755 --- a/charts/kubezero-ci/update.sh +++ b/charts/kubezero-ci/update.sh @@ -3,4 +3,5 @@ helm dep update # Create ZDT dashboard configmap -../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml +../kubezero-metrics/sync_grafana_dashboards.py dashboard-jenkins.yaml templates/jenkins/grafana-dashboard.yaml +../kubezero-metrics/sync_grafana_dashboards.py dashboard-gitea.yaml templates/gitea/grafana-dashboard.yaml diff --git a/charts/kubezero-ci/values.yaml b/charts/kubezero-ci/values.yaml index ec3b5d4..b39fa88 100644 --- a/charts/kubezero-ci/values.yaml +++ b/charts/kubezero-ci/values.yaml @@ -17,7 +17,7 @@ gitea: enabled: false image: - tag: 1.17.1 + #tag: 1.17.4 rootless: true securityContext: @@ -32,6 +32,13 @@ gitea: enabled: true size: 4Gi + resources: + requests: + cpu: "150m" + memory: "320Mi" + limits: + memory: "2048Mi" + gitea: admin: existingSecret: gitea-admin-secret @@ -42,7 +49,7 @@ gitea: metrics: enabled: false serviceMonitor: - enabled: false + enabled: true config: database: 
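Review bot: Commenting out `tag:` in `@@ -17,7 +17,7 @@` of the kubezero-ci `values.yaml` makes the Gitea image version follow the subchart's default (the appVersion of gitea 6.0.5) instead of an explicit pin, so a future `helm dep update` changes the running image without a visible values change. If that is intended, say so: `# tag: unset on purpose — follow the gitea chart appVersion`; otherwise keep an explicit tag. The `#tag: 1.17.4` left behind reads as a stale value rather than a deliberate default.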
@@ -69,7 +76,7 @@ jenkins: enabled: false controller: - tag: 2.370-alpine-jdk17 + tag: alpine-jdk17 #tagLabel: alpine disableRememberMe: true prometheus: @@ -84,14 +91,14 @@ jenkins: cpu: "250m" memory: "1280Mi" limits: - cpu: "2000m" + #cpu: "2000m" memory: "4096Mi" initContainerResources: requests: cpu: "50m" memory: "256Mi" limits: - cpu: "1000m" + #cpu: "1000m" memory: "1024Mi" JCasC: @@ -114,16 +121,19 @@ jenkins: numToKeepStr: "10" installPlugins: - - kubernetes:3706.vdfb_d599579f3 + - kubernetes:3802.vb_b_600831fcb_3 - workflow-aggregator:581.v0c46fa_697ffd - - git:4.12.1 - - configuration-as-code:1512.vb_79d418d5fc8 - - antisamy-markup-formatter:2.7 - - prometheus:2.0.11 + - git:5.0.0 + - basic-branch-build-strategies:71.vc1421f89888e + - pipeline-graph-view:144.vf3924feb_7e35 + - pipeline-stage-view:2.28 + - configuration-as-code:1569.vb_72405b_80249 + - antisamy-markup-formatter:155.v795fb_8702324 + - prometheus:2.1.0 - htmlpublisher:1.31 - build-discarder:139.v05696a_7fe240 - - dark-theme:245.vb_a_2b_b_010ea_96 - - kubernetes-credentials-provider:1.196.va_55f5e31e3c2 + - dark-theme:262.v0202a_4c8fb_6a + - kubernetes-credentials-provider:1.208.v128ee9800c04 serviceAccountAgent: create: true @@ -132,24 +142,24 @@ jenkins: # Preconfigure agents to use zdt podman requires fuse/overlayfs agent: image: public.ecr.aws/zero-downtime/jenkins-podman - tag: v0.3.2 - resources: - requests: - cpu: "512m" - memory: "1024Mi" - limits: - cpu: "4" - memory: "6144Mi" + tag: v0.4.1 #alwaysPullImage: true podRetention: "Default" showRawYaml: false podName: "podman-aws" customJenkinsLabels: - podman-aws-trivy - idleMinutes: 10 + idleMinutes: 15 containerCap: 2 annotations: container.apparmor.security.beta.kubernetes.io/jnlp: unconfined + resources: + requests: + cpu: "" + memory: "" + limits: + cpu: "" + memory: "" # envVars: # - name: AWS_WEB_IDENTITY_TOKEN_FILE # value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" 
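Review bot: `tag: alpine-jdk17` in `@@ -69,7 +76,7 @@` is a floating tag, so the controller image now moves with every pull rather than through a reviewed chart change, while the plugin list further down stays pinned to exact builds that are version-coupled to the Jenkins core. If floating is intentional (the `#tagLabel: alpine` comment suggests the chart can derive the tag from its appVersion instead), state it and fix the pull policy in a comment, e.g. `# floating LTS tag: core version follows the chart appVersion; plugin pins below must be kept compatible`; otherwise restore a `<version>-alpine-jdk17` pin.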
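Review bot: The regenerated README in this commit does not match the plugin pins in `@@ -114,16 +121,19 @@` — it still lists `kubernetes:3743.v1fa_4c724c3b_7`, `git:4.14.3`, `prometheus:2.0.11` and `kubernetes-credentials-provider:1.206...` against `kubernetes:3802.vb_b_600831fcb_3`, `git:5.0.0`, `prometheus:2.1.0` and `1.208...` here, and its version badge says 0.5.24 while Chart.yaml is 0.5.25. It looks like helm-docs was run before these last edits; re-running it would bring the table back in line.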
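Review bot: The `resources:` block added to `agent:` in `@@ -132,24 +142,24 @@` sets `cpu: ""` and `memory: ""` for both requests and limits with no explanation, which reads like a mistake until one finds the real values in `yamlTemplate` (`@@ -168,7 +178,12 @@`). A comment above it would prevent that, e.g. `# empty strings suppress the chart's default agent resources; the real requests/limits live in yamlTemplate below`. The same applies to the commented-out `#cpu:` limits earlier in the file, which look like leftovers rather than a decision to run the controller without a CPU limit.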
@@ -168,7 +178,12 @@ jenkins: containers: - name: jnlp resources: + requests: + cpu: "512m" + memory: "1024Mi" limits: + cpu: "4" + memory: "6144Mi" github.com/fuse: 1 volumeMounts: - name: aws-token @@ -215,9 +230,10 @@ jenkins: trivy: enabled: false + image: + tag: 0.35.0 persistence: enabled: true size: 1Gi rbac: create: false - pspEnabled: false diff --git a/charts/kubezero-istio-gateway/Chart.yaml b/charts/kubezero-istio-gateway/Chart.yaml index 3c38b1b..325ed35 100644 --- a/charts/kubezero-istio-gateway/Chart.yaml +++ b/charts/kubezero-istio-gateway/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-istio-gateway description: KubeZero Umbrella Chart for Istio gateways type: application -version: 0.8.2 +version: 0.9.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -17,6 +17,6 @@ dependencies: version: ">= 0.1.5" repository: https://cdn.zero-downtime.net/charts/ - name: gateway - version: 1.14.3 + version: 1.16.1 repository: https://istio-release.storage.googleapis.com/charts -kubeVersion: ">= 1.20.0" +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero-istio-gateway/README.md b/charts/kubezero-istio-gateway/README.md index 8470de7..09aa7d3 100644 --- a/charts/kubezero-istio-gateway/README.md +++ b/charts/kubezero-istio-gateway/README.md @@ -1,6 +1,6 @@ # kubezero-istio-gateway -![Version: 0.8.2](https://img.shields.io/badge/Version-0.8.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for Istio gateways 
@@ -16,12 +16,12 @@ Installs Istio Ingress Gateways, requires kubezero-istio to be installed ! ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | -| https://istio-release.storage.googleapis.com/charts | gateway | 1.14.3 | +| https://istio-release.storage.googleapis.com/charts | gateway | 1.16.1 | ## Values diff --git a/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml b/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml index b3c19cd..6f57321 100644 --- a/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml +++ b/charts/kubezero-istio-gateway/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.14.3 +appVersion: 1.16.1 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - http://github.com/istio/istio type: application -version: 1.14.3 +version: 1.16.1 diff --git a/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml b/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml index f907f88..474a812 100644 --- a/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml +++ b/charts/kubezero-istio-gateway/charts/gateway/templates/deployment.yaml @@ -106,6 +106,10 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.volumes }} volumes: {{- toYaml . | nindent 8 }} diff --git a/charts/kubezero-istio-gateway/charts/gateway/values.schema.json b/charts/kubezero-istio-gateway/charts/gateway/values.schema.json index be6017e..84f0489 100644 --- a/charts/kubezero-istio-gateway/charts/gateway/values.schema.json +++ b/charts/kubezero-istio-gateway/charts/gateway/values.schema.json 
@@ -185,6 +185,9 @@ "tolerations": { "type": "array" }, + "topologySpreadConstraints": { + "type": "array" + }, "networkGateway": { "type": "string" }, diff --git a/charts/kubezero-istio-gateway/charts/gateway/values.yaml b/charts/kubezero-istio-gateway/charts/gateway/values.yaml index e054afb..e44610b 100644 --- a/charts/kubezero-istio-gateway/charts/gateway/values.yaml +++ b/charts/kubezero-istio-gateway/charts/gateway/values.yaml @@ -83,6 +83,8 @@ nodeSelector: {} tolerations: [] +topologySpreadConstraints: [] + affinity: {} # If specified, the gateway will act as a network gateway for the given network. diff --git a/charts/kubezero-istio-gateway/zdt.patch b/charts/kubezero-istio-gateway/zdt.patch index 84fb52d..05468ab 100644 --- a/charts/kubezero-istio-gateway/zdt.patch +++ b/charts/kubezero-istio-gateway/zdt.patch @@ -1,6 +1,6 @@ diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/templates/deployment.yaml ---- charts/gateway.orig/templates/deployment.yaml 2022-04-21 17:33:30.042035869 +0200 -+++ charts/gateway/templates/deployment.yaml 2022-04-21 18:17:15.130605952 +0200 +--- charts/gateway.orig/templates/deployment.yaml 2022-12-09 14:58:33.000000000 +0000 ++++ charts/gateway/templates/deployment.yaml 2022-12-13 11:43:02.196667885 +0000 @@ -11,6 +11,9 @@ {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} @@ -30,8 +30,8 @@ diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/template {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} -@@ -98,3 +106,7 @@ - tolerations: +@@ -102,3 +110,7 @@ + topologySpreadConstraints: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.volumes }} 
@@ -39,8 +39,8 @@ diff -tubr charts/gateway.orig/templates/deployment.yaml charts/gateway/template + {{- toYaml . | nindent 8 }} + {{- end }} diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/service.yaml ---- charts/gateway.orig/templates/service.yaml 2022-04-21 17:33:30.042035869 +0200 -+++ charts/gateway/templates/service.yaml 2022-04-21 17:33:41.801806959 +0200 +--- charts/gateway.orig/templates/service.yaml 2022-12-09 14:58:33.000000000 +0000 ++++ charts/gateway/templates/service.yaml 2022-12-12 22:52:27.629670669 +0000 @@ -38,7 +38,14 @@ port: 15017 targetPort: 15017 @@ -55,12 +55,12 @@ diff -tubr charts/gateway.orig/templates/service.yaml charts/gateway/templates/s + {{- end }} + {{- end }} {{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} + {{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} diff -tubr charts/gateway.orig/values.schema.json charts/gateway/values.schema.json ---- charts/gateway.orig/values.schema.json 2022-04-21 17:33:30.042035869 +0200 -+++ charts/gateway/values.schema.json 2022-04-21 17:52:51.007536238 +0200 -@@ -47,6 +47,12 @@ +--- charts/gateway.orig/values.schema.json 2022-12-09 14:58:33.000000000 +0000 ++++ charts/gateway/values.schema.json 2022-12-12 22:52:27.629670669 +0000 +@@ -51,6 +51,12 @@ "labels": { "type": "object" }, diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index e6ee906..f90bc98 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.8.4 +version: 0.9.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: 
@@ -13,16 +13,16 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.5" + version: ">= 0.1.6" repository: https://cdn.zero-downtime.net/charts/ - name: base - version: 1.14.3 + version: 1.16.1 repository: https://istio-release.storage.googleapis.com/charts - name: istiod - version: 1.14.3 + version: 1.16.1 repository: https://istio-release.storage.googleapis.com/charts - name: kiali-server - version: 1.54 + version: "1.60.0" repository: https://kiali.org/helm-charts condition: kiali-server.enabled -kubeVersion: ">= 1.20.0" +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index c2c16f3..088ce17 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -1,6 +1,6 @@ # kubezero-istio -![Version: 0.8.3](https://img.shields.io/badge/Version-0.8.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for Istio @@ -16,14 +16,14 @@ Installs the Istio control plane ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | -| https://istio-release.storage.googleapis.com/charts | base | 1.14.3 | -| https://istio-release.storage.googleapis.com/charts | istiod | 1.14.3 | -| https://kiali.org/helm-charts | kiali-server | 1.54 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | +| https://istio-release.storage.googleapis.com/charts | base | 1.16.1 | +| https://istio-release.storage.googleapis.com/charts | istiod | 1.16.1 | +| https://kiali.org/helm-charts | kiali-server | 1.60.0 | ## Values 
@@ -32,7 +32,7 @@ Kubernetes: `>= 1.20.0` | global.defaultPodDisruptionBudget.enabled | bool | `false` | | | global.logAsJson | bool | `true` | | | global.priorityClassName | string | `"system-cluster-critical"` | | -| global.tag | string | `"1.14.4-distroless"` | | +| global.variant | string | `"distroless"` | | | istiod.meshConfig.accessLogEncoding | string | `"JSON"` | | | istiod.meshConfig.accessLogFile | string | `"/dev/stdout"` | | | istiod.meshConfig.tcpKeepalive.interval | string | `"60s"` | | @@ -44,6 +44,8 @@ Kubernetes: `>= 1.20.0` | istiod.pilot.resources.requests.memory | string | `"128Mi"` | | | istiod.pilot.tolerations[0].effect | string | `"NoSchedule"` | | | istiod.pilot.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| istiod.pilot.tolerations[1].effect | string | `"NoSchedule"` | | +| istiod.pilot.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | istiod.telemetry.enabled | bool | `false` | | | kiali-server.auth.strategy | string | `"anonymous"` | | | kiali-server.deployment.ingress_enabled | bool | `false` | | diff --git a/charts/kubezero-istio/dashboards.yaml b/charts/kubezero-istio/dashboards.yaml index 4d947e2..92cd245 100644 --- a/charts/kubezero-istio/dashboards.yaml +++ b/charts/kubezero-istio/dashboards.yaml 
@@ -1,22 +1,22 @@ -# Revision 128 = 1.14.3 +# Revision 148 = 1.16 configmap: grafana-dashboards gzip: true folder: Istio condition: '.Values.istiod.telemetry.enabled' dashboards: - name: istio-control-plane - url: https://grafana.com/api/dashboards/7645/revisions/128/download + url: https://grafana.com/api/dashboards/7645/revisions/148/download tags: - Istio - name: istio-mesh - url: https://grafana.com/api/dashboards/7639/revisions/128/download + url: https://grafana.com/api/dashboards/7639/revisions/148/download tags: - Istio - name: istio-service - url: https://grafana.com/api/dashboards/7636/revisions/128/download + url: https://grafana.com/api/dashboards/7636/revisions/148/download tags: - Istio - name: istio-workload - url: https://grafana.com/api/dashboards/7630/revisions/128/download + url: https://grafana.com/api/dashboards/7630/revisions/148/download tags: - Istio diff --git a/charts/kubezero-istio/templates/grafana-dashboards.yaml b/charts/kubezero-istio/templates/grafana-dashboards.yaml index 6c0739e..a1c2710 100644 --- a/charts/kubezero-istio/templates/grafana-dashboards.yaml +++ b/charts/kubezero-istio/templates/grafana-dashboards.yaml 
@@ -11,11 +11,11 @@ metadata: k8s-sidecar-target-directory: Istio binaryData: istio-control-plane.json.gz: - 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 + 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 istio-mesh.json.gz: - H4sIAAAAAAAC/+1de1PbuBb/v59C1/sYugMhTggl7GtK6bbdKV2msL1zb+lkFFtJtPi1khxgGe5nv0eyHcux8iDQlqbqTEOiI+txnj89LF0/Qsjp9WiUpII7++g9/EboWn0CJcIhgVTn8KR3/PaPo+enL5//eeJsFuQA90kg6ccsDokYkZSXRJ9wj9FE0DiSWUqCuEpUoT4WmMcp80hJS4J0SKNXvqQnhkIz+pu8WVq1KsMNfH7YzLrEyN8pZcTQqaL+IcMDHOGycOobkwsmvJgmjAnjee92GzuNdt6ITXN1CY6AWfXKkpGxKj1Zq2h+HSaW0pnMjOpsNFXZaTQbzRX6JnA/IPXaTqvJ9b5NhIijKBZYKpCUYlapE1AuJjItmwKUfkoD8UqW5G6WqRpLzF2FPCRSbdpHgqVESx9R35BKvTh6FgcxkwWyYR9vNDdRy3Xho9PZRO5jveii10/LvqDv0dOAMFFpQilBPurHmPlOTrtRfz88ypk/bVavOHxDR4SP0GHxKMp5ityGK9VSPUd8KvJeDnDAVYecYUSEMrYnu+1uliI17zSOA0ETSG+qRCXPKA0C9Sug0bkyq0xKSvYGMwMuCRJJWTk/+XT8y1mEkPyCuLgKyM9nThJzKruxj3Cfx0EqyI+oHwsRh1DvmaMegEcwGjEygPwjIRK+v71NZZcbND5zkMBsSATQev0AR+eQUhQ+gNq3OP2H7KN2M7n8EQlyKbZ84sUMZ5VGcQQVelKQ+4hGI8KogFp/ouEQceYZKtwOsCBcbEOOLG2rH6QkiIfxVhT3sXc+ZHEa+VtpNGAgdr/Bx0OtSSNChyOxjzrQHqgIKdH9tI0zzmzfnkc/IpaVCN+0/rodVX7Gvkw/KEc4MrBySMUo7Te8OMw6lH2aGPtLnJAIJcCBQcxC2WokRlgg8CtjsBIoH6URlTR0ga+QiOcIbtuPPb4N+uGRRPBtTrwUeH+1baxXUYmscHORQkyVK8BfD6i3FYLTHpIQdNFcAzwQEU+oKoBNPrplPXGfEzbGfRrM7EQYR1TETLEtpB6L5RPUI7yR19VnubzeEOKjEQmSX+c1AIrfotE4DsbEN9f4e0wjkBDJFQAkHIJ8xJVsQkNXuOxv6Y+HjPrHcelwM0cIP9uat7qA360dLeGy8BX57yv5u/Bgk7IzC1AxBWxgKl647RJXVDyMSgpj5YqBFaEWaJSZVJs6MQSZ291LhFNrhqBCPaVjEoYjnmCWOSzd4U88s3Qg5ijoYW9ETmlI4lRojjL3guBfDia+Qfe+Jf0dBj9iJnEt1qE83LR2IMx0drL/zUa3EnCyHO0nEIha3U2005RZ9gx5OkBxn7QgS0eV8uRxwamS6wuDpyMtHiuRxomWPMTpcEowIb4s+uk2dV0JaVQQ9GQ+ii+meSLFATYBpMB/LcEnn5fjCLNzojgoBVpTg6U1fXeBordrRSuFbjXL3xAKwUUE09phUPQ4qQKeUhWOchMYK2ZpbVAxu6CCDmOd+FcKDmBwNSGnItbJMaOg87iAEyP4/Q9YEA4q+kL81CN/GFqmtD/wqlqajw24eBOLN9BdR6N82NSfHVAS+LxiihkolF2cyHZCudGlDOZY6VRNCCFOEhoNTzP7dU3p1XZXulUAN9UUGc+U/ddbKYs2NdBYGHiZ4YLCWmVhNXMEEzoEizwG365Ga5odOVKvFKFgSh7WiO9U8pzKmqfUEFCGGNDLqkvME38DbTjJ3Wmn+Z1Gh9hUe0alzXxEdf8IJ3P
YPgAfI5+T7asySGQNd95sP50ixJMH5vBOevdzsLfpcEGDoArm2wDkXXcPPva60jG6exXfOZD11MYEsmC9mKyUlnSx3Xbl+dytGT2SAuhQTBpOD5lVfJ/DNnKZZFXLILPB03CDAs4lGwoxqLEwAFfeEzAGCa4ZSWIGDgnwQubcz5yb92744fFj2d9mszKC0bzXb9gTqoduhQwyzwbsU3LhgsghxM4coUxcNZ/qbxGhXwQArAP0NusAeid5Q+pTCRzsOYAMWGgDS2lQuiru6aqoqPNVMZatd35eUgsL+12oiCpjMYOBx0OLKWZjioRAtkhI5HpnbLH3scCFHqPuAV3sLokuXIsuLLqw6MKii0+HLiSuuBWs2ETgLRMwa9LzQHH+9b8zp9P4YQI30Da6dZH5o1UhlRFDQMjscQJ+h38eENOFyNftyv+NzmxAc5J6HuEcvYWuo40ojrY6l5cTZvHHFuLYaZN1mzZxW0sim5ZFNhbZWGRjkc2nRTb0LtDmZ4A2Oxq0ebD4xIBJdi4vuQUcFnCsHeDYWxJwtC3gsIDDAg4LOL4wwNH5QgFHxwKO+wYc37S6XW9n97YI4xt/Zwe38d0QhdxJ95Vu/dg1IwrXtZDCQgoLKdYTUkx7nYeCKUBFNhIaxKJ3vsd73mDYI2MwcH4tIywgiXeUiRQHJ9neU4koFB0o2PcBSDxGW2hj9UJ8EhBBVDkxQ7KcNEE/oOZHxSYrwZCQ/JapWsUSZPrJiA5EnZDjlrzvKO/8OmEYL2Vq86vFMV8FjtldFsfsWBxjcYzFMRbHPCAccwgBlkbK3t+mwapAZk4p649ktM4j2XsLZSyUWZdtJTOxTMdiGYtlLJaxWOYBYZkXWJALfLUihjE8vf7YJe+0hSwWsqzLxpSZkGXXQhYLWSxksZDlAUGWf8fAhRj7zyPBVgUuM8tYf/hSdB3JvlM782JhzNpvhnliUYxFMRbFWBTzgFBMvofjLiBmVhHrj2HynlsIYyHMV7EPpmuPcrMIxiIYi2AeEoI5JoQ9TcGLR4J6yuxXxDHzC1p/NFPvPzqOA+pZZGORzdpvi+nac+QstLHQxkKbhwRt8vNe7wXdLCxr/QGOkQUW41iM85Xso+naE+UsxrEYx2Kch4RxZDSWNq4sXsXiVdehFpS0/vimwoCvD9coLZ0KXssghrLP4L6+W+IKqJZ72zuguvU7oKivQNgfY8JYdr9eFU+piP1k7mVQCR6SvOkVhWAkIViYUw8pAx+cB9exdoWUx+LaQVHKNbwk2CesRomZqEECSOjodw4S7s1yLOrKqjnqhAOKub5PrKo/Ov7QezkLimrYc85phMsi1DLf7FMJ69gCdBEsrHAu/4F/W0dHW4eH6OXL/TDc51NOxiceDbFClK0KQWpC3eHnhFPllw/k9Wez80zuNSx34ZUXLtay/8nU5abbkyzbfj+/+O8if3xrQvt1jNmWRBcQ3jzy87fXvZ5HgqDX3mf44uZ7SS0eKoktRazWnGABTlapqV++pdm7MKoDhHl5lVzJ3nrHOY6oyIylTqz44vdVsRVeEyzWJ1G1XnUjx76yEyachahrotRWmQ1ilu7Q+axiyScIuBWPQTxqTIy+eXp7EUVp2IcIYhSRPIZ1eQEdd5roNXQt8q6sjGbL6OB+ZXQrCXWthJaQ0LPPKaGuldBiCR1+Pgnpt6LMFpEjoZPzdQvp+TwhVVvd6HamO4LcRrM5u9nLiFW/mW15AdsxzYwxTfWU4vpw5dtswHC/o5VZ45Hv5w5lbjVa6UFR9+xPbglt863KVuM+qcbl95tPKVyeWmqUu7xGcZMcl1EmLhiNhnb4+tFCktHuJ+7j4w5s65PLy07PB3LVsvdXTKONu15rB5RWs1neate/Qhsmpmyi+ayq0nOFf7yJzma6VtmUM6eR/TFlmk0pqz1zZi8EyFWQKnFkmLPN1wa4wJEwuZYFywYBGZLIL7Xy+trIqJubxgxK2Rd0M+VNjEsSm0urxsYIdCI
eMhz2/k6hdzQgG82GNDiz0vT8lGVtC2kQUE68OPJ5r59650TMuc5Q6UxAzBqySG/URYpus9lUCzwrt/hTNdYq9L0o9ME9KnT3i1PorlXoh6fQ6G4a/ew+Nbr7xWl012r0umn04Woafe/3LK+KSO9yQ/Pqla6T+tVHjQ9CMZ/PHUPN3IiT77d5eXp6vP3i7fEzVEzo6ZttGI645Gedm5MhXpb8mXezVHaPLrWbpd1ccTuL2+yuvp/F7lyxO1c+9lSw3biyQKcPrgTh6ERuwrNavdoeiWqr77b8dHCr3ROZ8N4Sj9AxsW7p022guJ2YrGAe5OYwG84f0qLtJ4jUqy3a2nW2NV5ns6vsdpX93rZsfIxFW+ElPZYDvF5f4r2PN0Fl12kXTU3d6xqsQdIcxmFWyg9Uygd3mls8fXb8EWYVVaB6VoSc63JSq49Z7dV1R/rT1yQaCjVN2KykE1P2hbOTVE3UuYsnJbu3nZPc2Zt16nJZWybSamXAkWH0lJ8qntXfopV32tdTi/cQ65QQX5pSaWRIZXQ4EidGzdXfydVfMZdGbshtfDv9Rp9qJXx6GlQmXlA/k+28Wdnae9yVN6GLHbB4WJ/zTeRTDPs05fr8apZe1x9gqU+YmrB1BkGsvZyavYNbzC1PtU+5C5OaguV7talESCVJQvzX2YvXVdrSAVj64swN91Ma+Jl39eIwiSPgxSYCdtz7W8UGhzSpEbwQaPW1rHe5sDP/beT3H5Z6G/ktGebnL0w9MP815VeScehZ0XYumfeOMC6n9svcE3B4rVsFZsSv20U+pd+cNole4RJp5NMx9VMc1E9lKPKoQyvKBlziSzrlmLLlZl6D8U6YW4aoTlIUpyxM5Tbb9sSG33+oNfEKX85bcSh1K4OYVbWRCMI08gji4QHmpKZnmQurZc98WC25fnjAbFDzANo5dXxHzQyu6lJXEcIUGmT6azKetPqRXqj8VMVK+5OmJbvdbmYm73BvREJcKH2xBpctLamxCGbnWU6w6FLymek4k6IFCZMA8Eg0nDQZPDgXmqpcm6JWRSqcBNmpHAaMVLy/75MBToMZB4RMqMZjUXJoptsmjbwg9clT87kVRj1wQqiAGrIXB5lo4EM/TGZyQow+XnP+Tgm7Uq9v1EFKQS6OAHKq584UsnQrqUNyOZ2Vn9MExqwnV5FnOhModzpasyvqI33ATSZjGpYnhJSnkcQXW27hrYoDR0DDK48lFPwVKx/OW98rAo3uUpyOhtPcpvajrf9ww/J7R/vu6j/aTZ2i+dSW9t31sx5/KPogw6Imr4W16AXv6gXrtbR29B/ayTNPfL29RVsq7PsnVhDB6bP4gueD+ukodgT8RIeVWQsnVcDTebF38Zr9/uq/uSGPJ8beeXTzf/gB205wtAAA + 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 istio-service.json.gz: - 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 + 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 istio-workload.json.gz: - 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 + 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 {{- end }} diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index 2f43c3a..fb380f0 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh 
@@ -7,7 +7,7 @@ export KIALI_VERSION=$(yq eval '.dependencies[] | select(.name=="kiali-server") helm dep update # Get matching istioctl -[ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } +# [ -x istioctl ] && [ "$(./istioctl version --remote=false)" == $ISTIO_VERSION ] || { curl -sL https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istioctl-${ISTIO_VERSION}-linux-amd64.tar.gz | tar xz; chmod +x istioctl; } # Fetch dashboards from Grafana.com and update ZDT CM ../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index c61ec4a..c9957b4 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -1,6 +1,5 @@ global: - # hub: docker.io/istio - tag: 1.14.4-distroless + variant: distroless logAsJson: true @@ -19,6 +18,8 @@ istiod: tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane resources: requests: diff --git a/charts/kubezero-lib/Chart.yaml b/charts/kubezero-lib/Chart.yaml index 8b6df41..dd0afd4 100644 --- a/charts/kubezero-lib/Chart.yaml +++ b/charts/kubezero-lib/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-lib description: KubeZero helm library - common helm functions and blocks type: library -version: 0.1.5 +version: 0.1.6 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-lib/templates/_helpers.tpl b/charts/kubezero-lib/templates/_helpers.tpl index 1c706d8..7aeae2b 100644 --- a/charts/kubezero-lib/templates/_helpers.tpl +++ b/charts/kubezero-lib/templates/_helpers.tpl 
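Review bot: The istioctl download on the `+` line is commented out rather than removed, which leaves a dead `curl -sL ... | tar xz` pipeline that someone can re-enable with one keystroke and that extracts whatever the URL returns without any integrity check. If the script no longer needs istioctl, delete the line; if it may come back, record that in a comment such as `# istioctl fetch disabled: not needed by this script; if reinstated, download to a file and verify it against the release's .sha256 before extracting`. As far as I know the Istio release assets ship a `.sha256` next to each archive, so a `sha256sum -c` step fits naturally there. Note also that `$ISTIO_VERSION` is unquoted inside the `[ ... == ... ]` test on that same line, which would misbehave if the variable were ever empty.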
@@ -13,7 +13,7 @@ Common naming functions {{- if .subchart }} {{- $name = default .subchart .Values.nameOverride -}} {{- end -}} -{{- if contains $name .Release.Name -}} +{{- if or (contains $name .Release.Name) (contains $name (printf "%s-%s" "kubezero" .Release.Name)) -}} {{- .Release.Name | trunc 63 | trimSuffix "-" -}} {{- else -}} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} diff --git a/charts/kubezero-logging/Chart.yaml b/charts/kubezero-logging/Chart.yaml index dadb87c..87a9a26 100644 --- a/charts/kubezero-logging/Chart.yaml +++ b/charts/kubezero-logging/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-logging description: KubeZero Umbrella Chart for complete EFK stack type: application -version: 0.8.3 +version: 0.8.4 appVersion: 1.6.0 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png @@ -17,7 +17,7 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.5" + version: ">= 0.1.6" repository: https://cdn.zero-downtime.net/charts/ - name: eck-operator version: 2.4.0 @@ -29,4 +29,4 @@ dependencies: - name: fluent-bit version: 0.20.6 condition: fluent-bit.enabled -kubeVersion: ">= 1.20.0" +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero-logging/README.md b/charts/kubezero-logging/README.md index 26ff9bf..b4f1f47 100644 --- a/charts/kubezero-logging/README.md +++ b/charts/kubezero-logging/README.md 
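Review bot: The new `or` branch on the `+` line changes which resource names existing releases get and carries no comment explaining the rule. If I read sprig's `contains` correctly (first argument is the substring), a release named `metrics` for chart `kubezero-metrics` now satisfies the second test, so `fullname` collapses to `metrics` instead of `metrics-kubezero-metrics`; on upgrade every resource named through this helper would be deleted and recreated under the new name, which matters for Services and PVCs and for anything outside the release that references them by name. The library chart only goes 0.1.5 to 0.1.6 in this diff, so a changelog or README note seems warranted. I would add a template comment directly above the condition, e.g. `{{/* A release named after the chart minus its "kubezero-" prefix (release "metrics", chart "kubezero-metrics") is treated as a match, so resources use the bare release name */}}`, and consider lifting the literal `"kubezero"` into a named variable so the prefix is defined once.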
@@ -1,6 +1,6 @@ # kubezero-logging -![Version: 0.8.3](https://img.shields.io/badge/Version-0.8.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) +![Version: 0.8.4](https://img.shields.io/badge/Version-0.8.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.6.0](https://img.shields.io/badge/AppVersion-1.6.0-informational?style=flat-square) KubeZero Umbrella Chart for complete EFK stack @@ -14,14 +14,14 @@ KubeZero Umbrella Chart for complete EFK stack ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| | | eck-operator | 2.4.0 | | | fluent-bit | 0.20.6 | | | fluentd | 0.3.9 | -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | ## Changes from upstream ### ECK @@ -62,6 +62,8 @@ Kubernetes: `>= 1.20.0` | eck-operator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | eck-operator.tolerations[0].effect | string | `"NoSchedule"` | | | eck-operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| eck-operator.tolerations[1].effect | string | `"NoSchedule"` | | +| eck-operator.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | elastic_password | string | `""` | | | es.nodeSets | list | `[]` | | | es.prometheus | bool | `false` | | diff --git a/charts/kubezero-logging/dashboards-es.yaml b/charts/kubezero-logging/dashboards-es.yaml new file mode 100644 index 0000000..7792921 --- /dev/null +++ b/charts/kubezero-logging/dashboards-es.yaml 
@@ -0,0 +1,9 @@ +configmap: grafana-dashboards-es +gzip: true +folder: Logging +condition: '.Values.es.prometheus' +dashboards: +- name: elasticsearch-logging + url: https://grafana.com/api/dashboards/266/revisions/4/download + tags: + - ElasticSearch diff --git a/charts/kubezero-logging/dashboards.yaml b/charts/kubezero-logging/dashboards.yaml index ef11963..1b17efe 100644 --- a/charts/kubezero-logging/dashboards.yaml +++ b/charts/kubezero-logging/dashboards.yaml @@ -1,14 +1,10 @@ configmap: grafana-dashboards gzip: true folder: Logging -condition: '.Values.es.prometheus' dashboards: - name: fluent-logging url: https://grafana.com/api/dashboards/7752/revisions/4/download #url: https://grafana.com/api/dashboards/13042/revisions/2/download tags: - - Fluent -- name: elasticsearch-logging - url: https://grafana.com/api/dashboards/266/revisions/4/download - tags: - - ECK + - fluentd + - fluent-bit diff --git a/charts/kubezero-logging/templates/eck/grafana-dashboards.yaml b/charts/kubezero-logging/templates/eck/grafana-dashboards.yaml new file mode 100644 index 0000000..e9f9dc1 --- /dev/null +++ b/charts/kubezero-logging/templates/eck/grafana-dashboards.yaml @@ -0,0 +1,15 @@ +{{- if .Values.es.prometheus }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards-es" | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace }} + labels: + grafana_dashboard: "1" + {{- include "kubezero-lib.labels" . | nindent 4 }} + annotations: + k8s-sidecar-target-directory: Logging +binaryData: + elasticsearch-logging.json.gz: + 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 +{{- end }} diff --git a/charts/kubezero-logging/templates/fluent-bit/grafana-dashboards.yaml b/charts/kubezero-logging/templates/fluent-bit/grafana-dashboards.yaml new file mode 100644 index 0000000..7e6c560 --- /dev/null +++ b/charts/kubezero-logging/templates/fluent-bit/grafana-dashboards.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards" | trunc 63 | trimSuffix "-" }} + namespace: {{ .Release.Namespace }} + labels: + grafana_dashboard: "1" + {{- include "kubezero-lib.labels" . | nindent 4 }} + annotations: + k8s-sidecar-target-directory: Logging +binaryData: + fluent-logging.json.gz: + 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 diff --git a/charts/kubezero-logging/templates/grafana-dashboards.yaml b/charts/kubezero-logging/templates/grafana-dashboards.yaml deleted file mode 100644 index 2cd8513..0000000 --- a/charts/kubezero-logging/templates/grafana-dashboards.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.es.prometheus }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboards" | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace }} - labels: - grafana_dashboard: "1" - {{- include "kubezero-lib.labels" . | nindent 4 }} - annotations: - k8s-sidecar-target-directory: Logging -binaryData: - fluent-logging.json.gz: - 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 - elasticsearch-logging.json.gz: - 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 -{{- end }} diff --git a/charts/kubezero-logging/update.sh b/charts/kubezero-logging/update.sh index d753e33..5540c8d 100755 --- a/charts/kubezero-logging/update.sh +++ b/charts/kubezero-logging/update.sh 
@@ -29,4 +29,5 @@ curl -L -s -o - https://github.com/fluent/helm-charts/releases/download/fluentd- patch -i fluentd.patch -p0 --no-backup-if-mismatch # Fetch dashboards from Grafana.com and update ZDT CM -../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/grafana-dashboards.yaml +../kubezero-metrics/sync_grafana_dashboards.py dashboards.yaml templates/fluent-bit/grafana-dashboards.yaml +../kubezero-metrics/sync_grafana_dashboards.py dashboards-es.yaml templates/eck/grafana-dashboards.yaml diff --git a/charts/kubezero-logging/values.yaml b/charts/kubezero-logging/values.yaml index 55399df..d039406 100644 --- a/charts/kubezero-logging/values.yaml +++ b/charts/kubezero-logging/values.yaml @@ -7,6 +7,8 @@ eck-operator: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" diff --git a/charts/kubezero-metrics/Chart.yaml b/charts/kubezero-metrics/Chart.yaml index f518871..7d1bb5f 100644 --- a/charts/kubezero-metrics/Chart.yaml +++ b/charts/kubezero-metrics/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-metrics description: KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations. type: application -version: 0.8.5 +version: 0.8.9 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: 
@@ -15,19 +15,20 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.5" + version: ">= 0.1.6" repository: https://cdn.zero-downtime.net/charts/ + # https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack - name: kube-prometheus-stack - version: 40.0.0 + version: 43.2.0 # Switch back to upstream once all alerts are fixed eg. etcd gpcr # repository: https://prometheus-community.github.io/helm-charts - name: prometheus-adapter - version: 3.4.0 + version: 3.5.0 repository: https://prometheus-community.github.io/helm-charts condition: prometheus-adapter.enabled - name: prometheus-pushgateway - version: 1.18.2 + version: 2.0.2 # Switch back to upstream once namespaces are supported - # repository: https://prometheus-community.github.io/helm-charts + repository: https://prometheus-community.github.io/helm-charts condition: prometheus-pushgateway.enabled -kubeVersion: ">= 1.20.0" +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero-metrics/README.md b/charts/kubezero-metrics/README.md index fb24852..82ea042 100644 --- a/charts/kubezero-metrics/README.md +++ b/charts/kubezero-metrics/README.md @@ -1,6 +1,6 @@ # kubezero-metrics -![Version: 0.8.5](https://img.shields.io/badge/Version-0.8.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.8.9](https://img.shields.io/badge/Version-0.8.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all Kubernetes integrations. 
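Review bot: The comment `# Switch back to upstream once namespaces are supported` above `prometheus-pushgateway` is now stale: the hunk uncomments the upstream `repository:` line right under it, so the switch back has happened while the comment still says it is pending. Either drop that comment or rewrite it to state why the vendored copy is no longer needed; I cannot tell from this diff whether namespace support landed in 2.0.2, so the replacement should record the actual reason rather than a guess. The identical wording above `kube-prometheus-stack` is still accurate there, since that dependency keeps its repository commented out.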
@@ -14,14 +14,14 @@ KubeZero Umbrella Chart for Prometheus, Grafana and Alertmanager as well as all ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| -| | kube-prometheus-stack | 40.0.0 | -| | prometheus-pushgateway | 1.18.2 | -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | -| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 3.4.0 | +| | kube-prometheus-stack | 43.2.0 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | +| https://prometheus-community.github.io/helm-charts | prometheus-adapter | 3.5.0 | +| https://prometheus-community.github.io/helm-charts | prometheus-pushgateway | 2.0.2 | ## Values 
@@ -87,15 +87,15 @@ Kubernetes: `>= 1.20.0` | kube-prometheus-stack.alertmanager.config.inhibit_rules[2].equal[0] | string | `"namespace"` | | | kube-prometheus-stack.alertmanager.config.inhibit_rules[2].source_matchers[0] | string | `"alertname = InfoInhibitor"` | | | kube-prometheus-stack.alertmanager.config.inhibit_rules[2].target_matchers[0] | string | `"severity = info"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[3].source_matchers[0] | string | `"alertname = ClusterAutoscalerNodeGroupsEnabled"` | | +| kube-prometheus-stack.alertmanager.config.inhibit_rules[3].target_matchers[0] | string | `"alertname =~ \"KubeCPUOvercommit|KubeMemoryOvercommit\""` | | | kube-prometheus-stack.alertmanager.config.route.group_by[0] | string | `"severity"` | | | kube-prometheus-stack.alertmanager.config.route.group_by[1] | string | `"clusterName"` | | | kube-prometheus-stack.alertmanager.config.route.group_interval | string | `"5m"` | | -| kube-prometheus-stack.alertmanager.config.route.group_wait | string | `"30s"` | | -| kube-prometheus-stack.alertmanager.config.route.repeat_interval | string | `"6h"` | | -| kube-prometheus-stack.alertmanager.config.route.routes[0].matchers[0] | string | `"alertname = Watchdog"` | | +| kube-prometheus-stack.alertmanager.config.route.group_wait | string | `"10s"` | | +| kube-prometheus-stack.alertmanager.config.route.repeat_interval | string | `"4h"` | | +| kube-prometheus-stack.alertmanager.config.route.routes[0].matchers[0] | string | `"severity = none"` | | | kube-prometheus-stack.alertmanager.config.route.routes[0].receiver | string | `"null"` | | -| kube-prometheus-stack.alertmanager.config.route.routes[1].matchers[0] | string | `"alertname = InfoInhibitor"` | | -| kube-prometheus-stack.alertmanager.config.route.routes[1].receiver | string | `"null"` | | | kube-prometheus-stack.alertmanager.enabled | bool | `false` | | | kube-prometheus-stack.coreDns.enabled | bool | `true` | | | kube-prometheus-stack.defaultRules.create 
| bool | `false` | | @@ -127,6 +127,8 @@ Kubernetes: `>= 1.20.0` | kube-prometheus-stack.kube-state-metrics.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | kube-prometheus-stack.kube-state-metrics.tolerations[0].effect | string | `"NoSchedule"` | | | kube-prometheus-stack.kube-state-metrics.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| kube-prometheus-stack.kube-state-metrics.tolerations[1].effect | string | `"NoSchedule"` | | +| kube-prometheus-stack.kube-state-metrics.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | kube-prometheus-stack.kubeApiServer.enabled | bool | `true` | | | kube-prometheus-stack.kubeControllerManager.enabled | bool | `true` | | | kube-prometheus-stack.kubeControllerManager.service.port | int | `10257` | | 
@@ -168,10 +170,11 @@ Kubernetes: `>= 1.20.0` | kube-prometheus-stack.prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues | bool | `false` | | | kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] | string | `"ReadWriteOnce"` | | | kube-prometheus-stack.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"16Gi"` | | -| kube-prometheus-stack.prometheus.prometheusSpec.walCompression | bool | `true` | | | kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].effect | string | `"NoSchedule"` | | | kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[1].effect | string | `"NoSchedule"` | | +| kube-prometheus-stack.prometheusOperator.admissionWebhooks.patch.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | kube-prometheus-stack.prometheusOperator.enabled | bool | `true` | | | kube-prometheus-stack.prometheusOperator.logFormat | string | `"json"` | | | kube-prometheus-stack.prometheusOperator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | 
@@ -180,6 +183,8 @@ Kubernetes: `>= 1.20.0` | kube-prometheus-stack.prometheusOperator.resources.requests.memory | string | `"32Mi"` | | | kube-prometheus-stack.prometheusOperator.tolerations[0].effect | string | `"NoSchedule"` | | | kube-prometheus-stack.prometheusOperator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| kube-prometheus-stack.prometheusOperator.tolerations[1].effect | string | `"NoSchedule"` | | +| kube-prometheus-stack.prometheusOperator.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | prometheus-adapter.enabled | bool | `true` | | | prometheus-adapter.logLevel | int | `1` | | | prometheus-adapter.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | @@ -200,6 +205,8 @@ Kubernetes: `>= 1.20.0` | prometheus-adapter.rules.resource.window | string | `"5m"` | | | prometheus-adapter.tolerations[0].effect | string | `"NoSchedule"` | | | prometheus-adapter.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| prometheus-adapter.tolerations[1].effect | string | `"NoSchedule"` | | +| prometheus-adapter.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | prometheus-pushgateway.enabled | bool | `false` | | | prometheus-pushgateway.serviceMonitor.enabled | bool | `true` | | diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml index 6006712..8c4575f 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/Chart.yaml @@ -1,4 +1,5 @@ annotations: + artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Chart Source url: https://github.com/prometheus-community/helm-charts 
@@ -6,20 +7,20 @@ annotations: url: https://github.com/prometheus-operator/kube-prometheus artifacthub.io/operator: "true" apiVersion: v2 -appVersion: 0.59.1 +appVersion: 0.61.1 dependencies: - condition: kubeStateMetrics.enabled name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts - version: 4.18.* + version: 4.24.* - condition: nodeExporter.enabled name: prometheus-node-exporter repository: https://prometheus-community.github.io/helm-charts - version: 4.2.* + version: 4.8.* - condition: grafana.enabled name: grafana repository: https://grafana.github.io/helm-charts - version: 6.38.* + version: 6.48.* description: kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus @@ -34,8 +35,6 @@ kubeVersion: '>=1.16.0-0' maintainers: - email: andrew@quadcorps.co.uk name: andrewgkew -- email: cedric@desaintmartin.fr - name: desaintmartin - email: gianrubio@gmail.com name: gianrubio - email: github.gkarthiks@gmail.com @@ -46,9 +45,11 @@ maintainers: name: scottrigby - email: miroslav.hadzhiev@gmail.com name: Xtigyro +- email: quentin.bisson@gmail.com + name: QuentinBisson name: kube-prometheus-stack sources: - https://github.com/prometheus-community/helm-charts - https://github.com/prometheus-operator/kube-prometheus type: application -version: 40.0.0 +version: 43.2.0 diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/README.md b/charts/kubezero-metrics/charts/kube-prometheus-stack/README.md index 76982e2..e32bba5 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/README.md +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/README.md 
@@ -80,6 +80,67 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. +### From 42.x to 43.x + +This version upgrades Prometheus-Operator to v0.61.1, Prometheus to v2.40.5 and Thanos to v0.29.0. + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +### From 41.x to 42.x + +This includes the 
overridability of container registry for all containers at the global level using `global.imageRegistry` or per container image. The defaults have not changed but if you were using a custom image, you will have to override the registry of said custom container image before you upgrade. + +For instance, the prometheus-config-reloader used to be configured as follow: + +```yaml + image: + repository: quay.io/prometheus-operator/prometheus-config-reloader + tag: v0.60.1 + sha: "" +``` + +But it now moved to: + +```yaml + image: + registry: quay.io + repository: prometheus-operator/prometheus-config-reloader + tag: v0.60.1 + sha: "" +``` + +### From 40.x to 41.x + +This version upgrades Prometheus-Operator to v0.60.1, Prometheus to v2.39.1 and Thanos to v0.28.1. +This version also upgrades the Helm charts of kube-state-metrics to 4.20.2, prometheus-node-exporter to 4.3.0 and Grafana to 6.40.4. + +Run these commands to update the CRDs before applying the upgrade. + +```console +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +kubectl apply --server-side -f 
https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.60.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +``` + +This version splits kubeScheduler recording and altering rules in separate config values. +Instead of `defaultRules.rules.kubeScheduler` the 2 new variables `defaultRules.rules.kubeSchedulerAlerting` and `defaultRules.rules.kubeSchedulerRecording` are used. + ### From 39.x to 40.x This version upgrades Prometheus-Operator to v0.59.1, Prometheus to v2.38.0, kube-state-metrics to v2.6.0 and Thanos to v0.28.0. diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml index bf9e324..849916a 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 9.1.4 +appVersion: 9.3.1 description: The leading tool for querying and visualizing time series and metrics. home: https://grafana.net icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png @@ -19,4 +19,4 @@ name: grafana sources: - https://github.com/grafana/grafana type: application -version: 6.38.0 +version: 6.48.0 diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md index 45046f0..d5210ca 100644 
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/README.md @@ -104,6 +104,7 @@ This version requires Helm >= 3.1.0. | `persistence.accessModes` | Persistence access modes | `[ReadWriteOnce]` | | `persistence.annotations` | PersistentVolumeClaim annotations | `{}` | | `persistence.finalizers` | PersistentVolumeClaim finalizers | `[ "kubernetes.io/pvc-protection" ]` | +| `persistence.extraPvcLabels` | Extra labels to apply to a PVC. | `{}` | | `persistence.subPath` | Mount a sub dir of the persistent volume (can be templated) | `nil` | | `persistence.inMemory.enabled` | If persistence is not enabled, whether to mount the local storage in-memory to improve performance | `false` | | `persistence.inMemory.sizeLimit` | SizeLimit for the in-memory local storage | `nil` | @@ -134,6 +135,7 @@ This version requires Helm >= 3.1.0. | `dashboards` | Dashboards to import | `{}` | | `dashboardsConfigMaps` | ConfigMaps reference that contains dashboards | `{}` | | `grafana.ini` | Grafana's primary configuration | `{}` | +| `global.imagePullSecrets` | Global image pull secrets (can be templated). Allows either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). | `[]` | | `ldap.enabled` | Enable LDAP authentication | `false` | | `ldap.existingSecret` | The name of an existing secret containing the `ldap.toml` file, this must have the key `ldap-toml`. | `""` | | `ldap.config` | Grafana's LDAP configuration | `""` | 
@@ -150,6 +152,15 @@ This version requires Helm >= 3.1.0. | `sidecar.resources` | Sidecar resources | `{}` | | `sidecar.securityContext` | Sidecar securityContext | `{}` | | `sidecar.enableUniqueFilenames` | Sets the kiwigrid/k8s-sidecar UNIQUE_FILENAMES environment variable. If set to `true` the sidecar will create unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. | `false` | +| `sidecar.alerts.enabled` | Enables the cluster wide search for alerts and adds/updates/deletes them in grafana |`false` | +| `sidecar.alerts.label` | Label that config maps with alerts should have to be added | `grafana_alert` | +| `sidecar.alerts.labelValue` | Label value that config maps with alerts should have to be added | `""` | +| `sidecar.alerts.searchNamespace` | Namespaces list. If specified, the sidecar will search for alerts config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.alerts.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | +| `sidecar.alerts.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `sidecar.alerts.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/alerting/reload"` | +| `sidecar.alerts.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | +| `sidecar.alerts.initDatasources` | Set to true to deploy the datasource sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any alerts defined at startup time. 
| `false` | | `sidecar.dashboards.enabled` | Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` | | `sidecar.dashboards.SCProvider` | Enables creation of sidecar provider | `true` | | `sidecar.dashboards.provider.name` | Unique name of the grafana provider | `sidecarProvider` | 
@@ -166,21 +177,30 @@ This version requires Helm >= 3.1.0. | `sidecar.dashboards.folder` | Folder in the pod that should hold the collected dashboards (unless `sidecar.dashboards.defaultFolderName` is set). This path will be mounted. | `/tmp/dashboards` | | `sidecar.dashboards.folderAnnotation` | The annotation the sidecar will look for in configmaps to override the destination folder for files | `nil` | | `sidecar.dashboards.defaultFolderName` | The default folder name, it will create a subfolder under the `sidecar.dashboards.folder` and put dashboards in there instead | `nil` | -| `sidecar.dashboards.searchNamespace` | Namespaces list. If specified, the sidecar will search for dashboards config-maps inside these namespaces.Otherwise the namespace in which the sidecar is running will be used.It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.dashboards.searchNamespace` | Namespaces list. If specified, the sidecar will search for dashboards config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | | `sidecar.dashboards.script` | Absolute path to shell script to execute after a configmap got reloaded. | `nil` | +| `sidecar.dashboards.reloadURL` | Full url of dashboards configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/dashboards/reload"` | +| `sidecar.dashboards.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | | `sidecar.dashboards.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | | `sidecar.dashboards.extraMounts` | Additional dashboard sidecar volume mounts. 
| `[]` | | `sidecar.datasources.enabled` | Enables the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` | | `sidecar.datasources.label` | Label that config maps with datasources should have to be added | `grafana_datasource` | | `sidecar.datasources.labelValue` | Label value that config maps with datasources should have to be added | `""` | -| `sidecar.datasources.searchNamespace` | Namespaces list. If specified, the sidecar will search for datasources config-maps inside these namespaces.Otherwise the namespace in which the sidecar is running will be used.It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.datasources.searchNamespace` | Namespaces list. If specified, the sidecar will search for datasources config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.datasources.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | | `sidecar.datasources.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | | `sidecar.datasources.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/datasources/reload"` | | `sidecar.datasources.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | +| `sidecar.datasources.initDatasources` | Set to true to deploy the datasource sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any datasources defined at startup time. 
| `false` | | `sidecar.notifiers.enabled` | Enables the cluster wide search for notifiers and adds/updates/deletes them in grafana | `false` | | `sidecar.notifiers.label` | Label that config maps with notifiers should have to be added | `grafana_notifier` | -| `sidecar.notifiers.searchNamespace` | Namespaces list. If specified, the sidecar will search for notifiers config-maps (or secrets) inside these namespaces.Otherwise the namespace in which the sidecar is running will be used.It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.notifiers.labelValue` | Label value that config maps with notifiers should have to be added | `""` | +| `sidecar.notifiers.searchNamespace` | Namespaces list. If specified, the sidecar will search for notifiers config-maps (or secrets) inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.notifiers.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | | `sidecar.notifiers.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `sidecar.notifiers.reloadURL` | Full url of notifier configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/notifications/reload"` | +| `sidecar.notifiers.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | +| `sidecar.notifiers.initNotifiers` | Set to true to deploy the notifier sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any notifiers defined at startup time. | `false` | | `smtp.existingSecret` | The name of an existing secret containing the SMTP credentials. 
| `""` | | `smtp.userKey` | The key in the existing SMTP secret containing the username. | `"user"` | | `smtp.passwordKey` | The key in the existing SMTP secret containing the password. | `"password"` | @@ -190,6 +210,7 @@ This version requires Helm >= 3.1.0. | `serviceAccount.autoMount` | Automount the service account token in the pod| `true` | | `serviceAccount.annotations` | ServiceAccount annotations | | | `serviceAccount.create` | Create service account | `true` | +| `serviceAccount.labels` | ServiceAccount labels | `{}` | | `serviceAccount.name` | Service account name to use, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `` | | `serviceAccount.nameTest` | Service account name to use for test, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `nil` | | `rbac.create` | Create and use RBAC resources | `true` | @@ -319,6 +340,14 @@ dashboards: gnetId: 2 revision: 2 datasource: Prometheus + loki-dashboard-quick-search: + gnetId: 12019 + revision: 2 + datasource: + - name: DS_PROMETHEUS + value: Prometheus + - name: DS_LOKI + value: Loki local-dashboard: url: https://raw.githubusercontent.com/user/repository/master/dashboards/dashboard.json ``` diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/ci/with-extraconfigmapmounts-values.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/ci/with-extraconfigmapmounts-values.yaml index f2d55a8..5cc44a0 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/ci/with-extraconfigmapmounts-values.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/ci/with-extraconfigmapmounts-values.yaml 
@@ -1,6 +1,6 @@ extraConfigmapMounts: - - name: '{{ template "grafana.fullname" . }}' - configMap: '{{ template "grafana.fullname" . }}' + - name: '{{ include "grafana.fullname" . }}' + configMap: '{{ include "grafana.fullname" . }}' mountPath: /var/lib/grafana/dashboards/test-dashboard.json # This is not a realistic test, but for this we only care about extraConfigmapMounts not being empty and pointing to an existing ConfigMap subPath: grafana.ini diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/NOTES.txt b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/NOTES.txt index 1fc8436..f399f43 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/NOTES.txt +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/NOTES.txt @@ -1,10 +1,10 @@ 1. Get your '{{ .Values.adminUser }}' user password by running: - kubectl get secret --namespace {{ template "grafana.namespace" . }} {{ template "grafana.fullname" . }} -o jsonpath="{.data.admin-password}" | base64 --decode ; echo + kubectl get secret --namespace {{ include "grafana.namespace" . }} {{ include "grafana.fullname" . }} -o jsonpath="{.data.admin-password}" | base64 --decode ; echo 2. The Grafana server can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster: - {{ template "grafana.fullname" . }}.{{ template "grafana.namespace" . }}.svc.cluster.local + {{ include "grafana.fullname" . }}.{{ include "grafana.namespace" . }}.svc.cluster.local {{ if .Values.ingress.enabled }} If you bind grafana to 80, please update values in values.yaml and reinstall: ``` 
@@ -24,24 +24,24 @@ Or grafana would always crash. From outside the cluster, the server URL(s) are: -{{- range .Values.ingress.hosts }} + {{- range .Values.ingress.hosts }} http://{{ . }} -{{- end }} -{{ else }} + {{- end }} +{{- else }} Get the Grafana URL to visit by running these commands in the same shell: -{{ if contains "NodePort" .Values.service.type -}} - export NODE_PORT=$(kubectl get --namespace {{ template "grafana.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "grafana.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ template "grafana.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + {{- if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ include "grafana.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "grafana.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "grafana.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") echo http://$NODE_IP:$NODE_PORT -{{ else if contains "LoadBalancer" .Values.service.type -}} + {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc --namespace {{ template "grafana.namespace" . }} -w {{ template "grafana.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ template "grafana.namespace" . }} {{ template "grafana.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + You can watch the status of by running 'kubectl get svc --namespace {{ include "grafana.namespace" . }} -w {{ include "grafana.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "grafana.namespace" . }} {{ include "grafana.fullname" . 
}} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') http://$SERVICE_IP:{{ .Values.service.port -}} -{{ else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ template "grafana.namespace" . }} -l "app.kubernetes.io/name={{ template "grafana.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace {{ template "grafana.namespace" . }} port-forward $POD_NAME 3000 -{{- end }} + {{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ include "grafana.namespace" . }} -l "app.kubernetes.io/name={{ include "grafana.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ include "grafana.namespace" . }} port-forward $POD_NAME 3000 + {{- end }} {{- end }} 3. Login with the password from step 1 and the username: {{ .Values.adminUser }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_helpers.tpl b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_helpers.tpl index 369e69f..cb41fcc 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_helpers.tpl +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_helpers.tpl @@ -3,8 +3,8 @@ Expand the name of the chart. */}} {{- define "grafana.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} {{/* Create a default fully qualified app name. 
@@ -12,54 +12,54 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this If release name contains chart name it will be used as a full name. */}} {{- define "grafana.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} {{/* Create chart name and version as used by the chart label. */}} {{- define "grafana.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} {{/* Create the name of the service account */}} {{- define "grafana.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "grafana.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "grafana.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} {{- define "grafana.serviceAccountNameTest" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (print (include "grafana.fullname" .) 
"-test") .Values.serviceAccount.nameTest }} -{{- else -}} - {{ default "default" .Values.serviceAccount.nameTest }} -{{- end -}} -{{- end -}} +{{- if .Values.serviceAccount.create }} +{{- default (print (include "grafana.fullname" .) "-test") .Values.serviceAccount.nameTest }} +{{- else }} +{{- default "default" .Values.serviceAccount.nameTest }} +{{- end }} +{{- end }} {{/* Allow the release namespace to be overridden for multi-namespace deployments in combined charts */}} {{- define "grafana.namespace" -}} - {{- if .Values.namespaceOverride -}} - {{- .Values.namespaceOverride -}} - {{- else -}} - {{- .Release.Namespace -}} - {{- end -}} -{{- end -}} +{{- if .Values.namespaceOverride }} +{{- .Values.namespaceOverride }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} {{/* Common labels @@ -71,10 +71,10 @@ helm.sh/chart: {{ include "grafana.chart" . }} app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- if .Values.extraLabels }} -{{ toYaml .Values.extraLabels }} +{{- with .Values.extraLabels }} +{{ toYaml . }} +{{- end }} {{- end }} -{{- end -}} {{/* Selector labels @@ -82,7 +82,7 @@ Selector labels {{- define "grafana.selectorLabels" -}} app.kubernetes.io/name: {{ include "grafana.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} +{{- end }} {{/* Common labels @@ -94,7 +94,7 @@ helm.sh/chart: {{ include "grafana.chart" . }} app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} +{{- end }} {{/* Selector labels ImageRenderer 
@@ -102,73 +102,98 @@ Selector labels ImageRenderer {{- define "grafana.imageRenderer.selectorLabels" -}} app.kubernetes.io/name: {{ include "grafana.name" . }}-image-renderer app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} +{{- end }} {{/* Looks if there's an existing secret and reuse its password. If not it generates new password and use it. */}} {{- define "grafana.password" -}} -{{- $secret := (lookup "v1" "Secret" (include "grafana.namespace" .) (include "grafana.fullname" .) ) -}} - {{- if $secret -}} - {{- index $secret "data" "admin-password" -}} - {{- else -}} - {{- (randAlphaNum 40) | b64enc | quote -}} - {{- end -}} -{{- end -}} +{{- $secret := (lookup "v1" "Secret" (include "grafana.namespace" .) (include "grafana.fullname" .) ) }} +{{- if $secret }} +{{- index $secret "data" "admin-password" }} +{{- else }} +{{- (randAlphaNum 40) | b64enc | quote }} +{{- end }} +{{- end }} {{/* Return the appropriate apiVersion for rbac. */}} {{- define "grafana.rbac.apiVersion" -}} - {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} - {{- print "rbac.authorization.k8s.io/v1" -}} - {{- else -}} - {{- print "rbac.authorization.k8s.io/v1beta1" -}} - {{- end -}} -{{- end -}} +{{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +{{- print "rbac.authorization.k8s.io/v1" }} +{{- else }} +{{- print "rbac.authorization.k8s.io/v1beta1" }} +{{- end }} +{{- end }} {{/* Return the appropriate apiVersion for ingress. 
*/}} {{- define "grafana.ingress.apiVersion" -}} - {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}} - {{- print "networking.k8s.io/v1" -}} - {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} - {{- print "networking.k8s.io/v1beta1" -}} - {{- else -}} - {{- print "extensions/v1beta1" -}} - {{- end -}} -{{- end -}} +{{- if and ($.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) }} +{{- print "networking.k8s.io/v1" }} +{{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} +{{- print "networking.k8s.io/v1beta1" }} +{{- else }} +{{- print "extensions/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "grafana.hpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" .Capabilities.KubeVersion.Version }} +{{- print "autoscaling/v2beta1" }} +{{- else }} +{{- print "autoscaling/v2" }} +{{- end }} +{{- end }} {{/* Return the appropriate apiVersion for podDisruptionBudget. */}} {{- define "grafana.podDisruptionBudget.apiVersion" -}} - {{- if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} - {{- print "policy/v1" -}} - {{- else -}} - {{- print "policy/v1beta1" -}} - {{- end -}} -{{- end -}} +{{- if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +{{- print "policy/v1" }} +{{- else }} +{{- print "policy/v1beta1" }} +{{- end }} +{{- end }} {{/* Return if ingress is stable. */}} {{- define "grafana.ingress.isStable" -}} - {{- eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1" -}} -{{- end -}} +{{- eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1" }} +{{- end }} {{/* Return if ingress supports ingressClassName. */}} {{- define "grafana.ingress.supportsIngressClassName" -}} - {{- or (eq (include "grafana.ingress.isStable" .) 
"true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} -{{- end -}} +{{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) }} +{{- end }} {{/* Return if ingress supports pathType. */}} {{- define "grafana.ingress.supportsPathType" -}} - {{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} -{{- end -}} +{{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) }} +{{- end }} + +{{/* +Formats imagePullSecrets. Input is (dict "root" . "imagePullSecrets" .{specific imagePullSecrets}) +*/}} +{{- define "grafana.imagePullSecrets" -}} +{{- $root := .root }} +{{- range (concat .root.Values.global.imagePullSecrets .imagePullSecrets) }} +{{- if eq (typeOf .) "map[string]interface {}" }} +- {{ toYaml (dict "name" (tpl .name $root)) | trim }} +{{- else }} +- name: {{ tpl . $root }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl index adc025c..95ec1f8 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/_pod.tpl 
@@ -1,8 +1,10 @@ {{- define "grafana.pod" -}} -{{- if .Values.schedulerName }} -schedulerName: "{{ .Values.schedulerName }}" +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- $root := . -}} +{{- with .Values.schedulerName }} +schedulerName: "{{ . }}" {{- end }} -serviceAccountName: {{ template "grafana.serviceAccountName" . }} +serviceAccountName: {{ include "grafana.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }} {{- with .Values.securityContext }} securityContext: @@ -12,10 +14,10 @@ securityContext: hostAliases: {{- toYaml . | nindent 2 }} {{- end }} -{{- if .Values.priorityClassName }} -priorityClassName: {{ .Values.priorityClassName }} +{{- with .Values.priorityClassName }} +priorityClassName: {{ . }} {{- end }} -{{- if ( or .Values.persistence.enabled .Values.dashboards .Values.sidecar.notifiers.enabled .Values.extraInitContainers (and .Values.sidecar.datasources.enabled .Values.sidecar.datasources.initDatasources)) }} +{{- if ( or .Values.persistence.enabled .Values.dashboards .Values.extraInitContainers (and .Values.sidecar.datasources.enabled .Values.sidecar.datasources.initDatasources) (and .Values.sidecar.notifiers.enabled .Values.sidecar.notifiers.initNotifiers)) }} initContainers: {{- end }} {{- if ( and .Values.persistence.enabled .Values.initChownData.enabled ) }} 
@@ -26,10 +28,15 @@ initContainers: image: "{{ .Values.initChownData.image.repository }}:{{ .Values.initChownData.image.tag }}" {{- end }} imagePullPolicy: {{ .Values.initChownData.image.pullPolicy }} + {{- with .Values.initChownData.securityContext }} securityContext: - runAsNonRoot: false - runAsUser: 0 - command: ["chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }}", "/var/lib/grafana"] + {{- toYaml . | nindent 6 }} + {{- end }} + command: + - chown + - -R + - {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} + - /var/lib/grafana {{- with .Values.initChownData.resources }} resources: {{- toYaml . | nindent 6 }} @@ -37,9 +44,9 @@ initContainers: volumeMounts: - name: storage mountPath: "/var/lib/grafana" -{{- if .Values.persistence.subPath }} - subPath: {{ tpl .Values.persistence.subPath . }} -{{- end }} + {{- with .Values.persistence.subPath }} + subPath: {{ tpl . $root }} + {{- end }} {{- end }} {{- if .Values.dashboards }} - name: download-dashboards 
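Review bot: With the hard-coded `runAsNonRoot: false` / `runAsUser: 0` removed, the chown init container's privileges now come solely from `.Values.initChownData.securityContext`; when that value is empty no `securityContext` is rendered at all and the container falls back to the pod-level context built from `.Values.securityContext` earlier in this template, under which `chown -R` on `/var/lib/grafana` fails unless that context is root. The chart default for `initChownData.securityContext` is not visible in this diff — confirm it still pins a root-capable context, and prefer a least-privilege default (root uid with capabilities dropped down to what chown needs, i.e. `CHOWN`, plus `DAC_OVERRIDE` only if the volume tree is not root-readable) over an unrestricted root container. A short template comment above the `with` block, e.g. `{{/* chown needs root or CAP_CHOWN; set via initChownData.securityContext */}}`, would make the requirement explicit to anyone overriding the value.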
@@ -56,36 +63,41 @@ initContainers: {{- toYaml . | nindent 6 }} {{- end }} env: -{{- range $key, $value := .Values.downloadDashboards.env }} + {{- range $key, $value := .Values.downloadDashboards.env }} - name: "{{ $key }}" value: "{{ $value }}" -{{- end }} + {{- end }} + {{- range $key, $value := .Values.downloadDashboards.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} {{- with .Values.downloadDashboards.securityContext }} securityContext: {{- toYaml . | nindent 6 }} {{- end }} -{{- if .Values.downloadDashboards.envFromSecret }} + {{- with .Values.downloadDashboards.envFromSecret }} envFrom: - secretRef: - name: {{ tpl .Values.downloadDashboards.envFromSecret . }} -{{- end }} + name: {{ tpl . $root }} + {{- end }} volumeMounts: - name: config mountPath: "/etc/grafana/download_dashboards.sh" subPath: download_dashboards.sh - name: storage mountPath: "/var/lib/grafana" -{{- if .Values.persistence.subPath }} - subPath: {{ tpl .Values.persistence.subPath . }} -{{- end }} - {{- range .Values.extraSecretMounts }} + {{- with .Values.persistence.subPath }} + subPath: {{ tpl . $root }} + {{- end }} + {{- range .Values.extraSecretMounts }} - name: {{ .name }} mountPath: {{ .mountPath }} readOnly: {{ .readOnly }} - {{- end }} + {{- end }} {{- end }} {{- if and .Values.sidecar.datasources.enabled .Values.sidecar.datasources.initDatasources }} - - name: {{ template "grafana.name" . }}-init-sc-datasources + - name: {{ include "grafana.name" . }}-init-sc-datasources {{- if .Values.sidecar.image.sha }} image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" {{- else }} 
@@ -105,9 +117,9 @@ initContainers: value: "LIST" - name: LABEL value: "{{ .Values.sidecar.datasources.label }}" - {{- if .Values.sidecar.datasources.labelValue }} + {{- with .Values.sidecar.datasources.labelValue }} - name: LABEL_VALUE - value: {{ quote .Values.sidecar.datasources.labelValue }} + value: {{ quote . }} {{- end }} {{- if or .Values.sidecar.logLevel .Values.sidecar.datasources.logLevel }} - name: LOG_LEVEL @@ -117,17 +129,17 @@ initContainers: value: "/etc/grafana/provisioning/datasources" - name: RESOURCE value: {{ quote .Values.sidecar.datasources.resource }} - {{- if .Values.sidecar.enableUniqueFilenames }} + {{- with .Values.sidecar.enableUniqueFilenames }} - name: UNIQUE_FILENAMES - value: "{{ .Values.sidecar.enableUniqueFilenames }}" + value: "{{ . }}" {{- end }} {{- if .Values.sidecar.datasources.searchNamespace }} - name: NAMESPACE - value: "{{ .Values.sidecar.datasources.searchNamespace | join "," }}" + value: "{{ tpl (.Values.sidecar.datasources.searchNamespace | join ",") . }}" {{- end }} - {{- if .Values.sidecar.skipTlsVerify }} + {{- with .Values.sidecar.skipTlsVerify }} - name: SKIP_TLS_VERIFY - value: "{{ .Values.sidecar.skipTlsVerify }}" + value: "{{ . }}" {{- end }} {{- with .Values.sidecar.resources }} resources: @@ -141,8 +153,8 @@ initContainers: - name: sc-datasources-volume mountPath: "/etc/grafana/provisioning/datasources" {{- end }} -{{- if .Values.sidecar.notifiers.enabled }} - - name: {{ template "grafana.name" . }}-sc-notifiers +{{- if and .Values.sidecar.notifiers.enabled .Values.sidecar.notifiers.initNotifiers }} + - name: {{ include "grafana.name" . }}-init-sc-notifiers {{- if .Values.sidecar.image.sha }} image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" {{- else }} 
@@ -162,9 +174,9 @@ initContainers: value: LIST - name: LABEL value: "{{ .Values.sidecar.notifiers.label }}" - {{- if .Values.sidecar.notifiers.labelValue }} + {{- with .Values.sidecar.notifiers.labelValue }} - name: LABEL_VALUE - value: {{ quote .Values.sidecar.notifiers.labelValue }} + value: {{ quote . }} {{- end }} {{- if or .Values.sidecar.logLevel .Values.sidecar.notifiers.logLevel }} - name: LOG_LEVEL @@ -174,17 +186,17 @@ initContainers: value: "/etc/grafana/provisioning/notifiers" - name: RESOURCE value: {{ quote .Values.sidecar.notifiers.resource }} - {{- if .Values.sidecar.enableUniqueFilenames }} + {{- with .Values.sidecar.enableUniqueFilenames }} - name: UNIQUE_FILENAMES - value: "{{ .Values.sidecar.enableUniqueFilenames }}" + value: "{{ . }}" {{- end }} - {{- if .Values.sidecar.notifiers.searchNamespace }} + {{- with .Values.sidecar.notifiers.searchNamespace }} - name: NAMESPACE - value: "{{ .Values.sidecar.notifiers.searchNamespace | join "," }}" + value: "{{ tpl (. | join ",") $root }}" {{- end }} - {{- if .Values.sidecar.skipTlsVerify }} + {{- with .Values.sidecar.skipTlsVerify }} - name: SKIP_TLS_VERIFY - value: "{{ .Values.sidecar.skipTlsVerify }}" + value: "{{ . }}" {{- end }} {{- with .Values.sidecar.livenessProbe }} livenessProbe: 
@@ -206,22 +218,122 @@ initContainers: - name: sc-notifiers-volume mountPath: "/etc/grafana/provisioning/notifiers" {{- end}} -{{- if .Values.extraInitContainers }} -{{ tpl (toYaml .Values.extraInitContainers) . | indent 2 }} +{{- with .Values.extraInitContainers }} + {{- tpl (toYaml .) $root | nindent 2 }} {{- end }} -{{- if .Values.image.pullSecrets }} +{{- if or .Values.image.pullSecrets .Values.global.imagePullSecrets }} imagePullSecrets: -{{- $root := . }} -{{- range .Values.image.pullSecrets }} - - name: {{ tpl . $root }} -{{- end}} + {{- include "grafana.imagePullSecrets" (dict "root" $root "imagePullSecrets" .Values.image.pullSecrets) | nindent 2 }} {{- end }} {{- if not .Values.enableKubeBackwardCompatibility }} enableServiceLinks: {{ .Values.enableServiceLinks }} {{- end }} containers: +{{- if .Values.sidecar.alerts.enabled }} + - name: {{ include "grafana.name" . }}-sc-alerts + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.alerts.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.sidecar.alerts.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.sidecar.alerts.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.alerts.label }}" + {{- with .Values.sidecar.alerts.labelValue }} + - name: LABEL_VALUE + value: {{ quote . 
}} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.alerts.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.alerts.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/alerting" + - name: RESOURCE + value: {{ quote .Values.sidecar.alerts.resource }} + {{- with .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.alerts.searchNamespace }} + - name: NAMESPACE + value: {{ . | join "," | quote }} + {{- end }} + {{- with .Values.sidecar.alerts.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: {{ quote . }} + {{- end }} + {{- with .Values.sidecar.alerts.script }} + - name: SCRIPT + value: {{ quote . }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) 
}} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.sidecar.alerts.skipReload }} + - name: REQ_URL + value: {{ .Values.sidecar.alerts.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.sidecar.alerts.watchServerTimeout }} + {{- if ne .Values.sidecar.alerts.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.alerts.watchServerTimeout with .Values.sidecar.alerts.watchMethod %s" .Values.sidecar.alerts.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.sidecar.alerts.watchServerTimeout }}" + {{- end }} + {{- if .Values.sidecar.alerts.watchClientTimeout }} + {{- if ne .Values.sidecar.alerts.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.alerts.watchClientTimeout with .Values.sidecar.alerts.watchMethod %s" .Values.sidecar.alerts.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.sidecar.alerts.watchClientTimeout }}" + {{- end }} + {{- with .Values.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-alerts-volume + mountPath: "/etc/grafana/provisioning/alerting" +{{- end}} {{- if .Values.sidecar.dashboards.enabled }} - - name: {{ template "grafana.name" . }}-sc-dashboard + - name: {{ include "grafana.name" . }}-sc-dashboard {{- if .Values.sidecar.image.sha }} image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" {{- else }} 
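Review bot: The `REQ_USERNAME`/`REQ_PASSWORD` secretKeyRef entries for the new `-sc-alerts` container are gated only on the `GF_SECURITY_*` env values, not on `skipReload`, so the Grafana admin credentials are injected into the sidecar's environment even when `sidecar.alerts.skipReload` is set and the sidecar never calls the reload API. Wrapping both blocks in the existing `{{- if not .Values.sidecar.alerts.skipReload }}` condition keeps the secret out of a container that does not need it; the same applies to the dashboards sidecar in the `@@ -253,25 +365,45 @@` hunk and the notifiers sidecar in `@@ -413,8 +545,111 @@`. Separately, `NAMESPACE` here is rendered as `value: {{ . | join "," | quote }}` while every other sidecar in this commit uses `value: "{{ tpl (. | join ",") $root }}"`, so a templated `searchNamespace` works elsewhere but not for alerts. If this chart is vendored from upstream, both points belong upstream rather than in a local patch.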
@@ -241,9 +353,9 @@ containers: value: {{ .Values.sidecar.dashboards.watchMethod }} - name: LABEL value: "{{ .Values.sidecar.dashboards.label }}" - {{- if .Values.sidecar.dashboards.labelValue }} + {{- with .Values.sidecar.dashboards.labelValue }} - name: LABEL_VALUE - value: {{ quote .Values.sidecar.dashboards.labelValue }} + value: {{ quote . }} {{- end }} {{- if or .Values.sidecar.logLevel .Values.sidecar.dashboards.logLevel }} - name: LOG_LEVEL 
@@ -253,25 +365,45 @@ containers: value: "{{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}" - name: RESOURCE value: {{ quote .Values.sidecar.dashboards.resource }} - {{- if .Values.sidecar.enableUniqueFilenames }} + {{- with .Values.sidecar.enableUniqueFilenames }} - name: UNIQUE_FILENAMES - value: "{{ .Values.sidecar.enableUniqueFilenames }}" + value: "{{ . }}" {{- end }} - {{- if .Values.sidecar.dashboards.searchNamespace }} + {{- with .Values.sidecar.dashboards.searchNamespace }} - name: NAMESPACE - value: "{{ .Values.sidecar.dashboards.searchNamespace | join "," }}" + value: "{{ tpl (. | join ",") $root }}" {{- end }} - {{- if .Values.sidecar.skipTlsVerify }} + {{- with .Values.sidecar.skipTlsVerify }} - name: SKIP_TLS_VERIFY - value: "{{ .Values.sidecar.skipTlsVerify }}" + value: "{{ . }}" {{- end }} - {{- if .Values.sidecar.dashboards.folderAnnotation }} + {{- with .Values.sidecar.dashboards.folderAnnotation }} - name: FOLDER_ANNOTATION - value: "{{ .Values.sidecar.dashboards.folderAnnotation }}" + value: "{{ . }}" {{- end }} - {{- if .Values.sidecar.dashboards.script }} + {{- with .Values.sidecar.dashboards.script }} - name: SCRIPT - value: "{{ .Values.sidecar.dashboards.script }}" + value: "{{ . }}" + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) 
}} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.sidecar.dashboards.skipReload }} + - name: REQ_URL + value: {{ .Values.sidecar.dashboards.reloadURL }} + - name: REQ_METHOD + value: POST {{- end }} {{- if .Values.sidecar.dashboards.watchServerTimeout }} {{- if ne .Values.sidecar.dashboards.watchMethod "WATCH" }} @@ -285,7 +417,7 @@ containers: {{- fail (printf "Cannot use .Values.sidecar.dashboards.watchClientTimeout with .Values.sidecar.dashboards.watchMethod %s" .Values.sidecar.dashboards.watchMethod) }} {{- end }} - name: WATCH_CLIENT_TIMEOUT - value: "{{ .Values.sidecar.dashboards.watchClientTimeout }}" + value: {{ .Values.sidecar.dashboards.watchClientTimeout | quote }} {{- end }} {{- with .Values.sidecar.livenessProbe }} livenessProbe: @@ -306,12 +438,12 @@ containers: volumeMounts: - name: sc-dashboard-volume mountPath: {{ .Values.sidecar.dashboards.folder | quote }} - {{- if .Values.sidecar.dashboards.extraMounts }} - {{- toYaml .Values.sidecar.dashboards.extraMounts | trim | nindent 6}} + {{- with .Values.sidecar.dashboards.extraMounts }} + {{- toYaml . | trim | nindent 6 }} {{- end }} {{- end}} {{- if .Values.sidecar.datasources.enabled }} - - name: {{ template "grafana.name" . }}-sc-datasources + - name: {{ include "grafana.name" . }}-sc-datasources {{- if .Values.sidecar.image.sha }} image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" {{- else }} @@ -331,9 +463,9 @@ containers: value: {{ .Values.sidecar.datasources.watchMethod }} - name: LABEL value: "{{ .Values.sidecar.datasources.label }}" - {{- if .Values.sidecar.datasources.labelValue }} + {{- with .Values.sidecar.datasources.labelValue }} - name: LABEL_VALUE - value: {{ quote .Values.sidecar.datasources.labelValue }} + value: {{ quote . }} {{- end }} {{- if or .Values.sidecar.logLevel .Values.sidecar.datasources.logLevel }} - name: LOG_LEVEL 
@@ -343,13 +475,13 @@ containers: value: "/etc/grafana/provisioning/datasources" - name: RESOURCE value: {{ quote .Values.sidecar.datasources.resource }} - {{- if .Values.sidecar.enableUniqueFilenames }} + {{- with .Values.sidecar.enableUniqueFilenames }} - name: UNIQUE_FILENAMES - value: "{{ .Values.sidecar.enableUniqueFilenames }}" + value: "{{ . }}" {{- end }} - {{- if .Values.sidecar.datasources.searchNamespace }} + {{- with .Values.sidecar.datasources.searchNamespace }} - name: NAMESPACE - value: "{{ .Values.sidecar.datasources.searchNamespace | join "," }}" + value: "{{ tpl (. | join ",") $root }}" {{- end }} {{- if .Values.sidecar.skipTlsVerify }} - name: SKIP_TLS_VERIFY 
@@ -413,8 +545,111 @@ containers: - name: sc-datasources-volume mountPath: "/etc/grafana/provisioning/datasources" {{- end}} +{{- if .Values.sidecar.notifiers.enabled }} + - name: {{ include "grafana.name" . }}-sc-notifiers + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.notifiers.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.sidecar.notifiers.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.sidecar.notifiers.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.notifiers.label }}" + {{- with .Values.sidecar.notifiers.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.notifiers.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.notifiers.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/notifiers" + - name: RESOURCE + value: {{ quote .Values.sidecar.notifiers.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- with .Values.sidecar.notifiers.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- with .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . 
}}" + {{- end }} + {{- if .Values.sidecar.notifiers.script }} + - name: SCRIPT + value: "{{ .Values.sidecar.notifiers.script }}" + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.sidecar.notifiers.skipReload }} + - name: REQ_URL + value: {{ .Values.sidecar.notifiers.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.sidecar.notifiers.watchServerTimeout }} + {{- if ne .Values.sidecar.notifiers.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.notifiers.watchServerTimeout with .Values.sidecar.notifiers.watchMethod %s" .Values.sidecar.notifiers.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.sidecar.notifiers.watchServerTimeout }}" + {{- end }} + {{- if .Values.sidecar.notifiers.watchClientTimeout }} + {{- if ne .Values.sidecar.notifiers.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.notifiers.watchClientTimeout with .Values.sidecar.notifiers.watchMethod %s" .Values.sidecar.notifiers.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.sidecar.notifiers.watchClientTimeout }}" + {{- end }} + {{- with .Values.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- with .Values.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-notifiers-volume + mountPath: "/etc/grafana/provisioning/notifiers" +{{- end}} {{- if .Values.sidecar.plugins.enabled }} - - name: {{ template "grafana.name" . }}-sc-plugins + - name: {{ include "grafana.name" . }}-sc-plugins {{- if .Values.sidecar.image.sha }} image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" {{- else }} @@ -446,21 +681,21 @@ containers: value: "/etc/grafana/provisioning/plugins" - name: RESOURCE value: {{ quote .Values.sidecar.plugins.resource }} - {{- if .Values.sidecar.enableUniqueFilenames }} + {{- with .Values.sidecar.enableUniqueFilenames }} - name: UNIQUE_FILENAMES - value: "{{ .Values.sidecar.enableUniqueFilenames }}" + value: "{{ . }}" {{- end }} - {{- if .Values.sidecar.plugins.searchNamespace }} + {{- with .Values.sidecar.plugins.searchNamespace }} - name: NAMESPACE - value: "{{ .Values.sidecar.plugins.searchNamespace | join "," }}" + value: "{{ tpl (. | join ",") $root }}" {{- end }} - {{- if .Values.sidecar.plugins.script }} + {{- with .Values.sidecar.plugins.script }} - name: SCRIPT - value: "{{ .Values.sidecar.plugins.script }}" + value: "{{ . }}" {{- end }} - {{- if .Values.sidecar.skipTlsVerify }} + {{- with .Values.sidecar.skipTlsVerify }} - name: SKIP_TLS_VERIFY - value: "{{ .Values.sidecar.skipTlsVerify }}" + value: "{{ . }}" {{- end }} {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} - name: REQ_USERNAME 
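Review bot: The new `-sc-notifiers` container still uses `{{- if .Values.sidecar.enableUniqueFilenames }}` / `value: "{{ .Values.sidecar.enableUniqueFilenames }}"` and `{{- if .Values.sidecar.notifiers.script }}` / `value: "{{ .Values.sidecar.notifiers.script }}"`, while this same commit converts the identical blocks in every other sidecar to the `with` form. For consistency: `{{- with .Values.sidecar.enableUniqueFilenames }}` … `value: "{{ . }}"`, and likewise for `script`. The `WATCH_SERVER_TIMEOUT`/`WATCH_CLIENT_TIMEOUT` values here are also written as `"{{ … }}"` whereas the dashboards sidecar in the `@@ -285,7 +417,7 @@` hunk is changed to `| quote` — pick one form for all sidecars.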
@@ -523,12 +758,12 @@ containers: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" {{- end }} imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.command }} + {{- if .Values.command }} command: {{- range .Values.command }} - - {{ . }} + - {{ . | quote }} {{- end }} - {{- end}} + {{- end}} {{- with .Values.containerSecurityContext }} securityContext: {{- toYaml . | nindent 6 }} @@ -542,7 +777,6 @@ containers: mountPath: "/etc/grafana/ldap.toml" subPath: ldap.toml {{- end }} - {{- $root := . }} {{- range .Values.extraConfigmapMounts }} - name: {{ tpl .name $root }} mountPath: {{ tpl .mountPath $root }} 
@@ -551,91 +785,95 @@ containers: {{- end }} - name: storage mountPath: "/var/lib/grafana" -{{- if .Values.persistence.subPath }} - subPath: {{ tpl .Values.persistence.subPath . }} -{{- end }} -{{- if .Values.dashboards }} -{{- range $provider, $dashboards := .Values.dashboards }} -{{- range $key, $value := $dashboards }} -{{- if (or (hasKey $value "json") (hasKey $value "file")) }} + {{- with .Values.persistence.subPath }} + subPath: {{ tpl . $root }} + {{- end }} + {{- with .Values.dashboards }} + {{- range $provider, $dashboards := . }} + {{- range $key, $value := $dashboards }} + {{- if (or (hasKey $value "json") (hasKey $value "file")) }} - name: dashboards-{{ $provider }} mountPath: "/var/lib/grafana/dashboards/{{ $provider }}/{{ $key }}.json" subPath: "{{ $key }}.json" -{{- end }} -{{- end }} -{{- end }} -{{- end -}} -{{- if .Values.dashboardsConfigMaps }} -{{- range (keys .Values.dashboardsConfigMaps | sortAlpha) }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.dashboardsConfigMaps }} + {{- range (keys . | sortAlpha) }} - name: dashboards-{{ . }} mountPath: "/var/lib/grafana/dashboards/{{ . }}" -{{- end }} -{{- end }} -{{- if .Values.datasources }} -{{- range (keys .Values.datasources | sortAlpha) }} + {{- end }} + {{- end }} + {{- with .Values.datasources }} + {{- range (keys . | sortAlpha) }} - name: config mountPath: "/etc/grafana/provisioning/datasources/{{ . }}" subPath: {{ . | quote }} -{{- end }} -{{- end }} -{{- if .Values.notifiers }} -{{- range (keys .Values.notifiers | sortAlpha) }} + {{- end }} + {{- end }} + {{- with .Values.notifiers }} + {{- range (keys . | sortAlpha) }} - name: config mountPath: "/etc/grafana/provisioning/notifiers/{{ . }}" subPath: {{ . | quote }} -{{- end }} -{{- end }} -{{- if .Values.alerting }} -{{- range (keys .Values.alerting | sortAlpha) }} + {{- end }} + {{- end }} + {{- with .Values.alerting }} + {{- range (keys . 
| sortAlpha) }} - name: config mountPath: "/etc/grafana/provisioning/alerting/{{ . }}" subPath: {{ . | quote }} -{{- end }} -{{- end }} -{{- if .Values.dashboardProviders }} -{{- range (keys .Values.dashboardProviders | sortAlpha) }} + {{- end }} + {{- end }} + {{- with .Values.dashboardProviders }} + {{- range (keys . | sortAlpha) }} - name: config mountPath: "/etc/grafana/provisioning/dashboards/{{ . }}" subPath: {{ . | quote }} -{{- end }} -{{- end }} -{{- if .Values.sidecar.dashboards.enabled }} + {{- end }} + {{- end }} + {{- with .Values.sidecar.alerts.enabled }} + - name: sc-alerts-volume + mountPath: "/etc/grafana/provisioning/alerting" + {{- end}} + {{- if .Values.sidecar.dashboards.enabled }} - name: sc-dashboard-volume mountPath: {{ .Values.sidecar.dashboards.folder | quote }} -{{ if .Values.sidecar.dashboards.SCProvider }} + {{- if .Values.sidecar.dashboards.SCProvider }} - name: sc-dashboard-provider mountPath: "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml" subPath: provider.yaml -{{- end}} -{{- end}} -{{- if .Values.sidecar.datasources.enabled }} + {{- end}} + {{- end}} + {{- if .Values.sidecar.datasources.enabled }} - name: sc-datasources-volume mountPath: "/etc/grafana/provisioning/datasources" -{{- end}} -{{- if .Values.sidecar.plugins.enabled }} + {{- end}} + {{- if .Values.sidecar.plugins.enabled }} - name: sc-plugins-volume mountPath: "/etc/grafana/provisioning/plugins" -{{- end}} -{{- if .Values.sidecar.notifiers.enabled }} + {{- end}} + {{- if .Values.sidecar.notifiers.enabled }} - name: sc-notifiers-volume mountPath: "/etc/grafana/provisioning/notifiers" -{{- end}} - {{- range .Values.extraSecretMounts }} + {{- end}} + {{- range .Values.extraSecretMounts }} - name: {{ .name }} mountPath: {{ .mountPath }} readOnly: {{ .readOnly }} subPath: {{ .subPath | default "" }} - {{- end }} - {{- range .Values.extraVolumeMounts }} + {{- end }} + {{- range .Values.extraVolumeMounts }} - name: {{ .name }} mountPath: {{ .mountPath }} 
subPath: {{ .subPath | default "" }} readOnly: {{ .readOnly }} - {{- end }} - {{- range .Values.extraEmptyDirMounts }} + {{- end }} + {{- range .Values.extraEmptyDirMounts }} - name: {{ .name }} mountPath: {{ .mountPath }} - {{- end }} + {{- end }} ports: - name: {{ .Values.podPortName }} containerPort: {{ .Values.service.targetPort }} @@ -659,7 +897,7 @@ containers: - name: GF_INSTALL_PLUGINS valueFrom: configMapKeyRef: - name: {{ template "grafana.fullname" . }} + name: {{ include "grafana.fullname" . }} key: plugins {{- end }} {{- if .Values.smtp.existingSecret }} @@ -676,9 +914,9 @@ containers: {{- end }} {{- if .Values.imageRenderer.enabled }} - name: GF_RENDERING_SERVER_URL - value: http://{{ template "grafana.fullname" . }}-image-renderer.{{ template "grafana.namespace" . }}:{{ .Values.imageRenderer.service.port }}/render + value: http://{{ include "grafana.fullname" . }}-image-renderer.{{ include "grafana.namespace" . }}:{{ .Values.imageRenderer.service.port }}/render - name: GF_RENDERING_CALLBACK_URL - value: {{ .Values.imageRenderer.grafanaProtocol }}://{{ template "grafana.fullname" . }}.{{ template "grafana.namespace" . }}:{{ .Values.service.port }}/{{ .Values.imageRenderer.grafanaSubPath }} + value: {{ .Values.imageRenderer.grafanaProtocol }}://{{ include "grafana.fullname" . }}.{{ include "grafana.namespace" . }}:{{ .Values.service.port }}/{{ .Values.imageRenderer.grafanaSubPath }} {{- end }} - name: GF_PATHS_DATA value: {{ (get .Values "grafana.ini").paths.data }} 
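Review bot: `{{- with .Values.sidecar.alerts.enabled }}` guards the `sc-alerts-volume` mount with `with` on a boolean, whereas the neighbouring `sc-dashboard-volume`, `sc-datasources-volume`, `sc-plugins-volume` and `sc-notifiers-volume` mounts (and the `-sc-alerts` container definition itself) use `if`. It renders the same today because the body never dereferences `.`, but `with` rebinds the dot to `true` and reads as a copy-paste slip; `{{- if .Values.sidecar.alerts.enabled }}` matches the siblings.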
@@ -688,35 +926,35 @@ containers: value: {{ (get .Values "grafana.ini").paths.plugins }} - name: GF_PATHS_PROVISIONING value: {{ (get .Values "grafana.ini").paths.provisioning }} - {{- range $key, $value := .Values.envValueFrom }} + {{- range $key, $value := .Values.envValueFrom }} - name: {{ $key | quote }} valueFrom: -{{ tpl (toYaml $value) $ | indent 10 }} - {{- end }} -{{- range $key, $value := .Values.env }} + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- range $key, $value := .Values.env }} - name: "{{ tpl $key $ }}" value: "{{ tpl (print $value) $ }}" -{{- end }} + {{- end }} {{- if or .Values.envFromSecret (or .Values.envRenderSecret .Values.envFromSecrets) .Values.envFromConfigMaps }} envFrom: - {{- if .Values.envFromSecret }} + {{- if .Values.envFromSecret }} - secretRef: name: {{ tpl .Values.envFromSecret . }} - {{- end }} - {{- if .Values.envRenderSecret }} + {{- end }} + {{- if .Values.envRenderSecret }} - secretRef: - name: {{ template "grafana.fullname" . }}-env - {{- end }} - {{- range .Values.envFromSecrets }} + name: {{ include "grafana.fullname" . }}-env + {{- end }} + {{- range .Values.envFromSecrets }} - secretRef: name: {{ tpl .name $ }} optional: {{ .optional | default false }} - {{- end }} - {{- range .Values.envFromConfigMaps }} + {{- end }} + {{- range .Values.envFromConfigMaps }} - configMapRef: name: {{ tpl .name $ }} optional: {{ .optional | default false }} - {{- end }} + {{- end }} {{- end }} {{- with .Values.livenessProbe }} livenessProbe: 
@@ -726,24 +964,24 @@ containers: readinessProbe: {{- toYaml . | nindent 6 }} {{- end }} -{{- if .Values.lifecycleHooks }} - lifecycle: {{ tpl (.Values.lifecycleHooks | toYaml) . | nindent 6 }} -{{- end }} + {{- with .Values.lifecycleHooks }} + lifecycle: + {{- tpl (toYaml .) $root | nindent 6 }} + {{- end }} {{- with .Values.resources }} resources: {{- toYaml . | nindent 6 }} {{- end }} {{- with .Values.extraContainers }} -{{ tpl . $ | indent 2 }} + {{- tpl . $ | nindent 2 }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 2 }} {{- end }} -{{- $root := . }} {{- with .Values.affinity }} affinity: -{{ tpl (toYaml .) $root | indent 2 }} + {{- tpl (toYaml .) $root | nindent 2 }} {{- end }} {{- with .Values.topologySpreadConstraints }} topologySpreadConstraints: @@ -756,30 +994,29 @@ tolerations: volumes: - name: config configMap: - name: {{ template "grafana.fullname" . }} -{{- $root := . }} -{{- range .Values.extraConfigmapMounts }} + name: {{ include "grafana.fullname" . }} + {{- range .Values.extraConfigmapMounts }} - name: {{ tpl .name $root }} configMap: name: {{ tpl .configMap $root }} - {{- if .items }} - items: {{ toYaml .items | nindent 6 }} + {{- with .items }} + items: + {{- toYaml . | nindent 8 }} {{- end }} -{{- end }} + {{- end }} {{- if .Values.dashboards }} - {{- range (keys .Values.dashboards | sortAlpha) }} + {{- range (keys .Values.dashboards | sortAlpha) }} - name: dashboards-{{ . }} configMap: - name: {{ template "grafana.fullname" $ }}-dashboards-{{ . }} - {{- end }} + name: {{ include "grafana.fullname" $ }}-dashboards-{{ . }} + {{- end }} {{- end }} {{- if .Values.dashboardsConfigMaps }} - {{ $root := . }} - {{- range $provider, $name := .Values.dashboardsConfigMaps }} + {{- range $provider, $name := .Values.dashboardsConfigMaps }} - name: dashboards-{{ $provider }} configMap: name: {{ tpl $name $root }} - {{- end }} + {{- end }} {{- end }} {{- if .Values.ldap.enabled }} - name: ldap 
@@ -787,89 +1024,101 @@ volumes: {{- if .Values.ldap.existingSecret }} secretName: {{ .Values.ldap.existingSecret }} {{- else }} - secretName: {{ template "grafana.fullname" . }} + secretName: {{ include "grafana.fullname" . }} {{- end }} items: - key: ldap-toml path: ldap.toml {{- end }} -{{- if and .Values.persistence.enabled (eq .Values.persistence.type "pvc") }} + {{- if and .Values.persistence.enabled (eq .Values.persistence.type "pvc") }} - name: storage persistentVolumeClaim: claimName: {{ tpl (.Values.persistence.existingClaim | default (include "grafana.fullname" .)) . }} -{{- else if and .Values.persistence.enabled (eq .Values.persistence.type "statefulset") }} -# nothing -{{- else }} + {{- else if and .Values.persistence.enabled (has .Values.persistence.type $sts) }} + {{/* nothing */}} + {{- else }} - name: storage -{{- if .Values.persistence.inMemory.enabled }} + {{- if .Values.persistence.inMemory.enabled }} emptyDir: medium: Memory -{{- if .Values.persistence.inMemory.sizeLimit }} - sizeLimit: {{ .Values.persistence.inMemory.sizeLimit }} -{{- end -}} -{{- else }} + {{- with .Values.persistence.inMemory.sizeLimit }} + sizeLimit: {{ . }} + {{- end }} + {{- else }} emptyDir: {} -{{- end -}} -{{- end -}} -{{- if .Values.sidecar.dashboards.enabled }} - - name: sc-dashboard-volume -{{- if .Values.sidecar.dashboards.sizeLimit }} + {{- end }} + {{- end }} + {{- if .Values.sidecar.alerts.enabled }} + - name: sc-alerts-volume emptyDir: - sizeLimit: {{ .Values.sidecar.dashboards.sizeLimit }} -{{- else }} - emptyDir: {} -{{- end -}} -{{- if .Values.sidecar.dashboards.SCProvider }} + {{- with .Values.sidecar.alerts.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- if .Values.sidecar.dashboards.enabled }} + - name: sc-dashboard-volume + emptyDir: + {{- with .Values.sidecar.dashboards.sizeLimit }} + sizeLimit: {{ . 
}} + {{- else }} + {} + {{- end }} + {{- if .Values.sidecar.dashboards.SCProvider }} - name: sc-dashboard-provider configMap: - name: {{ template "grafana.fullname" . }}-config-dashboards -{{- end }} -{{- end }} -{{- if .Values.sidecar.datasources.enabled }} + name: {{ include "grafana.fullname" . }}-config-dashboards + {{- end }} + {{- end }} + {{- if .Values.sidecar.datasources.enabled }} - name: sc-datasources-volume -{{- if .Values.sidecar.datasources.sizeLimit }} emptyDir: - sizeLimit: {{ .Values.sidecar.datasources.sizeLimit }} -{{- else }} - emptyDir: {} -{{- end -}} -{{- end -}} -{{- if .Values.sidecar.plugins.enabled }} + {{- with .Values.sidecar.datasources.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- if .Values.sidecar.plugins.enabled }} - name: sc-plugins-volume -{{- if .Values.sidecar.plugins.sizeLimit }} emptyDir: - sizeLimit: {{ .Values.sidecar.plugins.sizeLimit }} -{{- else }} - emptyDir: {} -{{- end -}} -{{- end -}} -{{- if .Values.sidecar.notifiers.enabled }} + {{- with .Values.sidecar.plugins.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- if .Values.sidecar.notifiers.enabled }} - name: sc-notifiers-volume -{{- if .Values.sidecar.notifiers.sizeLimit }} emptyDir: - sizeLimit: {{ .Values.sidecar.notifiers.sizeLimit }} -{{- else }} - emptyDir: {} -{{- end -}} -{{- end -}} -{{- range .Values.extraSecretMounts }} -{{- if .secretName }} + {{- with .Values.sidecar.notifiers.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- range .Values.extraSecretMounts }} + {{- if .secretName }} - name: {{ .name }} secret: secretName: {{ .secretName }} defaultMode: {{ .defaultMode }} - {{- if .items }} - items: {{ toYaml .items | nindent 6 }} + {{- with .items }} + items: + {{- toYaml . 
| nindent 8 }} {{- end }} -{{- else if .projected }} + {{- else if .projected }} - name: {{ .name }} - projected: {{- toYaml .projected | nindent 6 }} -{{- else if .csi }} + projected: + {{- toYaml .projected | nindent 6 }} + {{- else if .csi }} - name: {{ .name }} - csi: {{- toYaml .csi | nindent 6 }} -{{- end }} -{{- end }} -{{- range .Values.extraVolumeMounts }} + csi: + {{- toYaml .csi | nindent 6 }} + {{- end }} + {{- end }} + {{- range .Values.extraVolumeMounts }} - name: {{ .name }} {{- if .existingClaim }} persistentVolumeClaim: @@ -880,16 +1129,16 @@ volumes: {{- else if .csi }} csi: data: - {{ toYaml .data | nindent 6 }} + {{- toYaml .data | nindent 8 }} {{- else }} emptyDir: {} {{- end }} -{{- end }} -{{- range .Values.extraEmptyDirMounts }} + {{- end }} + {{- range .Values.extraEmptyDirMounts }} - name: {{ .name }} emptyDir: {} -{{- end -}} -{{- if .Values.extraContainerVolumes }} -{{ tpl (toYaml .Values.extraContainerVolumes) . | indent 2 }} -{{- end }} + {{- end }} + {{- with .Values.extraContainerVolumes }} + {{- tpl (toYaml .) $root | nindent 2 }} + {{- end }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml index 154658b..3396713 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrole.yaml 
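Review bot: In the `extraSecretMounts` range the line `defaultMode: {{ .defaultMode }}` is emitted whether or not the entry sets it, so an entry without `defaultMode` renders `defaultMode:` (null) and Kubernetes falls back to 0644, leaving the mounted secret readable by every uid in the container. Either render the key only when set, `{{- with .defaultMode }}defaultMode: {{ . }}{{- end }}`, and document that omitting it means 0644, or give it a restrictive fallback such as `defaultMode: {{ .defaultMode | default 0440 }}` (Go templates read the leading-zero literal as octal, so this renders as 288). The `persistence.inMemory` branch has a related caveat: `medium: Memory` with `sizeLimit` omitted lets the tmpfs grow until the pod's memory limit (or node memory if none) is hit, so the values documentation should steer users to set `inMemory.sizeLimit`. The enclosing `volumes:` block of the pod template starts before this hunk.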
@@ -4,21 +4,21 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: {{- include "grafana.labels" . | nindent 4 }} -{{- with .Values.annotations }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} - name: {{ template "grafana.fullname" . }}-clusterrole + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "grafana.fullname" . }}-clusterrole {{- if or .Values.sidecar.dashboards.enabled (or .Values.rbac.extraClusterRoleRules (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled)) }} rules: -{{- if or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled) }} -- apiGroups: [""] # "" indicates the core API group - resources: ["configmaps", "secrets"] - verbs: ["get", "watch", "list"] -{{- end}} -{{- with .Values.rbac.extraClusterRoleRules }} -{{ toYaml . | indent 0 }} -{{- end}} + {{- if or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled) }} + - apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] + {{- end}} + {{- with .Values.rbac.extraClusterRoleRules }} + {{- toYaml . | nindent 2 }} + {{- end}} {{- else }} rules: [] {{- end}} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrolebinding.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrolebinding.yaml index 4accbfa..48411fe 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrolebinding.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/clusterrolebinding.yaml 
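Review bot: Enabling any of the dashboards, datasources or plugins sidecars grants the Grafana service account `get`/`list`/`watch` on every Secret in the cluster through this ClusterRole, which is far more than a sidecar that only watches ConfigMaps needs; consider emitting `secrets` only when a sidecar is actually configured to read Secrets, and, if the chart has a namespaced Role path, steering single-namespace deployments to it. The gate is also out of step with the pod template in this same commit, which adds an `sc-alerts-volume` for `sidecar.alerts.enabled`: neither `sidecar.alerts.enabled` nor `sidecar.notifiers.enabled` appears in either `if or ...` on the rules, so enabling only one of those sidecars renders `rules: []` here unless a Role elsewhere covers it. A one-line fix is to extend both conditions, e.g. `{{- if or .Values.sidecar.alerts.enabled .Values.sidecar.notifiers.enabled .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled) }}`.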
@@ -2,23 +2,23 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ template "grafana.fullname" . }}-clusterrolebinding + name: {{ include "grafana.fullname" . }}-clusterrolebinding labels: {{- include "grafana.labels" . | nindent 4 }} -{{- with .Values.annotations }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} subjects: - kind: ServiceAccount - name: {{ template "grafana.serviceAccountName" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.serviceAccountName" . }} + namespace: {{ include "grafana.namespace" . }} roleRef: kind: ClusterRole -{{- if (not .Values.rbac.useExistingRole) }} - name: {{ template "grafana.fullname" . }}-clusterrole -{{- else }} + {{- if .Values.rbac.useExistingRole }} name: {{ .Values.rbac.useExistingRole }} -{{- end }} + {{- else }} + name: {{ include "grafana.fullname" . }}-clusterrole + {{- end }} apiGroup: rbac.authorization.k8s.io -{{- end -}} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap-dashboard-provider.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap-dashboard-provider.yaml index 65d7385..1f706a8 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap-dashboard-provider.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap-dashboard-provider.yaml 
@@ -1,29 +1,29 @@ -{{- if .Values.sidecar.dashboards.enabled }} +{{- if and .Values.sidecar.dashboards.enabled .Values.sidecar.dashboards.SCProvider }} apiVersion: v1 kind: ConfigMap metadata: labels: {{- include "grafana.labels" . | nindent 4 }} -{{- with .Values.annotations }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} - name: {{ template "grafana.fullname" . }}-config-dashboards - namespace: {{ template "grafana.namespace" . }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "grafana.fullname" . }}-config-dashboards + namespace: {{ include "grafana.namespace" . }} data: provider.yaml: |- apiVersion: 1 providers: - - name: '{{ .Values.sidecar.dashboards.provider.name }}' - orgId: {{ .Values.sidecar.dashboards.provider.orgid }} - {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} - folder: '{{ .Values.sidecar.dashboards.provider.folder }}' - {{- end}} - type: {{ .Values.sidecar.dashboards.provider.type }} - disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }} - allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }} - updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }} - options: - foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} - path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . 
}}{{- end }} -{{- end}} + - name: '{{ .Values.sidecar.dashboards.provider.name }}' + orgId: {{ .Values.sidecar.dashboards.provider.orgid }} + {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + folder: '{{ .Values.sidecar.dashboards.provider.folder }}' + {{- end }} + type: {{ .Values.sidecar.dashboards.provider.type }} + disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }} + allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }} + updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }} + options: + foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml index 3f51995..b0735a2 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/configmap.yaml 
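Review bot: `name: '{{ .Values.sidecar.dashboards.provider.name }}'` and `folder: '{{ .Values.sidecar.dashboards.provider.folder }}'` interpolate the values inside hand-written single quotes without escaping, so a provider name or folder containing `'` breaks the provisioning YAML at runtime rather than at render time. Use the quoting filter instead, `name: {{ .Values.sidecar.dashboards.provider.name | quote }}` and `folder: {{ .Values.sidecar.dashboards.provider.folder | quote }}`, which escapes correctly. The new `and ... .SCProvider` guard matches the pod template's `sc-dashboard-provider` volume condition, so that part looks consistent.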
@@ -1,21 +1,22 @@ {{- if .Values.createConfigmap }} +{{- $root := . -}} apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- with .Values.annotations }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} data: -{{- if .Values.plugins }} - plugins: {{ join "," .Values.plugins }} -{{- end }} + {{- with .Values.plugins }} + plugins: {{ join "," . }} + {{- end }} grafana.ini: | -{{- range $elem, $elemVal := index .Values "grafana.ini" }} + {{- range $elem, $elemVal := index .Values "grafana.ini" }} {{- if not (kindIs "map" $elemVal) }} {{- if kindIs "invalid" $elemVal }} {{ $elem }} = @@ -25,8 +26,8 @@ data: {{ $elem }} = {{ $elemVal }} {{- end }} {{- end }} -{{- end }} -{{- range $key, $value := index .Values "grafana.ini" }} + {{- end }} + {{- range $key, $value := index .Values "grafana.ini" }} {{- if kindIs "map" $value }} [{{ $key }}] {{- range $elem, $elemVal := $value }} 
@@ -39,37 +40,27 @@ data: {{- end }} {{- end }} {{- end }} -{{- end }} + {{- end }} -{{- if .Values.datasources }} -{{ $root := . }} {{- range $key, $value := .Values.datasources }} - {{ $key }}: | -{{ tpl (toYaml $value | indent 4) $root }} - {{- end -}} -{{- end -}} + {{- $key | nindent 2 }}: | + {{- tpl (toYaml $value | nindent 4) $root }} + {{- end }} -{{- if .Values.notifiers }} {{- range $key, $value := .Values.notifiers }} - {{ $key }}: | -{{ toYaml $value | indent 4 }} - {{- end -}} -{{- end -}} + {{- $key | nindent 2 }}: | + {{- toYaml $value | nindent 4 }} + {{- end }} -{{- if .Values.alerting }} -{{ $root := . }} {{- range $key, $value := .Values.alerting }} - {{ $key }}: | -{{ tpl $value $root | indent 4 }} - {{- end -}} -{{- end -}} + {{- $key | nindent 2 }}: | + {{- tpl (toYaml $value | nindent 4) $root }} + {{- end }} -{{- if .Values.dashboardProviders }} {{- range $key, $value := .Values.dashboardProviders }} - {{ $key }}: | -{{ toYaml $value | indent 4 }} - {{- end -}} -{{- end -}} + {{- $key | nindent 2 }}: | + {{- toYaml $value | nindent 4 }} + {{- end }} {{- if .Values.dashboards }} download_dashboards.sh: | 
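Review bot: The `alerting` entries are now rendered with `{{- tpl (toYaml $value | nindent 4) $root }}` where the old code used `{{ tpl $value $root | indent 4 }}`; the old form accepted a string per key and wrote its content, while `toYaml` of a string yields a quoted scalar or `|-` block, so existing values that supply alerting rules as strings now produce a corrupted provisioning file without any render error. Either document the map-only contract in the values and changelog, or guard it with `{{- if kindIs "string" $value }}{{ fail (printf "alerting.%s must be a map" $key) }}{{- end }}`. Note also that `datasources` (which commonly carry `secureJsonData` credentials) are still rendered through `tpl` into this ConfigMap rather than a Secret, so the values documentation should point users at `envRenderSecret`/`envFromSecret` or external secret references for credentials. The `data:` mapping this hunk extends starts before the hunk.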
@@ -101,17 +92,34 @@ data: -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \ {{- end }} -H "Content-Type: application/json;charset=UTF-8" \ - {{ end }} - {{- $dpPath := "" -}} - {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers -}} - {{- if eq $kd.name $provider -}} - {{- $dpPath = $kd.options.path -}} - {{- end -}} - {{- end -}} - {{- if $value.url -}}"{{ $value.url }}"{{- else -}}"https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download"{{- end -}}{{ if $value.datasource }} | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g'{{ end }}{{- if $value.b64content -}} | base64 -d {{- end -}} \ - > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json" {{- end }} - {{- end -}} + {{- $dpPath := "" -}} + {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers }} + {{- if eq $kd.name $provider }} + {{- $dpPath = $kd.options.path }} + {{- end }} + {{- end }} + {{- if $value.url }} + "{{ $value.url }}" \ + {{- else }} + "https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download" \ + {{- end }} + {{- if $value.datasource }} + {{- if kindIs "string" $value.datasource }} + | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g' \ + {{- end }} + {{- if kindIs "slice" $value.datasource }} + {{- range $value.datasource }} + | sed '/-- .* --/! s/${{"{"}}{{ .name }}}/{{ .value }}/g' \ + {{- end }} + {{- end }} + {{- end }} + {{- if $value.b64content }} + | base64 -d \ + {{- end }} + > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json" + {{ end }} + {{- end }} {{- end }} {{- end }} {{- end }} 
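Review bot: The new slice branch builds a shell/sed expression from values, `| sed '/-- .* --/! s/${{"{"}}{{ .name }}}/{{ .value }}/g' \`, with `.name` and `.value` interpolated unescaped inside single quotes, so a value containing `/`, `&`, `\` or `'` breaks the sed program or escapes the quoting and runs arbitrary shell in the download init step. Validate at render time, e.g. `{{- if not (regexMatch "^[A-Za-z0-9_.:-]+$" .value) }}{{ fail (printf "dashboards.%s datasource value %q contains sed/shell metacharacters" $key .value) }}{{- end }}`, or escape those characters before interpolation. The context at the top of the hunk, `-H "PRIVATE-TOKEN: {{ $value.gitlabToken }}"`, also bakes a GitLab token into this ConfigMap in plaintext, readable by anything with configmap read (including the sidecar ClusterRole in this same change); consider sourcing it from a Secret-backed environment variable instead. The `download_dashboards.sh` script this hunk edits begins before the hunk.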
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/dashboards-json-configmap.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/dashboards-json-configmap.yaml index 59e0be6..df0ed0d 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/dashboards-json-configmap.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/dashboards-json-configmap.yaml @@ -4,8 +4,8 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "grafana.fullname" $ }}-dashboards-{{ $provider }} - namespace: {{ template "grafana.namespace" $ }} + name: {{ include "grafana.fullname" $ }}-dashboards-{{ $provider }} + namespace: {{ include "grafana.namespace" $ }} labels: {{- include "grafana.labels" $ | nindent 4 }} dashboard-provider: {{ $provider }} @@ -15,14 +15,14 @@ data: {{- range $key, $value := $dashboards }} {{- if (or (hasKey $value "json") (hasKey $value "file")) }} {{- $dashboardFound = true }} -{{ print $key | indent 2 }}.json: -{{- if hasKey $value "json" }} + {{- print $key | nindent 2 }}.json: + {{- if hasKey $value "json" }} |- -{{ $value.json | indent 6 }} -{{- end }} -{{- if hasKey $value "file" }} -{{ toYaml ( $files.Get $value.file ) | indent 4}} -{{- end }} + {{- $value.json | nindent 6 }} + {{- end }} + {{- if hasKey $value "file" }} + {{- toYaml ( $files.Get $value.file ) | nindent 4}} + {{- end }} {{- end }} {{- end }} {{- if not $dashboardFound }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml index fee9c33..96eac4d 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/deployment.yaml 
@@ -1,18 +1,18 @@ -{{ if (and (not .Values.useStatefulSet) (or (not .Values.persistence.enabled) (eq .Values.persistence.type "pvc"))) }} +{{- if (and (not .Values.useStatefulSet) (or (not .Values.persistence.enabled) (eq .Values.persistence.type "pvc"))) }} apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- if .Values.labels }} -{{ toYaml .Values.labels | indent 4 }} -{{- end }} -{{- with .Values.annotations }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: {{- if and (not .Values.autoscaling.enabled) (.Values.replicas) }} replicas: {{ .Values.replicas }} 
@@ -21,30 +21,30 @@ spec: selector: matchLabels: {{- include "grafana.selectorLabels" . | nindent 6 }} -{{- with .Values.deploymentStrategy }} + {{- with .Values.deploymentStrategy }} strategy: -{{ toYaml . | trim | indent 4 }} -{{- end }} + {{- toYaml . | trim | nindent 4 }} + {{- end }} template: metadata: labels: {{- include "grafana.selectorLabels" . | nindent 8 }} -{{- with .Values.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }} -{{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.envRenderSecret }} + {{- end }} + {{- if .Values.envRenderSecret }} checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }} -{{- end }} -{{- with .Values.podAnnotations }} -{{ toYaml . | indent 8 }} -{{- end }} + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: - {{- include "grafana.pod" . | indent 6 }} + {{- include "grafana.pod" . 
| nindent 6 }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/headless-service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/headless-service.yaml index b5faddc..caaed5d 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/headless-service.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/headless-service.yaml @@ -1,15 +1,16 @@ -{{- if or .Values.headlessService (and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "statefulset"))}} +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- if or .Values.headlessService (and .Values.persistence.enabled (not .Values.persistence.existingClaim) (has .Values.persistence.type $sts)) }} apiVersion: v1 kind: Service metadata: - name: {{ template "grafana.fullname" . }}-headless - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }}-headless + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- with .Values.annotations }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: clusterIP: None selector: diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/hpa.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/hpa.yaml index 9c186d7..f53dfc8 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/hpa.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/hpa.yaml 
@@ -1,20 +1,49 @@ +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} {{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: {{ include "grafana.hpa.apiVersion" . }} kind: HorizontalPodAutoscaler metadata: - name: {{ template "grafana.fullname" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: - app.kubernetes.io/name: {{ template "grafana.name" . }} - helm.sh/chart: {{ template "grafana.chart" . }} + app.kubernetes.io/name: {{ include "grafana.name" . }} + helm.sh/chart: {{ include "grafana.chart" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/instance: {{ .Release.Name }} spec: scaleTargetRef: apiVersion: apps/v1 + {{- if has .Values.persistence.type $sts }} + kind: StatefulSet + {{- else }} kind: Deployment - name: {{ template "grafana.fullname" . }} + {{- end }} + name: {{ include "grafana.fullname" . }} minReplicas: {{ .Values.autoscaling.minReplicas }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: -{{ toYaml .Values.autoscaling.metrics | indent 4 }} + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" .Capabilities.KubeVersion.Version }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" .Capabilities.KubeVersion.Version }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} {{- end }} 
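Review bot: The rewrite drops `.Values.autoscaling.metrics` (previously rendered verbatim with `toYaml`) in favour of `targetCPU`/`targetMemory` only, so any user-supplied custom metrics are now silently ignored and, when neither target is set, the HPA renders an empty `metrics:` list. Either keep a fallback, `{{- with .Values.autoscaling.metrics }}{{ toYaml . | nindent 4 }}{{- end }}`, or fail the render when none of the three is set. Separately, the metric field shape (`targetAverageUtilization` vs `target.averageUtilization`) is chosen by `semverCompare "<1.23-0"` while the `apiVersion` comes from `grafana.hpa.apiVersion` outside this hunk; `targetAverageUtilization` is only valid for `autoscaling/v2beta1`, so if that helper emits `v2beta2` on a pre-1.23 cluster the object is rejected — key both decisions on the same condition.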
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml index c558a86..b087179 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-deployment.yaml 
@@ -1,65 +1,65 @@ {{ if .Values.imageRenderer.enabled }} +{{- $root := . -}} apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "grafana.fullname" . }}-image-renderer - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }}-image-renderer + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.imageRenderer.labels" . | nindent 4 }} -{{- if .Values.imageRenderer.labels }} -{{ toYaml .Values.imageRenderer.labels | indent 4 }} -{{- end }} -{{- with .Values.imageRenderer.annotations }} + {{- with .Values.imageRenderer.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.imageRenderer.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.imageRenderer.replicas }} revisionHistoryLimit: {{ .Values.imageRenderer.revisionHistoryLimit }} selector: matchLabels: {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} -{{- with .Values.imageRenderer.deploymentStrategy }} + + {{- with .Values.imageRenderer.deploymentStrategy }} strategy: -{{ toYaml . | trim | indent 4 }} -{{- end }} + {{- toYaml . | trim | nindent 4 }} + {{- end }} template: metadata: labels: {{- include "grafana.imageRenderer.selectorLabels" . | nindent 8 }} -{{- with .Values.imageRenderer.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} + {{- with .Values.imageRenderer.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} -{{- with .Values.imageRenderer.podAnnotations }} -{{ toYaml . | indent 8 }} -{{- end }} + {{- with .Values.imageRenderer.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: - - {{- if .Values.imageRenderer.schedulerName }} - schedulerName: "{{ .Values.imageRenderer.schedulerName }}" + {{- with .Values.imageRenderer.schedulerName }} + schedulerName: "{{ . 
}}" {{- end }} - {{- if .Values.imageRenderer.serviceAccountName }} - serviceAccountName: "{{ .Values.imageRenderer.serviceAccountName }}" + {{- with .Values.imageRenderer.serviceAccountName }} + serviceAccountName: "{{ . }}" {{- end }} - {{- if .Values.imageRenderer.securityContext }} + {{- with .Values.imageRenderer.securityContext }} securityContext: - {{- toYaml .Values.imageRenderer.securityContext | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.imageRenderer.hostAliases }} + {{- with .Values.imageRenderer.hostAliases }} hostAliases: - {{- toYaml .Values.imageRenderer.hostAliases | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.imageRenderer.priorityClassName }} - priorityClassName: {{ .Values.imageRenderer.priorityClassName }} + {{- with .Values.imageRenderer.priorityClassName }} + priorityClassName: {{ . }} {{- end }} - {{- if .Values.imageRenderer.image.pullSecrets }} + {{- with .Values.imageRenderer.image.pullSecrets }} imagePullSecrets: - {{- $root := . }} - {{- range .Values.imageRenderer.image.pullSecrets }} + {{- range . }} - name: {{ tpl . $root }} - {{- end}} + {{- end}} {{- end }} containers: - name: {{ .Chart.Name }}-image-renderer @@ -69,12 +69,12 @@ spec: image: "{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}" {{- end }} imagePullPolicy: {{ .Values.imageRenderer.image.pullPolicy }} - {{- if .Values.imageRenderer.command }} + {{- if .Values.imageRenderer.command }} command: - {{- range .Values.imageRenderer.command }} + {{- range .Values.imageRenderer.command }} - {{ . }} - {{- end }} - {{- end}} + {{- end }} + {{- end}} ports: - name: {{ .Values.imageRenderer.service.portName }} containerPort: {{ .Values.imageRenderer.service.targetPort }} 
@@ -90,30 +90,28 @@ spec: - name: {{ $key | quote }} value: {{ $value | quote }} {{- end }} + {{- with .Values.imageRenderer.containerSecurityContext }} securityContext: - capabilities: - drop: ['all'] - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - mountPath: /tmp name: image-renderer-tmpfs - {{- with .Values.imageRenderer.resources }} + {{- with .Values.imageRenderer.resources }} resources: -{{ toYaml . | indent 12 }} - {{- end }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.imageRenderer.nodeSelector }} nodeSelector: -{{ toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} - {{- $root := . }} {{- with .Values.imageRenderer.affinity }} affinity: -{{ tpl (toYaml .) $root | indent 8 }} + {{- tpl (toYaml .) $root | nindent 8 }} {{- end }} {{- with .Values.imageRenderer.tolerations }} tolerations: -{{ toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} volumes: - name: image-renderer-tmpfs diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-network-policy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-network-policy.yaml index 0d9bdfe..fb69445 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-network-policy.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-network-policy.yaml 
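Review bot: The container `securityContext` that was hard-coded (`drop: ['all']`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`) is now rendered only inside `{{- with .Values.imageRenderer.containerSecurityContext }}`, so a deployment whose values do not set that key (older values files, or a user who sets it to `{}`) silently loses all of the renderer's hardening; whether values.yaml supplies a default is not visible in this hunk. Keep the previous settings as the fallback so an unset value cannot weaken the pod, as sketched below. The container spec this hunk edits starts before the hunk.

```yaml
          securityContext:
            {{- if .Values.imageRenderer.containerSecurityContext }}
            {{- toYaml .Values.imageRenderer.containerSecurityContext | nindent 12 }}
            {{- else }}
            {{- /* fallback: the hardening previously hard-coded here */}}
            capabilities:
              drop: ['all']
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            {{- end }}
          # … unchanged: volumeMounts, resources …
```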
@@ -1,18 +1,18 @@ -{{- if and (.Values.imageRenderer.enabled) (.Values.imageRenderer.networkPolicy.limitIngress) }} +{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitIngress }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ template "grafana.fullname" . }}-image-renderer-ingress - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }}-image-renderer-ingress + namespace: {{ include "grafana.namespace" . }} annotations: comment: Limit image-renderer ingress traffic from grafana spec: podSelector: matchLabels: {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} - {{- if .Values.imageRenderer.podLabels }} - {{ toYaml .Values.imageRenderer.podLabels | nindent 6 }} + {{- with .Values.imageRenderer.podLabels }} + {{- toYaml . | nindent 6 }} {{- end }} policyTypes: 
@@ -24,30 +24,30 @@ spec: from: - namespaceSelector: matchLabels: - name: {{ template "grafana.namespace" . }} - podSelector: + name: {{ include "grafana.namespace" . }} + - podSelector: matchLabels: {{- include "grafana.selectorLabels" . | nindent 14 }} - {{- if .Values.podLabels }} - {{ toYaml .Values.podLabels | nindent 14 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 14 }} {{- end }} -{{ end }} +{{- end }} -{{- if and (.Values.imageRenderer.enabled) (.Values.imageRenderer.networkPolicy.limitEgress) }} +{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitEgress }} --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ template "grafana.fullname" . }}-image-renderer-egress - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }}-image-renderer-egress + namespace: {{ include "grafana.namespace" . }} annotations: comment: Limit image-renderer egress traffic to grafana spec: podSelector: matchLabels: {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} - {{- if .Values.imageRenderer.podLabels }} - {{ toYaml .Values.imageRenderer.podLabels | nindent 6 }} + {{- with .Values.imageRenderer.podLabels }} + {{- toYaml . | nindent 6 }} {{- end }} policyTypes: @@ -67,7 +67,7 @@ spec: - podSelector: matchLabels: {{- include "grafana.selectorLabels" . | nindent 14 }} - {{- if .Values.podLabels }} - {{ toYaml .Values.podLabels | nindent 14 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 14 }} {{- end }} -{{ end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-service.yaml index fcf707a..f8da127 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-service.yaml 
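Review bot: The ingress `from` list changes shape in the first hunk on this line: the old side nests `podSelector:` inside the same peer as `namespaceSelector:` (grafana-labelled pods within the named namespace), while the new side emits `- podSelector:` as a separate list entry. Separate peers in a NetworkPolicy are OR-ed, so the new policy also admits every pod from any namespace labelled `name: <grafana namespace>` regardless of its labels, which widens what `limitIngress` guarantees; this reading rests on the `podSelector:` → `- podSelector:` marker change, since indentation is lost in this rendering. If the intent was only the `template`→`include` and `if`→`with` cleanup, the podSelector should stay inside the same peer; if the widening is deliberate, a comment such as `# any pod in the grafana namespace may reach the renderer` would make that explicit. The `@@ -67,7 +67,7 @@` egress hunk sharing this line is a pure refactor.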
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/image-renderer-service.yaml @@ -1,33 +1,31 @@ -{{ if .Values.imageRenderer.enabled }} -{{ if .Values.imageRenderer.service.enabled }} +{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.service.enabled }} apiVersion: v1 kind: Service metadata: - name: {{ template "grafana.fullname" . }}-image-renderer - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }}-image-renderer + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.imageRenderer.labels" . | nindent 4 }} -{{- if .Values.imageRenderer.service.labels }} -{{ toYaml .Values.imageRenderer.service.labels | indent 4 }} -{{- end }} -{{- with .Values.imageRenderer.service.annotations }} + {{- with .Values.imageRenderer.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.imageRenderer.service.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: type: ClusterIP - {{- if .Values.imageRenderer.service.clusterIP }} - clusterIP: {{ .Values.imageRenderer.service.clusterIP }} - {{end}} + {{- with .Values.imageRenderer.service.clusterIP }} + clusterIP: {{ . }} + {{- end }} ports: - name: {{ .Values.imageRenderer.service.portName }} port: {{ .Values.imageRenderer.service.port }} protocol: TCP targetPort: {{ .Values.imageRenderer.service.targetPort }} - {{- if .Values.imageRenderer.appProtocol }} - appProtocol: {{ .Values.imageRenderer.appProtocol }} + {{- with .Values.imageRenderer.appProtocol }} + appProtocol: {{ . }} {{- end }} selector: {{- include "grafana.imageRenderer.selectorLabels" . | nindent 4 }} -{{ end }} -{{ end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/ingress.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/ingress.yaml index 7699cec..063cdfa 100644 
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/ingress.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/ingress.yaml @@ -11,15 +11,15 @@ apiVersion: {{ include "grafana.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ $fullName }} - namespace: {{ template "grafana.namespace" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- if .Values.ingress.labels }} -{{ toYaml .Values.ingress.labels | indent 4 }} -{{- end }} - {{- if .Values.ingress.annotations }} + {{- with .Values.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingress.annotations }} annotations: - {{- range $key, $value := .Values.ingress.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ tpl $value $ | quote }} {{- end }} {{- end }} @@ -27,19 +27,19 @@ spec: {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }} ingressClassName: {{ .Values.ingress.ingressClassName }} {{- end -}} -{{- if .Values.ingress.tls }} + {{- with .Values.ingress.tls }} tls: -{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }} -{{- end }} + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} rules: {{- if .Values.ingress.hosts }} {{- range .Values.ingress.hosts }} - - host: {{ tpl . $}} + - host: {{ tpl . $ }} http: paths: -{{- if $extraPaths }} -{{ toYaml $extraPaths | indent 10 }} -{{- end }} + {{- with $extraPaths }} + {{- toYaml . | nindent 10 }} + {{- end }} - path: {{ $ingressPath }} {{- if $ingressSupportsPathType }} pathType: {{ $ingressPathType }} @@ -68,8 +68,8 @@ spec: serviceName: {{ $fullName }} servicePort: {{ $servicePort }} {{- end }} - {{- if $ingressPath }} - path: {{ $ingressPath }} + {{- with $ingressPath }} + path: {{ . }} {{- end }} {{- if $ingressSupportsPathType }} pathType: {{ $ingressPathType }} 
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/networkpolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/networkpolicy.yaml index b751d94..ea4578b 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/networkpolicy.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/networkpolicy.yaml @@ -2,12 +2,12 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} {{- with .Values.labels }} - {{ toYaml . | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} {{- with .Values.annotations }} annotations: @@ -23,7 +23,7 @@ spec: {{- end }} podSelector: matchLabels: - {{- include "grafana.selectorLabels" . | nindent 6 }} + {{- include "grafana.selectorLabels" . | nindent 6 }} {{- if .Values.networkPolicy.egress.enabled }} egress: @@ -38,7 +38,7 @@ spec: from: - podSelector: matchLabels: - {{ template "grafana.fullname" . }}-client: "true" + {{ include "grafana.fullname" . }}-client: "true" {{- with .Values.networkPolicy.explicitNamespacesSelector }} - namespaceSelector: {{- toYaml . | nindent 12 }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/poddisruptionbudget.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/poddisruptionbudget.yaml index 70901b7..0525121 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/poddisruptionbudget.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/poddisruptionbudget.yaml 
@@ -2,20 +2,20 @@ apiVersion: {{ include "grafana.podDisruptionBudget.apiVersion" . }} kind: PodDisruptionBudget metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- if .Values.labels }} -{{ toYaml .Values.labels | indent 4 }} -{{- end }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: -{{- if .Values.podDisruptionBudget.minAvailable }} - minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.podDisruptionBudget.maxUnavailable }} - maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} -{{- end }} + {{- with .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} + {{- end }} + {{- with .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} selector: matchLabels: {{- include "grafana.selectorLabels" . | nindent 6 }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/podsecuritypolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/podsecuritypolicy.yaml index d9905c6..eed7af9 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/podsecuritypolicy.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/podsecuritypolicy.yaml @@ -1,9 +1,8 @@ -{{- if .Values.rbac.pspEnabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "grafana.fullname" . }} + name: {{ include "grafana.fullname" . }} labels: {{- include "grafana.labels" . | nindent 4 }} annotations: 
@@ -48,4 +47,3 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} -{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/pvc.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/pvc.yaml index 8d93f5c..eb8f87f 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/pvc.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/pvc.yaml @@ -2,17 +2,20 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.persistence.extraPvcLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- with .Values.persistence.annotations }} annotations: -{{ toYaml . | indent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} {{- with .Values.persistence.finalizers }} finalizers: -{{ toYaml . | indent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} spec: accessModes: @@ -22,12 +25,12 @@ spec: resources: requests: storage: {{ .Values.persistence.size | quote }} - {{- if .Values.persistence.storageClassName }} - storageClassName: {{ .Values.persistence.storageClassName }} - {{- end -}} + {{- with .Values.persistence.storageClassName }} + storageClassName: {{ . }} + {{- end }} {{- with .Values.persistence.selectorLabels }} selector: matchLabels: -{{ toYaml . | indent 6 }} + {{- toYaml . | nindent 6 }} {{- end }} -{{- end -}} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/role.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/role.yaml index ff2160f..ffdb16f 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/role.yaml 
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/role.yaml 
@@ -1,31 +1,31 @@ {{- if and .Values.rbac.create (not .Values.rbac.useExistingRole) -}} -apiVersion: {{ template "grafana.rbac.apiVersion" . }} +apiVersion: {{ include "grafana.rbac.apiVersion" . }} kind: Role metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- with .Values.annotations }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} -{{- if or .Values.rbac.pspEnabled (and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled (or .Values.sidecar.plugins.enabled .Values.rbac.extraRoleRules)))) }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- if or .Values.rbac.pspEnabled (and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.rbac.extraRoleRules)) }} rules: -{{- if .Values.rbac.pspEnabled }} -- apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: [{{ template "grafana.fullname" . }}] -{{- end }} -{{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled)) }} -- apiGroups: [""] # "" indicates the core API group - resources: ["configmaps", "secrets"] - verbs: ["get", "watch", "list"] -{{- end }} -{{- with .Values.rbac.extraRoleRules }} -{{ toYaml . | indent 0 }} -{{- end}} + {{- if .Values.rbac.pspEnabled }} + - apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ include "grafana.fullname" . 
}}] + {{- end }} + {{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled) }} + - apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] + {{- end }} + {{- with .Values.rbac.extraRoleRules }} + {{- toYaml . | nindent 2 }} + {{- end}} {{- else }} rules: [] {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/rolebinding.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/rolebinding.yaml index e010725..cc07bd9 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/rolebinding.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/rolebinding.yaml 
@@ -1,25 +1,25 @@ -{{- if .Values.rbac.create -}} -apiVersion: {{ template "grafana.rbac.apiVersion" . }} +{{- if .Values.rbac.create }} +apiVersion: {{ include "grafana.rbac.apiVersion" . }} kind: RoleBinding metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- with .Values.annotations }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role -{{- if (not .Values.rbac.useExistingRole) }} - name: {{ template "grafana.fullname" . }} -{{- else }} + {{- if .Values.rbac.useExistingRole }} name: {{ .Values.rbac.useExistingRole }} -{{- end }} + {{- else }} + name: {{ include "grafana.fullname" . }} + {{- end }} subjects: - kind: ServiceAccount - name: {{ template "grafana.serviceAccountName" . }} - namespace: {{ template "grafana.namespace" . }} -{{- end -}} + name: {{ include "grafana.serviceAccountName" . }} + namespace: {{ include "grafana.namespace" . }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/secret-env.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/secret-env.yaml index 5c09313..c765567 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/secret-env.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/secret-env.yaml 
@@ -2,13 +2,13 @@ apiVersion: v1 kind: Secret metadata: - name: {{ template "grafana.fullname" . }}-env - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }}-env + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} type: Opaque data: {{- range $key, $val := .Values.envRenderSecret }} {{ $key }}: {{ $val | b64enc | quote }} -{{- end -}} +{{- end }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/secret.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/secret.yaml index c8aa750..5cbd527 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/secret.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/secret.yaml @@ -2,14 +2,14 @@ apiVersion: v1 kind: Secret metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- with .Values.annotations }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} type: Opaque data: {{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }} @@ -17,7 +17,7 @@ data: {{- if .Values.adminPassword }} admin-password: {{ .Values.adminPassword | b64enc | quote }} {{- else }} - admin-password: {{ template "grafana.password" . }} + admin-password: {{ include "grafana.password" . }} {{- end }} {{- end }} {{- if not .Values.ldap.existingSecret }} 
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/service.yaml index d0a1756..43d360b 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/service.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/service.yaml 
@@ -1,55 +1,55 @@ -{{ if .Values.service.enabled }} +{{- if .Values.service.enabled }} +{{- $root := . }} apiVersion: v1 kind: Service metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- if .Values.service.labels }} -{{ toYaml .Values.service.labels | indent 4 }} -{{- end }} -{{- $root := . }} -{{- with .Values.service.annotations }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.service.annotations }} annotations: -{{ tpl (toYaml . | indent 4) $root }} -{{- end }} -spec: -{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} - type: ClusterIP - {{- if .Values.service.clusterIP }} - clusterIP: {{ .Values.service.clusterIP }} - {{end}} -{{- else if eq .Values.service.type "LoadBalancer" }} - type: {{ .Values.service.type }} - {{- if .Values.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- tpl (toYaml . | nindent 4) $root }} {{- end }} - {{- if .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} - {{- end -}} -{{- else }} +spec: + {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} + type: ClusterIP + {{- with .Values.service.clusterIP }} + clusterIP: {{ . }} + {{- end }} + {{- else if eq .Values.service.type "LoadBalancer" }} type: {{ .Values.service.type }} -{{- end }} -{{- if .Values.service.externalIPs }} + {{- with .Values.service.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . 
| nindent 4 }} + {{- end }} + {{- else }} + type: {{ .Values.service.type }} + {{- end }} + {{- with .Values.service.externalIPs }} externalIPs: -{{ toYaml .Values.service.externalIPs | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} ports: - name: {{ .Values.service.portName }} port: {{ .Values.service.port }} protocol: TCP targetPort: {{ .Values.service.targetPort }} - {{- if .Values.service.appProtocol }} - appProtocol: {{ .Values.service.appProtocol }} + {{- with .Values.service.appProtocol }} + appProtocol: {{ . }} {{- end }} {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} - nodePort: {{.Values.service.nodePort}} - {{ end }} - {{- if .Values.extraExposePorts }} - {{- tpl (toYaml .Values.extraExposePorts) . | nindent 4 }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + {{- with .Values.extraExposePorts }} + {{- tpl (toYaml . | nindent 4) $root }} {{- end }} selector: {{- include "grafana.selectorLabels" . | nindent 4 }} -{{ end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/serviceaccount.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/serviceaccount.yaml index 4ccee15..784e71b 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/serviceaccount.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/serviceaccount.yaml 
@@ -1,14 +1,17 @@ {{- if .Values.serviceAccount.create }} +{{- $root := . -}} apiVersion: v1 kind: ServiceAccount metadata: labels: {{- include "grafana.labels" . | nindent 4 }} -{{- $root := . }} -{{- with .Values.serviceAccount.annotations }} + {{- with .Values.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccount.annotations }} annotations: -{{ tpl (toYaml . | indent 4) $root }} -{{- end }} - name: {{ template "grafana.serviceAccountName" . }} - namespace: {{ template "grafana.namespace" . }} + {{- tpl (toYaml . | nindent 4) $root }} + {{- end }} + name: {{ include "grafana.serviceAccountName" . }} + namespace: {{ include "grafana.namespace" . }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/servicemonitor.yaml index 0876a63..6575fb9 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/servicemonitor.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/servicemonitor.yaml @@ -3,16 +3,16 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: - name: {{ template "grafana.fullname" . }} + name: {{ include "grafana.fullname" . }} {{- if .Values.serviceMonitor.namespace }} namespace: {{ tpl .Values.serviceMonitor.namespace . }} {{- else }} - namespace: {{ template "grafana.namespace" . }} + namespace: {{ include "grafana.namespace" . }} {{- end }} labels: {{- include "grafana.labels" . | nindent 4 }} - {{- if .Values.serviceMonitor.labels }} - {{- toYaml .Values.serviceMonitor.labels | nindent 4 }} + {{- with .Values.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} {{- end }} spec: endpoints: 
@@ -26,19 +26,19 @@ spec: honorLabels: true path: {{ .Values.serviceMonitor.path }} scheme: {{ .Values.serviceMonitor.scheme }} - {{- if .Values.serviceMonitor.tlsConfig }} + {{- with .Values.serviceMonitor.tlsConfig }} tlsConfig: - {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 6 }} + {{- toYaml . | nindent 6 }} {{- end }} - {{- if .Values.serviceMonitor.relabelings }} + {{- with .Values.serviceMonitor.relabelings }} relabelings: - {{- toYaml .Values.serviceMonitor.relabelings | nindent 4 }} + {{- toYaml . | nindent 6 }} {{- end }} jobLabel: "{{ .Release.Name }}" selector: matchLabels: - {{- include "grafana.selectorLabels" . | nindent 8 }} + {{- include "grafana.selectorLabels" . | nindent 6 }} namespaceSelector: matchNames: - - {{ template "grafana.namespace" . }} + - {{ include "grafana.namespace" . }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml index b308dec..acfab4d 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/statefulset.yaml 
@@ -1,38 +1,39 @@ -{{- if (or (.Values.useStatefulSet) (and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "statefulset")))}} +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- if (or (.Values.useStatefulSet) (and .Values.persistence.enabled (not .Values.persistence.existingClaim) (has .Values.persistence.type $sts)))}} apiVersion: apps/v1 kind: StatefulSet metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} labels: {{- include "grafana.labels" . | nindent 4 }} -{{- with .Values.annotations }} + {{- with .Values.annotations }} annotations: -{{ toYaml . | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.replicas }} selector: matchLabels: {{- include "grafana.selectorLabels" . | nindent 6 }} - serviceName: {{ template "grafana.fullname" . }}-headless + serviceName: {{ include "grafana.fullname" . }}-headless template: metadata: labels: {{- include "grafana.selectorLabels" . | nindent 8 }} -{{- with .Values.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . 
| sha256sum }} - {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} -{{- end }} -{{- with .Values.podAnnotations }} -{{ toYaml . | indent 8 }} -{{- end }} + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} spec: {{- include "grafana.pod" . | nindent 6 }} {{- if .Values.persistence.enabled}} @@ -48,7 +49,7 @@ spec: {{- with .Values.persistence.selectorLabels }} selector: matchLabels: -{{ toYaml . | indent 10 }} + {{- toYaml . | nindent 10 }} {{- end }} {{- end }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-configmap.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-configmap.yaml index 772ecbb..01c96c9 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-configmap.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-configmap.yaml 
@@ -2,14 +2,17 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "grafana.fullname" . }}-test - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }}-test + namespace: {{ include "grafana.namespace" . }} + annotations: + "helm.sh/hook": test-success + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" labels: {{- include "grafana.labels" . | nindent 4 }} data: run.sh: |- @test "Test Health" { - url="http://{{ template "grafana.fullname" . }}/api/health" + url="http://{{ include "grafana.fullname" . }}/api/health" code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}') [ "$code" == "200" ] diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-podsecuritypolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-podsecuritypolicy.yaml index 6ccc7a7..1821772 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-podsecuritypolicy.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-podsecuritypolicy.yaml @@ -1,9 +1,11 @@ -{{- if and .Values.testFramework.enabled .Values.rbac.pspEnabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.testFramework.enabled .Values.rbac.pspEnabled }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "grafana.fullname" . }}-test + name: {{ include "grafana.fullname" . }}-test + annotations: + "helm.sh/hook": test-success + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" labels: {{- include "grafana.labels" . | nindent 4 }} spec: 
@@ -21,11 +23,10 @@ spec: runAsUser: rule: RunAsAny volumes: - - configMap - - downwardAPI - - emptyDir - - projected - - csi - - secret -{{- end }} + - configMap + - downwardAPI + - emptyDir + - projected + - csi + - secret {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-role.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-role.yaml index 6b10677..cb4c782 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-role.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-role.yaml @@ -1,14 +1,17 @@ -{{- if and .Values.testFramework.enabled .Values.rbac.pspEnabled -}} +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.testFramework.enabled .Values.rbac.pspEnabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "grafana.fullname" . }}-test - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }}-test + namespace: {{ include "grafana.namespace" . }} + annotations: + "helm.sh/hook": test-success + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" labels: {{- include "grafana.labels" . | nindent 4 }} rules: -- apiGroups: ['policy'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: [{{ template "grafana.fullname" . }}-test] + - apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ include "grafana.fullname" . }}-test] {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-rolebinding.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-rolebinding.yaml index 58fa5e7..f40d791 100644 
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-rolebinding.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-rolebinding.yaml @@ -1,17 +1,20 @@ -{{- if and .Values.testFramework.enabled .Values.rbac.pspEnabled -}} +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.testFramework.enabled .Values.rbac.pspEnabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "grafana.fullname" . }}-test - namespace: {{ template "grafana.namespace" . }} + name: {{ include "grafana.fullname" . }}-test + namespace: {{ include "grafana.namespace" . }} + annotations: + "helm.sh/hook": test-success + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" labels: {{- include "grafana.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "grafana.fullname" . }}-test + name: {{ include "grafana.fullname" . }}-test subjects: -- kind: ServiceAccount - name: {{ template "grafana.serviceAccountNameTest" . }} - namespace: {{ template "grafana.namespace" . }} + - kind: ServiceAccount + name: {{ include "grafana.serviceAccountNameTest" . }} + namespace: {{ include "grafana.namespace" . }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-serviceaccount.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-serviceaccount.yaml index 5c33507..38fba35 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-serviceaccount.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test-serviceaccount.yaml 
@@ -4,6 +4,9 @@ kind: ServiceAccount
 metadata:
 labels:
 {{- include "grafana.labels" . | nindent 4 }}
- name: {{ template "grafana.serviceAccountNameTest" . }}
- namespace: {{ template "grafana.namespace" . }}
+ name: {{ include "grafana.serviceAccountNameTest" . }}
+ namespace: {{ include "grafana.namespace" . }}
+ annotations:
+ "helm.sh/hook": test-success
+ "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
 {{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test.yaml
index ef43d80..9fb8842 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/templates/tests/test.yaml
@@ -1,38 +1,36 @@ {{- if .Values.testFramework.enabled }} +{{- $root := . }} apiVersion: v1 kind: Pod metadata: - name: {{ template "grafana.fullname" . }}-test + name: {{ include "grafana.fullname" . }}-test labels: {{- include "grafana.labels" . | nindent 4 }} annotations: "helm.sh/hook": test-success "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" - namespace: {{ template "grafana.namespace" . }} + namespace: {{ include "grafana.namespace" . }} spec: - serviceAccountName: {{ template "grafana.serviceAccountNameTest" . }} - {{- if .Values.testFramework.securityContext }} - securityContext: {{ toYaml .Values.testFramework.securityContext | nindent 4 }} + serviceAccountName: {{ include "grafana.serviceAccountNameTest" . }} + {{- with .Values.testFramework.securityContext }} + securityContext: + {{- toYaml . | nindent 4 }} {{- end }} - {{- $root := . }} - {{- if .Values.image.pullSecrets }} + {{- if or .Values.image.pullSecrets .Values.global.imagePullSecrets }} imagePullSecrets: - {{- range .Values.image.pullSecrets }} - - name: {{ tpl . $root }} - {{- end}} + {{- include "grafana.imagePullSecrets" (dict "root" $root "imagePullSecrets" .Values.image.pullSecrets) | nindent 4 }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: -{{ toYaml . | indent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} - {{- $root := . }} {{- with .Values.affinity }} affinity: -{{ tpl (toYaml .) $root | indent 4 }} + {{- tpl (toYaml .) $root | nindent 4 }} {{- end }} {{- with .Values.tolerations }} tolerations: -{{ toYaml . | indent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} containers: - name: {{ .Release.Name }}-test @@ -44,8 +42,8 @@ spec: name: tests readOnly: true volumes: - - name: tests - configMap: - name: {{ template "grafana.fullname" . }}-test + - name: tests + configMap: + name: {{ include "grafana.fullname" . }}-test restartPolicy: Never {{- end }} 
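Review bot: The test Pod's pod-level securityContext is emitted only `with .Values.testFramework.securityContext`, so an empty value leaves the hook pod with no hardening at all, and nothing in this hunk sets a container-level securityContext (the container definition after `- name: {{ .Release.Name }}-test` continues outside the hunk). Since the sibling PSP templates are now gated on the policy/v1beta1 API, on clusters without PSP this pod is constrained only by Pod Security Admission, where enabled. Worth documenting next to `testFramework.securityContext` in values.yaml that it should be populated (e.g. `runAsNonRoot: true`, `seccompProfile: {type: RuntimeDefault}`) rather than left empty; the chart's current default for it is not visible here.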
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml index f1aaea1..bc1834f 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/grafana/values.yaml @@ -1,3 +1,18 @@ +global: + # To help compatibility with other charts which use global.imagePullSecrets. + # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). + # Can be tempalted. + # global: + # imagePullSecrets: + # - name: pullSecret1 + # - name: pullSecret2 + # or + # global: + # imagePullSecrets: + # - pullSecret1 + # - pullSecret2 + imagePullSecrets: [] + rbac: create: true ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true) @@ -17,6 +32,8 @@ serviceAccount: create: true name: nameTest: + ## ServiceAccount labels. + labels: {} ## Service account annotations. Can be templated. # annotations: # eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here @@ -31,17 +48,10 @@ headlessService: false # autoscaling: enabled: false -# minReplicas: 1 -# maxReplicas: 10 -# metrics: -# - type: Resource -# resource: -# name: cpu -# targetAverageUtilization: 60 -# - type: Resource -# resource: -# name: memory -# targetAverageUtilization: 60 + minReplicas: 1 + maxReplicas: 5 + targetCPU: "60" + targetMemory: "" ## See `kubectl explain poddisruptionbudget.spec` for more ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ @@ -84,7 +94,7 @@ image: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## Can be templated. ## - # pullSecrets: + pullSecrets: [] # - myRegistrKeySecretName testFramework: 
@@ -99,8 +109,7 @@ securityContext: runAsGroup: 472 fsGroup: 472 -containerSecurityContext: - {} +containerSecurityContext: {} # Enable creating the grafana configmap createConfigmap: true @@ -128,7 +137,7 @@ extraLabels: {} downloadDashboardsImage: repository: curlimages/curl - tag: 7.73.0 + tag: 7.85.0 sha: "" pullPolicy: IfNotPresent @@ -137,6 +146,11 @@ downloadDashboards: envFromSecret: "" resources: {} securityContext: {} + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key ## Pod Annotations # podAnnotations: {} @@ -307,6 +321,8 @@ persistence: # subPath: "" ## Name of an existing PVC. Can be templated. # existingClaim: + ## Extra labels to apply to a PVC. + extraPvcLabels: {} ## If persistence is not enabled, this allows to mount the ## local storage in-memory to improve performance @@ -321,7 +337,7 @@ persistence: initChownData: ## If false, data ownership will not be reset at startup - ## This allows the prometheus-server to be run with an arbitrary user + ## This allows the grafana-server to be run with an arbitrary user ## enabled: true @@ -343,6 +359,9 @@ initChownData: # requests: # cpu: 100m # memory: 128Mi + securityContext: + runAsNonRoot: false + runAsUser: 0 # Administrator credentials when not using an existing secret (see below) @@ -363,11 +382,6 @@ admin: # - "sh" # - "/run.sh" -## Use an alternate scheduler, e.g. "stork". -## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -# schedulerName: - ## Extra environment variables that will be pass onto deployment pods ## ## to provide grafana with access to CloudWatch on AWS EKS: 
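Review bot: The new `initChownData.securityContext` default pins the init container to `runAsUser: 0` with `runAsNonRoot: false` but does not say why, and root here keeps the full default capability set. A comment such as `# runs as root so it can chown the data volume to 472; keep capabilities minimal` would help, and if the template passes this map through unchanged (not visible in this hunk) the default could also carry `capabilities: {drop: [ALL], add: [CHOWN]}` (plus DAC_OVERRIDE only if existing data directories are not traversable by others), so a compromise of the init step is not a fully privileged root. Clusters enforcing the `restricted` Pod Security Standard will reject this pod as written, which is worth stating next to `enabled: true`.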
@@ -522,66 +536,66 @@ datasources: {} ## ref: http://docs.grafana.org/administration/provisioning/#alerting ## alerting: {} -# rules.yaml: | -# apiVersion: 1 -# groups: -# - orgId: 1 -# name: {{ .Chart.Name }}_my_rule_group -# folder: my_first_folder -# interval: 60s -# rules: -# - uid: my_id_1 -# title: my_first_rule -# condition: A -# data: -# - refId: A -# datasourceUid: '-100' -# model: -# conditions: -# - evaluator: -# params: -# - 3 -# type: gt -# operator: -# type: and -# query: -# params: -# - A -# reducer: -# type: last -# type: query -# datasource: -# type: __expr__ -# uid: '-100' -# expression: 1==0 -# intervalMs: 1000 -# maxDataPoints: 43200 -# refId: A -# type: math -# dashboardUid: my_dashboard -# panelId: 123 -# noDataState: Alerting -# for: 60s -# annotations: -# some_key: some_value -# labels: -# team: sre_team_1 -# contactpoints.yaml: | -# apiVersion: 1 -# contactPoints: -# - orgId: 1 -# name: cp_1 -# receivers: -# - uid: first_uid -# type: pagerduty -# settings: -# integrationKey: XXX -# severity: critical -# class: ping failure -# component: Grafana -# group: app-stack -# summary: | -# {{ `{{ template "default.message" . 
}}` }} + # rules.yaml: + # apiVersion: 1 + # groups: + # - orgId: 1 + # name: '{{ .Chart.Name }}_my_rule_group' + # folder: my_first_folder + # interval: 60s + # rules: + # - uid: my_id_1 + # title: my_first_rule + # condition: A + # data: + # - refId: A + # datasourceUid: '-100' + # model: + # conditions: + # - evaluator: + # params: + # - 3 + # type: gt + # operator: + # type: and + # query: + # params: + # - A + # reducer: + # type: last + # type: query + # datasource: + # type: __expr__ + # uid: '-100' + # expression: 1==0 + # intervalMs: 1000 + # maxDataPoints: 43200 + # refId: A + # type: math + # dashboardUid: my_dashboard + # panelId: 123 + # noDataState: Alerting + # for: 60s + # annotations: + # some_key: some_value + # labels: + # team: sre_team_1 + # contactpoints.yaml: + # apiVersion: 1 + # contactPoints: + # - orgId: 1 + # name: cp_1 + # receivers: + # - uid: first_uid + # type: pagerduty + # settings: + # integrationKey: XXX + # severity: critical + # class: ping failure + # component: Grafana + # group: app-stack + # summary: | + # {{ `{{ include "default.message" . }}` }} ## Configure notifiers ## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels @@ -678,7 +692,7 @@ grafana.ini: grafana_net: url: https://grafana.net server: - domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ .Values.ingress.hosts | first }}{{ end }}" + domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ .Values.ingress.hosts | first }}{{ else }}''{{ end }}" ## grafana Authentication can be enabled with the following values on grafana.ini # server: # The full public facing url you use in browser, used for redirects and emails @@ -740,7 +754,7 @@ smtp: sidecar: image: repository: quay.io/kiwigrid/k8s-sidecar - tag: 1.19.2 + tag: 1.21.0 sha: "" imagePullPolicy: IfNotPresent resources: {} 
@@ -758,6 +772,44 @@ sidecar: livenessProbe: {} # Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO # logLevel: INFO + alerts: + enabled: false + # Additional environment variables for the alerts sidecar + env: {} + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + # label that the configmaps with alert are marked with + label: grafana_alert + # value of label that the configmaps with alert are set to + labelValue: "" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # If specified, the sidecar will search for alert config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # Endpoint to send request to reload alerts + reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload" + # Absolute path to shell script to execute after a alert got reloaded + script: null + skipReload: false + # Deploy the alert sidecar as an initContainer in addition to a container. 
+ # Sets the size limit of the alert sidecar emptyDir volume + sizeLimit: {} dashboards: enabled: false # Additional environment variables for the dashboards sidecar @@ -786,8 +838,11 @@ sidecar: # If specified, the sidecar will look for annotation with this name to create folder and put graph here. # You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure. folderAnnotation: null + # Endpoint to send request to reload alerts + reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload" # Absolute path to shell script to execute after a configmap got reloaded script: null + skipReload: false # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S # watchServerTimeout: 3600 
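Review bot: `resource: both` combined with a `searchNamespace` of `ALL` means the new alerts sidecar will list/watch Secrets in every namespace, so the ServiceAccount it runs under needs cluster-wide secret read, a much wider grant than the release-namespace, ConfigMap-only case. The value comments should say that explicitly, e.g. `# resource: both also watches Secrets; with searchNamespace: ALL this requires cluster-wide read on secrets`. The `reloadURL` targets Grafana's `/api/admin/...` provisioning endpoints, which presumably need admin credentials injected into the sidecar; how those are supplied is not visible in this hunk.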
@@ -914,8 +969,28 @@ sidecar: # Otherwise the namespace in which the sidecar is running will be used. # It's also possible to specify ALL to search in all namespaces searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH # search in configmap, secret or both resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # Endpoint to send request to reload notifiers + reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload" + # Absolute path to shell script to execute after a notifier got reloaded + script: null + skipReload: false + # Deploy the notifier sidecar as an initContainer in addition to a container. + # This is needed if skipReload is true, to load any notifiers defined at startup time. + initNotifiers: false # Sets the size limit of the notifier sidecar emptyDir volume sizeLimit: {} @@ -929,6 +1004,7 @@ revisionHistoryLimit: 10 ## Add a seperate remote image renderer deployment/service imageRenderer: + deploymentStrategy: {} # Enable the image-renderer deployment & service enabled: false replicas: 1 
@@ -951,6 +1027,12 @@ imageRenderer: serviceAccountName: "" # image-renderer deployment securityContext securityContext: {} + # image-renderer deployment container securityContext + containerSecurityContext: + capabilities: + drop: ['ALL'] + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true # image-renderer deployment Host Aliases hostAliases: [] # image-renderer deployment priority class @@ -1000,6 +1082,11 @@ imageRenderer: ## affinity: {} + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: "default-scheduler" + networkPolicy: ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. ## diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml index 6636f4f..29d6acc 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.6.0 +appVersion: 2.7.0 description: Install kube-state-metrics to generate and expose cluster-level metrics home: https://github.com/kubernetes/kube-state-metrics/ keywords: @@ -12,10 +12,10 @@ maintainers: name: tariq1890 - email: manuel@rueg.eu name: mrueg -- email: davidcalvertfr@gmail.com +- email: david@0xdc.me name: dotdc name: kube-state-metrics sources: - https://github.com/kubernetes/kube-state-metrics/ type: application -version: 4.18.0 +version: 4.24.0 diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/_helpers.tpl b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/_helpers.tpl index 976b273..0d193fb 100644 
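Review bot: The new `imageRenderer.containerSecurityContext` default drops all capabilities and sets `readOnlyRootFilesystem: true`, but omits `runAsNonRoot: true` and a `seccompProfile`, so the renderer still runs with whatever UID the image declares and the runtime's default seccomp handling. Adding `runAsNonRoot: true` and `seccompProfile: {type: RuntimeDefault}` would bring the default in line with the restricted Pod Security Standard. With a read-only root filesystem the headless browser in the renderer presumably needs a writable scratch directory such as `/tmp`; whether the deployment template mounts one is not visible here, so confirm before shipping this default.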
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/_helpers.tpl +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/_helpers.tpl @@ -80,3 +80,22 @@ Selector labels app.kubernetes.io/name: {{ include "kube-state-metrics.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} + +{{/* Sets default scrape limits for servicemonitor */}} +{{- define "servicemonitor.scrapeLimits" -}} +{{- with .sampleLimit }} +sampleLimit: {{ . }} +{{- end }} +{{- with .targetLimit }} +targetLimit: {{ . }} +{{- end }} +{{- with .labelLimit }} +labelLimit: {{ . }} +{{- end }} +{{- with .labelNameLengthLimit }} +labelNameLengthLimit: {{ . }} +{{- end }} +{{- with .labelValueLengthLimit }} +labelValueLengthLimit: {{ . }} +{{- end }} +{{- end -}} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml index cdc62f1..e529d3f 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/deployment.yaml 
@@ -74,10 +74,17 @@ spec: {{- if .Values.metricDenylist }} - --metric-denylist={{ .Values.metricDenylist | join "," }} {{- end }} + {{- $namespaces := list }} + {{- if .Values.namespaces }} + {{- range $ns := join "," .Values.namespaces | split "," }} + {{- $namespaces = append $namespaces (tpl $ns $) }} + {{- end }} + {{- end }} {{- if .Values.releaseNamespace }} - - --namespaces={{ template "kube-state-metrics.namespace" . }} - {{- else if .Values.namespaces }} - - --namespaces={{ tpl (.Values.namespaces | join ",") $ }} + {{- $namespaces = append $namespaces ( include "kube-state-metrics.namespace" . ) }} + {{- end }} + {{- if $namespaces }} + - --namespaces={{ $namespaces | mustUniq | join "," }} {{- end }} {{- if .Values.namespacesDenylist }} - --namespaces-denylist={{ tpl (.Values.namespacesDenylist | join ",") $ }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/podsecuritypolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/podsecuritypolicy.yaml index 3299056..8905e11 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/podsecuritypolicy.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/podsecuritypolicy.yaml @@ -1,4 +1,4 @@ -{{- if .Values.podSecurityPolicy.enabled }} +{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/psp-clusterrole.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/psp-clusterrole.yaml index 69047d4..654e4a3 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/psp-clusterrole.yaml 
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/psp-clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.podSecurityPolicy.enabled .Values.rbac.create -}}
+{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml
index 03c56d5..5b62a18 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.podSecurityPolicy.enabled .Values.rbac.create -}}
+{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/role.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/role.yaml
index 05d9cc2..6474914 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/role.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/role.yaml
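Review bot: The new guard in psp-clusterrole.yaml drops `.Values.rbac.create` from the condition, so the PSP ClusterRole is now rendered even when an operator has set `rbac.create: false` to keep RBAC objects out of the chart's hands; the psp-clusterrolebinding.yaml hunk below has the same regression, and there the result is a cluster-scoped binding the operator did not ask for. The Capabilities check should be added to the existing condition rather than replace it: `{{- if and .Values.podSecurityPolicy.enabled .Values.rbac.create (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}`. The trailing `-}}` was also dropped, which leaves a leading blank line in the rendered manifest; harmless, but worth restoring for consistency with role.yaml.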
@@ -1,5 +1,5 @@ {{- if and (eq .Values.rbac.create true) (not .Values.rbac.useExistingRole) -}} -{{- range (ternary (split "," .Values.namespaces) (list "") (eq $.Values.rbac.useClusterRole false)) }} +{{- range (ternary (join "," .Values.namespaces | split "," ) (list "") (eq $.Values.rbac.useClusterRole false)) }} --- apiVersion: rbac.authorization.k8s.io/v1 {{- if eq $.Values.rbac.useClusterRole false }} @@ -69,6 +69,12 @@ rules: - jobs verbs: ["list", "watch"] {{ end -}} +{{ if has "leases" $.Values.collectors }} +- apiGroups: ["coordination.k8s.io"] + resources: + - leases + verbs: ["list", "watch"] +{{ end -}} {{ if has "limitranges" $.Values.collectors }} - apiGroups: [""] resources: diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/rolebinding.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/rolebinding.yaml index 135094f..330651b 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/rolebinding.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/rolebinding.yaml @@ -1,5 +1,5 @@ {{- if and (eq .Values.rbac.create true) (eq .Values.rbac.useClusterRole false) -}} -{{- range (split "," $.Values.namespaces) }} +{{- range (join "," $.Values.namespaces) | split "," }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/service.yaml index 92c6d4f..6c486a6 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/service.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/service.yaml 
@@ -34,7 +34,15 @@ spec: {{- if .Values.service.loadBalancerIP }} loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" {{- end }} -{{- if .Values.service.clusterIP }} +{{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} +{{- if .Values.autosharding.enabled }} + clusterIP: None +{{- else if .Values.service.clusterIP }} clusterIP: "{{ .Values.service.clusterIP }}" {{- end }} selector: diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml index 4deac95..e93df4c 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/servicemonitor.yaml @@ -11,11 +11,12 @@ metadata: {{- end }} spec: jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} + {{- include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | indent 2 }} selector: matchLabels: - {{- if .Values.prometheus.monitor.selectorOverride -}} - {{ toYaml .Values.prometheus.monitor.selectorOverride | nindent 6 }} - {{ else }} + {{- with .Values.prometheus.monitor.selectorOverride }} + {{- toYaml . | nindent 6 }} + {{- else }} {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} {{- end }} endpoints: diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml new file mode 100644 index 0000000..e825e5c --- /dev/null 
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml
@@ -0,0 +1,34 @@
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.verticalPodAutoscaler.enabled) }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: {{ template "kube-state-metrics.fullname" . }}
+ namespace: {{ template "kube-state-metrics.namespace" . }}
+ labels:
+ {{- include "kube-state-metrics.labels" . | indent 4 }}
+spec:
+ resourcePolicy:
+ containerPolicies:
+ - containerName: {{ template "kube-state-metrics.name" . }}
+ {{- if .Values.verticalPodAutoscaler.controlledResources }}
+ controlledResources: {{ .Values.verticalPodAutoscaler.controlledResources }}
+ {{- end }}
+ {{- if .Values.verticalPodAutoscaler.maxAllowed }}
+ maxAllowed:
+ {{ toYaml .Values.verticalPodAutoscaler.maxAllowed | nindent 8 }}
+ {{- end }}
+ {{- if .Values.verticalPodAutoscaler.minAllowed }}
+ minAllowed:
+ {{ toYaml .Values.verticalPodAutoscaler.minAllowed | nindent 8 }}
+ {{- end }}
+ targetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "kube-state-metrics.fullname" . }}
+ {{- if .Values.verticalPodAutoscaler.updatePolicy }}
+ updatePolicy:
+ {{- if .Values.verticalPodAutoscaler.updatePolicy.updateMode }}
+ updateMode: {{ .Values.verticalPodAutoscaler.updatePolicy.updateMode }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml
index 1fe0660..d32b123 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/kube-state-metrics/values.yaml
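Review bot: `controlledResources: {{ .Values.verticalPodAutoscaler.controlledResources }}` prints the Go slice verbatim, so a values list of `[cpu, memory]` renders as `controlledResources: [cpu memory]`, which YAML reads as a single element `"cpu memory"` that the VPA API will reject. Render it as YAML instead: `controlledResources:` followed by `{{- toYaml .Values.verticalPodAutoscaler.controlledResources | nindent 8 }}`. The `maxAllowed`/`minAllowed` lines use `{{ toYaml ... | nindent 8 }}` without the leading `{{-`, which emits a whitespace-only line before each map; valid YAML, but `{{-` would match the rest of the template.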
@@ -2,7 +2,7 @@ prometheusScrape: true image: repository: registry.k8s.io/kube-state-metrics/kube-state-metrics - tag: v2.6.0 + tag: v2.7.0 sha: "" pullPolicy: IfNotPresent @@ -29,6 +29,8 @@ service: type: ClusterIP nodePort: 0 loadBalancerIP: "" + # Only allow access to the loadBalancerIP from these IPs + loadBalancerSourceRanges: [] clusterIP: "" annotations: {} @@ -79,6 +81,25 @@ prometheus: namespace: "" jobLabel: "" interval: "" + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 scrapeTimeout: "" proxyUrl: "" selectorOverride: {} @@ -184,6 +205,7 @@ collectors: - horizontalpodautoscalers - ingresses - jobs + - leases - limitranges - mutatingwebhookconfigurations - namespaces 
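Review bot: The comment on `loadBalancerSourceRanges` should state that the default `[]` imposes no restriction and that the field only takes effect for `service.type: LoadBalancer`, because kube-state-metrics exposes a cluster-wide inventory of workloads, object names and labels that should not be reachable from arbitrary sources. Something like `# Restrict a LoadBalancer service to these source CIDRs; empty means no restriction (0.0.0.0/0)` would make the trade-off visible to whoever switches the service type.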
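Review bot: The new `sampleLimit`, `targetLimit`, `labelLimit`, `labelNameLengthLimit` and `labelValueLengthLimit` values all default to `0`, and the comments describe what each limit does but not that `0` means unlimited, which is what Prometheus does with these fields. Since these limits are the chart's only guard against a misbehaving or oversized target exhausting Prometheus memory, each comment should say so, e.g. `## 0 disables the limit.` after the description line.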
@@ -211,10 +233,10 @@ kubeconfig: secret: # Enable only the release namespace for collecting resources. By default all namespaces are collected. -# If releaseNamespace and namespaces are both set only releaseNamespace will be used. +# If releaseNamespace and namespaces are both set a merged list will be collected. releaseNamespace: false -# Comma-separated list of namespaces to be enabled for collecting resources. By default all namespaces are collected. +# Comma-separated list(string) or yaml list of namespaces to be enabled for collecting resources. By default all namespaces are collected. namespaces: "" # Comma-separated list of namespaces not to be enabled. If namespaces and namespaces-denylist are both set, @@ -251,6 +273,26 @@ selfMonitor: # telemetryPort: 8081 # telemetryNodePort: 0 +# Enable vertical pod autoscaler support for kube-state-metrics +verticalPodAutoscaler: + enabled: false + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + # updatePolicy: + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + # updateMode: Auto + # volumeMounts are used to add custom volume mounts to deployment. # See example below volumeMounts: [] diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml index efa2bb6..5b50a12 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml 
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.3.1 +appVersion: 1.5.0 description: A Helm chart for prometheus node-exporter home: https://github.com/prometheus/node_exporter/ keywords: @@ -15,4 +15,4 @@ name: prometheus-node-exporter sources: - https://github.com/prometheus/node_exporter/ type: application -version: 4.2.0 +version: 4.8.0 diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl index 2103089..f5e2603 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/_helpers.tpl @@ -3,8 +3,8 @@ Expand the name of the chart. */}} {{- define "prometheus-node-exporter.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} {{/* Create a default fully qualified app name. 
@@ -12,30 +12,39 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this If release name contains chart name it will be used as a full name. */}} {{- define "prometheus-node-exporter.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} -{{/* Generate basic labels */}} -{{- define "prometheus-node-exporter.labels" }} -helm.sh/chart: {{ template "prometheus-node-exporter.chart" . }} +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus-node-exporter.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "prometheus-node-exporter.labels" -}} +helm.sh/chart: {{ include "prometheus-node-exporter.chart" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/component: metrics -app.kubernetes.io/part-of: {{ template "prometheus-node-exporter.name" . }} -{{- include "prometheus-node-exporter.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +app.kubernetes.io/part-of: {{ include "prometheus-node-exporter.name" . }} +{{ include "prometheus-node-exporter.selectorLabels" . 
}} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} {{- end }} -{{- if .Values.podLabels}} -{{ toYaml .Values.podLabels }} +{{- with .Values.podLabels }} +{{ toYaml . }} {{- end }} {{- if .Values.releaseLabel }} release: {{ .Release.Name }} @@ -45,37 +54,30 @@ release: {{ .Release.Name }} {{/* Selector labels */}} -{{- define "prometheus-node-exporter.selectorLabels" }} +{{- define "prometheus-node-exporter.selectorLabels" -}} +app.kubernetes.io/name: {{ include "prometheus-node-exporter.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/name: {{ template "prometheus-node-exporter.name" . }} {{- end }} -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "prometheus-node-exporter.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{/* Create the name of the service account to use */}} {{- define "prometheus-node-exporter.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "prometheus-node-exporter.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "prometheus-node-exporter.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} {{/* The image to use */}} {{- define "prometheus-node-exporter.image" -}} -{{- if .Values.image.sha -}} +{{- if .Values.image.sha }} {{- printf "%s:%s@%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} -{{- else -}} +{{- else }} {{- printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} {{- end }} {{- end }} 
@@ -84,24 +86,43 @@ The image to use Allow the release namespace to be overridden for multi-namespace deployments in combined charts */}} {{- define "prometheus-node-exporter.namespace" -}} - {{- if .Values.namespaceOverride -}} - {{- .Values.namespaceOverride -}} - {{- else -}} - {{- .Release.Namespace -}} - {{- end -}} -{{- end -}} +{{- if .Values.namespaceOverride }} +{{- .Values.namespaceOverride }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} {{/* Create the namespace name of the service monitor */}} {{- define "prometheus-node-exporter.monitor-namespace" -}} - {{- if .Values.namespaceOverride -}} - {{- .Values.namespaceOverride -}} - {{- else -}} - {{- if .Values.prometheus.monitor.namespace -}} - {{- .Values.prometheus.monitor.namespace -}} - {{- else -}} - {{- .Release.Namespace -}} - {{- end -}} - {{- end -}} -{{- end -}} +{{- if .Values.namespaceOverride }} +{{- .Values.namespaceOverride }} +{{- else }} +{{- if .Values.prometheus.monitor.namespace }} +{{- .Values.prometheus.monitor.namespace }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Sets default scrape limits for servicemonitor */}} +{{- define "servicemonitor.scrapeLimits" -}} +{{- with .sampleLimit }} +sampleLimit: {{ . }} +{{- end }} +{{- with .targetLimit }} +targetLimit: {{ . }} +{{- end }} +{{- with .labelLimit }} +labelLimit: {{ . }} +{{- end }} +{{- with .labelNameLengthLimit }} +labelNameLengthLimit: {{ . }} +{{- end }} +{{- with .labelValueLengthLimit }} +labelValueLengthLimit: {{ . }} +{{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/daemonset.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/daemonset.yaml index a742f24..189b2d0 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/daemonset.yaml 
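Review bot: The new helper is registered under the bare name `servicemonitor.scrapeLimits`, and Helm keeps every named template of a release — parent chart and all subcharts — in one global namespace, so a sibling chart in this kube-prometheus-stack umbrella that defines the same name would silently replace it (last loaded wins) without any rendering error. Naming it `{{- define "prometheus-node-exporter.servicemonitor.scrapeLimits" -}}` (and updating the `include` in servicemonitor.yaml to match) follows the convention every other helper in this file uses. A short comment above the define would also save the next reader a trip to the values file: `{{/* Each limit is written only when non-zero; 0 (the values.yaml default) omits the field, so Prometheus falls back to its global setting */}}` — `with` treats 0 as empty, which is not obvious for a cardinality guard.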
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/daemonset.yaml 
@@ -1,38 +1,44 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - name: {{ template "prometheus-node-exporter.fullname" . }} - namespace: {{ template "prometheus-node-exporter.namespace" . }} - labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }} + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.daemonsetAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: selector: matchLabels: - {{- include "prometheus-node-exporter.selectorLabels" . | indent 6 }} - {{- if .Values.updateStrategy }} + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} + {{- with .Values.updateStrategy }} updateStrategy: -{{ toYaml .Values.updateStrategy | indent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} template: metadata: - labels: {{ include "prometheus-node-exporter.labels" . | indent 8 }} - {{- if .Values.podAnnotations }} + {{- with .Values.podAnnotations }} annotations: - {{- toYaml .Values.podAnnotations | nindent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 8 }} spec: automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} - serviceAccountName: {{ template "prometheus-node-exporter.serviceAccountName" . }} -{{- if .Values.securityContext }} + {{- with .Values.securityContext }} securityContext: -{{ toYaml .Values.securityContext | indent 8 }} -{{- end }} -{{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} -{{- end }} - {{- if .Values.extraInitContainers }} - initContainers: - {{ toYaml .Values.extraInitContainers | nindent 6 }} + {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . 
}} + {{- end }} + {{- with .Values.extraInitContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "prometheus-node-exporter.serviceAccountName" . }} containers: - name: node-exporter image: {{ include "prometheus-node-exporter.image" . }} @@ -44,26 +50,27 @@ spec: - --path.rootfs=/host/root {{- end }} - --web.listen-address=[$(HOST_IP)]:{{ .Values.service.port }} -{{- if .Values.extraArgs }} -{{ toYaml .Values.extraArgs | indent 12 }} -{{- end }} + {{- with .Values.extraArgs }} + {{- toYaml . | nindent 12 }} + {{- end }} {{- with .Values.containerSecurityContext }} - securityContext: {{ toYaml . | nindent 12 }} + securityContext: + {{- toYaml . | nindent 12 }} {{- end }} env: - - name: HOST_IP - {{- if .Values.service.listenOnAllInterfaces }} - value: 0.0.0.0 - {{- else }} - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP + - name: HOST_IP + {{- if .Values.service.listenOnAllInterfaces }} + value: 0.0.0.0 + {{- else }} + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + {{- end }} + {{- range $key, $value := .Values.env }} + - name: {{ $key }} + value: {{ $value | quote }} {{- end }} - {{- range $key, $value := .Values.env }} - - name: {{ $key }} - value: {{ $value | quote }} - {{- end }} ports: - name: {{ .Values.service.portName }} containerPort: {{ .Values.service.port }} @@ -98,8 +105,10 @@ spec: periodSeconds: {{ .Values.readinessProbe.periodSeconds }} successThreshold: {{ .Values.readinessProbe.successThreshold }} timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + {{- with .Values.resources }} resources: -{{ toYaml .Values.resources | indent 12 }} + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: proc mountPath: /host/proc 
@@ -115,37 +124,29 @@ spec: {{- end }} readOnly: true {{- end }} - {{- if .Values.extraHostVolumeMounts }} {{- range $_, $mount := .Values.extraHostVolumeMounts }} - name: {{ $mount.name }} mountPath: {{ $mount.mountPath }} readOnly: {{ $mount.readOnly }} - {{- if $mount.mountPropagation }} - mountPropagation: {{ $mount.mountPropagation }} + {{- with $mount.mountPropagation }} + mountPropagation: {{ . }} + {{- end }} {{- end }} - {{- end }} - {{- end }} - {{- if .Values.sidecarVolumeMount }} {{- range $_, $mount := .Values.sidecarVolumeMount }} - name: {{ $mount.name }} mountPath: {{ $mount.mountPath }} readOnly: true {{- end }} - {{- end }} - {{- if .Values.configmaps }} {{- range $_, $mount := .Values.configmaps }} - name: {{ $mount.name }} mountPath: {{ $mount.mountPath }} {{- end }} - {{- if .Values.secrets }} {{- range $_, $mount := .Values.secrets }} - name: {{ .name }} mountPath: {{ .mountPath }} {{- end }} - {{- end }} - {{- end }} -{{- if .Values.sidecars }} -{{ toYaml .Values.sidecars | indent 8 }} + {{- with .Values.sidecars }} + {{- toYaml . | nindent 8 }} {{- if or .Values.sidecarVolumeMount .Values.sidecarHostVolumeMounts }} volumeMounts: {{- range $_, $mount := .Values.sidecarVolumeMount }} 
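Review bot: Wrapping the sidecars block in `{{- with .Values.sidecars }}` rebinds `.` to the sidecars list, but the unchanged context lines right under it — `{{- if or .Values.sidecarVolumeMount .Values.sidecarHostVolumeMounts }}` and `{{- range $_, $mount := .Values.sidecarVolumeMount }}` — still look up `.Values` on that dot, so any release that actually sets `sidecars` should now fail to render (Go templates cannot evaluate a field on a list); the original `if` never changed the context. Inside the `with` reference the root instead: `{{- if or $.Values.sidecarVolumeMount $.Values.sidecarHostVolumeMounts }}` and `{{- range $_, $mount := $.Values.sidecarVolumeMount }}`; the `with` block closes in the next hunk, so the remaining sidecar lines there need the same `$.Values` treatment. Separately, `readOnly: {{ $mount.readOnly }}` for extraHostVolumeMounts renders a null, i.e. read-write, hostPath mount whenever an entry omits the key; if a read-only default is acceptable for this chart, `readOnly: {{ hasKey $mount "readOnly" | ternary $mount.readOnly true }}` keeps an explicit `false` working while defaulting to read-only, otherwise at least document the current default in values.yaml.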
@@ -162,29 +163,29 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} -{{- if .Values.imagePullSecrets }} + {{- end }} + {{- with .Values.imagePullSecrets }} imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{ toYaml . | nindent 8 }} {{- end }} hostNetwork: {{ .Values.hostNetwork }} hostPID: {{ .Values.hostPID }} -{{- if .Values.affinity }} + {{- with .Values.affinity }} affinity: -{{ toYaml .Values.affinity | indent 8 }} -{{- end }} -{{- with .Values.dnsConfig }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dnsConfig }} dnsConfig: -{{ toYaml . | indent 8 }} -{{- end }} -{{- if .Values.nodeSelector }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} - {{- with .Values.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} tolerations: -{{ toYaml . | indent 8 }} - {{- end }} + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: proc hostPath: @@ -197,38 +198,28 @@ spec: hostPath: path: / {{- end }} - {{- if .Values.extraHostVolumeMounts }} {{- range $_, $mount := .Values.extraHostVolumeMounts }} - name: {{ $mount.name }} hostPath: path: {{ $mount.hostPath }} {{- end }} - {{- end }} - {{- if .Values.sidecarVolumeMount }} {{- range $_, $mount := .Values.sidecarVolumeMount }} - name: {{ $mount.name }} emptyDir: medium: Memory {{- end }} - {{- end }} - {{- if .Values.sidecarHostVolumeMounts }} {{- range $_, $mount := .Values.sidecarHostVolumeMounts }} - name: {{ $mount.name }} hostPath: path: {{ $mount.hostPath }} {{- end }} - {{- end }} - {{- if .Values.configmaps }} {{- range $_, $mount := .Values.configmaps }} - name: {{ $mount.name }} configMap: name: {{ $mount.name }} {{- end }} - {{- end }} - {{- if .Values.secrets }} {{- range $_, $mount := .Values.secrets }} - name: {{ $mount.name }} secret: secretName: {{ $mount.name }} {{- end }} - {{- end }} 
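Review bot: The hostPath volumes generated from `extraHostVolumeMounts` and `sidecarHostVolumeMounts` carry only `path:`; with no `type` set, Kubernetes performs no existence or file-type check before bind-mounting, so a typo or a file-vs-directory mismatch in a chart-wide mount list is silently mounted on every node. Exposing the field under each `hostPath:` as `{{- with $mount.type }}` / `type: {{ . }}` / `{{- end }}` lets users pin `Directory` or `File` for paths that must already exist. This is pre-existing behaviour that the hunk only re-indents, so it is a follow-up rather than a blocker.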
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/endpoints.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/endpoints.yaml index ef3e270..45eeb8d 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/endpoints.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/endpoints.yaml @@ -2,9 +2,10 @@ apiVersion: v1 kind: Endpoints metadata: - name: {{ template "prometheus-node-exporter.fullname" . }} - namespace: {{ template "prometheus-node-exporter.namespace" . }} - labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }} + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} subsets: - addresses: {{- range .Values.endpoints }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml index cb43336..8957317 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml 
@@ -1,15 +1,14 @@ -{{- if .Values.rbac.create }} -{{- if .Values.rbac.pspEnabled }} +{{- if and .Values.rbac.create .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: psp-{{ template "prometheus-node-exporter.fullname" . }} - labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }} + name: psp-{{ include "prometheus-node-exporter.fullname" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} rules: - apiGroups: ['extensions'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: - - {{ template "prometheus-node-exporter.fullname" . }} -{{- end }} + - {{ include "prometheus-node-exporter.fullname" . }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp-clusterrolebinding.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp-clusterrolebinding.yaml index d36d93e..3333701 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp-clusterrolebinding.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp-clusterrolebinding.yaml 
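Review bot: The ClusterRole grants `use` on `podsecuritypolicies` in the `extensions` API group, while the PodSecurityPolicy this chart creates — and the new `.Capabilities` gate — are `policy/v1beta1`; on releases where the `extensions` alias for PSP is gone, the admission plugin evaluates the `use` verb against the `policy` group, so this binding may grant nothing and the DaemonSet's pods would be rejected at admission. Aligning the rule with the object being gated on, `- apiGroups: ['policy']` (or listing both groups during a transition), avoids that. Please verify against the oldest Kubernetes version this chart still targets before dropping `extensions`.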
@@ -1,17 +1,16 @@ -{{- if .Values.rbac.create }} -{{- if .Values.rbac.pspEnabled }} +{{- if and .Values.rbac.create .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: psp-{{ template "prometheus-node-exporter.fullname" . }} - labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }} + name: psp-{{ include "prometheus-node-exporter.fullname" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: psp-{{ template "prometheus-node-exporter.fullname" . }} + name: psp-{{ include "prometheus-node-exporter.fullname" . }} subjects: - kind: ServiceAccount - name: {{ template "prometheus-node-exporter.fullname" . }} - namespace: {{ template "prometheus-node-exporter.namespace" . }} -{{- end }} + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp.yaml index ea8bcba..4896c84 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/psp.yaml 
@@ -1,15 +1,15 @@ -{{- if .Values.rbac.create }} -{{- if .Values.rbac.pspEnabled }} +{{- if and .Values.rbac.create .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "prometheus-node-exporter.fullname" . }} - namespace: {{ template "prometheus-node-exporter.namespace" . }} - labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }} -{{- if .Values.rbac.pspAnnotations }} + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.rbac.pspAnnotations }} annotations: -{{ toYaml .Values.rbac.pspAnnotations | indent 4 }} -{{- end}} + {{- toYaml . | nindent 4 }} + {{- end }} spec: privileged: false # Allow core volume types. @@ -47,4 +47,3 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} -{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/service.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/service.yaml index fbed05c..c0129db 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/service.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/service.yaml 
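Review bot: Gating the PSP on `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` turns `rbac.pspEnabled: true` into a silent no-op in two cases: on Kubernetes 1.25+, where PSP no longer exists, and under `helm template` or other offline rendering, where a `group/version/Kind` capability is only known if the caller passes `--api-versions`; either way the PSP, its ClusterRole and its binding just disappear from the output with no warning. A values.yaml comment next to `pspEnabled` such as `# Only rendered when the cluster serves policy/v1beta1/PodSecurityPolicy; on 1.25+ (or helm template without --api-versions) nothing is emitted — use Pod Security Admission instead` makes the behaviour visible, or the template could `{{- fail "rbac.pspEnabled is set but the cluster has no PodSecurityPolicy API" }}` when the flag is set and the API is absent. The same three-term condition is repeated in psp-clusterrole.yaml and psp-clusterrolebinding.yaml; a small helper would keep the three in sync.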
@@ -1,22 +1,23 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "prometheus-node-exporter.fullname" . }} - namespace: {{ template "prometheus-node-exporter.namespace" . }} - labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }} -{{- if .Values.service.annotations }} + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" $ | nindent 4 }} + {{- with .Values.service.annotations }} annotations: -{{ toYaml .Values.service.annotations | indent 4 }} -{{- end }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - {{- if ( and (eq .Values.service.type "NodePort" ) (not (empty .Values.service.nodePort)) ) }} + {{- if ( and (eq .Values.service.type "NodePort" ) (not (empty .Values.service.nodePort)) ) }} nodePort: {{ .Values.service.nodePort }} - {{- end }} + {{- end }} targetPort: {{ .Values.service.targetPort }} protocol: TCP name: {{ .Values.service.portName }} selector: - {{- include "prometheus-node-exporter.selectorLabels" . | indent 4 }} + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 4 }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/serviceaccount.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/serviceaccount.yaml index dc3fee6..b82630c 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/serviceaccount.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/serviceaccount.yaml 
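Review bot: `include "prometheus-node-exporter.labels" $` passes the root context via `$` while the `selectorLabels` include a few lines below and every other template in this change pass `.`; at this position both are the same object, but the `$` form reads as if the line sat inside a `range` or `with`. `{{- include "prometheus-node-exporter.labels" . | nindent 4 }}` keeps the file consistent with its siblings.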
@@ -1,14 +1,17 @@ -{{- if .Values.rbac.create -}} -{{- if .Values.serviceAccount.create -}} +{{- if and .Values.rbac.create .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "prometheus-node-exporter.serviceAccountName" . }} - namespace: {{ template "prometheus-node-exporter.namespace" . }} - labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }} + name: {{ include "prometheus-node-exporter.serviceAccountName" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} annotations: -{{ toYaml .Values.serviceAccount.annotations | indent 4 }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- with .Values.serviceAccount.imagePullSecrets }} imagePullSecrets: -{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }} -{{- end -}} + {{- toYaml . | nindent 2 }} +{{- end }} {{- end -}} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml index 6cf5aa4..073ce57 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/servicemonitor.yaml 
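Review bot: The ServiceAccount is still only rendered when both `rbac.create` and `serviceAccount.create` are true, yet `prometheus-node-exporter.serviceAccountName` in _helpers.tpl returns the chart fullname whenever `serviceAccount.create` is true regardless of `rbac.create`, so `rbac.create=false` with the default `serviceAccount.create=true` points the DaemonSet at a ServiceAccount that nothing creates and its pods fail to start. Either drop the RBAC flag from this guard — `{{- if .Values.serviceAccount.create -}}` — or make the helper honour the same pair of flags, and state the dependency in values.yaml. Folding the two nested `if`s into one `and` preserves the coupling rather than resolving it.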
@@ -1,51 +1,53 @@ {{- if .Values.prometheus.monitor.enabled }} -apiVersion: monitoring.coreos.com/v1 +apiVersion: {{ .Values.prometheus.monitor.apiVersion | default "monitoring.coreos.com/v1" }} kind: ServiceMonitor metadata: - name: {{ template "prometheus-node-exporter.fullname" . }} - namespace: {{ template "prometheus-node-exporter.monitor-namespace" . }} - labels: {{ include "prometheus-node-exporter.labels" . | indent 4 }} - {{- if .Values.prometheus.monitor.additionalLabels }} - {{- toYaml .Values.prometheus.monitor.additionalLabels | nindent 4 }} - {{- end }} + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.monitor-namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.prometheus.monitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} + {{- include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | nindent 2 }} selector: matchLabels: - {{- if .Values.prometheus.monitor.selectorOverride }} - {{ toYaml .Values.prometheus.monitor.selectorOverride | indent 6 }} - {{ else }} - {{ include "prometheus-node-exporter.selectorLabels" . | indent 6 }} + {{- with .Values.prometheus.monitor.selectorOverride }} + {{- toYaml . | nindent 6 }} + {{- else }} + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} {{- end }} endpoints: - port: {{ .Values.service.portName }} scheme: {{ .Values.prometheus.monitor.scheme }} - {{- with .Values.prometheus.monitor.basicAuth }} + {{- with .Values.prometheus.monitor.basicAuth }} basicAuth: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.prometheus.monitor.bearerTokenFile }} + {{- end }} + {{- with .Values.prometheus.monitor.bearerTokenFile }} bearerTokenFile: {{ . 
}} - {{- end }} - {{- with .Values.prometheus.monitor.tlsConfig }} + {{- end }} + {{- with .Values.prometheus.monitor.tlsConfig }} tlsConfig: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.prometheus.monitor.proxyUrl }} + {{- end }} + {{- with .Values.prometheus.monitor.proxyUrl }} proxyUrl: {{ . }} - {{- end }} - {{- with .Values.prometheus.monitor.interval }} + {{- end }} + {{- with .Values.prometheus.monitor.interval }} interval: {{ . }} - {{- end }} - {{- with .Values.prometheus.monitor.scrapeTimeout }} + {{- end }} + {{- with .Values.prometheus.monitor.scrapeTimeout }} scrapeTimeout: {{ . }} - {{- end }} - {{- with .Values.prometheus.monitor.relabelings }} + {{- end }} + {{- with .Values.prometheus.monitor.relabelings }} relabelings: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.prometheus.monitor.metricRelabelings }} + {{- end }} + {{- with .Values.prometheus.monitor.metricRelabelings }} metricRelabelings: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml new file mode 100644 index 0000000..ae8295d --- /dev/null +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml 
@@ -0,0 +1,34 @@
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.verticalPodAutoscaler.enabled) }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: {{ include "prometheus-node-exporter.fullname" . }}
+ namespace: {{ include "prometheus-node-exporter.namespace" . }}
+ labels:
+ {{- include "prometheus-node-exporter.labels" . | nindent 4 }}
+spec:
+ resourcePolicy:
+ containerPolicies:
+ - containerName: {{ include "prometheus-node-exporter.name" . }}
+ {{- with .Values.verticalPodAutoscaler.controlledResources }}
+ controlledResources: {{ . }}
+ {{- end }}
+ {{- with .Values.verticalPodAutoscaler.maxAllowed }}
+ maxAllowed:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.verticalPodAutoscaler.minAllowed }}
+ minAllowed:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ targetRef:
+ apiVersion: apps/v1
+ kind: DaemonSet
+ name: {{ include "prometheus-node-exporter.fullname" . }}
+ {{- if .Values.verticalPodAutoscaler.updatePolicy }}
+ updatePolicy:
+ {{- with .Values.verticalPodAutoscaler.updatePolicy.updateMode }}
+ updateMode: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml
index ac22d28..f491bdf 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/charts/prometheus-node-exporter/values.yaml
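Review bot: The VPA's `containerPolicies` entry targets `containerName: {{ include "prometheus-node-exporter.name" . }}`, which renders the chart name (`prometheus-node-exporter` unless nameOverride is set), but the container in daemonset.yaml is literally `- name: node-exporter`, so `maxAllowed`, `minAllowed` and `controlledResources` never apply to the real container and the autoscaler falls back to its unbounded defaults for it. Use the actual container name: `- containerName: node-exporter`. In addition, `controlledResources: {{ . }}` prints the Go slice in its default form (`[cpu memory]`), which YAML reads as a single string element; `controlledResources: {{ toJson . }}` yields a proper `["cpu","memory"]` flow sequence.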
@@ -51,6 +51,28 @@ prometheus: metricRelabelings: [] interval: "" scrapeTimeout: 10s + ## prometheus.monitor.apiVersion ApiVersion for the serviceMonitor Resource(defaults to "monitoring.coreos.com/v1") + apiVersion: "" + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 ## Customize the updateStrategy if set updateStrategy: @@ -140,6 +162,9 @@ podAnnotations: # Extra labels to be added to node exporter pods podLabels: {} +# Annotations to be added to node exporter daemonset +daemonsetAnnotations: {} + ## set to true to add the release label so scraping of the servicemonitor with kube-prometheus-stack works out of the box releaseLabel: false 
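Review bot: The new scrape-limit defaults (`sampleLimit: 0`, `targetLimit: 0`, `labelLimit: 0`, …) are emitted through `with` in the `servicemonitor.scrapeLimits` helper, so 0 means the field is omitted from the ServiceMonitor entirely and Prometheus applies its own global setting, whose default is likewise 0, i.e. no limit; the comments as written leave a reader free to take `sampleLimit: 0` for an explicit hard limit. Adding `## 0 (default) omits the field from the ServiceMonitor, i.e. no per-scrape limit beyond Prometheus' global setting.` to each entry removes the ambiguity. Since node-exporter runs on every node, a non-zero `sampleLimit` is the one cheap guard against a single misbehaving node flooding the TSDB, and is worth recommending in the comment even if the default stays 0.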
@@ -244,3 +269,23 @@ readinessProbe: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + +# Enable vertical pod autoscaler support for prometheus-node-exporter +verticalPodAutoscaler: + enabled: false + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + # updatePolicy: + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + # updateMode: Auto diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-alertmanagerconfigs.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-alertmanagerconfigs.yaml index 7863a2b..858e8dc 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-alertmanagerconfigs.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-alertmanagerconfigs.yaml @@ -1,4 +1,4 @@ -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -46,7 +46,7 @@ spec: properties: inhibitRules: description: List of inhibition rules. The rules will only apply to - alerts matching the resource’s namespace. + alerts matching the resource's namespace. items: description: InhibitRule defines an inhibition rule that allows to mute alerts when other alerts are already firing. See https://prometheus.io/docs/alerting/latest/configuration/#inhibit_rule @@ -60,7 +60,7 @@ spec: sourceMatch: description: Matchers for which one or more alerts have to exist for the inhibition to take effect. The operator enforces that - the alert matches the resource’s namespace. + the alert matches the resource's namespace. items: description: Matcher defines how to match on alert's labels. properties: @@ -93,7 +93,7 @@ spec: targetMatch: description: Matchers that have to be fulfilled in the alerts to be muted. The operator enforces that the alert matches - the resource’s namespace. + the resource's namespace. items: description: Matcher defines how to match on alert's labels. properties: @@ -313,8 +313,8 @@ spec: description: TLS configuration properties: ca: - description: Struct containing the CA cert to use - for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to use @@ -361,8 +361,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert file - for the targets. + description: Client certificate to present when doing + client-authentication. properties: configMap: description: ConfigMap containing data to use @@ -724,8 +724,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to - use for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to 
@@ -773,8 +773,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert - file for the targets. + description: Client certificate to present when + doing client-authentication. properties: configMap: description: ConfigMap containing data to @@ -1170,8 +1170,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to - use for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to @@ -1219,8 +1219,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert - file for the targets. + description: Client certificate to present when + doing client-authentication. properties: configMap: description: ConfigMap containing data to @@ -1626,8 +1626,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to - use for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to @@ -1675,8 +1675,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert - file for the targets. + description: Client certificate to present when + doing client-authentication. properties: configMap: description: ConfigMap containing data to @@ -1779,7 +1779,7 @@ spec: type: string token: description: The secret's key that contains the registered - application’s API token, see https://pushover.net/apps. + application's API token, see https://pushover.net/apps. The secret needs to be in the same namespace as the AlertmanagerConfig object and accessible by the Prometheus Operator. 
@@ -1809,7 +1809,7 @@ spec: type: string userKey: description: The secret's key that contains the recipient - user’s user key. The secret needs to be in the same + user's user key. The secret needs to be in the same namespace as the AlertmanagerConfig object and accessible by the Prometheus Operator. properties: @@ -2160,8 +2160,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to - use for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to @@ -2209,8 +2209,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert - file for the targets. + description: Client certificate to present when + doing client-authentication. properties: configMap: description: ConfigMap containing data to @@ -2552,8 +2552,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to - use for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to @@ -2601,8 +2601,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert - file for the targets. + description: Client certificate to present when + doing client-authentication. properties: configMap: description: ConfigMap containing data to @@ -3026,8 +3026,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to - use for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to 
@@ -3075,8 +3075,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert - file for the targets. + description: Client certificate to present when + doing client-authentication. properties: configMap: description: ConfigMap containing data to @@ -3437,8 +3437,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to - use for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to @@ -3486,8 +3486,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert - file for the targets. + description: Client certificate to present when + doing client-authentication. properties: configMap: description: ConfigMap containing data to @@ -3808,8 +3808,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to - use for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to @@ -3857,8 +3857,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert - file for the targets. + description: Client certificate to present when + doing client-authentication. properties: configMap: description: ConfigMap containing data to @@ -4229,8 +4229,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to - use for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to 
@@ -4278,8 +4278,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert - file for the targets. + description: Client certificate to present when + doing client-authentication. properties: configMap: description: ConfigMap containing data to @@ -4380,7 +4380,7 @@ spec: type: array route: description: The Alertmanager route definition for alerts matching - the resource’s namespace. If present, it will be added to the generated + the resource's namespace. If present, it will be added to the generated Alertmanager configuration as a first-level route. properties: continue: @@ -4406,7 +4406,7 @@ spec: Example: "30s"' type: string matchers: - description: 'List of matchers that the alert’s labels should + description: 'List of matchers that the alert''s labels should match. For the first level route, the operator removes any existing equality and regexp matcher on the `namespace` label and adds a `namespace: ` matcher.' diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-alertmanagers.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-alertmanagers.yaml index 236f26b..b2bc5bc 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-alertmanagers.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-alertmanagers.yaml @@ -1,4 +1,4 @@ -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -25,13 +25,18 @@ spec: jsonPath: .spec.version name: Version type: string - - description: The desired replicas number of Alertmanagers + - description: The number of desired replicas jsonPath: .spec.replicas name: Replicas type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date + - description: Whether the resource reconciliation is paused or not + jsonPath: .status.paused + name: Paused + priority: 1 + type: boolean name: v1 schema: openAPIV3Schema: @@ -887,6 +892,22 @@ spec: type: array type: object type: object + alertmanagerConfigMatcherStrategy: + description: The AlertmanagerConfigMatcherStrategy defines how AlertmanagerConfig + objects match the alerts. In the future more options may be added. + properties: + type: + default: OnNamespace + description: If set to `OnNamespace`, the operator injects a label + matcher matching the namespace of the AlertmanagerConfig object + for all its routes and inhibition rules. `None` will not add + any additional matchers other than the ones specified in the + AlertmanagerConfig. Default is `OnNamespace`. + enum: + - OnNamespace + - None + type: string + type: object alertmanagerConfigNamespaceSelector: description: Namespaces to be selected for AlertmanagerConfig discovery. If nil, only check own namespace. @@ -1200,8 +1221,8 @@ spec: description: TLS configuration for the client. properties: ca: - description: Struct containing the CA cert to use - for the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to use @@ -1248,8 +1269,8 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert file - for the targets. + description: Client certificate to present when doing + client-authentication. properties: configMap: description: ConfigMap containing data to use 
@@ -1342,6 +1363,51 @@ spec: and inhibition rules. minLength: 1 type: string + templates: + description: Custom notification templates. + items: + description: SecretOrConfigMap allows to specify data as a Secret + or ConfigMap. Fields are mutually exclusive. + properties: + configMap: + description: ConfigMap containing data to use for the targets. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + secret: + description: Secret containing data to use for the targets. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: array type: object baseImage: description: 'Base image that is used to deploy pods, without tag. 
@@ -1367,20 +1433,24 @@ spec: configMaps: description: ConfigMaps is a list of ConfigMaps in the same namespace as the Alertmanager object, which shall be mounted into the Alertmanager - Pods. The ConfigMaps are mounted into /etc/alertmanager/configmaps/. + Pods. Each ConfigMap is added to the StatefulSet definition as a + volume named `configmap-`. The ConfigMaps are mounted + into `/etc/alertmanager/configmaps/` in the 'alertmanager' + container. items: type: string type: array configSecret: description: "ConfigSecret is the name of a Kubernetes Secret in the same namespace as the Alertmanager object, which contains the configuration - for this Alertmanager instance. If empty, it defaults to 'alertmanager-'. + for this Alertmanager instance. If empty, it defaults to `alertmanager-`. \n The Alertmanager configuration should be available under the `alertmanager.yaml` key. Additional keys from the original secret - are copied to the generated secret. \n If either the secret or the - `alertmanager.yaml` key is missing, the operator provisions an Alertmanager - configuration with one empty receiver (effectively dropping alert - notifications)." + are copied to the generated secret and mounted into the `/etc/alertmanager/config` + directory in the `alertmanager` container. \n If either the secret + or the `alertmanager.yaml` key is missing, the operator provisions + a minimal Alertmanager configuration with one empty receiver (effectively + dropping alert notifications)." type: string containers: description: 'Containers allows injecting additional containers. This 
@@ -4019,7 +4089,9 @@ spec: secrets: description: Secrets is a list of Secrets in the same namespace as the Alertmanager object, which shall be mounted into the Alertmanager - Pods. The Secrets are mounted into /etc/alertmanager/secrets/. + Pods. Each Secret is added to the StatefulSet definition as a volume + named `secret-`. The Secrets are mounted into `/etc/alertmanager/secrets/` + in the 'alertmanager' container. items: type: string type: array diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-podmonitors.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-podmonitors.yaml index f6e208c..d39a552 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-podmonitors.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-podmonitors.yaml @@ -1,4 +1,4 @@ -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -42,8 +42,8 @@ spec: by Prometheus. properties: attachMetadata: - description: 'Attaches node metadata to discovered targets. Only valid - for role: pod. Only valid in Prometheus versions 2.35.0 and newer.' + description: Attaches node metadata to discovered targets. Requires + Prometheus v2.35.0 and above. properties: node: description: When set to true, Prometheus must have permissions 
@@ -187,6 +187,10 @@ spec: enableHttp2: description: Whether to enable HTTP2. type: boolean + filterRunning: + description: 'Drop pods that are not running. (Failed, Succeeded). + Enabled by default. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase' + type: boolean followRedirects: description: FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. @@ -473,8 +477,8 @@ spec: description: TLS configuration to use when scraping the endpoint. properties: ca: - description: Struct containing the CA cert to use for the - targets. + description: Certificate authority used when verifying server + certificates. properties: configMap: description: ConfigMap containing data to use for the @@ -518,8 +522,7 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert file for - the targets. + description: Client certificate to present when doing client-authentication. properties: configMap: description: ConfigMap containing data to use for the diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-probes.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-probes.yaml index 014ef27..d82abd8 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-probes.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-probes.yaml @@ -1,4 +1,4 @@ -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -589,7 +589,8 @@ spec: description: TLS configuration to use when scraping the endpoint. properties: ca: - description: Struct containing the CA cert to use for the targets. + description: Certificate authority used when verifying server + certificates. properties: configMap: description: ConfigMap containing data to use for the targets. @@ -630,7 +631,7 @@ spec: x-kubernetes-map-type: atomic type: object cert: - description: Struct containing the client cert file for the targets. + description: Client certificate to present when doing client-authentication. properties: configMap: description: ConfigMap containing data to use for the targets. diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-prometheuses.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-prometheuses.yaml index e379835..7da4e7b 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-prometheuses.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-prometheuses.yaml @@ -1,4 +1,4 @@ -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -26,13 +26,28 @@ spec: jsonPath: .spec.version name: Version type: string - - description: The desired replicas number of Prometheuses + - description: The number of desired replicas jsonPath: .spec.replicas - name: Replicas + name: Desired type: integer + - description: The number of ready replicas + jsonPath: .status.availableReplicas + name: Ready + type: integer + - jsonPath: .status.conditions[?(@.type == 'Reconciled')].status + name: Reconciled + type: string + - jsonPath: .status.conditions[?(@.type == 'Available')].status + name: Available + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date + - description: Whether the resource reconciliation is paused or not + jsonPath: .status.paused + name: Paused + priority: 1 + type: boolean name: v1 schema: openAPIV3Schema: @@ -115,8 +130,8 @@ spec: the Prometheus container. It is intended for e.g. activating hidden flags which are not supported by the dedicated configuration options yet. The arguments are passed as-is to the Prometheus container - which may cause issues if they are invalid or not supporeted by - the given Prometheus version. In case of an argument conflict (e.g. + which may cause issues if they are invalid or not supported by the + given Prometheus version. In case of an argument conflict (e.g. an argument which is already set by the operator itself) or when providing an invalid argument the reconciliation will fail and an error will be logged. @@ -1040,6 +1055,9 @@ spec: description: BearerTokenFile to read from filesystem to use when authenticating to Alertmanager. type: string + enableHttp2: + description: Whether to enable HTTP2. + type: boolean name: description: Name of Endpoints object in Namespace. type: string 
@@ -1068,8 +1086,8 @@ spec: description: TLS Config to use for alertmanager connection. properties: ca: - description: Struct containing the CA cert to use for - the targets. + description: Certificate authority used when verifying + server certificates. properties: configMap: description: ConfigMap containing data to use for @@ -1120,8 +1138,8 @@ spec: to use for the targets. type: string cert: - description: Struct containing the client cert file - for the targets. + description: Client certificate to present when doing + client-authentication. properties: configMap: description: ConfigMap containing data to use for @@ -1314,8 +1332,8 @@ spec: description: TLS Config to use for accessing apiserver. properties: ca: - description: Struct containing the CA cert to use for the - targets. + description: Certificate authority used when verifying server + certificates. properties: configMap: description: ConfigMap containing data to use for the @@ -1363,8 +1381,7 @@ spec: to use for the targets. type: string cert: - description: Struct containing the client cert file for the - targets. + description: Client certificate to present when doing client-authentication. properties: configMap: description: ConfigMap containing data to use for the @@ -1460,7 +1477,10 @@ spec: configMaps: description: ConfigMaps is a list of ConfigMaps in the same namespace as the Prometheus object, which shall be mounted into the Prometheus - Pods. The ConfigMaps are mounted into /etc/prometheus/configmaps/. + Pods. Each ConfigMap is added to the StatefulSet definition as a + volume named `configmap-`. The ConfigMaps are mounted + into /etc/prometheus/configmaps/ in the 'prometheus' + container. items: type: string type: array 
@@ -2872,6 +2892,12 @@ spec: x-kubernetes-list-map-keys: - ip x-kubernetes-list-type: map + hostNetwork: + description: Use the host's network namespace if true. Make sure to + understand the security implications if you want to enable it. When + hostNetwork is enabled, this will set dnsPolicy to ClusterFirstWithHostNet + automatically. + type: boolean ignoreNamespaceSelectors: description: IgnoreNamespaceSelectors if set to true will ignore NamespaceSelector settings from all PodMonitor, ServiceMonitor and Probe objects. @@ -4551,6 +4577,11 @@ spec: bearerTokenFile: description: File to read bearer token for remote read. type: string + filterExternalLabels: + description: Whether to use the external labels as selectors + for the remote read endpoint. Requires Prometheus v2.34.0 + and above. + type: boolean headers: additionalProperties: type: string @@ -4673,8 +4704,8 @@ spec: description: TLS Config to use for remote read. properties: ca: - description: Struct containing the CA cert to use for the - targets. + description: Certificate authority used when verifying server + certificates. properties: configMap: description: ConfigMap containing data to use for the @@ -4722,8 +4753,7 @@ spec: to use for the targets. type: string cert: - description: Struct containing the client cert file for - the targets. + description: Client certificate to present when doing client-authentication. properties: configMap: description: ConfigMap containing data to use for the @@ -5124,8 +5154,8 @@ spec: description: TLS Config to use for remote write. properties: ca: - description: Struct containing the CA cert to use for the - targets. + description: Certificate authority used when verifying server + certificates. properties: configMap: description: ConfigMap containing data to use for the 
@@ -5173,8 +5203,7 @@ spec: to use for the targets. type: string cert: - description: Struct containing the client cert file for - the targets. + description: Client certificate to present when doing client-authentication. properties: configMap: description: ConfigMap containing data to use for the @@ -5515,7 +5544,9 @@ spec: secrets: description: Secrets is a list of Secrets in the same namespace as the Prometheus object, which shall be mounted into the Prometheus - Pods. The Secrets are mounted into /etc/prometheus/secrets/. + Pods. Each Secret is added to the StatefulSet definition as a volume + named `secret-`. The Secrets are mounted into /etc/prometheus/secrets/ + in the 'prometheus' container. items: type: string type: array @@ -6376,7 +6407,7 @@ spec: description: AdditionalArgs allows setting additional arguments for the Thanos container. The arguments are passed as-is to the Thanos container which may cause issues if they are invalid - or not supporeted the given Thanos version. In case of an argument + or not supported the given Thanos version. In case of an argument conflict (e.g. an argument which is already set by the operator itself) or when providing an invalid argument the reconciliation will fail and an error will be logged. 
@@ -6399,15 +6430,20 @@ spec: description: 'Thanos base image if other than default. Deprecated: use ''image'' instead' type: string + grpcListenLocal: + description: If true, the Thanos sidecar listens on the loopback + interface for the gRPC endpoints. It has no effect if `listenLocal` + is true. + type: boolean grpcServerTlsConfig: - description: 'GRPCServerTLSConfig configures the gRPC server from - which Thanos Querier reads recorded rule data. Note: Currently + description: 'GRPCServerTLSConfig configures the TLS parameters + for the gRPC server providing the StoreAPI. Note: Currently only the CAFile, CertFile, and KeyFile fields are supported. Maps to the ''--grpc-server-tls-*'' CLI args.' properties: ca: - description: Struct containing the CA cert to use for the - targets. + description: Certificate authority used when verifying server + certificates. properties: configMap: description: ConfigMap containing data to use for the @@ -6455,8 +6491,7 @@ spec: to use for the targets. type: string cert: - description: Struct containing the client cert file for the - targets. + description: Client certificate to present when doing client-authentication. properties: configMap: description: ConfigMap containing data to use for the @@ -6534,6 +6569,11 @@ spec: description: Used to verify the hostname for the targets. type: string type: object + httpListenLocal: + description: If true, the Thanos sidecar listens on the loopback + interface for the HTTP endpoints. It has no effect if `listenLocal` + is true. + type: boolean image: description: Image if specified has precedence over baseImage, tag and sha combinations. Specifying the version is still necessary 
@@ -6541,8 +6581,10 @@ spec: is being configured. type: string listenLocal: - description: ListenLocal makes the Thanos sidecar listen on loopback, - so that it does not bind against the Pod IP. + description: 'If true, the Thanos sidecar listens on the loopback + interface for the HTTP and gRPC endpoints. It takes precedence + over `grpcListenLocal` and `httpListenLocal`. Deprecated: use + `grpcListenLocal` and `httpListenLocal` instead.' type: boolean logFormat: description: LogFormat for Thanos sidecar to be configured with. @@ -6919,6 +6961,20 @@ spec: - whenUnsatisfiable type: object type: array + tsdb: + description: Defines the runtime reloadable configuration of the timeseries + database (TSDB). + properties: + outOfOrderTimeWindow: + description: Configures how old an out-of-order/out-of-bounds + sample can be w.r.t. the TSDB max time. An out-of-order/out-of-bounds + sample is ingested into the TSDB as long as the timestamp of + the sample is >= (TSDB.MaxTime - outOfOrderTimeWindow). Out + of order ingestion is an experimental feature and requires Prometheus + >= v2.39.0. + pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ + type: string + type: object version: description: Version of Prometheus to be deployed. type: string @@ -8711,6 +8767,14 @@ spec: description: Human-readable message indicating details for the condition's last transition. type: string + observedGeneration: + description: ObservedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + type: integer reason: description: Reason for the condition's last transition. type: string 
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-prometheusrules.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-prometheusrules.yaml index b28f61c..f139ffe 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-prometheusrules.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-prometheusrules.yaml @@ -1,4 +1,4 @@ -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -44,18 +44,26 @@ spec: groups: description: Content of Prometheus rule file items: - description: 'RuleGroup is a list of sequentially evaluated recording - and alerting rules. Note: PartialResponseStrategy is only used - by ThanosRuler and will be ignored by Prometheus instances. Valid - values for this field are ''warn'' or ''abort''. More info: https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md#partial-response' + description: RuleGroup is a list of sequentially evaluated recording + and alerting rules. properties: interval: + description: Interval determines how often rules in the group + are evaluated. + pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string name: + description: Name of the rule group. + minLength: 1 type: string partial_response_strategy: + default: "" + description: 'PartialResponseStrategy is only used by ThanosRuler + and will be ignored by Prometheus instances. More info: https://github.com/thanos-io/thanos/blob/main/docs/components/rule.md#partial-response' + pattern: ^(?i)(abort|warn)?$ type: string rules: + description: List of alerting and recording rules. items: description: 'Rule describes an alerting or recording rule See Prometheus documentation: [alerting](https://www.prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) 
@@ -63,23 +71,35 @@ spec: rule' properties: alert: + description: Name of the alert. Must be a valid label + value. Only one of `record` and `alert` must be set. type: string annotations: additionalProperties: type: string + description: Annotations to add to each alert. Only valid + for alerting rules. type: object expr: anyOf: - type: integer - type: string + description: PromQL expression to evaluate. x-kubernetes-int-or-string: true for: + description: Alerts are considered firing once they have + been returned for this long. + pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string labels: additionalProperties: type: string + description: Labels to add or overwrite. type: object record: + description: Name of the time series to output to. Must + be a valid metric name. Only one of `record` and `alert` + must be set. type: string required: - expr @@ -90,6 +110,9 @@ spec: - rules type: object type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object required: - spec diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-servicemonitors.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-servicemonitors.yaml index f64292b..92ecc35 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-servicemonitors.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-servicemonitors.yaml @@ -1,4 +1,4 @@ -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition 
@@ -41,6 +41,15 @@ spec: description: Specification of desired Service selection for target discovery by Prometheus. properties: + attachMetadata: + description: Attaches node metadata to discovered targets. Requires + Prometheus v2.37.0 and above. + properties: + node: + description: When set to true, Prometheus must have permissions + to get Nodes. + type: boolean + type: object endpoints: description: A list of endpoints allowed as part of this ServiceMonitor. items: @@ -147,6 +156,10 @@ spec: enableHttp2: description: Whether to enable HTTP2. type: boolean + filterRunning: + description: 'Drop pods that are not running. (Failed, Succeeded). + Enabled by default. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase' + type: boolean followRedirects: description: FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. @@ -436,8 +449,8 @@ spec: description: TLS configuration to use when scraping the endpoint properties: ca: - description: Struct containing the CA cert to use for the - targets. + description: Certificate authority used when verifying server + certificates. properties: configMap: description: ConfigMap containing data to use for the @@ -485,8 +498,7 @@ spec: to use for the targets. type: string cert: - description: Struct containing the client cert file for - the targets. + description: Client certificate to present when doing client-authentication. properties: configMap: description: ConfigMap containing data to use for the diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-thanosrulers.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-thanosrulers.yaml index 12713a0..7559727 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-thanosrulers.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/crds/crd-thanosrulers.yaml 
@@ -1,4 +1,4 @@ -# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.59.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml +# https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -21,13 +21,18 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - description: The desired replicas number of Thanos Rulers + - description: The number of desired replicas jsonPath: .spec.replicas name: Replicas type: integer - jsonPath: .metadata.creationTimestamp name: Age type: date + - description: Whether the resource reconciliation is paused or not + jsonPath: .status.paused + name: Paused + priority: 1 + type: boolean name: v1 schema: openAPIV3Schema: @@ -2233,7 +2238,8 @@ spec: the ''--grpc-server-tls-*'' CLI args.' properties: ca: - description: Struct containing the CA cert to use for the targets. + description: Certificate authority used when verifying server + certificates. properties: configMap: description: ConfigMap containing data to use for the targets. @@ -2278,7 +2284,7 @@ spec: use for the targets. type: string cert: - description: Struct containing the client cert file for the targets. + description: Client certificate to present when doing client-authentication. properties: configMap: description: ConfigMap containing data to use for the targets. diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/_helpers.tpl b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/_helpers.tpl index 25eb226..b01fe6d 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/_helpers.tpl +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/_helpers.tpl 
@@ -38,6 +38,11 @@ The longest name that gets created adds and extra 37 characters, so truncation s {{- end }} {{- end }} +{{/* Prometheus apiVersion for networkpolicy */}} +{{- define "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} + {{/* Alertmanager custom resource instance name */}} {{- define "kube-prometheus-stack.alertmanager.crname" -}} {{- if .Values.cleanPrometheusOperatorObjectNames }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/alertmanager.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/alertmanager.yaml index 388e933..986f035 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/alertmanager.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/alertmanager.yaml 
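Review bot: The helper added here, `kube-prometheus-stack.prometheus.networkPolicy.apiVersion`, is named after Prometheus but its only caller in this commit is the operator's NetworkPolicy, and the two job-patch NetworkPolicies added alongside it hard-code `networking.k8s.io/v1` instead of calling it. Either use it in all three templates or drop it, since v1 is the only NetworkPolicy version current clusters serve; if it stays, rename it to say `operator` and give it a one-line comment stating its purpose, e.g. `{{/* Single override point for the NetworkPolicy apiVersion; networking.k8s.io/v1 is the only served version */}}`.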
@@ -13,14 +13,15 @@ metadata: {{- end }} spec: {{- if .Values.alertmanager.alertmanagerSpec.image }} + {{- $registry := .Values.global.imageRegistry | default .Values.alertmanager.alertmanagerSpec.image.registry -}} {{- if and .Values.alertmanager.alertmanagerSpec.image.tag .Values.alertmanager.alertmanagerSpec.image.sha }} - image: "{{ .Values.alertmanager.alertmanagerSpec.image.repository }}:{{ .Values.alertmanager.alertmanagerSpec.image.tag }}@sha256:{{ .Values.alertmanager.alertmanagerSpec.image.sha }}" + image: "{{ $registry }}/{{ .Values.alertmanager.alertmanagerSpec.image.repository }}:{{ .Values.alertmanager.alertmanagerSpec.image.tag }}@sha256:{{ .Values.alertmanager.alertmanagerSpec.image.sha }}" {{- else if .Values.alertmanager.alertmanagerSpec.image.sha }} - image: "{{ .Values.alertmanager.alertmanagerSpec.image.repository }}@sha256:{{ .Values.alertmanager.alertmanagerSpec.image.sha }}" + image: "{{ $registry }}/{{ .Values.alertmanager.alertmanagerSpec.image.repository }}@sha256:{{ .Values.alertmanager.alertmanagerSpec.image.sha }}" {{- else if .Values.alertmanager.alertmanagerSpec.image.tag }} - image: "{{ .Values.alertmanager.alertmanagerSpec.image.repository }}:{{ .Values.alertmanager.alertmanagerSpec.image.tag }}" + image: "{{ $registry }}/{{ .Values.alertmanager.alertmanagerSpec.image.repository }}:{{ .Values.alertmanager.alertmanagerSpec.image.tag }}" {{- else }} - image: "{{ .Values.alertmanager.alertmanagerSpec.image.repository }}" + image: "{{ $registry }}/{{ .Values.alertmanager.alertmanagerSpec.image.repository }}" {{- end }} version: {{ .Values.alertmanager.alertmanagerSpec.image.tag }} {{- if .Values.alertmanager.alertmanagerSpec.image.sha }} 
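Review bot: With `$registry := .Values.global.imageRegistry | default .Values.alertmanager.alertmanagerSpec.image.registry`, an empty result (neither value set) renders `image: "/<repository>:<tag>"`, an invalid reference, whereas the old form fell back to the runtime's default registry; whether the chart's values.yaml always seeds `image.registry` is not visible here. If an empty registry is meant to be legal, emit the slash only when it is set, e.g. `image: "{{ if $registry }}{{ $registry }}/{{ end }}{{ .Values.alertmanager.alertmanagerSpec.image.repository }}:..."` in each of the four branches. The same pattern is introduced in job-createSecret.yaml, job-patchWebhook.yaml, prometheus-operator/deployment.yaml and prometheus/prometheus.yaml later in this commit. The `@sha256:` digest branches are kept, so a global registry override still resolves to the same pinned content, which is the right property for a mirror.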
@@ -89,7 +90,7 @@ spec: {{- end }} {{- if .Values.alertmanager.alertmanagerSpec.storage }} storage: -{{ toYaml .Values.alertmanager.alertmanagerSpec.storage | indent 4 }} +{{ tpl (toYaml .Values.alertmanager.alertmanagerSpec.storage | indent 4) . }} {{- end }} {{- if .Values.alertmanager.alertmanagerSpec.podMetadata }} podMetadata: @@ -162,4 +163,7 @@ spec: {{- if .Values.alertmanager.alertmanagerSpec.forceEnableClusterMode }} forceEnableClusterMode: {{ .Values.alertmanager.alertmanagerSpec.forceEnableClusterMode }} {{- end }} +{{- if .Values.alertmanager.alertmanagerSpec.minReadySeconds }} + minReadySeconds: {{ .Values.alertmanager.alertmanagerSpec.minReadySeconds }} +{{- end }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp-role.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp-role.yaml index d64d1f8..e8da52e 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp-role.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp-role.yaml @@ -1,4 +1,5 @@ {{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -19,3 +20,4 @@ rules: resourceNames: - {{ template "kube-prometheus-stack.fullname" . }}-alertmanager {{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp-rolebinding.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp-rolebinding.yaml index 9248cc8..71a8ec4 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp-rolebinding.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp-rolebinding.yaml 
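Review bot: The added `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` guard in psp-role.yaml is only populated from a live API server, so `helm template` (and GitOps renderers that do not pass `--api-versions`) renders none of this Role even when `global.rbac.pspEnabled` is true; the outer condition then implies a PSP binding that is never emitted, and nothing tells the operator that the hardening was skipped. The same guard is added to psp-rolebinding.yaml and psp.yaml on the next line, to job-patch/clusterrole.yaml and job-patch/psp.yaml, and to the three prometheus-operator/psp-* templates. A one-line comment at the first guard in each file would make the behaviour explicit, e.g. `{{/* PSP objects render only when the cluster serves policy/v1beta1; pass --api-versions policy/v1beta1/PodSecurityPolicy to helm template */}}`. Both hunks of psp-role.yaml are visible here.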
@@ -1,4 +1,5 @@ {{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -16,3 +17,4 @@ subjects: name: {{ template "kube-prometheus-stack.alertmanager.serviceAccountName" . }} namespace: {{ template "kube-prometheus-stack.namespace" . }} {{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp.yaml index b60fbbd..5a940af 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/psp.yaml @@ -1,4 +1,5 @@ {{- if and .Values.alertmanager.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -43,4 +44,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} - +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/servicemonitor.yaml index 2dc9b86..350ebe8 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/servicemonitor.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/alertmanager/servicemonitor.yaml 
@@ -18,6 +18,7 @@ spec: - {{ printf "%s" (include "kube-prometheus-stack.namespace" .) | quote }} endpoints: - port: {{ .Values.alertmanager.alertmanagerSpec.portName }} + enableHttp2: {{ .Values.alertmanager.serviceMonitor.enableHttp2 }} {{- if .Values.alertmanager.serviceMonitor.interval }} interval: {{ .Values.alertmanager.serviceMonitor.interval }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml index b5f0bf8..755168a 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/grafana/configmaps-datasources.yaml @@ -31,7 +31,7 @@ data: url: http://{{ template "kube-prometheus-stack.fullname" . }}-prometheus.{{ template "kube-prometheus-stack.namespace" . }}:{{ .Values.prometheus.service.port }}/{{ trimPrefix "/" .Values.prometheus.prometheusSpec.routePrefix }} {{- end }} access: proxy - isDefault: true + isDefault: {{ .Values.grafana.sidecar.datasources.isDefaultDatasource }} jsonData: timeInterval: {{ $scrapeInterval }} {{- if .Values.grafana.sidecar.datasources.exemplarTraceIdDestinations }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrole.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrole.yaml index 6c91ee0..cf2787b 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/clusterrole.yaml 
@@ -18,7 +18,7 @@ rules: verbs: - get - update -{{- if .Values.global.rbac.pspEnabled }} +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.global.rbac.pspEnabled }} {{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }} {{- if semverCompare "> 1.15.0-0" $kubeTargetVersion }} - apiGroups: ['policy'] diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml index abe3638..1bb9b02 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-createSecret.yaml @@ -7,6 +7,9 @@ metadata: annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +{{- with .Values.prometheusOperator.admissionWebhooks.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} labels: app: {{ template "kube-prometheus-stack.name" $ }}-admission-create {{- include "kube-prometheus-stack.labels" $ | indent 4 }} 
@@ -31,10 +34,11 @@ spec: {{- end }} containers: - name: create + {{- $registry := .Values.global.imageRegistry | default .Values.prometheusOperator.admissionWebhooks.patch.image.registry -}} {{- if .Values.prometheusOperator.admissionWebhooks.patch.image.sha }} - image: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.sha }} + image: {{ $registry }}/{{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.sha }} {{- else }} - image: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }} + image: {{ $registry }}/{{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }} {{- end }} imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }} args: diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml index 560dc11..350669a 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/job-patchWebhook.yaml 
@@ -7,6 +7,9 @@ metadata: annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +{{- with .Values.prometheusOperator.admissionWebhooks.patch.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} labels: app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch {{- include "kube-prometheus-stack.labels" $ | indent 4 }} @@ -20,7 +23,7 @@ spec: name: {{ template "kube-prometheus-stack.fullname" . }}-admission-patch {{- with .Values.prometheusOperator.admissionWebhooks.patch.podAnnotations }} annotations: -{{ toYaml . | indent 8 }} +{{ toYaml . | indent 8 }} {{- end }} labels: app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch @@ -31,10 +34,11 @@ spec: {{- end }} containers: - name: patch + {{- $registry := .Values.global.imageRegistry | default .Values.prometheusOperator.admissionWebhooks.patch.image.registry -}} {{- if .Values.prometheusOperator.admissionWebhooks.patch.image.sha }} - image: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.sha }} + image: {{ $registry }}/{{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }}@sha256:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.sha }} {{- else }} - image: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }} + image: {{ $registry }}/{{ .Values.prometheusOperator.admissionWebhooks.patch.image.repository }}:{{ .Values.prometheusOperator.admissionWebhooks.patch.image.tag }} {{- end }} imagePullPolicy: {{ .Values.prometheusOperator.admissionWebhooks.patch.image.pullPolicy }} args: 
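Review bot: The patch job reads its annotations from `.Values.prometheusOperator.admissionWebhooks.patch.annotations`, while the sibling create job in the previous hunk reads `.Values.prometheusOperator.admissionWebhooks.annotations`; the two new NetworkPolicy templates repeat the same split. If this is deliberate (it may mirror upstream), a comment such as `{{/* patch job: annotations come from admissionWebhooks.patch.annotations, not admissionWebhooks.annotations */}}` stops the next reader from treating it as a typo; if not, one key should feed both jobs. A user-supplied `helm.sh/hook` or `helm.sh/hook-delete-policy` key in either map is emitted next to the literal ones above it and produces a duplicate YAML key, which is worth stating in values documentation.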
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml
new file mode 100644
index 0000000..270bf85
--- /dev/null
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-createSecret.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.prometheusOperator.networkPolicy.enabled }}
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "kube-prometheus-stack.fullname" . }}-admission-create
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ ## Ensure this is run before the job
+ "helm.sh/hook-weight": "-5"
+{{- with .Values.prometheusOperator.admissionWebhooks.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ template "kube-prometheus-stack.name" $ }}-admission-create
+{{- include "kube-prometheus-stack.labels" $ | indent 6 }}
+ egress:
+ - {}
+ policyTypes:
+ - Egress
+{{- end }}
+{{- end }}
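Review bot: This policy has `policyTypes: [Egress]` with a single `- {}` rule, so it restricts nothing: ingress is untouched and all egress is allowed; its only effect is to exempt the hook pod from a namespace default-deny egress policy so it can reach the API server, and that intent is not written anywhere. Add it above `egress:`, e.g. `## Allow-all egress: exempts the hook from a namespace default-deny so it can reach the API server`; the identical networkpolicy-patchWebhook.yaml on the next line deserves the same comment. The `podSelector` also copies every label from `kube-prometheus-stack.labels`; if that helper emits a chart-version label, the selector must match the Job's pod template exactly (not visible here) or the policy silently selects nothing. Where the API server CIDR is known, an `ipBlock` on the API port is the tighter form of the same exemption.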
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml
new file mode 100644
index 0000000..170c651
--- /dev/null
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/networkpolicy-patchWebhook.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.prometheusOperator.networkPolicy.enabled }}
+{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "kube-prometheus-stack.fullname" . }}-admission-patch
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ ## Ensure this is run before the job
+ "helm.sh/hook-weight": "-5"
+{{- with .Values.prometheusOperator.admissionWebhooks.patch.annotations }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+{{- include "kube-prometheus-stack.labels" $ | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app: {{ template "kube-prometheus-stack.name" $ }}-admission-patch
+{{- include "kube-prometheus-stack.labels" $ | indent 6 }}
+ egress:
+ - {}
+ policyTypes:
+ - Egress
+{{- end }}
+{{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml
index 9feff52..5a8c19a 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/job-patch/psp.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }} +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.prometheusOperator.enabled .Values.prometheusOperator.admissionWebhooks.enabled .Values.prometheusOperator.admissionWebhooks.patch.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml index 9242659..8d4e7d3 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/admission-webhooks/validatingWebhookConfiguration.yaml 
@@ -36,6 +36,7 @@ webhooks: {{- if and .Values.prometheusOperator.admissionWebhooks.caBundle (not .Values.prometheusOperator.admissionWebhooks.patch.enabled) (not .Values.prometheusOperator.admissionWebhooks.certManager.enabled) }} caBundle: {{ .Values.prometheusOperator.admissionWebhooks.caBundle }} {{- end }} + timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }} admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml index 5883b76..97a78cd 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/deployment.yaml @@ -9,6 +9,9 @@ metadata: labels: app: {{ template "kube-prometheus-stack.name" . }}-operator {{ include "kube-prometheus-stack.labels" . | indent 4 }} +{{- if .Values.prometheusOperator.labels }} +{{ toYaml .Values.prometheusOperator.labels | indent 4 }} +{{- end }} {{- if .Values.prometheusOperator.annotations }} annotations: {{ toYaml .Values.prometheusOperator.annotations | indent 4 }} 
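Review bot: `timeoutSeconds: {{ .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}` is emitted unconditionally, so an unset value renders the key with an empty value; the API server then applies its default of 10 seconds, but the intent is clearer guarded as `{{- with .Values.prometheusOperator.admissionWebhooks.timeoutSeconds }}` / `timeoutSeconds: {{ . }}` / `{{- end }}`. The API accepts only 1–30 seconds, and because a validating webhook holds every admission of the objects it validates while it waits, a value near 30 combined with a Fail policy turns operator unavailability into a 30-second stall per request; a one-line comment beside the value stating the range and that trade-off would help whoever tunes it. The `failurePolicy` and the rest of this webhook entry lie outside the hunk.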
@@ -37,10 +40,11 @@ spec: {{- end }} containers: - name: {{ template "kube-prometheus-stack.name" . }} + {{- $registry := .Values.global.imageRegistry | default .Values.prometheusOperator.image.registry -}} {{- if .Values.prometheusOperator.image.sha }} - image: "{{ .Values.prometheusOperator.image.repository }}:{{ .Values.prometheusOperator.image.tag }}@sha256:{{ .Values.prometheusOperator.image.sha }}" + image: "{{ $registry }}/{{ .Values.prometheusOperator.image.repository }}:{{ .Values.prometheusOperator.image.tag }}@sha256:{{ .Values.prometheusOperator.image.sha }}" {{- else }} - image: "{{ .Values.prometheusOperator.image.repository }}:{{ .Values.prometheusOperator.image.tag }}" + image: "{{ $registry }}/{{ .Values.prometheusOperator.image.repository }}:{{ .Values.prometheusOperator.image.tag }}" {{- end }} imagePullPolicy: "{{ .Values.prometheusOperator.image.pullPolicy }}" args: 
@@ -54,26 +58,31 @@ spec: - --log-level={{ .Values.prometheusOperator.logLevel }} {{- end }} {{- if .Values.prometheusOperator.denyNamespaces }} - - --deny-namespaces={{ .Values.prometheusOperator.denyNamespaces | join "," }} + - --deny-namespaces={{ tpl (.Values.prometheusOperator.denyNamespaces | join ",") $ }} {{- end }} {{- with $.Values.prometheusOperator.namespaces }} - {{ $ns := default (list nil) .additional }} + {{- $namespaces := list }} {{- if .releaseNamespace }} - {{- $ns = append $ns $namespace }} + {{- $namespaces = append $namespaces $namespace }} {{- end }} - - --namespaces={{ $ns | join "," }} + {{- if .additional }} + {{- range $ns := .additional }} + {{- $namespaces = append $namespaces (tpl $ns $) }} + {{- end }} + {{- end }} + - --namespaces={{ $namespaces | mustUniq | join "," }} {{- end }} - --localhost=127.0.0.1 {{- if .Values.prometheusOperator.prometheusDefaultBaseImage }} - - --prometheus-default-base-image={{ .Values.prometheusOperator.prometheusDefaultBaseImage }} + - --prometheus-default-base-image={{ .Values.global.imageRegistry | default .Values.prometheusOperator.prometheusDefaultBaseImageRegistry }}/{{ .Values.prometheusOperator.prometheusDefaultBaseImage }} {{- end }} {{- if .Values.prometheusOperator.alertmanagerDefaultBaseImage }} - - --alertmanager-default-base-image={{ .Values.prometheusOperator.alertmanagerDefaultBaseImage }} + - --alertmanager-default-base-image={{ .Values.global.imageRegistry | default .Values.prometheusOperator.alertmanagerDefaultBaseImageRegistry }}/{{ .Values.prometheusOperator.alertmanagerDefaultBaseImage }} {{- end }} {{- if .Values.prometheusOperator.prometheusConfigReloader.image.sha }} - - --prometheus-config-reloader={{ .Values.prometheusOperator.prometheusConfigReloader.image.repository }}:{{ .Values.prometheusOperator.prometheusConfigReloader.image.tag }}@sha256:{{ .Values.prometheusOperator.prometheusConfigReloader.image.sha }} + - --prometheus-config-reloader={{ $registry }}/{{ 
.Values.prometheusOperator.prometheusConfigReloader.image.repository }}:{{ .Values.prometheusOperator.prometheusConfigReloader.image.tag }}@sha256:{{ .Values.prometheusOperator.prometheusConfigReloader.image.sha }} {{- else }} - - --prometheus-config-reloader={{ .Values.prometheusOperator.prometheusConfigReloader.image.repository }}:{{ .Values.prometheusOperator.prometheusConfigReloader.image.tag }} + - --prometheus-config-reloader={{ $registry }}/{{ .Values.prometheusOperator.prometheusConfigReloader.image.repository }}:{{ .Values.prometheusOperator.prometheusConfigReloader.image.tag }} {{- end }} - --config-reloader-cpu-request={{ .Values.prometheusOperator.prometheusConfigReloader.resources.requests.cpu }} - --config-reloader-cpu-limit={{ .Values.prometheusOperator.prometheusConfigReloader.resources.limits.cpu }} @@ -89,9 +98,9 @@ spec: - --prometheus-instance-namespaces={{ .Values.prometheusOperator.prometheusInstanceNamespaces | join "," }} {{- end }} {{- if .Values.prometheusOperator.thanosImage.sha }} - - --thanos-default-base-image={{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }}@sha256:{{ .Values.prometheusOperator.thanosImage.sha }} + - --thanos-default-base-image={{ $registry }}/{{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }}@sha256:{{ .Values.prometheusOperator.thanosImage.sha }} {{- else }} - - --thanos-default-base-image={{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }} + - --thanos-default-base-image={{ $registry }}/{{ .Values.prometheusOperator.thanosImage.repository }}:{{ .Values.prometheusOperator.thanosImage.tag }} {{- end }} {{- if .Values.prometheusOperator.thanosRulerInstanceNamespaces }} - --thanos-ruler-instance-namespaces={{ .Values.prometheusOperator.thanosRulerInstanceNamespaces | join "," }} 
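Review bot: The config-reloader and Thanos image arguments now take their registry from `$registry`, which the previous hunk derives from `global.imageRegistry` or the operator's own `image.registry`; if `prometheusConfigReloader.image` and `thanosImage` carry their own `registry` values (not visible here) those keys are silently ignored, and an operator image mirrored to a private registry drags the other two along even when they are not mirrored there. Consider a per-image expression such as `{{ .Values.global.imageRegistry | default .Values.prometheusOperator.prometheusConfigReloader.image.registry }}`, matching how `--prometheus-default-base-image` and `--alertmanager-default-base-image` in this same hunk already use their own `*Registry` value. Separately, `{{- if .additional }}` around the `range` is redundant, since `range` over a nil or empty list emits nothing. The hunk starts inside the operator container's `args:` list, whose beginning is outside this hunk.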
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml
new file mode 100644
index 0000000..ebffa9c
--- /dev/null
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/networkpolicy.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.prometheusOperator.networkPolicy.enabled }}
+apiVersion: {{ template "kube-prometheus-stack.prometheus.networkPolicy.apiVersion" . }}
+kind: NetworkPolicy
+metadata:
+ name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ labels:
+ app: {{ template "kube-prometheus-stack.name" . }}-operator
+spec:
+ egress:
+ - {}
+ ingress:
+ - ports:
+ {{- if .Values.prometheusOperator.tls.enabled }}
+ - port: {{ .Values.prometheusOperator.tls.internalPort }}
+ {{- else }}
+ - port: 8080
+ {{- end }}
+ policyTypes:
+ - Egress
+ - Ingress
+ podSelector:
+ matchLabels:
+ app: {{ template "kube-prometheus-stack.name" . }}-operator
+ release: {{ $.Release.Name | quote }}
+{{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrole.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrole.yaml
index d667d62..f701222 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrole.yaml
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrole.yaml
@@ -1,4 +1,5 @@
 {{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }}
+{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
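Review bot: The ingress rule lists a port but no `from`, so any pod in the cluster may reach the operator's port (8080, or `tls.internalPort` when TLS is on); that is usually unavoidable because the admission caller is the API server, which in managed clusters sits outside the pod network, but the reason should be stated, e.g. `## No 'from': the kube-apiserver (webhook caller) is not selectable by label; restrict with an ipBlock where its CIDR is known`. Egress is `- {}` (allow all), as in the two job-patch policies; the operator only needs the API server, so the same ipBlock option applies and a comment to that effect belongs above `egress:`. The `podSelector` requires a `release` label that the operator Deployment's pod template must carry for the policy to select anything; that template is not visible in this hunk.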
@@ -18,3 +19,4 @@ rules: resourceNames: - {{ template "kube-prometheus-stack.fullname" . }}-operator {{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrolebinding.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrolebinding.yaml index c538cd1..8a13fbb 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrolebinding.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp-clusterrolebinding.yaml @@ -1,4 +1,5 @@ {{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -15,3 +16,4 @@ subjects: name: {{ template "kube-prometheus-stack.operator.serviceAccountName" . }} namespace: {{ template "kube-prometheus-stack.namespace" . }} {{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp.yaml index d9228f0..0b42e97 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/psp.yaml @@ -1,4 +1,5 @@ {{- if and .Values.prometheusOperator.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -43,3 +44,4 @@ spec: max: 65535 readOnlyRootFilesystem: false {{- end }} +{{- end }} 
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/servicemonitor.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/servicemonitor.yaml index b7bd952..987b0ec 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/servicemonitor.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/servicemonitor.yaml @@ -7,6 +7,9 @@ metadata: labels: app: {{ template "kube-prometheus-stack.name" . }}-operator {{ include "kube-prometheus-stack.labels" . | indent 4 }} +{{- with .Values.prometheusOperator.serviceMonitor.additionalLabels }} +{{ toYaml . | indent 4 }} +{{- end }} spec: endpoints: {{- if .Values.prometheusOperator.tls.enabled }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/verticalpodautoscaler.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/verticalpodautoscaler.yaml new file mode 100644 index 0000000..fe2c68e --- /dev/null +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus-operator/verticalpodautoscaler.yaml 
@@ -0,0 +1,35 @@
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.prometheusOperator.verticalPodAutoscaler.enabled) }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+ namespace: {{ template "kube-prometheus-stack.namespace" . }}
+ labels:
+ app: {{ template "kube-prometheus-stack.name" . }}-operator
+{{ include "kube-prometheus-stack.labels" . | indent 4 }}
+spec:
+ resourcePolicy:
+ containerPolicies:
+ - containerName: {{ template "kube-prometheus-stack.name" . }}
+ {{- if .Values.prometheusOperator.verticalPodAutoscaler.controlledResources }}
+ controlledResources: {{ .Values.prometheusOperator.verticalPodAutoscaler.controlledResources }}
+ {{- end }}
+ {{- if .Values.prometheusOperator.verticalPodAutoscaler.maxAllowed }}
+ maxAllowed:
+ {{- toYaml .Values.prometheusOperator.verticalPodAutoscaler.maxAllowed | nindent 8 }}
+ {{- end }}
+ {{- if .Values.prometheusOperator.verticalPodAutoscaler.minAllowed }}
+ minAllowed:
+ {{- toYaml .Values.prometheusOperator.verticalPodAutoscaler.minAllowed | nindent 8 }}
+ {{- end }}
+ targetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "kube-prometheus-stack.fullname" . }}-operator
+ {{- if .Values.prometheusOperator.verticalPodAutoscaler.updatePolicy }}
+ updatePolicy:
+ {{- if .Values.prometheusOperator.verticalPodAutoscaler.updatePolicy.updateMode }}
+ updateMode: {{ .Values.prometheusOperator.verticalPodAutoscaler.updatePolicy.updateMode }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml
index 8e29e0c..5235f74 100644
--- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml
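Review bot: `controlledResources: {{ .Values.prometheusOperator.verticalPodAutoscaler.controlledResources }}` prints the value with Go's default formatting, so a YAML list such as `[cpu, memory]` (which the plural name suggests) renders as `[cpu memory]`, a one-element flow sequence whose single entry `cpu memory` is not a resource name; only a plain string value would render correctly. Render it as YAML the way the sibling `maxAllowed` block does: `controlledResources: {{ toYaml .Values.prometheusOperator.verticalPodAutoscaler.controlledResources | nindent 8 }}`. The file is otherwise self-contained and gated on the `autoscaling.k8s.io/v1` capability, which, like the PSP guards elsewhere in this commit, evaluates false under `helm template` without `--api-versions`, so the VPA silently disappears from client-side renders.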
+++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/prometheus.yaml @@ -12,6 +12,7 @@ metadata: {{ toYaml .Values.prometheus.annotations | indent 4 }} {{- end }} spec: +{{- if or .Values.prometheus.prometheusSpec.alertingEndpoints .Values.alertmanager.enabled }} alerting: alertmanagers: {{- if .Values.prometheus.prometheusSpec.alertingEndpoints }} 
@@ -24,28 +25,32 @@ spec: pathPrefix: "{{ .Values.alertmanager.alertmanagerSpec.routePrefix }}" {{- end }} apiVersion: {{ .Values.alertmanager.apiVersion }} -{{- else }} - [] +{{- end }} {{- end }} {{- if .Values.prometheus.prometheusSpec.apiserverConfig }} apiserverConfig: {{ toYaml .Values.prometheus.prometheusSpec.apiserverConfig | indent 4}} {{- end }} {{- if .Values.prometheus.prometheusSpec.image }} + {{- $registry := .Values.global.imageRegistry | default .Values.prometheus.prometheusSpec.image.registry -}} {{- if and .Values.prometheus.prometheusSpec.image.tag .Values.prometheus.prometheusSpec.image.sha }} - image: "{{ .Values.prometheus.prometheusSpec.image.repository }}:{{ .Values.prometheus.prometheusSpec.image.tag }}@sha256:{{ .Values.prometheus.prometheusSpec.image.sha }}" + image: "{{ $registry }}/{{ .Values.prometheus.prometheusSpec.image.repository }}:{{ .Values.prometheus.prometheusSpec.image.tag }}@sha256:{{ .Values.prometheus.prometheusSpec.image.sha }}" {{- else if .Values.prometheus.prometheusSpec.image.sha }} - image: "{{ .Values.prometheus.prometheusSpec.image.repository }}@sha256:{{ .Values.prometheus.prometheusSpec.image.sha }}" + image: "{{ $registry }}/{{ .Values.prometheus.prometheusSpec.image.repository }}@sha256:{{ .Values.prometheus.prometheusSpec.image.sha }}" {{- else if .Values.prometheus.prometheusSpec.image.tag }} - image: "{{ .Values.prometheus.prometheusSpec.image.repository }}:{{ .Values.prometheus.prometheusSpec.image.tag }}" + image: "{{ $registry }}/{{ .Values.prometheus.prometheusSpec.image.repository }}:{{ .Values.prometheus.prometheusSpec.image.tag }}" {{- else }} - image: "{{ .Values.prometheus.prometheusSpec.image.repository }}" + image: "{{ $registry }}/{{ .Values.prometheus.prometheusSpec.image.repository }}" {{- end }} version: {{ .Values.prometheus.prometheusSpec.image.tag }} {{- if .Values.prometheus.prometheusSpec.image.sha }} sha: {{ .Values.prometheus.prometheusSpec.image.sha }} {{- end }} {{- end }} +{{- if 
.Values.prometheus.prometheusSpec.additionalArgs }} + additionalArgs: +{{ toYaml .Values.prometheus.prometheusSpec.additionalArgs | indent 4}} +{{- end -}} {{- if .Values.prometheus.prometheusSpec.externalLabels }} externalLabels: {{ tpl (toYaml .Values.prometheus.prometheusSpec.externalLabels | indent 4) . }} @@ -205,6 +210,7 @@ spec: {{ else }} ruleNamespaceSelector: {} {{- end }} +{{- if not (has "agent" .Values.prometheus.prometheusSpec.enableFeatures) }} {{- if .Values.prometheus.prometheusSpec.ruleSelector }} ruleSelector: {{ toYaml .Values.prometheus.prometheusSpec.ruleSelector | indent 4}} @@ -215,9 +221,10 @@ spec: {{ else }} ruleSelector: {} {{- end }} +{{- end }} {{- if .Values.prometheus.prometheusSpec.storageSpec }} storage: -{{ toYaml .Values.prometheus.prometheusSpec.storageSpec | indent 4 }} +{{ tpl (toYaml .Values.prometheus.prometheusSpec.storageSpec | indent 4) . }} {{- end }} {{- if .Values.prometheus.prometheusSpec.podMetadata }} podMetadata: @@ -239,7 +246,7 @@ spec: labelSelector: matchExpressions: - {key: app.kubernetes.io/name, operator: In, values: [prometheus]} - - {key: prometheus, operator: In, values: [{{ template "kube-prometheus-stack.fullname" . }}-prometheus]} + - {key: prometheus, operator: In, values: [{{ template "kube-prometheus-stack.prometheus.crname" . }}]} {{- else if eq .Values.prometheus.prometheusSpec.podAntiAffinity "soft" }} podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: @@ -249,7 +256,7 @@ spec: labelSelector: matchExpressions: - {key: app.kubernetes.io/name, operator: In, values: [prometheus]} - - {key: prometheus, operator: In, values: [{{ template "kube-prometheus-stack.fullname" . }}-prometheus]} + - {key: prometheus, operator: In, values: [{{ template "kube-prometheus-stack.prometheus.crname" . }}]} {{- end }} {{- end }} {{- if .Values.prometheus.prometheusSpec.tolerations }} 
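Review bot: The new `$registry` line and the four `image:` lines that follow prefix `{{ $registry }}/` unconditionally, so a values override that predates this layout (`repository: quay.io/prometheus/prometheus` with no `registry` key and `global.imageRegistry` left empty) renders an image reference with an empty registry and a leading slash, which the kubelet cannot pull. Guard the separator on the registry, e.g. `image: "{{ if $registry }}{{ $registry }}/{{ end }}{{ .Values.prometheus.prometheusSpec.image.repository }}:{{ .Values.prometheus.prometheusSpec.image.tag }}"` on each of the four lines, or fail early with `{{ required "prometheusSpec.image.registry must be set" $registry }}`. The ruler.yaml hunk at `@@ -13,14 +13,15 @@` has the identical pattern and needs the same guard. The enclosing `spec:` block starts before this hunk and continues past it.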
@@ -380,4 +387,8 @@ spec: {{- if .Values.prometheus.prometheusSpec.allowOverlappingBlocks }} allowOverlappingBlocks: {{ .Values.prometheus.prometheusSpec.allowOverlappingBlocks }} {{- end }} +{{- if .Values.prometheus.prometheusSpec.minReadySeconds }} + minReadySeconds: {{ .Values.prometheus.prometheusSpec.minReadySeconds }} +{{- end }} + hostNetwork: {{ .Values.prometheus.prometheusSpec.hostNetwork }} {{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp-clusterrole.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp-clusterrole.yaml index a279fb2..872feb6 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp-clusterrole.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp-clusterrole.yaml @@ -1,4 +1,5 @@ {{- if and .Values.prometheus.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -18,3 +19,4 @@ rules: resourceNames: - {{ template "kube-prometheus-stack.fullname" . }}-prometheus {{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp-clusterrolebinding.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp-clusterrolebinding.yaml index 27b73b7..50e3617 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp-clusterrolebinding.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp-clusterrolebinding.yaml @@ -1,4 +1,5 @@ {{- if and .Values.prometheus.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
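Review bot: `hostNetwork: {{ .Values.prometheus.prometheusSpec.hostNetwork }}` is the only new field in this hunk that is not guarded, so a values file written before this key existed renders `hostNetwork:` with a null value, while the `minReadySeconds` lines two above are wrapped in `{{- if }}`. Since `false` is the default, `{{- if .Values.prometheus.prometheusSpec.hostNetwork }}` / `  hostNetwork: true` / `{{- end }}` gives the same result without the null. A comment in the template is also warranted: with hostNetwork the Prometheus pods share the node's network namespace, which the Pod Security `baseline` profile rejects and which the chart's own PodSecurityPolicy (psp.yaml, touched in this commit) presumably forbids too, so enabling it needs a matching policy exemption. The `{{- end }}` that closes the hunk belongs to an `if` that starts outside it.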
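Review bot: The added `{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}` is evaluated against whatever API list Helm has at render time, so `helm template` without `--api-versions` (and any pipeline that diffs rendered manifests that way) silently drops the ClusterRole while `global.rbac.pspEnabled` still reads true. A comment such as `{{/* PodSecurityPolicy was removed in Kubernetes 1.25; this resource is skipped whenever the API is absent, including under plain helm template */}}` on the new line saves the next reader a surprise. The same wrapper is added to psp-clusterrolebinding.yaml and psp.yaml in this commit, so one comment at the first occurrence should point to the others.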
@@ -15,4 +16,4 @@ subjects: name: {{ template "kube-prometheus-stack.prometheus.serviceAccountName" . }} namespace: {{ template "kube-prometheus-stack.namespace" . }} {{- end }} - +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp.yaml index eecf992..b53808d 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/prometheus/psp.yaml @@ -1,4 +1,5 @@ {{- if and .Values.prometheus.enabled .Values.global.rbac.create .Values.global.rbac.pspEnabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -54,3 +55,4 @@ spec: {{ toYaml .Values.prometheus.podSecurityPolicy.allowedHostPaths | indent 4 }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/thanos-ruler/ruler.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/thanos-ruler/ruler.yaml index 1f294f8..ebca08c 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/thanos-ruler/ruler.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/templates/thanos-ruler/ruler.yaml 
@@ -13,14 +13,15 @@ metadata: {{- end }} spec: {{- if .Values.thanosRuler.thanosRulerSpec.image }} + {{- $registry := .Values.global.imageRegistry | default .Values.thanosRuler.thanosRulerSpec.image.registry -}} {{- if and .Values.thanosRuler.thanosRulerSpec.image.tag .Values.thanosRuler.thanosRulerSpec.image.sha }} - image: "{{ .Values.thanosRuler.thanosRulerSpec.image.repository }}:{{ .Values.thanosRuler.thanosRulerSpec.image.tag }}@sha256:{{ .Values.thanosRuler.thanosRulerSpec.image.sha }}" + image: "{{ $registry }}/{{ .Values.thanosRuler.thanosRulerSpec.image.repository }}:{{ .Values.thanosRuler.thanosRulerSpec.image.tag }}@sha256:{{ .Values.thanosRuler.thanosRulerSpec.image.sha }}" {{- else if .Values.thanosRuler.thanosRulerSpec.image.sha }} - image: "{{ .Values.thanosRuler.thanosRulerSpec.image.repository }}@sha256:{{ .Values.thanosRuler.thanosRulerSpec.image.sha }}" + image: "{{ $registry }}/{{ .Values.thanosRuler.thanosRulerSpec.image.repository }}@sha256:{{ .Values.thanosRuler.thanosRulerSpec.image.sha }}" {{- else if .Values.thanosRuler.thanosRulerSpec.image.tag }} - image: "{{ .Values.thanosRuler.thanosRulerSpec.image.repository }}:{{ .Values.thanosRuler.thanosRulerSpec.image.tag }}" + image: "{{ $registry }}/{{ .Values.thanosRuler.thanosRulerSpec.image.repository }}:{{ .Values.thanosRuler.thanosRulerSpec.image.tag }}" {{- else }} - image: "{{ .Values.thanosRuler.thanosRulerSpec.image.repository }}" + image: "{{ $registry }}/{{ .Values.thanosRuler.thanosRulerSpec.image.repository }}" {{- end }} {{- if .Values.thanosRuler.thanosRulerSpec.image.sha }} sha: {{ .Values.thanosRuler.thanosRulerSpec.image.sha }} 
@@ -78,6 +79,10 @@ spec: queryEndpoints: {{ toYaml .Values.thanosRuler.thanosRulerSpec.queryEndpoints | indent 4 }} {{- end }} +{{- if .Values.thanosRuler.thanosRulerSpec.queryConfig }} + queryConfig: +{{ toYaml .Values.thanosRuler.thanosRulerSpec.queryConfig | indent 4 }} +{{- end }} {{- if .Values.thanosRuler.thanosRulerSpec.resources }} resources: {{ toYaml .Values.thanosRuler.thanosRulerSpec.resources | indent 4 }} diff --git a/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml b/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml index 74e7c6d..4ad72b4 100644 --- a/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml +++ b/charts/kubezero-metrics/charts/kube-prometheus-stack/values.yaml @@ -51,7 +51,8 @@ defaultRules: kubernetesResources: true kubernetesStorage: true kubernetesSystem: true - kubeScheduler: true + kubeSchedulerAlerting: true + kubeSchedulerRecording: true kubeStateMetrics: true network: true node: true @@ -121,6 +122,10 @@ global: # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + ## Global image registry to use if it needs to be overriden for some specific use cases (e.g local registries, custom images, ...) + ## + imageRegistry: "" + ## Reference to one or more secrets to be used when pulling images ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## 
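Review bot: The comment on the new `imageRegistry: ""` key reads "overriden" (should be "overridden") and does not say that the value replaces the per-image `registry` for every image the chart renders, not only the quay.io ones: the kube-webhook-certgen image later in this diff defaults to `registry: k8s.gcr.io`, so pointing `global.imageRegistry` at a quay mirror also redirects that pull to a path that may not exist there. A second line such as `## Applies to every image in this chart, including those whose default registry is not quay.io (e.g. kube-webhook-certgen).` would make that explicit. Whether the bundled subcharts honour `global.imageRegistry` is not visible from this diff and is worth stating either way.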
@@ -415,6 +420,10 @@ alertmanager: ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. scheme: "" + ## enableHttp2: Whether to enable HTTP2. + ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint + enableHttp2: true + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. ## Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig tlsConfig: {} @@ -452,8 +461,9 @@ alertmanager: ## Image of Alertmanager ## image: - repository: quay.io/prometheus/alertmanager - tag: v0.24.0 + registry: quay.io + repository: prometheus/alertmanager + tag: v0.25.0 sha: "" ## If true then the user will be responsible to provide a secret with alertmanager configuration @@ -686,6 +696,10 @@ alertmanager: ## Use case is e.g. spanning an Alertmanager cluster across Kubernetes clusters with a single replica in each. forceEnableClusterMode: false + ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to + ## be considered available. Defaults to 0 (pod will be considered available as soon as it is ready). + minReadySeconds: 0 + ## ExtraSecret can be used to store various data in an extra secret ## (use it for example to store hashed basic auth credentials) extraSecret: @@ -784,6 +798,7 @@ grafana: datasources: enabled: true defaultDatasourceEnabled: true + isDefaultDatasource: true uid: prometheus @@ -1023,7 +1038,8 @@ kubelet: ## ## metrics_path is required to match upstream rules and charts cAdvisorRelabelings: - - sourceLabels: [__metrics_path__] + - action: replace + sourceLabels: [__metrics_path__] targetLabel: metrics_path # - sourceLabels: [__meta_kubernetes_pod_node_name] # separator: ; 
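Review bot: Splitting `repository: quay.io/prometheus/alertmanager` into `registry: quay.io` plus `repository: prometheus/alertmanager` changes the meaning of an existing override key without saying so: a user values file that still sets `image.repository: quay.io/prometheus/alertmanager` now renders `quay.io/quay.io/prometheus/alertmanager`. A line above the block such as `## registry and repository are separate keys since this version; do not include the registry in repository.` plus an entry in the chart's upgrade notes would catch that. The same split is made for the webhook certgen, prometheus-operator, config-reloader, thanos, prometheus and thanosRuler images in later hunks of this file; one note at this first occurrence can cover all of them.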
@@ -1036,7 +1052,8 @@ kubelet: ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig ## probesRelabelings: - - sourceLabels: [__metrics_path__] + - action: replace + sourceLabels: [__metrics_path__] targetLabel: metrics_path # - sourceLabels: [__meta_kubernetes_pod_node_name] # separator: ; @@ -1049,7 +1066,8 @@ kubelet: ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig ## resourceRelabelings: - - sourceLabels: [__metrics_path__] + - action: replace + sourceLabels: [__metrics_path__] targetLabel: metrics_path # - sourceLabels: [__meta_kubernetes_pod_node_name] # separator: ; @@ -1078,7 +1096,8 @@ kubelet: ## ## metrics_path is required to match upstream rules and charts relabelings: - - sourceLabels: [__metrics_path__] + - action: replace + sourceLabels: [__metrics_path__] targetLabel: metrics_path # - sourceLabels: [__meta_kubernetes_pod_node_name] # separator: ; @@ -1285,8 +1304,8 @@ kubeEtcd: ## service: enabled: true - port: 2379 - targetPort: 2379 + port: 2381 + targetPort: 2381 # selector: # component: etcd @@ -1607,10 +1626,14 @@ prometheusOperator: ## On chart upgrades (or if the secret exists) the cert will not be re-generated. You can use this to provide your own ## certs ahead of time if you wish. ## + annotations: {} + # argocd.argoproj.io/hook: PreSync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded patch: enabled: true image: - repository: k8s.gcr.io/ingress-nginx/kube-webhook-certgen + registry: k8s.gcr.io + repository: ingress-nginx/kube-webhook-certgen tag: v1.3.0 sha: "" pullPolicy: IfNotPresent @@ -1618,6 +1641,9 @@ prometheusOperator: ## Provide a priority class name to the webhook patching job ## priorityClassName: "" + annotations: {} + # argocd.argoproj.io/hook: PreSync + # argocd.argoproj.io/hook-delete-policy: HookSucceeded podAnnotations: {} nodeSelector: {} affinity: {} 
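Review bot: Changing the kubeEtcd service from 2379 to 2381 moves the scrape from etcd's client port to its metrics listener (`--listen-metrics-urls`), which serves `/metrics` over plain HTTP without the client-certificate check the client port enforces; that is the sensible port for scraping, but the values comment should say why, because a reader will otherwise read the change as a typo. kubeadm-generated etcd manifests bind that listener to 127.0.0.1 by default, so the scrape only works once etcd is configured to listen on a node-reachable address, and the endpoint is then readable by anything that can reach that address. A comment above the `port:` line such as `## 2381 is etcd's unauthenticated metrics listener; etcd must expose it on a node-reachable address, and a NetworkPolicy or host firewall should restrict who can reach it.` covers both points.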
@@ -1677,6 +1703,11 @@ prometheusOperator: ## # clusterDomain: "cluster.local" + networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false + ## Service account for Alertmanager to use. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @@ -1723,6 +1754,10 @@ prometheusOperator: ## externalIPs: [] + # ## Labels to add to the operator deployment + # ## + labels: {} + ## Annotations to add to the operator deployment ## annotations: {} @@ -1757,6 +1792,9 @@ prometheusOperator: ## Create a servicemonitor for the operator ## serviceMonitor: + ## Labels for ServiceMonitor + additionalLabels: {} + ## Scrape interval. If not set, the Prometheus default scrape interval is used. ## interval: "" 
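Review bot: The new `# ## Labels to add to the operator deployment` / `# ##` lines use a doubled comment marker that no other key comment in this file uses (`## ...` everywhere else, including the `## Annotations to add to the operator deployment` block directly below), which reads as a commented-out comment. Replace them with `## Labels to add to the operator deployment` and `##` to match. The `networkPolicy.enabled: false` default is fine, but its comment could name which pods the policy covers once a reader knows it from the template, which is not visible in this diff.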
@@ -1846,28 +1884,58 @@ prometheusOperator: allowPrivilegeEscalation: false readOnlyRootFilesystem: true + # Enable vertical pod autoscaler support for prometheus-operator + verticalPodAutoscaler: + enabled: false + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + updatePolicy: + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + updateMode: Auto + ## Prometheus-operator image ## image: - repository: quay.io/prometheus-operator/prometheus-operator - tag: v0.59.1 + registry: quay.io + repository: prometheus-operator/prometheus-operator + tag: v0.61.1 sha: "" pullPolicy: IfNotPresent ## Prometheus image to use for prometheuses managed by the operator ## - # prometheusDefaultBaseImage: quay.io/prometheus/prometheus + # prometheusDefaultBaseImage: prometheus/prometheus + + ## Prometheus image registry to use for prometheuses managed by the operator + ## + # prometheusDefaultBaseImageRegistry: quay.io ## Alertmanager image to use for alertmanagers managed by the operator ## - # alertmanagerDefaultBaseImage: quay.io/prometheus/alertmanager + # alertmanagerDefaultBaseImage: prometheus/alertmanager + + ## Alertmanager image registry to use for alertmanagers managed by the operator + ## + # alertmanagerDefaultBaseImageRegistry: quay.io ## Prometheus-config-reloader ## prometheusConfigReloader: image: - repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.59.1 + registry: quay.io + repository: prometheus-operator/prometheus-config-reloader + tag: v0.61.1 sha: "" # resource config for prometheusConfigReloader 
@@ -1882,8 +1950,9 @@ prometheusOperator: ## Thanos side-car image when configured ## thanosImage: - repository: quay.io/thanos/thanos - tag: v0.28.0 + registry: quay.io + repository: thanos/thanos + tag: v0.29.0 sha: "" ## Set a Field Selector to filter watched secrets @@ -2271,6 +2340,10 @@ prometheus: ## apiserverConfig: {} + ## Allows setting additional arguments for the Prometheus container + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.Prometheus + additionalArgs: [] + ## Interval between consecutive scrapes. ## Defaults to 30s. ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/release-0.44/pkg/prometheus/promcfg.go#L180-L183 @@ -2315,8 +2388,9 @@ prometheus: ## Image of Prometheus. ## image: - repository: quay.io/prometheus/prometheus - tag: v2.38.0 + registry: quay.io + repository: prometheus/prometheus + tag: v2.40.5 sha: "" ## Tolerations for use with node taints @@ -2856,6 +2930,16 @@ prometheus: ## in Prometheus so it may change in any upcoming release. allowOverlappingBlocks: false + ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to + ## be considered available. Defaults to 0 (pod will be considered available as soon as it is ready). + minReadySeconds: 0 + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + # Use the host's network namespace if true. Make sure to understand the security implications if you want to enable it. + # When hostNetwork is enabled, this will set dnsPolicy to ClusterFirstWithHostNet automatically. + hostNetwork: false + additionalRulesForClusterRole: [] # - apiGroups: [ "" ] # resources: 
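Review bot: The four comment lines above `hostNetwork: false` give the operator's admission-webhook rationale ("admission webhooks are not working"), but this key sits under `prometheus.prometheusSpec`, and the Prometheus StatefulSet serves no admission webhook, so the text steers users toward hostNetwork on Prometheus for a reason that does not apply to it (it looks copied from the operator's setting). State what it does here and what it costs, e.g. `# Run the Prometheus pods in the node's network namespace. Only needed when Prometheus must scrape targets that are unreachable from the pod network; host namespaces are rejected by the Pod Security baseline profile and by most PodSecurityPolicies.` The sentence claiming dnsPolicy is set to ClusterFirstWithHostNet automatically is not implemented by the prometheus.yaml hunk in this diff, so if it relies on the operator doing that, say so explicitly.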
@@ -3146,8 +3230,9 @@ thanosRuler: ## Image of ThanosRuler ## image: - repository: quay.io/thanos/thanos - tag: v0.28.0 + registry: quay.io + repository: thanos/thanos + tag: v0.29.0 sha: "" ## Namespaces to be selected for PrometheusRules discovery. @@ -3249,6 +3334,14 @@ thanosRuler: ## When used alongside with ObjectStorageConfig, ObjectStorageConfigFile takes precedence. objectStorageConfigFile: "" + ## QueryEndpoints defines Thanos querier endpoints from which to query metrics. + ## Maps to the --query flag of thanos ruler. + queryEndpoints: [] + + ## Define configuration for connecting to thanos query instances. If this is defined, the queryEndpoints field will be ignored. + ## Maps to the query.config CLI argument. Only available with thanos v0.11.0 and higher. + queryConfig: {} + ## Labels configure the external label pairs to ThanosRuler. A default replica ## label `thanos_ruler_replica` will be always added as a label with the value ## of the pod's name and it will be dropped in the alerts. diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/.helmignore b/charts/kubezero-metrics/charts/prometheus-pushgateway/.helmignore deleted file mode 100644 index e90c9f6..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/.helmignore +++ /dev/null @@ -1,24 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj - -# OWNERS file for Kubernetes -OWNERS \ No newline at end of file diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/Chart.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/Chart.yaml deleted file mode 100644 index f85c2c2..0000000 
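Review bot: The comment on the new `queryConfig: {}` reads like inline configuration, but as far as I can tell from the operator API that ThanosRuler field is a secret key selector (`name`/`key` pointing at a Secret whose content is the query config), and the ruler.yaml hunk at `@@ -78,6 +79,10 @@` passes the map through `toYaml` unchanged, so an inline config placed here does not validate against the CRD. Add a line stating the shape, e.g. `## Secret key selector ({ name: <secret>, key: <file> }) whose content is the Thanos query config; not the config itself.` It is also worth spelling out that, per the existing comment, setting it silently discards `queryEndpoints`, which is easy to miss when both are configured.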
--- a/charts/kubezero-metrics/charts/prometheus-pushgateway/Chart.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-appVersion: 1.4.2
-description: A Helm chart for prometheus pushgateway
-home: https://github.com/prometheus/pushgateway
-keywords:
-- pushgateway
-- prometheus
-maintainers:
-- email: gianrubio@gmail.com
- name: gianrubio
-- email: christian.staude@staffbase.com
- name: cstaud
-name: prometheus-pushgateway
-sources:
-- https://github.com/prometheus/pushgateway
-version: 1.18.2
diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/README.md b/charts/kubezero-metrics/charts/prometheus-pushgateway/README.md
deleted file mode 100644
index 9f0ac5e..0000000
--- a/charts/kubezero-metrics/charts/prometheus-pushgateway/README.md
+++ /dev/null
@@ -1,63 +0,0 @@ -# Prometheus Pushgateway - -This chart bootstraps a prometheus [pushgateway](http://github.com/prometheus/pushgateway) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -An optional prometheus `ServiceMonitor` can be enabled, should you wish to use this gateway with a [Prometheus Operator](https://github.com/coreos/prometheus-operator). - -## Get Repo Info - -```console -helm repo add prometheus-community https://prometheus-community.github.io/helm-charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Install Chart - -```console -# Helm 3 -$ helm install [RELEASE_NAME] prometheus-community/prometheus-pushgateway - -# Helm 2 -$ helm install --name [RELEASE_NAME] prometheus-community/prometheus-pushgateway -``` - -_See [configuration](#configuration) below._ - -_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ - -## Uninstall Chart - -```console -# Helm 3 -$ helm uninstall [RELEASE_NAME] - -# Helm 2 -# helm delete --purge [RELEASE_NAME] -``` - -This removes all the Kubernetes components associated with the chart and deletes the release. - -_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ - -## Upgrading Chart - -```console -# Helm 3 or 2 -$ helm upgrade [RELEASE_NAME] [CHART] --install -``` - -_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ - -## Configuration - -See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: - -```console -# Helm 2 -$ helm inspect values prometheus-community/prometheus-pushgateway - -# Helm 3 -$ helm show values prometheus-community/prometheus-pushgateway -``` 
diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/NOTES.txt b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/NOTES.txt deleted file mode 100644 index eca232e..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/NOTES.txt +++ /dev/null @@ -1,19 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus-pushgateway.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ template "prometheus-pushgateway.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus-pushgateway.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus-pushgateway.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 -{{- end }} \ No newline at end of file 
diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/_helpers.tpl b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/_helpers.tpl deleted file mode 100644 index 10bf4ed..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/_helpers.tpl +++ /dev/null 
@@ -1,153 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "prometheus-pushgateway.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "prometheus-pushgateway.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "prometheus-pushgateway.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - - -{{/* -Create the name of the service account to use -*/}} -{{- define "prometheus-pushgateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "prometheus-pushgateway.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Create default labels -*/}} -{{- define "prometheus-pushgateway.defaultLabels" -}} -{{- $labelChart := include "prometheus-pushgateway.chart" $ -}} -{{- $labelApp := include "prometheus-pushgateway.name" $ -}} -{{- $labels := dict "app" $labelApp "chart" $labelChart "release" .Release.Name "heritage" .Release.Service -}} -{{- $indent := .indent | default 4 -}} -{{ merge .extraLabels $labels | toYaml | indent $indent }} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. 
-*/}} -{{- define "prometheus-pushgateway.networkPolicy.apiVersion" -}} -{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Returns pod spec -*/}} -{{- define "prometheus-pushgateway.podSpec" -}} - serviceAccountName: {{ template "prometheus-pushgateway.serviceAccountName" . }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} - containers: - {{- if .Values.extraContainers }} -{{ toYaml .Values.extraContainers | indent 8 }} - {{- end }} - - name: pushgateway - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if .Values.extraVars }} - env: -{{ toYaml .Values.extraVars | indent 12 }} - {{- end }} - {{- if .Values.extraArgs }} - args: -{{ toYaml .Values.extraArgs | indent 12 }} - {{- end }} - ports: - - name: metrics - containerPort: 9091 - protocol: TCP -{{- if .Values.liveness.enabled }} - livenessProbe: -{{ toYaml .Values.liveness.probe | indent 12 }} - {{- end }} -{{- if .Values.readiness.enabled }} - readinessProbe: -{{ toYaml .Values.readiness.probe | indent 12 }} - {{- end }} - resources: -{{ toYaml .Values.resources | indent 12 }} - {{- if .Values.containerSecurityContext }} - securityContext: -{{ toYaml .Values.containerSecurityContext | indent 12 }} - {{- end }} - volumeMounts: - - name: storage-volume - mountPath: "{{ .Values.persistentVolume.mountPath }}" - subPath: "{{ .Values.persistentVolume.subPath }}" - {{- if .Values.extraVolumeMounts }} -{{ toYaml .Values.extraVolumeMounts | indent 12 }} - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 
}} - {{- end }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - {{- if .Values.securityContext }} - securityContext: -{{ toYaml .Values.securityContext | indent 8 }} - {{- end }} - volumes: - {{- $storageVolumeAsPVCTemplate := and .Values.runAsStatefulSet .Values.persistentVolume.enabled -}} - {{- if not $storageVolumeAsPVCTemplate }} - - name: storage-volume - {{- if .Values.persistentVolume.enabled }} - persistentVolumeClaim: - claimName: {{ if .Values.persistentVolume.existingClaim }}{{ .Values.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus-pushgateway.fullname" . }}{{- end }} - {{- else }} - emptyDir: {} - {{- end -}} - {{- end -}} - {{- if .Values.extraVolumes }} -{{ toYaml .Values.extraVolumes | indent 8 }} - {{- else if $storageVolumeAsPVCTemplate }} - [] - {{- end }} - -{{- end }} diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/deployment.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/deployment.yaml deleted file mode 100644 index 8355fa0..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/deployment.yaml +++ /dev/null 
@@ -1,27 +0,0 @@
-{{- if not .Values.runAsStatefulSet }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ template "prometheus-pushgateway.fullname" . }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.podLabels) . }}
-spec:
- replicas: {{ .Values.replicaCount }}
- {{- if .Values.strategy }}
- strategy:
-{{ toYaml .Values.strategy | indent 4 }}
- {{- end }}
- selector:
- matchLabels:
- app: {{ template "prometheus-pushgateway.name" . }}
- release: {{ .Release.Name }}
- template:
- metadata:
- labels:
-{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.podLabels "indent" 8) . }}
- annotations:
-{{ toYaml .Values.podAnnotations | indent 8 }}
- spec:
- {{ include "prometheus-pushgateway.podSpec" . }}
-{{- end -}}
diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/ingress.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/ingress.yaml
deleted file mode 100644
index 1a6bad3..0000000
--- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/ingress.yaml
+++ /dev/null
@@ -1,52 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $serviceName := include "prometheus-pushgateway.fullname" . }} -{{- $servicePort := .Values.service.port -}} -{{- $ingressPath := .Values.ingress.path -}} -{{- $ingressClassName := .Values.ingress.className -}} -{{- $ingressPathType := .Values.ingress.pathType -}} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: -{{- if .Values.ingress.annotations }} - annotations: -{{ toYaml .Values.ingress.annotations | indent 4}} -{{- end }} - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" dict) . }} - name: {{ template "prometheus-pushgateway.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }} - ingressClassName: {{ $ingressClassName }} - {{- end }} - rules: - {{- range $host := .Values.ingress.hosts }} - - host: {{ $host }} - http: - paths: - - path: {{ $ingressPath }} - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} - pathType: {{ $ingressPathType }} - {{- end }} - backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- else }} - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end -}} -{{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/networkpolicy.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/networkpolicy.yaml deleted file mode 100644 index aa49058..0000000 
--- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/networkpolicy.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{ if .Values.networkPolicy }} -apiVersion: {{ template "prometheus-pushgateway.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: -{{- if .Values.networkPolicy.customSelectors }} - name: ingress-allow-customselector-{{ template "prometheus-pushgateway.name" . }} -{{- else if .Values.networkPolicy.allowAll }} - name: ingress-allow-all-{{ template "prometheus-pushgateway.name" . }} -{{- else -}} -{{- fail "One of `allowAll` or `customSelectors` must be specified." }} -{{- end }} - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.podLabels) . }} -spec: - podSelector: - matchLabels: - app: {{ template "prometheus-pushgateway.name" .}} - release: {{ .Release.Name }} - ingress: - - ports: - - port: {{ .Values.service.targetPort }} -{{- if .Values.networkPolicy.customSelectors }} - from: -{{ toYaml .Values.networkPolicy.customSelectors | indent 8 }} -{{- end -}} -{{- end -}} diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/pdb.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/pdb.yaml deleted file mode 100644 index f316d7c..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/pdb.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.podDisruptionBudget -}} -{{ if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -apiVersion: policy/v1 -{{- else -}} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ template "prometheus-pushgateway.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.podLabels) . }} -spec: - selector: - matchLabels: - app: {{ template "prometheus-pushgateway.name" . }} -{{ toYaml .Values.podDisruptionBudget | indent 2 }} -{{- end -}} \ No newline at end of file 
diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml deleted file mode 100644 index 0640bdd..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if not .Values.runAsStatefulSet -}} -{{- if .Values.persistentVolume.enabled -}} -{{- if not .Values.persistentVolume.existingClaim -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - {{- if .Values.persistentVolume.annotations }} - annotations: -{{ toYaml .Values.persistentVolume.annotations | indent 4 }} - {{- end }} - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.persistentVolumeLabels) . }} - name: {{ template "prometheus-pushgateway.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - accessModes: -{{ toYaml .Values.persistentVolume.accessModes | indent 4 }} -{{- if .Values.persistentVolume.storageClass }} -{{- if (eq "-" .Values.persistentVolume.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.persistentVolume.storageClass }}" -{{- end }} -{{- end }} - resources: - requests: - storage: "{{ .Values.persistentVolume.size }}" -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/service.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/service.yaml deleted file mode 100644 index a8ab0c7..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/service.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "prometheus-pushgateway.fullname" . }} - namespace: {{ .Release.Namespace }} - annotations: -{{ .Values.serviceAnnotations | toYaml | indent 4 }} - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.serviceLabels) . }} -spec: -{{- if .Values.service.clusterIP }} - clusterIP: {{ .Values.service.clusterIP }} -{{ else if .Values.runAsStatefulSet }} - clusterIP: None # Headless service -{{- end }} - type: {{ .Values.service.type }} -{{- if .Values.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} -{{- end }} -{{- if .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- range $cidr := .Values.service.loadBalancerSourceRanges }} - - {{ $cidr }} - {{- end }} -{{- end }} - ports: - - port: {{ .Values.service.port }} - targetPort: {{ .Values.service.targetPort }} - {{- if and (eq .Values.service.type "NodePort") .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - protocol: TCP - name: http - selector: - app: {{ template "prometheus-pushgateway.name" . }} - release: {{ .Release.Name }} diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/serviceaccount.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/serviceaccount.yaml deleted file mode 100644 index 7ccd0dd..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "prometheus-pushgateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.serviceAccountLabels) . }} -{{- if .Values.serviceAccount.annotations }} - annotations: -{{ toYaml .Values.serviceAccount.annotations | indent 4 }} -{{- end }} -{{- end -}} diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/servicemonitor.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/servicemonitor.yaml deleted file mode 100644 index 28e810c..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/servicemonitor.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{- if .Values.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ template "prometheus-pushgateway.fullname" . }} - {{- if .Values.serviceMonitor.namespace }} - namespace: {{ .Values.serviceMonitor.namespace }} - {{- end }} - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.serviceMonitor.additionalLabels) . }} -spec: - endpoints: - - port: http - {{- if .Values.serviceMonitor.interval }} - interval: {{ .Values.serviceMonitor.interval }} - {{- end }} - {{- if .Values.serviceMonitor.scheme }} - scheme: {{ .Values.serviceMonitor.scheme }} - {{- end }} - {{- if .Values.serviceMonitor.bearerTokenFile }} - bearerTokenFile: {{ .Values.serviceMonitor.bearerTokenFile }} - {{- end }} - {{- if .Values.serviceMonitor.tlsConfig }} - tlsConfig: {{ toYaml .Values.serviceMonitor.tlsConfig | nindent 6 }} - {{- end }} - {{- if .Values.serviceMonitor.scrapeTimeout }} - scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }} - {{- end }} - path: /metrics - honorLabels: {{ .Values.serviceMonitor.honorLabels }} - {{- if .Values.serviceMonitor.metricRelabelings }} - metricRelabelings: - {{- tpl (toYaml .Values.serviceMonitor.metricRelabelings | nindent 4) . }} - {{- end }} - {{- if .Values.serviceMonitor.relabelings }} - relabelings: - {{ toYaml .Values.serviceMonitor.relabelings | nindent 4 }} - {{- end }} - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: - app: {{ template "prometheus-pushgateway.name" . }} - release: {{ .Release.Name }} -{{- end -}} diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/statefulset.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/statefulset.yaml deleted file mode 100644 index 9cffb5a..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/templates/statefulset.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{- if .Values.runAsStatefulSet }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "prometheus-pushgateway.fullname" . }} - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.podLabels) . }} -spec: - replicas: {{ .Values.replicaCount }} - serviceName: {{ template "prometheus-pushgateway.fullname" . }} - selector: - matchLabels: - app: {{ template "prometheus-pushgateway.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.podLabels "indent" 8) . }} - annotations: -{{ toYaml .Values.podAnnotations | indent 8 }} - spec: - {{ include "prometheus-pushgateway.podSpec" . }} - {{- if .Values.persistentVolume.enabled }} - volumeClaimTemplates: - - metadata: - {{- if .Values.persistentVolume.annotations }} - annotations: - {{ toYaml .Values.persistentVolume.annotations | indent 10 }} - {{- end }} - labels: -{{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.persistentVolumeLabels "indent" 10) . }} - name: storage-volume - spec: - accessModes: - {{ toYaml .Values.persistentVolume.accessModes }} - {{- if .Values.persistentVolume.storageClass }} - {{- if (eq "-" .Values.persistentVolume.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.persistentVolume.storageClass }}" - {{- end }} - {{- end }} - resources: - requests: - storage: "{{ .Values.persistentVolume.size }}" - {{- end }} -{{- end -}} diff --git a/charts/kubezero-metrics/charts/prometheus-pushgateway/values.yaml b/charts/kubezero-metrics/charts/prometheus-pushgateway/values.yaml deleted file mode 100644 index 5bb8eb2..0000000 --- a/charts/kubezero-metrics/charts/prometheus-pushgateway/values.yaml +++ /dev/null 
@@ -1,305 +0,0 @@ -# Default values for prometheus-pushgateway. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Provide a name in place of prometheus-pushgateway for `app:` labels -nameOverride: "" - -# Provide a name to substitute for the full names of resources -fullnameOverride: "" - -image: - repository: prom/pushgateway - tag: v1.4.2 - pullPolicy: IfNotPresent - -# Optional pod imagePullSecrets -imagePullSecrets: [] - -service: - type: ClusterIP - port: 9091 - targetPort: 9091 - - # Optional - Can be used for headless if value is "None" - clusterIP: "" - - loadBalancerIP: "" - loadBalancerSourceRanges: [] - -# Optional pod annotations -podAnnotations: {} - -# Optional pod labels -podLabels: {} - -# Optional service annotations -serviceAnnotations: {} - -# Optional service labels -serviceLabels: {} - -# Optional serviceAccount labels -serviceAccountLabels: {} - -# Optional persistentVolume labels -persistentVolumeLabels: {} - -# Optional additional environment variables -extraVars: [] - -## Additional pushgateway container arguments -## -## example: -## extraArgs: -## - --persistence.file=/data/pushgateway.data -## - --persistence.interval=5m -extraArgs: [] - -# Optional additional containers (sidecar) -extraContainers: [] - # - name: oAuth2-proxy - # args: - # - -https-address=:9092 - # - -upstream=http://localhost:9091 - # - -skip-auth-regex=^/metrics - # - -openshift-delegate-urls={"/":{"group":"monitoring.coreos.com","resource":"prometheuses","verb":"get"}} - # image: openshift/oauth-proxy:v1.1.0 - # ports: - # - containerPort: 9092 - # name: proxy - # resources: - # limits: - # memory: 16Mi - # requests: - # memory: 4Mi - # cpu: 20m - # volumeMounts: - # - mountPath: /etc/prometheus/secrets/pushgateway-tls - # name: secret-pushgateway-tls - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. 
This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 200m - # memory: 50Mi - # requests: - # cpu: 100m - # memory: 30Mi - -liveness: - enabled: true - probe: - httpGet: - path: /-/ready - port: 9091 - initialDelaySeconds: 10 - timeoutSeconds: 10 - -readiness: - enabled: true - probe: - httpGet: - path: /-/ready - port: 9091 - initialDelaySeconds: 10 - timeoutSeconds: 10 - -serviceAccount: - # Specifies whether a ServiceAccount should be created - create: true - # The name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template - name: - -## Configure ingress resource that allow you to access the -## pushgateway installation. Set up the URL -## ref: http://kubernetes.io/docs/user-guide/ingress/ -## -ingress: - ## Enable Ingress. - ## - enabled: false - # AWS ALB requires path of /* - className: "" - path: / - pathType: ImplementationSpecific - - ## Annotations. - ## - # annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: 'true' - - ## Hostnames. - ## Must be provided if Ingress is enabled. - ## - # hosts: - # - pushgateway.domain.com - - ## TLS configuration. - ## Secrets must be manually created in the namespace. - ## - # tls: - # - secretName: pushgateway-tls - # hosts: - # - pushgateway.domain.com - -tolerations: {} - # - effect: NoSchedule - # operator: Exists - -## Node labels for pushgateway pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} - -replicaCount: 1 - -## When running more than one replica alongside with persistence, different volumes are needed -## per replica, since sharing a `persistence.file` across replicas does not keep metrics synced. 
-## For this purpose, you can enable the `runAsStatefulSet` to deploy the pushgateway as a -## StatefulSet instead of as a Deployment. -runAsStatefulSet: false - -## Security context to be added to push-gateway pods -## -securityContext: - fsGroup: 65534 - runAsUser: 65534 - runAsNonRoot: true - -## Security context to be added to push-gateway containers -## Having a separate variable as securityContext differs for pods and containers. -containerSecurityContext: {} -# allowPrivilegeEscalation: false -# readOnlyRootFilesystem: true -# runAsUser: 65534 -# runAsNonRoot: true - -## Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -affinity: {} - -# Enable this if you're using https://github.com/coreos/prometheus-operator -serviceMonitor: - enabled: false - namespace: monitoring - - # Fallback to the prometheus default unless specified - # interval: 10s - - ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. - # scheme: "" - - ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. - ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig - # tlsConfig: {} - - # bearerTokenFile: - # Fallback to the prometheus default unless specified - # scrapeTimeout: 30s - - ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with - ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec - additionalLabels: {} - - # Retain the job and instance labels of the metrics pushed to the Pushgateway - # [Scraping Pushgateway](https://github.com/prometheus/pushgateway#configure-the-pushgateway-as-a-target-to-scrape) - honorLabels: true - - ## Metric relabel configs to apply to samples before ingestion. 
- ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) - metricRelabelings: [] - # - action: keep - # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' - # sourceLabels: [__name__] - - ## Relabel configs to apply to samples before ingestion. - ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) - relabelings: [] - # - sourceLabels: [__meta_kubernetes_pod_node_name] - # separator: ; - # regex: ^(.*)$ - # targetLabel: nodename - # replacement: $1 - # action: replace - -# The values to set in the PodDisruptionBudget spec (minAvailable/maxUnavailable) -# If not set then a PodDisruptionBudget will not be created -podDisruptionBudget: {} - -priorityClassName: - -# Deployment Strategy type -strategy: - type: Recreate - -persistentVolume: - ## If true, pushgateway will create/use a Persistent Volume Claim - ## If false, use emptyDir - ## - enabled: false - - ## pushgateway data Persistent Volume access modes - ## Must match those of existing PV or dynamic provisioner - ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ - ## - accessModes: - - ReadWriteOnce - - ## pushgateway data Persistent Volume Claim annotations - ## - annotations: {} - - ## pushgateway data Persistent Volume existing claim name - ## Requires pushgateway.persistentVolume.enabled: true - ## If defined, PVC must be created manually before volume will be bound - existingClaim: "" - - ## pushgateway data Persistent Volume mount root path - ## - mountPath: /data - - ## pushgateway data Persistent Volume size - ## - size: 2Gi - - ## pushgateway data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - - ## Subdirectory of pushgateway data Persistent Volume to mount - ## Useful if the volume's root directory is not empty - ## - subPath: "" - -extraVolumes: {} - # - name: extra - # emptyDir: {} -extraVolumeMounts: {} - # - name: extra - # mountPath: /usr/share/extras - # readOnly: true - -# Configuration for clusters with restrictive network policies in place: -# - allowAll allows access to the PushGateway from any namespace -# - customSelector is a list of pod/namespaceSelectors to allow access from -# These options are mutually exclusive and the latter will take precedence. -networkPolicy: {} - # allowAll: true - # customSelectors: - # - namespaceSelector: - # matchLabels: - # type: admin - # - podSelector: - # matchLabels: - # app: myapp diff --git a/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json b/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json index 3fe6e0b..abb6d35 100644 --- a/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json +++ b/charts/kubezero-metrics/jsonnet/jsonnetfile.lock.json @@ -18,7 +18,7 @@ "subdir": "contrib/mixin" } }, - "version": "19002cfc689fba2b8f56605e5797bf79f8b61fdd", + "version": "9e3966fbce6dccd2271b7ade588fefeb4ca7b247", "sum": "W/Azptf1PoqjyMwJON96UY69MFugDA4IAYiKURscryc=" }, { @@ -48,7 +48,7 @@ "subdir": "grafana-builder" } }, - "version": "dbf6fc14105c28b6fd0253005f7ca2da37d3d4e1", + "version": "d68f9a6e0b1af7c4c4056dc2b43fb8f3bac01f43", "sum": "tDR6yT2GVfw0wTU12iZH+m01HrbIr6g/xN+/8nzNkU0=" }, { @@ -68,7 +68,7 @@ "subdir": "lib/promgrafonnet" } }, - "version": "5e44626d70c2bf2d35c37f3fee5a6261a5335cc6", + "version": "3c386687c1f8ceb6b79ff887c4a934e9cee1b90a", "sum": "zv7hXGui6BfHzE9wPatHI/AGZa4A2WKo6pq7ZdqBsps=" }, { diff --git a/charts/kubezero-metrics/jsonnet/k8s-rules.yaml b/charts/kubezero-metrics/jsonnet/k8s-rules.yaml index c919591..ed9b4b0 100644 --- a/charts/kubezero-metrics/jsonnet/k8s-rules.yaml 
+++ b/charts/kubezero-metrics/jsonnet/k8s-rules.yaml
@@ -1,4 +1,4 @@
- # cd rules; for f in *-prometheusRule; do echo "- name: ${f%%-prometheusRule}" >> ../k8s-rules.yaml; echo " url: file://rules/$f" >> ../k8s-rules.yaml; done; cd -
+# cd rules; for f in *-prometheusRule; do echo "- name: ${f%%-prometheusRule}" >> ../k8s-rules.yaml; echo " url: file://rules/$f" >> ../k8s-rules.yaml; done; cd -
 rules:
 - name: alertmanager
 url: file://rules/alertmanager-prometheusRule
diff --git a/charts/kubezero-metrics/templates/rules/zdt-inhibitors.yaml b/charts/kubezero-metrics/templates/rules/zdt-inhibitors.yaml
new file mode 100644
index 0000000..30509f1
--- /dev/null
+++ b/charts/kubezero-metrics/templates/rules/zdt-inhibitors.yaml
@@ -0,0 +1,19 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "zdt-inhibitors" | trunc 63 | trimSuffix "-" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kubezero-lib.labels" . | nindent 4 }}
+spec:
+ groups:
+ - name: zdt-inhibitors
+ rules:
+ - alert: ClusterAutoscalerNodeGroupsEnabled
+ annotations:
+ description: "This rule is meant to inhibit other rules and should not be forwarded.\nThe Cluster Autoscaler found at least one node group"
+ summary: Cluster Autoscaler found at least one node group.
+ expr: 'cluster_autoscaler_node_groups_count{job="addons-aws-cluster-autoscaler",node_group_type="autoscaled"} > 0'
+ for: 15m
+ labels:
+ severity: none
diff --git a/charts/kubezero-metrics/update.sh b/charts/kubezero-metrics/update.sh
index e938131..a0a2108 100755
--- a/charts/kubezero-metrics/update.sh
+++ b/charts/kubezero-metrics/update.sh
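Review bot: The inhibitor rule depends on two things outside this file that it does not document: the `job="addons-aws-cluster-autoscaler"` label value in `expr`, and an Alertmanager route that sends `severity = none` to the null receiver (added to values.yaml elsewhere in this commit). The two failure modes differ: if the job label drifts the alert never fires and KubeCPUOvercommit/KubeMemoryOvercommit quietly return, while if the route is missing this "should not be forwarded" alert reaches real receivers. Suggest a comment directly above `- alert:`: `# Inhibitor only: relies on the addons-aws-cluster-autoscaler job label and on the severity=none -> 'null' route in the Alertmanager config`. Note also that `for: 15m` means the inhibition only becomes active fifteen minutes after node groups appear, which may be intended but is worth stating in the same comment.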
@@ -1,19 +1,16 @@
 #!/bin/bash
 set -ex
-VERSION=$(yq eval '.dependencies[] | select(.name=="kube-prometheus-stack") | .version' Chart.yaml)
-PG_VER=$(yq eval '.dependencies[] | select(.name=="prometheus-pushgateway") | .version' Chart.yaml)
+helm repo update
+VERSION=$(yq eval '.dependencies[] | select(.name=="kube-prometheus-stack") | .version' Chart.yaml)
 rm -rf charts/kube-prometheus-stack
 helm pull prometheus-community/kube-prometheus-stack --untar --untardir charts --version $VERSION
-rm -rf charts/prometheus-pushgateway
-helm pull prometheus-community/prometheus-pushgateway --untar --untardir charts --version $PG_VER
-
 # workaround for https://github.com/prometheus-community/helm-charts/issues/1500
 patch -p0 -i zdt.patch --no-backup-if-mismatch
-patch -p0 -i zdt-pushgateway.patch --no-backup-if-mismatch
+helm dep update
 # Create ZDT dashboard, alerts etc configmaps
 cd jsonnet && make
diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml
index 7bcd277..d8e6dac 100644
--- a/charts/kubezero-metrics/values.yaml
+++ b/charts/kubezero-metrics/values.yaml
@@ -52,6 +52,8 @@ kube-prometheus-stack:
 tolerations:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
 nodeSelector:
 node-role.kubernetes.io/control-plane: ""
 resources:
@@ -66,6 +68,8 @@ kube-prometheus-stack:
 tolerations:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
 nodeSelector:
 node-role.kubernetes.io/control-plane: ""
@@ -111,7 +115,6 @@ kube-prometheus-stack:
 memory: 4Gi
 # cpu: "1000m"
- walCompression: true
 storageSpec:
 volumeClaimTemplate:
 spec:
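Review bot: `helm dep update` now runs after `patch` has modified the untarred kube-prometheus-stack tree under charts/; if Chart.yaml still declares that dependency with a `repository:`, dep update will fetch a pristine `.tgz` of the same chart next to the patched directory and which copy ends up packaged becomes ambiguous (the Chart.yaml is not in this diff, so this cannot be confirmed here). Moving `helm dep update` ahead of the `helm pull`/`patch` steps, or a one-line comment stating that the stack dependency is intentionally not repository-sourced, would settle it. Separately, `helm pull ... --version $VERSION` fetches the upstream chart with no integrity check beyond the version string, and `$VERSION` is unquoted under `set -e`; `--version "$VERSION"` plus `--verify` where the upstream repository publishes provenance files would make the vendored, patched tree reproducible and attributable.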
@@ -120,6 +123,27 @@ kube-prometheus-stack:
 resources:
 requests:
 storage: 16Gi
+ #volumes:
+ # - name: aws-token
+ # projected:
+ # sources:
+ # - serviceAccountToken:
+ # path: token
+ # expirationSeconds: 86400
+ # audience: "sts.amazonaws.com"
+ #volumeMounts:
+ # - name: aws-token
+ # mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+ # readOnly: true
+ #containers:
+ # - name: prometheus
+ # env:
+ # - name: AWS_ROLE_ARN
+ # value: ""
+ # - name: AWS_WEB_IDENTITY_TOKEN_FILE
+ # value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+ # - name: AWS_STS_REGIONAL_ENDPOINTS
+ # value: regional
 # Custom Grafana tweaks
 grafana:
@@ -188,6 +212,8 @@ kube-prometheus-stack:
 tolerations:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
 nodeSelector:
 node-role.kubernetes.io/control-plane: ""
@@ -199,15 +225,12 @@ kube-prometheus-stack:
 resolve_timeout: 5m
 route:
 group_by: ['severity', 'clusterName']
- group_wait: 30s
+ group_wait: 10s
 group_interval: 5m
- repeat_interval: 6h
+ repeat_interval: 4h
 routes:
 - matchers:
- - alertname = Watchdog
- receiver: 'null'
- - matchers:
- - alertname = InfoInhibitor
+ - severity = none
 receiver: 'null'
 inhibit_rules:
 - equal:
@@ -230,6 +253,11 @@ kube-prometheus-stack:
 - alertname = InfoInhibitor
 target_matchers:
 - severity = info
+ # Disable cluster overcommiy alerts if we have cluster autoscaler available
+ - source_matchers:
+ - alertname = ClusterAutoscalerNodeGroupsEnabled
+ target_matchers:
+ - alertname =~ "KubeCPUOvercommit|KubeMemoryOvercommit"
 alertmanagerSpec:
 # externalUrl:
 logFormat: json
@@ -301,6 +329,8 @@ prometheus-adapter:
 tolerations:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
 nodeSelector:
 node-role.kubernetes.io/control-plane: ""
 # Basic rules for HPA to work replacing heaptster, taken from kube-prometheus project
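Review bot: The inhibit rule added in the `@@ -230` hunk has no `equal:` list, unlike the existing entries in `inhibit_rules` that begin with `- equal:`; since `group_by` already includes `clusterName`, a single `ClusterAutoscalerNodeGroupsEnabled` from any one cluster would suppress `KubeCPUOvercommit`/`KubeMemoryOvercommit` for every cluster reporting into this Alertmanager, if more than one does. Adding `equal: ['clusterName']` to that rule scopes the suppression to the cluster that actually has an autoscaler. The comment above it also reads `overcommiy` where `overcommit` is meant. The commented-out `volumes`/`volumeMounts`/`containers` block in the `@@ -120` hunk is dead configuration with no explanation; a one-line note such as `# Example AWS web-identity token wiring for the prometheus container, disabled by default` would keep it from being mistaken for active settings.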
diff --git a/charts/kubezero-metrics/zdt-pushgateway.patch b/charts/kubezero-metrics/zdt-pushgateway.patch deleted file mode 100644 index 14a8690..0000000 --- a/charts/kubezero-metrics/zdt-pushgateway.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -diff -tubr charts/prometheus-pushgateway/templates/deployment.yaml charts/prometheus-pushgateway.zdt/templates/deployment.yaml ---- charts/prometheus-pushgateway/templates/deployment.yaml 2021-07-21 15:04:50.196722434 +0200 -+++ charts/prometheus-pushgateway.zdt/templates/deployment.yaml 2021-07-21 14:51:39.618598904 +0200 -@@ -2,6 +2,7 @@ - kind: Deployment - metadata: - name: {{ template "prometheus-pushgateway.fullname" . }} -+ namespace: {{ .Release.Namespace }} - labels: - {{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.podLabels) . }} - spec: -diff -tubr charts/prometheus-pushgateway/templates/ingress.yaml charts/prometheus-pushgateway.zdt/templates/ingress.yaml ---- charts/prometheus-pushgateway/templates/ingress.yaml 2021-07-21 15:04:50.196722434 +0200 -+++ charts/prometheus-pushgateway.zdt/templates/ingress.yaml 2021-07-21 14:51:49.698702493 +0200 -@@ -16,6 +16,7 @@ - labels: - {{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" dict) . }} - name: {{ template "prometheus-pushgateway.fullname" . }} -+ namespace: {{ .Release.Namespace }} - spec: - rules: - {{- range $host := .Values.ingress.hosts }} -diff -tubr charts/prometheus-pushgateway/templates/pdb.yaml charts/prometheus-pushgateway.zdt/templates/pdb.yaml ---- charts/prometheus-pushgateway/templates/pdb.yaml 2021-07-21 15:04:50.196722434 +0200 -+++ charts/prometheus-pushgateway.zdt/templates/pdb.yaml 2021-07-21 14:52:17.902325652 +0200 -@@ -3,6 +3,7 @@ - kind: PodDisruptionBudget - metadata: - name: {{ template "prometheus-pushgateway.fullname" . }} -+ namespace: {{ .Release.Namespace }} - labels: - {{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.podLabels) . 
}} - spec: -diff -tubr charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml charts/prometheus-pushgateway.zdt/templates/pushgateway-pvc.yaml ---- charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml 2021-07-21 15:04:50.196722434 +0200 -+++ charts/prometheus-pushgateway.zdt/templates/pushgateway-pvc.yaml 2021-07-21 14:52:31.325796911 +0200 -@@ -10,6 +10,7 @@ - labels: - {{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.persistentVolumeLabels) . }} - name: {{ template "prometheus-pushgateway.fullname" . }} -+ namespace: {{ .Release.Namespace }} - spec: - accessModes: - {{ toYaml .Values.persistentVolume.accessModes | indent 4 }} -diff -tubr charts/prometheus-pushgateway/templates/service.yaml charts/prometheus-pushgateway.zdt/templates/service.yaml ---- charts/prometheus-pushgateway/templates/service.yaml 2021-07-21 15:04:50.196722434 +0200 -+++ charts/prometheus-pushgateway.zdt/templates/service.yaml 2021-07-21 14:52:39.355879424 +0200 -@@ -2,6 +2,7 @@ - kind: Service - metadata: - name: {{ template "prometheus-pushgateway.fullname" . }} -+ namespace: {{ .Release.Namespace }} - annotations: - {{ .Values.serviceAnnotations | toYaml | indent 4 }} - labels: -diff -tubr charts/prometheus-pushgateway/templates/serviceaccount.yaml charts/prometheus-pushgateway.zdt/templates/serviceaccount.yaml ---- charts/prometheus-pushgateway/templates/serviceaccount.yaml 2021-07-21 15:04:50.196722434 +0200 -+++ charts/prometheus-pushgateway.zdt/templates/serviceaccount.yaml 2021-07-21 14:52:44.682600827 +0200 -@@ -3,6 +3,7 @@ - kind: ServiceAccount - metadata: - name: {{ template "prometheus-pushgateway.serviceAccountName" . }} -+ namespace: {{ .Release.Namespace }} - labels: - {{ template "prometheus-pushgateway.defaultLabels" merge (dict "extraLabels" .Values.serviceAccountLabels) . }} - {{- end -}} diff --git a/charts/kubezero-mq/Chart.yaml b/charts/kubezero-mq/Chart.yaml index 1528191..b06b7fd 100644 
--- a/charts/kubezero-mq/Chart.yaml
+++ b/charts/kubezero-mq/Chart.yaml
@@ -2,26 +2,31 @@ apiVersion: v2
 name: kubezero-mq
 description: KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
 type: application
-version: 0.2.3
+version: 0.3.4
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:
 - kubezero
- - nats
 - rabbitmq
+ - rabbitmq-cluster-operator
+ - nats
 maintainers:
 - name: Stefan Reimer
 email: stefan@zero-downtime.net
 dependencies:
 - name: kubezero-lib
- version: ">= 0.1.3"
+ version: ">= 0.1.6"
 repository: https://cdn.zero-downtime.net/charts/
 - name: nats
 version: 0.8.4
 #repository: https://nats-io.github.io/k8s/helm/charts/
 condition: nats.enabled
 - name: rabbitmq
- version: 9.0.3
+ version: 11.3.2
 repository: https://charts.bitnami.com/bitnami
 condition: rabbitmq.enabled
+ - name: rabbitmq-cluster-operator
+ version: 3.1.4
+ repository: https://charts.bitnami.com/bitnami
+ condition: rabbitmq-cluster-operator.enabled
 kubeVersion: ">= 1.20.0"
diff --git a/charts/kubezero-mq/README.md b/charts/kubezero-mq/README.md
index ee22ba3..c203c93 100644
--- a/charts/kubezero-mq/README.md
+++ b/charts/kubezero-mq/README.md
@@ -1,6 +1,6 @@
 # kubezero-mq
-![Version: 0.2.3](https://img.shields.io/badge/Version-0.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 KubeZero umbrella chart for MQ systems like NATS, RabbitMQ
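Review bot: The README regenerated in the next file section still shows chart version 0.3.3 and rabbitmq 11.1.5, while this Chart.yaml sets `version: 0.3.4` and rabbitmq `version: 11.3.2`, so the docs were generated from an earlier state of this file and should be regenerated before merge. The new `rabbitmq-cluster-operator` dependency is pinned to an exact `3.1.4` like the other third-party charts, whereas `kubezero-lib` stays on a `>= 0.1.6` range that lets a later `helm dep update` change what is packaged without any edit to this file; that is presumably deliberate for the in-house library, but a short comment on that line would make the distinction explicit.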
@@ -19,8 +19,9 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| | | nats | 0.8.4 | -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.3 | -| https://charts.bitnami.com/bitnami | rabbitmq | 9.0.3 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | +| https://charts.bitnami.com/bitnami | rabbitmq | 11.1.5 | +| https://charts.bitnami.com/bitnami | rabbitmq-cluster-operator | 3.1.4 | ## Values 
@@ -34,20 +35,30 @@ Kubernetes: `>= 1.20.0` | nats.nats.advertise | bool | `false` | | | nats.nats.jetstream.enabled | bool | `true` | | | nats.natsbox.enabled | bool | `false` | | -| rabbitmq.auth.erlangCookie | string | `"randomlongerlangcookie"` | | -| rabbitmq.auth.password | string | `"supersecret"` | | +| rabbitmq-cluster-operator.clusterOperator.metrics.enabled | bool | `false` | | +| rabbitmq-cluster-operator.clusterOperator.metrics.serviceMonitor.enabled | bool | `true` | | +| rabbitmq-cluster-operator.enabled | bool | `false` | | +| rabbitmq-cluster-operator.msgTopologyOperator.metrics.enabled | bool | `false` | | +| rabbitmq-cluster-operator.msgTopologyOperator.metrics.serviceMonitor.enabled | bool | `true` | | +| rabbitmq-cluster-operator.rabbitmqImage.tag | string | `"3.11.4-debian-11-r0"` | | +| rabbitmq-cluster-operator.useCertManager | bool | `true` | | +| rabbitmq.auth.existingErlangSecret | string | `"rabbitmq"` | | +| rabbitmq.auth.existingPasswordSecret | string | `"rabbitmq"` | | | rabbitmq.auth.tls.enabled | bool | `false` | | | rabbitmq.auth.tls.existingSecret | string | `"rabbitmq-server-certificate"` | | | rabbitmq.auth.tls.existingSecretFullChain | bool | `true` | | | rabbitmq.auth.tls.failIfNoPeerCert | bool | `false` | | -| rabbitmq.clustering.forceBoot | bool | `true` | | +| rabbitmq.clustering.enabled | bool | `false` | | +| rabbitmq.clustering.forceBoot | bool | `false` | | | rabbitmq.enabled | bool | `false` | | | rabbitmq.hosts | list | `[]` | hostnames of rabbitmq services, used for Istio and TLS | | rabbitmq.istio.enabled | bool | `false` | | | rabbitmq.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | +| rabbitmq.istio.mqtts | bool | `false` | | | rabbitmq.metrics.enabled | bool | `false` | | -| rabbitmq.metrics.serviceMonitor.enabled | bool | `false` | | -| rabbitmq.pdb.create | bool | `true` | | +| rabbitmq.metrics.serviceMonitor.enabled | bool | `true` | | +| rabbitmq.pdb.create | bool | `false` | | +| 
rabbitmq.persistence.size | string | `"2Gi"` | | | rabbitmq.podAntiAffinityPreset | string | `""` | | | rabbitmq.replicaCount | int | `1` | | | rabbitmq.resources.requests.cpu | string | `"100m"` | | diff --git a/charts/kubezero-mq/templates/rabbitmq/_secret.yaml.txt b/charts/kubezero-mq/templates/rabbitmq/_secret.yaml.txt new file mode 100644 index 0000000..19f5b33 --- /dev/null +++ b/charts/kubezero-mq/templates/rabbitmq/_secret.yaml.txt @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: rabbitmq + namespace: {{ .Release.Namespace }} + labels: + {{- include "kubezero-lib.labels" . | nindent 4 }} +data: + rabbitmq-erlang-cookie: "" + rabbitmq-password: "" diff --git a/charts/kubezero-mq/templates/rabbitmq/istio-service.yaml b/charts/kubezero-mq/templates/rabbitmq/istio-service.yaml index 038510e..ef59f2d 100644 --- a/charts/kubezero-mq/templates/rabbitmq/istio-service.yaml +++ b/charts/kubezero-mq/templates/rabbitmq/istio-service.yaml @@ -11,25 +11,36 @@ spec: - {{ .Values.rabbitmq.istio.gateway }} hosts: {{ toYaml .Values.rabbitmq.hosts | indent 2 }} - tcp: - - match: - - port: 5672 - route: + http: + - route: - destination: - host: rabbitmq-headless + host: rabbitmq port: - number: 5672 + number: 15672 + tcp: - match: - port: 5671 route: - destination: - host: rabbitmq-headless + host: rabbitmq port: - number: 5671 - http: - - route: + number: 5672 + {{- if .Values.rabbitmq.istio.mqtts }} + - match: + - port: 8883 + route: - destination: - host: rabbitmq-headless + host: rabbitmq port: - number: 15672 + number: 1883 + {{- end }} + {{- if .Values.rabbitmq.istio.mqtt }} + - match: + - port: 1883 + route: + - destination: + host: rabbitmq + port: + number: 1883 + {{- end }} {{- end }} diff --git a/charts/kubezero-mq/values.yaml b/charts/kubezero-mq/values.yaml index 7e310ba..152978c 100644 --- a/charts/kubezero-mq/values.yaml +++ b/charts/kubezero-mq/values.yaml 
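Review bot: The new `_secret.yaml.txt` stub gives no hint of what it is for: the leading underscore keeps Helm from rendering it as a manifest, and the values.yaml hunk on the next line now points `rabbitmq.auth.existingPasswordSecret` and `existingErlangSecret` at a Secret named `rabbitmq` that must therefore already exist in the release namespace. A header comment would save the next operator a failed install: `# Not rendered by Helm: reference shape of the Secret that rabbitmq.auth.existingPasswordSecret /` `# existingErlangSecret expect to pre-exist in the release namespace (keys rabbitmq-password, rabbitmq-erlang-cookie).` `# Values under data: must be base64-encoded; use stringData: to supply plain text.` The empty `""` placeholders under `data:` are fine as a template, but anyone pasting plaintext into them will get a rejected manifest, which is why the base64 remark matters. Moving the credentials out of values.yaml into a pre-created Secret is the right direction and removes the previously hard-coded defaults.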
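Review bot: The new tcp routes map gateway port 5671 to service port 5672 and, under `mqtts`, 8883 to 1883, so TLS is presumably terminated at the ingress gateway and the hop to the `rabbitmq` service is plain AMQP/MQTT (`rabbitmq.auth.tls.enabled` stays `false` by default in the values.yaml hunk on the next line). A comment above the tcp block recording that assumption, e.g. `# 5671/8883 are the TLS ports on the gateway; TLS terminates there and the service is reached on its plain 5672/1883 listeners`, would stop a later reader from assuming end-to-end TLS and makes clear that mesh mTLS, if any, is what protects the inner leg. The `mqtt` branch additionally exposes the unencrypted 1883 listener through the gateway; `rabbitmq.istio.mqtt` is also missing from the README values table that already lists `rabbitmq.istio.mqtts`, so the generated docs should be refreshed together with the Chart.yaml version mismatch noted above.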
@@ -23,6 +23,26 @@ nats: # url: "mq.example.com" gateway: istio-ingress/private-ingressgateway +# rabbitmq cluster operator +rabbitmq-cluster-operator: + enabled: false + rabbitmqImage: + tag: 3.11.4-debian-11-r0 + + useCertManager: true + + clusterOperator: + metrics: + enabled: false + serviceMonitor: + enabled: true + + msgTopologyOperator: + metrics: + enabled: false + serviceMonitor: + enabled: true + # rabbitmq rabbitmq: enabled: false @@ -36,10 +56,15 @@ rabbitmq: istio: enabled: false gateway: istio-ingress/private-ingressgateway + mqtt: false + mqtts: false + + #extraConfiguration: |- + # mqtt.durable_queue_type = quorum auth: - password: "supersecret" - erlangCookie: "randomlongerlangcookie" + existingPasswordSecret: rabbitmq + existingErlangSecret: rabbitmq tls: enabled: false failIfNoPeerCert: false @@ -47,7 +72,8 @@ rabbitmq: existingSecretFullChain: true clustering: - forceBoot: true + enabled: false + forceBoot: false resources: requests: @@ -56,6 +82,9 @@ rabbitmq: replicaCount: 1 + persistence: + size: 2Gi + podAntiAffinityPreset: "" topologySpreadConstraints: |- - maxSkew: 1 @@ -70,9 +99,9 @@ rabbitmq: matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} pdb: - create: true + create: false metrics: enabled: false serviceMonitor: - enabled: false + enabled: true diff --git a/charts/kubezero-network/Chart.yaml b/charts/kubezero-network/Chart.yaml index 6e16ac1..98a1bf9 100644 --- a/charts/kubezero-network/Chart.yaml +++ b/charts/kubezero-network/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-network description: KubeZero umbrella chart for all things network type: application -version: 0.3.4 +version: 0.4.2 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: 
@@ -19,14 +19,11 @@ dependencies: version: ">= 0.1.5" repository: https://cdn.zero-downtime.net/charts/ - name: cilium - version: 1.12.2 + version: 1.12.5 repository: https://helm.cilium.io/ condition: cilium.enabled - name: metallb - version: 0.13.5 + version: 0.13.7 repository: https://metallb.github.io/metallb condition: metallb.enabled - - name: calico - version: 0.2.2 - condition: calico.enabled -kubeVersion: ">= 1.20.0" +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero-network/README.md b/charts/kubezero-network/README.md index dfbb211..8b2d601 100644 --- a/charts/kubezero-network/README.md +++ b/charts/kubezero-network/README.md @@ -1,6 +1,6 @@ # kubezero-network -![Version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.4.2](https://img.shields.io/badge/Version-0.4.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things network 
@@ -14,51 +14,58 @@ KubeZero umbrella chart for all things network ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| -| | calico | 0.2.2 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | -| https://helm.cilium.io/ | cilium | 1.12.2 | -| https://metallb.github.io/metallb | metallb | 0.13.5 | +| https://helm.cilium.io/ | cilium | 1.12.5 | +| https://metallb.github.io/metallb | metallb | 0.13.7 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| calico.enabled | bool | `false` | | -| cilium.bpf.hostLegacyRouting | bool | `true` | | | cilium.cgroup.autoMount.enabled | bool | `false` | | | cilium.cgroup.hostRoot | string | `"/sys/fs/cgroup"` | | | cilium.cluster.id | int | `240` | | | cilium.cluster.name | string | `"default"` | | | cilium.cni.binPath | string | `"/usr/libexec/cni"` | | -| cilium.cni.chainingMode | string | `"generic-veth"` | | | cilium.cni.exclusive | bool | `false` | | +| cilium.cni.logFile | string | `"/var/log/cilium-cni.log"` | | | cilium.containerRuntime.integration | string | `"crio"` | | | cilium.enabled | bool | `false` | | | cilium.hubble.enabled | bool | `false` | | +| cilium.hubble.relay.enabled | bool | `false` | | +| cilium.hubble.tls.auto.certManagerIssuerRef.group | string | `"cert-manager.io"` | | +| cilium.hubble.tls.auto.certManagerIssuerRef.kind | string | `"ClusterIssuer"` | | +| cilium.hubble.tls.auto.certManagerIssuerRef.name | string | `"kubezero-local-ca-issuer"` | | +| cilium.hubble.tls.auto.method | string | `"cert-manager"` | | +| cilium.hubble.ui.enabled | bool | `false` | | | cilium.ipam.operator.clusterPoolIPv4PodCIDRList[0] | string | `"10.240.0.0/16"` | | -| cilium.l2NeighDiscovery.enabled | bool | `false` | | | cilium.l7Proxy | bool | `false` | | -| cilium.nodePort.enabled | bool | `false` | | | cilium.operator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | 
| | cilium.operator.replicas | int | `1` | | | cilium.operator.tolerations[0].effect | string | `"NoSchedule"` | | | cilium.operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | -| cilium.policyEnforcementMode | string | `"never"` | | +| cilium.operator.tolerations[1].effect | string | `"NoSchedule"` | | +| cilium.operator.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | cilium.prometheus.enabled | bool | `false` | | | cilium.prometheus.port | int | `9091` | | +| cilium.resources.limits.memory | string | `"1024Mi"` | | +| cilium.resources.requests.cpu | string | `"10m"` | | +| cilium.resources.requests.memory | string | `"256Mi"` | | | cilium.securityContext.privileged | bool | `true` | | | cilium.tunnel | string | `"geneve"` | | | metallb.controller.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | metallb.controller.tolerations[0].effect | string | `"NoSchedule"` | | | metallb.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| metallb.controller.tolerations[1].effect | string | `"NoSchedule"` | | +| metallb.controller.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | metallb.enabled | bool | `false` | | | metallb.ipAddressPools | list | `[]` | | -| multus.clusterNetwork | string | `"calico"` | | +| multus.clusterNetwork | string | `"cilium"` | | | multus.defaultNetworks | list | `[]` | | | multus.enabled | bool | `false` | | -| multus.readinessindicatorfile | string | `"/etc/cni/net.d/10-calico.conflist"` | | -| multus.tag | string | `"v3.9.1"` | | +| multus.readinessindicatorfile | string | `"/etc/cni/net.d/05-cilium.conf"` | | +| multus.tag | string | `"v3.9.2"` | | diff --git a/charts/kubezero-network/charts/calico/Chart.yaml b/charts/kubezero-network/charts/calico/Chart.yaml deleted file mode 100644 index 7357f17..0000000 --- a/charts/kubezero-network/charts/calico/Chart.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: v2 -name: calico -description: KubeZero Chart for Calico -type: application -version: 0.2.2 -appVersion: v3.16.10 -home: https://kubezero.com -icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png -keywords: - - kubezero - - calico -maintainers: - - name: Quarky9 -dependencies: - - name: kubezero-lib - version: ">= 0.1.3" - repository: https://zero-down-time.github.io/kubezero/ -kubeVersion: ">= 1.20.0" diff --git a/charts/kubezero-network/charts/calico/README.md b/charts/kubezero-network/charts/calico/README.md deleted file mode 100644 index e5f04be..0000000 --- a/charts/kubezero-network/charts/calico/README.md +++ /dev/null 
@@ -1,57 +0,0 @@ -# calico - -![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.16.5](https://img.shields.io/badge/AppVersion-v3.16.5-informational?style=flat-square) - -KubeZero Chart for Calico - -**Homepage:** - -## Maintainers - -| Name | Email | Url | -| ---- | ------ | --- | -| Quarky9 | | | - -## Requirements - -Kubernetes: `>= 1.20.0` - -| Repository | Name | Version | -|------------|------|---------| -| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | - -## KubeZero default configuration - -## AWS -The setup is based on the upstream calico-vxlan config from -`https://docs.projectcalico.org/v3.15/manifests/calico-vxlan.yaml` - -### Changes - -- VxLAN set to Always to not expose cluster communication to VPC - - -> EC2 SecurityGroups still apply and only need to allow UDP 4789 for VxLAN traffic - -> No need to disable source/destination check on EC2 instances - -> Prepared for optional WireGuard encryption for all inter node traffic - -- MTU set to 8941 - -- Removed migration init-container - -- Disable BGB and BIRD health checks - -- Set FELIX log level to warning - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| image.tag | string | `""` | | -| loglevel | string | `"Warning"` | | -| mtu | int | `8941` | | -| network | string | `"vxlan"` | | -| prometheus | bool | `false` | | - -## Resources - -- Grafana Dashboard: https://grafana.com/grafana/dashboards/12175 diff --git a/charts/kubezero-network/charts/calico/README.md.gotmpl b/charts/kubezero-network/charts/calico/README.md.gotmpl deleted file mode 100644 index 0aa472c..0000000 --- a/charts/kubezero-network/charts/calico/README.md.gotmpl +++ /dev/null 
@@ -1,42 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.deprecationWarning" . }} - -{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} - -{{ template "chart.description" . }} - -{{ template "chart.homepageLine" . }} - -{{ template "chart.maintainersSection" . }} - -{{ template "chart.sourcesSection" . }} - -{{ template "chart.requirementsSection" . }} - -## KubeZero default configuration - -## AWS -The setup is based on the upstream calico-vxlan config from -`https://docs.projectcalico.org/v3.15/manifests/calico-vxlan.yaml` - -### Changes - -- VxLAN set to Always to not expose cluster communication to VPC - - -> EC2 SecurityGroups still apply and only need to allow UDP 4789 for VxLAN traffic - -> No need to disable source/destination check on EC2 instances - -> Prepared for optional WireGuard encryption for all inter node traffic - -- MTU set to 8941 - -- Removed migration init-container - -- Disable BGB and BIRD health checks - -- Set FELIX log level to warning - -{{ template "chart.valuesSection" . }} - -## Resources - -- Grafana Dashboard: https://grafana.com/grafana/dashboards/12175 diff --git a/charts/kubezero-network/charts/calico/calico-v3.16.5.patch b/charts/kubezero-network/charts/calico/calico-v3.16.5.patch deleted file mode 100644 index 77ff576..0000000 --- a/charts/kubezero-network/charts/calico/calico-v3.16.5.patch +++ /dev/null 
@@ -1,3359 +0,0 @@ ---- calico-vxlan.yaml 2020-11-17 08:12:04.783766338 -0800 -+++ templates/calico.yaml 2020-11-17 08:10:35.583765716 -0800 -@@ -10,13 +10,13 @@ - # Typha is disabled. - typha_service_name: "none" - # Configure the backend to use. -- calico_backend: "vxlan" -+ calico_backend: "{{ .Values.network }}" - # Configure the MTU to use for workload interfaces and tunnels. - # - If Wireguard is enabled, set to your network MTU - 60 - # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 - # - Otherwise, if IPIP is enabled, set to your network MTU - 20 - # - Otherwise, if not using any encapsulation, set to your network MTU. -- veth_mtu: "1410" -+ veth_mtu: "{{ .Values.mtu }}" - - # The CNI network configuration to install on each node. The special - # values in this config will be automatically populated. -@@ -55,3230 +55,6 @@ - } - - --- --# Source: calico/templates/kdd-crds.yaml -- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: bgpconfigurations.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: BGPConfiguration -- listKind: BGPConfigurationList -- plural: bgpconfigurations -- singular: bgpconfiguration -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- description: BGPConfiguration contains the configuration for any BGP routing. -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. 
Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: BGPConfigurationSpec contains the values of the BGP configuration. -- properties: -- asNumber: -- description: 'ASNumber is the default AS number used by a node. [Default: -- 64512]' -- format: int32 -- type: integer -- communities: -- description: Communities is a list of BGP community values and their -- arbitrary names for tagging routes. -- items: -- description: Community contains standard or large community value -- and its name. -- properties: -- name: -- description: Name given to community value. -- type: string -- value: -- description: Value must be of format `aa:nn` or `aa:nn:mm`. -- For standard community use `aa:nn` format, where `aa` and -- `nn` are 16 bit number. For large community use `aa:nn:mm` -- format, where `aa`, `nn` and `mm` are 32 bit number. Where, -- `aa` is an AS Number, `nn` and `mm` are per-AS identifier. -- pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ -- type: string -- type: object -- type: array -- listenPort: -- description: ListenPort is the port where BGP protocol should listen. -- Defaults to 179 -- maximum: 65535 -- minimum: 1 -- type: integer -- logSeverityScreen: -- description: 'LogSeverityScreen is the log severity above which logs -- are sent to the stdout. [Default: INFO]' -- type: string -- nodeToNodeMeshEnabled: -- description: 'NodeToNodeMeshEnabled sets whether full node to node -- BGP mesh is enabled. [Default: true]' -- type: boolean -- prefixAdvertisements: -- description: PrefixAdvertisements contains per-prefix advertisement -- configuration. -- items: -- description: PrefixAdvertisement configures advertisement properties -- for the specified CIDR. 
-- properties: -- cidr: -- description: CIDR for which properties should be advertised. -- type: string -- communities: -- description: Communities can be list of either community names -- already defined in `Specs.Communities` or community value -- of format `aa:nn` or `aa:nn:mm`. For standard community use -- `aa:nn` format, where `aa` and `nn` are 16 bit number. For -- large community use `aa:nn:mm` format, where `aa`, `nn` and -- `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and -- `mm` are per-AS identifier. -- items: -- type: string -- type: array -- type: object -- type: array -- serviceClusterIPs: -- description: ServiceClusterIPs are the CIDR blocks from which service -- cluster IPs are allocated. If specified, Calico will advertise these -- blocks, as well as any cluster IPs within them. -- items: -- description: ServiceClusterIPBlock represents a single allowed ClusterIP -- CIDR block. -- properties: -- cidr: -- type: string -- type: object -- type: array -- serviceExternalIPs: -- description: ServiceExternalIPs are the CIDR blocks for Kubernetes -- Service External IPs. Kubernetes Service ExternalIPs will only be -- advertised if they are within one of these blocks. -- items: -- description: ServiceExternalIPBlock represents a single allowed -- External IP CIDR block. 
-- properties: -- cidr: -- type: string -- type: object -- type: array -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: bgppeers.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: BGPPeer -- listKind: BGPPeerList -- plural: bgppeers -- singular: bgppeer -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: BGPPeerSpec contains the specification for a BGPPeer resource. -- properties: -- asNumber: -- description: The AS Number of the peer. -- format: int32 -- type: integer -- keepOriginalNextHop: -- description: Option to keep the original nexthop field when routes -- are sent to a BGP Peer. Setting "true" configures the selected BGP -- Peers node to use the "next hop keep;" instead of "next hop self;"(default) -- in the specific branch of the Node on "bird.cfg". 
-- type: boolean -- node: -- description: The node name identifying the Calico node instance that -- is peering with this peer. If this is not set, this represents a -- global peer, i.e. a peer that peers with every node in the deployment. -- type: string -- nodeSelector: -- description: Selector for the nodes that should have this peering. When -- this is set, the Node field must be empty. -- type: string -- password: -- description: Optional BGP password for the peerings generated by this -- BGPPeer resource. -- properties: -- secretKeyRef: -- description: Selects a key of a secret in the node pod's namespace. -- properties: -- key: -- description: The key of the secret to select from. Must be -- a valid secret key. -- type: string -- name: -- description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names -- TODO: Add other useful fields. apiVersion, kind, uid?' -- type: string -- optional: -- description: Specify whether the Secret or its key must be -- defined -- type: boolean -- required: -- - key -- type: object -- type: object -- peerIP: -- description: The IP address of the peer followed by an optional port -- number to peer with. If port number is given, format should be `[]:port` -- or `:` for IPv4. If optional port number is not set, -- and this peer IP and ASNumber belongs to a calico/node with ListenPort -- set in BGPConfiguration, then we use that port to peer. -- type: string -- peerSelector: -- description: Selector for the remote nodes to peer with. When this -- is set, the PeerIP and ASNumber fields must be empty. For each -- peering between the local node and selected remote nodes, we configure -- an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, -- and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The -- remote AS number comes from the remote node’s NodeBGPSpec.ASNumber, -- or the global default if that is not set. 
-- type: string -- required: -- - asNumber -- - peerIP -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: blockaffinities.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: BlockAffinity -- listKind: BlockAffinityList -- plural: blockaffinities -- singular: blockaffinity -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: BlockAffinitySpec contains the specification for a BlockAffinity -- resource. -- properties: -- cidr: -- type: string -- deleted: -- description: Deleted indicates that this block affinity is being deleted. -- This field is a string for compatibility with older releases that -- mistakenly treat this field as a string. 
-- type: string -- node: -- type: string -- state: -- type: string -- required: -- - cidr -- - deleted -- - node -- - state -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: clusterinformations.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: ClusterInformation -- listKind: ClusterInformationList -- plural: clusterinformations -- singular: clusterinformation -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- description: ClusterInformation contains the cluster specific information. -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: ClusterInformationSpec contains the values of describing -- the cluster. 
-- properties: -- calicoVersion: -- description: CalicoVersion is the version of Calico that the cluster -- is running -- type: string -- clusterGUID: -- description: ClusterGUID is the GUID of the cluster -- type: string -- clusterType: -- description: ClusterType describes the type of the cluster -- type: string -- datastoreReady: -- description: DatastoreReady is used during significant datastore migrations -- to signal to components such as Felix that it should wait before -- accessing the datastore. -- type: boolean -- variant: -- description: Variant declares which variant of Calico should be active. -- type: string -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: felixconfigurations.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: FelixConfiguration -- listKind: FelixConfigurationList -- plural: felixconfigurations -- singular: felixconfiguration -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- description: Felix Configuration contains the configuration for Felix. -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: FelixConfigurationSpec contains the values of the Felix configuration. -- properties: -- allowIPIPPacketsFromWorkloads: -- description: 'AllowIPIPPacketsFromWorkloads controls whether Felix -- will add a rule to drop IPIP encapsulated traffic from workloads -- [Default: false]' -- type: boolean -- allowVXLANPacketsFromWorkloads: -- description: 'AllowVXLANPacketsFromWorkloads controls whether Felix -- will add a rule to drop VXLAN encapsulated traffic from workloads -- [Default: false]' -- type: boolean -- awsSrcDstCheck: -- description: 'Set source-destination-check on AWS EC2 instances. Accepted -- value must be one of "DoNothing", "Enabled" or "Disabled". [Default: -- DoNothing]' -- enum: -- - DoNothing -- - Enable -- - Disable -- type: string -- bpfConnectTimeLoadBalancingEnabled: -- description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, -- controls whether Felix installs the connection-time load balancer. The -- connect-time load balancer is required for the host to be able to -- reach Kubernetes services and it improves the performance of pod-to-service -- connections. The only reason to disable it is for debugging purposes. [Default: -- true]' -- type: boolean -- bpfDataIfacePattern: -- description: 'BPFDataIfacePattern is a regular expression that controls -- which interfaces Felix should attach BPF programs to in order to -- catch traffic to/from the network. This needs to match the interfaces -- that Calico workload traffic flows over as well as any interfaces -- that handle incoming traffic to nodeports and services from outside -- the cluster. It should not match the workload interfaces (usually -- named cali...). 
[Default: ^(en.*|eth.*|tunl0$)]' -- type: string -- bpfDisableUnprivileged: -- description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled -- sysctl to disable unprivileged use of BPF. This ensures that unprivileged -- users cannot access Calico''s BPF maps and cannot insert their own -- BPF programs to interfere with Calico''s. [Default: true]' -- type: boolean -- bpfEnabled: -- description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. -- [Default: false]' -- type: boolean -- bpfExternalServiceMode: -- description: 'BPFExternalServiceMode in BPF mode, controls how connections -- from outside the cluster to services (node ports and cluster IPs) -- are forwarded to remote workloads. If set to "Tunnel" then both -- request and response traffic is tunneled to the remote node. If -- set to "DSR", the request traffic is tunneled but the response traffic -- is sent directly from the remote node. In "DSR" mode, the remote -- node appears to use the IP of the ingress node; this requires a -- permissive L2 network. [Default: Tunnel]' -- type: string -- bpfKubeProxyEndpointSlicesEnabled: -- description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls -- whether Felix's embedded kube-proxy accepts EndpointSlices or not. -- type: boolean -- bpfKubeProxyIptablesCleanupEnabled: -- description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF -- mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s -- iptables chains. Should only be enabled if kube-proxy is not running. [Default: -- true]' -- type: boolean -- bpfKubeProxyMinSyncPeriod: -- description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the -- minimum time between updates to the dataplane for Felix''s embedded -- kube-proxy. Lower values give reduced set-up latency. Higher values -- reduce Felix CPU usage by batching up more work. 
[Default: 1s]' -- type: string -- bpfLogLevel: -- description: 'BPFLogLevel controls the log level of the BPF programs -- when in BPF dataplane mode. One of "Off", "Info", or "Debug". The -- logs are emitted to the BPF trace pipe, accessible with the command -- `tc exec bpf debug`. [Default: Off].' -- type: string -- chainInsertMode: -- description: 'ChainInsertMode controls whether Felix hooks the kernel’s -- top-level iptables chains by inserting a rule at the top of the -- chain or by appending a rule at the bottom. insert is the safe default -- since it prevents Calico’s rules from being bypassed. If you switch -- to append mode, be sure that the other rules in the chains signal -- acceptance by falling through to the Calico rules, otherwise the -- Calico policy will be bypassed. [Default: insert]' -- type: string -- dataplaneDriver: -- type: string -- debugDisableLogDropping: -- type: boolean -- debugMemoryProfilePath: -- type: string -- debugSimulateCalcGraphHangAfter: -- type: string -- debugSimulateDataplaneHangAfter: -- type: string -- defaultEndpointToHostAction: -- description: 'DefaultEndpointToHostAction controls what happens to -- traffic that goes from a workload endpoint to the host itself (after -- the traffic hits the endpoint egress policy). By default Calico -- blocks traffic from workload endpoints to the host itself with an -- iptables “DROP” action. If you want to allow some or all traffic -- from endpoint to host, set this parameter to RETURN or ACCEPT. Use -- RETURN if you have your own rules in the iptables “INPUT” chain; -- Calico will insert its rules at the top of that chain, then “RETURN” -- packets to the “INPUT” chain once it has completed processing workload -- endpoint egress policy. Use ACCEPT to unconditionally accept packets -- from workloads after processing workload endpoint egress policy. 
-- [Default: Drop]' -- type: string -- deviceRouteProtocol: -- description: This defines the route protocol added to programmed device -- routes, by default this will be RTPROT_BOOT when left blank. -- type: integer -- deviceRouteSourceAddress: -- description: This is the source address to use on programmed device -- routes. By default the source address is left blank, leaving the -- kernel to choose the source address used. -- type: string -- disableConntrackInvalidCheck: -- type: boolean -- endpointReportingDelay: -- type: string -- endpointReportingEnabled: -- type: boolean -- externalNodesList: -- description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes -- which may source tunnel traffic and have the tunneled traffic be -- accepted at calico nodes. -- items: -- type: string -- type: array -- failsafeInboundHostPorts: -- description: 'FailsafeInboundHostPorts is a comma-delimited list of -- UDP/TCP ports that Felix will allow incoming traffic to host endpoints -- on irrespective of the security policy. This is useful to avoid -- accidentally cutting off a host with incorrect configuration. Each -- port should be specified as tcp: or udp:. -- For back-compatibility, if the protocol is not specified, it defaults -- to “tcp”. To disable all inbound host ports, use the value none. -- The default value allows ssh access and DHCP. [Default: tcp:22, -- udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' -- items: -- description: ProtoPort is combination of protocol and port, both -- must be specified. -- properties: -- port: -- type: integer -- protocol: -- type: string -- required: -- - port -- - protocol -- type: object -- type: array -- failsafeOutboundHostPorts: -- description: 'FailsafeOutboundHostPorts is a comma-delimited list -- of UDP/TCP ports that Felix will allow outgoing traffic from host -- endpoints to irrespective of the security policy. 
This is useful -- to avoid accidentally cutting off a host with incorrect configuration. -- Each port should be specified as tcp: or udp:. -- For back-compatibility, if the protocol is not specified, it defaults -- to “tcp”. To disable all outbound host ports, use the value none. -- The default value opens etcd’s standard ports to ensure that Felix -- does not get cut off from etcd as well as allowing DHCP and DNS. -- [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, -- udp:53, udp:67]' -- items: -- description: ProtoPort is combination of protocol and port, both -- must be specified. -- properties: -- port: -- type: integer -- protocol: -- type: string -- required: -- - port -- - protocol -- type: object -- type: array -- featureDetectOverride: -- description: FeatureDetectOverride is used to override the feature -- detection. Values are specified in a comma separated list with no -- spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". -- "true" or "false" will force the feature, empty or omitted values -- are auto-detected. -- type: string -- genericXDPEnabled: -- description: 'GenericXDPEnabled enables Generic XDP so network cards -- that don''t support XDP offload or driver modes can use XDP. This -- is not recommended since it doesn''t provide better performance -- than iptables. [Default: false]' -- type: boolean -- healthEnabled: -- type: boolean -- healthHost: -- type: string -- healthPort: -- type: integer -- interfaceExclude: -- description: 'InterfaceExclude is a comma-separated list of interfaces -- that Felix should exclude when monitoring for host endpoints. The -- default value ensures that Felix ignores Kubernetes'' IPVS dummy -- interface, which is used internally by kube-proxy. If you want to -- exclude multiple interface names using a single value, the list -- supports regular expressions. For regular expressions you must wrap -- the value with ''/''. 
For example having values ''/^kube/,veth1'' -- will exclude all interfaces that begin with ''kube'' and also the -- interface ''veth1''. [Default: kube-ipvs0]' -- type: string -- interfacePrefix: -- description: 'InterfacePrefix is the interface name prefix that identifies -- workload endpoints and so distinguishes them from host endpoint -- interfaces. Note: in environments other than bare metal, the orchestrators -- configure this appropriately. For example our Kubernetes and Docker -- integrations set the ‘cali’ value, and our OpenStack integration -- sets the ‘tap’ value. [Default: cali]' -- type: string -- interfaceRefreshInterval: -- description: InterfaceRefreshInterval is the period at which Felix -- rescans local interfaces to verify their state. The rescan can be -- disabled by setting the interval to 0. -- type: string -- ipipEnabled: -- type: boolean -- ipipMTU: -- description: 'IPIPMTU is the MTU to set on the tunnel device. See -- Configuring MTU [Default: 1440]' -- type: integer -- ipsetsRefreshInterval: -- description: 'IpsetsRefreshInterval is the period at which Felix re-checks -- all iptables state to ensure that no other process has accidentally -- broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: -- 90s]' -- type: string -- iptablesBackend: -- description: IptablesBackend specifies which backend of iptables will -- be used. The default is legacy. -- type: string -- iptablesFilterAllowAction: -- type: string -- iptablesLockFilePath: -- description: 'IptablesLockFilePath is the location of the iptables -- lock file. You may need to change this if the lock file is not in -- its standard location (for example if you have mapped it into Felix’s -- container at a different path). [Default: /run/xtables.lock]' -- type: string -- iptablesLockProbeInterval: -- description: 'IptablesLockProbeInterval is the time that Felix will -- wait between attempts to acquire the iptables lock if it is not -- available. 
Lower values make Felix more responsive when the lock -- is contended, but use more CPU. [Default: 50ms]' -- type: string -- iptablesLockTimeout: -- description: 'IptablesLockTimeout is the time that Felix will wait -- for the iptables lock, or 0, to disable. To use this feature, Felix -- must share the iptables lock file with all other processes that -- also take the lock. When running Felix inside a container, this -- requires the /run directory of the host to be mounted into the calico/node -- or calico/felix container. [Default: 0s disabled]' -- type: string -- iptablesMangleAllowAction: -- type: string -- iptablesMarkMask: -- description: 'IptablesMarkMask is the mask that Felix selects its -- IPTables Mark bits from. Should be a 32 bit hexadecimal number with -- at least 8 bits set, none of which clash with any other mark bits -- in use on the system. [Default: 0xff000000]' -- format: int32 -- type: integer -- iptablesNATOutgoingInterfaceFilter: -- type: string -- iptablesPostWriteCheckInterval: -- description: 'IptablesPostWriteCheckInterval is the period after Felix -- has done a write to the dataplane that it schedules an extra read -- back in order to check the write was not clobbered by another process. -- This should only occur if another application on the system doesn’t -- respect the iptables lock. [Default: 1s]' -- type: string -- iptablesRefreshInterval: -- description: 'IptablesRefreshInterval is the period at which Felix -- re-checks the IP sets in the dataplane to ensure that no other process -- has accidentally broken Calico’s rules. Set to 0 to disable IP sets -- refresh. Note: the default for this value is lower than the other -- refresh intervals as a workaround for a Linux kernel bug that was -- fixed in kernel version 4.11. If you are using v4.11 or greater -- you may want to set this to, a higher value to reduce Felix CPU -- usage. 
[Default: 10s]' -- type: string -- ipv6Support: -- type: boolean -- kubeNodePortRanges: -- description: 'KubeNodePortRanges holds list of port ranges used for -- service node ports. Only used if felix detects kube-proxy running -- in ipvs mode. Felix uses these ranges to separate host and workload -- traffic. [Default: 30000:32767].' -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- logFilePath: -- description: 'LogFilePath is the full path to the Felix log. Set to -- none to disable file logging. [Default: /var/log/calico/felix.log]' -- type: string -- logPrefix: -- description: 'LogPrefix is the log prefix that Felix uses when rendering -- LOG rules. [Default: calico-packet]' -- type: string -- logSeverityFile: -- description: 'LogSeverityFile is the log severity above which logs -- are sent to the log file. [Default: Info]' -- type: string -- logSeverityScreen: -- description: 'LogSeverityScreen is the log severity above which logs -- are sent to the stdout. [Default: Info]' -- type: string -- logSeveritySys: -- description: 'LogSeveritySys is the log severity above which logs -- are sent to the syslog. Set to None for no logging to syslog. [Default: -- Info]' -- type: string -- maxIpsetSize: -- type: integer -- metadataAddr: -- description: 'MetadataAddr is the IP address or domain name of the -- server that can answer VM queries for cloud-init metadata. In OpenStack, -- this corresponds to the machine running nova-api (or in Ubuntu, -- nova-api-metadata). A value of none (case insensitive) means that -- Felix should not set up any NAT rule for the metadata path. [Default: -- 127.0.0.1]' -- type: string -- metadataPort: -- description: 'MetadataPort is the port of the metadata server. This, -- combined with global.MetadataAddr (if not ‘None’), is used to set -- up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. 
-- In most cases this should not need to be changed [Default: 8775].' -- type: integer -- natOutgoingAddress: -- description: NATOutgoingAddress specifies an address to use when performing -- source NAT for traffic in a natOutgoing pool that is leaving the -- network. By default the address used is an address on the interface -- the traffic is leaving on (ie it uses the iptables MASQUERADE target) -- type: string -- natPortRange: -- anyOf: -- - type: integer -- - type: string -- description: NATPortRange specifies the range of ports that is used -- for port mapping when doing outgoing NAT. When unset the default -- behavior of the network stack is used. -- pattern: ^.* -- x-kubernetes-int-or-string: true -- netlinkTimeout: -- type: string -- openstackRegion: -- description: 'OpenstackRegion is the name of the region that a particular -- Felix belongs to. In a multi-region Calico/OpenStack deployment, -- this must be configured somehow for each Felix (here in the datamodel, -- or in felix.cfg or the environment on each compute node), and must -- match the [calico] openstack_region value configured in neutron.conf -- on each node. [Default: Empty]' -- type: string -- policySyncPathPrefix: -- description: 'PolicySyncPathPrefix is used to by Felix to communicate -- policy changes to external services, like Application layer policy. -- [Default: Empty]' -- type: string -- prometheusGoMetricsEnabled: -- description: 'PrometheusGoMetricsEnabled disables Go runtime metrics -- collection, which the Prometheus client does by default, when set -- to false. This reduces the number of metrics reported, reducing -- Prometheus load. [Default: true]' -- type: boolean -- prometheusMetricsEnabled: -- description: 'PrometheusMetricsEnabled enables the Prometheus metrics -- server in Felix if set to true. [Default: false]' -- type: boolean -- prometheusMetricsHost: -- description: 'PrometheusMetricsHost is the host that the Prometheus -- metrics server should bind to. 
[Default: empty]' -- type: string -- prometheusMetricsPort: -- description: 'PrometheusMetricsPort is the TCP port that the Prometheus -- metrics server should bind to. [Default: 9091]' -- type: integer -- prometheusProcessMetricsEnabled: -- description: 'PrometheusProcessMetricsEnabled disables process metrics -- collection, which the Prometheus client does by default, when set -- to false. This reduces the number of metrics reported, reducing -- Prometheus load. [Default: true]' -- type: boolean -- removeExternalRoutes: -- description: Whether or not to remove device routes that have not -- been programmed by Felix. Disabling this will allow external applications -- to also add device routes. This is enabled by default which means -- we will remove externally added routes. -- type: boolean -- reportingInterval: -- description: 'ReportingInterval is the interval at which Felix reports -- its status into the datastore or 0 to disable. Must be non-zero -- in OpenStack deployments. [Default: 30s]' -- type: string -- reportingTTL: -- description: 'ReportingTTL is the time-to-live setting for process-wide -- status reports. [Default: 90s]' -- type: string -- routeRefreshInterval: -- description: 'RouterefreshInterval is the period at which Felix re-checks -- the routes in the dataplane to ensure that no other process has -- accidentally broken Calico’s rules. Set to 0 to disable route refresh. -- [Default: 90s]' -- type: string -- routeSource: -- description: 'RouteSource configures where Felix gets its routing -- information. - WorkloadIPs: use workload endpoints to construct -- routes. - CalicoIPAM: the default - use IPAM data to construct routes.' -- type: string -- routeTableRange: -- description: Calico programs additional Linux route tables for various -- purposes. RouteTableRange specifies the indices of the route tables -- that Calico should use. 
-- properties: -- max: -- type: integer -- min: -- type: integer -- required: -- - max -- - min -- type: object -- sidecarAccelerationEnabled: -- description: 'SidecarAccelerationEnabled enables experimental sidecar -- acceleration [Default: false]' -- type: boolean -- usageReportingEnabled: -- description: 'UsageReportingEnabled reports anonymous Calico version -- number and cluster size to projectcalico.org. Logs warnings returned -- by the usage server. For example, if a significant security vulnerability -- has been discovered in the version of Calico being used. [Default: -- true]' -- type: boolean -- usageReportingInitialDelay: -- description: 'UsageReportingInitialDelay controls the minimum delay -- before Felix makes a report. [Default: 300s]' -- type: string -- usageReportingInterval: -- description: 'UsageReportingInterval controls the interval at which -- Felix makes reports. [Default: 86400s]' -- type: string -- useInternalDataplaneDriver: -- type: boolean -- vxlanEnabled: -- type: boolean -- vxlanMTU: -- description: 'VXLANMTU is the MTU to set on the tunnel device. See -- Configuring MTU [Default: 1440]' -- type: integer -- vxlanPort: -- type: integer -- vxlanVNI: -- type: integer -- wireguardEnabled: -- description: 'WireguardEnabled controls whether Wireguard is enabled. -- [Default: false]' -- type: boolean -- wireguardInterfaceName: -- description: 'WireguardInterfaceName specifies the name to use for -- the Wireguard interface. [Default: wg.calico]' -- type: string -- wireguardListeningPort: -- description: 'WireguardListeningPort controls the listening port used -- by Wireguard. [Default: 51820]' -- type: integer -- wireguardMTU: -- description: 'WireguardMTU controls the MTU on the Wireguard interface. -- See Configuring MTU [Default: 1420]' -- type: integer -- wireguardRoutingRulePriority: -- description: 'WireguardRoutingRulePriority controls the priority value -- to use for the Wireguard routing rule. 
[Default: 99]' -- type: integer -- xdpEnabled: -- description: 'XDPEnabled enables XDP acceleration for suitable untracked -- incoming deny rules. [Default: true]' -- type: boolean -- xdpRefreshInterval: -- description: 'XDPRefreshInterval is the period at which Felix re-checks -- all XDP state to ensure that no other process has accidentally broken -- Calico''s BPF maps or attached programs. Set to 0 to disable XDP -- refresh. [Default: 90s]' -- type: string -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: globalnetworkpolicies.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: GlobalNetworkPolicy -- listKind: GlobalNetworkPolicyList -- plural: globalnetworkpolicies -- singular: globalnetworkpolicy -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- properties: -- applyOnForward: -- description: ApplyOnForward indicates to apply the rules in this policy -- on forward traffic. 
-- type: boolean -- doNotTrack: -- description: DoNotTrack indicates whether packets matched by the rules -- in this policy should go through the data plane's connection tracking, -- such as Linux conntrack. If True, the rules in this policy are -- applied before any data plane connection tracking, and packets allowed -- by this policy are marked as not to be tracked. -- type: boolean -- egress: -- description: The ordered set of egress rules. Each rule contains -- a set of packet match criteria and a corresponding action to apply. -- items: -- description: "A Rule encapsulates a set of match criteria and an -- action. Both selector-based security Policy and security Profiles -- reference rules - separated out as a list of rules for both ingress -- and egress packet matching. \n Each positive match criteria has -- a negated version, prefixed with ”Not”. All the match criteria -- within a rule must be satisfied for a packet to match. A single -- rule can contain the positive and negative version of a match -- and both must be satisfied for the rule to match." -- properties: -- action: -- type: string -- destination: -- description: Destination contains the match criteria that apply -- to destination entity. -- properties: -- namespaceSelector: -- description: "NamespaceSelector is an optional field that -- contains a selector expression. Only traffic that originates -- from (or terminates at) endpoints within the selected -- namespaces will be matched. When both NamespaceSelector -- and Selector are defined on the same rule, then only workload -- endpoints that are matched by both selectors will be selected -- by the rule. \n For NetworkPolicy, an empty NamespaceSelector -- implies that the Selector is limited to selecting only -- workload endpoints in the same namespace as the NetworkPolicy. -- \n For NetworkPolicy, `global()` NamespaceSelector implies -- that the Selector is limited to selecting only GlobalNetworkSet -- or HostEndpoint. 
\n For GlobalNetworkPolicy, an empty -- NamespaceSelector implies the Selector applies to workload -- endpoints across all namespaces." -- type: string -- nets: -- description: Nets is an optional field that restricts the -- rule to only apply to traffic that originates from (or -- terminates at) IP addresses in any of the given subnets. -- items: -- type: string -- type: array -- notNets: -- description: NotNets is the negated version of the Nets -- field. -- items: -- type: string -- type: array -- notPorts: -- description: NotPorts is the negated version of the Ports -- field. Since only some protocols have ports, if any ports -- are specified it requires the Protocol match in the Rule -- to be set to "TCP" or "UDP". -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- notSelector: -- description: NotSelector is the negated version of the Selector -- field. See Selector field for subtleties with negated -- selectors. -- type: string -- ports: -- description: "Ports is an optional field that restricts -- the rule to only apply to traffic that has a source (destination) -- port that matches one of these ranges/values. This value -- is a list of integers or strings that represent ranges -- of ports. \n Since only some protocols have ports, if -- any ports are specified it requires the Protocol match -- in the Rule to be set to \"TCP\" or \"UDP\"." -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- selector: -- description: "Selector is an optional field that contains -- a selector expression (see Policy for sample syntax). -- \ Only traffic that originates from (terminates at) endpoints -- matching the selector will be matched. \n Note that: in -- addition to the negated version of the Selector (see NotSelector -- below), the selector expression syntax itself supports -- negation. 
The two types of negation are subtly different. -- One negates the set of matched endpoints, the other negates -- the whole match: \n \tSelector = \"!has(my_label)\" matches -- packets that are from other Calico-controlled \tendpoints -- that do not have the label “my_label”. \n \tNotSelector -- = \"has(my_label)\" matches packets that are not from -- Calico-controlled \tendpoints that do have the label “my_label”. -- \n The effect is that the latter will accept packets from -- non-Calico sources whereas the former is limited to packets -- from Calico-controlled endpoints." -- type: string -- serviceAccounts: -- description: ServiceAccounts is an optional field that restricts -- the rule to only apply to traffic that originates from -- (or terminates at) a pod running as a matching service -- account. -- properties: -- names: -- description: Names is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account whose name is in the list. -- items: -- type: string -- type: array -- selector: -- description: Selector is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account that matches the given label selector. If -- both Names and Selector are specified then they are -- AND'ed. -- type: string -- type: object -- type: object -- http: -- description: HTTP contains match criteria that apply to HTTP -- requests. -- properties: -- methods: -- description: Methods is an optional field that restricts -- the rule to apply only to HTTP requests that use one of -- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple -- methods are OR'd together. -- items: -- type: string -- type: array -- paths: -- description: 'Paths is an optional field that restricts -- the rule to apply to HTTP requests that use one of the -- listed HTTP Paths. Multiple paths are OR''d together. 
-- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may -- ONLY specify either a `exact` or a `prefix` match. The -- validator will check for it.' -- items: -- description: 'HTTPPath specifies an HTTP path to match. -- It may be either of the form: exact: : which matches -- the path exactly or prefix: : which matches -- the path prefix' -- properties: -- exact: -- type: string -- prefix: -- type: string -- type: object -- type: array -- type: object -- icmp: -- description: ICMP is an optional field that restricts the rule -- to apply to a specific type and code of ICMP traffic. This -- should only be specified if the Protocol field is set to "ICMP" -- or "ICMPv6". -- properties: -- code: -- description: Match on a specific ICMP code. If specified, -- the Type value must also be specified. This is a technical -- limitation imposed by the kernel’s iptables firewall, -- which Calico uses to enforce the rule. -- type: integer -- type: -- description: Match on a specific ICMP type. For example -- a value of 8 refers to ICMP Echo Request (i.e. pings). -- type: integer -- type: object -- ipVersion: -- description: IPVersion is an optional field that restricts the -- rule to only match a specific IP version. -- type: integer -- metadata: -- description: Metadata contains additional information for this -- rule -- properties: -- annotations: -- additionalProperties: -- type: string -- description: Annotations is a set of key value pairs that -- give extra information about the rule -- type: object -- type: object -- notICMP: -- description: NotICMP is the negated version of the ICMP field. -- properties: -- code: -- description: Match on a specific ICMP code. If specified, -- the Type value must also be specified. This is a technical -- limitation imposed by the kernel’s iptables firewall, -- which Calico uses to enforce the rule. -- type: integer -- type: -- description: Match on a specific ICMP type. For example -- a value of 8 refers to ICMP Echo Request (i.e. pings). 
-- type: integer -- type: object -- notProtocol: -- anyOf: -- - type: integer -- - type: string -- description: NotProtocol is the negated version of the Protocol -- field. -- pattern: ^.* -- x-kubernetes-int-or-string: true -- protocol: -- anyOf: -- - type: integer -- - type: string -- description: "Protocol is an optional field that restricts the -- rule to only apply to traffic of a specific IP protocol. Required -- if any of the EntityRules contain Ports (because ports only -- apply to certain protocols). \n Must be one of these string -- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", -- \"UDPLite\" or an integer in the range 1-255." -- pattern: ^.* -- x-kubernetes-int-or-string: true -- source: -- description: Source contains the match criteria that apply to -- source entity. -- properties: -- namespaceSelector: -- description: "NamespaceSelector is an optional field that -- contains a selector expression. Only traffic that originates -- from (or terminates at) endpoints within the selected -- namespaces will be matched. When both NamespaceSelector -- and Selector are defined on the same rule, then only workload -- endpoints that are matched by both selectors will be selected -- by the rule. \n For NetworkPolicy, an empty NamespaceSelector -- implies that the Selector is limited to selecting only -- workload endpoints in the same namespace as the NetworkPolicy. -- \n For NetworkPolicy, `global()` NamespaceSelector implies -- that the Selector is limited to selecting only GlobalNetworkSet -- or HostEndpoint. \n For GlobalNetworkPolicy, an empty -- NamespaceSelector implies the Selector applies to workload -- endpoints across all namespaces." -- type: string -- nets: -- description: Nets is an optional field that restricts the -- rule to only apply to traffic that originates from (or -- terminates at) IP addresses in any of the given subnets. 
-- items: -- type: string -- type: array -- notNets: -- description: NotNets is the negated version of the Nets -- field. -- items: -- type: string -- type: array -- notPorts: -- description: NotPorts is the negated version of the Ports -- field. Since only some protocols have ports, if any ports -- are specified it requires the Protocol match in the Rule -- to be set to "TCP" or "UDP". -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- notSelector: -- description: NotSelector is the negated version of the Selector -- field. See Selector field for subtleties with negated -- selectors. -- type: string -- ports: -- description: "Ports is an optional field that restricts -- the rule to only apply to traffic that has a source (destination) -- port that matches one of these ranges/values. This value -- is a list of integers or strings that represent ranges -- of ports. \n Since only some protocols have ports, if -- any ports are specified it requires the Protocol match -- in the Rule to be set to \"TCP\" or \"UDP\"." -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- selector: -- description: "Selector is an optional field that contains -- a selector expression (see Policy for sample syntax). -- \ Only traffic that originates from (terminates at) endpoints -- matching the selector will be matched. \n Note that: in -- addition to the negated version of the Selector (see NotSelector -- below), the selector expression syntax itself supports -- negation. The two types of negation are subtly different. -- One negates the set of matched endpoints, the other negates -- the whole match: \n \tSelector = \"!has(my_label)\" matches -- packets that are from other Calico-controlled \tendpoints -- that do not have the label “my_label”. 
\n \tNotSelector -- = \"has(my_label)\" matches packets that are not from -- Calico-controlled \tendpoints that do have the label “my_label”. -- \n The effect is that the latter will accept packets from -- non-Calico sources whereas the former is limited to packets -- from Calico-controlled endpoints." -- type: string -- serviceAccounts: -- description: ServiceAccounts is an optional field that restricts -- the rule to only apply to traffic that originates from -- (or terminates at) a pod running as a matching service -- account. -- properties: -- names: -- description: Names is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account whose name is in the list. -- items: -- type: string -- type: array -- selector: -- description: Selector is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account that matches the given label selector. If -- both Names and Selector are specified then they are -- AND'ed. -- type: string -- type: object -- type: object -- required: -- - action -- type: object -- type: array -- ingress: -- description: The ordered set of ingress rules. Each rule contains -- a set of packet match criteria and a corresponding action to apply. -- items: -- description: "A Rule encapsulates a set of match criteria and an -- action. Both selector-based security Policy and security Profiles -- reference rules - separated out as a list of rules for both ingress -- and egress packet matching. \n Each positive match criteria has -- a negated version, prefixed with ”Not”. All the match criteria -- within a rule must be satisfied for a packet to match. A single -- rule can contain the positive and negative version of a match -- and both must be satisfied for the rule to match." 
-- properties: -- action: -- type: string -- destination: -- description: Destination contains the match criteria that apply -- to destination entity. -- properties: -- namespaceSelector: -- description: "NamespaceSelector is an optional field that -- contains a selector expression. Only traffic that originates -- from (or terminates at) endpoints within the selected -- namespaces will be matched. When both NamespaceSelector -- and Selector are defined on the same rule, then only workload -- endpoints that are matched by both selectors will be selected -- by the rule. \n For NetworkPolicy, an empty NamespaceSelector -- implies that the Selector is limited to selecting only -- workload endpoints in the same namespace as the NetworkPolicy. -- \n For NetworkPolicy, `global()` NamespaceSelector implies -- that the Selector is limited to selecting only GlobalNetworkSet -- or HostEndpoint. \n For GlobalNetworkPolicy, an empty -- NamespaceSelector implies the Selector applies to workload -- endpoints across all namespaces." -- type: string -- nets: -- description: Nets is an optional field that restricts the -- rule to only apply to traffic that originates from (or -- terminates at) IP addresses in any of the given subnets. -- items: -- type: string -- type: array -- notNets: -- description: NotNets is the negated version of the Nets -- field. -- items: -- type: string -- type: array -- notPorts: -- description: NotPorts is the negated version of the Ports -- field. Since only some protocols have ports, if any ports -- are specified it requires the Protocol match in the Rule -- to be set to "TCP" or "UDP". -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- notSelector: -- description: NotSelector is the negated version of the Selector -- field. See Selector field for subtleties with negated -- selectors. 
-- type: string -- ports: -- description: "Ports is an optional field that restricts -- the rule to only apply to traffic that has a source (destination) -- port that matches one of these ranges/values. This value -- is a list of integers or strings that represent ranges -- of ports. \n Since only some protocols have ports, if -- any ports are specified it requires the Protocol match -- in the Rule to be set to \"TCP\" or \"UDP\"." -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- selector: -- description: "Selector is an optional field that contains -- a selector expression (see Policy for sample syntax). -- \ Only traffic that originates from (terminates at) endpoints -- matching the selector will be matched. \n Note that: in -- addition to the negated version of the Selector (see NotSelector -- below), the selector expression syntax itself supports -- negation. The two types of negation are subtly different. -- One negates the set of matched endpoints, the other negates -- the whole match: \n \tSelector = \"!has(my_label)\" matches -- packets that are from other Calico-controlled \tendpoints -- that do not have the label “my_label”. \n \tNotSelector -- = \"has(my_label)\" matches packets that are not from -- Calico-controlled \tendpoints that do have the label “my_label”. -- \n The effect is that the latter will accept packets from -- non-Calico sources whereas the former is limited to packets -- from Calico-controlled endpoints." -- type: string -- serviceAccounts: -- description: ServiceAccounts is an optional field that restricts -- the rule to only apply to traffic that originates from -- (or terminates at) a pod running as a matching service -- account. -- properties: -- names: -- description: Names is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account whose name is in the list. 
-- items: -- type: string -- type: array -- selector: -- description: Selector is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account that matches the given label selector. If -- both Names and Selector are specified then they are -- AND'ed. -- type: string -- type: object -- type: object -- http: -- description: HTTP contains match criteria that apply to HTTP -- requests. -- properties: -- methods: -- description: Methods is an optional field that restricts -- the rule to apply only to HTTP requests that use one of -- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple -- methods are OR'd together. -- items: -- type: string -- type: array -- paths: -- description: 'Paths is an optional field that restricts -- the rule to apply to HTTP requests that use one of the -- listed HTTP Paths. Multiple paths are OR''d together. -- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may -- ONLY specify either a `exact` or a `prefix` match. The -- validator will check for it.' -- items: -- description: 'HTTPPath specifies an HTTP path to match. -- It may be either of the form: exact: : which matches -- the path exactly or prefix: : which matches -- the path prefix' -- properties: -- exact: -- type: string -- prefix: -- type: string -- type: object -- type: array -- type: object -- icmp: -- description: ICMP is an optional field that restricts the rule -- to apply to a specific type and code of ICMP traffic. This -- should only be specified if the Protocol field is set to "ICMP" -- or "ICMPv6". -- properties: -- code: -- description: Match on a specific ICMP code. If specified, -- the Type value must also be specified. This is a technical -- limitation imposed by the kernel’s iptables firewall, -- which Calico uses to enforce the rule. -- type: integer -- type: -- description: Match on a specific ICMP type. For example -- a value of 8 refers to ICMP Echo Request (i.e. pings). 
-- type: integer -- type: object -- ipVersion: -- description: IPVersion is an optional field that restricts the -- rule to only match a specific IP version. -- type: integer -- metadata: -- description: Metadata contains additional information for this -- rule -- properties: -- annotations: -- additionalProperties: -- type: string -- description: Annotations is a set of key value pairs that -- give extra information about the rule -- type: object -- type: object -- notICMP: -- description: NotICMP is the negated version of the ICMP field. -- properties: -- code: -- description: Match on a specific ICMP code. If specified, -- the Type value must also be specified. This is a technical -- limitation imposed by the kernel’s iptables firewall, -- which Calico uses to enforce the rule. -- type: integer -- type: -- description: Match on a specific ICMP type. For example -- a value of 8 refers to ICMP Echo Request (i.e. pings). -- type: integer -- type: object -- notProtocol: -- anyOf: -- - type: integer -- - type: string -- description: NotProtocol is the negated version of the Protocol -- field. -- pattern: ^.* -- x-kubernetes-int-or-string: true -- protocol: -- anyOf: -- - type: integer -- - type: string -- description: "Protocol is an optional field that restricts the -- rule to only apply to traffic of a specific IP protocol. Required -- if any of the EntityRules contain Ports (because ports only -- apply to certain protocols). \n Must be one of these string -- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", -- \"UDPLite\" or an integer in the range 1-255." -- pattern: ^.* -- x-kubernetes-int-or-string: true -- source: -- description: Source contains the match criteria that apply to -- source entity. -- properties: -- namespaceSelector: -- description: "NamespaceSelector is an optional field that -- contains a selector expression. Only traffic that originates -- from (or terminates at) endpoints within the selected -- namespaces will be matched. 
When both NamespaceSelector -- and Selector are defined on the same rule, then only workload -- endpoints that are matched by both selectors will be selected -- by the rule. \n For NetworkPolicy, an empty NamespaceSelector -- implies that the Selector is limited to selecting only -- workload endpoints in the same namespace as the NetworkPolicy. -- \n For NetworkPolicy, `global()` NamespaceSelector implies -- that the Selector is limited to selecting only GlobalNetworkSet -- or HostEndpoint. \n For GlobalNetworkPolicy, an empty -- NamespaceSelector implies the Selector applies to workload -- endpoints across all namespaces." -- type: string -- nets: -- description: Nets is an optional field that restricts the -- rule to only apply to traffic that originates from (or -- terminates at) IP addresses in any of the given subnets. -- items: -- type: string -- type: array -- notNets: -- description: NotNets is the negated version of the Nets -- field. -- items: -- type: string -- type: array -- notPorts: -- description: NotPorts is the negated version of the Ports -- field. Since only some protocols have ports, if any ports -- are specified it requires the Protocol match in the Rule -- to be set to "TCP" or "UDP". -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- notSelector: -- description: NotSelector is the negated version of the Selector -- field. See Selector field for subtleties with negated -- selectors. -- type: string -- ports: -- description: "Ports is an optional field that restricts -- the rule to only apply to traffic that has a source (destination) -- port that matches one of these ranges/values. This value -- is a list of integers or strings that represent ranges -- of ports. \n Since only some protocols have ports, if -- any ports are specified it requires the Protocol match -- in the Rule to be set to \"TCP\" or \"UDP\"." 
-- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- selector: -- description: "Selector is an optional field that contains -- a selector expression (see Policy for sample syntax). -- \ Only traffic that originates from (terminates at) endpoints -- matching the selector will be matched. \n Note that: in -- addition to the negated version of the Selector (see NotSelector -- below), the selector expression syntax itself supports -- negation. The two types of negation are subtly different. -- One negates the set of matched endpoints, the other negates -- the whole match: \n \tSelector = \"!has(my_label)\" matches -- packets that are from other Calico-controlled \tendpoints -- that do not have the label “my_label”. \n \tNotSelector -- = \"has(my_label)\" matches packets that are not from -- Calico-controlled \tendpoints that do have the label “my_label”. -- \n The effect is that the latter will accept packets from -- non-Calico sources whereas the former is limited to packets -- from Calico-controlled endpoints." -- type: string -- serviceAccounts: -- description: ServiceAccounts is an optional field that restricts -- the rule to only apply to traffic that originates from -- (or terminates at) a pod running as a matching service -- account. -- properties: -- names: -- description: Names is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account whose name is in the list. -- items: -- type: string -- type: array -- selector: -- description: Selector is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account that matches the given label selector. If -- both Names and Selector are specified then they are -- AND'ed. 
-- type: string -- type: object -- type: object -- required: -- - action -- type: object -- type: array -- namespaceSelector: -- description: NamespaceSelector is an optional field for an expression -- used to select a pod based on namespaces. -- type: string -- order: -- description: Order is an optional field that specifies the order in -- which the policy is applied. Policies with higher "order" are applied -- after those with lower order. If the order is omitted, it may be -- considered to be "infinite" - i.e. the policy will be applied last. Policies -- with identical order will be applied in alphanumerical order based -- on the Policy "Name". -- type: number -- preDNAT: -- description: PreDNAT indicates to apply the rules in this policy before -- any DNAT. -- type: boolean -- selector: -- description: "The selector is an expression used to pick pick out -- the endpoints that the policy should be applied to. \n Selector -- expressions follow this syntax: \n \tlabel == \"string_literal\" -- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -- \ -> not equal; also matches if label is not present \tlabel in -- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is -- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", -- ... } -> true if the value of label X is not one of \"a\", \"b\", -- \"c\" \thas(label_name) -> True if that label is present \t! expr -- -> negation of expr \texpr && expr -> Short-circuit and \texpr -- || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() -- or the empty selector -> matches all endpoints. \n Label names are -- allowed to contain alphanumerics, -, _ and /. String literals are -- more permissive but they do not support escape characters. \n Examples -- (with made-up labels): \n \ttype == \"webserver\" && deployment -- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != -- \"dev\" \t! 
has(label_name)" -- type: string -- serviceAccountSelector: -- description: ServiceAccountSelector is an optional field for an expression -- used to select a pod based on service accounts. -- type: string -- types: -- description: "Types indicates whether this policy applies to ingress, -- or to egress, or to both. When not explicitly specified (and so -- the value on creation is empty or nil), Calico defaults Types according -- to what Ingress and Egress rules are present in the policy. The -- default is: \n - [ PolicyTypeIngress ], if there are no Egress rules -- (including the case where there are also no Ingress rules) \n -- - [ PolicyTypeEgress ], if there are Egress rules but no Ingress -- rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are -- both Ingress and Egress rules. \n When the policy is read back again, -- Types will always be one of these values, never empty or nil." -- items: -- description: PolicyType enumerates the possible values of the PolicySpec -- Types field. -- type: string -- type: array -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: globalnetworksets.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: GlobalNetworkSet -- listKind: GlobalNetworkSetList -- plural: globalnetworksets -- singular: globalnetworkset -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs -- that share labels to allow rules to refer to them via selectors. The labels -- of GlobalNetworkSet are not namespaced. 
-- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: GlobalNetworkSetSpec contains the specification for a NetworkSet -- resource. -- properties: -- nets: -- description: The list of IP networks that belong to this set. -- items: -- type: string -- type: array -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: hostendpoints.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: HostEndpoint -- listKind: HostEndpointList -- plural: hostendpoints -- singular: hostendpoint -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: HostEndpointSpec contains the specification for a HostEndpoint -- resource. -- properties: -- expectedIPs: -- description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. -- If \"InterfaceName\" is not present, Calico will look for an interface -- matching any of the IPs in the list and apply policy to that. Note: -- \tWhen using the selector match criteria in an ingress or egress -- security Policy \tor Profile, Calico converts the selector into -- a set of IP addresses. For host \tendpoints, the ExpectedIPs field -- is used for that purpose. (If only the interface \tname is specified, -- Calico does not learn the IPs of the interface for use in match -- \tcriteria.)" -- items: -- type: string -- type: array -- interfaceName: -- description: "Either \"*\", or the name of a specific Linux interface -- to apply policy to; or empty. \"*\" indicates that this HostEndpoint -- governs all traffic to, from or through the default network namespace -- of the host named by the \"Node\" field; entering and leaving that -- namespace via any interface, including those from/to non-host-networked -- local workloads. \n If InterfaceName is not \"*\", this HostEndpoint -- only governs traffic that enters or leaves the host through the -- specific interface named by InterfaceName, or - when InterfaceName -- is empty - through the specific interface that has one of the IPs -- in ExpectedIPs. 
Therefore, when InterfaceName is empty, at least -- one expected IP must be specified. Only external interfaces (such -- as “eth0”) are supported here; it isn't possible for a HostEndpoint -- to protect traffic through a specific local workload interface. -- \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; -- initially just pre-DNAT policy. Please check Calico documentation -- for the latest position." -- type: string -- node: -- description: The node name identifying the Calico node instance. -- type: string -- ports: -- description: Ports contains the endpoint's named ports, which may -- be referenced in security policy rules. -- items: -- properties: -- name: -- type: string -- port: -- type: integer -- protocol: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- required: -- - name -- - port -- - protocol -- type: object -- type: array -- profiles: -- description: A list of identifiers of security Profile objects that -- apply to this endpoint. Each profile is applied in the order that -- they appear in this list. Profile rules are applied after the selector-based -- security policy. -- items: -- type: string -- type: array -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: ipamblocks.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: IPAMBlock -- listKind: IPAMBlockList -- plural: ipamblocks -- singular: ipamblock -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. 
Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: IPAMBlockSpec contains the specification for an IPAMBlock -- resource. -- properties: -- affinity: -- type: string -- allocations: -- items: -- type: integer -- # TODO: This nullable is manually added in. We should update controller-gen -- # to handle []*int properly itself. -- nullable: true -- type: array -- attributes: -- items: -- properties: -- handle_id: -- type: string -- secondary: -- additionalProperties: -- type: string -- type: object -- type: object -- type: array -- cidr: -- type: string -- deleted: -- type: boolean -- strictAffinity: -- type: boolean -- unallocated: -- items: -- type: integer -- type: array -- required: -- - allocations -- - attributes -- - cidr -- - deleted -- - strictAffinity -- - unallocated -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: ipamconfigs.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: IPAMConfig -- listKind: IPAMConfigList -- plural: ipamconfigs -- singular: ipamconfig -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- 
apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: IPAMConfigSpec contains the specification for an IPAMConfig -- resource. -- properties: -- autoAllocateBlocks: -- type: boolean -- strictAffinity: -- type: boolean -- required: -- - autoAllocateBlocks -- - strictAffinity -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: ipamhandles.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: IPAMHandle -- listKind: IPAMHandleList -- plural: ipamhandles -- singular: ipamhandle -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: IPAMHandleSpec contains the specification for an IPAMHandle -- resource. -- properties: -- block: -- additionalProperties: -- type: integer -- type: object -- handleID: -- type: string -- required: -- - block -- - handleID -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: ippools.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: IPPool -- listKind: IPPoolList -- plural: ippools -- singular: ippool -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: IPPoolSpec contains the specification for an IPPool resource. -- properties: -- blockSize: -- description: The block size to use for IP address assignments from -- this pool. Defaults to 26 for IPv4 and 112 for IPv6. -- type: integer -- cidr: -- description: The pool CIDR. -- type: string -- disabled: -- description: When disabled is true, Calico IPAM will not assign addresses -- from this pool. -- type: boolean -- ipip: -- description: 'Deprecated: this field is only used for APIv1 backwards -- compatibility. Setting this field is not allowed, this field is -- for internal use only.' -- properties: -- enabled: -- description: When enabled is true, ipip tunneling will be used -- to deliver packets to destinations within this pool. -- type: boolean -- mode: -- description: The IPIP mode. This can be one of "always" or "cross-subnet". A -- mode of "always" will also use IPIP tunneling for routing to -- destination IP addresses within this pool. A mode of "cross-subnet" -- will only use IPIP tunneling when the destination node is on -- a different subnet to the originating node. The default value -- (if not specified) is "always". -- type: string -- type: object -- ipipMode: -- description: Contains configuration for IPIP tunneling for this pool. -- If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling -- is disabled). -- type: string -- nat-outgoing: -- description: 'Deprecated: this field is only used for APIv1 backwards -- compatibility. Setting this field is not allowed, this field is -- for internal use only.' -- type: boolean -- natOutgoing: -- description: When nat-outgoing is true, packets sent from Calico networked -- containers in this pool to destinations outside of this pool will -- be masqueraded. 
-- type: boolean -- nodeSelector: -- description: Allows IPPool to allocate for a specific node by label -- selector. -- type: string -- vxlanMode: -- description: Contains configuration for VXLAN tunneling for this pool. -- If not specified, then this is defaulted to "Never" (i.e. VXLAN -- tunneling is disabled). -- type: string -- required: -- - cidr -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: kubecontrollersconfigurations.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: KubeControllersConfiguration -- listKind: KubeControllersConfigurationList -- plural: kubecontrollersconfigurations -- singular: kubecontrollersconfiguration -- scope: Cluster -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- description: KubeControllersConfigurationSpec contains the values of the -- Kubernetes controllers configuration. 
-- properties: -- controllers: -- description: Controllers enables and configures individual Kubernetes -- controllers -- properties: -- namespace: -- description: Namespace enables and configures the namespace controller. -- Enabled by default, set to nil to disable. -- properties: -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform reconciliation -- with the Calico datastore. [Default: 5m]' -- type: string -- type: object -- node: -- description: Node enables and configures the node controller. -- Enabled by default, set to nil to disable. -- properties: -- hostEndpoint: -- description: HostEndpoint controls syncing nodes to host endpoints. -- Disabled by default, set to nil to disable. -- properties: -- autoCreate: -- description: 'AutoCreate enables automatic creation of -- host endpoints for every node. [Default: Disabled]' -- type: string -- type: object -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform reconciliation -- with the Calico datastore. [Default: 5m]' -- type: string -- syncLabels: -- description: 'SyncLabels controls whether to copy Kubernetes -- node labels to Calico nodes. [Default: Enabled]' -- type: string -- type: object -- policy: -- description: Policy enables and configures the policy controller. -- Enabled by default, set to nil to disable. -- properties: -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform reconciliation -- with the Calico datastore. [Default: 5m]' -- type: string -- type: object -- serviceAccount: -- description: ServiceAccount enables and configures the service -- account controller. Enabled by default, set to nil to disable. -- properties: -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform reconciliation -- with the Calico datastore. [Default: 5m]' -- type: string -- type: object -- workloadEndpoint: -- description: WorkloadEndpoint enables and configures the workload -- endpoint controller. 
Enabled by default, set to nil to disable. -- properties: -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform reconciliation -- with the Calico datastore. [Default: 5m]' -- type: string -- type: object -- type: object -- etcdV3CompactionPeriod: -- description: 'EtcdV3CompactionPeriod is the period between etcdv3 -- compaction requests. Set to 0 to disable. [Default: 10m]' -- type: string -- healthChecks: -- description: 'HealthChecks enables or disables support for health -- checks [Default: Enabled]' -- type: string -- logSeverityScreen: -- description: 'LogSeverityScreen is the log severity above which logs -- are sent to the stdout. [Default: Info]' -- type: string -- required: -- - controllers -- type: object -- status: -- description: KubeControllersConfigurationStatus represents the status -- of the configuration. It's useful for admins to be able to see the actual -- config that was applied, which can be modified by environment variables -- on the kube-controllers process. -- properties: -- environmentVars: -- additionalProperties: -- type: string -- description: EnvironmentVars contains the environment variables on -- the kube-controllers that influenced the RunningConfig. -- type: object -- runningConfig: -- description: RunningConfig contains the effective config that is running -- in the kube-controllers pod, after merging the API resource with -- any environment variables. -- properties: -- controllers: -- description: Controllers enables and configures individual Kubernetes -- controllers -- properties: -- namespace: -- description: Namespace enables and configures the namespace -- controller. Enabled by default, set to nil to disable. -- properties: -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform -- reconciliation with the Calico datastore. [Default: -- 5m]' -- type: string -- type: object -- node: -- description: Node enables and configures the node controller. 
-- Enabled by default, set to nil to disable. -- properties: -- hostEndpoint: -- description: HostEndpoint controls syncing nodes to host -- endpoints. Disabled by default, set to nil to disable. -- properties: -- autoCreate: -- description: 'AutoCreate enables automatic creation -- of host endpoints for every node. [Default: Disabled]' -- type: string -- type: object -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform -- reconciliation with the Calico datastore. [Default: -- 5m]' -- type: string -- syncLabels: -- description: 'SyncLabels controls whether to copy Kubernetes -- node labels to Calico nodes. [Default: Enabled]' -- type: string -- type: object -- policy: -- description: Policy enables and configures the policy controller. -- Enabled by default, set to nil to disable. -- properties: -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform -- reconciliation with the Calico datastore. [Default: -- 5m]' -- type: string -- type: object -- serviceAccount: -- description: ServiceAccount enables and configures the service -- account controller. Enabled by default, set to nil to disable. -- properties: -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform -- reconciliation with the Calico datastore. [Default: -- 5m]' -- type: string -- type: object -- workloadEndpoint: -- description: WorkloadEndpoint enables and configures the workload -- endpoint controller. Enabled by default, set to nil to disable. -- properties: -- reconcilerPeriod: -- description: 'ReconcilerPeriod is the period to perform -- reconciliation with the Calico datastore. [Default: -- 5m]' -- type: string -- type: object -- type: object -- etcdV3CompactionPeriod: -- description: 'EtcdV3CompactionPeriod is the period between etcdv3 -- compaction requests. Set to 0 to disable. 
[Default: 10m]' -- type: string -- healthChecks: -- description: 'HealthChecks enables or disables support for health -- checks [Default: Enabled]' -- type: string -- logSeverityScreen: -- description: 'LogSeverityScreen is the log severity above which -- logs are sent to the stdout. [Default: Info]' -- type: string -- required: -- - controllers -- type: object -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: networkpolicies.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: NetworkPolicy -- listKind: NetworkPolicyList -- plural: networkpolicies -- singular: networkpolicy -- scope: Namespaced -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' -- type: string -- metadata: -- type: object -- spec: -- properties: -- egress: -- description: The ordered set of egress rules. Each rule contains -- a set of packet match criteria and a corresponding action to apply. -- items: -- description: "A Rule encapsulates a set of match criteria and an -- action. 
Both selector-based security Policy and security Profiles -- reference rules - separated out as a list of rules for both ingress -- and egress packet matching. \n Each positive match criteria has -- a negated version, prefixed with ”Not”. All the match criteria -- within a rule must be satisfied for a packet to match. A single -- rule can contain the positive and negative version of a match -- and both must be satisfied for the rule to match." -- properties: -- action: -- type: string -- destination: -- description: Destination contains the match criteria that apply -- to destination entity. -- properties: -- namespaceSelector: -- description: "NamespaceSelector is an optional field that -- contains a selector expression. Only traffic that originates -- from (or terminates at) endpoints within the selected -- namespaces will be matched. When both NamespaceSelector -- and Selector are defined on the same rule, then only workload -- endpoints that are matched by both selectors will be selected -- by the rule. \n For NetworkPolicy, an empty NamespaceSelector -- implies that the Selector is limited to selecting only -- workload endpoints in the same namespace as the NetworkPolicy. -- \n For NetworkPolicy, `global()` NamespaceSelector implies -- that the Selector is limited to selecting only GlobalNetworkSet -- or HostEndpoint. \n For GlobalNetworkPolicy, an empty -- NamespaceSelector implies the Selector applies to workload -- endpoints across all namespaces." -- type: string -- nets: -- description: Nets is an optional field that restricts the -- rule to only apply to traffic that originates from (or -- terminates at) IP addresses in any of the given subnets. -- items: -- type: string -- type: array -- notNets: -- description: NotNets is the negated version of the Nets -- field. -- items: -- type: string -- type: array -- notPorts: -- description: NotPorts is the negated version of the Ports -- field. 
Since only some protocols have ports, if any ports -- are specified it requires the Protocol match in the Rule -- to be set to "TCP" or "UDP". -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- notSelector: -- description: NotSelector is the negated version of the Selector -- field. See Selector field for subtleties with negated -- selectors. -- type: string -- ports: -- description: "Ports is an optional field that restricts -- the rule to only apply to traffic that has a source (destination) -- port that matches one of these ranges/values. This value -- is a list of integers or strings that represent ranges -- of ports. \n Since only some protocols have ports, if -- any ports are specified it requires the Protocol match -- in the Rule to be set to \"TCP\" or \"UDP\"." -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- selector: -- description: "Selector is an optional field that contains -- a selector expression (see Policy for sample syntax). -- \ Only traffic that originates from (terminates at) endpoints -- matching the selector will be matched. \n Note that: in -- addition to the negated version of the Selector (see NotSelector -- below), the selector expression syntax itself supports -- negation. The two types of negation are subtly different. -- One negates the set of matched endpoints, the other negates -- the whole match: \n \tSelector = \"!has(my_label)\" matches -- packets that are from other Calico-controlled \tendpoints -- that do not have the label “my_label”. \n \tNotSelector -- = \"has(my_label)\" matches packets that are not from -- Calico-controlled \tendpoints that do have the label “my_label”. -- \n The effect is that the latter will accept packets from -- non-Calico sources whereas the former is limited to packets -- from Calico-controlled endpoints." 
-- type: string -- serviceAccounts: -- description: ServiceAccounts is an optional field that restricts -- the rule to only apply to traffic that originates from -- (or terminates at) a pod running as a matching service -- account. -- properties: -- names: -- description: Names is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account whose name is in the list. -- items: -- type: string -- type: array -- selector: -- description: Selector is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account that matches the given label selector. If -- both Names and Selector are specified then they are -- AND'ed. -- type: string -- type: object -- type: object -- http: -- description: HTTP contains match criteria that apply to HTTP -- requests. -- properties: -- methods: -- description: Methods is an optional field that restricts -- the rule to apply only to HTTP requests that use one of -- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple -- methods are OR'd together. -- items: -- type: string -- type: array -- paths: -- description: 'Paths is an optional field that restricts -- the rule to apply to HTTP requests that use one of the -- listed HTTP Paths. Multiple paths are OR''d together. -- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may -- ONLY specify either a `exact` or a `prefix` match. The -- validator will check for it.' -- items: -- description: 'HTTPPath specifies an HTTP path to match. -- It may be either of the form: exact: : which matches -- the path exactly or prefix: : which matches -- the path prefix' -- properties: -- exact: -- type: string -- prefix: -- type: string -- type: object -- type: array -- type: object -- icmp: -- description: ICMP is an optional field that restricts the rule -- to apply to a specific type and code of ICMP traffic. 
This -- should only be specified if the Protocol field is set to "ICMP" -- or "ICMPv6". -- properties: -- code: -- description: Match on a specific ICMP code. If specified, -- the Type value must also be specified. This is a technical -- limitation imposed by the kernel’s iptables firewall, -- which Calico uses to enforce the rule. -- type: integer -- type: -- description: Match on a specific ICMP type. For example -- a value of 8 refers to ICMP Echo Request (i.e. pings). -- type: integer -- type: object -- ipVersion: -- description: IPVersion is an optional field that restricts the -- rule to only match a specific IP version. -- type: integer -- metadata: -- description: Metadata contains additional information for this -- rule -- properties: -- annotations: -- additionalProperties: -- type: string -- description: Annotations is a set of key value pairs that -- give extra information about the rule -- type: object -- type: object -- notICMP: -- description: NotICMP is the negated version of the ICMP field. -- properties: -- code: -- description: Match on a specific ICMP code. If specified, -- the Type value must also be specified. This is a technical -- limitation imposed by the kernel’s iptables firewall, -- which Calico uses to enforce the rule. -- type: integer -- type: -- description: Match on a specific ICMP type. For example -- a value of 8 refers to ICMP Echo Request (i.e. pings). -- type: integer -- type: object -- notProtocol: -- anyOf: -- - type: integer -- - type: string -- description: NotProtocol is the negated version of the Protocol -- field. -- pattern: ^.* -- x-kubernetes-int-or-string: true -- protocol: -- anyOf: -- - type: integer -- - type: string -- description: "Protocol is an optional field that restricts the -- rule to only apply to traffic of a specific IP protocol. Required -- if any of the EntityRules contain Ports (because ports only -- apply to certain protocols). 
\n Must be one of these string -- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", -- \"UDPLite\" or an integer in the range 1-255." -- pattern: ^.* -- x-kubernetes-int-or-string: true -- source: -- description: Source contains the match criteria that apply to -- source entity. -- properties: -- namespaceSelector: -- description: "NamespaceSelector is an optional field that -- contains a selector expression. Only traffic that originates -- from (or terminates at) endpoints within the selected -- namespaces will be matched. When both NamespaceSelector -- and Selector are defined on the same rule, then only workload -- endpoints that are matched by both selectors will be selected -- by the rule. \n For NetworkPolicy, an empty NamespaceSelector -- implies that the Selector is limited to selecting only -- workload endpoints in the same namespace as the NetworkPolicy. -- \n For NetworkPolicy, `global()` NamespaceSelector implies -- that the Selector is limited to selecting only GlobalNetworkSet -- or HostEndpoint. \n For GlobalNetworkPolicy, an empty -- NamespaceSelector implies the Selector applies to workload -- endpoints across all namespaces." -- type: string -- nets: -- description: Nets is an optional field that restricts the -- rule to only apply to traffic that originates from (or -- terminates at) IP addresses in any of the given subnets. -- items: -- type: string -- type: array -- notNets: -- description: NotNets is the negated version of the Nets -- field. -- items: -- type: string -- type: array -- notPorts: -- description: NotPorts is the negated version of the Ports -- field. Since only some protocols have ports, if any ports -- are specified it requires the Protocol match in the Rule -- to be set to "TCP" or "UDP". -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- notSelector: -- description: NotSelector is the negated version of the Selector -- field. 
See Selector field for subtleties with negated -- selectors. -- type: string -- ports: -- description: "Ports is an optional field that restricts -- the rule to only apply to traffic that has a source (destination) -- port that matches one of these ranges/values. This value -- is a list of integers or strings that represent ranges -- of ports. \n Since only some protocols have ports, if -- any ports are specified it requires the Protocol match -- in the Rule to be set to \"TCP\" or \"UDP\"." -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- selector: -- description: "Selector is an optional field that contains -- a selector expression (see Policy for sample syntax). -- \ Only traffic that originates from (terminates at) endpoints -- matching the selector will be matched. \n Note that: in -- addition to the negated version of the Selector (see NotSelector -- below), the selector expression syntax itself supports -- negation. The two types of negation are subtly different. -- One negates the set of matched endpoints, the other negates -- the whole match: \n \tSelector = \"!has(my_label)\" matches -- packets that are from other Calico-controlled \tendpoints -- that do not have the label “my_label”. \n \tNotSelector -- = \"has(my_label)\" matches packets that are not from -- Calico-controlled \tendpoints that do have the label “my_label”. -- \n The effect is that the latter will accept packets from -- non-Calico sources whereas the former is limited to packets -- from Calico-controlled endpoints." -- type: string -- serviceAccounts: -- description: ServiceAccounts is an optional field that restricts -- the rule to only apply to traffic that originates from -- (or terminates at) a pod running as a matching service -- account. 
-- properties: -- names: -- description: Names is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account whose name is in the list. -- items: -- type: string -- type: array -- selector: -- description: Selector is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account that matches the given label selector. If -- both Names and Selector are specified then they are -- AND'ed. -- type: string -- type: object -- type: object -- required: -- - action -- type: object -- type: array -- ingress: -- description: The ordered set of ingress rules. Each rule contains -- a set of packet match criteria and a corresponding action to apply. -- items: -- description: "A Rule encapsulates a set of match criteria and an -- action. Both selector-based security Policy and security Profiles -- reference rules - separated out as a list of rules for both ingress -- and egress packet matching. \n Each positive match criteria has -- a negated version, prefixed with ”Not”. All the match criteria -- within a rule must be satisfied for a packet to match. A single -- rule can contain the positive and negative version of a match -- and both must be satisfied for the rule to match." -- properties: -- action: -- type: string -- destination: -- description: Destination contains the match criteria that apply -- to destination entity. -- properties: -- namespaceSelector: -- description: "NamespaceSelector is an optional field that -- contains a selector expression. Only traffic that originates -- from (or terminates at) endpoints within the selected -- namespaces will be matched. When both NamespaceSelector -- and Selector are defined on the same rule, then only workload -- endpoints that are matched by both selectors will be selected -- by the rule. 
\n For NetworkPolicy, an empty NamespaceSelector -- implies that the Selector is limited to selecting only -- workload endpoints in the same namespace as the NetworkPolicy. -- \n For NetworkPolicy, `global()` NamespaceSelector implies -- that the Selector is limited to selecting only GlobalNetworkSet -- or HostEndpoint. \n For GlobalNetworkPolicy, an empty -- NamespaceSelector implies the Selector applies to workload -- endpoints across all namespaces." -- type: string -- nets: -- description: Nets is an optional field that restricts the -- rule to only apply to traffic that originates from (or -- terminates at) IP addresses in any of the given subnets. -- items: -- type: string -- type: array -- notNets: -- description: NotNets is the negated version of the Nets -- field. -- items: -- type: string -- type: array -- notPorts: -- description: NotPorts is the negated version of the Ports -- field. Since only some protocols have ports, if any ports -- are specified it requires the Protocol match in the Rule -- to be set to "TCP" or "UDP". -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- notSelector: -- description: NotSelector is the negated version of the Selector -- field. See Selector field for subtleties with negated -- selectors. -- type: string -- ports: -- description: "Ports is an optional field that restricts -- the rule to only apply to traffic that has a source (destination) -- port that matches one of these ranges/values. This value -- is a list of integers or strings that represent ranges -- of ports. \n Since only some protocols have ports, if -- any ports are specified it requires the Protocol match -- in the Rule to be set to \"TCP\" or \"UDP\"." 
-- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- selector: -- description: "Selector is an optional field that contains -- a selector expression (see Policy for sample syntax). -- \ Only traffic that originates from (terminates at) endpoints -- matching the selector will be matched. \n Note that: in -- addition to the negated version of the Selector (see NotSelector -- below), the selector expression syntax itself supports -- negation. The two types of negation are subtly different. -- One negates the set of matched endpoints, the other negates -- the whole match: \n \tSelector = \"!has(my_label)\" matches -- packets that are from other Calico-controlled \tendpoints -- that do not have the label “my_label”. \n \tNotSelector -- = \"has(my_label)\" matches packets that are not from -- Calico-controlled \tendpoints that do have the label “my_label”. -- \n The effect is that the latter will accept packets from -- non-Calico sources whereas the former is limited to packets -- from Calico-controlled endpoints." -- type: string -- serviceAccounts: -- description: ServiceAccounts is an optional field that restricts -- the rule to only apply to traffic that originates from -- (or terminates at) a pod running as a matching service -- account. -- properties: -- names: -- description: Names is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account whose name is in the list. -- items: -- type: string -- type: array -- selector: -- description: Selector is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account that matches the given label selector. If -- both Names and Selector are specified then they are -- AND'ed. 
-- type: string -- type: object -- type: object -- http: -- description: HTTP contains match criteria that apply to HTTP -- requests. -- properties: -- methods: -- description: Methods is an optional field that restricts -- the rule to apply only to HTTP requests that use one of -- the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple -- methods are OR'd together. -- items: -- type: string -- type: array -- paths: -- description: 'Paths is an optional field that restricts -- the rule to apply to HTTP requests that use one of the -- listed HTTP Paths. Multiple paths are OR''d together. -- e.g: - exact: /foo - prefix: /bar NOTE: Each entry may -- ONLY specify either a `exact` or a `prefix` match. The -- validator will check for it.' -- items: -- description: 'HTTPPath specifies an HTTP path to match. -- It may be either of the form: exact: : which matches -- the path exactly or prefix: : which matches -- the path prefix' -- properties: -- exact: -- type: string -- prefix: -- type: string -- type: object -- type: array -- type: object -- icmp: -- description: ICMP is an optional field that restricts the rule -- to apply to a specific type and code of ICMP traffic. This -- should only be specified if the Protocol field is set to "ICMP" -- or "ICMPv6". -- properties: -- code: -- description: Match on a specific ICMP code. If specified, -- the Type value must also be specified. This is a technical -- limitation imposed by the kernel’s iptables firewall, -- which Calico uses to enforce the rule. -- type: integer -- type: -- description: Match on a specific ICMP type. For example -- a value of 8 refers to ICMP Echo Request (i.e. pings). -- type: integer -- type: object -- ipVersion: -- description: IPVersion is an optional field that restricts the -- rule to only match a specific IP version. 
-- type: integer -- metadata: -- description: Metadata contains additional information for this -- rule -- properties: -- annotations: -- additionalProperties: -- type: string -- description: Annotations is a set of key value pairs that -- give extra information about the rule -- type: object -- type: object -- notICMP: -- description: NotICMP is the negated version of the ICMP field. -- properties: -- code: -- description: Match on a specific ICMP code. If specified, -- the Type value must also be specified. This is a technical -- limitation imposed by the kernel’s iptables firewall, -- which Calico uses to enforce the rule. -- type: integer -- type: -- description: Match on a specific ICMP type. For example -- a value of 8 refers to ICMP Echo Request (i.e. pings). -- type: integer -- type: object -- notProtocol: -- anyOf: -- - type: integer -- - type: string -- description: NotProtocol is the negated version of the Protocol -- field. -- pattern: ^.* -- x-kubernetes-int-or-string: true -- protocol: -- anyOf: -- - type: integer -- - type: string -- description: "Protocol is an optional field that restricts the -- rule to only apply to traffic of a specific IP protocol. Required -- if any of the EntityRules contain Ports (because ports only -- apply to certain protocols). \n Must be one of these string -- values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", -- \"UDPLite\" or an integer in the range 1-255." -- pattern: ^.* -- x-kubernetes-int-or-string: true -- source: -- description: Source contains the match criteria that apply to -- source entity. -- properties: -- namespaceSelector: -- description: "NamespaceSelector is an optional field that -- contains a selector expression. Only traffic that originates -- from (or terminates at) endpoints within the selected -- namespaces will be matched. 
When both NamespaceSelector -- and Selector are defined on the same rule, then only workload -- endpoints that are matched by both selectors will be selected -- by the rule. \n For NetworkPolicy, an empty NamespaceSelector -- implies that the Selector is limited to selecting only -- workload endpoints in the same namespace as the NetworkPolicy. -- \n For NetworkPolicy, `global()` NamespaceSelector implies -- that the Selector is limited to selecting only GlobalNetworkSet -- or HostEndpoint. \n For GlobalNetworkPolicy, an empty -- NamespaceSelector implies the Selector applies to workload -- endpoints across all namespaces." -- type: string -- nets: -- description: Nets is an optional field that restricts the -- rule to only apply to traffic that originates from (or -- terminates at) IP addresses in any of the given subnets. -- items: -- type: string -- type: array -- notNets: -- description: NotNets is the negated version of the Nets -- field. -- items: -- type: string -- type: array -- notPorts: -- description: NotPorts is the negated version of the Ports -- field. Since only some protocols have ports, if any ports -- are specified it requires the Protocol match in the Rule -- to be set to "TCP" or "UDP". -- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- notSelector: -- description: NotSelector is the negated version of the Selector -- field. See Selector field for subtleties with negated -- selectors. -- type: string -- ports: -- description: "Ports is an optional field that restricts -- the rule to only apply to traffic that has a source (destination) -- port that matches one of these ranges/values. This value -- is a list of integers or strings that represent ranges -- of ports. \n Since only some protocols have ports, if -- any ports are specified it requires the Protocol match -- in the Rule to be set to \"TCP\" or \"UDP\"." 
-- items: -- anyOf: -- - type: integer -- - type: string -- pattern: ^.* -- x-kubernetes-int-or-string: true -- type: array -- selector: -- description: "Selector is an optional field that contains -- a selector expression (see Policy for sample syntax). -- \ Only traffic that originates from (terminates at) endpoints -- matching the selector will be matched. \n Note that: in -- addition to the negated version of the Selector (see NotSelector -- below), the selector expression syntax itself supports -- negation. The two types of negation are subtly different. -- One negates the set of matched endpoints, the other negates -- the whole match: \n \tSelector = \"!has(my_label)\" matches -- packets that are from other Calico-controlled \tendpoints -- that do not have the label “my_label”. \n \tNotSelector -- = \"has(my_label)\" matches packets that are not from -- Calico-controlled \tendpoints that do have the label “my_label”. -- \n The effect is that the latter will accept packets from -- non-Calico sources whereas the former is limited to packets -- from Calico-controlled endpoints." -- type: string -- serviceAccounts: -- description: ServiceAccounts is an optional field that restricts -- the rule to only apply to traffic that originates from -- (or terminates at) a pod running as a matching service -- account. -- properties: -- names: -- description: Names is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account whose name is in the list. -- items: -- type: string -- type: array -- selector: -- description: Selector is an optional field that restricts -- the rule to only apply to traffic that originates -- from (or terminates at) a pod running as a service -- account that matches the given label selector. If -- both Names and Selector are specified then they are -- AND'ed. 
-- type: string -- type: object -- type: object -- required: -- - action -- type: object -- type: array -- order: -- description: Order is an optional field that specifies the order in -- which the policy is applied. Policies with higher "order" are applied -- after those with lower order. If the order is omitted, it may be -- considered to be "infinite" - i.e. the policy will be applied last. Policies -- with identical order will be applied in alphanumerical order based -- on the Policy "Name". -- type: number -- selector: -- description: "The selector is an expression used to pick pick out -- the endpoints that the policy should be applied to. \n Selector -- expressions follow this syntax: \n \tlabel == \"string_literal\" -- \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -- \ -> not equal; also matches if label is not present \tlabel in -- { \"a\", \"b\", \"c\", ... } -> true if the value of label X is -- one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", -- ... } -> true if the value of label X is not one of \"a\", \"b\", -- \"c\" \thas(label_name) -> True if that label is present \t! expr -- -> negation of expr \texpr && expr -> Short-circuit and \texpr -- || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() -- or the empty selector -> matches all endpoints. \n Label names are -- allowed to contain alphanumerics, -, _ and /. String literals are -- more permissive but they do not support escape characters. \n Examples -- (with made-up labels): \n \ttype == \"webserver\" && deployment -- == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != -- \"dev\" \t! has(label_name)" -- type: string -- serviceAccountSelector: -- description: ServiceAccountSelector is an optional field for an expression -- used to select a pod based on service accounts. -- type: string -- types: -- description: "Types indicates whether this policy applies to ingress, -- or to egress, or to both. 
When not explicitly specified (and so -- the value on creation is empty or nil), Calico defaults Types according -- to what Ingress and Egress are present in the policy. The default -- is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including -- the case where there are also no Ingress rules) \n - [ PolicyTypeEgress -- ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, -- PolicyTypeEgress ], if there are both Ingress and Egress rules. -- \n When the policy is read back again, Types will always be one -- of these values, never empty or nil." -- items: -- description: PolicyType enumerates the possible values of the PolicySpec -- Types field. -- type: string -- type: array -- type: object -- type: object -- served: true -- storage: true --status: -- acceptedNames: -- kind: "" -- plural: "" -- conditions: [] -- storedVersions: [] -- ----- -- ----- --apiVersion: apiextensions.k8s.io/v1 --kind: CustomResourceDefinition --metadata: -- annotations: -- controller-gen.kubebuilder.io/version: (devel) -- creationTimestamp: null -- name: networksets.crd.projectcalico.org --spec: -- group: crd.projectcalico.org -- names: -- kind: NetworkSet -- listKind: NetworkSetList -- plural: networksets -- singular: networkset -- scope: Namespaced -- versions: -- - name: v1 -- schema: -- openAPIV3Schema: -- description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. -- properties: -- apiVersion: -- description: 'APIVersion defines the versioned schema of this representation -- of an object. Servers should convert recognized schemas to the latest -- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' -- type: string -- kind: -- description: 'Kind is a string value representing the REST resource this -- object represents. Servers may infer this from the endpoint the client -- submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-- type: string
-- metadata:
-- type: object
-- spec:
-- description: NetworkSetSpec contains the specification for a NetworkSet
-- resource.
-- properties:
-- nets:
-- description: The list of IP networks that belong to this set.
-- items:
-- type: string
-- type: array
-- type: object
-- type: object
-- served: true
-- storage: true
--status:
-- acceptedNames:
-- kind: ""
-- plural: ""
-- conditions: []
-- storedVersions: []
--
-----
-----
- # Source: calico/templates/calico-kube-controllers-rbac.yaml
-
- # Include a clusterrole for the kube-controllers component,
-@@ -3563,38 +339,10 @@
- terminationGracePeriodSeconds: 0
- priorityClassName: system-node-critical
- initContainers:
-- # This container performs upgrade from host-local IPAM to calico-ipam.
-- # It can be deleted if this is a fresh installation, or if you have already
-- # upgraded to use calico-ipam.
-- - name: upgrade-ipam
-- image: calico/cni:v3.16.5
-- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
-- envFrom:
-- - configMapRef:
-- # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
-- name: kubernetes-services-endpoint
-- optional: true
-- env:
-- - name: KUBERNETES_NODE_NAME
-- valueFrom:
-- fieldRef:
-- fieldPath: spec.nodeName
-- - name: CALICO_NETWORKING_BACKEND
-- valueFrom:
-- configMapKeyRef:
-- name: calico-config
-- key: calico_backend
-- volumeMounts:
-- - mountPath: /var/lib/cni/networks
-- name: host-local-net-dir
-- - mountPath: /host/opt/cni/bin
-- name: cni-bin-dir
-- securityContext:
-- privileged: true
- # This container installs the CNI binaries
- # and CNI network config file on each node.
- - name: install-cni
-- image: calico/cni:v3.16.5
-+ image: calico/cni:{{ default .Chart.AppVersion .Values.image.tag }}
- command: ["/opt/cni/bin/install"]
- envFrom:
- - configMapRef:
-@@ -3635,7 +383,7 @@
- # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
- # to communicate with Felix over the Policy Sync API.
- - name: flexvol-driver
-- image: calico/pod2daemon-flexvol:v3.16.5
-+ image: calico/pod2daemon-flexvol:{{ default .Chart.AppVersion .Values.image.tag }}
- volumeMounts:
- - name: flexvol-driver-host
- mountPath: /host/driver
-@@ -3646,7 +394,7 @@
- # container programs network policy and routes on each
- # host.
- - name: calico-node
-- image: calico/node:v3.16.5
-+ image: calico/node:{{ default .Chart.AppVersion .Values.image.tag }}
- envFrom:
- - configMapRef:
- # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
-@@ -3672,7 +420,7 @@
- key: calico_backend
- # Cluster type to identify the deployment type
- - name: CLUSTER_TYPE
-- value: "k8s,bgp"
-+ value: "k8s,kubeadm"
- # Auto-detect the BGP IP address.
- - name: IP
- value: "autodetect"
-@@ -3702,7 +450,7 @@
- key: veth_mtu
- # Disable AWS source-destination check on nodes.
- - name: FELIX_AWSSRCDSTCHECK
-- value: Disable
-+ value: DoNothing
- # The default IPv4 pool to create on startup if none exists. Pod IPs will be
- # chosen from this range. Changing this value after installation will have
- # no effect. This should fall within `--cluster-cidr`.
-@@ -3719,7 +467,15 @@
- value: "false"
- # Set Felix logging to "info"
- - name: FELIX_LOGSEVERITYSCREEN
-- value: "info"
-+ value: "{{ .Values.loglevel }}"
-+ - name: FELIX_LOGSEVERITYFILE
-+ value: "{{ .Values.loglevel }}"
-+ - name: FELIX_LOGSEVERITYSYS
-+ value: ""
-+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
-+ value: "{{ .Values.prometheus }}"
-+ - name: FELIX_PROMETHEUSMETRICSENABLED
-+ value: "{{ .Values.prometheus }}"
- - name: FELIX_HEALTHENABLED
- value: "true"
- securityContext:
-@@ -3840,6 +596,7 @@
- spec:
- nodeSelector:
- kubernetes.io/os: linux
-+ node-role.kubernetes.io/control-plane: ""
- tolerations:
- # Mark the pod as a critical add-on for rescheduling.
- - key: CriticalAddonsOnly
-@@ -3850,7 +607,7 @@
- priorityClassName: system-cluster-critical
- containers:
- - name: calico-kube-controllers
-- image: calico/kube-controllers:v3.16.5
-+ image: calico/kube-controllers:{{ default .Chart.AppVersion .Values.image.tag }}
- env:
- # Choose which controllers to run.
- - name: ENABLED_CONTROLLERS
diff --git a/charts/kubezero-network/charts/calico/crds/crds.yaml b/charts/kubezero-network/charts/calico/crds/crds.yaml
deleted file mode 100644
index afb8ee3..0000000
--- a/charts/kubezero-network/charts/calico/crds/crds.yaml
+++ /dev/null
@@ -1,3224 +0,0 @@ ---- -# Source: calico/templates/kdd-crds.yaml - - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: bgpconfigurations.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: BGPConfiguration - listKind: BGPConfigurationList - plural: bgpconfigurations - singular: bgpconfiguration - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: BGPConfiguration contains the configuration for any BGP routing. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BGPConfigurationSpec contains the values of the BGP configuration. - properties: - asNumber: - description: 'ASNumber is the default AS number used by a node. [Default: - 64512]' - format: int32 - type: integer - communities: - description: Communities is a list of BGP community values and their - arbitrary names for tagging routes. - items: - description: Community contains standard or large community value - and its name. - properties: - name: - description: Name given to community value. - type: string - value: - description: Value must be of format `aa:nn` or `aa:nn:mm`. 
- For standard community use `aa:nn` format, where `aa` and - `nn` are 16 bit number. For large community use `aa:nn:mm` - format, where `aa`, `nn` and `mm` are 32 bit number. Where, - `aa` is an AS Number, `nn` and `mm` are per-AS identifier. - pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ - type: string - type: object - type: array - listenPort: - description: ListenPort is the port where BGP protocol should listen. - Defaults to 179 - maximum: 65535 - minimum: 1 - type: integer - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: INFO]' - type: string - nodeToNodeMeshEnabled: - description: 'NodeToNodeMeshEnabled sets whether full node to node - BGP mesh is enabled. [Default: true]' - type: boolean - prefixAdvertisements: - description: PrefixAdvertisements contains per-prefix advertisement - configuration. - items: - description: PrefixAdvertisement configures advertisement properties - for the specified CIDR. - properties: - cidr: - description: CIDR for which properties should be advertised. - type: string - communities: - description: Communities can be list of either community names - already defined in `Specs.Communities` or community value - of format `aa:nn` or `aa:nn:mm`. For standard community use - `aa:nn` format, where `aa` and `nn` are 16 bit number. For - large community use `aa:nn:mm` format, where `aa`, `nn` and - `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and - `mm` are per-AS identifier. - items: - type: string - type: array - type: object - type: array - serviceClusterIPs: - description: ServiceClusterIPs are the CIDR blocks from which service - cluster IPs are allocated. If specified, Calico will advertise these - blocks, as well as any cluster IPs within them. - items: - description: ServiceClusterIPBlock represents a single allowed ClusterIP - CIDR block. 
- properties: - cidr: - type: string - type: object - type: array - serviceExternalIPs: - description: ServiceExternalIPs are the CIDR blocks for Kubernetes - Service External IPs. Kubernetes Service ExternalIPs will only be - advertised if they are within one of these blocks. - items: - description: ServiceExternalIPBlock represents a single allowed - External IP CIDR block. - properties: - cidr: - type: string - type: object - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: bgppeers.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: BGPPeer - listKind: BGPPeerList - plural: bgppeers - singular: bgppeer - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BGPPeerSpec contains the specification for a BGPPeer resource. - properties: - asNumber: - description: The AS Number of the peer. 
- format: int32 - type: integer - keepOriginalNextHop: - description: Option to keep the original nexthop field when routes - are sent to a BGP Peer. Setting "true" configures the selected BGP - Peers node to use the "next hop keep;" instead of "next hop self;"(default) - in the specific branch of the Node on "bird.cfg". - type: boolean - node: - description: The node name identifying the Calico node instance that - is peering with this peer. If this is not set, this represents a - global peer, i.e. a peer that peers with every node in the deployment. - type: string - nodeSelector: - description: Selector for the nodes that should have this peering. When - this is set, the Node field must be empty. - type: string - password: - description: Optional BGP password for the peerings generated by this - BGPPeer resource. - properties: - secretKeyRef: - description: Selects a key of a secret in the node pod's namespace. - properties: - key: - description: The key of the secret to select from. Must be - a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be - defined - type: boolean - required: - - key - type: object - type: object - peerIP: - description: The IP address of the peer followed by an optional port - number to peer with. If port number is given, format should be `[]:port` - or `:` for IPv4. If optional port number is not set, - and this peer IP and ASNumber belongs to a calico/node with ListenPort - set in BGPConfiguration, then we use that port to peer. - type: string - peerSelector: - description: Selector for the remote nodes to peer with. When this - is set, the PeerIP and ASNumber fields must be empty. 
For each - peering between the local node and selected remote nodes, we configure - an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, - and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The - remote AS number comes from the remote node’s NodeBGPSpec.ASNumber, - or the global default if that is not set. - type: string - required: - - asNumber - - peerIP - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: blockaffinities.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: BlockAffinity - listKind: BlockAffinityList - plural: blockaffinities - singular: blockaffinity - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BlockAffinitySpec contains the specification for a BlockAffinity - resource. - properties: - cidr: - type: string - deleted: - description: Deleted indicates that this block affinity is being deleted. 
- This field is a string for compatibility with older releases that - mistakenly treat this field as a string. - type: string - node: - type: string - state: - type: string - required: - - cidr - - deleted - - node - - state - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: clusterinformations.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: ClusterInformation - listKind: ClusterInformationList - plural: clusterinformations - singular: clusterinformation - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ClusterInformation contains the cluster specific information. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterInformationSpec contains the values of describing - the cluster. 
- properties: - calicoVersion: - description: CalicoVersion is the version of Calico that the cluster - is running - type: string - clusterGUID: - description: ClusterGUID is the GUID of the cluster - type: string - clusterType: - description: ClusterType describes the type of the cluster - type: string - datastoreReady: - description: DatastoreReady is used during significant datastore migrations - to signal to components such as Felix that it should wait before - accessing the datastore. - type: boolean - variant: - description: Variant declares which variant of Calico should be active. - type: string - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: felixconfigurations.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: FelixConfiguration - listKind: FelixConfigurationList - plural: felixconfigurations - singular: felixconfiguration - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: Felix Configuration contains the configuration for Felix. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: FelixConfigurationSpec contains the values of the Felix configuration. - properties: - allowIPIPPacketsFromWorkloads: - description: 'AllowIPIPPacketsFromWorkloads controls whether Felix - will add a rule to drop IPIP encapsulated traffic from workloads - [Default: false]' - type: boolean - allowVXLANPacketsFromWorkloads: - description: 'AllowVXLANPacketsFromWorkloads controls whether Felix - will add a rule to drop VXLAN encapsulated traffic from workloads - [Default: false]' - type: boolean - awsSrcDstCheck: - description: 'Set source-destination-check on AWS EC2 instances. Accepted - value must be one of "DoNothing", "Enabled" or "Disabled". [Default: - DoNothing]' - enum: - - DoNothing - - Enable - - Disable - type: string - bpfConnectTimeLoadBalancingEnabled: - description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, - controls whether Felix installs the connection-time load balancer. The - connect-time load balancer is required for the host to be able to - reach Kubernetes services and it improves the performance of pod-to-service - connections. The only reason to disable it is for debugging purposes. [Default: - true]' - type: boolean - bpfDataIfacePattern: - description: 'BPFDataIfacePattern is a regular expression that controls - which interfaces Felix should attach BPF programs to in order to - catch traffic to/from the network. This needs to match the interfaces - that Calico workload traffic flows over as well as any interfaces - that handle incoming traffic to nodeports and services from outside - the cluster. It should not match the workload interfaces (usually - named cali...). 
[Default: ^(en.*|eth.*|tunl0$)]' - type: string - bpfDisableUnprivileged: - description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled - sysctl to disable unprivileged use of BPF. This ensures that unprivileged - users cannot access Calico''s BPF maps and cannot insert their own - BPF programs to interfere with Calico''s. [Default: true]' - type: boolean - bpfEnabled: - description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. - [Default: false]' - type: boolean - bpfExternalServiceMode: - description: 'BPFExternalServiceMode in BPF mode, controls how connections - from outside the cluster to services (node ports and cluster IPs) - are forwarded to remote workloads. If set to "Tunnel" then both - request and response traffic is tunneled to the remote node. If - set to "DSR", the request traffic is tunneled but the response traffic - is sent directly from the remote node. In "DSR" mode, the remote - node appears to use the IP of the ingress node; this requires a - permissive L2 network. [Default: Tunnel]' - type: string - bpfKubeProxyEndpointSlicesEnabled: - description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls - whether Felix's embedded kube-proxy accepts EndpointSlices or not. - type: boolean - bpfKubeProxyIptablesCleanupEnabled: - description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF - mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s - iptables chains. Should only be enabled if kube-proxy is not running. [Default: - true]' - type: boolean - bpfKubeProxyMinSyncPeriod: - description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the - minimum time between updates to the dataplane for Felix''s embedded - kube-proxy. Lower values give reduced set-up latency. Higher values - reduce Felix CPU usage by batching up more work. 
[Default: 1s]' - type: string - bpfLogLevel: - description: 'BPFLogLevel controls the log level of the BPF programs - when in BPF dataplane mode. One of "Off", "Info", or "Debug". The - logs are emitted to the BPF trace pipe, accessible with the command - `tc exec bpf debug`. [Default: Off].' - type: string - chainInsertMode: - description: 'ChainInsertMode controls whether Felix hooks the kernel’s - top-level iptables chains by inserting a rule at the top of the - chain or by appending a rule at the bottom. insert is the safe default - since it prevents Calico’s rules from being bypassed. If you switch - to append mode, be sure that the other rules in the chains signal - acceptance by falling through to the Calico rules, otherwise the - Calico policy will be bypassed. [Default: insert]' - type: string - dataplaneDriver: - type: string - debugDisableLogDropping: - type: boolean - debugMemoryProfilePath: - type: string - debugSimulateCalcGraphHangAfter: - type: string - debugSimulateDataplaneHangAfter: - type: string - defaultEndpointToHostAction: - description: 'DefaultEndpointToHostAction controls what happens to - traffic that goes from a workload endpoint to the host itself (after - the traffic hits the endpoint egress policy). By default Calico - blocks traffic from workload endpoints to the host itself with an - iptables “DROP” action. If you want to allow some or all traffic - from endpoint to host, set this parameter to RETURN or ACCEPT. Use - RETURN if you have your own rules in the iptables “INPUT” chain; - Calico will insert its rules at the top of that chain, then “RETURN” - packets to the “INPUT” chain once it has completed processing workload - endpoint egress policy. Use ACCEPT to unconditionally accept packets - from workloads after processing workload endpoint egress policy. 
- [Default: Drop]' - type: string - deviceRouteProtocol: - description: This defines the route protocol added to programmed device - routes, by default this will be RTPROT_BOOT when left blank. - type: integer - deviceRouteSourceAddress: - description: This is the source address to use on programmed device - routes. By default the source address is left blank, leaving the - kernel to choose the source address used. - type: string - disableConntrackInvalidCheck: - type: boolean - endpointReportingDelay: - type: string - endpointReportingEnabled: - type: boolean - externalNodesList: - description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes - which may source tunnel traffic and have the tunneled traffic be - accepted at calico nodes. - items: - type: string - type: array - failsafeInboundHostPorts: - description: 'FailsafeInboundHostPorts is a comma-delimited list of - UDP/TCP ports that Felix will allow incoming traffic to host endpoints - on irrespective of the security policy. This is useful to avoid - accidentally cutting off a host with incorrect configuration. Each - port should be specified as tcp: or udp:. - For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all inbound host ports, use the value none. - The default value allows ssh access and DHCP. [Default: tcp:22, - udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' - items: - description: ProtoPort is combination of protocol and port, both - must be specified. - properties: - port: - type: integer - protocol: - type: string - required: - - port - - protocol - type: object - type: array - failsafeOutboundHostPorts: - description: 'FailsafeOutboundHostPorts is a comma-delimited list - of UDP/TCP ports that Felix will allow outgoing traffic from host - endpoints to irrespective of the security policy. This is useful - to avoid accidentally cutting off a host with incorrect configuration. 
- Each port should be specified as tcp: or udp:. - For back-compatibility, if the protocol is not specified, it defaults - to “tcp”. To disable all outbound host ports, use the value none. - The default value opens etcd’s standard ports to ensure that Felix - does not get cut off from etcd as well as allowing DHCP and DNS. - [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, - udp:53, udp:67]' - items: - description: ProtoPort is combination of protocol and port, both - must be specified. - properties: - port: - type: integer - protocol: - type: string - required: - - port - - protocol - type: object - type: array - featureDetectOverride: - description: FeatureDetectOverride is used to override the feature - detection. Values are specified in a comma separated list with no - spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". - "true" or "false" will force the feature, empty or omitted values - are auto-detected. - type: string - genericXDPEnabled: - description: 'GenericXDPEnabled enables Generic XDP so network cards - that don''t support XDP offload or driver modes can use XDP. This - is not recommended since it doesn''t provide better performance - than iptables. [Default: false]' - type: boolean - healthEnabled: - type: boolean - healthHost: - type: string - healthPort: - type: integer - interfaceExclude: - description: 'InterfaceExclude is a comma-separated list of interfaces - that Felix should exclude when monitoring for host endpoints. The - default value ensures that Felix ignores Kubernetes'' IPVS dummy - interface, which is used internally by kube-proxy. If you want to - exclude multiple interface names using a single value, the list - supports regular expressions. For regular expressions you must wrap - the value with ''/''. For example having values ''/^kube/,veth1'' - will exclude all interfaces that begin with ''kube'' and also the - interface ''veth1''. 
[Default: kube-ipvs0]' - type: string - interfacePrefix: - description: 'InterfacePrefix is the interface name prefix that identifies - workload endpoints and so distinguishes them from host endpoint - interfaces. Note: in environments other than bare metal, the orchestrators - configure this appropriately. For example our Kubernetes and Docker - integrations set the ‘cali’ value, and our OpenStack integration - sets the ‘tap’ value. [Default: cali]' - type: string - interfaceRefreshInterval: - description: InterfaceRefreshInterval is the period at which Felix - rescans local interfaces to verify their state. The rescan can be - disabled by setting the interval to 0. - type: string - ipipEnabled: - type: boolean - ipipMTU: - description: 'IPIPMTU is the MTU to set on the tunnel device. See - Configuring MTU [Default: 1440]' - type: integer - ipsetsRefreshInterval: - description: 'IpsetsRefreshInterval is the period at which Felix re-checks - all iptables state to ensure that no other process has accidentally - broken Calico’s rules. Set to 0 to disable iptables refresh. [Default: - 90s]' - type: string - iptablesBackend: - description: IptablesBackend specifies which backend of iptables will - be used. The default is legacy. - type: string - iptablesFilterAllowAction: - type: string - iptablesLockFilePath: - description: 'IptablesLockFilePath is the location of the iptables - lock file. You may need to change this if the lock file is not in - its standard location (for example if you have mapped it into Felix’s - container at a different path). [Default: /run/xtables.lock]' - type: string - iptablesLockProbeInterval: - description: 'IptablesLockProbeInterval is the time that Felix will - wait between attempts to acquire the iptables lock if it is not - available. Lower values make Felix more responsive when the lock - is contended, but use more CPU. 
[Default: 50ms]' - type: string - iptablesLockTimeout: - description: 'IptablesLockTimeout is the time that Felix will wait - for the iptables lock, or 0, to disable. To use this feature, Felix - must share the iptables lock file with all other processes that - also take the lock. When running Felix inside a container, this - requires the /run directory of the host to be mounted into the calico/node - or calico/felix container. [Default: 0s disabled]' - type: string - iptablesMangleAllowAction: - type: string - iptablesMarkMask: - description: 'IptablesMarkMask is the mask that Felix selects its - IPTables Mark bits from. Should be a 32 bit hexadecimal number with - at least 8 bits set, none of which clash with any other mark bits - in use on the system. [Default: 0xff000000]' - format: int32 - type: integer - iptablesNATOutgoingInterfaceFilter: - type: string - iptablesPostWriteCheckInterval: - description: 'IptablesPostWriteCheckInterval is the period after Felix - has done a write to the dataplane that it schedules an extra read - back in order to check the write was not clobbered by another process. - This should only occur if another application on the system doesn’t - respect the iptables lock. [Default: 1s]' - type: string - iptablesRefreshInterval: - description: 'IptablesRefreshInterval is the period at which Felix - re-checks the IP sets in the dataplane to ensure that no other process - has accidentally broken Calico’s rules. Set to 0 to disable IP sets - refresh. Note: the default for this value is lower than the other - refresh intervals as a workaround for a Linux kernel bug that was - fixed in kernel version 4.11. If you are using v4.11 or greater - you may want to set this to, a higher value to reduce Felix CPU - usage. [Default: 10s]' - type: string - ipv6Support: - type: boolean - kubeNodePortRanges: - description: 'KubeNodePortRanges holds list of port ranges used for - service node ports. 
Only used if felix detects kube-proxy running - in ipvs mode. Felix uses these ranges to separate host and workload - traffic. [Default: 30000:32767].' - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - logFilePath: - description: 'LogFilePath is the full path to the Felix log. Set to - none to disable file logging. [Default: /var/log/calico/felix.log]' - type: string - logPrefix: - description: 'LogPrefix is the log prefix that Felix uses when rendering - LOG rules. [Default: calico-packet]' - type: string - logSeverityFile: - description: 'LogSeverityFile is the log severity above which logs - are sent to the log file. [Default: Info]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: Info]' - type: string - logSeveritySys: - description: 'LogSeveritySys is the log severity above which logs - are sent to the syslog. Set to None for no logging to syslog. [Default: - Info]' - type: string - maxIpsetSize: - type: integer - metadataAddr: - description: 'MetadataAddr is the IP address or domain name of the - server that can answer VM queries for cloud-init metadata. In OpenStack, - this corresponds to the machine running nova-api (or in Ubuntu, - nova-api-metadata). A value of none (case insensitive) means that - Felix should not set up any NAT rule for the metadata path. [Default: - 127.0.0.1]' - type: string - metadataPort: - description: 'MetadataPort is the port of the metadata server. This, - combined with global.MetadataAddr (if not ‘None’), is used to set - up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. - In most cases this should not need to be changed [Default: 8775].' - type: integer - natOutgoingAddress: - description: NATOutgoingAddress specifies an address to use when performing - source NAT for traffic in a natOutgoing pool that is leaving the - network. 
By default the address used is an address on the interface - the traffic is leaving on (ie it uses the iptables MASQUERADE target) - type: string - natPortRange: - anyOf: - - type: integer - - type: string - description: NATPortRange specifies the range of ports that is used - for port mapping when doing outgoing NAT. When unset the default - behavior of the network stack is used. - pattern: ^.* - x-kubernetes-int-or-string: true - netlinkTimeout: - type: string - openstackRegion: - description: 'OpenstackRegion is the name of the region that a particular - Felix belongs to. In a multi-region Calico/OpenStack deployment, - this must be configured somehow for each Felix (here in the datamodel, - or in felix.cfg or the environment on each compute node), and must - match the [calico] openstack_region value configured in neutron.conf - on each node. [Default: Empty]' - type: string - policySyncPathPrefix: - description: 'PolicySyncPathPrefix is used to by Felix to communicate - policy changes to external services, like Application layer policy. - [Default: Empty]' - type: string - prometheusGoMetricsEnabled: - description: 'PrometheusGoMetricsEnabled disables Go runtime metrics - collection, which the Prometheus client does by default, when set - to false. This reduces the number of metrics reported, reducing - Prometheus load. [Default: true]' - type: boolean - prometheusMetricsEnabled: - description: 'PrometheusMetricsEnabled enables the Prometheus metrics - server in Felix if set to true. [Default: false]' - type: boolean - prometheusMetricsHost: - description: 'PrometheusMetricsHost is the host that the Prometheus - metrics server should bind to. [Default: empty]' - type: string - prometheusMetricsPort: - description: 'PrometheusMetricsPort is the TCP port that the Prometheus - metrics server should bind to. 
[Default: 9091]' - type: integer - prometheusProcessMetricsEnabled: - description: 'PrometheusProcessMetricsEnabled disables process metrics - collection, which the Prometheus client does by default, when set - to false. This reduces the number of metrics reported, reducing - Prometheus load. [Default: true]' - type: boolean - removeExternalRoutes: - description: Whether or not to remove device routes that have not - been programmed by Felix. Disabling this will allow external applications - to also add device routes. This is enabled by default which means - we will remove externally added routes. - type: boolean - reportingInterval: - description: 'ReportingInterval is the interval at which Felix reports - its status into the datastore or 0 to disable. Must be non-zero - in OpenStack deployments. [Default: 30s]' - type: string - reportingTTL: - description: 'ReportingTTL is the time-to-live setting for process-wide - status reports. [Default: 90s]' - type: string - routeRefreshInterval: - description: 'RouterefreshInterval is the period at which Felix re-checks - the routes in the dataplane to ensure that no other process has - accidentally broken Calico’s rules. Set to 0 to disable route refresh. - [Default: 90s]' - type: string - routeSource: - description: 'RouteSource configures where Felix gets its routing - information. - WorkloadIPs: use workload endpoints to construct - routes. - CalicoIPAM: the default - use IPAM data to construct routes.' - type: string - routeTableRange: - description: Calico programs additional Linux route tables for various - purposes. RouteTableRange specifies the indices of the route tables - that Calico should use. 
- properties: - max: - type: integer - min: - type: integer - required: - - max - - min - type: object - sidecarAccelerationEnabled: - description: 'SidecarAccelerationEnabled enables experimental sidecar - acceleration [Default: false]' - type: boolean - usageReportingEnabled: - description: 'UsageReportingEnabled reports anonymous Calico version - number and cluster size to projectcalico.org. Logs warnings returned - by the usage server. For example, if a significant security vulnerability - has been discovered in the version of Calico being used. [Default: - true]' - type: boolean - usageReportingInitialDelay: - description: 'UsageReportingInitialDelay controls the minimum delay - before Felix makes a report. [Default: 300s]' - type: string - usageReportingInterval: - description: 'UsageReportingInterval controls the interval at which - Felix makes reports. [Default: 86400s]' - type: string - useInternalDataplaneDriver: - type: boolean - vxlanEnabled: - type: boolean - vxlanMTU: - description: 'VXLANMTU is the MTU to set on the tunnel device. See - Configuring MTU [Default: 1440]' - type: integer - vxlanPort: - type: integer - vxlanVNI: - type: integer - wireguardEnabled: - description: 'WireguardEnabled controls whether Wireguard is enabled. - [Default: false]' - type: boolean - wireguardInterfaceName: - description: 'WireguardInterfaceName specifies the name to use for - the Wireguard interface. [Default: wg.calico]' - type: string - wireguardListeningPort: - description: 'WireguardListeningPort controls the listening port used - by Wireguard. [Default: 51820]' - type: integer - wireguardMTU: - description: 'WireguardMTU controls the MTU on the Wireguard interface. - See Configuring MTU [Default: 1420]' - type: integer - wireguardRoutingRulePriority: - description: 'WireguardRoutingRulePriority controls the priority value - to use for the Wireguard routing rule. 
[Default: 99]' - type: integer - xdpEnabled: - description: 'XDPEnabled enables XDP acceleration for suitable untracked - incoming deny rules. [Default: true]' - type: boolean - xdpRefreshInterval: - description: 'XDPRefreshInterval is the period at which Felix re-checks - all XDP state to ensure that no other process has accidentally broken - Calico''s BPF maps or attached programs. Set to 0 to disable XDP - refresh. [Default: 90s]' - type: string - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: globalnetworkpolicies.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: GlobalNetworkPolicy - listKind: GlobalNetworkPolicyList - plural: globalnetworkpolicies - singular: globalnetworkpolicy - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - applyOnForward: - description: ApplyOnForward indicates to apply the rules in this policy - on forward traffic. 
- type: boolean - doNotTrack: - description: DoNotTrack indicates whether packets matched by the rules - in this policy should go through the data plane's connection tracking, - such as Linux conntrack. If True, the rules in this policy are - applied before any data plane connection tracking, and packets allowed - by this policy are marked as not to be tracked. - type: boolean - egress: - description: The ordered set of egress rules. Each rule contains - a set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an - action. Both selector-based security Policy and security Profiles - reference rules - separated out as a list of rules for both ingress - and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria - within a rule must be satisfied for a packet to match. A single - rule can contain the positive and negative version of a match - and both must be satisfied for the rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and Selector are defined on the same rule, then only workload - endpoints that are matched by both selectors will be selected - by the rule. \n For NetworkPolicy, an empty NamespaceSelector - implies that the Selector is limited to selecting only - workload endpoints in the same namespace as the NetworkPolicy. - \n For NetworkPolicy, `global()` NamespaceSelector implies - that the Selector is limited to selecting only GlobalNetworkSet - or HostEndpoint. 
\n For GlobalNetworkPolicy, an empty - NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. 
- One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: Methods is an optional field that restricts - the rule to apply only to HTTP requests that use one of - the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple - methods are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts - the rule to apply to HTTP requests that use one of the - listed HTTP Paths. Multiple paths are OR''d together. - e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a `exact` or a `prefix` match. 
The - validator will check for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. - It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. 
- pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", - \"UDPLite\" or an integer in the range 1-255." - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and Selector are defined on the same rule, then only workload - endpoints that are matched by both selectors will be selected - by the rule. \n For NetworkPolicy, an empty NamespaceSelector - implies that the Selector is limited to selecting only - workload endpoints in the same namespace as the NetworkPolicy. - \n For NetworkPolicy, `global()` NamespaceSelector implies - that the Selector is limited to selecting only GlobalNetworkSet - or HostEndpoint. \n For GlobalNetworkPolicy, an empty - NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. 
Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." 
- type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: The ordered set of ingress rules. Each rule contains - a set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an - action. Both selector-based security Policy and security Profiles - reference rules - separated out as a list of rules for both ingress - and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria - within a rule must be satisfied for a packet to match. A single - rule can contain the positive and negative version of a match - and both must be satisfied for the rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. 
When both NamespaceSelector - and Selector are defined on the same rule, then only workload - endpoints that are matched by both selectors will be selected - by the rule. \n For NetworkPolicy, an empty NamespaceSelector - implies that the Selector is limited to selecting only - workload endpoints in the same namespace as the NetworkPolicy. - \n For NetworkPolicy, `global()` NamespaceSelector implies - that the Selector is limited to selecting only GlobalNetworkSet - or HostEndpoint. \n For GlobalNetworkPolicy, an empty - NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." 
- items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. 
- properties: - methods: - description: Methods is an optional field that restricts - the rule to apply only to HTTP requests that use one of - the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple - methods are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts - the rule to apply to HTTP requests that use one of the - listed HTTP Paths. Multiple paths are OR''d together. - e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a `exact` or a `prefix` match. The - validator will check for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. - It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. 
- type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", - \"UDPLite\" or an integer in the range 1-255." - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and Selector are defined on the same rule, then only workload - endpoints that are matched by both selectors will be selected - by the rule. 
\n For NetworkPolicy, an empty NamespaceSelector - implies that the Selector is limited to selecting only - workload endpoints in the same namespace as the NetworkPolicy. - \n For NetworkPolicy, `global()` NamespaceSelector implies - that the Selector is limited to selecting only GlobalNetworkSet - or HostEndpoint. \n For GlobalNetworkPolicy, an empty - NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). 
- \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - type: object - required: - - action - type: object - type: array - namespaceSelector: - description: NamespaceSelector is an optional field for an expression - used to select a pod based on namespaces. - type: string - order: - description: Order is an optional field that specifies the order in - which the policy is applied. 
Policies with higher "order" are applied - after those with lower order. If the order is omitted, it may be - considered to be "infinite" - i.e. the policy will be applied last. Policies - with identical order will be applied in alphanumerical order based - on the Policy "Name". - type: number - preDNAT: - description: PreDNAT indicates to apply the rules in this policy before - any DNAT. - type: boolean - selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... } -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() - or the empty selector -> matches all endpoints. \n Label names are - allowed to contain alphanumerics, -, _ and /. String literals are - more permissive but they do not support escape characters. \n Examples - (with made-up labels): \n \ttype == \"webserver\" && deployment - == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != - \"dev\" \t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - types: - description: "Types indicates whether this policy applies to ingress, - or to egress, or to both. 
When not explicitly specified (and so - the value on creation is empty or nil), Calico defaults Types according - to what Ingress and Egress rules are present in the policy. The - default is: \n - [ PolicyTypeIngress ], if there are no Egress rules - (including the case where there are also no Ingress rules) \n - - [ PolicyTypeEgress ], if there are Egress rules but no Ingress - rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are - both Ingress and Egress rules. \n When the policy is read back again, - Types will always be one of these values, never empty or nil." - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: globalnetworksets.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: GlobalNetworkSet - listKind: GlobalNetworkSetList - plural: globalnetworksets - singular: globalnetworkset - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs - that share labels to allow rules to refer to them via selectors. The labels - of GlobalNetworkSet are not namespaced. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: GlobalNetworkSetSpec contains the specification for a NetworkSet - resource. - properties: - nets: - description: The list of IP networks that belong to this set. - items: - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: hostendpoints.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: HostEndpoint - listKind: HostEndpointList - plural: hostendpoints - singular: hostendpoint - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: HostEndpointSpec contains the specification for a HostEndpoint - resource. - properties: - expectedIPs: - description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. 
- If \"InterfaceName\" is not present, Calico will look for an interface - matching any of the IPs in the list and apply policy to that. Note: - \tWhen using the selector match criteria in an ingress or egress - security Policy \tor Profile, Calico converts the selector into - a set of IP addresses. For host \tendpoints, the ExpectedIPs field - is used for that purpose. (If only the interface \tname is specified, - Calico does not learn the IPs of the interface for use in match - \tcriteria.)" - items: - type: string - type: array - interfaceName: - description: "Either \"*\", or the name of a specific Linux interface - to apply policy to; or empty. \"*\" indicates that this HostEndpoint - governs all traffic to, from or through the default network namespace - of the host named by the \"Node\" field; entering and leaving that - namespace via any interface, including those from/to non-host-networked - local workloads. \n If InterfaceName is not \"*\", this HostEndpoint - only governs traffic that enters or leaves the host through the - specific interface named by InterfaceName, or - when InterfaceName - is empty - through the specific interface that has one of the IPs - in ExpectedIPs. Therefore, when InterfaceName is empty, at least - one expected IP must be specified. Only external interfaces (such - as “eth0”) are supported here; it isn't possible for a HostEndpoint - to protect traffic through a specific local workload interface. - \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; - initially just pre-DNAT policy. Please check Calico documentation - for the latest position." - type: string - node: - description: The node name identifying the Calico node instance. - type: string - ports: - description: Ports contains the endpoint's named ports, which may - be referenced in security policy rules. 
- items: - properties: - name: - type: string - port: - type: integer - protocol: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - required: - - name - - port - - protocol - type: object - type: array - profiles: - description: A list of identifiers of security Profile objects that - apply to this endpoint. Each profile is applied in the order that - they appear in this list. Profile rules are applied after the selector-based - security policy. - items: - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: ipamblocks.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: IPAMBlock - listKind: IPAMBlockList - plural: ipamblocks - singular: ipamblock - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPAMBlockSpec contains the specification for an IPAMBlock - resource. 
- properties: - affinity: - type: string - allocations: - items: - type: integer - # TODO: This nullable is manually added in. We should update controller-gen - # to handle []*int properly itself. - nullable: true - type: array - attributes: - items: - properties: - handle_id: - type: string - secondary: - additionalProperties: - type: string - type: object - type: object - type: array - cidr: - type: string - deleted: - type: boolean - strictAffinity: - type: boolean - unallocated: - items: - type: integer - type: array - required: - - allocations - - attributes - - cidr - - deleted - - strictAffinity - - unallocated - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: ipamconfigs.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: IPAMConfig - listKind: IPAMConfigList - plural: ipamconfigs - singular: ipamconfig - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPAMConfigSpec contains the specification for an IPAMConfig - resource. - properties: - autoAllocateBlocks: - type: boolean - strictAffinity: - type: boolean - required: - - autoAllocateBlocks - - strictAffinity - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: ipamhandles.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: IPAMHandle - listKind: IPAMHandleList - plural: ipamhandles - singular: ipamhandle - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPAMHandleSpec contains the specification for an IPAMHandle - resource. 
- properties: - block: - additionalProperties: - type: integer - type: object - handleID: - type: string - required: - - block - - handleID - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: ippools.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: IPPool - listKind: IPPoolList - plural: ippools - singular: ippool - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPPoolSpec contains the specification for an IPPool resource. - properties: - blockSize: - description: The block size to use for IP address assignments from - this pool. Defaults to 26 for IPv4 and 112 for IPv6. - type: integer - cidr: - description: The pool CIDR. - type: string - disabled: - description: When disabled is true, Calico IPAM will not assign addresses - from this pool. - type: boolean - ipip: - description: 'Deprecated: this field is only used for APIv1 backwards - compatibility. 
Setting this field is not allowed, this field is - for internal use only.' - properties: - enabled: - description: When enabled is true, ipip tunneling will be used - to deliver packets to destinations within this pool. - type: boolean - mode: - description: The IPIP mode. This can be one of "always" or "cross-subnet". A - mode of "always" will also use IPIP tunneling for routing to - destination IP addresses within this pool. A mode of "cross-subnet" - will only use IPIP tunneling when the destination node is on - a different subnet to the originating node. The default value - (if not specified) is "always". - type: string - type: object - ipipMode: - description: Contains configuration for IPIP tunneling for this pool. - If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling - is disabled). - type: string - nat-outgoing: - description: 'Deprecated: this field is only used for APIv1 backwards - compatibility. Setting this field is not allowed, this field is - for internal use only.' - type: boolean - natOutgoing: - description: When nat-outgoing is true, packets sent from Calico networked - containers in this pool to destinations outside of this pool will - be masqueraded. - type: boolean - nodeSelector: - description: Allows IPPool to allocate for a specific node by label - selector. - type: string - vxlanMode: - description: Contains configuration for VXLAN tunneling for this pool. - If not specified, then this is defaulted to "Never" (i.e. VXLAN - tunneling is disabled). 
- type: string - required: - - cidr - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: kubecontrollersconfigurations.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: KubeControllersConfiguration - listKind: KubeControllersConfigurationList - plural: kubecontrollersconfigurations - singular: kubecontrollersconfiguration - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: KubeControllersConfigurationSpec contains the values of the - Kubernetes controllers configuration. - properties: - controllers: - description: Controllers enables and configures individual Kubernetes - controllers - properties: - namespace: - description: Namespace enables and configures the namespace controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. 
[Default: 5m]' - type: string - type: object - node: - description: Node enables and configures the node controller. - Enabled by default, set to nil to disable. - properties: - hostEndpoint: - description: HostEndpoint controls syncing nodes to host endpoints. - Disabled by default, set to nil to disable. - properties: - autoCreate: - description: 'AutoCreate enables automatic creation of - host endpoints for every node. [Default: Disabled]' - type: string - type: object - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - syncLabels: - description: 'SyncLabels controls whether to copy Kubernetes - node labels to Calico nodes. [Default: Enabled]' - type: string - type: object - policy: - description: Policy enables and configures the policy controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - serviceAccount: - description: ServiceAccount enables and configures the service - account controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - workloadEndpoint: - description: WorkloadEndpoint enables and configures the workload - endpoint controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform reconciliation - with the Calico datastore. [Default: 5m]' - type: string - type: object - type: object - etcdV3CompactionPeriod: - description: 'EtcdV3CompactionPeriod is the period between etcdv3 - compaction requests. Set to 0 to disable. 
[Default: 10m]' - type: string - healthChecks: - description: 'HealthChecks enables or disables support for health - checks [Default: Enabled]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which logs - are sent to the stdout. [Default: Info]' - type: string - required: - - controllers - type: object - status: - description: KubeControllersConfigurationStatus represents the status - of the configuration. It's useful for admins to be able to see the actual - config that was applied, which can be modified by environment variables - on the kube-controllers process. - properties: - environmentVars: - additionalProperties: - type: string - description: EnvironmentVars contains the environment variables on - the kube-controllers that influenced the RunningConfig. - type: object - runningConfig: - description: RunningConfig contains the effective config that is running - in the kube-controllers pod, after merging the API resource with - any environment variables. - properties: - controllers: - description: Controllers enables and configures individual Kubernetes - controllers - properties: - namespace: - description: Namespace enables and configures the namespace - controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - node: - description: Node enables and configures the node controller. - Enabled by default, set to nil to disable. - properties: - hostEndpoint: - description: HostEndpoint controls syncing nodes to host - endpoints. Disabled by default, set to nil to disable. - properties: - autoCreate: - description: 'AutoCreate enables automatic creation - of host endpoints for every node. 
[Default: Disabled]' - type: string - type: object - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - syncLabels: - description: 'SyncLabels controls whether to copy Kubernetes - node labels to Calico nodes. [Default: Enabled]' - type: string - type: object - policy: - description: Policy enables and configures the policy controller. - Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - serviceAccount: - description: ServiceAccount enables and configures the service - account controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - workloadEndpoint: - description: WorkloadEndpoint enables and configures the workload - endpoint controller. Enabled by default, set to nil to disable. - properties: - reconcilerPeriod: - description: 'ReconcilerPeriod is the period to perform - reconciliation with the Calico datastore. [Default: - 5m]' - type: string - type: object - type: object - etcdV3CompactionPeriod: - description: 'EtcdV3CompactionPeriod is the period between etcdv3 - compaction requests. Set to 0 to disable. [Default: 10m]' - type: string - healthChecks: - description: 'HealthChecks enables or disables support for health - checks [Default: Enabled]' - type: string - logSeverityScreen: - description: 'LogSeverityScreen is the log severity above which - logs are sent to the stdout. 
[Default: Info]' - type: string - required: - - controllers - type: object - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: networkpolicies.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: NetworkPolicy - listKind: NetworkPolicyList - plural: networkpolicies - singular: networkpolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - egress: - description: The ordered set of egress rules. Each rule contains - a set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an - action. Both selector-based security Policy and security Profiles - reference rules - separated out as a list of rules for both ingress - and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria - within a rule must be satisfied for a packet to match. 
A single - rule can contain the positive and negative version of a match - and both must be satisfied for the rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and Selector are defined on the same rule, then only workload - endpoints that are matched by both selectors will be selected - by the rule. \n For NetworkPolicy, an empty NamespaceSelector - implies that the Selector is limited to selecting only - workload endpoints in the same namespace as the NetworkPolicy. - \n For NetworkPolicy, `global()` NamespaceSelector implies - that the Selector is limited to selecting only GlobalNetworkSet - or HostEndpoint. \n For GlobalNetworkPolicy, an empty - NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. 
- type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. 
- items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: Methods is an optional field that restricts - the rule to apply only to HTTP requests that use one of - the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple - methods are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts - the rule to apply to HTTP requests that use one of the - listed HTTP Paths. Multiple paths are OR''d together. - e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a `exact` or a `prefix` match. The - validator will check for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. - It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). 
- type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. - pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", - \"UDPLite\" or an integer in the range 1-255." - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. 
When both NamespaceSelector - and Selector are defined on the same rule, then only workload - endpoints that are matched by both selectors will be selected - by the rule. \n For NetworkPolicy, an empty NamespaceSelector - implies that the Selector is limited to selecting only - workload endpoints in the same namespace as the NetworkPolicy. - \n For NetworkPolicy, `global()` NamespaceSelector implies - that the Selector is limited to selecting only GlobalNetworkSet - or HostEndpoint. \n For GlobalNetworkPolicy, an empty - NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." 
- items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. 
- type: string - type: object - type: object - required: - - action - type: object - type: array - ingress: - description: The ordered set of ingress rules. Each rule contains - a set of packet match criteria and a corresponding action to apply. - items: - description: "A Rule encapsulates a set of match criteria and an - action. Both selector-based security Policy and security Profiles - reference rules - separated out as a list of rules for both ingress - and egress packet matching. \n Each positive match criteria has - a negated version, prefixed with ”Not”. All the match criteria - within a rule must be satisfied for a packet to match. A single - rule can contain the positive and negative version of a match - and both must be satisfied for the rule to match." - properties: - action: - type: string - destination: - description: Destination contains the match criteria that apply - to destination entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and Selector are defined on the same rule, then only workload - endpoints that are matched by both selectors will be selected - by the rule. \n For NetworkPolicy, an empty NamespaceSelector - implies that the Selector is limited to selecting only - workload endpoints in the same namespace as the NetworkPolicy. - \n For NetworkPolicy, `global()` NamespaceSelector implies - that the Selector is limited to selecting only GlobalNetworkSet - or HostEndpoint. \n For GlobalNetworkPolicy, an empty - NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. 
- items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. 
- \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." - type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - type: object - http: - description: HTTP contains match criteria that apply to HTTP - requests. - properties: - methods: - description: Methods is an optional field that restricts - the rule to apply only to HTTP requests that use one of - the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple - methods are OR'd together. - items: - type: string - type: array - paths: - description: 'Paths is an optional field that restricts - the rule to apply to HTTP requests that use one of the - listed HTTP Paths. Multiple paths are OR''d together. - e.g: - exact: /foo - prefix: /bar NOTE: Each entry may - ONLY specify either a `exact` or a `prefix` match. The - validator will check for it.' - items: - description: 'HTTPPath specifies an HTTP path to match. 
- It may be either of the form: exact: : which matches - the path exactly or prefix: : which matches - the path prefix' - properties: - exact: - type: string - prefix: - type: string - type: object - type: array - type: object - icmp: - description: ICMP is an optional field that restricts the rule - to apply to a specific type and code of ICMP traffic. This - should only be specified if the Protocol field is set to "ICMP" - or "ICMPv6". - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - ipVersion: - description: IPVersion is an optional field that restricts the - rule to only match a specific IP version. - type: integer - metadata: - description: Metadata contains additional information for this - rule - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a set of key value pairs that - give extra information about the rule - type: object - type: object - notICMP: - description: NotICMP is the negated version of the ICMP field. - properties: - code: - description: Match on a specific ICMP code. If specified, - the Type value must also be specified. This is a technical - limitation imposed by the kernel’s iptables firewall, - which Calico uses to enforce the rule. - type: integer - type: - description: Match on a specific ICMP type. For example - a value of 8 refers to ICMP Echo Request (i.e. pings). - type: integer - type: object - notProtocol: - anyOf: - - type: integer - - type: string - description: NotProtocol is the negated version of the Protocol - field. 
- pattern: ^.* - x-kubernetes-int-or-string: true - protocol: - anyOf: - - type: integer - - type: string - description: "Protocol is an optional field that restricts the - rule to only apply to traffic of a specific IP protocol. Required - if any of the EntityRules contain Ports (because ports only - apply to certain protocols). \n Must be one of these string - values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", - \"UDPLite\" or an integer in the range 1-255." - pattern: ^.* - x-kubernetes-int-or-string: true - source: - description: Source contains the match criteria that apply to - source entity. - properties: - namespaceSelector: - description: "NamespaceSelector is an optional field that - contains a selector expression. Only traffic that originates - from (or terminates at) endpoints within the selected - namespaces will be matched. When both NamespaceSelector - and Selector are defined on the same rule, then only workload - endpoints that are matched by both selectors will be selected - by the rule. \n For NetworkPolicy, an empty NamespaceSelector - implies that the Selector is limited to selecting only - workload endpoints in the same namespace as the NetworkPolicy. - \n For NetworkPolicy, `global()` NamespaceSelector implies - that the Selector is limited to selecting only GlobalNetworkSet - or HostEndpoint. \n For GlobalNetworkPolicy, an empty - NamespaceSelector implies the Selector applies to workload - endpoints across all namespaces." - type: string - nets: - description: Nets is an optional field that restricts the - rule to only apply to traffic that originates from (or - terminates at) IP addresses in any of the given subnets. - items: - type: string - type: array - notNets: - description: NotNets is the negated version of the Nets - field. - items: - type: string - type: array - notPorts: - description: NotPorts is the negated version of the Ports - field. 
Since only some protocols have ports, if any ports - are specified it requires the Protocol match in the Rule - to be set to "TCP" or "UDP". - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - notSelector: - description: NotSelector is the negated version of the Selector - field. See Selector field for subtleties with negated - selectors. - type: string - ports: - description: "Ports is an optional field that restricts - the rule to only apply to traffic that has a source (destination) - port that matches one of these ranges/values. This value - is a list of integers or strings that represent ranges - of ports. \n Since only some protocols have ports, if - any ports are specified it requires the Protocol match - in the Rule to be set to \"TCP\" or \"UDP\"." - items: - anyOf: - - type: integer - - type: string - pattern: ^.* - x-kubernetes-int-or-string: true - type: array - selector: - description: "Selector is an optional field that contains - a selector expression (see Policy for sample syntax). - \ Only traffic that originates from (terminates at) endpoints - matching the selector will be matched. \n Note that: in - addition to the negated version of the Selector (see NotSelector - below), the selector expression syntax itself supports - negation. The two types of negation are subtly different. - One negates the set of matched endpoints, the other negates - the whole match: \n \tSelector = \"!has(my_label)\" matches - packets that are from other Calico-controlled \tendpoints - that do not have the label “my_label”. \n \tNotSelector - = \"has(my_label)\" matches packets that are not from - Calico-controlled \tendpoints that do have the label “my_label”. - \n The effect is that the latter will accept packets from - non-Calico sources whereas the former is limited to packets - from Calico-controlled endpoints." 
- type: string - serviceAccounts: - description: ServiceAccounts is an optional field that restricts - the rule to only apply to traffic that originates from - (or terminates at) a pod running as a matching service - account. - properties: - names: - description: Names is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account whose name is in the list. - items: - type: string - type: array - selector: - description: Selector is an optional field that restricts - the rule to only apply to traffic that originates - from (or terminates at) a pod running as a service - account that matches the given label selector. If - both Names and Selector are specified then they are - AND'ed. - type: string - type: object - type: object - required: - - action - type: object - type: array - order: - description: Order is an optional field that specifies the order in - which the policy is applied. Policies with higher "order" are applied - after those with lower order. If the order is omitted, it may be - considered to be "infinite" - i.e. the policy will be applied last. Policies - with identical order will be applied in alphanumerical order based - on the Policy "Name". - type: number - selector: - description: "The selector is an expression used to pick pick out - the endpoints that the policy should be applied to. \n Selector - expressions follow this syntax: \n \tlabel == \"string_literal\" - \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" - \ -> not equal; also matches if label is not present \tlabel in - { \"a\", \"b\", \"c\", ... } -> true if the value of label X is - one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", - ... } -> true if the value of label X is not one of \"a\", \"b\", - \"c\" \thas(label_name) -> True if that label is present \t! 
expr - -> negation of expr \texpr && expr -> Short-circuit and \texpr - || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() - or the empty selector -> matches all endpoints. \n Label names are - allowed to contain alphanumerics, -, _ and /. String literals are - more permissive but they do not support escape characters. \n Examples - (with made-up labels): \n \ttype == \"webserver\" && deployment - == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != - \"dev\" \t! has(label_name)" - type: string - serviceAccountSelector: - description: ServiceAccountSelector is an optional field for an expression - used to select a pod based on service accounts. - type: string - types: - description: "Types indicates whether this policy applies to ingress, - or to egress, or to both. When not explicitly specified (and so - the value on creation is empty or nil), Calico defaults Types according - to what Ingress and Egress are present in the policy. The default - is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including - the case where there are also no Ingress rules) \n - [ PolicyTypeEgress - ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, - PolicyTypeEgress ], if there are both Ingress and Egress rules. - \n When the policy is read back again, Types will always be one - of these values, never empty or nil." - items: - description: PolicyType enumerates the possible values of the PolicySpec - Types field. 
- type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - name: networksets.crd.projectcalico.org -spec: - group: crd.projectcalico.org - names: - kind: NetworkSet - listKind: NetworkSetList - plural: networksets - singular: networkset - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: NetworkSetSpec contains the specification for a NetworkSet - resource. - properties: - nets: - description: The list of IP networks that belong to this set. - items: - type: string - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] - ---- diff --git a/charts/kubezero-network/charts/calico/templates/calico.yaml b/charts/kubezero-network/charts/calico/templates/calico.yaml deleted file mode 100644 index d9ad1d7..0000000 
--- a/charts/kubezero-network/charts/calico/templates/calico.yaml
+++ /dev/null
@@ -1,645 +0,0 @@ ---- -# Source: calico/templates/calico-config.yaml -# This ConfigMap is used to configure a self-hosted Calico installation. -kind: ConfigMap -apiVersion: v1 -metadata: - name: calico-config - namespace: kube-system -data: - # Typha is disabled. - typha_service_name: "none" - # Configure the backend to use. - calico_backend: "{{ .Values.network }}" - # Configure the MTU to use for workload interfaces and tunnels. - # - If Wireguard is enabled, set to your network MTU - 60 - # - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 - # - Otherwise, if IPIP is enabled, set to your network MTU - 20 - # - Otherwise, if not using any encapsulation, set to your network MTU. - veth_mtu: "{{ .Values.mtu }}" - - # The CNI network configuration to install on each node. The special - # values in this config will be automatically populated. - cni_network_config: |- - { - "name": "k8s-pod-network", - "cniVersion": "0.3.1", - "plugins": [ - { - "type": "calico", - "log_level": "info", - "log_file_path": "/var/log/calico/cni/cni.log", - "datastore_type": "kubernetes", - "nodename": "__KUBERNETES_NODE_NAME__", - "mtu": __CNI_MTU__, - "ipam": { - "type": "calico-ipam" - }, - "policy": { - "type": "k8s" - }, - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__" - } - }, - { - "type": "portmap", - "snat": true, - "capabilities": {"portMappings": true} - }, - { - "type": "bandwidth", - "capabilities": {"bandwidth": true} - } - ] - } - ---- -# Source: calico/templates/calico-kube-controllers-rbac.yaml - -# Include a clusterrole for the kube-controllers component, -# and bind it to the calico-kube-controllers serviceaccount. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: calico-kube-controllers -rules: - # Nodes are watched to monitor for deletions. - - apiGroups: [""] - resources: - - nodes - verbs: - - watch - - list - - get - # Pods are queried to check for existence. 
- - apiGroups: [""] - resources: - - pods - verbs: - - get - # IPAM resources are manipulated when nodes are deleted. - - apiGroups: ["crd.projectcalico.org"] - resources: - - ippools - verbs: - - list - - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - - ipamblocks - - ipamhandles - verbs: - - get - - list - - create - - update - - delete - # kube-controllers manages hostendpoints. - - apiGroups: ["crd.projectcalico.org"] - resources: - - hostendpoints - verbs: - - get - - list - - create - - update - - delete - # Needs access to update clusterinformations. - - apiGroups: ["crd.projectcalico.org"] - resources: - - clusterinformations - verbs: - - get - - create - - update - # KubeControllersConfiguration is where it gets its config - - apiGroups: ["crd.projectcalico.org"] - resources: - - kubecontrollersconfigurations - verbs: - # read its own config - - get - # create a default if none exists - - create - # update status - - update - # watch for changes - - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: calico-kube-controllers -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-kube-controllers -subjects: -- kind: ServiceAccount - name: calico-kube-controllers - namespace: kube-system ---- - ---- -# Source: calico/templates/calico-node-rbac.yaml -# Include a clusterrole for the calico-node DaemonSet, -# and bind it to the calico-node serviceaccount. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: calico-node -rules: - # The CNI plugin needs to get pods, nodes, and namespaces. - - apiGroups: [""] - resources: - - pods - - nodes - - namespaces - verbs: - - get - - apiGroups: [""] - resources: - - endpoints - - services - verbs: - # Used to discover service IPs for advertisement. - - watch - - list - # Used to discover Typhas. - - get - # Pod CIDR auto-detection on kubeadm needs access to config maps. 
- - apiGroups: [""] - resources: - - configmaps - verbs: - - get - - apiGroups: [""] - resources: - - nodes/status - verbs: - # Needed for clearing NodeNetworkUnavailable flag. - - patch - # Calico stores some configuration information in node annotations. - - update - # Watch for changes to Kubernetes NetworkPolicies. - - apiGroups: ["networking.k8s.io"] - resources: - - networkpolicies - verbs: - - watch - - list - # Used by Calico for policy information. - - apiGroups: [""] - resources: - - pods - - namespaces - - serviceaccounts - verbs: - - list - - watch - # The CNI plugin patches pods/status. - - apiGroups: [""] - resources: - - pods/status - verbs: - - patch - # Calico monitors various CRDs for config. - - apiGroups: ["crd.projectcalico.org"] - resources: - - globalfelixconfigs - - felixconfigurations - - bgppeers - - globalbgpconfigs - - bgpconfigurations - - ippools - - ipamblocks - - globalnetworkpolicies - - globalnetworksets - - networkpolicies - - networksets - - clusterinformations - - hostendpoints - - blockaffinities - verbs: - - get - - list - - watch - # Calico must create and update some CRDs on startup. - - apiGroups: ["crd.projectcalico.org"] - resources: - - ippools - - felixconfigurations - - clusterinformations - verbs: - - create - - update - # Calico stores some configuration information on the node. - - apiGroups: [""] - resources: - - nodes - verbs: - - get - - list - - watch - # These permissions are only required for upgrade from v2.6, and can - # be removed after upgrade or on fresh installations. - - apiGroups: ["crd.projectcalico.org"] - resources: - - bgpconfigurations - - bgppeers - verbs: - - create - - update - # These permissions are required for Calico CNI to perform IPAM allocations. 
- - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - - ipamblocks - - ipamhandles - verbs: - - get - - list - - create - - update - - delete - - apiGroups: ["crd.projectcalico.org"] - resources: - - ipamconfigs - verbs: - - get - # Block affinities must also be watchable by confd for route aggregation. - - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - verbs: - - watch - # The Calico IPAM migration needs to get daemonsets. These permissions can be - # removed if not upgrading from an installation using host-local IPAM. - - apiGroups: ["apps"] - resources: - - daemonsets - verbs: - - get - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: calico-node -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-node -subjects: -- kind: ServiceAccount - name: calico-node - namespace: kube-system - ---- -# Source: calico/templates/calico-node.yaml -# This manifest installs the calico-node container, as well -# as the CNI plugins and network config on -# each master and worker node in a Kubernetes cluster. -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: calico-node - namespace: kube-system - labels: - k8s-app: calico-node -spec: - selector: - matchLabels: - k8s-app: calico-node - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - template: - metadata: - labels: - k8s-app: calico-node - spec: - nodeSelector: - kubernetes.io/os: linux - hostNetwork: true - tolerations: - # Make sure calico-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - serviceAccountName: calico-node - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 
- terminationGracePeriodSeconds: 0 - priorityClassName: system-node-critical - initContainers: - # This container installs the CNI binaries - # and CNI network config file on each node. - - name: install-cni - image: calico/cni:{{ default .Chart.AppVersion .Values.image.tag }} - command: ["/opt/cni/bin/install"] - envFrom: - - configMapRef: - # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. - name: kubernetes-services-endpoint - optional: true - env: - # Name of the CNI config file to create. - - name: CNI_CONF_NAME - value: "10-calico.conflist" - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: calico-config - key: cni_network_config - # Set the hostname based on the k8s node name. - - name: KUBERNETES_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - # CNI MTU Config variable - - name: CNI_MTU - valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu - # Prevents the container from sleeping forever. - - name: SLEEP - value: "false" - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - securityContext: - privileged: true - # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes - # to communicate with Felix over the Policy Sync API. - - name: flexvol-driver - image: calico/pod2daemon-flexvol:{{ default .Chart.AppVersion .Values.image.tag }} - volumeMounts: - - name: flexvol-driver-host - mountPath: /host/driver - securityContext: - privileged: true - containers: - # Runs calico-node container on each Kubernetes node. This - # container programs network policy and routes on each - # host. - - name: calico-node - image: calico/node:{{ default .Chart.AppVersion .Values.image.tag }} - envFrom: - - configMapRef: - # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 
- name: kubernetes-services-endpoint - optional: true - env: - # Use Kubernetes API as the backing datastore. - - name: DATASTORE_TYPE - value: "kubernetes" - # Wait for the datastore. - - name: WAIT_FOR_DATASTORE - value: "true" - # Set based on the k8s node name. - - name: NODENAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - # Choose the backend to use. - - name: CALICO_NETWORKING_BACKEND - valueFrom: - configMapKeyRef: - name: calico-config - key: calico_backend - # Cluster type to identify the deployment type - - name: CLUSTER_TYPE - value: "k8s,kubeadm" - # Auto-detect the BGP IP address. - - name: IP - value: "autodetect" - - name: IP_AUTODETECTION_METHOD - value: "interface=eth.*" - # Enable IPIP - - name: CALICO_IPV4POOL_IPIP - value: "Never" - # Enable or Disable VXLAN on the default IP pool. - - name: CALICO_IPV4POOL_VXLAN - value: "Always" - # Set MTU for tunnel device used if ipip is enabled - - name: FELIX_IPINIPMTU - valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu - # Set MTU for the VXLAN tunnel device. - - name: FELIX_VXLANMTU - valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu - # Set MTU for the Wireguard tunnel device. - - name: FELIX_WIREGUARDMTU - valueFrom: - configMapKeyRef: - name: calico-config - key: veth_mtu - # Disable AWS source-destination check on nodes. - - name: FELIX_AWSSRCDSTCHECK - value: DoNothing - # The default IPv4 pool to create on startup if none exists. Pod IPs will be - # chosen from this range. Changing this value after installation will have - # no effect. This should fall within `--cluster-cidr`. - # - name: CALICO_IPV4POOL_CIDR - # value: "192.168.0.0/16" - # Disable file logging so `kubectl logs` works. - - name: CALICO_DISABLE_FILE_LOGGING - value: "true" - # Set Felix endpoint to host default action to ACCEPT. - - name: FELIX_DEFAULTENDPOINTTOHOSTACTION - value: "ACCEPT" - # Disable IPv6 on Kubernetes. 
- - name: FELIX_IPV6SUPPORT - value: "false" - # Set Felix logging to "info" - - name: FELIX_LOGSEVERITYSCREEN - value: "{{ .Values.loglevel }}" - - name: FELIX_LOGSEVERITYFILE - value: "{{ .Values.loglevel }}" - - name: FELIX_LOGSEVERITYSYS - value: "" - - name: FELIX_PROMETHEUSGOMETRICSENABLED - value: "{{ .Values.prometheus }}" - - name: FELIX_PROMETHEUSMETRICSENABLED - value: "{{ .Values.prometheus }}" - - name: FELIX_HEALTHENABLED - value: "true" - securityContext: - privileged: true - resources: - requests: - cpu: 50m - livenessProbe: - exec: - command: - - /bin/calico-node - - -felix-live - periodSeconds: 10 - initialDelaySeconds: 10 - failureThreshold: 6 - readinessProbe: - exec: - command: - - /bin/calico-node - - -felix-ready - periodSeconds: 10 - volumeMounts: - - mountPath: /lib/modules - name: lib-modules - readOnly: true - - mountPath: /run/xtables.lock - name: xtables-lock - readOnly: false - - mountPath: /var/run/calico - name: var-run-calico - readOnly: false - - mountPath: /var/lib/calico - name: var-lib-calico - readOnly: false - - name: policysync - mountPath: /var/run/nodeagent - # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the - # parent directory. - - name: sysfs - mountPath: /sys/fs/ - # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host. - # If the host is known to mount that filesystem already then Bidirectional can be omitted. - # mountPropagation: Bidirectional - volumes: - # Used by calico-node. - - name: lib-modules - hostPath: - path: /lib/modules - - name: var-run-calico - hostPath: - path: /var/run/calico - - name: var-lib-calico - hostPath: - path: /var/lib/calico - - name: xtables-lock - hostPath: - path: /run/xtables.lock - type: FileOrCreate - - name: sysfs - hostPath: - path: /sys/fs/ - type: DirectoryOrCreate - # Used to install CNI. 
- - name: cni-bin-dir - hostPath: - path: /usr/libexec/cni - - name: cni-net-dir - hostPath: - path: /etc/cni/net.d - # Mount in the directory for host-local IPAM allocations. This is - # used when upgrading from host-local to calico-ipam, and can be removed - # if not using the upgrade-ipam init container. - - name: host-local-net-dir - hostPath: - path: /var/lib/cni/networks - # Used to create per-pod Unix Domain Sockets - - name: policysync - hostPath: - type: DirectoryOrCreate - path: /var/run/nodeagent - # Used to install Flex Volume Driver - - name: flexvol-driver-host - hostPath: - type: DirectoryOrCreate - path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-node - namespace: kube-system - ---- -# Source: calico/templates/calico-kube-controllers.yaml -# See https://github.com/projectcalico/kube-controllers -apiVersion: apps/v1 -kind: Deployment -metadata: - name: calico-kube-controllers - namespace: kube-system - labels: - k8s-app: calico-kube-controllers -spec: - # The controllers can only have a single active instance. - replicas: 1 - selector: - matchLabels: - k8s-app: calico-kube-controllers - strategy: - type: Recreate - template: - metadata: - name: calico-kube-controllers - namespace: kube-system - labels: - k8s-app: calico-kube-controllers - spec: - nodeSelector: - kubernetes.io/os: linux - node-role.kubernetes.io/control-plane: "" - tolerations: - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/master - effect: NoSchedule - serviceAccountName: calico-kube-controllers - priorityClassName: system-cluster-critical - containers: - - name: calico-kube-controllers - image: calico/kube-controllers:{{ default .Chart.AppVersion .Values.image.tag }} - env: - # Choose which controllers to run. 
- - name: ENABLED_CONTROLLERS - value: node - - name: DATASTORE_TYPE - value: kubernetes - readinessProbe: - exec: - command: - - /usr/bin/check-status - - -r - resources: - requests: - cpu: 50m - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-kube-controllers - namespace: kube-system - ---- -# Source: calico/templates/calico-etcd-secrets.yaml - ---- -# Source: calico/templates/calico-typha.yaml - ---- -# Source: calico/templates/configure-canal.yaml - - diff --git a/charts/kubezero-network/charts/calico/templates/service.yaml b/charts/kubezero-network/charts/calico/templates/service.yaml deleted file mode 100644 index 26ab6cb..0000000 --- a/charts/kubezero-network/charts/calico/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.prometheus }} -apiVersion: v1 -kind: Service -metadata: - labels: - k8s-app: calico-node - name: calico-node -spec: - clusterIP: None - ports: - - name: metrics - port: 9091 - protocol: TCP - targetPort: 9091 - selector: - k8s-app: calico-node - type: ClusterIP -{{- end }} diff --git a/charts/kubezero-network/charts/calico/templates/servicemonitor.yaml b/charts/kubezero-network/charts/calico/templates/servicemonitor.yaml deleted file mode 100644 index 130d1bf..0000000 --- a/charts/kubezero-network/charts/calico/templates/servicemonitor.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.prometheus }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: calico-node - labels: - k8s-app: calico-node - release: metrics -spec: - jobLabel: k8s-app - selector: - matchLabels: - k8s-app: calico-node - namespaceSelector: - matchNames: - - kube-system - endpoints: - - port: metrics -{{- end }} diff --git a/charts/kubezero-network/charts/calico/test-pod.yaml b/charts/kubezero-network/charts/calico/test-pod.yaml deleted file mode 100644 index e3c4f35..0000000 --- a/charts/kubezero-network/charts/calico/test-pod.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Once pod is running: -# kubectl -n NAME-SPACE-TO-TEST exec -it pod/POD_NAME /bin/sh - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: netshoot - namespace: kube-system - labels: - app: netshoot -spec: - replicas: 2 - strategy: - type: Recreate - selector: - matchLabels: - app: netshoot - template: - metadata: - labels: - app: netshoot - spec: - containers: - - name: netshoot - image: nicolaka/netshoot - imagePullPolicy: Always - command: - - /bin/sleep - args: - - "3600" - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: "kubernetes.io/hostname" diff --git a/charts/kubezero-network/charts/calico/values.yaml b/charts/kubezero-network/charts/calico/values.yaml deleted file mode 100644 index 281caa3..0000000 --- a/charts/kubezero-network/charts/calico/values.yaml +++ /dev/null @@ -1,10 +0,0 @@ -image: - tag: "" - -network: vxlan - -mtu: 8941 - -loglevel: Warning - -prometheus: false diff --git a/charts/kubezero-network/templates/multus/calico-network.yaml b/charts/kubezero-network/templates/multus/calico-network.yaml deleted file mode 100644 index e7c8062..0000000 --- a/charts/kubezero-network/templates/multus/calico-network.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if and .Values.multus.enabled .Values.calico.enabled }} -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: calico - namespace: kube-system -spec: - config: '{ - "type": "calico", - "cniVersion": "0.3.1", - "log_level": "info", - "log_file_path": "/var/log/calico/cni/cni.log", - "datastore_type": "kubernetes", - "mtu": {{ .Values.calico.mtu }}, - "ipam": { - "type": "calico-ipam" - }, - "policy": { - "type": "k8s" - }, - "kubernetes": { - "kubeconfig": "/etc/cni/net.d/calico-kubeconfig" - } - }' -{{- end }} diff --git a/charts/kubezero-network/templates/multus/daemonset.yaml b/charts/kubezero-network/templates/multus/daemonset.yaml index c18b92f..5622293 100644 
--- a/charts/kubezero-network/templates/multus/daemonset.yaml +++ b/charts/kubezero-network/templates/multus/daemonset.yaml @@ -24,6 +24,7 @@ spec: - operator: Exists effect: NoExecute serviceAccountName: multus + priorityClassName: system-node-critical containers: - name: kube-multus image: ghcr.io/k8snetworkplumbingwg/multus-cni:{{ .Values.multus.tag }} diff --git a/charts/kubezero-network/values.yaml b/charts/kubezero-network/values.yaml index 0d85cc6..0a85c94 100644 --- a/charts/kubezero-network/values.yaml +++ b/charts/kubezero-network/values.yaml @@ -5,6 +5,8 @@ metallb: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" @@ -16,12 +18,11 @@ metallb: multus: enabled: false - tag: "v3.9.1" + tag: "v3.9.2" - clusterNetwork: "calico" + clusterNetwork: "cilium" defaultNetworks: [] - # - "cilium" - readinessindicatorfile: "/etc/cni/net.d/10-calico.conflist" + readinessindicatorfile: "/etc/cni/net.d/05-cilium.conf" cilium: enabled: false @@ -33,24 +34,28 @@ cilium: securityContext: privileged: true + resources: + requests: + cpu: 10m + memory: 256Mi + limits: + memory: 1024Mi + # cpu: 4000m + cni: binPath: "/usr/libexec/cni" + logFile: /var/log/cilium-cni.log #-- Ensure this is false if multus is enabled exclusive: false - chainingMode: generic-veth - bpf: - hostLegacyRouting: true + #bpf: + # hostLegacyRouting: true # tproxy: false - # enableIPv4Masquerade: false - # enableIdentityMark: false - policyEnforcementMode: "never" - cluster: # This should match the second octet of clusterPoolIPv4PodCIDRList # to prevent IP space overlap and easy tracking - # use 240 as default, less likely to clash with 1, do NOT use 244 used by calico until 1.25 + # use 240 as default, less likely to clash with 1 id: 240 name: default 
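Review bot: `readinessindicatorfile: "/etc/cni/net.d/05-cilium.conf"` hard-codes the CNI config file name multus waits for, and the name Cilium writes has differed between Cilium releases (`.conf` versus `.conflist`); if it does not match the file written by the deployed Cilium version, multus never reports ready and pod scheduling stalls on every node. Tie the value to the Cilium version with a comment such as `# must match the CNI config file written by the deployed cilium version`, and verify it once against that release. In the same hunk `clusterNetwork: "cilium"` is set while the `cilium.enabled: false` context line a few lines below leaves that network uninstalled by default; enabling multus without cilium points it at nothing, which the values file could state. In the following `@@ -33,24 +34,28 @@` hunk, `policyEnforcementMode: "never"` and `chainingMode: generic-veth` are dropped together, which changes both policy enforcement and the multus chaining setup at once, yet the only remaining note is the `#-- Ensure this is false if multus is enabled` comment on `exclusive`; a one-line comment on why both were removed would help the next person who re-enables multus.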
@@ -59,14 +64,10 @@ cilium: clusterPoolIPv4PodCIDRList: - 10.240.0.0/16 - # Should be handled by multus - nodePort: - enabled: false - # Keep it simple for now l7Proxy: false - l2NeighDiscovery: - enabled: false + + #rollOutCiliumPods: true cgroup: autoMount: @@ -84,12 +85,21 @@ cilium: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" hubble: enabled: false - -# Legacy / Testing -calico: - enabled: false + relay: + enabled: false + ui: + enabled: false + tls: + auto: + method: cert-manager + certManagerIssuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: kubezero-local-ca-issuer diff --git a/charts/kubezero-redis/Chart.yaml b/charts/kubezero-redis/Chart.yaml index c15b606..1d24358 100644 --- a/charts/kubezero-redis/Chart.yaml +++ b/charts/kubezero-redis/Chart.yaml @@ -14,7 +14,7 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.4" + version: ">= 0.1.6" repository: https://cdn.zero-downtime.net/charts/ - name: redis version: 16.10.1 diff --git a/charts/kubezero-redis/README.md b/charts/kubezero-redis/README.md index a173887..3acc355 100644 --- a/charts/kubezero-redis/README.md +++ b/charts/kubezero-redis/README.md @@ -18,7 +18,7 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | | https://charts.bitnami.com/bitnami | redis | 16.10.1 | | https://charts.bitnami.com/bitnami | redis-cluster | 7.6.1 | diff --git a/charts/kubezero-sql/Chart.yaml b/charts/kubezero-sql/Chart.yaml index 4b4a786..812e169 100644 --- a/charts/kubezero-sql/Chart.yaml +++ b/charts/kubezero-sql/Chart.yaml 
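Review bot: `certManagerIssuerRef` points Hubble's automatic TLS at a `ClusterIssuer` named `kubezero-local-ca-issuer`, but nothing in this values file or the visible chart dependencies installs cert-manager or creates that issuer, so flipping `hubble.enabled` (or `relay.enabled`) to `true` will leave the relay waiting for certificates until it exists. A comment above `tls:` naming the prerequisite, e.g. `# requires cert-manager and a ClusterIssuer named kubezero-local-ca-issuer`, would make the dependency explicit. The hunk also removes the top-level `calico:` key; the templates that read `.Values.calico` appear to be deleted in this same commit, but any remaining consumer would now see nil, which is worth a quick grep.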
@@ -1,14 +1,15 @@ apiVersion: v2 name: kubezero-sql -description: KubeZero umbrella chart for SQL databases like MariaDB, PostgreSQL +description: KubeZero umbrella chart for SQL databases, Percona XtraDB Cluster type: application -version: 0.2.1 +version: 0.3.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: - kubezero - - mariadb - - postgresql + - mysql + - percona + # - postgresql maintainers: - name: Stefan Reimer email: stefan@zero-downtime.net @@ -16,8 +17,12 @@ dependencies: - name: kubezero-lib version: ">= 0.1.5" repository: https://cdn.zero-downtime.net/charts/ + - name: pxc-operator + version: 1.12.0 + repository: https://percona.github.io/percona-helm-charts/ + condition: pxc-operator.enabled - name: mariadb-galera - version: 7.4.3 + version: 7.4.7 repository: https://charts.bitnami.com/bitnami condition: mariadb-galera.enabled kubeVersion: ">= 1.20.0" diff --git a/charts/kubezero-sql/README.md b/charts/kubezero-sql/README.md index 86a140f..c875929 100644 --- a/charts/kubezero-sql/README.md +++ b/charts/kubezero-sql/README.md @@ -1,8 +1,8 @@ # kubezero-sql -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) -KubeZero umbrella chart for SQL databases like MariaDB, PostgreSQL +KubeZero umbrella chart for SQL databases, Percona XtraDB Cluster **Homepage:** 
@@ -19,25 +19,35 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | -| https://charts.bitnami.com/bitnami | mariadb-galera | 7.4.2 | +| https://charts.bitnami.com/bitnami | mariadb-galera | 7.4.7 | +| https://percona.github.io/percona-helm-charts/ | pxc-operator | 1.12.0 | ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| | mariadb-galera.configurationConfigMap | string | `"{{ .Release.Name }}-mariadb-galera-configuration"` | | -| mariadb-galera.db.password | string | `"12345qwert"` | | | mariadb-galera.db.user | string | `"mariadb"` | | -| mariadb-galera.enabled | bool | `true` | | -| mariadb-galera.galera.mariabackup.password | string | `"12345qwert"` | | +| mariadb-galera.enabled | bool | `false` | | +| mariadb-galera.galera | string | `nil` | | | mariadb-galera.istio.enabled | bool | `false` | | | mariadb-galera.istio.gateway | string | `"istio-ingress/private-ingressgateway"` | | | mariadb-galera.istio.url | string | `"mariadb.example.com"` | | | mariadb-galera.metrics.enabled | bool | `false` | | +| mariadb-galera.metrics.installDashboard | bool | `true` | | | mariadb-galera.metrics.prometheusRules.enabled | bool | `false` | | | mariadb-galera.metrics.serviceMonitor.enabled | bool | `false` | | | mariadb-galera.replicaCount | int | `2` | | -| mariadb-galera.rootUser.password | string | `"12345qwert"` | | +| pxc-operator.enabled | bool | `false` | | +| pxc-operator.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | +| pxc-operator.resources.limits.memory | string | `"512Mi"` | | +| pxc-operator.resources.requests.cpu | string | `"50m"` | | +| pxc-operator.resources.requests.memory | string | `"32Mi"` | | +| pxc-operator.tolerations[0].effect | string | `"NoSchedule"` | | +| pxc-operator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| pxc-operator.tolerations[1].effect | 
string | `"NoSchedule"` | |
+| pxc-operator.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | |
+| pxc-operator.watchAllNamespaces | bool | `true` | |
 # Changes
diff --git a/charts/kubezero-sql/cr.yaml b/charts/kubezero-sql/cr.yaml
new file mode 100644
index 0000000..0561116
--- /dev/null
+++ b/charts/kubezero-sql/cr.yaml
@@ -0,0 +1,591 @@ +apiVersion: pxc.percona.com/v1-11-0 +kind: PerconaXtraDBCluster +metadata: + name: best-db + finalizers: + - delete-pxc-pods-in-order +# - delete-ssl +# - delete-proxysql-pvc +# - delete-pxc-pvc +# annotations: +# percona.com/issue-vault-token: "true" +spec: + crVersion: 1.11.0 +# secretsName: cluster1-secrets +# vaultSecretName: keyring-secret-vault +# sslSecretName: cluster1-ssl +# sslInternalSecretName: cluster1-ssl-internal +# logCollectorSecretName: cluster1-log-collector-secrets +# initImage: percona/percona-xtradb-cluster-operator:1.12.0 +# enableCRValidationWebhook: true +# tls: +# SANs: +# - pxc-1.example.com +# - pxc-2.example.com +# - pxc-3.example.com +# issuerConf: +# name: special-selfsigned-issuer +# kind: ClusterIssuer +# group: cert-manager.io + allowUnsafeConfigurations: true +# pause: false + updateStrategy: SmartUpdate + upgradeOptions: + versionServiceEndpoint: https://check.percona.com + apply: disabled + schedule: "0 4 * * *" + pxc: + size: 1 + image: percona/percona-xtradb-cluster:8.0.27-18.1 + autoRecovery: true +# expose: +# enabled: true +# type: LoadBalancer +# trafficPolicy: Local +# loadBalancerSourceRanges: +# - 10.0.0.0/8 +# annotations: +# networking.gke.io/load-balancer-type: "Internal" +# replicationChannels: +# - name: pxc1_to_pxc2 +# isSource: true +# - name: pxc2_to_pxc1 +# isSource: false +# configuration: +# sourceRetryCount: 3 +# sourceConnectRetry: 60 +# sourcesList: +# - host: 10.95.251.101 +# port: 3306 +# weight: 100 +# schedulerName: mycustom-scheduler +# readinessDelaySec: 15 +# livenessDelaySec: 600 +# configuration: | +# [mysqld] +# wsrep_debug=CLIENT +# wsrep_provider_options="gcache.size=1G; gcache.recover=yes" +# [sst] +# xbstream-opts=--decompress +# [xtrabackup] +# compress=lz4 +# for PXC 5.7 +# [xtrabackup] +# compress +# imagePullSecrets: +# - name: private-registry-credentials +# priorityClassName: high-priority +# annotations: +# iam.amazonaws.com/role: role-arn +# labels: +# rack: rack-22 
+# readinessProbes: +# initialDelaySeconds: 15 +# timeoutSeconds: 15 +# periodSeconds: 30 +# successThreshold: 1 +# failureThreshold: 5 +# livenessProbes: +# initialDelaySeconds: 300 +# timeoutSeconds: 5 +# periodSeconds: 10 +# successThreshold: 1 +# failureThreshold: 3 +# containerSecurityContext: +# privileged: false +# podSecurityContext: +# runAsUser: 1001 +# runAsGroup: 1001 +# supplementalGroups: [1001] +# serviceAccountName: percona-xtradb-cluster-operator-workload +# imagePullPolicy: Always +# runtimeClassName: image-rc +# sidecars: +# - image: busybox +# command: ["/bin/sh"] +# args: ["-c", "while true; do trap 'exit 0' SIGINT SIGTERM SIGQUIT SIGKILL; done;"] +# name: my-sidecar-1 +# resources: +# requests: +# memory: 100M +# cpu: 100m +# limits: +# memory: 200M +# cpu: 200m +# envVarsSecret: my-env-var-secrets + resources: + requests: + memory: 512M + cpu: 200m +# ephemeral-storage: 1G +# limits: +# memory: 1G +# cpu: "1" +# ephemeral-storage: 1G +# nodeSelector: +# disktype: ssd + affinity: + antiAffinityTopologyKey: "kubernetes.io/hostname" +# advanced: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: kubernetes.io/e2e-az-name +# operator: In +# values: +# - e2e-az1 +# - e2e-az2 +# tolerations: +# - key: "node.alpha.kubernetes.io/unreachable" +# operator: "Exists" +# effect: "NoExecute" +# tolerationSeconds: 6000 +# podDisruptionBudget: +# maxUnavailable: 1 +# minAvailable: 0 + volumeSpec: +# emptyDir: {} +# hostPath: +# path: /data +# type: Directory + persistentVolumeClaim: +# storageClassName: standard +# accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 2G + gracePeriod: 600 + haproxy: + enabled: true + size: 1 + image: perconalab/percona-xtradb-cluster-operator:main-haproxy +# imagePullPolicy: Always +# schedulerName: mycustom-scheduler +# readinessDelaySec: 15 +# livenessDelaySec: 600 +# configuration: | +# +# the actual default configuration file can be 
found here https://github.com/percona/percona-docker/blob/main/haproxy/dockerdir/etc/haproxy/haproxy-global.cfg +# +# global +# maxconn 2048 +# external-check +# insecure-fork-wanted +# stats socket /etc/haproxy/pxc/haproxy.sock mode 600 expose-fd listeners level admin +# +# defaults +# default-server init-addr last,libc,none +# log global +# mode tcp +# retries 10 +# timeout client 28800s +# timeout connect 100500 +# timeout server 28800s +# +# frontend galera-in +# bind *:3309 accept-proxy +# bind *:3306 +# mode tcp +# option clitcpka +# default_backend galera-nodes +# +# frontend galera-admin-in +# bind *:33062 +# mode tcp +# option clitcpka +# default_backend galera-admin-nodes +# +# frontend galera-replica-in +# bind *:3307 +# mode tcp +# option clitcpka +# default_backend galera-replica-nodes +# +# frontend galera-mysqlx-in +# bind *:33060 +# mode tcp +# option clitcpka +# default_backend galera-mysqlx-nodes +# +# frontend stats +# bind *:8404 +# mode http +# option http-use-htx +# http-request use-service prometheus-exporter if { path /metrics } +# imagePullSecrets: +# - name: private-registry-credentials +# annotations: +# iam.amazonaws.com/role: role-arn +# labels: +# rack: rack-22 +# readinessProbes: +# initialDelaySeconds: 15 +# timeoutSeconds: 1 +# periodSeconds: 5 +# successThreshold: 1 +# failureThreshold: 3 +# livenessProbes: +# initialDelaySeconds: 60 +# timeoutSeconds: 5 +# periodSeconds: 30 +# successThreshold: 1 +# failureThreshold: 4 +# serviceType: ClusterIP +# externalTrafficPolicy: Cluster +# loadbalancersourceranges: +# - 10.0.0.0/8 +# loadBalancerIP: 127.0.0.1 +# serviceAnnotations: +# service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http +# serviceLabels: +# rack: rack-23 +# replicasServiceEnabled: false +# replicasLoadBalancerSourceRanges: +# - 10.0.0.0/8 +# replicasLoadBalancerIP: 127.0.0.1 +# replicasServiceType: ClusterIP +# replicasExternalTrafficPolicy: Cluster +# replicasServiceAnnotations: +# 
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http +# replicasServiceLabels: +# rack: rack-23 +# runtimeClassName: image-rc +# sidecars: +# - image: busybox +# command: ["/bin/sh"] +# args: ["-c", "while true; do trap 'exit 0' SIGINT SIGTERM SIGQUIT SIGKILL; done;"] +# name: my-sidecar-1 +# resources: +# requests: +# memory: 100M +# cpu: 100m +# limits: +# memory: 200M +# cpu: 200m +# envVarsSecret: my-env-var-secrets + resources: + requests: + memory: 100M + cpu: 100m +# limits: +# memory: 1G +# cpu: 700m +# priorityClassName: high-priority +# nodeSelector: +# disktype: ssd +# sidecarResources: +# requests: +# memory: 1G +# cpu: 500m +# limits: +# memory: 2G +# cpu: 600m +# containerSecurityContext: +# privileged: false +# podSecurityContext: +# runAsUser: 1001 +# runAsGroup: 1001 +# supplementalGroups: [1001] +# serviceAccountName: percona-xtradb-cluster-operator-workload + affinity: + antiAffinityTopologyKey: "kubernetes.io/hostname" +# advanced: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: kubernetes.io/e2e-az-name +# operator: In +# values: +# - e2e-az1 +# - e2e-az2 +# tolerations: +# - key: "node.alpha.kubernetes.io/unreachable" +# operator: "Exists" +# effect: "NoExecute" +# tolerationSeconds: 6000 +# podDisruptionBudget: +# maxUnavailable: 1 +# minAvailable: 0 + gracePeriod: 30 + proxysql: + enabled: false + size: 3 + image: perconalab/percona-xtradb-cluster-operator:main-proxysql +# imagePullPolicy: Always +# configuration: | +# datadir="/var/lib/proxysql" +# +# admin_variables = +# { +# admin_credentials="proxyadmin:admin_password" +# mysql_ifaces="0.0.0.0:6032" +# refresh_interval=2000 +# +# cluster_username="proxyadmin" +# cluster_password="admin_password" +# checksum_admin_variables=false +# checksum_ldap_variables=false +# checksum_mysql_variables=false +# cluster_check_interval_ms=200 +# cluster_check_status_frequency=100 +# 
cluster_mysql_query_rules_save_to_disk=true +# cluster_mysql_servers_save_to_disk=true +# cluster_mysql_users_save_to_disk=true +# cluster_proxysql_servers_save_to_disk=true +# cluster_mysql_query_rules_diffs_before_sync=1 +# cluster_mysql_servers_diffs_before_sync=1 +# cluster_mysql_users_diffs_before_sync=1 +# cluster_proxysql_servers_diffs_before_sync=1 +# } +# +# mysql_variables= +# { +# monitor_password="monitor" +# monitor_galera_healthcheck_interval=1000 +# threads=2 +# max_connections=2048 +# default_query_delay=0 +# default_query_timeout=10000 +# poll_timeout=2000 +# interfaces="0.0.0.0:3306" +# default_schema="information_schema" +# stacksize=1048576 +# connect_timeout_server=10000 +# monitor_history=60000 +# monitor_connect_interval=20000 +# monitor_ping_interval=10000 +# ping_timeout_server=200 +# commands_stats=true +# sessions_sort=true +# have_ssl=true +# ssl_p2s_ca="/etc/proxysql/ssl-internal/ca.crt" +# ssl_p2s_cert="/etc/proxysql/ssl-internal/tls.crt" +# ssl_p2s_key="/etc/proxysql/ssl-internal/tls.key" +# ssl_p2s_cipher="ECDHE-RSA-AES128-GCM-SHA256" +# } +# readinessDelaySec: 15 +# livenessDelaySec: 600 +# schedulerName: mycustom-scheduler +# imagePullSecrets: +# - name: private-registry-credentials +# annotations: +# iam.amazonaws.com/role: role-arn +# labels: +# rack: rack-22 +# serviceType: ClusterIP +# loadbalancersourceranges: +# - 10.0.0.0/8 +# loadBalancerIP: 127.0.0.1 +# externalTrafficPolicy: Cluster +# runtimeClassName: image-rc +# sidecars: +# - image: busybox +# command: ["/bin/sh"] +# args: ["-c", "while true; do trap 'exit 0' SIGINT SIGTERM SIGQUIT SIGKILL; done;"] +# name: my-sidecar-1 +# resources: +# requests: +# memory: 100M +# cpu: 100m +# limits: +# memory: 200M +# cpu: 200m +# envVarsSecret: my-env-var-secrets + resources: + requests: + memory: 1G + cpu: 600m +# limits: +# memory: 1G +# cpu: 700m +# priorityClassName: high-priority +# nodeSelector: +# disktype: ssd +# sidecarResources: +# requests: +# memory: 1G +# cpu: 500m +# 
limits: +# memory: 2G +# cpu: 600m +# containerSecurityContext: +# privileged: false +# podSecurityContext: +# runAsUser: 1001 +# runAsGroup: 1001 +# supplementalGroups: [1001] +# serviceAccountName: percona-xtradb-cluster-operator-workload + affinity: + antiAffinityTopologyKey: "kubernetes.io/hostname" +# advanced: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: kubernetes.io/e2e-az-name +# operator: In +# values: +# - e2e-az1 +# - e2e-az2 +# tolerations: +# - key: "node.alpha.kubernetes.io/unreachable" +# operator: "Exists" +# effect: "NoExecute" +# tolerationSeconds: 6000 + volumeSpec: +# emptyDir: {} +# hostPath: +# path: /data +# type: Directory + persistentVolumeClaim: +# storageClassName: standard +# accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 2G + podDisruptionBudget: + maxUnavailable: 1 +# minAvailable: 0 + gracePeriod: 30 +# loadBalancerSourceRanges: +# - 10.0.0.0/8 +# serviceAnnotations: +# service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http +# serviceLabels: +# rack: rack-23 + logcollector: + enabled: false + image: perconalab/percona-xtradb-cluster-operator:main-logcollector +# configuration: | +# [OUTPUT] +# Name es +# Match * +# Host 192.168.2.3 +# Port 9200 +# Index my_index +# Type my_type + resources: + requests: + memory: 100M + cpu: 200m + pmm: + enabled: false + image: percona/pmm-client:2.28.0 + serverHost: monitoring-service +# serverUser: admin +# pxcParams: "--disable-tablestats-limit=2000" +# proxysqlParams: "--custom-labels=CUSTOM-LABELS" + resources: + requests: + memory: 150M + cpu: 300m + backup: + enabled: false + image: perconalab/percona-xtradb-cluster-operator:main-pxc8.0-backup +# backoffLimit: 6 +# serviceAccountName: percona-xtradb-cluster-operator +# imagePullSecrets: +# - name: private-registry-credentials + pitr: + enabled: false + storageName: STORAGE-NAME-HERE + timeBetweenUploads: 60 +# resources: +# 
requests: +# memory: 0.1G +# cpu: 100m +# limits: +# memory: 1G +# cpu: 700m + storages: + s3-us-west: + type: s3 + verifyTLS: true +# nodeSelector: +# storage: tape +# backupWorker: 'True' +# resources: +# requests: +# memory: 1G +# cpu: 600m +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: backupWorker +# operator: In +# values: +# - 'True' +# tolerations: +# - key: "backupWorker" +# operator: "Equal" +# value: "True" +# effect: "NoSchedule" +# annotations: +# testName: scheduled-backup +# labels: +# backupWorker: 'True' +# schedulerName: 'default-scheduler' +# priorityClassName: 'high-priority' +# containerSecurityContext: +# privileged: true +# podSecurityContext: +# fsGroup: 1001 +# supplementalGroups: [1001, 1002, 1003] + s3: + bucket: S3-BACKUP-BUCKET-NAME-HERE + credentialsSecret: my-cluster-name-backup-s3 + region: us-west-2 + fs-pvc: + type: filesystem +# nodeSelector: +# storage: tape +# backupWorker: 'True' +# resources: +# requests: +# memory: 1G +# cpu: 600m +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: backupWorker +# operator: In +# values: +# - 'True' +# tolerations: +# - key: "backupWorker" +# operator: "Equal" +# value: "True" +# effect: "NoSchedule" +# annotations: +# testName: scheduled-backup +# labels: +# backupWorker: 'True' +# schedulerName: 'default-scheduler' +# priorityClassName: 'high-priority' +# containerSecurityContext: +# privileged: true +# podSecurityContext: +# fsGroup: 1001 +# supplementalGroups: [1001, 1002, 1003] + volume: + persistentVolumeClaim: +# storageClassName: standard + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 6G + schedule: + - name: "sat-night-backup" + schedule: "0 0 * * 6" + keep: 3 + storageName: s3-us-west + - name: "daily-backup" + schedule: "0 0 * * *" + keep: 5 + storageName: fs-pvc 
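Review bot: `allowUnsafeConfigurations: true` near the top of `spec` disables, by its name, the operator's configuration safety checks, which is presumably what lets the single-node `pxc.size: 1` / `haproxy.size: 1` layout be accepted; the file should say this is deliberate for a sample and must be reverted for real data, e.g. `# single-node sample: unsafe-configuration checks are disabled on purpose, do not use as-is for production data`. Four images are floating development tags from the `perconalab` namespace (`main-haproxy`, `main-proxysql`, `main-logcollector`, `main-pxc8.0-backup`) while the database image is pinned to `percona/percona-xtradb-cluster:8.0.27-18.1`; a mutable `main-*` tag can change underneath a running cluster and defeats image pinning, so these should be pinned to released tags or digests. `apiVersion: pxc.percona.com/v1-11-0` and `crVersion: 1.11.0` lag the `pxc-operator` 1.12.0 dependency added to `Chart.yaml` in this commit (the commented `initImage` line already says 1.12.0); confirm the operator accepts the older CR version or bump both. `backup.pitr.storageName`, `s3.bucket` and `credentialsSecret` are placeholders that are inert only because `backup.enabled` is `false`; a comment saying so would stop someone enabling backups against `STORAGE-NAME-HERE`.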
diff --git a/charts/kubezero-sql/files/mariadb/my.cnf b/charts/kubezero-sql/files/mariadb/my.cnf
index 34c89a0..7bd5a59 100644
--- a/charts/kubezero-sql/files/mariadb/my.cnf
+++ b/charts/kubezero-sql/files/mariadb/my.cnf
@@ -78,7 +78,7 @@ innodb_file_format=Barracuda
 ## log_error=/opt/bitnami/mariadb/logs/mysqld.log
 slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log
-log_queries_not_using_indexes=0
+log_queries_not_using_indexes=1
 slow_query_log=1
 ## SSL
diff --git a/charts/kubezero-sql/templates/mariadb/grafana-dashboards.yaml b/charts/kubezero-sql/templates/mariadb/grafana-dashboards.yaml
index e37e1d5..a24bae0 100644
--- a/charts/kubezero-sql/templates/mariadb/grafana-dashboards.yaml
+++ b/charts/kubezero-sql/templates/mariadb/grafana-dashboards.yaml
@@ -6,7 +6,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 labels:
 grafana_dashboard: "1"
-{{ include "kubezero-lib.labels" . | indent 4 }}
+ {{- include "kubezero-lib.labels" . | nindent 4 }}
 binaryData:
 mariadb-galera.json.gz: 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
diff --git a/charts/kubezero-sql/update.sh b/charts/kubezero-sql/update.sh
index 8cdcf32..a5e3feb 100755
--- a/charts/kubezero-sql/update.sh
+++ b/charts/kubezero-sql/update.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 set -ex
-### MariaDB
+helm dep update
+### MariaDB
 # Fetch dashboards
 ../kubezero-metrics/sync_grafana_dashboards.py dashboards-mariadb.yaml templates/mariadb/grafana-dashboards.yaml
diff --git a/charts/kubezero-sql/values.yaml b/charts/kubezero-sql/values.yaml
index 768a889..d00b3e5 100644
--- a/charts/kubezero-sql/values.yaml
+++ b/charts/kubezero-sql/values.yaml
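Review bot: `log_queries_not_using_indexes=1` together with the existing `slow_query_log=1` writes every statement that runs without an index, including its literal parameter values, into `/opt/bitnami/mariadb/logs/mysqld.log`; on a busy schema that inflates the log quickly and puts query data into a file that may be shipped to a central log store. If this is meant as a diagnostic, say so and bound it, e.g. `# diagnostic: log full-scan queries; rate-limit with log_slow_rate_limit on busy instances` above the setting. The enclosing `[mysqld]` section starts outside the hunk.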
@@ -1,17 +1,34 @@ +pxc-operator: + enabled: false + + # we want a clusterwide operator + watchAllNamespaces: true + + # running on the control-plane + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + nodeSelector: + node-role.kubernetes.io/control-plane: "" + + resources: + limits: + #cpu: 200m + memory: 512Mi + requests: + cpu: 50m + memory: 32Mi + mariadb-galera: enabled: false replicaCount: 2 - # Passwords should be fixed otherwise helm will create random new ones each time we template|apply - rootUser: - password: 12345qwert db: user: mariadb - password: 12345qwert galera: - mariabackup: - password: 12345qwert # For a single node "cluster" force bootstrap #bootstrap: # bootstrapFromNode: 0 @@ -19,6 +36,8 @@ mariadb-galera: metrics: enabled: false + # set to false for any subsequent installation of the chart in the same cluster to prevent overwriting each other + installDashboard: true serviceMonitor: enabled: false diff --git a/charts/kubezero-storage/Chart.yaml b/charts/kubezero-storage/Chart.yaml index 5aa039c..0d8a987 100644 --- a/charts/kubezero-storage/Chart.yaml +++ b/charts/kubezero-storage/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-storage description: KubeZero umbrella chart for all things storage incl. AWS EBS/EFS, openEBS-lvm, gemini type: application -version: 0.7.2 +version: 0.7.5 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -17,7 +17,7 @@ maintainers: email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.5" + version: ">= 0.1.6" repository: https://cdn.zero-downtime.net/charts/ - name: lvm-localpv version: 1.0.0 
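Review bot: The rewritten `mariadb-galera` block drops the fixed `rootUser.password`, `db.password` and `galera.mariabackup.password` values, but nothing now tells a caller where those credentials must come from; the removed comment warned that the subchart otherwise generates new random passwords on every template|apply, and that behaviour is not addressed here. Keeping `12345qwert` out of the repository is the right call, so add a comment in its place, e.g. `# Passwords intentionally unset: supply rootUser.password, db.password and galera.mariabackup.password from caller values, otherwise each template|apply regenerates them`, so the warning is not lost. The new `pxc-operator.watchAllNamespaces: true` default presumably widens the operator's RBAC to every namespace; the inline comment states the intent, and a one-line note on that consequence would help anyone overriding these values.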
@@ -28,11 +28,11 @@ dependencies: condition: gemini.enabled # repository: https://charts.fairwinds.com/stable - name: aws-ebs-csi-driver - version: 2.12.0 + version: 2.14.1 condition: aws-ebs-csi-driver.enabled - # repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver + repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver - name: aws-efs-csi-driver - version: 2.2.9 + version: 2.3.2 condition: aws-efs-csi-driver.enabled # repository: https://kubernetes-sigs.github.io/aws-ebs-csi-driver -kubeVersion: ">= 1.20.0" +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero-storage/README.md b/charts/kubezero-storage/README.md index 601ce88..1372cb2 100644 --- a/charts/kubezero-storage/README.md +++ b/charts/kubezero-storage/README.md @@ -1,6 +1,6 @@ # kubezero-storage -![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 0.7.5](https://img.shields.io/badge/Version-0.7.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero umbrella chart for all things storage incl. AWS EBS/EFS, openEBS-lvm, gemini @@ -14,15 +14,15 @@ KubeZero umbrella chart for all things storage incl. AWS EBS/EFS, openEBS-lvm, g ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| -| | aws-ebs-csi-driver | 2.11.0 | -| | aws-efs-csi-driver | 2.2.7 | +| | aws-efs-csi-driver | 2.3.2 | | | gemini | 1.0.0 | | | lvm-localpv | 1.0.0 | -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 | +| https://kubernetes-sigs.github.io/aws-ebs-csi-driver | aws-ebs-csi-driver | 2.14.1 | ## Values 
@@ -37,13 +37,29 @@ Kubernetes: `>= 1.20.0` | aws-ebs-csi-driver.controller.resources.requests.memory | string | `"24Mi"` | | | aws-ebs-csi-driver.controller.tolerations[0].effect | string | `"NoSchedule"` | | | aws-ebs-csi-driver.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| aws-ebs-csi-driver.controller.tolerations[1].effect | string | `"NoSchedule"` | | +| aws-ebs-csi-driver.controller.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | +| aws-ebs-csi-driver.controller.volumeMounts[0].mountPath | string | `"/var/run/secrets/sts.amazonaws.com/serviceaccount/"` | | +| aws-ebs-csi-driver.controller.volumeMounts[0].name | string | `"aws-token"` | | +| aws-ebs-csi-driver.controller.volumeMounts[0].readOnly | bool | `true` | | +| aws-ebs-csi-driver.controller.volumes[0].name | string | `"aws-token"` | | +| aws-ebs-csi-driver.controller.volumes[0].projected.sources[0].serviceAccountToken.audience | string | `"sts.amazonaws.com"` | | +| aws-ebs-csi-driver.controller.volumes[0].projected.sources[0].serviceAccountToken.expirationSeconds | int | `86400` | | +| aws-ebs-csi-driver.controller.volumes[0].projected.sources[0].serviceAccountToken.path | string | `"token"` | | | aws-ebs-csi-driver.enabled | bool | `false` | | | aws-ebs-csi-driver.node.resources.limits.memory | string | `"32Mi"` | | | aws-ebs-csi-driver.node.resources.requests.cpu | string | `"10m"` | | | aws-ebs-csi-driver.node.resources.requests.memory | string | `"16Mi"` | | +| aws-ebs-csi-driver.node.tolerateAllTaints | bool | `false` | | | aws-ebs-csi-driver.node.tolerations[0].effect | string | `"NoSchedule"` | | | aws-ebs-csi-driver.node.tolerations[0].key | string | `"kubezero-workergroup"` | | | aws-ebs-csi-driver.node.tolerations[0].operator | string | `"Exists"` | | +| aws-ebs-csi-driver.node.tolerations[1].effect | string | `"NoSchedule"` | | +| aws-ebs-csi-driver.node.tolerations[1].key | string | `"nvidia.com/gpu"` | | +| 
aws-ebs-csi-driver.node.tolerations[1].operator | string | `"Exists"` | | +| aws-ebs-csi-driver.node.tolerations[2].effect | string | `"NoSchedule"` | | +| aws-ebs-csi-driver.node.tolerations[2].key | string | `"aws.amazon.com/neuron"` | | +| aws-ebs-csi-driver.node.tolerations[2].operator | string | `"Exists"` | | | aws-ebs-csi-driver.storageClasses[0].allowVolumeExpansion | bool | `true` | | | aws-ebs-csi-driver.storageClasses[0].name | string | `"ebs-sc-gp2-xfs"` | | | aws-ebs-csi-driver.storageClasses[0].parameters."csi.storage.k8s.io/fstype" | string | `"xfs"` | | @@ -62,6 +78,8 @@ Kubernetes: `>= 1.20.0` | aws-efs-csi-driver.controller.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | aws-efs-csi-driver.controller.tolerations[0].effect | string | `"NoSchedule"` | | | aws-efs-csi-driver.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| aws-efs-csi-driver.controller.tolerations[1].effect | string | `"NoSchedule"` | | +| aws-efs-csi-driver.controller.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | aws-efs-csi-driver.enabled | bool | `false` | | | aws-efs-csi-driver.node.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].key | string | `"node.kubernetes.io/csi.efs.fs"` | | | aws-efs-csi-driver.node.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[0].matchExpressions[0].operator | string | `"Exists"` | | 
@@ -72,6 +90,12 @@ Kubernetes: `>= 1.20.0` | aws-efs-csi-driver.node.tolerations[0].effect | string | `"NoSchedule"` | | | aws-efs-csi-driver.node.tolerations[0].key | string | `"kubezero-workergroup"` | | | aws-efs-csi-driver.node.tolerations[0].operator | string | `"Exists"` | | +| aws-efs-csi-driver.node.tolerations[1].effect | string | `"NoSchedule"` | | +| aws-efs-csi-driver.node.tolerations[1].key | string | `"nvidia.com/gpu"` | | +| aws-efs-csi-driver.node.tolerations[1].operator | string | `"Exists"` | | +| aws-efs-csi-driver.node.tolerations[2].effect | string | `"NoSchedule"` | | +| aws-efs-csi-driver.node.tolerations[2].key | string | `"aws.amazon.com/neuron"` | | +| aws-efs-csi-driver.node.tolerations[2].operator | string | `"Exists"` | | | aws-efs-csi-driver.replicaCount | int | `1` | | | gemini.enabled | bool | `false` | | | gemini.resources.limits.cpu | string | `"400m"` | | @@ -84,6 +108,8 @@ Kubernetes: `>= 1.20.0` | lvm-localpv.lvmController.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | lvm-localpv.lvmController.tolerations[0].effect | string | `"NoSchedule"` | | | lvm-localpv.lvmController.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| lvm-localpv.lvmController.tolerations[1].effect | string | `"NoSchedule"` | | +| lvm-localpv.lvmController.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | | lvm-localpv.lvmNode.logLevel | int | `2` | | | lvm-localpv.lvmNode.nodeSelector."node.kubernetes.io/lvm" | string | `"openebs"` | | | lvm-localpv.lvmNode.tolerations[0].effect | string | `"NoSchedule"` | | 
@@ -92,7 +118,7 @@ Kubernetes: `>= 1.20.0` | lvm-localpv.prometheus.enabled | bool | `false` | | | lvm-localpv.storageClass.default | bool | `false` | | | lvm-localpv.storageClass.vgpattern | string | `""` | | -| snapshotController.enabled | bool | `true` | | +| snapshotController.enabled | bool | `false` | | | snapshotController.logLevel | int | `2` | | | snapshotController.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | | | snapshotController.replicas | int | `1` | | @@ -102,9 +128,12 @@ Kubernetes: `>= 1.20.0` | snapshotController.resources.requests.memory | string | `"16Mi"` | | | snapshotController.tolerations[0].effect | string | `"NoSchedule"` | | | snapshotController.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | | +| snapshotController.tolerations[1].effect | string | `"NoSchedule"` | | +| snapshotController.tolerations[1].key | string | `"node-role.kubernetes.io/control-plane"` | | # Snapshotter - https://kubernetes-csi.github.io/docs/snapshot-controller.html#deployment ## Resources - https://github.com/openebs/monitoring/blob/develop/docs/openebs-mixin-user-guide.md#install-openebs-mixin-in-existing-prometheus-stack +- https://quay.io/organization/fairwinds diff --git a/charts/kubezero-storage/README.md.gotmpl b/charts/kubezero-storage/README.md.gotmpl index 1b593cb..689e72b 100644 --- a/charts/kubezero-storage/README.md.gotmpl +++ b/charts/kubezero-storage/README.md.gotmpl @@ -20,3 +20,4 @@ ## Resources - https://github.com/openebs/monitoring/blob/develop/docs/openebs-mixin-user-guide.md#install-openebs-mixin-in-existing-prometheus-stack +- https://quay.io/organization/fairwinds diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/.helmignore b/charts/kubezero-storage/charts/aws-ebs-csi-driver/.helmignore deleted file mode 100644 index 50af031..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/.helmignore +++ /dev/null 
@@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/CHANGELOG.md b/charts/kubezero-storage/charts/aws-ebs-csi-driver/CHANGELOG.md deleted file mode 100644 index 6a74365..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/CHANGELOG.md +++ /dev/null 
@@ -1,168 +0,0 @@ -# Helm chart - -## v2.12.0 -* Bump app/driver to version `v1.12.0` -* Move default toleration to values.yaml so it can be overriden if desired by users ([#1400](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1400), [@cnmcavoy](https://github.com/cnmcavoy)) -* Add enableMetrics configuration ([#1380](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1380), [@torredil](https://github.com/torredil)) -* add initContainer to the controller's template ([#1379](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1379), [@InsomniaCoder](https://github.com/InsomniaCoder)) -* Add controller nodeAffinity to prefer EC2 over Fargate ([#1360](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1360), [@torredil](https://github.com/torredil)) - -## v2.11.1 -* Add `useOldCSIDriver` parameter to use old `CSIDriver` object. - -## v2.11.0 - -**Important Notice:** This version updates the `CSIDriver` object in order to fix [a bug with static volumes and the `fsGroup` parameter](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1365). This upgrade will fail on existing clusters because the associated field in `CSIDriver` is immutable. - -Users upgrading to this version should pre-delete the existing `CSIDriver` object (example: `kubectl delete csidriver ebs.csi.aws.com`). This will not affect any existing volumes, but will cause the EBS CSI Driver to be unavailable to handle future requests, and should be immediately followed by an upgrade. For users that cannot delete the `CSIDriver` object, v2.11.1 implements a new parameter `useOldCSIDriver` that will use the previous `CSIDriver`. 
- -* Bump app/driver to version `v1.11.3` -* Add support for leader election tuning for `csi-provisioner` and `csi-attacher` ([#1371](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1371), [@moogzy](https://github.com/moogzy)) -* Change `fsGroupPolicy` to `File` ([#1377](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1377), [@ConnorJC3](https://github.com/ConnorJC3)) -* Allow all taint for `csi-node` by default ([#1381](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1381), [@gtxu](https://github.com/gtxu)) - -## v2.10.1 -* Bump app/driver to version `v1.11.2` - -## v2.10.0 -* Implement securityContext for containers -* Add securityContext for node pod -* Utilize more secure defaults for securityContext - -## v2.9.0 -* Bump app/driver to version `v1.10.0` -* Feature: Reference `configMaps` across multiple resources using `envFrom` ([#1312](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1312), [@jebbens](https://github.com/jebbens)) - -## v2.8.1 -* Bump app/driver to version `v1.9.0` -* Update livenessprobe to version `v2.6.0` - -## v2.8.0 -* Feature: Support custom affinity definition on node daemon set ([#1277](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1277), [@vauchok](https://github.com/vauchok)) - -## v2.7.1 -* Bump app/driver to version `v1.8.0` - -## v2.7.0 -* Support optional ec2 endpoint configuration. -* Fix node driver registrar socket path. -* Fix hardcoded kubelet path. - -## v2.6.11 -* Bump app/driver to version `v1.7.0` -* Set handle-volume-inuse-error to `false` - -## v2.6.10 - -* Add quotes around the `extra-tags` argument in order to prevent special characters such as `":"` from breaking the manifest YAML after template rendering. 
- -## v2.6.9 - -* Update csi-snapshotter to version `v6.0.1` -* Update external-attacher to version `v3.4.0` -* Update external-resizer to version `v1.4.0` -* Update external-provisioner to version `v3.1.0` -* Update node-driver-registrar to version `v2.5.1` -* Update livenessprobe to version `v2.5.0` - -## v2.6.8 - -* Bump app/driver to version `v1.6.2` -* Bump sidecar version for nodeDriverRegistrar, provisioner to be consistent with EKS CSI Driver Add-on - -## v2.6.7 - -* Bump app/driver to version `v1.6.1` - -## v2.6.6 - -* Bump app/driver to version `v1.6.0` - -## v2.6.5 - -* Bump app/driver to version `v1.5.3` - -## v2.6.4 - -* Remove exposure all secrets to external-snapshotter-role - -## v2.6.3 - -* Bump app/driver to version `v1.5.1` - -## v2.6.2 - -* Update csi-resizer version to v1.1.0 - -## v2.6.1 - -* Add securityContext support for controller Deployment - -## v2.5.0 - -* Bump app/driver version to `v1.5.0` - -## v2.4.1 - -* Replace deprecated arg `--extra-volume-tags` by `--extra-tags` - -## v2.4.0 - -* Bump app/driver version to `v1.4.0` - -## v2.3.1 - -* Bump app/driver version to `v1.3.1` - -## v2.3.0 - -* Support overriding controller `--default-fstype` flag via values - -## v2.2.1 - -* Bump app/driver version to `v1.3.0` - -## v2.2.0 - -* Support setting imagePullPolicy for all containers - -## v2.1.1 - -* Bump app/driver version to `v1.2.1` - -## v2.1.0 - -* Custom `controller.updateStrategy` to set controller deployment strategy. 
- -## v2.0.4 - -* Use chart app version as default image tag -* Add updateStrategy to daemonsets - -## v2.0.3 - -* Bump app/driver version to `v1.2.0` - -## v2.0.2 - -* Bump app/driver version to `v1.1.3` - -## v2.0.1 - -* Only create Windows daemonset if enableWindows is true -* Update Windows daemonset to align better to the Linux one - -## v2.0.0 - -* Remove support for Helm 2 -* Remove deprecated values -* No longer install snapshot controller or its CRDs -* Reorganize additional values - -[Upgrade instructions](/docs/README.md#upgrading-from-version-1x-to-2x-of-the-helm-chart) - -## v1.2.4 - -* Bump app/driver version to `v1.1.1` -* Install VolumeSnapshotClass, VolumeSnapshotContent, VolumeSnapshot CRDs if enableVolumeSnapshot is true -* Only run csi-snapshotter sidecar if enableVolumeSnapshot is true or if CRDs are already installed diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/Chart.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/Chart.yaml deleted file mode 100644 index d3a0d4f..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/Chart.yaml +++ /dev/null @@ -1,22 +0,0 @@ -annotations: - artifacthub.io/changes: | - - kind: added - description: Custom controller.updateStrategy to set controller deployment strategy. -apiVersion: v2 -appVersion: 1.12.0 -description: A Helm chart for AWS EBS CSI Driver -home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver -keywords: -- aws -- ebs -- csi -kubeVersion: '>=1.17.0-0' -maintainers: -- email: chengpan@amazon.com - name: leakingtapan -- name: krmichel - url: https://github.com/krmichel -name: aws-ebs-csi-driver -sources: -- https://github.com/kubernetes-sigs/aws-ebs-csi-driver -version: 2.12.0 diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/NOTES.txt b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/NOTES.txt deleted file mode 100644 index 5d79084..0000000 
--- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -To verify that aws-ebs-csi-driver has started, run: - - kubectl get pod -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" - -NOTE: The [CSI Snapshotter](https://github.com/kubernetes-csi/external-snapshotter) controller and CRDs will no longer be installed as part of this chart and moving forward will be a prerequisite of using the snap shotting functionality. \ No newline at end of file diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/_helpers.tpl b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/_helpers.tpl deleted file mode 100644 index 42fc138..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/_helpers.tpl +++ /dev/null 
@@ -1,85 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "aws-ebs-csi-driver.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "aws-ebs-csi-driver.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "aws-ebs-csi-driver.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "aws-ebs-csi-driver.labels" -}} -{{ include "aws-ebs-csi-driver.selectorLabels" . }} -{{- if ne .Release.Name "kustomize" }} -helm.sh/chart: {{ include "aws-ebs-csi-driver.chart" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/component: csi-driver -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels }} -{{- end }} -{{- end -}} - -{{/* -Common selector labels -*/}} -{{- define "aws-ebs-csi-driver.selectorLabels" -}} -app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }} -{{- if ne .Release.Name "kustomize" }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} -{{- end -}} - -{{/* -Convert the `--extra-tags` command line arg from a map. 
-*/}} -{{- define "aws-ebs-csi-driver.extra-volume-tags" -}} -{{- $result := dict "pairs" (list) -}} -{{- range $key, $value := .Values.controller.extraVolumeTags -}} -{{- $noop := printf "%s=%v" $key $value | append $result.pairs | set $result "pairs" -}} -{{- end -}} -{{- if gt (len $result.pairs) 0 -}} -{{- printf "- \"--extra-tags=%s\"" (join "," $result.pairs) -}} -{{- end -}} -{{- end -}} - -{{/* -Handle http proxy env vars -*/}} -{{- define "aws-ebs-csi-driver.http-proxy" -}} -- name: HTTP_PROXY - value: {{ .Values.proxy.http_proxy | quote }} -- name: HTTPS_PROXY - value: {{ .Values.proxy.http_proxy | quote }} -- name: NO_PROXY - value: {{ .Values.proxy.no_proxy | quote }} -{{- end -}} diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml deleted file mode 100644 index 816fdf6..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-attacher-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [ "" ] - resources: [ "persistentvolumes" ] - verbs: [ "get", "list", "watch", "update", "patch" ] - - apiGroups: [ "" ] - resources: [ "nodes" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "csi.storage.k8s.io" ] - resources: [ "csinodeinfos" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "volumeattachments" ] - verbs: [ "get", "list", "watch", "update", "patch" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "volumeattachments/status" ] - verbs: [ "patch" ] 
diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml deleted file mode 100644 index 3ca368e..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-node-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get"] diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml deleted file mode 100644 index 0fb7ded..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-provisioner-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [ "" ] - resources: [ "persistentvolumes" ] - verbs: [ "get", "list", "watch", "create", "delete" ] - - apiGroups: [ "" ] - resources: [ "persistentvolumeclaims" ] - verbs: [ "get", "list", "watch", "update" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "storageclasses" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "events" ] - verbs: [ "list", "watch", "create", "update", "patch" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshots" ] - verbs: [ "get", "list" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotcontents" ] - verbs: [ "get", "list" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "csinodes" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "nodes" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "coordination.k8s.io" ] - resources: [ "leases" ] - verbs: [ "get", "watch", "list", "delete", "update", "create" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "volumeattachments" ] - verbs: [ "get", "list", "watch" ] diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml deleted file mode 100644 index 065f3ab..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-resizer-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - # The following rule should be uncommented for plugins that require secrets - # for provisioning. - # - apiGroups: [""] - # resources: ["secrets"] - # verbs: ["get", "list", "watch"] - - apiGroups: [ "" ] - resources: [ "persistentvolumes" ] - verbs: [ "get", "list", "watch", "update", "patch" ] - - apiGroups: [ "" ] - resources: [ "persistentvolumeclaims" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "persistentvolumeclaims/status" ] - verbs: [ "update", "patch" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "storageclasses" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "events" ] - verbs: [ "list", "watch", "create", "update", "patch" ] - - apiGroups: [ "" ] - resources: [ "pods" ] - verbs: [ "get", "list", "watch" ] diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml deleted file mode 100644 index 38e688a..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-external-snapshotter-role - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -rules: - - apiGroups: [ "" ] - resources: [ "events" ] - verbs: [ "list", "watch", "create", "update", "patch" ] - # Secret permission is optional. - # Enable it if your driver needs secret. - # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass. - # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details. - # - apiGroups: [ "" ] - # resources: [ "secrets" ] - # verbs: [ "get", "list" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotclasses" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotcontents" ] - verbs: [ "create", "get", "list", "watch", "update", "delete", "patch" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotcontents/status" ] - verbs: [ "update" ] diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml deleted file mode 100644 index bb23044..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-attacher-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ .Values.controller.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: ebs-external-attacher-role - apiGroup: rbac.authorization.k8s.io 
diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml deleted file mode 100644 index 5523135..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-node-getter-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ .Values.node.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: ebs-csi-node-role - apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml deleted file mode 100644 index 9d2749a..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-provisioner-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ .Values.controller.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: ebs-external-provisioner-role - apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml deleted file mode 100644 index 88cb47d..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-resizer-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ .Values.controller.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: ebs-external-resizer-role - apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml deleted file mode 100644 index 2d42905..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: ebs-csi-snapshotter-binding - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ .Values.controller.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: ebs-external-snapshotter-role - apiGroup: rbac.authorization.k8s.io diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/controller.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/controller.yaml deleted file mode 100644 index 9c01bb6..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/controller.yaml +++ /dev/null 
@@ -1,362 +0,0 @@ -# Controller Service -kind: Deployment -apiVersion: apps/v1 -metadata: - name: ebs-csi-controller - namespace: {{ .Release.Namespace }} - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.controller.replicaCount }} - {{- with .Values.controller.updateStrategy }} - strategy: - {{ toYaml . | nindent 4 }} - {{- end }} - selector: - matchLabels: - app: ebs-csi-controller - {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - app: ebs-csi-controller - {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - {{- if .Values.controller.podLabels }} - {{- toYaml .Values.controller.podLabels | nindent 8 }} - {{- end }} - {{- if .Values.controller.podAnnotations }} - annotations: - {{- toYaml .Values.controller.podAnnotations | nindent 8 }} - {{- end }} - spec: - nodeSelector: - kubernetes.io/os: linux - {{- with .Values.controller.nodeSelector }} - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ .Values.controller.serviceAccount.name }} - priorityClassName: {{ .Values.controller.priorityClassName }} - {{- with default .Values.controller.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - operator: Exists - effect: NoExecute - tolerationSeconds: 300 - {{- with .Values.controller.tolerations }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- if .Values.controller.topologySpreadConstraints }} - {{- $tscLabelSelector := dict "labelSelector" ( dict "matchLabels" ( dict "app" "ebs-csi-controller" ) ) }} - {{- $constraints := list }} - {{- range .Values.controller.topologySpreadConstraints }} - {{- $constraints = mustAppend $constraints (mergeOverwrite . $tscLabelSelector) }} - {{- end }} - topologySpreadConstraints: - {{- $constraints | toYaml | nindent 8 }} - {{- end }} - {{- with .Values.controller.securityContext }} - securityContext: - {{- toYaml . 
| nindent 8 }} - {{- end }} - {{- with .Values.controller.initContainers }} - initContainers: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: ebs-plugin - image: {{ printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)) }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - {{- if ne .Release.Name "kustomize" }} - - controller - {{- else }} - # - {all,controller,node} # specify the driver mode - {{- end }} - - --endpoint=$(CSI_ENDPOINT) - {{- if .Values.controller.extraVolumeTags }} - {{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }} - {{- end }} - {{- with .Values.controller.k8sTagClusterId }} - - --k8s-tag-cluster-id={{ . }} - {{- end }} - {{- if and (.Values.controller.enableMetrics) (not .Values.controller.httpEndpoint) }} - - --http-endpoint=0.0.0.0:3301 - {{- end}} - {{- with .Values.controller.httpEndpoint }} - - --http-endpoint={{ . }} - {{- end }} - - --logtostderr - - --v={{ .Values.controller.logLevel }} - {{- range .Values.controller.additionalArgs }} - - {{ . }} - {{- end }} - env: - - name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: aws-secret - key: key_id - optional: true - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: aws-secret - key: access_key - optional: true - - name: AWS_EC2_ENDPOINT - valueFrom: - configMapKeyRef: - name: aws-meta - key: endpoint - optional: true - {{- with .Values.controller.region }} - - name: AWS_REGION - value: {{ . }} - {{- end }} - {{- if .Values.proxy.http_proxy }} - {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} - {{- end }} - {{- with .Values.controller.env }} - {{- . | toYaml | nindent 12 }} - {{- end }} - envFrom: - {{- with .Values.controller.envFrom }} - {{- . 
| toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: aws-token - mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" - readOnly: true - ports: - - name: healthz - containerPort: 9808 - protocol: TCP - {{- if .Values.controller.enableMetrics }} - - name: metrics - containerPort: 3301 - protocol: TCP - {{- end}} - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - {{- with .Values.controller.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.controller.containerSecurityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - - name: csi-provisioner - image: {{ printf "%s:%s" .Values.sidecars.provisioner.image.repository .Values.sidecars.provisioner.image.tag }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.provisioner.image.pullPolicy }} - args: - - --csi-address=$(ADDRESS) - - --v={{ .Values.sidecars.provisioner.logLevel }} - - --feature-gates=Topology=true - {{- if .Values.controller.extraCreateMetadata }} - - --extra-create-metadata - {{- end}} - - --leader-election={{ .Values.sidecars.provisioner.leaderElection.enabled | required "leader election state for csi-provisioner is required, must be set to true || false." 
}} - {{- if .Values.sidecars.provisioner.leaderElection.enabled }} - {{- if .Values.sidecars.provisioner.leaderElection.leaseDuration }} - - --leader-election-lease-duration={{ .Values.sidecars.provisioner.leaderElection.leaseDuration }} - {{- end }} - {{- if .Values.sidecars.provisioner.leaderElection.renewDeadline}} - - --leader-election-renew-deadline={{ .Values.sidecars.provisioner.leaderElection.renewDeadline }} - {{- end }} - {{- if .Values.sidecars.provisioner.leaderElection.retryPeriod }} - - --leader-election-retry-period={{ .Values.sidecars.provisioner.leaderElection.retryPeriod }} - {{- end }} - {{- end }} - - --default-fstype={{ .Values.controller.defaultFsType }} - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - {{- if .Values.proxy.http_proxy }} - {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.provisioner.env }} - {{- . | toYaml | nindent 12 }} - {{- end }} - envFrom: - {{- with .Values.controller.envFrom }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- with default .Values.controller.resources .Values.sidecars.provisioner.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.provisioner.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - - name: csi-attacher - image: {{ printf "%s:%s" .Values.sidecars.attacher.image.repository .Values.sidecars.attacher.image.tag }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.attacher.image.pullPolicy }} - args: - - --csi-address=$(ADDRESS) - - --v={{ .Values.sidecars.attacher.logLevel }} - - --leader-election={{ .Values.sidecars.attacher.leaderElection.enabled | required "leader election state for csi-attacher is required, must be set to true || false." 
}} - {{- if .Values.sidecars.attacher.leaderElection.enabled }} - {{- if .Values.sidecars.attacher.leaderElection.leaseDuration }} - - --leader-election-lease-duration={{ .Values.sidecars.attacher.leaderElection.leaseDuration }} - {{- end }} - {{- if .Values.sidecars.attacher.leaderElection.renewDeadline}} - - --leader-election-renew-deadline={{ .Values.sidecars.attacher.leaderElection.renewDeadline }} - {{- end }} - {{- if .Values.sidecars.attacher.leaderElection.retryPeriod }} - - --leader-election-retry-period={{ .Values.sidecars.attacher.leaderElection.retryPeriod }} - {{- end }} - {{- end }} - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - {{- if .Values.proxy.http_proxy }} - {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.attacher.env }} - {{- . | toYaml | nindent 12 }} - {{- end }} - envFrom: - {{- with .Values.controller.envFrom }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- with default .Values.controller.resources .Values.sidecars.attacher.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.attacher.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if or (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1") }} - - name: csi-snapshotter - image: {{ printf "%s:%s" .Values.sidecars.snapshotter.image.repository .Values.sidecars.snapshotter.image.tag }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.snapshotter.image.pullPolicy }} - args: - - --csi-address=$(ADDRESS) - - --leader-election=true - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - {{- if .Values.proxy.http_proxy }} - {{- include "aws-ebs-csi-driver.http-proxy" . 
| nindent 12 }} - {{- end }} - {{- with .Values.sidecars.snapshotter.env }} - {{- . | toYaml | nindent 12 }} - {{- end }} - envFrom: - {{- with .Values.controller.envFrom }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- with default .Values.controller.resources .Values.sidecars.snapshotter.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.snapshotter.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- end }} - - name: csi-resizer - image: {{ printf "%s:%s" .Values.sidecars.resizer.image.repository .Values.sidecars.resizer.image.tag }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.resizer.image.pullPolicy }} - args: - - --csi-address=$(ADDRESS) - - --v={{ .Values.sidecars.resizer.logLevel }} - - --handle-volume-inuse-error=false - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - {{- if .Values.proxy.http_proxy }} - {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.resizer.env }} - {{- . | toYaml | nindent 12 }} - {{- end }} - envFrom: - {{- with .Values.controller.envFrom }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - {{- with default .Values.controller.resources .Values.sidecars.resizer.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.resizer.securityContext }} - securityContext: - {{- toYaml . 
| nindent 12 }} - {{- end }} - - name: liveness-probe - image: {{ printf "%s:%s" .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.livenessProbe.image.pullPolicy }} - args: - - --csi-address=/csi/csi.sock - envFrom: - {{- with .Values.controller.envFrom }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: socket-dir - mountPath: /csi - {{- with default .Values.controller.resources .Values.sidecars.livenessProbe.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.livenessProbe.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - volumes: - - name: socket-dir - emptyDir: {} - - name: aws-token - projected: - sources: - - serviceAccountToken: - path: token - expirationSeconds: 86400 - audience: "sts.amazonaws.com" diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/csidriver.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/csidriver.yaml deleted file mode 100644 index a46d4b5..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/csidriver.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: {{ ternary "storage.k8s.io/v1" "storage.k8s.io/v1beta1" (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) }} -kind: CSIDriver -metadata: - name: ebs.csi.aws.com - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - attachRequired: true - podInfoOnMount: false - {{- if not .Values.useOldCSIDriver }} - fsGroupPolicy: File - {{- end }} diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/metrics.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/metrics.yaml deleted file mode 100644 index db4ac0d..0000000 
--- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/metrics.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-{{- if .Values.controller.enableMetrics -}}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ebs-csi-controller
- namespace: kube-system
- labels:
- app: ebs-csi-controller
-spec:
- selector:
- app: ebs-csi-controller
- ports:
- - name: metrics
- port: 3301
- targetPort: 3301
- type: ClusterIP
----
-{{- if (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") -}}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: ebs-csi-controller
- namespace: kube-system
- labels:
- app: ebs-csi-controller
- release: prometheus
-spec:
- selector:
- matchLabels:
- app: ebs-csi-controller
- namespaceSelector:
- matchNames:
- - kube-system
- endpoints:
- - targetPort: 3301
- path: /metrics
- interval: 15s
-{{- end }}
-{{- end }}
diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/node-windows.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/node-windows.yaml
deleted file mode 100644
index 5c98fab..0000000
--- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/node-windows.yaml
+++ /dev/null
@@ -1,170 +0,0 @@ -{{- if .Values.node.enableWindows }} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ebs-csi-node-windows - namespace: {{ .Release.Namespace }} - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - app: ebs-csi-node - {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} - updateStrategy: - {{ toYaml .Values.node.updateStrategy | nindent 4 }} - template: - metadata: - labels: - app: ebs-csi-node - {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - {{- if .Values.node.podLabels }} - {{- toYaml .Values.node.podLabels | nindent 8 }} - {{- end }} - {{- with .Values.node.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- with .Values.node.affinity }} - affinity: {{- toYaml . | nindent 8 }} - {{- end }} - nodeSelector: - kubernetes.io/os: windows - {{- with .Values.node.nodeSelector }} - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ .Values.node.serviceAccount.name }} - priorityClassName: {{ .Values.node.priorityClassName | default "system-node-critical" }} - tolerations: - {{- if .Values.node.tolerateAllTaints }} - - operator: Exists - {{- else }} - {{- with .Values.node.tolerations }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - containers: - - name: ebs-plugin - image: {{ printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - node - - --endpoint=$(CSI_ENDPOINT) - {{- with .Values.node.volumeAttachLimit }} - - --volume-attach-limit={{ . }} - {{- end }} - - --logtostderr - - --v={{ .Values.node.logLevel }} - env: - - name: CSI_ENDPOINT - value: unix:/csi/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.proxy.http_proxy }} - {{- include "aws-ebs-csi-driver.http-proxy" . 
| nindent 12 }} - {{- end }} - {{- with .Values.node.env }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: kubelet-dir - mountPath: C:\var\lib\kubelet - mountPropagation: "None" - - name: plugin-dir - mountPath: C:\csi - - name: csi-proxy-disk-pipe - mountPath: \\.\pipe\csi-proxy-disk-v1 - - name: csi-proxy-volume-pipe - mountPath: \\.\pipe\csi-proxy-volume-v1 - - name: csi-proxy-filesystem-pipe - mountPath: \\.\pipe\csi-proxy-filesystem-v1 - ports: - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - {{- with .Values.node.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - - name: node-driver-registrar - image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrar.image.repository .Values.sidecars.nodeDriverRegistrar.image.tag }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.nodeDriverRegistrar.image.pullPolicy }} - args: - - --csi-address=$(ADDRESS) - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v={{ .Values.sidecars.nodeDriverRegistrar.logLevel }} - env: - - name: ADDRESS - value: unix:/csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: C:\var\lib\kubelet\plugins\ebs.csi.aws.com\csi.sock - {{- if .Values.proxy.http_proxy }} - {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.nodeDriverRegistrar.env }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: plugin-dir - mountPath: C:\csi - - name: registration-dir - mountPath: C:\registration - {{- with default .Values.node.resources .Values.sidecars.nodeDriverRegistrar.resources }} - resources: - {{- toYaml . 
| nindent 12 }} - {{- end }} - - name: liveness-probe - image: {{ printf "%s:%s" .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.livenessProbe.image.pullPolicy }} - args: - - --csi-address=unix:/csi/csi.sock - volumeMounts: - - name: plugin-dir - mountPath: C:\csi - {{- with default .Values.node.resources .Values.sidecars.livenessProbe.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - volumes: - - name: kubelet-dir - hostPath: - path: C:\var\lib\kubelet - type: Directory - - name: plugin-dir - hostPath: - path: C:\var\lib\kubelet\plugins\ebs.csi.aws.com - type: DirectoryOrCreate - - name: registration-dir - hostPath: - path: C:\var\lib\kubelet\plugins_registry - type: Directory - - name: csi-proxy-disk-pipe - hostPath: - path: \\.\pipe\csi-proxy-disk-v1 - type: "" - - name: csi-proxy-volume-pipe - hostPath: - path: \\.\pipe\csi-proxy-volume-v1 - type: "" - - name: csi-proxy-filesystem-pipe - hostPath: - path: \\.\pipe\csi-proxy-filesystem-v1 - type: "" -{{- end }} diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/node.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/node.yaml deleted file mode 100644 index ab1db91..0000000 --- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/node.yaml +++ /dev/null 
@@ -1,185 +0,0 @@ -# Node Service -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ebs-csi-node - namespace: {{ .Release.Namespace }} - labels: - {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - app: ebs-csi-node - {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }} - updateStrategy: - {{- toYaml .Values.node.updateStrategy | nindent 4 }} - template: - metadata: - labels: - app: ebs-csi-node - {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }} - {{- if .Values.node.podLabels }} - {{- toYaml .Values.node.podLabels | nindent 8 }} - {{- end }} - {{- with .Values.node.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- with .Values.node.affinity }} - affinity: {{- toYaml . | nindent 8 }} - {{- end }} - nodeSelector: - kubernetes.io/os: linux - {{- with .Values.node.nodeSelector }} - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ .Values.node.serviceAccount.name }} - priorityClassName: {{ .Values.node.priorityClassName | default "system-node-critical" }} - tolerations: - {{- if .Values.node.tolerateAllTaints }} - - operator: Exists - {{- else }} - {{- with .Values.node.tolerations }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- end }} - {{- with .Values.node.securityContext }} - securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: ebs-plugin - image: {{ printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - node - - --endpoint=$(CSI_ENDPOINT) - {{- with .Values.node.volumeAttachLimit }} - - --volume-attach-limit={{ . 
}} - {{- end }} - - --logtostderr - - --v={{ .Values.node.logLevel }} - env: - - name: CSI_ENDPOINT - value: unix:/csi/csi.sock - - name: CSI_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.proxy.http_proxy }} - {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} - {{- end }} - {{- with .Values.node.env }} - {{- . | toYaml | nindent 12 }} - {{- end }} - envFrom: - {{- with .Values.controller.envFrom }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: kubelet-dir - mountPath: {{ .Values.node.kubeletPath }} - mountPropagation: "Bidirectional" - - name: plugin-dir - mountPath: /csi - - name: device-dir - mountPath: /dev - ports: - - name: healthz - containerPort: 9808 - protocol: TCP - livenessProbe: - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - failureThreshold: 5 - {{- with .Values.node.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.node.containerSecurityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - - name: node-driver-registrar - image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrar.image.repository .Values.sidecars.nodeDriverRegistrar.image.tag }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.nodeDriverRegistrar.image.pullPolicy }} - args: - - --csi-address=$(ADDRESS) - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --v={{ .Values.sidecars.nodeDriverRegistrar.logLevel }} - env: - - name: ADDRESS - value: /csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: {{ printf "%s/plugins/ebs.csi.aws.com/csi.sock" (trimSuffix "/" .Values.node.kubeletPath) }} - {{- if .Values.proxy.http_proxy }} - {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.nodeDriverRegistrar.env }} - {{- . | toYaml | nindent 12 }} - {{- end }} - envFrom: - {{- with .Values.controller.envFrom }} - {{- . 
| toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - {{- with default .Values.node.resources .Values.sidecars.nodeDriverRegistrar.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.nodeDriverRegistrar.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - - name: liveness-probe - image: {{ printf "%s:%s" .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.livenessProbe.image.pullPolicy }} - args: - - --csi-address=/csi/csi.sock - envFrom: - {{- with .Values.controller.envFrom }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: plugin-dir - mountPath: /csi - {{- with default .Values.node.resources .Values.sidecars.livenessProbe.resources }} - resources: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.sidecars.livenessProbe.securityContext }} - securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} - volumes: - - name: kubelet-dir - hostPath: - path: {{ .Values.node.kubeletPath }} - type: Directory - - name: plugin-dir - hostPath: - path: {{ printf "%s/plugins/ebs.csi.aws.com/" (trimSuffix "/" .Values.node.kubeletPath) }} - type: DirectoryOrCreate - - name: registration-dir - hostPath: - path: {{ printf "%s/plugins_registry/" (trimSuffix "/" .Values.node.kubeletPath) }} - type: Directory - - name: device-dir - hostPath: - path: /dev - type: Directory diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml deleted file mode 100644 index 6f73fa2..0000000 
--- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}
-apiVersion: policy/v1
-{{- else }}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
- name: ebs-csi-controller
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
-spec:
- selector:
- matchLabels:
- app: ebs-csi-controller
- {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
- {{- if le (.Values.controller.replicaCount | int) 2 }}
- maxUnavailable: 1
- {{- else }}
- minAvailable: 2
- {{- end }}
diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
deleted file mode 100644
index a5b1102..0000000
--- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{- if .Values.controller.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ .Values.controller.serviceAccount.name }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
- {{- with .Values.controller.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- {{- if eq .Release.Name "kustomize" }}
- #Enable if EKS IAM roles for service accounts (IRSA) is used. See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html for details.
- #annotations:
- # eks.amazonaws.com/role-arn: arn::iam:::role/ebs-csi-role
- {{- end }}
-{{- end -}}
diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
deleted file mode 100644
index fb85abe..0000000
--- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.node.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ .Values.node.serviceAccount.name }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
- {{- with .Values.node.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end -}}
diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/storageclass.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/storageclass.yaml
deleted file mode 100644
index 847f5e2..0000000
--- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/templates/storageclass.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-{{- range .Values.storageClasses }}
----
-kind: StorageClass
-apiVersion: storage.k8s.io/v1
-metadata:
- name: {{ .name }}
- {{- with .annotations }}
- annotations: {{- . | toYaml | trim | nindent 4 }}
- {{- end }}
- {{- with .labels }}
- labels: {{- . | toYaml | trim | nindent 4 }}
- {{- end }}
-provisioner: ebs.csi.aws.com
-{{ omit (dict "volumeBindingMode" "WaitForFirstConsumer" | merge .) "name" "annotations" "labels" | toYaml }}
-{{- end }}
diff --git a/charts/kubezero-storage/charts/aws-ebs-csi-driver/values.yaml b/charts/kubezero-storage/charts/aws-ebs-csi-driver/values.yaml
deleted file mode 100644
index 047f3fc..0000000
--- a/charts/kubezero-storage/charts/aws-ebs-csi-driver/values.yaml
+++ /dev/null
@@ -1,279 +0,0 @@ -# Default values for aws-ebs-csi-driver. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -image: - repository: public.ecr.aws/ebs-csi-driver/aws-ebs-csi-driver - # Overrides the image tag whose default is v{{ .Chart.AppVersion }} - tag: "" - pullPolicy: IfNotPresent - -# -- Custom labels to add into metadata -customLabels: - {} - # k8s-app: aws-ebs-csi-driver - -sidecars: - provisioner: - env: [] - image: - pullPolicy: IfNotPresent - repository: k8s.gcr.io/sig-storage/csi-provisioner - tag: "v3.1.0" - logLevel: 2 - resources: {} - # Tune leader lease election for csi-provisioner. - # Leader election is on by default. - leaderElection: - enabled: true - # Optional values to tune lease behavior. - # The arguments provided must be in an acceptable time.ParseDuration format. - # Ref: https://pkg.go.dev/flag#Duration - # leaseDuration: "15s" - # renewDeadline: "10s" - # retryPeriod: "5s" - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - attacher: - env: [] - image: - pullPolicy: IfNotPresent - repository: k8s.gcr.io/sig-storage/csi-attacher - tag: "v3.4.0" - # Tune leader lease election for csi-attacher. - # Leader election is on by default. - leaderElection: - enabled: true - # Optional values to tune lease behavior. - # The arguments provided must be in an acceptable time.ParseDuration format. 
- # Ref: https://pkg.go.dev/flag#Duration - # leaseDuration: "15s" - # renewDeadline: "10s" - # retryPeriod: "5s" - logLevel: 2 - resources: {} - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - snapshotter: - env: [] - image: - pullPolicy: IfNotPresent - repository: k8s.gcr.io/sig-storage/csi-snapshotter - tag: "v6.0.1" - logLevel: 2 - resources: {} - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - livenessProbe: - image: - pullPolicy: IfNotPresent - repository: k8s.gcr.io/sig-storage/livenessprobe - tag: "v2.6.0" - resources: {} - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - resizer: - env: [] - image: - pullPolicy: IfNotPresent - repository: k8s.gcr.io/sig-storage/csi-resizer - tag: "v1.4.0" - logLevel: 2 - resources: {} - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - nodeDriverRegistrar: - env: [] - image: - pullPolicy: IfNotPresent - repository: k8s.gcr.io/sig-storage/csi-node-driver-registrar - tag: "v2.5.1" - logLevel: 2 - resources: {} - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - -proxy: - http_proxy: - no_proxy: - -imagePullSecrets: [] -nameOverride: -fullnameOverride: - -controller: - # If arbitrary args like "--aws-sdk-debug-log=true" need to be passed, use this value - additionalArgs: [] - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - # The default filesystem type of the volume to provision when fstype is unspecified in the StorageClass. 
- # If the default is not set and fstype is unset in the StorageClass, then no fstype will be set - defaultFsType: ext4 - env: [] - # Use envFrom to reference ConfigMaps and Secrets across all containers in the deployment - envFrom: [] - # If set, add pv/pvc metadata to plugin create requests as parameters. - extraCreateMetadata: true - # Extra volume tags to attach to each dynamically provisioned volume. - # --- - # extraVolumeTags: - # key1: value1 - # key2: value2 - extraVolumeTags: {} - httpEndpoint: - # (deprecated) The TCP network address where the prometheus metrics endpoint - # will run (example: `:8080` which corresponds to port 8080 on local host). - # The default is empty string, which means metrics endpoint is disabled. - # --- - enableMetrics: false - # If set to true, AWS API call metrics will be exported to the following - # TCP endpoint: "0.0.0.0:3301" - # --- - # ID of the Kubernetes cluster used for tagging provisioned EBS volumes (optional). - k8sTagClusterId: - logLevel: 2 - nodeSelector: {} - podAnnotations: {} - podLabels: {} - priorityClassName: system-cluster-critical - # AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata - # service. - # --- - # region: us-east-1 - region: - replicaCount: 2 - updateStrategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 - resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # Note that you will need to set resource requests if you want the cluster autoscaler to - # scale your nodes when you increase/decrease the number of ebs-csi-controller replicas. 
- # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - serviceAccount: - create: true # A service account will be created for you if set to true. Set to false if you want to use your own. - name: ebs-csi-controller-sa # Name of the service-account to be used/created. - annotations: {} - tolerations: [] - # TSCs without the label selector stanza - # - # Example: - # - # topologySpreadConstraints: - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: ScheduleAnyway - # - maxSkew: 1 - # topologyKey: kubernetes.io/hostname - # whenUnsatisfiable: ScheduleAnyway - topologySpreadConstraints: [] - # securityContext on the controller pod - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - # securityContext on the controller container (see sidecars for securityContext on sidecar containers) - containerSecurityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - initContainers: [] - # containers to be run before the controller's container starts. 
- # - # Example: - # - # - name: wait - # image: busybox - # command: [ 'sh', '-c', "sleep 20" ] - -node: - env: [] - envFrom: [] - kubeletPath: /var/lib/kubelet - logLevel: 2 - priorityClassName: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - nodeSelector: {} - podAnnotations: {} - podLabels: {} - tolerateAllTaints: true - tolerations: - - operator: Exists - effect: NoExecute - tolerationSeconds: 300 - resources: {} - serviceAccount: - create: true - name: ebs-csi-node-sa - annotations: {} - enableWindows: false - # The "maximum number of attachable volumes" per node - volumeAttachLimit: - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: "10%" - # securityContext on the node pod - securityContext: - # The node pod must be run as root to bind to the registration/driver sockets - runAsNonRoot: false - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 - # securityContext on the node container (see sidecars for securityContext on sidecar containers) - containerSecurityContext: - readOnlyRootFilesystem: true - privileged: true - -storageClasses: [] -# Add StorageClass resources like: -# - name: ebs-sc -# # annotation metadata -# annotations: -# storageclass.kubernetes.io/is-default-class: "true" -# # label metadata -# labels: -# my-label-is: supercool -# # defaults to WaitForFirstConsumer -# volumeBindingMode: WaitForFirstConsumer -# # defaults to Delete -# reclaimPolicy: Retain -# parameters: -# encrypted: "true" - -# Use old CSIDriver without an fsGroupPolicy set -# Intended for use with older clusters that cannot easily replace the CSIDriver object -# This parameter should always be false for new installations -useOldCSIDriver: false 
diff --git a/charts/kubezero-storage/charts/aws-efs-csi-driver/CHANGELOG.md b/charts/kubezero-storage/charts/aws-efs-csi-driver/CHANGELOG.md index 23d892c..d913522 100644 --- a/charts/kubezero-storage/charts/aws-efs-csi-driver/CHANGELOG.md +++ b/charts/kubezero-storage/charts/aws-efs-csi-driver/CHANGELOG.md @@ -1,4 +1,12 @@ # Helm chart +# v2.3.2 +* Bump app/driver version to `v1.4.5` + +# v2.3.1 +* Bump app/driver version to `v1.4.4` + +# v2.3.0 +* Bump app/driver version to `v1.4.3` # v2.2.9 * Bump app/driver version to `v1.4.2` diff --git a/charts/kubezero-storage/charts/aws-efs-csi-driver/Chart.yaml b/charts/kubezero-storage/charts/aws-efs-csi-driver/Chart.yaml index 0ca18ea..9482e6c 100644 --- a/charts/kubezero-storage/charts/aws-efs-csi-driver/Chart.yaml +++ b/charts/kubezero-storage/charts/aws-efs-csi-driver/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.4.2 +appVersion: 1.4.5 description: A Helm chart for AWS EFS CSI Driver home: https://github.com/kubernetes-sigs/aws-efs-csi-driver keywords: @@ -15,4 +15,4 @@ maintainers: name: aws-efs-csi-driver sources: - https://github.com/kubernetes-sigs/aws-efs-csi-driver -version: 2.2.9 +version: 2.3.2 diff --git a/charts/kubezero-storage/charts/aws-efs-csi-driver/templates/node-daemonset.yaml b/charts/kubezero-storage/charts/aws-efs-csi-driver/templates/node-daemonset.yaml index d7cd908..3d9a17a 100644 --- a/charts/kubezero-storage/charts/aws-efs-csi-driver/templates/node-daemonset.yaml +++ b/charts/kubezero-storage/charts/aws-efs-csi-driver/templates/node-daemonset.yaml @@ -36,7 +36,7 @@ spec: {{- end }} {{- end }} nodeSelector: - beta.kubernetes.io/os: linux + kubernetes.io/os: linux {{- with .Values.node.nodeSelector }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/charts/kubezero-storage/charts/aws-efs-csi-driver/values.yaml b/charts/kubezero-storage/charts/aws-efs-csi-driver/values.yaml index f49beb1..615c791 100644 --- a/charts/kubezero-storage/charts/aws-efs-csi-driver/values.yaml 
+++ b/charts/kubezero-storage/charts/aws-efs-csi-driver/values.yaml @@ -11,7 +11,7 @@ useFIPS: false image: repository: amazon/aws-efs-csi-driver - tag: "v1.4.2" + tag: "v1.4.5" pullPolicy: IfNotPresent sidecars: diff --git a/charts/kubezero-storage/charts/gemini/templates/deployment.yaml b/charts/kubezero-storage/charts/gemini/templates/deployment.yaml index d435c6d..2486654 100644 --- a/charts/kubezero-storage/charts/gemini/templates/deployment.yaml +++ b/charts/kubezero-storage/charts/gemini/templates/deployment.yaml @@ -24,6 +24,8 @@ spec: tolerations: - effect: NoSchedule key: node-role.kubernetes.io/master + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane containers: - command: - gemini diff --git a/charts/kubezero-storage/ebs.patch b/charts/kubezero-storage/ebs.patch deleted file mode 100644 index a607f1a..0000000 --- a/charts/kubezero-storage/ebs.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -tuNr charts/aws-ebs-csi-driver.orig/templates/controller.yaml charts/aws-ebs-csi-driver/templates/controller.yaml ---- charts/aws-ebs-csi-driver.orig/templates/controller.yaml 2021-08-12 10:46:10.000000000 +0200 -+++ charts/aws-ebs-csi-driver/templates/controller.yaml 2021-09-07 15:13:47.497732918 +0200 -@@ -114,6 +114,9 @@ - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ -+ - name: aws-token -+ mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" -+ readOnly: true - ports: - - name: healthz - containerPort: 9808 -@@ -252,3 +255,10 @@ - volumes: - - name: socket-dir - emptyDir: {} -+ - name: aws-token -+ projected: -+ sources: -+ - serviceAccountToken: -+ path: token -+ expirationSeconds: 86400 -+ audience: "sts.amazonaws.com" diff --git a/charts/kubezero-storage/gemini.patch b/charts/kubezero-storage/gemini.patch index 26177f3..f29eacc 100644 --- a/charts/kubezero-storage/gemini.patch +++ b/charts/kubezero-storage/gemini.patch 
@@ -1,7 +1,7 @@ diff -rtubN charts/gemini/templates/deployment.yaml charts/gemini.zdt/templates/deployment.yaml --- charts/gemini/templates/deployment.yaml 2021-04-19 12:00:43.605005861 +0200 +++ charts/gemini.zdt/templates/deployment.yaml 2021-04-19 12:00:08.365005781 +0200 -@@ -19,6 +19,11 @@ +@@ -19,6 +19,13 @@ {{- else }} serviceAccountName: {{ .Values.rbac.serviceAccountName }} {{- end }} @@ -10,6 +10,8 @@ diff -rtubN charts/gemini/templates/deployment.yaml charts/gemini.zdt/templates/ + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master ++ - effect: NoSchedule ++ key: node-role.kubernetes.io/control-plane containers: - command: - gemini diff --git a/charts/kubezero-storage/jsonnet/dashboards.yaml b/charts/kubezero-storage/jsonnet/dashboards.yaml index e4afcb5..c9c6b5c 100644 --- a/charts/kubezero-storage/jsonnet/dashboards.yaml +++ b/charts/kubezero-storage/jsonnet/dashboards.yaml @@ -1,4 +1,4 @@ -configmap: openebs-lvmlocalpv-grafana-dashboard +configmap: grafana-dashboard-lvmlocalpv gzip: true folder: KubeZero condition: 'index .Values "lvm-localpv" "prometheus" "enabled"' diff --git a/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json b/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json index 926e4f0..fe1c4ed 100644 --- a/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json +++ b/charts/kubezero-storage/jsonnet/jsonnetfile.lock.json @@ -18,7 +18,7 @@ "subdir": "contrib/mixin" } }, - "version": "acc7463fb2dc7037f571a02e65afd6e573a6344c", + "version": "9e3966fbce6dccd2271b7ade588fefeb4ca7b247", "sum": "W/Azptf1PoqjyMwJON96UY69MFugDA4IAYiKURscryc=" }, { @@ -38,7 +38,7 @@ "subdir": "grafana-builder" } }, - "version": "d73aff453c9784cd6922119f3ce33d8d355a79e1", + "version": "d68f9a6e0b1af7c4c4056dc2b43fb8f3bac01f43", "sum": "tDR6yT2GVfw0wTU12iZH+m01HrbIr6g/xN+/8nzNkU0=" }, { 
@@ -58,7 +58,7 @@ "subdir": "lib/promgrafonnet" } }, - "version": "7b559e800a32a2a80caf4c968f37c4999ec44689", + "version": "3c386687c1f8ceb6b79ff887c4a934e9cee1b90a", "sum": "zv7hXGui6BfHzE9wPatHI/AGZa4A2WKo6pq7ZdqBsps=" }, { diff --git a/charts/kubezero-storage/templates/lvm/grafana-dashboards.yaml b/charts/kubezero-storage/templates/lvm/grafana-dashboards.yaml index 5a90fa8..8a4d5aa 100644 --- a/charts/kubezero-storage/templates/lvm/grafana-dashboards.yaml +++ b/charts/kubezero-storage/templates/lvm/grafana-dashboards.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "openebs-lvmlocalpv-grafana-dashboard" | trunc 63 | trimSuffix "-" }} + name: {{ printf "%s-%s" (include "kubezero-lib.fullname" $) "grafana-dashboard-lvmlocalpv" | trunc 63 | trimSuffix "-" }} namespace: {{ .Release.Namespace }} labels: grafana_dashboard: "1" diff --git a/charts/kubezero-storage/templates/snapshot-controller/controller.yaml b/charts/kubezero-storage/templates/snapshot-controller/controller.yaml index 2d6357e..b1def12 100644 --- a/charts/kubezero-storage/templates/snapshot-controller/controller.yaml +++ b/charts/kubezero-storage/templates/snapshot-controller/controller.yaml @@ -1,3 +1,4 @@ +{{- if .Values.snapshotController.enabled }} kind: StatefulSet apiVersion: apps/v1 metadata: @@ -46,3 +47,4 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} +{{- end }} diff --git a/charts/kubezero-storage/templates/snapshot-controller/rbac.yaml b/charts/kubezero-storage/templates/snapshot-controller/rbac.yaml index c335413..b3ca826 100644 --- a/charts/kubezero-storage/templates/snapshot-controller/rbac.yaml +++ b/charts/kubezero-storage/templates/snapshot-controller/rbac.yaml @@ -1,3 +1,4 @@ +{{- if .Values.snapshotController.enabled }} # RBAC file for the snapshot controller. # # The snapshot controller implements the control loop for CSI snapshot functionality. 
@@ -83,4 +84,4 @@ roleRef: kind: Role name: snapshot-controller-leaderelection apiGroup: rbac.authorization.k8s.io - +{{- end }} diff --git a/charts/kubezero-storage/update.sh b/charts/kubezero-storage/update.sh index 5961372..4824a2a 100755 --- a/charts/kubezero-storage/update.sh +++ b/charts/kubezero-storage/update.sh @@ -1,6 +1,8 @@ #!/bin/bash set -ex +helm dependencies update + ### Gemini rm -rf charts/gemini helm pull fairwinds-stable/gemini --untar --untardir charts @@ -16,10 +18,10 @@ mv charts/lvm-localpv/crds/volumesnapshot* crds patch -i lvm.patch -p0 --no-backup-if-mismatch ### EBS -VERSION=$(yq eval '.dependencies[] | select(.name=="aws-ebs-csi-driver") | .version' Chart.yaml) -rm -rf charts/aws-ebs-csi-driver -curl -L -s -o - https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/download/helm-chart-aws-ebs-csi-driver-${VERSION}/aws-ebs-csi-driver-${VERSION}.tgz | tar xfz - -C charts -patch -i ebs.patch -p0 --no-backup-if-mismatch +#VERSION=$(yq eval '.dependencies[] | select(.name=="aws-ebs-csi-driver") | .version' Chart.yaml) +#rm -rf charts/aws-ebs-csi-driver +#curl -L -s -o - https://github.com/kubernetes-sigs/aws-ebs-csi-driver/releases/download/helm-chart-aws-ebs-csi-driver-${VERSION}/aws-ebs-csi-driver-${VERSION}.tgz | tar xfz - -C charts +#patch -i ebs.patch -p0 --no-backup-if-mismatch ### EFS VERSION=$(yq eval '.dependencies[] | select(.name=="aws-efs-csi-driver") | .version' Chart.yaml) diff --git a/charts/kubezero-storage/values.yaml b/charts/kubezero-storage/values.yaml index 852b176..4846c12 100644 --- a/charts/kubezero-storage/values.yaml +++ b/charts/kubezero-storage/values.yaml @@ -1,11 +1,13 @@ snapshotController: - enabled: true + enabled: false replicas: 1 logLevel: 2 tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" 
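Review bot: The EBS section of update.sh is kept as four commented-out lines rather than removed; `ebs.patch` is deleted in this same commit and the chart now arrives through the added `helm dependencies update`, so the block can never be re-enabled as written and only misleads the next maintainer. Replace the four `#` lines with a single pointer such as `### EBS is a packaged dependency now, fetched by 'helm dependencies update' above` so the section heading still explains where the chart comes from.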
@@ -34,6 +36,8 @@ lvm-localpv: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" @@ -51,6 +55,9 @@ gemini: enabled: false # verbosity: 1 + #image: + # tag: build_500 + resources: requests: memory: 32Mi @@ -74,6 +81,8 @@ aws-ebs-csi-driver: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule # k8sTagClusterId: # region: @@ -86,6 +95,20 @@ aws-ebs-csi-driver: # value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" #- name: AWS_STS_REGIONAL_ENDPOINTS # value: regional + + volumeMounts: + - name: aws-token + mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + readOnly: true + volumes: + - name: aws-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 86400 + audience: "sts.amazonaws.com" + resources: requests: cpu: 10m @@ -146,6 +169,8 @@ aws-efs-csi-driver: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule nodeSelector: node-role.kubernetes.io/control-plane: "" diff --git a/charts/kubezero/Chart.yaml b/charts/kubezero/Chart.yaml index 8e26a5d..6d3cc36 100644 --- a/charts/kubezero/Chart.yaml +++ b/charts/kubezero/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero description: KubeZero - Root App of Apps chart type: application -version: 1.23.11 +version: 1.24.9 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -15,4 +15,4 @@ dependencies: - name: kubezero-lib version: ">= 0.1.5" repository: https://cdn.zero-downtime.net/charts -kubeVersion: ">= 1.20.0" +kubeVersion: ">= 1.24.0" diff --git a/charts/kubezero/README.md b/charts/kubezero/README.md index 5924217..5d5cfe2 100644 --- a/charts/kubezero/README.md 
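Review bot: In the `@@ -86,6 +95,20 @@` hunk the `aws-token` projected service-account token and its mount become part of the sub-chart's default values and are therefore rendered into the ebs-csi controller pod unconditionally, while the `AWS_WEB_IDENTITY_TOKEN_FILE` / `AWS_STS_REGIONAL_ENDPOINTS` entries directly above stay commented-out examples. If the matching env block is meant to be supplied by the umbrella chart when `global.aws` is set (that appears to be the pattern elsewhere in this commit, but it is not visible here), a one-line comment above `volumeMounts:` would spare the reader the question, e.g. `# STS-audience token for IRSA; the AWS_* env vars that consume it are expected from the parent chart`. Otherwise a bound token is mounted into a pod that has nothing to use it, which is worth stating explicitly.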
+++ b/charts/kubezero/README.md @@ -1,6 +1,6 @@ # kubezero -![Version: 1.23.11](https://img.shields.io/badge/Version-1.23.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 1.24.9](https://img.shields.io/badge/Version-1.24.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) KubeZero - Root App of Apps chart @@ -14,7 +14,7 @@ KubeZero - Root App of Apps chart ## Requirements -Kubernetes: `>= 1.20.0` +Kubernetes: `>= 1.24.0` | Repository | Name | Version | |------------|------|---------| 
@@ -24,55 +24,61 @@ Kubernetes: `>= 1.20.0` | Key | Type | Default | Description | |-----|------|---------|-------------| +| addons.aws-eks-asg-rolling-update-handler.enabled | bool | `false` | | | addons.aws-node-termination-handler.enabled | bool | `false` | | | addons.cluster-autoscaler.enabled | bool | `false` | | | addons.clusterBackup.enabled | bool | `false` | | | addons.enabled | bool | `true` | | | addons.external-dns.enabled | bool | `false` | | | addons.forseti.enabled | bool | `false` | | -| addons.targetRevision | string | `"0.6.3"` | | +| addons.sealed-secrets.enabled | bool | `false` | | +| addons.targetRevision | string | `"0.7.3"` | | +| argocd.argocd-image-updater.enabled | bool | `false` | | | argocd.enabled | bool | `false` | | | argocd.istio.enabled | bool | `false` | | | argocd.namespace | string | `"argocd"` | | -| argocd.targetRevision | string | `"0.10.2"` | | +| argocd.targetRevision | string | `"0.11.2"` | | | cert-manager.enabled | bool | `false` | | | cert-manager.namespace | string | `"cert-manager"` | | -| cert-manager.targetRevision | string | `"0.9.2"` | | +| cert-manager.targetRevision | string | `"0.9.3"` | | | global.clusterName | string | `"zdt-trial-cluster"` | | | global.highAvailable | bool | `false` | | | istio-ingress.chart | string | `"kubezero-istio-gateway"` | | | istio-ingress.enabled | bool | `false` | | | istio-ingress.gateway.service | object | `{}` | | | istio-ingress.namespace | string | `"istio-ingress"` | | -| istio-ingress.targetRevision | string | `"0.8.2"` | | +| istio-ingress.targetRevision | string | `"0.9.0"` | | | istio-private-ingress.chart | string | `"kubezero-istio-gateway"` | | | istio-private-ingress.enabled | bool | `false` | | | istio-private-ingress.gateway.service | object | `{}` | | | istio-private-ingress.namespace | string | `"istio-ingress"` | | -| istio-private-ingress.targetRevision | string | `"0.8.2"` | | +| istio-private-ingress.targetRevision | string | `"0.9.0"` | | | istio.enabled | 
bool | `false` | | | istio.namespace | string | `"istio-system"` | | -| istio.targetRevision | string | `"0.8.3"` | | +| istio.targetRevision | string | `"0.9.0"` | | | kubezero.defaultTargetRevision | string | `"*"` | | | kubezero.gitSync | object | `{}` | | | kubezero.repoURL | string | `"https://cdn.zero-downtime.net/charts"` | | | kubezero.server | string | `"https://kubernetes.default.svc"` | | | logging.enabled | bool | `false` | | | logging.namespace | string | `"logging"` | | -| logging.targetRevision | string | `"0.8.3"` | | +| logging.targetRevision | string | `"0.8.4"` | | | metrics.enabled | bool | `false` | | | metrics.istio.grafana | object | `{}` | | | metrics.istio.prometheus | object | `{}` | | | metrics.namespace | string | `"monitoring"` | | -| metrics.targetRevision | string | `"0.8.5"` | | +| metrics.targetRevision | string | `"0.8.9"` | | | network.cilium.cluster | object | `{}` | | | network.enabled | bool | `true` | | | network.retain | bool | `true` | | -| network.targetRevision | string | `"0.3.4"` | | +| network.targetRevision | string | `"0.4.2"` | | | storage.aws-ebs-csi-driver.enabled | bool | `false` | | | storage.aws-efs-csi-driver.enabled | bool | `false` | | | storage.enabled | bool | `false` | | -| storage.targetRevision | string | `"0.7.1"` | | +| storage.gemini.enabled | bool | `false` | | +| storage.snapshotController.enabled | bool | `false` | | +| storage.targetRevision | string | `"0.7.4"` | | +| storage.velero.enabled | bool | `false` | | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/kubezero/templates/addons.yaml b/charts/kubezero/templates/addons.yaml index 1362e86..f0edc0f 100644 --- a/charts/kubezero/templates/addons.yaml +++ b/charts/kubezero/templates/addons.yaml 
@@ -28,32 +28,6 @@ forseti: iamRoleArn: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.kubezeroForseti" {{- end }} -aws-node-termination-handler: - enabled: {{ ternary "true" "false" (or (hasKey .Values.global "aws") (index .Values "addons" "aws-node-termination-handler" "enabled")) }} - - {{- with omit (index .Values "addons" "aws-node-termination-handler") "enabled" }} - {{- toYaml . | nindent 2 }} - {{- end }} - - {{- with .Values.metrics }} - enablePrometheusServer: {{ .enabled }} - {{- end }} - - {{- if .Values.global.aws }} - # AWS - queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth" - managedAsgTag: "aws-node-termination-handler/{{ .Values.global.clusterName }}" - extraEnv: - - name: AWS_ROLE_ARN - value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth" - - name: AWS_WEB_IDENTITY_TOKEN_FILE - value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" - - name: AWS_STS_REGIONAL_ENDPOINTS - value: "regional" - - name: METADATA_TRIES - value: "0" - {{- end }} - external-dns: enabled: {{ ternary "true" "false" (or (hasKey .Values.global "aws") (index .Values "addons" "external-dns" "enabled")) }} 
@@ -77,10 +51,22 @@ external-dns: value: "regional" - name: METADATA_TRIES value: "0" + extraVolumes: + - name: aws-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 86400 + audience: "sts.amazonaws.com" + extraVolumeMounts: + - name: aws-token + mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + readOnly: true {{- end }} cluster-autoscaler: - enabled: {{ default "false" (index .Values "addons" "cluster-autoscaler" "enabled") }} + enabled: {{ ternary "true" "false" (or (hasKey .Values.global "aws") (index .Values "addons" "cluster-autoscaler" "enabled")) }} {{- with omit (index .Values "addons" "cluster-autoscaler") "enabled" }} {{- toYaml . | nindent 2 }} 
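Review bot: With `or (hasKey .Values.global "aws") (index … "enabled")` the cluster-autoscaler can no longer be switched off on an AWS cluster, because `hasKey` wins before the explicit `addons.cluster-autoscaler.enabled` value is consulted, while charts/kubezero/values.yaml and the README in this same commit still present `enabled: false` as the default. If forcing it on is intended (the same idiom is already used for external-dns above), say so next to the default, e.g. `cluster-autoscaler:` / `  enabled: false  # implied true whenever global.aws is set`. Otherwise the addon's own key needs a `hasKey` test before falling back to the AWS default. The enclosing `{{- define }}` begins before this hunk.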
@@ -134,6 +120,69 @@ nvidia-device-plugin: {{- toYaml . | nindent 2 }} {{- end }} +{{- with index .Values "addons" "sealed-secrets" }} +sealed-secrets: + {{- toYaml . | nindent 2 }} + + {{- with $.Values.metrics }} + metrics: + serviceMonitor: + enabled: {{ .enabled }} + {{- end }} +{{- end }} + +{{- if .Values.global.aws }} +# AWS only +aws-node-termination-handler: + enabled: {{ default "true" (index .Values "addons" "aws-node-termination-handler" "enabled") }} + + {{- with omit (index .Values "addons" "aws-node-termination-handler") "enabled" }} + {{- toYaml . | nindent 2 }} + {{- end }} + + {{- with .Values.metrics }} + enablePrometheusServer: {{ .enabled }} + {{- end }} + + queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth" + managedTag: "aws-node-termination-handler/{{ .Values.global.clusterName }}" + extraEnv: + - name: AWS_ROLE_ARN + value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth" + - name: AWS_WEB_IDENTITY_TOKEN_FILE + value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" + - name: AWS_STS_REGIONAL_ENDPOINTS + value: "regional" + - name: METADATA_TRIES + value: "0" + +aws-eks-asg-rolling-update-handler: + enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }} + + {{- with omit (index .Values "addons" "aws-eks-asg-rolling-update-handler") "enabled" }} + {{- toYaml . 
| nindent 2 }} + {{- end }} + + environmentVars: + - name: CLUSTER_NAME + value: {{ .Values.global.clusterName }} + - name: AWS_REGION + value: {{ .Values.global.aws.region }} + - name: EXECUTION_INTERVAL + value: "60" + - name: METRICS + value: "{{ .Values.metrics.enabled }}" + - name: EAGER_CORDONING + value: "true" + - name: SLOW_MODE + value: "true" + - name: AWS_ROLE_ARN + value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsRuh" + - name: AWS_WEB_IDENTITY_TOKEN_FILE + value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" + - name: AWS_STS_REGIONAL_ENDPOINTS +{{- end }} + {{- end }} {{- define "addons-argo" }} diff --git a/charts/kubezero/templates/argocd.yaml b/charts/kubezero/templates/argocd.yaml index 797f33d..705fb9e 100644 --- a/charts/kubezero/templates/argocd.yaml +++ b/charts/kubezero/templates/argocd.yaml @@ -1,6 +1,11 @@ {{- define "argocd-values" }} argo-cd: + {{- with index .Values "argocd" "configs" }} + configs: + {{- toYaml . | nindent 4 }} + {{- end }} + controller: metrics: enabled: {{ .Values.metrics.enabled }} @@ -10,10 +15,9 @@ argo-cd: server: metrics: enabled: {{ .Values.metrics.enabled }} - {{- with index .Values "argocd" "server" }} - {{- toYaml . | nindent 4 }} - {{- end }} - additionalProjects: + +argocd-apps: + projects: - name: kubezero namespace: argocd description: KubeZero - ZeroDownTime Kubernetes Platform @@ -28,7 +32,7 @@ argo-cd: clusterResourceWhitelist: - group: '*' kind: '*' - additionalApplications: + applications: - name: kubezero-git-sync namespace: argocd project: kubezero 
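Review bot: In the new `aws-eks-asg-rolling-update-handler` block the last entry `- name: AWS_STS_REGIONAL_ENDPOINTS` has no `value:` line before the closing `{{- end }}`; Kubernetes renders a `value`-less env var as the empty string, so the SDK falls back to its own default instead of the regional STS endpoint that every other IRSA block in this file requests. Add `value: "regional"` after that line, indented like the other `value:` lines. A related caveat for both new handlers: `default "true" (index … "enabled")` treats an explicit `enabled: false` as empty and therefore also yields `"true"`, so on AWS neither handler can be disabled through values — worth a comment if that is intentional. The enclosing `{{- define }}` begins before this hunk.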
@@ -47,13 +51,44 @@ argo-cd: {{- with .Values.kubezero.syncPolicy }} syncPolicy: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} - {{- with index .Values "argocd" "configs" }} - configs: - {{- toYaml . | nindent 4 }} +argocd-image-updater: + enabled: {{ default "false" (index .Values "argocd" "argocd-image-updater" "enabled") }} + + {{- with omit (index .Values "argocd" "argocd-image-updater") "enabled" }} + {{- toYaml . | nindent 2 }} {{- end }} + {{- if .Values.global.aws }} + extraEnv: + - name: AWS_ROLE_ARN + value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater" + - name: AWS_WEB_IDENTITY_TOKEN_FILE + value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" + - name: AWS_STS_REGIONAL_ENDPOINTS + value: "regional" + - name: METADATA_TRIES + value: "0" + - name: AWS_REGION + value: {{ .Values.global.aws.region }} + volumes: + - name: aws-token + projected: + sources: + - serviceAccountToken: + path: token + expirationSeconds: 86400 + audience: "sts.amazonaws.com" + volumeMounts: + - name: aws-token + mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" + readOnly: true + {{- end }} + + metrics: + enabled: {{ .Values.metrics.enabled }} + {{- if and ( index .Values "argocd" "istio" "enabled" ) .Values.istio.enabled }} istio: {{- with index .Values "argocd" "istio" }} diff --git a/charts/kubezero/templates/istio-ingress.yaml b/charts/kubezero/templates/istio-ingress.yaml index 0e3a9d8..5dd839a 100644 --- a/charts/kubezero/templates/istio-ingress.yaml +++ b/charts/kubezero/templates/istio-ingress.yaml @@ -2,9 +2,6 @@ gateway: name: istio-ingressgateway - labels: - app: istio-ingressgateway - istio: ingressgateway {{- with index .Values "istio-ingress" "gateway" "replicaCount" }} replicaCount: {{ . }} 
@@ -19,17 +16,24 @@ gateway: - matchExpressions: - key: node.kubernetes.io/ingress.public operator: Exists - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - istio-ingressgateway - topologyKey: "kubernetes.io/hostname" {{- end }} + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + service: {{- with index .Values "istio-ingress" "gateway" "service" "type" }} type: {{ . }} diff --git a/charts/kubezero/templates/istio-private-ingress.yaml b/charts/kubezero/templates/istio-private-ingress.yaml index 1d68f90..f33389d 100644 --- a/charts/kubezero/templates/istio-private-ingress.yaml +++ b/charts/kubezero/templates/istio-private-ingress.yaml @@ -2,9 +2,6 @@ gateway: name: istio-private-ingressgateway - labels: - app: istio-private-ingressgateway - istio: private-ingressgateway {{- with index .Values "istio-private-ingress" "gateway" "replicaCount" }} replicaCount: {{ . }} 
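Review bot: The new topologySpreadConstraints select on `app: istio-ingressgateway` / `istio: ingressgateway`, yet the `labels:` block that set exactly those labels is removed in the `@@ -2,9 +2,6 @@` hunk of this file, and the private-ingress file in the next hunks does the same. As far as I can tell the scheduler treats a constraint whose selector does not match the pod itself as satisfied, so if the gateway chart's default pod labels ever differ from these two, the `DoNotSchedule` constraints would silently stop spreading rather than fail. Please confirm the chart sets both labels by default and consider a one-line comment above `topologySpreadConstraints:` such as `# labelSelector must match the gateway chart's default pod labels`.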
@@ -19,17 +16,24 @@ gateway: - matchExpressions: - key: node.kubernetes.io/ingress.private operator: Exists - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - istio-private-ingressgateway - topologyKey: "kubernetes.io/hostname" {{- end }} + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app: istio-private-ingressgateway + istio: private-ingressgateway + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app: istio-private-ingressgateway + istio: private-ingressgateway + service: ports: - name: status-port diff --git a/charts/kubezero/templates/network.yaml b/charts/kubezero/templates/network.yaml index 2a258f7..4a8f66a 100644 --- a/charts/kubezero/templates/network.yaml +++ b/charts/kubezero/templates/network.yaml @@ -1,16 +1,9 @@ {{- define "network-values" }} -# until 1.24 -calico: - enabled: true - -# since 1.22 multus: enabled: true - defaultNetworks: - - "cilium" + clusterNetwork: "cilium" -# since 1.23 cilium: enabled: true diff --git a/charts/kubezero/templates/storage.yaml b/charts/kubezero/templates/storage.yaml index ddd79df..a240f8e 100644 --- a/charts/kubezero/templates/storage.yaml +++ b/charts/kubezero/templates/storage.yaml @@ -12,6 +12,14 @@ gemini: {{- toYaml . | nindent 2 }} {{- end }} +{{- with .Values.storage.velero }} +velero: + {{- toYaml . | nindent 2 }} +{{- end }} + +snapshotController: + enabled: {{ default false (or (index .Values "storage" "velero" "enabled") (index .Values "storage" "gemini" "enabled")) }} + aws-ebs-csi-driver: enabled: {{ default false (index .Values "storage" "aws-ebs-csi-driver" "enabled")}} controller: diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 3d43478..6c39133 100644 --- a/charts/kubezero/values.yaml 
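Review bot: Dropping the `calico:` block from the generated values only stops rendering it; whether calico is actually removed from an upgraded cluster depends on the kubezero-network chart (targetRevision 0.4.2 in this commit) defaulting `calico.enabled` to false, which is not visible here and worth confirming before the release notes promise "calico gets removed". The switch from `defaultNetworks: ["cilium"]` to `clusterNetwork: "cilium"` is likewise a schema change in that subchart; a short comment such as `# multus >= 0.4: clusterNetwork replaces defaultNetworks` next to the key would spare the next reader a dig through the chart history.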
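Review bot: values.yaml in this commit introduces `storage.snapshotController.enabled`, but the new `snapshotController:` block derives `enabled` solely from the velero and gemini flags, so setting that value has no effect and the default is misleading; either fold it in, `enabled: {{ default false (or (index .Values "storage" "snapshotController" "enabled") (index .Values "storage" "velero" "enabled") (index .Values "storage" "gemini" "enabled")) }}`, or drop the key from values.yaml. A comment above the block stating that the snapshot controller is switched on automatically whenever velero or gemini is enabled would also document the coupling.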
+++ b/charts/kubezero/values.yaml @@ -10,48 +10,58 @@ global: addons: enabled: true - targetRevision: 0.6.3 + targetRevision: 0.7.3 external-dns: enabled: false forseti: enabled: false clusterBackup: enabled: false + cluster-autoscaler: + enabled: false + sealed-secrets: + enabled: false aws-node-termination-handler: enabled: false - cluster-autoscaler: + aws-eks-asg-rolling-update-handler: enabled: false network: enabled: true retain: true - targetRevision: 0.3.4 + targetRevision: 0.4.2 cilium: cluster: {} cert-manager: enabled: false namespace: cert-manager - targetRevision: 0.9.2 + targetRevision: 0.9.3 storage: enabled: false - targetRevision: 0.7.2 + targetRevision: 0.7.4 aws-ebs-csi-driver: enabled: false aws-efs-csi-driver: enabled: false + velero: + enabled: false + gemini: + enabled: false + snapshotController: + enabled: false istio: enabled: false namespace: istio-system - targetRevision: 0.8.3 + targetRevision: 0.9.0 istio-ingress: enabled: false chart: kubezero-istio-gateway namespace: istio-ingress - targetRevision: 0.8.2 + targetRevision: 0.9.0 gateway: service: {} @@ -59,14 +69,14 @@ istio-private-ingress: enabled: false chart: kubezero-istio-gateway namespace: istio-ingress - targetRevision: 0.8.2 + targetRevision: 0.9.0 gateway: service: {} metrics: enabled: false namespace: monitoring - targetRevision: 0.8.5 + targetRevision: 0.8.9 istio: grafana: {} prometheus: {} @@ -74,11 +84,13 @@ metrics: logging: enabled: false namespace: logging - targetRevision: 0.8.3 + targetRevision: 0.8.4 argocd: enabled: false namespace: argocd - targetRevision: 0.10.2 + targetRevision: 0.11.2 + argocd-image-updater: + enabled: false istio: enabled: false diff --git a/charts/manticore/Chart.yaml b/charts/manticore/Chart.yaml index 7335630..f8c61cb 100644 --- a/charts/manticore/Chart.yaml +++ b/charts/manticore/Chart.yaml 
@@ -2,8 +2,8 @@ apiVersion: v2 name: manticore description: Chart for Manticore type: application -version: 5.0.02 -appVersion: 5.0.02 +version: 5.0.25 +appVersion: 5.0.25 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -17,5 +17,6 @@ dependencies: version: ">= 0.1.4" repository: https://cdn.zero-downtime.net/charts - name: manticoresearch - version: "=5.0.02" + version: "5.0.25" + repository: https://helm.manticoresearch.com kubeVersion: ">= 1.20.0" diff --git a/charts/manticore/README.md b/charts/manticore/README.md index aa20dec..52f4fb5 100644 --- a/charts/manticore/README.md +++ b/charts/manticore/README.md @@ -1,6 +1,6 @@ # manticore -![Version: 5.0.02](https://img.shields.io/badge/Version-5.0.02-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.02](https://img.shields.io/badge/AppVersion-5.0.02-informational?style=flat-square) +![Version: 5.0.25](https://img.shields.io/badge/Version-5.0.25-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.25](https://img.shields.io/badge/AppVersion-5.0.25-informational?style=flat-square) Chart for Manticore @@ -18,8 +18,8 @@ Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| | manticoresearch | =5.0.02 | | https://cdn.zero-downtime.net/charts | kubezero-lib | >= 0.1.4 | +| https://helm.manticoresearch.com | manticoresearch | 5.0.25 | ## Values diff --git a/charts/uptime-kuma/Chart.yaml b/charts/uptime-kuma/Chart.yaml index 4883d74..e1000a3 100644 --- a/charts/uptime-kuma/Chart.yaml +++ b/charts/uptime-kuma/Chart.yaml 
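Review bot: The manticoresearch dependency now resolves from the external repository `https://helm.manticoresearch.com` instead of the local charts/ directory (no `repository` before), so the chart archive is fetched from a third party at build time; make sure a Chart.lock with the digest is committed (it is not part of this diff) and that CI uses `helm dependency build` rather than `update`, otherwise a re-published `5.0.25` would be picked up silently. The bare constraint `"5.0.25"` is exact in Helm's semver handling, so the drop of the `=` is fine.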
@@ -1,18 +1,19 @@ apiVersion: v2 name: uptime-kuma -description: Chart for deploying uptime-kuma +description: Chart for deploying uptime-kuma on KubeZero type: application -version: 0.1.10 -appVersion: 1.9.1 +version: 0.2.0 +appVersion: 1.18.5 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: - kubezero - uptime-kuma maintainers: - - name: Quarky9 + - name: Stefan Reimer + email: stefan@zero-downtime.net dependencies: - name: kubezero-lib - version: ">= 0.1.4" + version: ">= 0.1.5" repository: https://cdn.zero-downtime.net/charts/ -kubeVersion: ">= 1.18.0" +kubeVersion: ">= 1.20.0" diff --git a/charts/uptime-kuma/README.md b/charts/uptime-kuma/README.md index 5b9f050..67f3ff0 100644 --- a/charts/uptime-kuma/README.md +++ b/charts/uptime-kuma/README.md @@ -1,8 +1,8 @@ # uptime-kuma -![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.1](https://img.shields.io/badge/AppVersion-1.9.1-informational?style=flat-square) +![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.18.5](https://img.shields.io/badge/AppVersion-1.18.5-informational?style=flat-square) -Chart for deploying uptime-kuma +Chart for deploying uptime-kuma on KubeZero **Homepage:** @@ -10,15 +10,15 @@ Chart for deploying uptime-kuma | Name | Email | Url | | ---- | ------ | --- | -| Quarky9 | | | +| Stefan Reimer | | | ## Requirements -Kubernetes: `>= 1.18.0` +Kubernetes: `>= 1.20.0` | Repository | Name | Version | |------------|------|---------| -| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.4 | +| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.5 | ## Values 
diff --git a/charts/uptime-kuma/templates/service.yml b/charts/uptime-kuma/templates/service.yaml similarity index 100% rename from charts/uptime-kuma/templates/service.yml rename to charts/uptime-kuma/templates/service.yaml diff --git a/charts/uptime-kuma/templates/statefulset.yaml b/charts/uptime-kuma/templates/statefulset.yaml index 67a4265..97e99b9 100644 --- a/charts/uptime-kuma/templates/statefulset.yaml +++ b/charts/uptime-kuma/templates/statefulset.yaml @@ -21,7 +21,7 @@ spec: {{- if .Values.version }} image: "{{ .Values.image }}:{{ .Values.version }}" {{- else }} - image: "{{ .Values.image }}:{{ .Chart.AppVersion }}-alpine" + image: "{{ .Values.image }}:{{ .Chart.AppVersion }}" {{- end }} env: - name: UPTIME_KUMA_PORT diff --git a/docs/inf1-test.yaml b/docs/inf1-test.yaml deleted file mode 100644 index f125ced..0000000 --- a/docs/inf1-test.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - labels: - app: neuron-top - name: neuron-top - namespace: default -spec: - containers: - - image: public.ecr.aws/zero-downtime/dumpster:latest - command: - - "bash" - - "-c" - - "sleep 3600" - imagePullPolicy: IfNotPresent - name: neuron-top - resources: - limits: - #hugepages-2Mi: 256Mi - aws.amazon.com/neuron: 1 - requests: - memory: 1024Mi - tolerations: - - effect: NoSchedule - key: kubezero-workergroup - operator: Equal - value: public diff --git a/docs/nvidia-test.yaml b/docs/nvidia-test.yaml new file mode 100644 index 0000000..ac8f8e7 --- /dev/null +++ b/docs/nvidia-test.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nvidia-test + namespace: default +spec: + containers: + - image: nvidia/cuda:10.1-runtime-ubuntu16.04 + command: + - "bash" + - "-c" + - "sleep 3600" + imagePullPolicy: IfNotPresent + name: nvidia-test + resources: + limits: + nvidia.com/gpu: 1 + requests: + memory: 1024Mi diff --git a/docs/v1.24.md b/docs/v1.24.md new file mode 100644 index 0000000..cd7be4f --- /dev/null +++ b/docs/v1.24.md 
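Review bot: `nvidia/cuda:10.1-runtime-ubuntu16.04` is an end-of-life base (Ubuntu 16.04 left standard support in 2021 and NVIDIA no longer maintains that tag), so a doc example that people copy onto GPU nodes ships known-vulnerable packages and may stop pulling; prefer a currently supported tag and, since the pod only runs `sleep 3600`, add a `securityContext` with `runAsNonRoot: true`, a `runAsUser`, and `allowPrivilegeEscalation: false` so the example demonstrates the hardened shape. The deleted inf1-test.yaml carried a `tolerations` entry that this replacement lacks; if GPU nodes are tainted the same way, the pod will not schedule.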
@@ -0,0 +1,65 @@ +# KubeZero 1.24 + +## TODO + +## What's new - Major themes +- Cilium is now the default CNI, calico gets removed +- cluster-autoscaler is enabled by default on AWS +- worker nodes are now fully automatically updated to latest AMI and config in a rolling fashion +- integrated Bitnami Sealed Secrets controller +- reduced avg. CPU load on controller nodes, well below the 20% threshold to prevent extra costs from CPU credits in most cases + +## Version upgrades +- cilium +- metallb +- nvidia-device-plugin +- aws-node-termination-handler +- aws-ebs-csi-driver +- aws-efs-csi-driver +- istio 1.16 +- argocd 2.5.5 + tweaks +- all things prometheus incl. automated muting of certain alarms, eg. CPUOverCommit when cluster-autoscaler is available + +### FeatureGates +- PodAndContainerStatsFromCRI +- DelegateFSGroupToCSIDriver + +# Upgrade +`(No, really, you MUST read this before you upgrade)` + +Ensure your Kube context points to the correct cluster ! + +1. Review CFN config for controller and workers, no mandatory changes during this release though + +2. Upgrade CFN stacks for the control plane *ONLY* ! + Updating the workers CFN stacks would trigger rolling updates right away ! + +3. Trigger cluster upgrade: + `./admin/upgrade_cluster.sh ` + +4. Review the kubezero-config and if all looks good commit the ArgoApp resouce for Kubezero via regular git + git add / commit / push `` + *DO NOT yet re-enable ArgoCD before all pre v1.24 workers have been replaced !!!* + +5. Reboot controller(s) one by one +Wait each time for controller to join and all pods running. +Might take a while ... + +6. Upgrade CFN stacks for the workers. + This in turn will trigger automated worker updates by evicting pods and launching new workers in a rolling fashion. + Grab a coffee and keep an eye on the cluster to be safe ... + Depending on your cluster size it might take a while to roll over all workers! + +7. Re-enable ArgoCD by hitting on the still waiting upgrade script + +8. 
Quickly head over to ArgoCD and sync the KubeZero main module as soon as possible to reduce potential back and forth in case ArgoCD has legacy state + + +## Known issues + +### existing EFS volumes +If pods are getting stuck in `Pending` during the worker upgrade, check the status of any EFS PVC. +In case any PVC is in status `Lost`, edit the PVC and remove the following annotation: +``` pv.kubernetes.io/bind-completed: "yes" ``` +This will instantly rebind the PVC to its PV and allow the pods to migrate. +Going to be fixed during the v1.25 cycle by a planned rework of the EFS storage module. diff --git a/scripts/publish.sh b/scripts/publish.sh index f49c660..8989d45 100755 --- a/scripts/publish.sh +++ b/scripts/publish.sh @@ -18,6 +18,8 @@ function reset_index() { aws s3 sync $REPO_URL_S3/ $TMPDIR/ helm repo index $TMPDIR --url $REPO_URL aws s3 cp $TMPDIR/index.yaml $REPO_URL_S3/ --cache-control max-age=1 + + exit 0 } @@ -49,9 +51,10 @@ function publish_chart() { } +#reset_index + publish_chart CF_DIST=E1YFUJXMCXT2RN aws cloudfront create-invalidation --distribution $CF_DIST --paths "/charts/*" -#reset_index diff --git a/scripts/run_cluster_gc_cgroups.sh b/scripts/run_cluster_gc_cgroups.sh new file mode 100755 index 0000000..7b560e6 --- /dev/null +++ b/scripts/run_cluster_gc_cgroups.sh 
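Review bot: `exit 0` at the end of `reset_index` turns a function into a script terminator: the body of `reset_index` starts outside this hunk, and its only call site is the commented-out `#reset_index` that the second hunk moves above `publish_chart`, so if someone uncomments it to rebuild the index, `publish_chart` and the CloudFront invalidation are silently skipped. If the intent is "reset only, do nothing else", say so with a comment, e.g. `# reset_index re-publishes the whole index and exits; do not run it together with publish_chart`, or `return` from the function and let the caller decide.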
@@ -0,0 +1,106 @@ +#!/bin/bash -e + +echo "Deploy all node upgrade daemonSet(busybox)" +cat <<'EOF' | kubectl apply -f - +apiVersion: v1 +metadata: + name: kubezero-admin-script + namespace: kube-system +kind: ConfigMap +data: + script: |- + #!/bin/bash + #set -x + + POD_IDS=($(crictl pods -q)) + POD_UIDS=() + + for POD_ID in ${POD_IDS[@]}; do + JSONDUMP="`crictl inspectp ${POD_ID}`" + POD_NAME="`echo ${JSONDUMP} | jq -r '.status.metadata.name'`" + POD_UID="`echo ${JSONDUMP} | jq -r '.info.runtimeSpec.annotations."io.kubernetes.pod.uid"'`" + POD_UIDS+=($POD_UID) + done + + # echo ${POD_UIDS[*]} + + CGROUPS=($(find /sys/fs/cgroup/pids/kubepods/*/pod* -type d -depth || true)) + CGROUPS+=($(find /sys/fs/cgroup/kubepods/*/pod* -type d -depth || true)) + + DELETED=0 + for cg in ${CGROUPS[*]}; do + valid=0 + for uid in ${POD_UIDS[*]}; do + echo $cg | grep -q $uid && { valid=1; break; } + done + + if [ $valid -eq 0 ]; then + rmdir $cg + ((DELETED=DELETED+1)) + fi + done + + echo "Removed $DELETED left over cgroup folders." 
+--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kubezero-run-all-nodes + namespace: kube-system + labels: + app: kubezero-admin-all-nodes +spec: + selector: + matchLabels: + name: kubezero-admin-all-nodes + template: + metadata: + labels: + name: kubezero-admin-all-nodes + spec: + hostNetwork: true + hostIPC: true + hostPID: true + tolerations: + - operator: Exists + initContainers: + - name: kubezero-run-all-nodes + image: busybox + command: ["/bin/sh"] + args: ["-c", "cp /tmp/admin-script.sh /host/tmp/admin-script.sh && chmod +x /host/tmp/admin-script.sh && chroot /host /tmp/admin-script.sh"] + volumeMounts: + - name: host + mountPath: /host + - name: hostproc + mountPath: /hostproc + - name: admin-script + mountPath: "/tmp/admin-script.sh" + subPath: script + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + containers: + - name: node-upgrade-wait + image: busybox + command: ["sleep", "3600"] + volumes: + - name: host + hostPath: + path: / + type: Directory + - name: hostproc + hostPath: + path: /proc + type: Directory + - name: admin-script + configMap: + name: kubezero-admin-script +EOF + +kubectl rollout status daemonset -n kube-system kubezero-run-all-nodes --timeout 300s + +kubectl logs --selector name=kubezero-admin-all-nodes -c kubezero-run-all-nodes -n kube-system + +kubectl delete ds kubezero-run-all-nodes -n kube-system +kubectl delete cm kubezero-admin-script -n kube-system diff --git a/scripts/update_helm.sh b/scripts/update_helm.sh index 3054f6d..38dd53b 100755 --- a/scripts/update_helm.sh +++ b/scripts/update_helm.sh 
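Review bot: The embedded script removes every cgroup directory that matches no running pod UID, but it never checks that `crictl pods -q` succeeded or returned anything, so on a node where crictl is missing or its socket is misconfigured POD_UIDS is empty and every kubepods cgroup that happens to be empty at that instant is removed; guard with `[ ${#POD_UIDS[@]} -gt 0 ] || { echo "no pods found, refusing to gc"; exit 1; }` after the collection loop. Because the outer script runs under `bash -e`, a `kubectl rollout status` timeout aborts it before the two delete lines, leaving a privileged hostPID DaemonSet with the host root mounted on every node; register the cleanup with `trap 'kubectl delete ds kubezero-run-all-nodes -n kube-system; kubectl delete cm kubezero-admin-script -n kube-system' EXIT` right after the apply. The pod spec also requests more than the script uses: `hostNetwork` and `hostIPC` play no part in a chroot into `/host`, and `capabilities: add: ["SYS_ADMIN"]` is subsumed by `privileged: true`, so both could be dropped. Finally, `image: busybox` without a tag pulls a mutable `latest` on every node; pin a tag or digest.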
@@ -5,16 +5,23 @@ CHARTS=${1:-'.*'} SRCROOT="$(cd "$(dirname "$0")/.." && pwd)" +helm repo update + for dir in $(find -L $SRCROOT/charts -mindepth 1 -maxdepth 1 -type d); do name=$(basename $dir) [[ $name =~ $CHARTS ]] || continue - if [ $(helm dep list $dir 2>/dev/null| wc -l) -gt 1 ] - then - echo "Processing chart dependencies" - rm -rf $dir/tmpcharts - rm -rf $dir/charts/*.tgz - helm dependency update --skip-refresh $dir + + if [ -x $dir/update.sh ]; then + { cd $dir && ./update.sh; } + else + if [ $(helm dep list $dir 2>/dev/null| wc -l) -gt 1 ] + then + echo "Processing chart dependencies" + rm -rf $dir/tmpcharts + rm -rf $dir/charts/*.tgz + helm dependency update --skip-refresh $dir + fi fi echo "Processing $dir"