master #9
|
@ -0,0 +1,15 @@
|
||||||
|
# CFN / Platform
|
||||||
|
- Kube to 1.17
|
||||||
|
- Kube-proxy uses ipvs
|
||||||
|
- metrics support for kube-proxy
|
||||||
|
- no reliance on custom resource for S3 buckets anymore
|
||||||
|
|
||||||
|
|
||||||
|
# Kubezero
|
||||||
|
- fully automated one command bootstrap incl. all kubezero components
|
||||||
|
- migrated from kube-prometheuss to prometheus-operator helm charts for metrics
|
||||||
|
- latest Grafana incl. peristence
|
||||||
|
- kube-prometheus adapter improvements / customizations
|
||||||
|
- integrated EFS CSI driver into Kubezero
|
||||||
|
- prometheus itself can be exposed via istio ingress on demand to ease development of custom metrics
|
||||||
|
- backup script to export all cert-manager items between clusters
|
|
@ -1,31 +0,0 @@
|
||||||
# Calico CNI
|
|
||||||
|
|
||||||
Current top-level still contains the deprecated Canal implementation.
|
|
||||||
Removed once new AWS config is tested and rolled out to all existing clusters.
|
|
||||||
|
|
||||||
## AWS
|
|
||||||
Calico is setup based on the upstream calico-vxlan config from
|
|
||||||
`https://docs.projectcalico.org/v3.15/manifests/calico-vxlan.yaml`
|
|
||||||
|
|
||||||
Changes:
|
|
||||||
|
|
||||||
- VxLAN set to Always to not expose cluster communication to VPC
|
|
||||||
|
|
||||||
-> EC2 SecurityGroups still apply and only need to allow UDP 4789 for VxLAN traffic
|
|
||||||
-> No need to disable source/destination check on EC2 instances
|
|
||||||
-> Prepared for optional WireGuard encryption for all inter node traffic
|
|
||||||
|
|
||||||
- MTU set to 8941
|
|
||||||
|
|
||||||
- Removed migration init-container
|
|
||||||
|
|
||||||
- Disable BGB and BIRD health checks
|
|
||||||
|
|
||||||
- Set FELIX log level to warning
|
|
||||||
|
|
||||||
- Enable Prometheus metrics
|
|
||||||
|
|
||||||
|
|
||||||
## Prometheus
|
|
||||||
|
|
||||||
See: https://grafana.com/grafana/dashboards/12175
|
|
|
@ -1,101 +0,0 @@
|
||||||
--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100
|
|
||||||
+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100
|
|
||||||
@@ -10,13 +10,13 @@
|
|
||||||
# Typha is disabled.
|
|
||||||
typha_service_name: "none"
|
|
||||||
# Configure the backend to use.
|
|
||||||
- calico_backend: "bird"
|
|
||||||
+ calico_backend: "vxlan"
|
|
||||||
# Configure the MTU to use for workload interfaces and tunnels.
|
|
||||||
# - If Wireguard is enabled, set to your network MTU - 60
|
|
||||||
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
|
|
||||||
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
|
|
||||||
# - Otherwise, if not using any encapsulation, set to your network MTU.
|
|
||||||
- veth_mtu: "1410"
|
|
||||||
+ veth_mtu: "8941"
|
|
||||||
|
|
||||||
# The CNI network configuration to install on each node. The special
|
|
||||||
# values in this config will be automatically populated.
|
|
||||||
@@ -3451,29 +3451,6 @@
|
|
||||||
terminationGracePeriodSeconds: 0
|
|
||||||
priorityClassName: system-node-critical
|
|
||||||
initContainers:
|
|
||||||
- # This container performs upgrade from host-local IPAM to calico-ipam.
|
|
||||||
- # It can be deleted if this is a fresh installation, or if you have already
|
|
||||||
- # upgraded to use calico-ipam.
|
|
||||||
- - name: upgrade-ipam
|
|
||||||
- image: calico/cni:v3.15.0
|
|
||||||
- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
|
|
||||||
- env:
|
|
||||||
- - name: KUBERNETES_NODE_NAME
|
|
||||||
- valueFrom:
|
|
||||||
- fieldRef:
|
|
||||||
- fieldPath: spec.nodeName
|
|
||||||
- - name: CALICO_NETWORKING_BACKEND
|
|
||||||
- valueFrom:
|
|
||||||
- configMapKeyRef:
|
|
||||||
- name: calico-config
|
|
||||||
- key: calico_backend
|
|
||||||
- volumeMounts:
|
|
||||||
- - mountPath: /var/lib/cni/networks
|
|
||||||
- name: host-local-net-dir
|
|
||||||
- - mountPath: /host/opt/cni/bin
|
|
||||||
- name: cni-bin-dir
|
|
||||||
- securityContext:
|
|
||||||
- privileged: true
|
|
||||||
# This container installs the CNI binaries
|
|
||||||
# and CNI network config file on each node.
|
|
||||||
- name: install-cni
|
|
||||||
@@ -3545,7 +3522,7 @@
|
|
||||||
key: calico_backend
|
|
||||||
# Cluster type to identify the deployment type
|
|
||||||
- name: CLUSTER_TYPE
|
|
||||||
- value: "k8s,bgp"
|
|
||||||
+ value: "k8s,kubeadm"
|
|
||||||
# Auto-detect the BGP IP address.
|
|
||||||
- name: IP
|
|
||||||
value: "autodetect"
|
|
||||||
@@ -3554,7 +3531,7 @@
|
|
||||||
value: "Never"
|
|
||||||
# Enable or Disable VXLAN on the default IP pool.
|
|
||||||
- name: CALICO_IPV4POOL_VXLAN
|
|
||||||
- value: "CrossSubnet"
|
|
||||||
+ value: "Always"
|
|
||||||
# Set MTU for tunnel device used if ipip is enabled
|
|
||||||
- name: FELIX_IPINIPMTU
|
|
||||||
valueFrom:
|
|
||||||
@@ -3595,9 +3572,17 @@
|
|
||||||
value: "false"
|
|
||||||
# Set Felix logging to "info"
|
|
||||||
- name: FELIX_LOGSEVERITYSCREEN
|
|
||||||
- value: "info"
|
|
||||||
+ value: "Warning"
|
|
||||||
+ - name: FELIX_LOGSEVERITYFILE
|
|
||||||
+ value: "Warning"
|
|
||||||
+ - name: FELIX_LOGSEVERITYSYS
|
|
||||||
+ value: ""
|
|
||||||
- name: FELIX_HEALTHENABLED
|
|
||||||
value: "true"
|
|
||||||
+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
|
|
||||||
+ value: "false"
|
|
||||||
+ - name: FELIX_PROMETHEUSMETRICSENABLED
|
|
||||||
+ value: "true"
|
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
resources:
|
|
||||||
@@ -3608,7 +3593,6 @@
|
|
||||||
command:
|
|
||||||
- /bin/calico-node
|
|
||||||
- -felix-live
|
|
||||||
- - -bird-live
|
|
||||||
periodSeconds: 10
|
|
||||||
initialDelaySeconds: 10
|
|
||||||
failureThreshold: 6
|
|
||||||
@@ -3617,7 +3601,6 @@
|
|
||||||
command:
|
|
||||||
- /bin/calico-node
|
|
||||||
- -felix-ready
|
|
||||||
- - -bird-ready
|
|
||||||
periodSeconds: 10
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /lib/modules
|
|
|
@ -1,8 +0,0 @@
|
||||||
namespace: kube-system
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- canal.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- logging.yaml
|
|
||||||
- prometheus.yaml
|
|
|
@ -1,16 +0,0 @@
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: DaemonSet
|
|
||||||
metadata:
|
|
||||||
name: canal
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: calico-node
|
|
||||||
env:
|
|
||||||
- name: FELIX_LOGSEVERITYSCREEN
|
|
||||||
value: "Warning"
|
|
||||||
- name: FELIX_LOGSEVERITYFILE
|
|
||||||
value: "Warning"
|
|
||||||
- name: FELIX_LOGSEVERITYSYS
|
|
||||||
value: ""
|
|
|
@ -1,14 +0,0 @@
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: DaemonSet
|
|
||||||
metadata:
|
|
||||||
name: canal
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: calico-node
|
|
||||||
env:
|
|
||||||
- name: FELIX_PROMETHEUSGOMETRICSENABLED
|
|
||||||
value: "false"
|
|
||||||
- name: FELIX_PROMETHEUSMETRICSENABLED
|
|
||||||
value: "true"
|
|
|
@ -1,50 +0,0 @@
|
||||||
--- canal.yaml.orig 2020-07-02 16:56:37.279169481 +0100
|
|
||||||
+++ canal.yaml 2020-07-02 16:56:37.285169542 +0100
|
|
||||||
@@ -5,7 +5,6 @@
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: canal-config
|
|
||||||
- namespace: kube-system
|
|
||||||
data:
|
|
||||||
# Typha is disabled.
|
|
||||||
typha_service_name: "none"
|
|
||||||
@@ -3438,7 +3437,6 @@
|
|
||||||
apiVersion: apps/v1
|
|
||||||
metadata:
|
|
||||||
name: canal
|
|
||||||
- namespace: kube-system
|
|
||||||
labels:
|
|
||||||
k8s-app: canal
|
|
||||||
spec:
|
|
||||||
@@ -3683,7 +3681,6 @@
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: canal
|
|
||||||
- namespace: kube-system
|
|
||||||
|
|
||||||
---
|
|
||||||
# Source: calico/templates/calico-kube-controllers.yaml
|
|
||||||
@@ -3692,7 +3689,6 @@
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: calico-kube-controllers
|
|
||||||
- namespace: kube-system
|
|
||||||
labels:
|
|
||||||
k8s-app: calico-kube-controllers
|
|
||||||
spec:
|
|
||||||
@@ -3706,7 +3702,6 @@
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
name: calico-kube-controllers
|
|
||||||
- namespace: kube-system
|
|
||||||
labels:
|
|
||||||
k8s-app: calico-kube-controllers
|
|
||||||
spec:
|
|
||||||
@@ -3741,7 +3736,6 @@
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: calico-kube-controllers
|
|
||||||
- namespace: kube-system
|
|
||||||
|
|
||||||
---
|
|
||||||
# Source: calico/templates/calico-etcd-secrets.yaml
|
|
|
@ -0,0 +1 @@
|
||||||
|
../../helm-charts/charts/fluent-bit
|
|
@ -1,7 +1,7 @@
|
||||||
apiVersion: v2
|
apiVersion: v2
|
||||||
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
description: KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||||
name: kubezero-argo-cd
|
name: kubezero-argo-cd
|
||||||
version: 0.3.5
|
version: 0.4.1
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -13,9 +13,9 @@ maintainers:
|
||||||
dependencies:
|
dependencies:
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.1"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: argo-cd
|
- name: argo-cd
|
||||||
version: 2.5.0
|
version: 2.6.0
|
||||||
repository: https://argoproj.github.io/argo-helm
|
repository: https://argoproj.github.io/argo-helm
|
||||||
kubeVersion: ">= 1.16.0"
|
kubeVersion: ">= 1.16.0"
|
||||||
|
|
|
@ -2,7 +2,7 @@ kubezero-argo-cd
|
||||||
================
|
================
|
||||||
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
KubeZero ArgoCD Helm chart to install ArgoCD itself and the KubeZero ArgoCD Application
|
||||||
|
|
||||||
Current chart version is `0.3.5`
|
Current chart version is `0.4.1`
|
||||||
|
|
||||||
Source code can be found [here](https://kubezero.com)
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
@ -10,29 +10,45 @@ Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://argoproj.github.io/argo-helm | argo-cd | 2.5.0 |
|
| https://argoproj.github.io/argo-helm | argo-cd | 2.6.0 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## Chart Values
|
## Chart Values
|
||||||
|
|
||||||
| Key | Type | Default | Description |
|
| Key | Type | Default | Description |
|
||||||
|-----|------|---------|-------------|
|
|-----|------|---------|-------------|
|
||||||
|
| argo-cd.controller.args.appResyncPeriod | string | `"300"` | |
|
||||||
|
| argo-cd.controller.args.operationProcessors | string | `"1"` | |
|
||||||
|
| argo-cd.controller.args.statusProcessors | string | `"2"` | |
|
||||||
|
| argo-cd.controller.metrics.enabled | bool | `false` | |
|
||||||
|
| argo-cd.controller.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
|
| argo-cd.controller.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
|
| argo-cd.controller.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||||
| argo-cd.controller.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
| argo-cd.controller.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
| argo-cd.controller.tolerations[0].effect | string | `"NoSchedule"` | |
|
| argo-cd.controller.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| argo-cd.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| argo-cd.controller.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
| argo-cd.dex.enabled | bool | `false` | |
|
| argo-cd.dex.enabled | bool | `false` | |
|
||||||
| argo-cd.installCRDs | bool | `false` | |
|
| argo-cd.installCRDs | bool | `false` | |
|
||||||
| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
| argo-cd.istio.enabled | bool | `false` | Deploy Istio VirtualService to expose ArgoCD |
|
||||||
| argo-cd.istio.gateway | string | `"ingressgateway.istio-system.svc.cluster.local"` | Name of the Istio gateway to add the VirtualService to |
|
| argo-cd.istio.gateway | string | `"istio-system/ingressgateway"` | Name of the Istio gateway to add the VirtualService to |
|
||||||
| argo-cd.istio.ipBlocks | list | `[]` | |
|
| argo-cd.istio.ipBlocks | list | `[]` | |
|
||||||
| argo-cd.redis.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
| argo-cd.redis.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
| argo-cd.redis.tolerations[0].effect | string | `"NoSchedule"` | |
|
| argo-cd.redis.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| argo-cd.redis.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| argo-cd.redis.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
|
| argo-cd.repoServer.metrics.enabled | bool | `false` | |
|
||||||
|
| argo-cd.repoServer.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
|
| argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
|
| argo-cd.repoServer.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||||
| argo-cd.repoServer.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
| argo-cd.repoServer.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
| argo-cd.repoServer.tolerations[0].effect | string | `"NoSchedule"` | |
|
| argo-cd.repoServer.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
| argo-cd.repoServer.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
| argo-cd.repoServer.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
|
| argo-cd.server.config."resource.customizations" | string | `"cert-manager.io/Certificate:\n # Lua script for customizing the health status assessment\n health.lua: |\n hs = {}\n if obj.status ~= nil then\n if obj.status.conditions ~= nil then\n for i, condition in ipairs(obj.status.conditions) do\n if condition.type == \"Ready\" and condition.status == \"False\" then\n hs.status = \"Degraded\"\n hs.message = condition.message\n return hs\n end\n if condition.type == \"Ready\" and condition.status == \"True\" then\n hs.status = \"Healthy\"\n hs.message = condition.message\n return hs\n end\n end\n end\n end\n hs.status = \"Progressing\"\n hs.message = \"Waiting for certificate\"\n return hs\n"` | |
|
||||||
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
|
| argo-cd.server.config.url | string | `"argocd.example.com"` | ArgoCD hostname to be exposed via Istio |
|
||||||
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
|
| argo-cd.server.extraArgs[0] | string | `"--insecure"` | |
|
||||||
|
| argo-cd.server.metrics.enabled | bool | `false` | |
|
||||||
|
| argo-cd.server.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
|
| argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
|
| argo-cd.server.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||||
| argo-cd.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
| argo-cd.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
|
| argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | |
|
||||||
| argo-cd.server.tolerations[0].effect | string | `"NoSchedule"` | |
|
| argo-cd.server.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
|
@ -41,3 +57,7 @@ Source code can be found [here](https://kubezero.com)
|
||||||
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees |
|
| kubezero.global.defaultSource.pathPrefix | string | `""` | optional path prefix within repoURL to support eg. remote subtrees |
|
||||||
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications |
|
| kubezero.global.defaultSource.repoURL | string | `"https://github.com/zero-down-time/kubezero"` | default repository for argocd applications |
|
||||||
| kubezero.global.defaultSource.targetRevision | string | `"HEAD"` | default tracking of repoURL |
|
| kubezero.global.defaultSource.targetRevision | string | `"HEAD"` | default tracking of repoURL |
|
||||||
|
|
||||||
|
## Resources
|
||||||
|
- https://argoproj.github.io/argo-cd/operator-manual/metrics/
|
||||||
|
- https://raw.githubusercontent.com/argoproj/argo-cd/master/examples/dashboard.json
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
{{ template "chart.header" . }}
|
||||||
|
{{ template "chart.description" . }}
|
||||||
|
|
||||||
|
{{ template "chart.versionLine" . }}
|
||||||
|
|
||||||
|
{{ template "chart.sourceLinkLine" . }}
|
||||||
|
|
||||||
|
{{ template "chart.requirementsSection" . }}
|
||||||
|
|
||||||
|
{{ template "chart.valuesSection" . }}
|
||||||
|
|
||||||
|
## Resources
|
||||||
|
- https://argoproj.github.io/argo-cd/operator-manual/metrics/
|
||||||
|
- https://raw.githubusercontent.com/argoproj/argo-cd/master/examples/dashboard.json
|
|
@ -14,12 +14,13 @@ spec:
|
||||||
|
|
||||||
helm:
|
helm:
|
||||||
values: |
|
values: |
|
||||||
{{- toYaml .Values.kubezero | nindent 8 }}
|
{{- toYaml .Values.kubezero | nindent 8 }}
|
||||||
|
|
||||||
destination:
|
destination:
|
||||||
server: {{ .Values.kubezero.global.defaultDestination.server }}
|
server: {{ .Values.kubezero.global.defaultDestination.server }}
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
|
|
||||||
|
{{- if .Values.kubezero.global.syncPolicy }}
|
||||||
syncPolicy:
|
syncPolicy:
|
||||||
automated:
|
{{- toYaml .Values.kubezero.global.syncPolicy | nindent 4 }}
|
||||||
prune: true
|
{{- end }}
|
||||||
selfHeal: false
|
|
||||||
|
|
|
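Review bot: Replacing the hard-coded `automated:` / `prune: true` / `selfHeal: false` block with `{{- if .Values.kubezero.global.syncPolicy }}` changes the default for existing installs: when the value is unset, no `syncPolicy` is rendered at all, so the KubeZero Application falls back to ArgoCD's manual sync and stops pruning. The values.yaml change later in this commit ships `syncPolicy` only as a commented-out example, so that is the shipped default, and nothing in the README or version-bump notes says so. I'd add a comment above the `{{- if` line, e.g. `# no syncPolicy is rendered when unset -> manual sync; chart versions before 0.4 defaulted to automated + prune`, and repeat that in the `# syncPolicy` comment in values.yaml. The enclosing Application spec starts outside this hunk.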
@ -1,25 +1,26 @@
|
||||||
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
{{- if index .Values "argo-cd" "istio" "enabled" }}
|
||||||
|
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
|
||||||
apiVersion: security.istio.io/v1beta1
|
apiVersion: security.istio.io/v1beta1
|
||||||
kind: AuthorizationPolicy
|
kind: AuthorizationPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: argocd-allow-only
|
name: argocd-deny-not-in-ipblocks
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: istio-ingressgateway
|
app: istio-ingressgateway
|
||||||
|
action: DENY
|
||||||
rules:
|
rules:
|
||||||
{{- if index .Values "argo-cd" "istio" "ipBlocks" }}
|
|
||||||
- from:
|
- from:
|
||||||
- source:
|
- source:
|
||||||
ipBlocks:
|
notIpBlocks:
|
||||||
{{- with index .Values "argo-cd" "istio" "ipBlocks" }}
|
{{- with index .Values "argo-cd" "istio" "ipBlocks" }}
|
||||||
{{- . | toYaml | nindent 8 }}
|
{{- . | toYaml | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
to:
|
to:
|
||||||
- operation:
|
- operation:
|
||||||
hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
|
hosts: ["{{ index .Values "argo-cd" "server" "config" "url" }}"]
|
||||||
{{- else }}
|
{{- end }}
|
||||||
- {}
|
|
||||||
{{- end }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
|
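Review bot: The new DENY rule keys on `notIpBlocks`, which Istio compares against the peer address of the connection reaching the ingress gateway rather than any forwarded client address; if the gateway sits behind a load balancer that does not preserve client IPs, the LB address is what gets checked, it is never in `ipBlocks`, and every request for the ArgoCD host is denied. Fail-closed is the safer outcome compared with the previous ALLOW-only policy, but operators will hit it without warning, so I'd add a comment above `notIpBlocks:` such as `# matches the connection source address seen by the gateway; the LB in front must preserve client IPs`. It is also worth stating next to `ipBlocks: []` in values.yaml that an empty list now renders no AuthorizationPolicy at all, leaving ArgoCD reachable from wherever the gateway accepts traffic.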
@ -24,6 +24,12 @@ spec:
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
- namespace: istio-system
|
- namespace: istio-system
|
||||||
server: https://kubernetes.default.svc
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: monitoring
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: elastic-system
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
- namespace: logging
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
|
||||||
clusterResourceWhitelist:
|
clusterResourceWhitelist:
|
||||||
- group: '*'
|
- group: '*'
|
||||||
|
|
|
@ -15,6 +15,11 @@ kubezero:
|
||||||
# kubezero.global.defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees
|
# kubezero.global.defaultSource.pathPrefix -- optional path prefix within repoURL to support eg. remote subtrees
|
||||||
pathPrefix: ''
|
pathPrefix: ''
|
||||||
|
|
||||||
|
# syncPolicy, details see: https://argoproj.github.io/argo-cd/user-guide/auto_sync
|
||||||
|
#syncPolicy:
|
||||||
|
# automated:
|
||||||
|
# prune: true
|
||||||
|
|
||||||
argo-cd:
|
argo-cd:
|
||||||
installCRDs: false
|
installCRDs: false
|
||||||
|
|
||||||
|
@ -24,8 +29,21 @@ argo-cd:
|
||||||
# argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG"
|
# argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG"
|
||||||
# argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST"
|
# argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST"
|
||||||
|
|
||||||
# Run Argo on the controllers
|
|
||||||
controller:
|
controller:
|
||||||
|
args:
|
||||||
|
statusProcessors: "2"
|
||||||
|
operationProcessors: "1"
|
||||||
|
appResyncPeriod: "300"
|
||||||
|
|
||||||
|
metrics:
|
||||||
|
enabled: false
|
||||||
|
serviceMonitor:
|
||||||
|
enabled: true
|
||||||
|
namespace: monitoring
|
||||||
|
additionalLabels:
|
||||||
|
release: metrics
|
||||||
|
|
||||||
|
# controller to masters
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/master: ""
|
node-role.kubernetes.io/master: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
|
@ -33,6 +51,14 @@ argo-cd:
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
|
|
||||||
repoServer:
|
repoServer:
|
||||||
|
metrics:
|
||||||
|
enabled: false
|
||||||
|
serviceMonitor:
|
||||||
|
enabled: true
|
||||||
|
namespace: monitoring
|
||||||
|
additionalLabels:
|
||||||
|
release: metrics
|
||||||
|
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node-role.kubernetes.io/master: ""
|
node-role.kubernetes.io/master: ""
|
||||||
tolerations:
|
tolerations:
|
||||||
|
@ -44,10 +70,43 @@ argo-cd:
|
||||||
# argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio
|
# argo-cd.server.config.url -- ArgoCD hostname to be exposed via Istio
|
||||||
url: argocd.example.com
|
url: argocd.example.com
|
||||||
|
|
||||||
|
resource.customizations: |
|
||||||
|
cert-manager.io/Certificate:
|
||||||
|
# Lua script for customizing the health status assessment
|
||||||
|
health.lua: |
|
||||||
|
hs = {}
|
||||||
|
if obj.status ~= nil then
|
||||||
|
if obj.status.conditions ~= nil then
|
||||||
|
for i, condition in ipairs(obj.status.conditions) do
|
||||||
|
if condition.type == "Ready" and condition.status == "False" then
|
||||||
|
hs.status = "Degraded"
|
||||||
|
hs.message = condition.message
|
||||||
|
return hs
|
||||||
|
end
|
||||||
|
if condition.type == "Ready" and condition.status == "True" then
|
||||||
|
hs.status = "Healthy"
|
||||||
|
hs.message = condition.message
|
||||||
|
return hs
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
hs.status = "Progressing"
|
||||||
|
hs.message = "Waiting for certificate"
|
||||||
|
return hs
|
||||||
|
|
||||||
# Rename former https port to grpc, works with istio + insecure
|
# Rename former https port to grpc, works with istio + insecure
|
||||||
service:
|
service:
|
||||||
servicePortHttpsName: grpc
|
servicePortHttpsName: grpc
|
||||||
|
|
||||||
|
metrics:
|
||||||
|
enabled: false
|
||||||
|
serviceMonitor:
|
||||||
|
enabled: true
|
||||||
|
namespace: monitoring
|
||||||
|
additionalLabels:
|
||||||
|
release: metrics
|
||||||
|
|
||||||
extraArgs:
|
extraArgs:
|
||||||
- --insecure
|
- --insecure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -70,5 +129,5 @@ argo-cd:
|
||||||
# argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
# argo-cd.istio.enabled -- Deploy Istio VirtualService to expose ArgoCD
|
||||||
enabled: false
|
enabled: false
|
||||||
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
# argo-cd.istio.gateway -- Name of the Istio gateway to add the VirtualService to
|
||||||
gateway: ingressgateway.istio-system.svc.cluster.local
|
gateway: istio-system/ingressgateway
|
||||||
ipBlocks: []
|
ipBlocks: []
|
||||||
|
|
|
@ -2,7 +2,8 @@ apiVersion: v2
|
||||||
name: kubezero-aws-ebs-csi-driver
|
name: kubezero-aws-ebs-csi-driver
|
||||||
description: KubeZero Umbrella Chart for aws-ebs-csi-driver
|
description: KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||||
type: application
|
type: application
|
||||||
version: 0.1.1
|
version: 0.3.1
|
||||||
|
appVersion: 0.6.0
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
sources:
|
sources:
|
||||||
|
@ -17,6 +18,6 @@ maintainers:
|
||||||
- name: Quarky9
|
- name: Quarky9
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.1"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
kubeVersion: ">= 1.16.0"
|
kubeVersion: ">= 1.16.0"
|
||||||
|
|
|
@ -2,7 +2,7 @@ kubezero-aws-ebs-csi-driver
|
||||||
===========================
|
===========================
|
||||||
KubeZero Umbrella Chart for aws-ebs-csi-driver
|
KubeZero Umbrella Chart for aws-ebs-csi-driver
|
||||||
|
|
||||||
Current chart version is `0.1.1`
|
Current chart version is `0.3.1`
|
||||||
|
|
||||||
Source code can be found [here](https://kubezero.com)
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
@ -10,7 +10,7 @@ Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## IAM Role
|
## IAM Role
|
||||||
If you use kiam or kube2iam and restrict access on nodes running this controller please adjust:
|
If you use kiam or kube2iam and restrict access on nodes running this controller please adjust:
|
||||||
|
|
|
@ -1,16 +1,16 @@
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
appVersion: "0.5.0"
|
appVersion: 0.6.0
|
||||||
name: aws-ebs-csi-driver
|
|
||||||
description: A Helm chart for AWS EBS CSI Driver
|
description: A Helm chart for AWS EBS CSI Driver
|
||||||
version: 0.3.0
|
|
||||||
kubeVersion: ">=1.13.0-0"
|
|
||||||
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
||||||
sources:
|
|
||||||
- https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
|
||||||
keywords:
|
keywords:
|
||||||
- aws
|
- aws
|
||||||
- ebs
|
- ebs
|
||||||
- csi
|
- csi
|
||||||
|
kubeVersion: '>=1.13.0-0'
|
||||||
maintainers:
|
maintainers:
|
||||||
- name: leakingtapan
|
- email: chengpan@amazon.com
|
||||||
email: chengpan@amazon.com
|
name: leakingtapan
|
||||||
|
name: aws-ebs-csi-driver
|
||||||
|
sources:
|
||||||
|
- https://github.com/kubernetes-sigs/aws-ebs-csi-driver
|
||||||
|
version: 0.5.0
|
||||||
|
|
|
@ -35,13 +35,24 @@ Create chart name and version as used by the chart label.
|
||||||
Common labels
|
Common labels
|
||||||
*/}}
|
*/}}
|
||||||
{{- define "aws-ebs-csi-driver.labels" -}}
|
{{- define "aws-ebs-csi-driver.labels" -}}
|
||||||
app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }}
|
{{ include "aws-ebs-csi-driver.selectorLabels" . }}
|
||||||
|
{{- if ne .Release.Name "kustomize" }}
|
||||||
helm.sh/chart: {{ include "aws-ebs-csi-driver.chart" . }}
|
helm.sh/chart: {{ include "aws-ebs-csi-driver.chart" . }}
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- if .Chart.AppVersion }}
|
{{- if .Chart.AppVersion }}
|
||||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Common selector labels
|
||||||
|
*/}}
|
||||||
|
{{- define "aws-ebs-csi-driver.selectorLabels" -}}
|
||||||
|
app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }}
|
||||||
|
{{- if ne .Release.Name "kustomize" }}
|
||||||
|
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||||
|
{{- end }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{/*
|
{{/*
|
||||||
|
@ -53,6 +64,6 @@ Convert the `--extra-volume-tags` command line arg from a map.
|
||||||
{{- $noop := printf "%s=%s" $key $value | append $result.pairs | set $result "pairs" -}}
|
{{- $noop := printf "%s=%s" $key $value | append $result.pairs | set $result "pairs" -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- if gt (len $result.pairs) 0 -}}
|
{{- if gt (len $result.pairs) 0 -}}
|
||||||
- --extra-volume-tags={{- join "," $result.pairs -}}
|
{{- printf "%s=%s" "- --extra-volume-tags" (join "," $result.pairs) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
|
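Review bot: `aws-ebs-csi-driver.selectorLabels` emits `app.kubernetes.io/instance` only when `.Release.Name` is not `kustomize`, so the same chart rendered through Helm and through kustomize produces different selector label sets. If this helper feeds a Deployment or DaemonSet `spec.selector` (the name suggests so, but the callers are outside this hunk), switching an existing release between the two render paths would be rejected because selectors are immutable. A comment on the `{{- if ne .Release.Name "kustomize" }}` line, e.g. `# helm and kustomize renders produce different selectors; do not switch an existing release between them`, would make that constraint explicit.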
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-external-attacher-role
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumes"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["nodes"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["csi.storage.k8s.io"]
|
||||||
|
resources: ["csinodeinfos"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["storage.k8s.io"]
|
||||||
|
resources: ["volumeattachments"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
|
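Review bot: The rule granting `get`/`list`/`watch` on `csinodeinfos` in the `csi.storage.k8s.io` group targets a resource that, as far as I know, no longer exists on the Kubernetes versions this umbrella chart requires (`kubeVersion: ">= 1.16.0"` in its Chart.yaml earlier in this commit; the CSINodeInfo CRD was superseded by `storage.k8s.io` CSINode, which the provisioner role in this commit already uses). A rule for an absent resource grants nothing, so it is harmless, but it is dead RBAC that gets re-audited on every review. If the upstream chart is being tracked verbatim, a comment `# csinodeinfos (csi.storage.k8s.io) is the pre-CSINode CRD; kept to match upstream` would explain its presence; otherwise drop the rule.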
@ -0,0 +1,35 @@
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-external-provisioner-role
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumes"]
|
||||||
|
verbs: ["get", "list", "watch", "create", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumeclaims"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
- apiGroups: ["storage.k8s.io"]
|
||||||
|
resources: ["storageclasses"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["list", "watch", "create", "update", "patch"]
|
||||||
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
|
resources: ["volumesnapshots"]
|
||||||
|
verbs: ["get", "list"]
|
||||||
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
|
resources: ["volumesnapshotcontents"]
|
||||||
|
verbs: ["get", "list"]
|
||||||
|
- apiGroups: ["storage.k8s.io"]
|
||||||
|
resources: ["csinodes"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["nodes"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
|
resources: ["leases"]
|
||||||
|
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
|
@ -0,0 +1,31 @@
|
||||||
|
{{- if .Values.enableVolumeResizing }}
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-external-resizer-role
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
# The following rule should be uncommented for plugins that require secrets
|
||||||
|
# for provisioning.
|
||||||
|
# - apiGroups: [""]
|
||||||
|
# resources: ["secrets"]
|
||||||
|
# verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumes"]
|
||||||
|
verbs: ["get", "list", "watch", "update", "patch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumeclaims"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumeclaims/status"]
|
||||||
|
verbs: ["update", "patch"]
|
||||||
|
- apiGroups: ["storage.k8s.io"]
|
||||||
|
resources: ["storageclasses"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["list", "watch", "create", "update", "patch"]
|
||||||
|
|
||||||
|
{{- end}}
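Review bot: The closing `{{- end}}` here is spaced differently from the `{{- end }}` used in every other new template in this commit (the resizer binding below closes with the same `{{- end}}` form). Go templates accept both, so this is purely a point of style, but normalizing to `{{- end }}` keeps the templates greppable and consistent. The commented `secrets` rule above it is fine to keep as documentation, though a one-line note such as `# EBS does not use provisioning secrets; leave disabled` would explain why it stays commented.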
|
|
@ -0,0 +1,35 @@
|
||||||
|
{{- if .Values.enableVolumeSnapshot }}
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-snapshot-controller-role
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumes"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["persistentvolumeclaims"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
- apiGroups: ["storage.k8s.io"]
|
||||||
|
resources: ["storageclasses"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["list", "watch", "create", "update", "patch"]
|
||||||
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
|
resources: ["volumesnapshotclasses"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
|
resources: ["volumesnapshotcontents"]
|
||||||
|
verbs: ["create", "get", "list", "watch", "update", "delete"]
|
||||||
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
|
resources: ["volumesnapshots"]
|
||||||
|
verbs: ["get", "list", "watch", "update"]
|
||||||
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
|
resources: ["volumesnapshots/status"]
|
||||||
|
verbs: ["update"]
|
||||||
|
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,25 @@
|
||||||
|
{{- if .Values.enableVolumeSnapshot }}
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-external-snapshotter-role
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["events"]
|
||||||
|
verbs: ["list", "watch", "create", "update", "patch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["secrets"]
|
||||||
|
verbs: ["get", "list"]
|
||||||
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
|
resources: ["volumesnapshotclasses"]
|
||||||
|
verbs: ["get", "list", "watch"]
|
||||||
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
|
resources: ["volumesnapshotcontents"]
|
||||||
|
verbs: ["create", "get", "list", "watch", "update", "delete"]
|
||||||
|
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||||
|
resources: ["volumesnapshotcontents/status"]
|
||||||
|
verbs: ["update"]
|
||||||
|
{{- end }}
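Review bot: The rule `resources: ["secrets"]` / `verbs: ["get", "list"]` in this ClusterRole has no `resourceNames` and is bound cluster-wide to `ebs-csi-controller-sa` by the `ebs-csi-snapshotter-binding` added later in this commit, so the controller pod can read every Secret in the cluster. The resizer role in the same commit keeps the equivalent rule commented out with the note that it is only for plugins that need secrets for provisioning; the same reasoning applies here unless snapshot credential secrets are actually configured for this driver. The removed rbac.yaml carried the identical rule, so this is inherited rather than new, but it is the broadest grant in the chart and worth either dropping, restricting via `resourceNames:` or a namespaced Role, or documenting with a comment such as `# required only when snapshot classes reference credential secrets`.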
|
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-csi-attacher-binding
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: ebs-csi-controller-sa
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: ebs-external-attacher-role
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-csi-provisioner-binding
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: ebs-csi-controller-sa
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: ebs-external-provisioner-role
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.enableVolumeResizing }}
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-csi-resizer-binding
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: ebs-csi-controller-sa
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: ebs-external-resizer-role
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
|
{{- end}}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.enableVolumeSnapshot }}
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-csi-snapshot-controller-binding
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: ebs-snapshot-controller
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: ebs-snapshot-controller-role
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.enableVolumeSnapshot }}
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-csi-snapshotter-binding
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: ebs-csi-controller-sa
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: ebs-external-snapshotter-role
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
|
{{- end }}
|
|
@ -4,25 +4,26 @@ apiVersion: apps/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: ebs-csi-controller
|
name: ebs-csi-controller
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
spec:
|
spec:
|
||||||
replicas: {{ .Values.replicaCount }}
|
replicas: {{ .Values.replicaCount }}
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: ebs-csi-controller
|
app: ebs-csi-controller
|
||||||
app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }}
|
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: ebs-csi-controller
|
app: ebs-csi-controller
|
||||||
app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }}
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- if .Values.podAnnotations }}
|
{{- if .Values.podAnnotations }}
|
||||||
annotations: {{ toYaml .Values.podAnnotations | nindent 8 }}
|
annotations: {{ toYaml .Values.podAnnotations | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
spec:
|
spec:
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
beta.kubernetes.io/os: linux
|
kubernetes.io/os: linux
|
||||||
|
kubernetes.io/arch: amd64
|
||||||
{{- with .Values.nodeSelector }}
|
{{- with .Values.nodeSelector }}
|
||||||
{{ toYaml . | indent 8 }}
|
{{ toYaml . | indent 8 }}
|
||||||
{{- end }}
|
{{- end }}
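Review bot: `spec.selector.matchLabels` is changed in this hunk from the explicit `app.kubernetes.io/name` and `app.kubernetes.io/instance` pair to `{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}`; the Deployment selector is immutable, so unless that helper renders exactly the same keys and values, `helm upgrade` of an existing release fails with a field-immutable error and the Deployment has to be deleted and recreated. The same selector change is made to the ebs-csi-node DaemonSet and the ebs-snapshot-controller StatefulSet further down, which are equally immutable. Confirm the helper's output against the old keys or document the required recreate in the chart README. The new `kubernetes.io/arch: amd64` nodeSelector silently excludes other architectures; a comment like `# amd64 only - confirm against the architectures the driver image is built for` would make the intent explicit. The pod spec continues outside the hunk.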
|
||||||
|
@ -38,12 +39,18 @@ spec:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
containers:
|
containers:
|
||||||
- name: ebs-plugin
|
- name: ebs-plugin
|
||||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||||
args:
|
args:
|
||||||
|
{{- if ne .Release.Name "kustomize" }}
|
||||||
- controller
|
- controller
|
||||||
|
{{ else }}
|
||||||
|
# - {all,controller,node} # specify the driver mode
|
||||||
|
{{- end }}
|
||||||
- --endpoint=$(CSI_ENDPOINT)
|
- --endpoint=$(CSI_ENDPOINT)
|
||||||
{{ include "aws-ebs-csi-driver.extra-volume-tags" . }}
|
{{- if .Values.extraVolumeTags }}
|
||||||
|
{{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }}
|
||||||
|
{{- end }}
|
||||||
- --logtostderr
|
- --logtostderr
|
||||||
- --v=5
|
- --v=5
|
||||||
env:
|
env:
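Review bot: The image line loses its quotes on the new side, `image: {{ .Values.image.repository }}:{{ .Values.image.tag }}`, where the old side had `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"`. The rendered plain scalar only parses because the colon between repository and tag is not followed by a space; a repository or tag value that starts with a YAML indicator or contains `: ` or ` #` would break the manifest, so keeping the quotes is the safer form, and the ebs-csi-node container hunk below makes the same change. The new `{{- if ne .Release.Name "kustomize" }}` branch keys driver behaviour on the release name and its `{{ else }}` arm only renders a comment into the args list; a short comment above it explaining the `kustomize` convention would help the next maintainer. The container spec continues outside the hunk.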
|
|
@ -2,6 +2,8 @@ apiVersion: storage.k8s.io/v1beta1
|
||||||
kind: CSIDriver
|
kind: CSIDriver
|
||||||
metadata:
|
metadata:
|
||||||
name: ebs.csi.aws.com
|
name: ebs.csi.aws.com
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
spec:
|
spec:
|
||||||
attachRequired: true
|
attachRequired: true
|
||||||
podInfoOnMount: false
|
podInfoOnMount: false
|
||||||
|
|
|
@ -4,24 +4,34 @@ apiVersion: apps/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: ebs-csi-node
|
name: ebs-csi-node
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: ebs-csi-node
|
app: ebs-csi-node
|
||||||
app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }}
|
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: ebs-csi-node
|
app: ebs-csi-node
|
||||||
app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }}
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
|
||||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
|
||||||
{{- if .Values.node.podAnnotations }}
|
{{- if .Values.node.podAnnotations }}
|
||||||
annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }}
|
annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
spec:
|
spec:
|
||||||
|
affinity:
|
||||||
|
nodeAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
nodeSelectorTerms:
|
||||||
|
- matchExpressions:
|
||||||
|
- key: eks.amazonaws.com/compute-type
|
||||||
|
operator: NotIn
|
||||||
|
values:
|
||||||
|
- fargate
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
beta.kubernetes.io/os: linux
|
kubernetes.io/os: linux
|
||||||
|
kubernetes.io/arch: amd64
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
priorityClassName: system-node-critical
|
priorityClassName: system-node-critical
|
||||||
tolerations:
|
tolerations:
|
||||||
|
@ -33,7 +43,7 @@ spec:
|
||||||
- name: ebs-plugin
|
- name: ebs-plugin
|
||||||
securityContext:
|
securityContext:
|
||||||
privileged: true
|
privileged: true
|
||||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
|
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
|
||||||
args:
|
args:
|
||||||
- node
|
- node
|
||||||
- --endpoint=$(CSI_ENDPOINT)
|
- --endpoint=$(CSI_ENDPOINT)
|
|
@ -1,251 +0,0 @@
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-external-provisioner-role
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumes"]
|
|
||||||
verbs: ["get", "list", "watch", "create", "delete"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["storageclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["events"]
|
|
||||||
verbs: ["list", "watch", "create", "update", "patch"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshots"]
|
|
||||||
verbs: ["get", "list"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotcontents"]
|
|
||||||
verbs: ["get", "list"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["csinodes"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["nodes"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["coordination.k8s.io"]
|
|
||||||
resources: ["leases"]
|
|
||||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-provisioner-binding
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-external-provisioner-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-external-attacher-role
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumes"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["nodes"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["csi.storage.k8s.io"]
|
|
||||||
resources: ["csinodeinfos"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["volumeattachments"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-attacher-binding
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-external-attacher-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
|
|
||||||
{{- if .Values.enableVolumeSnapshot }}
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-external-snapshotter-role
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumes"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["storageclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["events"]
|
|
||||||
verbs: ["list", "watch", "create", "update", "patch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["secrets"]
|
|
||||||
verbs: ["get", "list"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotcontents"]
|
|
||||||
verbs: ["create", "get", "list", "watch", "update", "delete"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshots"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotcontents"]
|
|
||||||
verbs: ["create", "get", "list", "watch", "update", "delete"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotcontents/status"]
|
|
||||||
verbs: ["update"]
|
|
||||||
- apiGroups: ["apiextensions.k8s.io"]
|
|
||||||
resources: ["customresourcedefinitions"]
|
|
||||||
verbs: ["create", "list", "watch", "delete"]
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-snapshotter-binding
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-external-snapshotter-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-snapshot-controller-role
|
|
||||||
rules:
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumes"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["storageclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["events"]
|
|
||||||
verbs: ["list", "watch", "create", "update", "patch"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshotcontents"]
|
|
||||||
verbs: ["create", "get", "list", "watch", "update", "delete"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshots"]
|
|
||||||
verbs: ["get", "list", "watch", "update"]
|
|
||||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
|
||||||
resources: ["volumesnapshots/status"]
|
|
||||||
verbs: ["update"]
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-snapshot-controller-binding
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-snapshot-controller
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-snapshot-controller-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: Role
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-snapshot-controller-leaderelection
|
|
||||||
namespace: kube-system
|
|
||||||
rules:
|
|
||||||
- apiGroups: ["coordination.k8s.io"]
|
|
||||||
resources: ["leases"]
|
|
||||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: RoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: snapshot-controller-leaderelection
|
|
||||||
namespace: kube-system
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-snapshot-controller
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: Role
|
|
||||||
name: snapshot-controller-leaderelection
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
{{- if .Values.enableVolumeResizing }}
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-external-resizer-role
|
|
||||||
rules:
|
|
||||||
# The following rule should be uncommented for plugins that require secrets
|
|
||||||
# for provisioning.
|
|
||||||
# - apiGroups: [""]
|
|
||||||
# resources: ["secrets"]
|
|
||||||
# verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumes"]
|
|
||||||
verbs: ["get", "list", "watch", "update", "patch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["persistentvolumeclaims/status"]
|
|
||||||
verbs: ["update", "patch"]
|
|
||||||
- apiGroups: ["storage.k8s.io"]
|
|
||||||
resources: ["storageclasses"]
|
|
||||||
verbs: ["get", "list", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["events"]
|
|
||||||
verbs: ["list", "watch", "create", "update", "patch"]
|
|
||||||
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-resizer-binding
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: ebs-external-resizer-role
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
{{- end}}
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
{{- if .Values.enableVolumeSnapshot }}
|
||||||
|
---
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: ebs-snapshot-controller-leaderelection
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["coordination.k8s.io"]
|
||||||
|
resources: ["leases"]
|
||||||
|
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||||
|
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,19 @@
|
||||||
|
{{- if .Values.enableVolumeSnapshot }}
|
||||||
|
---
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: snapshot-controller-leaderelection
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: ebs-snapshot-controller
|
||||||
|
namespace: kube-system
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: snapshot-controller-leaderelection
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,15 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: ebs-csi-controller-sa
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
|
{{- with .Values.serviceAccount.controller.annotations }}
|
||||||
|
annotations: {{ toYaml . | nindent 4 }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if eq .Release.Name "kustomize" }}
|
||||||
|
#Enable if EKS IAM for SA is used
|
||||||
|
#annotations:
|
||||||
|
# eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role
|
||||||
|
{{- end }}
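Review bot: The commented annotation `# eks.amazonaws.com/role-arn: arn:aws:iam::586565787010:role/ebs-csi-role` embeds a concrete AWS account id and role name in a chart template; Helm renders YAML comments into the output, so it also appears in every rendered manifest, not just in the repository. Replace the value with a placeholder such as `arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>`, or drop the whole `{{- if eq .Release.Name "kustomize" }}` block, since `.Values.serviceAccount.controller.annotations` directly above is already the supported way to set the IRSA annotation and the block renders nothing but comments. Minor style point: `#Enable if EKS IAM for SA is used` lacks the space after the hash used elsewhere in the chart.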
|
|
@ -1,18 +1,13 @@
|
||||||
apiVersion: v1
|
{{- if .Values.enableVolumeSnapshot }}
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: ebs-csi-controller-sa
|
|
||||||
namespace: kube-system
|
|
||||||
{{- with .Values.serviceAccount.controller.annotations }}
|
|
||||||
annotations: {{ toYaml . | nindent 4 }}
|
|
||||||
{{- end }}
|
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
name: ebs-snapshot-controller
|
name: ebs-snapshot-controller
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
{{- with .Values.serviceAccount.snapshot.annotations }}
|
{{- with .Values.serviceAccount.snapshot.annotations }}
|
||||||
annotations: {{ toYaml . | nindent 4 }}
|
annotations: {{ toYaml . | nindent 4 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -5,21 +5,25 @@ apiVersion: apps/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: ebs-snapshot-controller
|
name: ebs-snapshot-controller
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
|
||||||
spec:
|
spec:
|
||||||
serviceName: ebs-snapshot-controller
|
serviceName: ebs-snapshot-controller
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: ebs-snapshot-controller
|
app: ebs-snapshot-controller
|
||||||
|
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: ebs-snapshot-controller
|
app: ebs-snapshot-controller
|
||||||
|
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: ebs-snapshot-controller
|
serviceAccountName: ebs-snapshot-controller
|
||||||
containers:
|
containers:
|
||||||
- name: snapshot-controller
|
- name: snapshot-controller
|
||||||
image: quay.io/k8scsi/snapshot-controller:v2.0.1
|
image: quay.io/k8scsi/snapshot-controller:v2.1.1
|
||||||
args:
|
args:
|
||||||
- --v=5
|
- --v=5
|
||||||
- --leader-election=false
|
- --leader-election=false
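Review bot: `- --leader-election=false` stays on the new side while this commit adds the `ebs-snapshot-controller-leaderelection` Role and RoleBinding giving the same `ebs-snapshot-controller` ServiceAccount get/watch/list/delete/update/create on `coordination.k8s.io` leases. With leader election disabled and `replicas: 1` that grant is never exercised; either enable leader election or drop the Role and RoleBinding so the ServiceAccount holds only what it uses, and add a comment such as `# single replica, leader election intentionally off` next to the flag if the former is the intent. The `serviceAccount` to `serviceAccountName` change is the right fix, the former field is deprecated. The container spec continues outside the hunk.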
|
||||||
|
|
|
@ -6,7 +6,7 @@ replicaCount: 2
|
||||||
|
|
||||||
image:
|
image:
|
||||||
repository: amazon/aws-ebs-csi-driver
|
repository: amazon/aws-ebs-csi-driver
|
||||||
tag: "v0.5.0"
|
tag: "v0.6.0"
|
||||||
pullPolicy: IfNotPresent
|
pullPolicy: IfNotPresent
|
||||||
|
|
||||||
sidecars:
|
sidecars:
|
||||||
|
@ -18,7 +18,7 @@ sidecars:
|
||||||
tag: "v1.2.0"
|
tag: "v1.2.0"
|
||||||
snapshotterImage:
|
snapshotterImage:
|
||||||
repository: quay.io/k8scsi/csi-snapshotter
|
repository: quay.io/k8scsi/csi-snapshotter
|
||||||
tag: "v2.0.1"
|
tag: "v2.1.1"
|
||||||
livenessProbeImage:
|
livenessProbeImage:
|
||||||
repository: quay.io/k8scsi/livenessprobe
|
repository: quay.io/k8scsi/livenessprobe
|
||||||
tag: "v1.1.0"
|
tag: "v1.1.0"
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
|
# Upstream doesnt have proper Helm repo yet so we just download latest release and stuff it into charts
|
||||||
|
|
||||||
REPO="kubernetes-sigs/aws-ebs-csi-driver"
|
REPO="kubernetes-sigs/aws-ebs-csi-driver"
|
||||||
LATEST_RELEASE=$(curl -sL -s https://api.github.com/repos/${REPO}/releases | grep '"tag_name":' | cut -d'"' -f4 | grep -v -E "(alpha|beta|rc)" | sort -t"." -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tail -n 1)
|
LATEST_RELEASE=$(curl -sL -s https://api.github.com/repos/${REPO}/releases | grep '"tag_name":' | cut -d'"' -f4 | grep -v -E "(alpha|beta|rc)" | sort -t"." -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tail -n 1)
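Review bot: The `LATEST_RELEASE` pipeline on the new side sorts tags with `sort -t"." -k 1,1 -k 2,2 -k 3,3 -k 4,4`, which compares each field lexically, so once upstream publishes a two-digit component such as v0.10.0 it sorts below v0.9.0 and the script fetches the wrong release; `sort -V` orders version strings correctly. The script also runs under `set -ex` without `-o pipefail` or `-u`, so a failed `curl` leaves `LATEST_RELEASE` empty and execution continues with an empty tag; `set -euxo pipefail` plus a check that the variable is non-empty would make the failure visible. The rest of the script is outside the hunk.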
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
apiVersion: v2
|
apiVersion: v2
|
||||||
name: kubezero-aws-efs-csi-driver
|
name: kubezero-aws-efs-csi-driver
|
||||||
description: KubeZero Umbrella Chart for aws-efs-csi-driver
|
description: KubeZero Umbrella Chart for aws-efs-csi-driver
|
||||||
version: 0.1.0
|
version: 0.1.1
|
||||||
appVersion: 1.0.0
|
appVersion: 1.0.0
|
||||||
kubeVersion: ">=1.16.0-0"
|
kubeVersion: ">=1.16.0-0"
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
|
@ -18,7 +18,7 @@ maintainers:
|
||||||
- name: Quarky9
|
- name: Quarky9
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.1"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
# Once they properly update upstream
|
# Once they properly update upstream
|
||||||
# - name: aws-ebs-csi-driver
|
# - name: aws-ebs-csi-driver
|
||||||
|
|
|
@ -2,7 +2,7 @@ kubezero-aws-efs-csi-driver
|
||||||
===========================
|
===========================
|
||||||
KubeZero Umbrella Chart for aws-efs-csi-driver
|
KubeZero Umbrella Chart for aws-efs-csi-driver
|
||||||
|
|
||||||
Current chart version is `0.1.0`
|
Current chart version is `0.1.1`
|
||||||
|
|
||||||
Source code can be found [here](https://kubezero.com)
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
@ -10,7 +10,7 @@ Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## Storage Class
|
## Storage Class
|
||||||
Optionally creates the *efs-cs* storage class.
|
Optionally creates the *efs-cs* storage class.
|
||||||
|
|
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||||
name: kubezero-calico
|
name: kubezero-calico
|
||||||
description: KubeZero Umbrella Chart for Calico
|
description: KubeZero Umbrella Chart for Calico
|
||||||
type: application
|
type: application
|
||||||
version: 0.1.7
|
version: 0.1.9
|
||||||
appVersion: 3.15
|
appVersion: 3.15.1
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -13,6 +13,6 @@ maintainers:
|
||||||
- name: Quarky9
|
- name: Quarky9
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.1"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
kubeVersion: ">= 1.16.0"
|
kubeVersion: ">= 1.16.0"
|
||||||
|
|
|
@ -2,7 +2,7 @@ kubezero-calico
|
||||||
===============
|
===============
|
||||||
KubeZero Umbrella Chart for Calico
|
KubeZero Umbrella Chart for Calico
|
||||||
|
|
||||||
Current chart version is `0.1.7`
|
Current chart version is `0.1.9`
|
||||||
|
|
||||||
Source code can be found [here](https://kubezero.com)
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
@ -10,7 +10,7 @@ Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## KubeZero default configuration
|
## KubeZero default configuration
|
||||||
|
|
||||||
|
|
|
@ -322,10 +322,6 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
kubernetes.io/os: linux
|
kubernetes.io/os: linux
|
||||||
{{- if .Values.migration }}
|
|
||||||
# Only run Calico on nodes that have been migrated.
|
|
||||||
projectcalico.org/node-network-during-migration: calico
|
|
||||||
{{- end }}
|
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
tolerations:
|
tolerations:
|
||||||
# Make sure calico-node gets scheduled on all nodes.
|
# Make sure calico-node gets scheduled on all nodes.
|
||||||
|
@ -345,7 +341,7 @@ spec:
|
||||||
# This container installs the CNI binaries
|
# This container installs the CNI binaries
|
||||||
# and CNI network config file on each node.
|
# and CNI network config file on each node.
|
||||||
- name: install-cni
|
- name: install-cni
|
||||||
image: calico/cni:v3.15.0
|
image: calico/cni:v3.15.1
|
||||||
command: ["/install-cni.sh"]
|
command: ["/install-cni.sh"]
|
||||||
env:
|
env:
|
||||||
# Name of the CNI config file to create.
|
# Name of the CNI config file to create.
|
||||||
|
@ -381,7 +377,7 @@ spec:
|
||||||
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
|
# Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
|
||||||
# to communicate with Felix over the Policy Sync API.
|
# to communicate with Felix over the Policy Sync API.
|
||||||
- name: flexvol-driver
|
- name: flexvol-driver
|
||||||
image: calico/pod2daemon-flexvol:v3.15.0
|
image: calico/pod2daemon-flexvol:v3.15.1
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: flexvol-driver-host
|
- name: flexvol-driver-host
|
||||||
mountPath: /host/driver
|
mountPath: /host/driver
|
||||||
|
@ -392,7 +388,7 @@ spec:
|
||||||
# container programs network policy and routes on each
|
# container programs network policy and routes on each
|
||||||
# host.
|
# host.
|
||||||
- name: calico-node
|
- name: calico-node
|
||||||
image: calico/node:v3.15.0
|
image: calico/node:v3.15.1
|
||||||
env:
|
env:
|
||||||
# Use Kubernetes API as the backing datastore.
|
# Use Kubernetes API as the backing datastore.
|
||||||
- name: DATASTORE_TYPE
|
- name: DATASTORE_TYPE
|
||||||
|
@ -594,7 +590,7 @@ spec:
|
||||||
priorityClassName: system-cluster-critical
|
priorityClassName: system-cluster-critical
|
||||||
containers:
|
containers:
|
||||||
- name: calico-kube-controllers
|
- name: calico-kube-controllers
|
||||||
image: calico/kube-controllers:v3.15.0
|
image: calico/kube-controllers:v3.15.1
|
||||||
env:
|
env:
|
||||||
# Choose which controllers to run.
|
# Choose which controllers to run.
|
||||||
- name: ENABLED_CONTROLLERS
|
- name: ENABLED_CONTROLLERS
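Review bot: The four image references bumped in this file (`calico/cni:v3.15.1`, `calico/pod2daemon-flexvol:v3.15.1`, `calico/node:v3.15.1`, `calico/kube-controllers:v3.15.1`) are pinned by tag only, and tags are mutable, so what gets pulled onto a node can change without any chart change. Since install-cni writes binaries and the CNI config onto every host (per its own comment in the hunk), consider pinning by digest, e.g. `image: calico/cni:v3.15.1@sha256:<digest-from-registry>`, or at least recording the digests alongside the version in the chart README so drift can be detected. The DaemonSet and Deployment definitions these hunks belong to continue outside the visible hunks.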
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
{{- if .Values.prometheus }}
|
{{- if .Values.prometheus }}
|
||||||
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
|
|
|
@ -5,7 +5,7 @@ metadata:
|
||||||
name: calico-node
|
name: calico-node
|
||||||
labels:
|
labels:
|
||||||
k8s-app: calico-node
|
k8s-app: calico-node
|
||||||
prometheus: kube-prometheus
|
release: metrics
|
||||||
spec:
|
spec:
|
||||||
jobLabel: k8s-app
|
jobLabel: k8s-app
|
||||||
selector:
|
selector:
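Review bot: `release: metrics` hard-codes the Helm release name of the prometheus-operator installation into this ServiceMonitor's labels, so a metrics stack released under any other name will silently stop scraping calico-node. The kiam values hunks keep the same `release: metrics` under `servicemonitor.labels`, where a user can at least override it; here the value is fixed in the template. A short comment on the label line such as `# must match the serviceMonitorSelector of the prometheus-operator release` would document the coupling, and making the value configurable would remove it.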
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
# Once pod is running:
|
||||||
|
# kubectl -n NAME-SPACE-TO-TEST exec -it pod/POD_NAME /bin/sh
|
||||||
|
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: netshoot
|
||||||
|
namespace: kube-system
|
||||||
|
labels:
|
||||||
|
app: netshoot
|
||||||
|
spec:
|
||||||
|
replicas: 2
|
||||||
|
strategy:
|
||||||
|
type: Recreate
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: netshoot
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: netshoot
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: netshoot
|
||||||
|
image: nicolaka/netshoot
|
||||||
|
imagePullPolicy: Always
|
||||||
|
command:
|
||||||
|
- /bin/sleep
|
||||||
|
args:
|
||||||
|
- "3600"
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- topologyKey: "kubernetes.io/hostname"
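Review bot: The required podAntiAffinity term that closes this new file has a topologyKey but no labelSelector, and a term without a selector matches no pods, so the anti-affinity is a no-op and both replicas may land on the same node. Add `labelSelector:` / `matchLabels:` / `app: netshoot` under the term so it spreads the pods as intended. Separately, this is a permanently running debug Deployment in kube-system with an untagged `nicolaka/netshoot` image and `imagePullPolicy: Always`, so every restart pulls whatever the tag currently points at — and since the container runs `/bin/sleep 3600` it exits and restarts hourly. No `resources` or `securityContext` are set either; pin a tag or digest and add both, or keep this manifest out of the default templates if it is only meant for ad-hoc troubleshooting.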
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
||||||
name: kubezero-cert-manager
|
name: kubezero-cert-manager
|
||||||
description: KubeZero Umbrella Chart for cert-manager
|
description: KubeZero Umbrella Chart for cert-manager
|
||||||
type: application
|
type: application
|
||||||
version: 0.3.5
|
version: 0.3.6
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -12,7 +12,7 @@ maintainers:
|
||||||
- name: Quarky9
|
- name: Quarky9
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.1"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: cert-manager
|
- name: cert-manager
|
||||||
version: 0.15.1
|
version: 0.15.1
|
||||||
|
|
|
@ -2,7 +2,7 @@ kubezero-cert-manager
|
||||||
=====================
|
=====================
|
||||||
KubeZero Umbrella Chart for cert-manager
|
KubeZero Umbrella Chart for cert-manager
|
||||||
|
|
||||||
Current chart version is `0.3.5`
|
Current chart version is `0.3.6`
|
||||||
|
|
||||||
Source code can be found [here](https://kubezero.com)
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Source code can be found [here](https://kubezero.com)
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://charts.jetstack.io | cert-manager | 0.15.1 |
|
| https://charts.jetstack.io | cert-manager | 0.15.1 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## AWS - IAM Role
|
## AWS - IAM Role
|
||||||
If you use kiam or kube2iam and restrict access on nodes running cert-manager please adjust:
|
If you use kiam or kube2iam and restrict access on nodes running cert-manager please adjust:
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
kubectl get -A -o yaml issuer,clusterissuer,certificates,certificaterequests > cert-manager-backup.yaml
|
||||||
|
echo '---' >> cert-manager-backup.yaml
|
||||||
|
kubectl get -A -o yaml secrets --field-selector type=kubernetes.io/tls >> cert-manager-backup.yaml
|
||||||
|
echo '---' >> cert-manager-backup.yaml
|
||||||
|
kubectl get -o yaml secrets -n cert-manager letsencrypt-dns-prod >> cert-manager-backup.yaml
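Review bot: The backup file written by this new script contains private key material — every `kubernetes.io/tls` secret in the cluster plus the `letsencrypt-dns-prod` ACME account secret — yet it is created with the default umask in the current directory, and the script keeps appending after a failed `kubectl get`. Add `set -eo pipefail` and `umask 077` directly after the shebang so the file is owner-readable only and a partial dump is not mistaken for a complete one. A comment at the top stating that the output is secret material and must not be committed would help whoever runs it next.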
|
|
@ -2,8 +2,8 @@ apiVersion: v2
|
||||||
name: kubezero-istio
|
name: kubezero-istio
|
||||||
description: KubeZero Umbrella Chart for Istio
|
description: KubeZero Umbrella Chart for Istio
|
||||||
type: application
|
type: application
|
||||||
version: 0.2.0
|
version: 0.2.3
|
||||||
appVersion: 1.6.5
|
appVersion: 1.6.7
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
|
@ -13,7 +13,7 @@ maintainers:
|
||||||
- name: Quarky9
|
- name: Quarky9
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.1"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: istio-operator
|
- name: istio-operator
|
||||||
version: ">= 1.6"
|
version: ">= 1.6"
|
||||||
|
|
|
@ -5,7 +5,7 @@ KubeZero Umbrella Chart for Istio
|
||||||
Installs Istio Operator and KubeZero Istio profile
|
Installs Istio Operator and KubeZero Istio profile
|
||||||
|
|
||||||
|
|
||||||
Current chart version is `0.2.0`
|
Current chart version is `0.2.3`
|
||||||
|
|
||||||
Source code can be found [here](https://kubezero.com)
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
@ -14,7 +14,7 @@ Source code can be found [here](https://kubezero.com)
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| | istio-operator | >= 1.6 |
|
| | istio-operator | >= 1.6 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## KubeZero default configuration
|
## KubeZero default configuration
|
||||||
- mapped istio-operator to run on the controller nodes only
|
- mapped istio-operator to run on the controller nodes only
|
||||||
|
@ -24,11 +24,12 @@ Source code can be found [here](https://kubezero.com)
|
||||||
| Key | Type | Default | Description |
|
| Key | Type | Default | Description |
|
||||||
|-----|------|---------|-------------|
|
|-----|------|---------|-------------|
|
||||||
| ingress.autoscaleEnabled | bool | `false` | |
|
| ingress.autoscaleEnabled | bool | `false` | |
|
||||||
| ingress.private | bool | `true` | |
|
| ingress.private.enabled | bool | `true` | |
|
||||||
|
| ingress.private.nodeSelector | string | `"31080_31443_30671_30672_31224"` | |
|
||||||
| ingress.replicaCount | int | `2` | |
|
| ingress.replicaCount | int | `2` | |
|
||||||
| ingress.type | string | `"NodePort"` | |
|
| ingress.type | string | `"NodePort"` | |
|
||||||
| istio-operator.hub | string | `"docker.io/istio"` | |
|
| istio-operator.hub | string | `"docker.io/istio"` | |
|
||||||
| istio-operator.tag | string | `"1.6.5"` | |
|
| istio-operator.tag | string | `"1.6.7"` | |
|
||||||
| istiod.autoscaleEnabled | bool | `false` | |
|
| istiod.autoscaleEnabled | bool | `false` | |
|
||||||
| istiod.replicaCount | int | `1` | |
|
| istiod.replicaCount | int | `1` | |
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# First delete old 1.4
|
||||||
|
kubectl delete -f ingress-gateway.yaml
|
||||||
|
kubectl delete -f istio.yaml
|
||||||
|
kubectl delete -f istio-init.yaml
|
||||||
|
kubectl delete -f namespace.yaml
|
|
@ -4,6 +4,8 @@ kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: public-ingress-cert
|
name: public-ingress-cert
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
secretName: public-ingress-cert
|
secretName: public-ingress-cert
|
||||||
issuerRef:
|
issuerRef:
|
||||||
|
|
|
@ -3,6 +3,8 @@ kind: Gateway
|
||||||
metadata:
|
metadata:
|
||||||
name: ingressgateway
|
name: ingressgateway
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
istio: ingressgateway
|
istio: ingressgateway
|
||||||
|
@ -27,12 +29,15 @@ spec:
|
||||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||||
credentialName: public-ingress-cert
|
credentialName: public-ingress-cert
|
||||||
|
|
||||||
|
{{- if .Values.ingress.private.enabled }}
|
||||||
---
|
---
|
||||||
apiVersion: networking.istio.io/v1alpha3
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
kind: Gateway
|
kind: Gateway
|
||||||
metadata:
|
metadata:
|
||||||
name: private-ingressgateway
|
name: private-ingressgateway
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
istio: private-ingressgateway
|
istio: private-ingressgateway
|
||||||
|
@ -56,9 +61,22 @@ spec:
|
||||||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||||||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||||||
credentialName: public-ingress-cert
|
credentialName: public-ingress-cert
|
||||||
|
- port:
|
||||||
|
number: 5672
|
||||||
|
name: amqp
|
||||||
|
protocol: TCP
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
|
- port:
|
||||||
|
number: 5671
|
||||||
|
name: amqps
|
||||||
|
protocol: TCP
|
||||||
|
hosts:
|
||||||
|
- "*"
|
||||||
- port:
|
- port:
|
||||||
number: 24224
|
number: 24224
|
||||||
name: fluentd-forward
|
name: fluentd-forward
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
hosts:
|
hosts:
|
||||||
- "*"
|
- "*"
|
||||||
|
{{- end }}
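Review bot: The two server entries added for `amqp`/5672 and `amqps`/5671 use `protocol: TCP` with `hosts: "*"` and no `tls:` block, so the gateway forwards both as opaque TCP — plaintext AMQP on 5672 passes through unencrypted end to end, and AMQPS is only protected if the backend terminates TLS itself. If the private gateway is the only intended path this may be acceptable, but it should be stated on the 5672 entry, e.g. `# plaintext AMQP; intended for the private ingress only`, and the 5672 listener dropped if clients can use 5671. Note that the whole private Gateway now sits inside `{{- if .Values.ingress.private.enabled }}`, so these listeners are exposed whenever the private ingress is enabled.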
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
{{- if .Values.ingress.private }}
|
{{- if .Values.ingress.private.enabled }}
|
||||||
apiVersion: install.istio.io/v1alpha1
|
apiVersion: install.istio.io/v1alpha1
|
||||||
kind: IstioOperator
|
kind: IstioOperator
|
||||||
metadata:
|
metadata:
|
||||||
name: kubezero-istio-private-ingress
|
name: kubezero-istio-private-ingress
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
profile: empty
|
profile: empty
|
||||||
components:
|
components:
|
||||||
|
@ -28,25 +30,40 @@ spec:
|
||||||
name: istio-private-ingressgateway
|
name: istio-private-ingressgateway
|
||||||
{{- end }}
|
{{- end }}
|
||||||
env:
|
env:
|
||||||
|
# https://github.com/istio/istio/issues/26524
|
||||||
|
#- name: TERMINATION_DRAIN_DURATION_SECONDS
|
||||||
|
# value: "60"
|
||||||
- name: ISTIO_META_HTTP10
|
- name: ISTIO_META_HTTP10
|
||||||
value: '"1"'
|
value: '"1"'
|
||||||
- name: ISTIO_META_ROUTER_MODE
|
- name: ISTIO_META_ROUTER_MODE
|
||||||
value: standard
|
value: standard
|
||||||
|
- name: ISTIO_META_IDLE_TIMEOUT
|
||||||
|
value: "3600s"
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node.kubernetes.io/ingress.private: "31080_31443_30671_30672_31224"
|
node.kubernetes.io/ingress.private: "{{ .Values.ingress.private.nodeSelector }}"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: 2000m
|
# cpu: 2000m
|
||||||
memory: 1024Mi
|
memory: 1024Mi
|
||||||
requests:
|
requests:
|
||||||
cpu: 100m
|
cpu: 100m
|
||||||
memory: 128Mi
|
memory: 64Mi
|
||||||
strategy:
|
strategy:
|
||||||
rollingUpdate:
|
rollingUpdate:
|
||||||
maxSurge: 100%
|
maxSurge: 100%
|
||||||
maxUnavailable: 25%
|
maxUnavailable: 25%
|
||||||
|
overlays:
|
||||||
|
- apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: istio-private-ingressgateway
|
||||||
|
patches:
|
||||||
|
- path: spec.template.spec.containers.[name:istio-proxy].lifecycle
|
||||||
|
value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}}
|
||||||
|
- path: spec.template.spec.terminationGracePeriodSeconds
|
||||||
|
value: 90
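Review bot: Commenting out `cpu: 2000m` leaves the private ingress gateway pod with a memory limit but no CPU limit, while the memory request drops from 128Mi to 64Mi against a 1024Mi limit; a comment explaining why the CPU cap was removed would help the next reader, since the same change is repeated in the kubezero-istio `istio-ingressgateway` hunk. `ISTIO_META_IDLE_TIMEOUT` set to `"3600s"` also keeps idle connections open for an hour, which raises the number of connections an idle or slow client can hold on the gateway; worth a comment on what required it. The preStop hook (`curl -X POST http://localhost:15000/healthcheck/fail && sleep 30`) together with `terminationGracePeriodSeconds: 90` reads correctly, but the flow-style JSON value would be clearer in block YAML.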
|
||||||
|
|
||||||
values:
|
values:
|
||||||
gateways:
|
gateways:
|
||||||
istio-ingressgateway:
|
istio-ingressgateway:
|
||||||
|
@ -63,6 +80,11 @@ spec:
|
||||||
values: istio-private-ingressgateway
|
values: istio-private-ingressgateway
|
||||||
type: {{ default "NodePort" .Values.ingress.type }}
|
type: {{ default "NodePort" .Values.ingress.type }}
|
||||||
ports:
|
ports:
|
||||||
|
- name: http-status
|
||||||
|
port: 15021
|
||||||
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
|
nodePort: 31021
|
||||||
|
{{- end }}
|
||||||
- name: http2
|
- name: http2
|
||||||
port: 80
|
port: 80
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
|
@ -73,21 +95,21 @@ spec:
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
nodePort: 31443
|
nodePort: 31443
|
||||||
{{- end }}
|
{{- end }}
|
||||||
- name: amqp
|
|
||||||
port: 5672
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 30672
|
|
||||||
{{- end }}
|
|
||||||
- name: amqps
|
|
||||||
port: 5671
|
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
|
||||||
nodePort: 30671
|
|
||||||
{{- end }}
|
|
||||||
- name: fluentd-forward
|
- name: fluentd-forward
|
||||||
port: 24224
|
port: 24224
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
nodePort: 31224
|
nodePort: 31224
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
- name: amqps
|
||||||
|
port: 5671
|
||||||
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
|
nodePort: 31671
|
||||||
|
{{- end }}
|
||||||
|
- name: amqp
|
||||||
|
port: 5672
|
||||||
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
|
nodePort: 31672
|
||||||
|
{{- end }}
|
||||||
sds:
|
sds:
|
||||||
enabled: true
|
enabled: true
|
||||||
image: node-agent-k8s
|
image: node-agent-k8s
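Review bot: The NodePorts for `amqps` and `amqp` change from 30671/30672 to 31671/31672 in this hunk, but the default `ingress.private.nodeSelector` introduced in values.yaml (and reflected in the README) is still `"31080_31443_30671_30672_31224"`. If that label value encodes the NodePorts opened on the private ingress nodes, as its format suggests, the selector now names ports that no longer exist and omits the new 31021, 31671 and 31672, so the node label and whatever node-side firewall or security-group rules it mirrors should be re-checked together with this change. The hunk also moves `amqps` ahead of `amqp`; harmless, but a one-line comment on why the block moved to the 316xx range would avoid the question recurring.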
|
||||||
|
|
|
@ -3,6 +3,8 @@ kind: IstioOperator
|
||||||
metadata:
|
metadata:
|
||||||
name: kubezero-istio
|
name: kubezero-istio
|
||||||
namespace: istio-system
|
namespace: istio-system
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
spec:
|
spec:
|
||||||
profile: empty
|
profile: empty
|
||||||
addonComponents:
|
addonComponents:
|
||||||
|
@ -32,25 +34,40 @@ spec:
|
||||||
name: istio-ingressgateway
|
name: istio-ingressgateway
|
||||||
{{- end }}
|
{{- end }}
|
||||||
env:
|
env:
|
||||||
|
# https://github.com/istio/istio/issues/26524
|
||||||
|
#- name: TERMINATION_DRAIN_DURATION_SECONDS
|
||||||
|
# value: "60"
|
||||||
- name: ISTIO_META_HTTP10
|
- name: ISTIO_META_HTTP10
|
||||||
value: '"1"'
|
value: '"1"'
|
||||||
- name: ISTIO_META_ROUTER_MODE
|
- name: ISTIO_META_ROUTER_MODE
|
||||||
value: standard
|
value: standard
|
||||||
|
- name: ISTIO_META_IDLE_TIMEOUT
|
||||||
|
value: "3600s"
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
node.kubernetes.io/ingress.public: "30080_30443"
|
node.kubernetes.io/ingress.public: "30080_30443"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
resources:
|
resources:
|
||||||
limits:
|
limits:
|
||||||
cpu: 2000m
|
# cpu: 2000m
|
||||||
memory: 1024Mi
|
memory: 1024Mi
|
||||||
requests:
|
requests:
|
||||||
cpu: 100m
|
cpu: 100m
|
||||||
memory: 128Mi
|
memory: 64Mi
|
||||||
strategy:
|
strategy:
|
||||||
rollingUpdate:
|
rollingUpdate:
|
||||||
maxSurge: 100%
|
maxSurge: 100%
|
||||||
maxUnavailable: 25%
|
maxUnavailable: 25%
|
||||||
|
overlays:
|
||||||
|
- apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
name: istio-ingressgateway
|
||||||
|
patches:
|
||||||
|
- path: spec.template.spec.containers.[name:istio-proxy].lifecycle
|
||||||
|
value: {"preStop": {"exec": {"command": ["sh", "-c", "curl -X POST http://localhost:15000/healthcheck/fail && sleep 30"]}}}
|
||||||
|
- path: spec.template.spec.terminationGracePeriodSeconds
|
||||||
|
value: 90
|
||||||
|
|
||||||
name: istio-ingressgateway
|
name: istio-ingressgateway
|
||||||
pilot:
|
pilot:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
@ -95,6 +112,11 @@ spec:
|
||||||
values: istio-ingressgateway
|
values: istio-ingressgateway
|
||||||
type: {{ default "NodePort" .Values.ingress.type }}
|
type: {{ default "NodePort" .Values.ingress.type }}
|
||||||
ports:
|
ports:
|
||||||
|
- name: http-status
|
||||||
|
port: 15021
|
||||||
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
|
nodePort: 30021
|
||||||
|
{{- end }}
|
||||||
- name: http2
|
- name: http2
|
||||||
port: 80
|
port: 80
|
||||||
{{- if eq .Values.ingress.type "NodePort" }}
|
{{- if eq .Values.ingress.type "NodePort" }}
|
||||||
|
|
|
@ -4,3 +4,4 @@ metadata:
|
||||||
name: istio-system
|
name: istio-system
|
||||||
labels:
|
labels:
|
||||||
istio-injection: disabled
|
istio-injection: disabled
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -ex
|
set -ex
|
||||||
|
|
||||||
ISTIO_VERSION=1.6.5
|
ISTIO_VERSION=1.6.7
|
||||||
|
|
||||||
NAME="istio-$ISTIO_VERSION"
|
NAME="istio-$ISTIO_VERSION"
|
||||||
URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
|
URL="https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz"
|
||||||
|
|
|
@ -1,15 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# First delete old 1.4
|
|
||||||
kubectl delete -f ingress-gateway.yaml
|
|
||||||
kubectl delete -f istio.yaml
|
|
||||||
kubectl delete -f istio-init.yaml
|
|
||||||
kubectl delete -f namespace.yaml
|
|
||||||
|
|
||||||
# Now we need to install the new Istio Operator via KubeZero
|
|
||||||
|
|
||||||
# deploy the CR for 1.6
|
|
||||||
kubectl apply -f istio-1.6.yaml
|
|
||||||
|
|
||||||
# add the additiona private ingress gateway as dedicated CR
|
|
||||||
kubectl apply -f istio-1.6-private-ingress.yaml
|
|
|
@ -6,10 +6,12 @@ ingress:
|
||||||
autoscaleEnabled: false
|
autoscaleEnabled: false
|
||||||
replicaCount: 2
|
replicaCount: 2
|
||||||
type: NodePort
|
type: NodePort
|
||||||
private: true
|
private:
|
||||||
|
enabled: true
|
||||||
|
nodeSelector: "31080_31443_30671_30672_31224"
|
||||||
#dnsNames:
|
#dnsNames:
|
||||||
#- "*.example.com"
|
#- "*.example.com"
|
||||||
|
|
||||||
istio-operator:
|
istio-operator:
|
||||||
hub: docker.io/istio
|
hub: docker.io/istio
|
||||||
tag: 1.6.5
|
tag: 1.6.7
|
||||||
|
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
||||||
name: kubezero-kiam
|
name: kubezero-kiam
|
||||||
description: KubeZero Umbrella Chart for Kiam
|
description: KubeZero Umbrella Chart for Kiam
|
||||||
type: application
|
type: application
|
||||||
version: 0.2.6
|
version: 0.2.8
|
||||||
appVersion: 3.6
|
appVersion: 3.6
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
|
@ -13,7 +13,7 @@ maintainers:
|
||||||
- name: Quarky9
|
- name: Quarky9
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.1"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
- name: kiam
|
- name: kiam
|
||||||
version: 5.8.1
|
version: 5.8.1
|
||||||
|
|
|
@ -2,7 +2,7 @@ kubezero-kiam
|
||||||
=============
|
=============
|
||||||
KubeZero Umbrella Chart for Kiam
|
KubeZero Umbrella Chart for Kiam
|
||||||
|
|
||||||
Current chart version is `0.2.6`
|
Current chart version is `0.2.8`
|
||||||
|
|
||||||
Source code can be found [here](https://kubezero.com)
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ Source code can be found [here](https://kubezero.com)
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.8.1 |
|
| https://uswitch.github.io/kiam-helm-charts/charts/ | kiam | 5.8.1 |
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## KubeZero default configuration
|
## KubeZero default configuration
|
||||||
We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
|
We run agents on the controllers as well, so we force eg. ebs csi controllers and others to assume roles etc.
|
||||||
|
@ -25,7 +25,8 @@ The required certificates for Kiam server and agents are provided by a local cer
|
||||||
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
||||||
|
|
||||||
## Metadata restrictions
|
## Metadata restrictions
|
||||||
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
|
Some services require access to some basic AWS information. One example is the `aws-ebs-csi` controller.
|
||||||
|
By default all access to the meta-data service is blocked, expect for:
|
||||||
|
|
||||||
- `/latest/meta-data/instance-id`
|
- `/latest/meta-data/instance-id`
|
||||||
- `/latest/dynamic/instance-identity/document`
|
- `/latest/dynamic/instance-identity/document`
|
||||||
|
@ -40,6 +41,8 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
|
||||||
| kiam.agent.image.tag | string | `"v3.6"` | |
|
| kiam.agent.image.tag | string | `"v3.6"` | |
|
||||||
| kiam.agent.log.level | string | `"warn"` | |
|
| kiam.agent.log.level | string | `"warn"` | |
|
||||||
| kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | |
|
| kiam.agent.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||||
|
| kiam.agent.prometheus.servicemonitor.interval | string | `"30s"` | |
|
||||||
|
| kiam.agent.prometheus.servicemonitor.labels.release | string | `"metrics"` | |
|
||||||
| kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` | |
|
| kiam.agent.sslCertHostPath | string | `"/etc/ssl/certs"` | |
|
||||||
| kiam.agent.tlsCerts.caFileName | string | `"ca.crt"` | |
|
| kiam.agent.tlsCerts.caFileName | string | `"ca.crt"` | |
|
||||||
| kiam.agent.tlsCerts.certFileName | string | `"tls.crt"` | |
|
| kiam.agent.tlsCerts.certFileName | string | `"tls.crt"` | |
|
||||||
|
@ -56,6 +59,8 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
|
||||||
| kiam.server.log.level | string | `"warn"` | |
|
| kiam.server.log.level | string | `"warn"` | |
|
||||||
| kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
| kiam.server.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
|
||||||
| kiam.server.prometheus.servicemonitor.enabled | bool | `false` | |
|
| kiam.server.prometheus.servicemonitor.enabled | bool | `false` | |
|
||||||
|
| kiam.server.prometheus.servicemonitor.interval | string | `"30s"` | |
|
||||||
|
| kiam.server.prometheus.servicemonitor.labels.release | string | `"metrics"` | |
|
||||||
| kiam.server.service.port | int | `6444` | |
|
| kiam.server.service.port | int | `6444` | |
|
||||||
| kiam.server.service.targetPort | int | `6444` | |
|
| kiam.server.service.targetPort | int | `6444` | |
|
||||||
| kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` | |
|
| kiam.server.sslCertHostPath | string | `"/etc/ssl/certs"` | |
|
||||||
|
@ -76,3 +81,5 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
|
||||||
## Resources
|
## Resources
|
||||||
- https://github.com/uswitch/kiam
|
- https://github.com/uswitch/kiam
|
||||||
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
||||||
|
- [Grafana Dashboard](https://raw.githubusercontent.com/uswitch/kiam/master/docs/dashboard-prom.json)
|
||||||
|
![Kiam overview](./kiam_architecure.png)
|
||||||
|
|
|
@ -19,7 +19,8 @@ The required certificates for Kiam server and agents are provided by a local cer
|
||||||
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
||||||
|
|
||||||
## Metadata restrictions
|
## Metadata restrictions
|
||||||
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
|
Some services require access to some basic AWS information. One example is the `aws-ebs-csi` controller.
|
||||||
|
By default all access to the meta-data service is blocked, expect for:
|
||||||
|
|
||||||
- `/latest/meta-data/instance-id`
|
- `/latest/meta-data/instance-id`
|
||||||
- `/latest/dynamic/instance-identity/document`
|
- `/latest/dynamic/instance-identity/document`
|
||||||
|
@ -34,3 +35,5 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
|
||||||
## Resources
|
## Resources
|
||||||
- https://github.com/uswitch/kiam
|
- https://github.com/uswitch/kiam
|
||||||
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
||||||
|
- [Grafana Dashboard](https://raw.githubusercontent.com/uswitch/kiam/master/docs/dashboard-prom.json)
|
||||||
|
![Kiam overview](./kiam_architecure.png)
|
||||||
|
|
|
@ -26,6 +26,9 @@ kiam:
|
||||||
prometheus:
|
prometheus:
|
||||||
servicemonitor:
|
servicemonitor:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
interval: 30s
|
||||||
|
labels:
|
||||||
|
release: metrics
|
||||||
log:
|
log:
|
||||||
level: warn
|
level: warn
|
||||||
|
|
||||||
|
@ -51,6 +54,9 @@ kiam:
|
||||||
prometheus:
|
prometheus:
|
||||||
servicemonitor:
|
servicemonitor:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
interval: 30s
|
||||||
|
labels:
|
||||||
|
release: metrics
|
||||||
log:
|
log:
|
||||||
level: warn
|
level: warn
|
||||||
# extraEnv:
|
# extraEnv:
|
||||||
|
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
||||||
name: kubezero-lib
|
name: kubezero-lib
|
||||||
description: KubeZero helm library - common helm functions and blocks
|
description: KubeZero helm library - common helm functions and blocks
|
||||||
type: library
|
type: library
|
||||||
version: 0.1.2
|
version: 0.1.3
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
keywords:
|
keywords:
|
||||||
|
|
|
@ -2,7 +2,32 @@
|
||||||
Common set of labels
|
Common set of labels
|
||||||
*/ -}}
|
*/ -}}
|
||||||
{{- define "kubezero-lib.labels" -}}
|
{{- define "kubezero-lib.labels" -}}
|
||||||
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
|
helm.sh/chart: {{ include "kubezero-lib.chart" . }}
|
||||||
|
app.kubernetes.io/name: {{ include "kubezero-lib.name" . }}
|
||||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||||
app.kubernetes.io/part-of: kubezero
|
app.kubernetes.io/part-of: kubezero
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- /*
|
||||||
|
Common naming functions
|
||||||
|
*/ -}}
|
||||||
|
{{- define "kubezero-lib.name" -}}
|
||||||
|
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- define "kubezero-lib.fullname" -}}
|
||||||
|
{{- if .Values.fullnameOverride -}}
|
||||||
|
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||||
|
{{- if contains $name .Release.Name -}}
|
||||||
|
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- define "kubezero-lib.chart" -}}
|
||||||
|
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
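Review bot: `kubezero-lib.labels` now emits `app.kubernetes.io/name` via `kubezero-lib.name`, which reads `.Values.nameOverride`, so the include must be called with the root context (`.`) — the callers visible in this commit do so, but a comment above the define saying `{{- /* call with the root context, reads .Values.nameOverride */ -}}` would prevent a caller passing a sub-context and getting an empty name. Adding a label to a shared include also changes every existing resource's metadata.labels on upgrade; that is fine for metadata, but if any chart uses this include inside a `matchLabels` selector the upgrade fails on the immutable selector, so confirm that before charts consume it via the `>= 0.1.3` bumps. `kubezero-lib.fullname` has no visible caller in this commit; if it is added for future use, the header comment should say so.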
|
||||||
|
{{- end -}}
|
||||||
|
|
|
@ -2,7 +2,7 @@ apiVersion: v2
|
||||||
name: kubezero-local-volume-provisioner
|
name: kubezero-local-volume-provisioner
|
||||||
description: KubeZero Umbrella Chart for local-static-provisioner
|
description: KubeZero Umbrella Chart for local-static-provisioner
|
||||||
type: application
|
type: application
|
||||||
version: 0.0.1
|
version: 0.1.0
|
||||||
appVersion: 2.3.4
|
appVersion: 2.3.4
|
||||||
home: https://kubezero.com
|
home: https://kubezero.com
|
||||||
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
|
@ -13,6 +13,6 @@ maintainers:
|
||||||
- name: Quarky9
|
- name: Quarky9
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubezero-lib
|
- name: kubezero-lib
|
||||||
version: ">= 0.1.1"
|
version: ">= 0.1.3"
|
||||||
repository: https://zero-down-time.github.io/kubezero/
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
kubeVersion: ">= 1.16.0"
|
kubeVersion: ">= 1.16.0"
|
||||||
|
|
|
@ -4,7 +4,7 @@ KubeZero Umbrella Chart for local-static-provisioner
|
||||||
|
|
||||||
Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles.
|
Provides persistent volumes backed by local volumes, eg. additional SSDs or spindles.
|
||||||
|
|
||||||
Current chart version is `0.0.1`
|
Current chart version is `0.1.0`
|
||||||
|
|
||||||
Source code can be found [here](https://kubezero.com)
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
@ -12,7 +12,7 @@ Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
| Repository | Name | Version |
|
| Repository | Name | Version |
|
||||||
|------------|------|---------|
|
|------------|------|---------|
|
||||||
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.1 |
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
## KubeZero default configuration
|
## KubeZero default configuration
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
# Patterns to ignore when building packages.
|
||||||
|
# This supports shell glob matching, relative path matching, and
|
||||||
|
# negation (prefixed with !). Only one pattern per line.
|
||||||
|
.DS_Store
|
||||||
|
# Common VCS dirs
|
||||||
|
.git/
|
||||||
|
.gitignore
|
||||||
|
.bzr/
|
||||||
|
.bzrignore
|
||||||
|
.hg/
|
||||||
|
.hgignore
|
||||||
|
.svn/
|
||||||
|
# Common backup files
|
||||||
|
*.swp
|
||||||
|
*.bak
|
||||||
|
*.tmp
|
||||||
|
*.orig
|
||||||
|
*~
|
||||||
|
# Various IDEs
|
||||||
|
.project
|
||||||
|
.idea/
|
||||||
|
*.tmproj
|
||||||
|
.vscode/
|
|
@ -0,0 +1,30 @@
|
||||||
|
apiVersion: v2
|
||||||
|
name: kubezero-logging
|
||||||
|
description: KubeZero Umbrella Chart for complete EFK stack
|
||||||
|
type: application
|
||||||
|
version: 0.3.1
|
||||||
|
appVersion: 1.2.1
|
||||||
|
home: https://kubezero.com
|
||||||
|
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
|
||||||
|
keywords:
|
||||||
|
- kubezero
|
||||||
|
- elasticsearch
|
||||||
|
- kibana
|
||||||
|
- fluentd
|
||||||
|
- fluent-bit
|
||||||
|
maintainers:
|
||||||
|
- name: Quarky9
|
||||||
|
dependencies:
|
||||||
|
- name: kubezero-lib
|
||||||
|
version: ">= 0.1.3"
|
||||||
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
|
- name: fluentd
|
||||||
|
version: 2.5.1
|
||||||
|
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||||
|
condition: fluentd.enabled
|
||||||
|
- name: fluent-bit
|
||||||
|
version: 0.6.3
|
||||||
|
repository: https://zero-down-time.github.io/kubezero/
|
||||||
|
# repository: https://fluent.github.io/helm-charts
|
||||||
|
condition: fluent-bit.enabled
|
||||||
|
kubeVersion: ">= 1.16.0"
|
|
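Review bot: The `kubezero-lib` dependency at L8691 is declared with an open-ended range `">= 0.1.3"` while `fluentd` and `fluent-bit` are pinned exactly; an unbounded lower bound means any future release of the library chart — including a breaking or, if the repository were ever compromised, a malicious one — is pulled in at `helm dependency update` time. Prefer a bounded constraint such as `version: "~0.1.3"` (or `">= 0.1.3, < 0.2.0"`) and commit the resulting `Chart.lock` so the resolved versions are reviewable. The `fluentd` dependency is also sourced from `https://kubernetes-charts.storage.googleapis.com/`, the legacy stable repository; if that repository is retired the chart stops building, so consider vendoring it the way `fluent-bit` already is (L8723).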
@ -0,0 +1,106 @@
|
||||||
|
kubezero-logging
|
||||||
|
================
|
||||||
|
KubeZero Umbrella Chart for complete EFK stack
|
||||||
|
|
||||||
|
Current chart version is `0.3.1`
|
||||||
|
|
||||||
|
Source code can be found [here](https://kubezero.com)
|
||||||
|
|
||||||
|
## Chart Requirements
|
||||||
|
|
||||||
|
| Repository | Name | Version |
|
||||||
|
|------------|------|---------|
|
||||||
|
| https://kubernetes-charts.storage.googleapis.com/ | fluentd | 2.5.1 |
|
||||||
|
| https://zero-down-time.github.io/kubezero/ | fluent-bit | 0.6.3 |
|
||||||
|
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
|
||||||
|
|
||||||
|
## Changes from upstream
|
||||||
|
### ECK
|
||||||
|
- Operator mapped to controller nodes
|
||||||
|
|
||||||
|
### ES
|
||||||
|
|
||||||
|
- SSL disabled ( Todo: provide cluster certs and setup Kibana/Fluentd to use https incl. client certs )
|
||||||
|
|
||||||
|
- Installed Plugins:
|
||||||
|
- repository-s3
|
||||||
|
- elasticsearch-prometheus-exporter
|
||||||
|
|
||||||
|
- [Cross AZ Zone awareness](https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-advanced-node-scheduling.html#k8s-availability-zone-awareness) is implemented via nodeSets
|
||||||
|
|
||||||
|
### Kibana
|
||||||
|
|
||||||
|
- increased timeout to ES to 3 minutes
|
||||||
|
|
||||||
|
|
||||||
|
## Manual tasks ATM
|
||||||
|
|
||||||
|
- Install index template
|
||||||
|
- setup Kibana
|
||||||
|
- create `logstash-*` Index Pattern
|
||||||
|
|
||||||
|
|
||||||
|
## Chart Values
|
||||||
|
|
||||||
|
| Key | Type | Default | Description |
|
||||||
|
|-----|------|---------|-------------|
|
||||||
|
| elastic_password | string | `""` | |
|
||||||
|
| es.nodeSets | list | `[]` | |
|
||||||
|
| es.prometheus | bool | `false` | |
|
||||||
|
| es.s3Snapshot.enabled | bool | `false` | |
|
||||||
|
| es.s3Snapshot.iamrole | string | `""` | |
|
||||||
|
| fluent-bit.config.customParsers | string | `"[PARSER]\n # http://rubular.com/r/tjUt3Awgg4\n Name cri\n Format regex\n Regex ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]*) (?<log>.*)$\n Time_Key time\n Time_Format %Y-%m-%dT%H:%M:%S.%L%z\n # Decode_Field_As json log\n"` | |
|
||||||
|
| fluent-bit.config.filters | string | `"[FILTER]\n Name kubernetes\n Match kube.*\n Merge_Log On\n Keep_Log Off\n K8S-Logging.Parser On\n K8S-Logging.Exclude On\n\n[FILTER]\n Name lua\n Match kube.*\n script /fluent-bit/etc/functions.lua\n call dedot\n"` | |
|
||||||
|
| fluent-bit.config.inputs | string | `"[INPUT]\n Name tail\n Path /var/log/containers/*.log\n Parser cri\n Tag kube.*\n Mem_Buf_Limit 5MB\n Skip_Long_Lines On\n Refresh_Interval 10\n DB /var/log/flb_kube.db\n DB.Sync Normal\n"` | |
|
||||||
|
| fluent-bit.config.lua | string | `"function dedot(tag, timestamp, record)\n if record[\"kubernetes\"] == nil then\n return 0, 0, 0\n end\n dedot_keys(record[\"kubernetes\"][\"annotations\"])\n dedot_keys(record[\"kubernetes\"][\"labels\"])\n return 1, timestamp, record\nend\n\nfunction dedot_keys(map)\n if map == nil then\n return\n end\n local new_map = {}\n local changed_keys = {}\n for k, v in pairs(map) do\n local dedotted = string.gsub(k, \"%.\", \"_\")\n if dedotted ~= k then\n new_map[dedotted] = v\n changed_keys[k] = true\n end\n end\n for k in pairs(changed_keys) do\n map[k] = nil\n end\n for k, v in pairs(new_map) do\n map[k] = v\n end\nend\n"` | |
|
||||||
|
| fluent-bit.config.outputs | string | `"[OUTPUT]\n Match *\n Name forward\n Host fluentd\n Port 24224\n tls on\n tls.verify off\n Shared_Key cloudbender\n"` | |
|
||||||
|
| fluent-bit.config.service | string | `"[SERVICE]\n Flush 5\n Daemon Off\n Log_Level warn\n Parsers_File parsers.conf\n Parsers_File custom_parsers.conf\n HTTP_Server On\n HTTP_Listen 0.0.0.0\n HTTP_Port 2020\n"` | |
|
||||||
|
| fluent-bit.enabled | bool | `true` | |
|
||||||
|
| fluent-bit.serviceMonitor.enabled | bool | `true` | |
|
||||||
|
| fluent-bit.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||||
|
| fluent-bit.serviceMonitor.selector.release | string | `"metrics"` | |
|
||||||
|
| fluent-bit.test.enabled | bool | `false` | |
|
||||||
|
| fluent-bit.tolerations[0].effect | string | `"NoSchedule"` | |
|
||||||
|
| fluent-bit.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
|
||||||
|
| fluentd.configMaps."forward-input.conf" | string | `"<source>\n @type forward\n port 24224\n bind 0.0.0.0\n skip_invalid_event true\n <transport tls>\n cert_path /mnt/fluentd-certs/tls.crt\n private_key_path /mnt/fluentd-certs/tls.key\n </transport>\n <security>\n self_hostname \"#{ENV['HOSTNAME']}\"\n shared_key \"#{ENV['FLUENTD_SHARED_KEY']}\"\n </security>\n</source>\n"` | |
|
||||||
|
| fluentd.configMaps."output.conf" | string | `"<match **>\n @id elasticsearch\n @type elasticsearch\n @log_level info\n include_tag_key true\n id_key id\n remove_keys id\n\n # KubeZero pipeline incl. GeoIP etc.\n pipeline fluentd\n\n host \"#{ENV['OUTPUT_HOST']}\"\n port \"#{ENV['OUTPUT_PORT']}\"\n scheme \"#{ENV['OUTPUT_SCHEME']}\"\n ssl_version \"#{ENV['OUTPUT_SSL_VERSION']}\"\n ssl_verify \"#{ENV['OUTPUT_SSL_VERIFY']}\"\n user \"#{ENV['OUTPUT_USER']}\"\n password \"#{ENV['OUTPUT_PASSWORD']}\"\n\n logstash_format true\n reload_connections false\n reconnect_on_error true\n reload_on_failure true\n request_timeout 15s\n\n <buffer>\n @type file\n path /var/log/fluentd-buffers/kubernetes.system.buffer\n flush_mode interval\n flush_thread_count 2\n flush_interval 5s\n flush_at_shutdown true\n retry_type exponential_backoff\n retry_timeout 60m\n retry_max_interval 30\n chunk_limit_size \"#{ENV['OUTPUT_BUFFER_CHUNK_LIMIT']}\"\n queue_limit_length \"#{ENV['OUTPUT_BUFFER_QUEUE_LIMIT']}\"\n overflow_action drop_oldest_chunk\n </buffer>\n</match>\n"` | |
|
||||||
|
| fluentd.enabled | bool | `false` | |
|
||||||
|
| fluentd.env.OUTPUT_SSL_VERIFY | string | `"false"` | |
|
||||||
|
| fluentd.env.OUTPUT_USER | string | `"elastic"` | |
|
||||||
|
| fluentd.extraEnvVars[0].name | string | `"OUTPUT_PASSWORD"` | |
|
||||||
|
| fluentd.extraEnvVars[0].valueFrom.secretKeyRef.key | string | `"elastic"` | |
|
||||||
|
| fluentd.extraEnvVars[0].valueFrom.secretKeyRef.name | string | `"logging-es-elastic-user"` | |
|
||||||
|
| fluentd.extraEnvVars[1].name | string | `"FLUENTD_SHARED_KEY"` | |
|
||||||
|
| fluentd.extraEnvVars[1].valueFrom.secretKeyRef.key | string | `"shared_key"` | |
|
||||||
|
| fluentd.extraEnvVars[1].valueFrom.secretKeyRef.name | string | `"logging-fluentd-secret"` | |
|
||||||
|
| fluentd.extraVolumeMounts[0].mountPath | string | `"/mnt/fluentd-certs"` | |
|
||||||
|
| fluentd.extraVolumeMounts[0].name | string | `"fluentd-certs"` | |
|
||||||
|
| fluentd.extraVolumeMounts[0].readOnly | bool | `true` | |
|
||||||
|
| fluentd.extraVolumes[0].name | string | `"fluentd-certs"` | |
|
||||||
|
| fluentd.extraVolumes[0].secret.secretName | string | `"fluentd-certificate"` | |
|
||||||
|
| fluentd.istio.enabled | bool | `false` | |
|
||||||
|
| fluentd.metrics.enabled | bool | `false` | |
|
||||||
|
| fluentd.metrics.serviceMonitor.additionalLabels.release | string | `"metrics"` | |
|
||||||
|
| fluentd.metrics.serviceMonitor.enabled | bool | `true` | |
|
||||||
|
| fluentd.metrics.serviceMonitor.namespace | string | `"monitoring"` | |
|
||||||
|
| fluentd.output.host | string | `"logging-es-http"` | |
|
||||||
|
| fluentd.plugins.enabled | bool | `false` | |
|
||||||
|
| fluentd.plugins.pluginsList | string | `nil` | |
|
||||||
|
| fluentd.replicaCount | int | `2` | |
|
||||||
|
| fluentd.service.ports[0].containerPort | int | `24224` | |
|
||||||
|
| fluentd.service.ports[0].name | string | `"tcp-forward"` | |
|
||||||
|
| fluentd.service.ports[0].protocol | string | `"TCP"` | |
|
||||||
|
| fluentd.service.ports[1].containerPort | int | `9880` | |
|
||||||
|
| fluentd.service.ports[1].name | string | `"http-fluentd"` | |
|
||||||
|
| fluentd.service.ports[1].protocol | string | `"TCP"` | |
|
||||||
|
| fluentd.shared_key | string | `"cloudbender"` | |
|
||||||
|
| kibana.count | int | `1` | |
|
||||||
|
| kibana.istio.enabled | bool | `false` | |
|
||||||
|
| kibana.istio.gateway | string | `"istio-system/ingressgateway"` | |
|
||||||
|
| kibana.istio.url | string | `""` | |
|
||||||
|
| version | string | `"7.8.1"` | |
|
||||||
|
|
||||||
|
## Resources:
|
||||||
|
|
||||||
|
- https://www.elastic.co/downloads/elastic-cloud-kubernetes
|
||||||
|
- https://github.com/elastic/cloud-on-k8s
|
|
@ -0,0 +1,41 @@
|
||||||
|
{{ template "chart.header" . }}
|
||||||
|
{{ template "chart.description" . }}
|
||||||
|
|
||||||
|
{{ template "chart.versionLine" . }}
|
||||||
|
|
||||||
|
{{ template "chart.sourceLinkLine" . }}
|
||||||
|
|
||||||
|
{{ template "chart.requirementsSection" . }}
|
||||||
|
|
||||||
|
## Changes from upstream
|
||||||
|
### ECK
|
||||||
|
- Operator mapped to controller nodes
|
||||||
|
|
||||||
|
### ES
|
||||||
|
|
||||||
|
- SSL disabled ( Todo: provide cluster certs and setup Kibana/Fluentd to use https incl. client certs )
|
||||||
|
|
||||||
|
- Installed Plugins:
|
||||||
|
- repository-s3
|
||||||
|
- elasticsearch-prometheus-exporter
|
||||||
|
|
||||||
|
- [Cross AZ Zone awareness](https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-advanced-node-scheduling.html#k8s-availability-zone-awareness) is implemented via nodeSets
|
||||||
|
|
||||||
|
### Kibana
|
||||||
|
|
||||||
|
- increased timeout to ES to 3 minutes
|
||||||
|
|
||||||
|
|
||||||
|
## Manual tasks ATM
|
||||||
|
|
||||||
|
- Install index template
|
||||||
|
- setup Kibana
|
||||||
|
- create `logstash-*` Index Pattern
|
||||||
|
|
||||||
|
|
||||||
|
{{ template "chart.valuesSection" . }}
|
||||||
|
|
||||||
|
## Resources:
|
||||||
|
|
||||||
|
- https://www.elastic.co/downloads/elastic-cloud-kubernetes
|
||||||
|
- https://github.com/elastic/cloud-on-k8s
|
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# We only need to delete the service monitor and virtual service, others will be taken over by the new chart and we dont loose data
|
||||||
|
kubectl delete -n logging VirtualService kibana-logging
|
||||||
|
kubectl delete -n logging ServiceMonitor es-logging
|
|
@ -0,0 +1,6 @@
|
||||||
|
resources:
|
||||||
|
- all-in-one.yaml
|
||||||
|
|
||||||
|
# map operator to controller nodes
|
||||||
|
patchesStrategicMerge:
|
||||||
|
- map-operator.yaml
|
|
@ -0,0 +1,14 @@
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: StatefulSet
|
||||||
|
metadata:
|
||||||
|
name: elastic-operator
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
nodeSelector:
|
||||||
|
node-role.kubernetes.io/master: ""
|
||||||
|
tolerations:
|
||||||
|
- key: CriticalAddonsOnly
|
||||||
|
operator: Exists
|
||||||
|
- key: node-role.kubernetes.io/master
|
||||||
|
effect: NoSchedule
|
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
ECK_VERSION=1.2.1
|
||||||
|
|
||||||
|
curl -o all-in-one.yaml https://download.elastic.co/downloads/eck/${ECK_VERSION}/all-in-one.yaml
|
||||||
|
|
||||||
|
kubectl kustomize . > ../templates/eck-operator.yaml
|
|
@ -0,0 +1,91 @@
|
||||||
|
{{- if .Values.es.nodeSets }}
|
||||||
|
apiVersion: elasticsearch.k8s.elastic.co/v1
|
||||||
|
kind: Elasticsearch
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kubezero-lib.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
version: {{ .Values.version }}
|
||||||
|
nodeSets:
|
||||||
|
{{- range .Values.es.nodeSets }}
|
||||||
|
- name: {{ .name }}
|
||||||
|
config:
|
||||||
|
node.master: true
|
||||||
|
node.data: true
|
||||||
|
node.ingest: true
|
||||||
|
node.ml: false
|
||||||
|
{{- if $.Values.es.prometheus }}
|
||||||
|
prometheus.indices: false
|
||||||
|
{{- end }}
|
||||||
|
{{- if .zone }}
|
||||||
|
node.attr.zone: {{ .zone }}
|
||||||
|
cluster.routing.allocation.awareness.attributes: zone
|
||||||
|
{{- end }}
|
||||||
|
podTemplate:
|
||||||
|
{{- if $.Values.es.s3Snapshot.iamrole }}
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
iam.amazonaws.com/role: {{ $.Values.es.s3Snapshot.iamrole }}
|
||||||
|
{{- end }}
|
||||||
|
spec:
|
||||||
|
{{- if or $.Values.es.prometheus $.Values.es.s3Snapshot.enabled }}
|
||||||
|
initContainers:
|
||||||
|
- name: install-plugins
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
{{- if $.Values.es.s3Snapshot.enabled }}
|
||||||
|
bin/elasticsearch-plugin install --batch repository-s3;
|
||||||
|
{{- end }}
|
||||||
|
{{- if $.Values.es.prometheus }}
|
||||||
|
bin/elasticsearch-plugin install --batch https://github.com/vvanholl/elasticsearch-prometheus-exporter/releases/download/{{ $.Values.version }}.0/prometheus-exporter-{{ $.Values.version }}.0.zip;
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
containers:
|
||||||
|
- name: elasticsearch
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 2500Mi
|
||||||
|
limits:
|
||||||
|
memory: 4Gi
|
||||||
|
env:
|
||||||
|
- name: ES_JAVA_OPTS
|
||||||
|
value: "-Xms2g -Xmx2g"
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
elasticsearch.k8s.elastic.co/cluster-name: {{ template "kubezero-lib.fullname" $ }}
|
||||||
|
topologyKey: kubernetes.io/hostname
|
||||||
|
{{- if .zone }}
|
||||||
|
nodeAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
nodeSelectorTerms:
|
||||||
|
- matchExpressions:
|
||||||
|
- key: failure-domain.beta.kubernetes.io/zone
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- {{ .zone }}
|
||||||
|
{{- end }}
|
||||||
|
count: {{ .count }}
|
||||||
|
volumeClaimTemplates:
|
||||||
|
- metadata:
|
||||||
|
name: elasticsearch-data
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: {{ .storage.size }}
|
||||||
|
storageClassName: {{ .storage.class }}
|
||||||
|
{{- end }}
|
||||||
|
http:
|
||||||
|
tls:
|
||||||
|
selfSignedCertificate:
|
||||||
|
disabled: true
|
||||||
|
{{- end }}
|
|
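Review bot: The `install-plugins` init container (L9575–L9611) downloads the prometheus exporter zip from GitHub on every pod start and installs it with `--batch`, which auto-accepts whatever Java security-policy permissions the plugin requests, and nothing verifies the archive's checksum — as far as I can tell `elasticsearch-plugin install <url>` does not checksum non-official plugins — so the integrity of code running inside the Elasticsearch JVM rests entirely on that release asset never changing. Pin and verify the artifact (download with `curl -fsSL`, compare against a committed sha512, then `bin/elasticsearch-plugin install --batch file:///tmp/prometheus-exporter.zip`) or bake both plugins into a custom image so pods do not depend on a network fetch at start. Separately, `selfSignedCertificate.disabled: true` (L9795) makes the ES HTTP endpoint plaintext, so the `elastic` basic-auth credentials used by fluentd, Kibana and the ServiceMonitor cross the cluster network unencrypted unless a mesh encrypts that hop; the README calls this a TODO, so at minimum add a comment here, `# TODO: TLS disabled — credentials travel in clear in-cluster`, pointing at it.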
@ -0,0 +1,18 @@
|
||||||
|
{{- if .Values.kibana.istio.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: VirtualService
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kubezero-lib.fullname" . }}-kibana
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
hosts:
|
||||||
|
- {{ .Values.kibana.istio.url }}
|
||||||
|
gateways:
|
||||||
|
- {{ default "istio-system/ingressgateway" .Values.kibana.istio.gateway }}
|
||||||
|
http:
|
||||||
|
- route:
|
||||||
|
- destination:
|
||||||
|
host: {{ template "kubezero-lib.fullname" . }}-kb-http
|
||||||
|
{{- end }}
|
|
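Review bot: The templated scalars at L9846 and L9854 are unquoted; `kibana.istio.url` defaults to `""` (values.yaml), so enabling istio without setting it renders `hosts: - ` — a null entry Istio rejects — rather than a clear error. Render it as `- {{ required "kibana.istio.url must be set when kibana.istio.enabled" .Values.kibana.istio.url | quote }}` and quote the gateway line the same way. The VirtualService is also gated only on `kibana.istio.enabled`, while Kibana itself (kibana.yaml) is created only when `es.nodeSets` is non-empty, so the two conditions can diverge and leave a route to a non-existent `-kb-http` service; wrap this template in the same `{{- if .Values.es.nodeSets }}` guard.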
@ -0,0 +1,36 @@
|
||||||
|
{{- if .Values.es.nodeSets }}
|
||||||
|
# Only deploy Kibana if we have local ES cluster
|
||||||
|
apiVersion: kibana.k8s.elastic.co/v1
|
||||||
|
kind: Kibana
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kubezero-lib.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
version: {{ .Values.version }}
|
||||||
|
count: {{ .Values.kibana.count }}
|
||||||
|
elasticsearchRef:
|
||||||
|
name: {{ template "kubezero-lib.fullname" . }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
config:
|
||||||
|
elasticsearch.requestTimeout: 180000
|
||||||
|
elasticsearch.shardTimeout: 180000
|
||||||
|
#xpack.monitoring.enabled: false
|
||||||
|
#xpack.monitoring.ui.enabled: false
|
||||||
|
#xpack.ml.enabled: false
|
||||||
|
podTemplate:
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: kibana
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 1Gi
|
||||||
|
cpu: 100m
|
||||||
|
limits:
|
||||||
|
memory: 2Gi
|
||||||
|
http:
|
||||||
|
tls:
|
||||||
|
selfSignedCertificate:
|
||||||
|
disabled: true
|
||||||
|
{{- end }}
|
|
@ -0,0 +1,16 @@
|
||||||
|
{{- if .Values.es.nodeSets }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
type: Opaque
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
common.k8s.elastic.co/type: elasticsearch
|
||||||
|
elasticsearch.k8s.elastic.co/cluster-name: {{ template "kubezero-lib.fullname" $ }}
|
||||||
|
name: {{ template "kubezero-lib.fullname" $ }}-es-elastic-user
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
data:
|
||||||
|
username: {{ "elastic" | b64enc | quote }}
|
||||||
|
elastic: {{ .Values.elastic_password | b64enc | quote }}
|
||||||
|
{{- end }}
|
|
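Review bot: `metadata` declares `labels` twice (L10048 and L10068); YAML parsers silently keep the last mapping, so the ECK selector labels `common.k8s.elastic.co/type` and `elasticsearch.k8s.elastic.co/cluster-name` are dropped from the rendered Secret and only the kubezero-lib labels survive — precisely the labels that mark this as the cluster's elastic-user secret. Merge them into one block: keep the first `labels:`, leave the two ECK labels under it, and move `{{ include "kubezero-lib.labels" . | indent 4 }}` directly beneath them, deleting the second `labels:` key. The password is also taken straight from `.Values.elastic_password`, whose default is `""`, so an unset value renders a Secret with an empty superuser password; use `elastic: {{ required "elastic_password must be set" .Values.elastic_password | b64enc | quote }}` and keep the real value out of committed values files (whether ECK honours a pre-created secret is worth confirming for the operator version in use).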
@ -0,0 +1,28 @@
|
||||||
|
{{- if .Values.es.prometheus }}
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: ServiceMonitor
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kubezero-lib.fullname" . }}-es
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
release: metrics
|
||||||
|
spec:
|
||||||
|
endpoints:
|
||||||
|
- basicAuth:
|
||||||
|
username:
|
||||||
|
name: {{ template "kubezero-lib.fullname" $ }}-es-elastic-user
|
||||||
|
key: username
|
||||||
|
password:
|
||||||
|
name: {{ template "kubezero-lib.fullname" $ }}-es-elastic-user
|
||||||
|
key: elastic
|
||||||
|
port: http
|
||||||
|
path: /_prometheus/metrics
|
||||||
|
selector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: elasticsearch.k8s.elastic.co/statefulset-name
|
||||||
|
operator: DoesNotExist
|
||||||
|
matchLabels:
|
||||||
|
common.k8s.elastic.co/type: elasticsearch
|
||||||
|
elasticsearch.k8s.elastic.co/cluster-name: {{ template "kubezero-lib.fullname" $ }}
|
||||||
|
{{- end }}
|
|
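Review bot: The scrape endpoint authenticates with the `elastic` superuser (`key: elastic` from the `-es-elastic-user` secret, L10139–L10163), so Prometheus holds full-admin credentials for what is a read of `/_prometheus/metrics`, and because `port: http` is plaintext with TLS disabled in es.yaml those credentials cross the network as cleartext basic auth on every scrape. Create a dedicated role limited to the monitoring endpoint (via the ECK file realm or the security API), store that user's credentials in a separate Secret, and point `basicAuth` at it so the monitoring stack never holds the superuser password. Until TLS is re-enabled, a comment such as `# NOTE: scrape is plaintext basic auth — see es.yaml selfSignedCertificate.disabled` would at least make the exposure visible to the next maintainer.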
@ -0,0 +1,16 @@
|
||||||
|
{{- if .Values.fluentd.enabled }}
|
||||||
|
apiVersion: cert-manager.io/v1alpha2
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: fluentd-ingress-cert
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
secretName: fluentd-certificate
|
||||||
|
issuerRef:
|
||||||
|
name: letsencrypt-dns-prod
|
||||||
|
kind: ClusterIssuer
|
||||||
|
dnsNames:
|
||||||
|
- "{{ .Values.fluentd.url }}"
|
||||||
|
{{- end }}
|
|
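Review bot: `dnsNames` is fed from `.Values.fluentd.url` (L10266), which has no default in values.yaml, while the template is gated only on `fluentd.enabled`; enabling fluentd without a URL renders `dnsNames: - ""`, which cert-manager rejects (or leaves the Certificate stuck, depending on version). Guard it with `- {{ required "fluentd.url is required when fluentd is enabled" .Values.fluentd.url | quote }}`. Note also that a production Let's Encrypt certificate is requested even when `fluentd.istio.enabled` is false and the forwarder is never exposed, so the internal hostname ends up in public CT logs; consider gating the resource on the istio flag or documenting why the in-cluster listener needs a public cert.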
@ -0,0 +1,28 @@
|
||||||
|
{{- if .Values.fluentd.istio.enabled }}
|
||||||
|
apiVersion: networking.istio.io/v1alpha3
|
||||||
|
kind: VirtualService
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kubezero-lib.fullname" $ }}-fluentd
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
spec:
|
||||||
|
gateways:
|
||||||
|
- {{ .Values.fluentd.istio.gateway }}
|
||||||
|
hosts:
|
||||||
|
- {{ .Values.fluentd.url }}
|
||||||
|
tcp:
|
||||||
|
- match:
|
||||||
|
- port: 24224
|
||||||
|
route:
|
||||||
|
- destination:
|
||||||
|
host: {{ template "kubezero-lib.fullname" $ }}-fluentd
|
||||||
|
port:
|
||||||
|
number: 24224
|
||||||
|
http:
|
||||||
|
- route:
|
||||||
|
- destination:
|
||||||
|
host: {{ template "kubezero-lib.fullname" $ }}-fluentd
|
||||||
|
port:
|
||||||
|
number: 9880
|
||||||
|
{{- end }}
|
|
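Review bot: This exposes the fluentd `forward` listener (TCP 24224, L10337–L10357) through the Istio gateway, where its only authentication is the `shared_key` — whose chart default is the published string `cloudbender` (values.yaml) — and the `<transport tls>` block in `forward-input.conf` does not request client certificates; anything that reaches the gateway and knows the default key can inject arbitrary events into the cluster's Elasticsearch. Before exposing it, require a non-default key (a `required` check in the secret template) and consider `client_cert_auth true` with a `ca_path` in the `<transport tls>` block so only enrolled forwarders can connect. The `http` route to port 9880 (L10365–L10381) forwards whatever listens there with no auth policy at all; what that is depends on the upstream chart's default config (not visible here), so confirm it is not the `in_http` input or monitor agent before routing it through a gateway.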
@ -0,0 +1,12 @@
|
||||||
|
{{- if .Values.fluentd.enabled }}
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
type: Opaque
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kubezero-lib.fullname" $ }}-fluentd-secret
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
labels:
|
||||||
|
{{ include "kubezero-lib.labels" . | indent 4 }}
|
||||||
|
data:
|
||||||
|
shared_key: {{ .Values.fluentd.shared_key | b64enc | quote }}
|
||||||
|
{{- end }}
|
|
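Review bot: The shared key is base64-encoded into this Secret with no check on its value (L10432), and its chart default is the literal `cloudbender` in values.yaml, so every install that does not override it authenticates forwarders with a key that is public in the chart source; base64 is not encryption, and the same value is duplicated in plaintext in the fluent-bit `[OUTPUT]` config. Use `shared_key: {{ required "fluentd.shared_key must be set to a non-default value" .Values.fluentd.shared_key | b64enc | quote }}` with an empty default in values.yaml, and add `# Must match fluent-bit's Shared_Key on every forwarder` above it so the two settings are changed together.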
@ -0,0 +1,34 @@
|
||||||
|
# Default values for zdt-logging.
|
||||||
|
# This is a YAML-formatted file.
|
||||||
|
# Declare variables to be passed into your templates.
|
||||||
|
|
||||||
|
# This is for backwards compatibility with older zdt-logging setup
|
||||||
|
fullnameOverride: logging
|
||||||
|
|
||||||
|
# Version for ElasticSearch and Kibana have to match so we define it at top-level
|
||||||
|
version: 7.6.0
|
||||||
|
|
||||||
|
elastic_password: "dsfsfs" # super_secret_elastic_password
|
||||||
|
|
||||||
|
es:
|
||||||
|
nodeSets:
|
||||||
|
- name: default-zone-0
|
||||||
|
count: 2
|
||||||
|
storage:
|
||||||
|
size: 512Gi
|
||||||
|
class: ebs-sc-gp2-xfs
|
||||||
|
zone: us-west-2a
|
||||||
|
s3Snapshot:
|
||||||
|
enabled: true
|
||||||
|
iamrole: "dfsf" # INSERT_CLOUDFORMATION_OUTPUT_ElasticSearchSnapshots
|
||||||
|
|
||||||
|
prometheus: true
|
||||||
|
|
||||||
|
kibana:
|
||||||
|
istio:
|
||||||
|
enabled: true
|
||||||
|
url: kibana.example.com
|
||||||
|
gateway: istio-system/private-ingressgateway
|
||||||
|
|
||||||
|
fluentd:
|
||||||
|
enabled: true
|
|
@ -0,0 +1,8 @@
|
||||||
|
fluent-bit:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
metrics:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
url: fluentd.example.com
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
fluentd:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
metrics:
|
||||||
|
enabled: true
|
||||||
|
|
||||||
|
url: fluentd.example.com
|
||||||
|
istio:
|
||||||
|
enabled: true
|
||||||
|
gateway: istio-system/private-ingressgateway
|
||||||
|
|
|
@ -0,0 +1,292 @@
|
||||||
|
# use this for backwards compatability
|
||||||
|
# fullnameOverride: ""
|
||||||
|
|
||||||
|
# Version for ElasticSearch and Kibana have to match so we define it at top-level
|
||||||
|
version: 7.8.1
|
||||||
|
|
||||||
|
elastic_password: "" # super_secret_elastic_password
|
||||||
|
|
||||||
|
es:
|
||||||
|
nodeSets: []
|
||||||
|
#- count: 2
|
||||||
|
# storage:
|
||||||
|
# size: 16Gi
|
||||||
|
# class: local-sc-xfs
|
||||||
|
# zone: us-west-2a
|
||||||
|
s3Snapshot:
|
||||||
|
enabled: false
|
||||||
|
iamrole: "" # INSERT_CLOUDFORMATION_OUTPUT_ElasticSearchSnapshots
|
||||||
|
|
||||||
|
prometheus: false
|
||||||
|
|
||||||
|
kibana:
|
||||||
|
count: 1
|
||||||
|
#servicename: kibana.example.com
|
||||||
|
istio:
|
||||||
|
enabled: false
|
||||||
|
gateway: "istio-system/ingressgateway"
|
||||||
|
url: "" # kibana.example.com
|
||||||
|
|
||||||
|
fluentd:
|
||||||
|
enabled: false
|
||||||
|
image:
|
||||||
|
repository: quay.io/fluentd_elasticsearch/fluentd
|
||||||
|
tag: v2.9.0
|
||||||
|
istio:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
# broken as of 2.5.1 ;-(
|
||||||
|
# useStatefulSet: true
|
||||||
|
replicaCount: 2
|
||||||
|
|
||||||
|
plugins:
|
||||||
|
enabled: false
|
||||||
|
pluginsList:
|
||||||
|
#- fluent-plugin-detect-exceptions
|
||||||
|
#- fluent-plugin-s3
|
||||||
|
#- fluent-plugin-grok-parser
|
||||||
|
|
||||||
|
#persistence:
|
||||||
|
# enabled: true
|
||||||
|
# storageClass: "ebs-sc-gp2-xfs"
|
||||||
|
# accessMode: ReadWriteOnce
|
||||||
|
# size: 4Gi
|
||||||
|
|
||||||
|
service:
|
||||||
|
ports:
|
||||||
|
- name: tcp-forward
|
||||||
|
protocol: TCP
|
||||||
|
containerPort: 24224
|
||||||
|
- name: http-fluentd
|
||||||
|
protocol: TCP
|
||||||
|
containerPort: 9880
|
||||||
|
|
||||||
|
metrics:
|
||||||
|
enabled: false
|
||||||
|
serviceMonitor:
|
||||||
|
enabled: true
|
||||||
|
additionalLabels:
|
||||||
|
release: metrics
|
||||||
|
namespace: monitoring
|
||||||
|
|
||||||
|
output:
|
||||||
|
host: logging-es-http
|
||||||
|
|
||||||
|
shared_key: "cloudbender"
|
||||||
|
|
||||||
|
env:
|
||||||
|
OUTPUT_USER: elastic
|
||||||
|
OUTPUT_SSL_VERIFY: "false"
|
||||||
|
|
||||||
|
extraEnvVars:
|
||||||
|
- name: OUTPUT_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: logging-es-elastic-user
|
||||||
|
key: elastic
|
||||||
|
- name: FLUENTD_SHARED_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: logging-fluentd-secret
|
||||||
|
key: shared_key
|
||||||
|
|
||||||
|
extraVolumes:
|
||||||
|
- name: fluentd-certs
|
||||||
|
secret:
|
||||||
|
secretName: fluentd-certificate
|
||||||
|
extraVolumeMounts:
|
||||||
|
- name: fluentd-certs
|
||||||
|
mountPath: /mnt/fluentd-certs
|
||||||
|
readOnly: true
|
||||||
|
|
||||||
|
configMaps:
|
||||||
|
forward-input.conf: |
|
||||||
|
<source>
|
||||||
|
@type forward
|
||||||
|
port 24224
|
||||||
|
bind 0.0.0.0
|
||||||
|
skip_invalid_event true
|
||||||
|
<transport tls>
|
||||||
|
cert_path /mnt/fluentd-certs/tls.crt
|
||||||
|
private_key_path /mnt/fluentd-certs/tls.key
|
||||||
|
</transport>
|
||||||
|
<security>
|
||||||
|
self_hostname "#{ENV['HOSTNAME']}"
|
||||||
|
shared_key "#{ENV['FLUENTD_SHARED_KEY']}"
|
||||||
|
</security>
|
||||||
|
</source>
|
||||||
|
|
||||||
|
output.conf: |
|
||||||
|
<match **>
|
||||||
|
@id elasticsearch
|
||||||
|
@type elasticsearch
|
||||||
|
@log_level info
|
||||||
|
include_tag_key true
|
||||||
|
id_key id
|
||||||
|
remove_keys id
|
||||||
|
|
||||||
|
# KubeZero pipeline incl. GeoIP etc.
|
||||||
|
pipeline fluentd
|
||||||
|
|
||||||
|
host "#{ENV['OUTPUT_HOST']}"
|
||||||
|
port "#{ENV['OUTPUT_PORT']}"
|
||||||
|
scheme "#{ENV['OUTPUT_SCHEME']}"
|
||||||
|
ssl_version "#{ENV['OUTPUT_SSL_VERSION']}"
|
||||||
|
ssl_verify "#{ENV['OUTPUT_SSL_VERIFY']}"
|
||||||
|
user "#{ENV['OUTPUT_USER']}"
|
||||||
|
password "#{ENV['OUTPUT_PASSWORD']}"
|
||||||
|
|
||||||
|
logstash_format true
|
||||||
|
reload_connections false
|
||||||
|
reconnect_on_error true
|
||||||
|
reload_on_failure true
|
||||||
|
request_timeout 30s
|
||||||
|
suppress_type_name true
|
||||||
|
|
||||||
|
<buffer>
|
||||||
|
@type file
|
||||||
|
path /var/log/fluentd-buffers/kubernetes.system.buffer
|
||||||
|
flush_mode interval
|
||||||
|
flush_thread_count 2
|
||||||
|
flush_interval 5s
|
||||||
|
flush_at_shutdown true
|
||||||
|
retry_type exponential_backoff
|
||||||
|
retry_timeout 60m
|
||||||
|
retry_max_interval 30
|
||||||
|
chunk_limit_size "#{ENV['OUTPUT_BUFFER_CHUNK_LIMIT']}"
|
||||||
|
queue_limit_length "#{ENV['OUTPUT_BUFFER_QUEUE_LIMIT']}"
|
||||||
|
overflow_action drop_oldest_chunk
|
||||||
|
</buffer>
|
||||||
|
</match>
|
||||||
|
|
||||||
|
# filter.conf: |
|
||||||
|
# <filter auth system.auth>
|
||||||
|
# @type parser
|
||||||
|
# key_name message
|
||||||
|
# reserve_data true
|
||||||
|
# reserve_time true
|
||||||
|
# <parse>
|
||||||
|
# @type grok
|
||||||
|
#
|
||||||
|
# # SSH
|
||||||
|
# <grok>
|
||||||
|
# pattern %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?
|
||||||
|
# </grok>
|
||||||
|
# <grok>
|
||||||
|
# pattern %{DATA:system.auth.ssh.event} user %{DATA:system.auth.user} from %{IPORHOST:system.auth.ip}
|
||||||
|
# </grok>
|
||||||
|
#
|
||||||
|
# # sudo
|
||||||
|
# <grok>
|
||||||
|
# pattern \s*%{DATA:system.auth.user} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}
|
||||||
|
# </grok>
|
||||||
|
#
|
||||||
|
# # Users
|
||||||
|
# <grok>
|
||||||
|
# pattern new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}
|
||||||
|
# </grok>
|
||||||
|
# <grok>
|
||||||
|
# pattern new user: name=%{DATA:system.auth.useradd.name}, UID=%{NUMBER:system.auth.useradd.uid}, GID=%{NUMBER:system.auth.useradd.gid}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$
|
||||||
|
# </grok>
|
||||||
|
#
|
||||||
|
# <grok>
|
||||||
|
# pattern %{GREEDYDATA:message}
|
||||||
|
# </grok>
|
||||||
|
# </parse>
|
||||||
|
# </filter>
|
||||||
|
|
||||||
|
|
||||||
|
fluent-bit:
|
||||||
|
enabled: false
|
||||||
|
test:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
config:
|
||||||
|
outputs: |
|
||||||
|
[OUTPUT]
|
||||||
|
Match *
|
||||||
|
Name forward
|
||||||
|
Host logging-fluentd
|
||||||
|
Port 24224
|
||||||
|
tls on
|
||||||
|
tls.verify off
|
||||||
|
Shared_Key cloudbender
|
||||||
|
|
||||||
|
inputs: |
|
||||||
|
[INPUT]
|
||||||
|
Name tail
|
||||||
|
Path /var/log/containers/*.log
|
||||||
|
Parser cri
|
||||||
|
Tag kube.*
|
||||||
|
Mem_Buf_Limit 5MB
|
||||||
|
Skip_Long_Lines On
|
||||||
|
Refresh_Interval 10
|
||||||
|
DB /var/log/flb_kube.db
|
||||||
|
DB.Sync Normal
|
||||||
|
|
||||||
|
filters: |
|
||||||
|
[FILTER]
|
||||||
|
Name kubernetes
|
||||||
|
Match kube.*
|
||||||
|
Merge_Log On
|
||||||
|
Keep_Log Off
|
||||||
|
K8S-Logging.Parser On
|
||||||
|
K8S-Logging.Exclude On
|
||||||
|
|
||||||
|
[FILTER]
|
||||||
|
Name lua
|
||||||
|
Match kube.*
|
||||||
|
script /fluent-bit/etc/functions.lua
|
||||||
|
call dedot
|
||||||
|
|
||||||
|
service: |
|
||||||
|
[SERVICE]
|
||||||
|
Flush 5
|
||||||
|
Daemon Off
|
||||||
|
Log_Level warn
|
||||||
|
Parsers_File parsers.conf
|
||||||
|
Parsers_File custom_parsers.conf
|
||||||
|
HTTP_Server On
|
||||||
|
HTTP_Listen 0.0.0.0
|
||||||
|
HTTP_Port 2020
|
||||||
|
|
||||||
|
lua: |
|
||||||
|
function dedot(tag, timestamp, record)
if record["kubernetes"] == nil then
return 0, 0, 0
end
dedot_keys(record["kubernetes"]["annotations"])
dedot_keys(record["kubernetes"]["labels"])
return 1, timestamp, record
end
function dedot_keys(map)
if map == nil then
return
end
local new_map = {}
local changed_keys = {}
for k, v in pairs(map) do
local dedotted = string.gsub(k, "%.", "_")
if dedotted ~= k then
new_map[dedotted] = v
changed_keys[k] = true
end
end
for k in pairs(changed_keys) do
map[k] = nil
end
for k, v in pairs(new_map) do
map[k] = v
end
end
serviceMonitor:
enabled: true
namespace: monitoring
selector:
release: metrics
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
@ -0,0 +1,24 @@
apiVersion: v2
name: kubezero-metrics
description: KubeZero Umbrella Chart for prometheus-operator
type: application
version: 0.1.3
home: https://kubezero.com
icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
keywords:
- kubezero
- prometheus
- grafana
maintainers:
- name: Quarky9
dependencies:
- name: kubezero-lib
version: ">= 0.1.3"
repository: https://zero-down-time.github.io/kubezero/
- name: prometheus-operator
version: 9.3.0
repository: https://kubernetes-charts.storage.googleapis.com/
- name: prometheus-adapter
version: 2.5.0
repository: https://kubernetes-charts.storage.googleapis.com/
kubeVersion: ">= 1.16.0"
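Review bot: The kubezero-lib dependency is declared with an open-ended range `version: ">= 0.1.3"`, so any future release of that chart, including a breaking major version, satisfies it when dependencies are next resolved, while the other two dependencies in this file are pinned exactly. An upper bound such as `version: ">= 0.1.3, < 0.2.0"` keeps the umbrella chart reproducible and makes a library upgrade an explicit, reviewable change in this file. The same range is echoed in the generated README table further down, which would be regenerated from this value.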
@ -0,0 +1,98 @@
kubezero-metrics
================
KubeZero Umbrella Chart for prometheus-operator
Current chart version is `0.1.3`
Source code can be found [here](https://kubezero.com)
## Chart Requirements
| Repository | Name | Version |
|------------|------|---------|
| https://kubernetes-charts.storage.googleapis.com/ | prometheus-adapter | 2.5.0 |
| https://kubernetes-charts.storage.googleapis.com/ | prometheus-operator | 9.3.0 |
| https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 |
## Chart Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| grafana.istio.enabled | bool | `false` | |
| grafana.istio.gateway | string | `"istio-system/ingressgateway"` | |
| grafana.istio.ipBlocks | list | `[]` | |
| grafana.istio.url | string | `""` | |
| prometheus-adapter.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| prometheus-adapter.prometheus.url | string | `"http://metrics-prometheus-operato-prometheus"` | |
| prometheus-adapter.rules.default | bool | `false` | |
| prometheus-adapter.rules.resource.cpu.containerLabel | string | `"container"` | |
| prometheus-adapter.rules.resource.cpu.containerQuery | string | `"sum(irate(container_cpu_usage_seconds_total{<<.LabelMatchers>>,container!=\"POD\",container!=\"\",pod!=\"\"}[5m])) by (<<.GroupBy>>)"` | |
| prometheus-adapter.rules.resource.cpu.nodeQuery | string | `"sum(1 - irate(node_cpu_seconds_total{mode=\"idle\"}[5m]) * on(namespace, pod) group_left(node) node_namespace_pod:kube_pod_info:{<<.LabelMatchers>>}) by (<<.GroupBy>>)"` | |
| prometheus-adapter.rules.resource.cpu.resources.overrides.namespace.resource | string | `"namespace"` | |
| prometheus-adapter.rules.resource.cpu.resources.overrides.node.resource | string | `"node"` | |
| prometheus-adapter.rules.resource.cpu.resources.overrides.pod.resource | string | `"pod"` | |
| prometheus-adapter.rules.resource.memory.containerLabel | string | `"container"` | |
| prometheus-adapter.rules.resource.memory.containerQuery | string | `"sum(container_memory_working_set_bytes{<<.LabelMatchers>>,container!=\"POD\",container!=\"\",pod!=\"\"}) by (<<.GroupBy>>)"` | |
| prometheus-adapter.rules.resource.memory.nodeQuery | string | `"sum(node_memory_MemTotal_bytes{job=\"node-exporter\",<<.LabelMatchers>>} - node_memory_MemAvailable_bytes{job=\"node-exporter\",<<.LabelMatchers>>}) by (<<.GroupBy>>)"` | |
| prometheus-adapter.rules.resource.memory.resources.overrides.namespace.resource | string | `"namespace"` | |
| prometheus-adapter.rules.resource.memory.resources.overrides.node.resource | string | `"node"` | |
| prometheus-adapter.rules.resource.memory.resources.overrides.pod.resource | string | `"pod"` | |
| prometheus-adapter.rules.resource.window | string | `"5m"` | |
| prometheus-adapter.tolerations[0].effect | string | `"NoSchedule"` | |
| prometheus-adapter.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| prometheus-operator.alertmanager.enabled | bool | `false` | |
| prometheus-operator.coreDns.enabled | bool | `true` | |
| prometheus-operator.defaultRules.create | bool | `true` | |
| prometheus-operator.grafana.enabled | bool | `true` | |
| prometheus-operator.grafana.initChownData.enabled | bool | `false` | |
| prometheus-operator.grafana.persistence.enabled | bool | `true` | |
| prometheus-operator.grafana.persistence.size | string | `"4Gi"` | |
| prometheus-operator.grafana.persistence.storageClassName | string | `"ebs-sc-gp2-xfs"` | |
| prometheus-operator.grafana.plugins[0] | string | `"grafana-piechart-panel"` | |
| prometheus-operator.grafana.service.portName | string | `"http-grafana"` | |
| prometheus-operator.grafana.testFramework.enabled | bool | `false` | |
| prometheus-operator.kubeApiServer.enabled | bool | `true` | |
| prometheus-operator.kubeControllerManager.enabled | bool | `true` | |
| prometheus-operator.kubeControllerManager.service.port | int | `10257` | |
| prometheus-operator.kubeControllerManager.service.targetPort | int | `10257` | |
| prometheus-operator.kubeControllerManager.serviceMonitor.https | bool | `true` | |
| prometheus-operator.kubeControllerManager.serviceMonitor.insecureSkipVerify | bool | `true` | |
| prometheus-operator.kubeDns.enabled | bool | `false` | |
| prometheus-operator.kubeEtcd.enabled | bool | `false` | |
| prometheus-operator.kubeProxy.enabled | bool | `true` | |
| prometheus-operator.kubeScheduler.enabled | bool | `true` | |
| prometheus-operator.kubeScheduler.service.port | int | `10259` | |
| prometheus-operator.kubeScheduler.service.targetPort | int | `10259` | |
| prometheus-operator.kubeScheduler.serviceMonitor.https | bool | `true` | |
| prometheus-operator.kubeScheduler.serviceMonitor.insecureSkipVerify | bool | `true` | |
| prometheus-operator.kubeStateMetrics.enabled | bool | `true` | |
| prometheus-operator.kubelet.enabled | bool | `true` | |
| prometheus-operator.kubelet.serviceMonitor.cAdvisor | bool | `true` | |
| prometheus-operator.nodeExporter.enabled | bool | `true` | |
| prometheus-operator.nodeExporter.serviceMonitor.relabelings[0].action | string | `"replace"` | |
| prometheus-operator.nodeExporter.serviceMonitor.relabelings[0].regex | string | `"^(.*)$"` | |
| prometheus-operator.nodeExporter.serviceMonitor.relabelings[0].replacement | string | `"$1"` | |
| prometheus-operator.nodeExporter.serviceMonitor.relabelings[0].separator | string | `";"` | |
| prometheus-operator.nodeExporter.serviceMonitor.relabelings[0].sourceLabels[0] | string | `"__meta_kubernetes_pod_node_name"` | |
| prometheus-operator.nodeExporter.serviceMonitor.relabelings[0].targetLabel | string | `"node"` | |
| prometheus-operator.prometheus.enabled | bool | `true` | |
| prometheus-operator.prometheus.prometheusSpec.portName | string | `"http-prometheus"` | |
| prometheus-operator.prometheus.prometheusSpec.resources.requests.memory | string | `"512Mi"` | |
| prometheus-operator.prometheus.prometheusSpec.retention | string | `"8d"` | |
| prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.accessModes[0] | string | `"ReadWriteOnce"` | |
| prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage | string | `"8Gi"` | |
| prometheus-operator.prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName | string | `"ebs-sc-gp2-xfs"` | |
| prometheus-operator.prometheusOperator.admissionWebhooks.enabled | bool | `false` | |
| prometheus-operator.prometheusOperator.createCustomResource | bool | `true` | |
| prometheus-operator.prometheusOperator.enabled | bool | `true` | |
| prometheus-operator.prometheusOperator.manageCrds | bool | `false` | |
| prometheus-operator.prometheusOperator.namespaces.additional[0] | string | `"kube-system"` | |
| prometheus-operator.prometheusOperator.namespaces.additional[1] | string | `"logging"` | |
| prometheus-operator.prometheusOperator.namespaces.releaseNamespace | bool | `true` | |
| prometheus-operator.prometheusOperator.nodeSelector."node-role.kubernetes.io/master" | string | `""` | |
| prometheus-operator.prometheusOperator.tlsProxy.enabled | bool | `false` | |
| prometheus-operator.prometheusOperator.tolerations[0].effect | string | `"NoSchedule"` | |
| prometheus-operator.prometheusOperator.tolerations[0].key | string | `"node-role.kubernetes.io/master"` | |
| prometheus.istio.enabled | bool | `false` | |
| prometheus.istio.gateway | string | `"istio-system/ingressgateway"` | |
| prometheus.istio.url | string | `""` | |
@ -0,0 +1,10 @@
{{ template "chart.header" . }}
{{ template "chart.description" . }}
{{ template "chart.versionLine" . }}
{{ template "chart.sourceLinkLine" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}