Update etcd-operator v0.3.0

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Andrei Kvapil
2024-07-03 14:14:21 +02:00
parent a2cc83ddc4
commit a798afc7e8
8 changed files with 215 additions and 86 deletions


@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: v0.2.0
appVersion: v0.3.0
name: etcd-operator
type: application
version: 0.2.0
version: 0.3.0


@@ -1,63 +1,54 @@
# etcd-operator
![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| affinity | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity |
| etcdOperator.args[0] | string | `"--health-probe-bind-address=:8081"` | |
| etcdOperator.args[1] | string | `"--metrics-bind-address=127.0.0.1:8080"` | |
| etcdOperator.args[2] | string | `"--leader-elect"` | |
| etcdOperator.envVars | object | `{}` | |
| etcdOperator.image.pullPolicy | string | `"IfNotPresent"` | |
| etcdOperator.image.repository | string | `"ghcr.io/aenix-io/etcd-operator"` | |
| etcdOperator.image.tag | string | `""` | |
| etcdOperator.livenessProbe.httpGet.path | string | `"/healthz"` | |
| etcdOperator.livenessProbe.httpGet.port | int | `8081` | |
| etcdOperator.livenessProbe.initialDelaySeconds | int | `15` | |
| etcdOperator.livenessProbe.periodSeconds | int | `20` | |
| etcdOperator.readinessProbe.httpGet.path | string | `"/readyz"` | |
| etcdOperator.readinessProbe.httpGet.port | int | `8081` | |
| etcdOperator.readinessProbe.initialDelaySeconds | int | `5` | |
| etcdOperator.readinessProbe.periodSeconds | int | `10` | |
| etcdOperator.resources.limits.cpu | string | `"500m"` | |
| etcdOperator.resources.limits.memory | string | `"128Mi"` | |
| etcdOperator.resources.requests.cpu | string | `"100m"` | |
| etcdOperator.resources.requests.memory | string | `"64Mi"` | |
| etcdOperator.securityContext.allowPrivilegeEscalation | bool | `false` | |
| etcdOperator.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| etcdOperator.service.port | int | `9443` | |
| etcdOperator.service.type | string | `"ClusterIP"` | |
| fullnameOverride | string | `""` | |
| etcdOperator.envVars | object | `{}` | Empty environment variables section |
| etcdOperator.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| etcdOperator.image.repository | string | `"ghcr.io/aenix-io/etcd-operator"` | Image repository |
| etcdOperator.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| etcdOperator.livenessProbe.httpGet.path | string | `"/healthz"` | Healthcheck liveness probe path |
| etcdOperator.livenessProbe.httpGet.port | int | `8081` | Healthcheck port |
| etcdOperator.livenessProbe.initialDelaySeconds | int | `15` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes |
| etcdOperator.livenessProbe.periodSeconds | int | `20` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes |
| etcdOperator.readinessProbe.httpGet.path | string | `"/readyz"` | Healthcheck readiness probe path |
| etcdOperator.readinessProbe.httpGet.port | int | `8081` | Healthcheck port |
| etcdOperator.readinessProbe.initialDelaySeconds | int | `5` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes |
| etcdOperator.readinessProbe.periodSeconds | int | `10` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes |
| etcdOperator.resources | object | `{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| etcdOperator.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| etcdOperator.service.port | int | `9443` | Service port |
| etcdOperator.service.type | string | `"ClusterIP"` | Service type |
| fullnameOverride | string | `""` | Override a full name of helm release |
| imagePullSecrets | list | `[]` | |
| kubeRbacProxy.args[0] | string | `"--secure-listen-address=0.0.0.0:8443"` | |
| kubeRbacProxy.args[1] | string | `"--upstream=http://127.0.0.1:8080/"` | |
| kubeRbacProxy.args[2] | string | `"--logtostderr=true"` | |
| kubeRbacProxy.args[3] | string | `"--v=0"` | |
| kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | |
| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | |
| kubeRbacProxy.image.tag | string | `"v0.16.0"` | |
| kubeRbacProxy.livenessProbe | object | `{}` | |
| kubeRbacProxy.readinessProbe | object | `{}` | |
| kubeRbacProxy.resources.limits.cpu | string | `"500m"` | |
| kubeRbacProxy.resources.limits.memory | string | `"128Mi"` | |
| kubeRbacProxy.resources.requests.cpu | string | `"100m"` | |
| kubeRbacProxy.resources.requests.memory | string | `"64Mi"` | |
| kubeRbacProxy.securityContext.allowPrivilegeEscalation | bool | `false` | |
| kubeRbacProxy.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| kubeRbacProxy.service.port | int | `8443` | |
| kubeRbacProxy.service.type | string | `"ClusterIP"` | |
| kubernetesClusterDomain | string | `"cluster.local"` | |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| podAnnotations | object | `{}` | |
| podLabels | object | `{}` | |
| podSecurityContext | object | `{}` | |
| replicaCount | int | `1` | |
| securityContext.runAsNonRoot | bool | `true` | |
| serviceAccount.annotations | object | `{}` | |
| serviceAccount.create | bool | `true` | |
| tolerations | list | `[]` | |
| kubeRbacProxy.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| kubeRbacProxy.image.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | Image repository |
| kubeRbacProxy.image.tag | string | `"v0.16.0"` | Version of image |
| kubeRbacProxy.livenessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
| kubeRbacProxy.readinessProbe | object | `{}` | https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
| kubeRbacProxy.resources | object | `{"limits":{"cpu":"250m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
| kubeRbacProxy.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| kubeRbacProxy.service.port | int | `8443` | Service port |
| kubeRbacProxy.service.type | string | `"ClusterIP"` | Service type |
| kubernetesClusterDomain | string | `"cluster.local"` | Kubernetes cluster domain prefix |
| nameOverride | string | `""` | Override a name of helm release |
| nodeSelector | object | `{}` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
| podAnnotations | object | `{}` | ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
| podLabels | object | `{}` | ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
| podSecurityContext | object | `{}` | ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| replicaCount | int | `1` | Count of pod replicas |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| tolerations | list | `[]` | ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |


@@ -0,0 +1,19 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.typeBadge" . }}
{{ template "chart.description" . }}
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.valuesSection" . }}
{{ template "helm-docs.versionFooter" . }}


@@ -3,7 +3,7 @@ kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: etcd-operator-system/etcd-operator-serving-cert
controller-gen.kubebuilder.io/version: v0.14.0
controller-gen.kubebuilder.io/version: v0.15.0
name: etcdclusters.etcd.aenix.io
spec:
conversion:
@@ -202,25 +202,43 @@ spec:
security:
description: Security describes security settings of etcd (authentication, certificates, rbac)
properties:
enableAuth:
description: Section to enable etcd auth
type: boolean
tls:
description: Section for user-managed tls certificates
properties:
clientSecret:
description: Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret.
description: |-
Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret.
This secret must be created in the namespace with etcdCluster CR.
type: string
clientTrustedCASecret:
description: Trusted CA for client certificates that are provided by client to etcd. It is expected to have tls.crt field in the secret.
description: |-
Trusted CA for client certificates that are provided by client to etcd. It is expected to have ca.crt field in the secret.
This secret must be created in the namespace with etcdCluster CR.
type: string
peerSecret:
description: Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret.
description: |-
Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret.
This secret must be created in the namespace with etcdCluster CR.
type: string
peerTrustedCASecret:
description: Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt field in the secret.
description: |-
Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have ca.crt field in the secret.
This secret must be created in the namespace with etcdCluster CR.
type: string
serverSecret:
description: |-
Server certificate secret to secure client-server communication. Is provided to the client who connects to etcd by client port (2379 by default).
It is expected to have tls.crt and tls.key fields in the secret.
This secret must be created in the namespace with etcdCluster CR.
type: string
serverTrustedCASecret:
description: |-
Trusted CA for etcd server certificates for client-server communication. Is necessary to set trust between operator and etcd.
It is expected to have ca.crt field in the secret. If it is not specified, then insecure communication will be used.
This secret must be created in the namespace with etcdCluster CR.
type: string
type: object
type: object
@@ -581,6 +599,7 @@ spec:
not set, the implementation will apply its default routing strategy. If set
to "PreferClose", implementations should prioritize endpoints that are
topologically close (e.g., same zone).
This is an alpha field and requires enabling ServiceTrafficDistribution feature.
type: string
type:
description: |-
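Review bot: The new `serverTrustedCASecret` description in the `security.tls` hunk ends with `If it is not specified, then insecure communication will be used.`, which leaves an administrator unsure whether the operator then talks to etcd over plaintext or over TLS without verifying the server certificate — the two have very different exposure, and this field is exactly where that decision is made. Suggest stating the actual fallback explicitly, e.g. `If it is not specified, the operator connects to etcd without verifying the server certificate` (or the plaintext wording, whichever matches the implementation). The file carries a `controller-gen.kubebuilder.io/version` annotation, so the CRD looks generated; the wording should be fixed in the Go type's doc comment and regenerated rather than edited here. The enclosing `security` schema block continues before and after the hunk.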


@@ -17,6 +17,22 @@ rules:
- patch
- update
- watch
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- get
- watch
- apiGroups:
- ""
resources:
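Review bot: The added `secrets` rule grants `list` and `watch` in addition to `get`, so the operator's service account can enumerate Secret objects across whatever scope this role has; the hunk does not show whether this is a `Role` or a `ClusterRole`, and in the latter case that is every Secret in the cluster, not only the TLS secrets the CRD in this commit says must live in the EtcdCluster's namespace. If list/watch are needed for an informer cache that is legitimate, but the manifest should say so, e.g. `# secrets: read user-provided TLS secrets referenced by EtcdCluster.spec.security.tls; list/watch are required by the informer cache`, and a namespace-scoped cache for secrets is worth considering if the role is cluster-wide. Minor: the verbs are ordered `list, get, watch` while the neighbouring rules use `get, list, watch`. The enclosing `rules` list continues past the end of the hunk.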


@@ -58,6 +58,12 @@ spec:
- configMapRef:
name: {{ include "etcd-operator.fullname" . }}-env
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
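Review bot: The new `env:` block injecting `POD_NAMESPACE` from the downward API is unconditional and follows the templated `envFrom` above it; Kubernetes gives an `env` entry precedence over a same-named key coming from `envFrom`, so a `POD_NAMESPACE` supplied through the `-env` ConfigMap (presumably populated from `etcdOperator.envVars`) would be silently overridden. A one-line comment stating that, e.g. `# POD_NAMESPACE is always taken from the downward API and overrides any value supplied via envFrom`, would save the next reader from checking. The container spec continues outside the hunk.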


@@ -256,14 +256,6 @@
"replicaCount": {
"type": "integer"
},
"securityContext": {
"properties": {
"runAsNonRoot": {
"type": "boolean"
}
},
"type": "object"
},
"serviceAccount": {
"properties": {
"annotations": {
@@ -281,4 +273,4 @@
}
},
"type": "object"
}
}


@@ -1,98 +1,184 @@
etcdOperator:
image:
# -- Image repository
repository: ghcr.io/aenix-io/etcd-operator
# -- Image pull policy
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
# -- Overrides the image tag whose default is the chart appVersion.
tag: ""
args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
- --leader-elect
service:
# -- Service type
type: ClusterIP
# -- Service port
port: 9443
# -- Empty environment variables section
envVars: {}
livenessProbe:
httpGet:
# -- Healthcheck liveness probe path
path: /healthz
# -- Healthcheck port
port: 8081
# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
initialDelaySeconds: 15
# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
periodSeconds: 20
readinessProbe:
httpGet:
# -- Healthcheck readiness probe path
path: /readyz
# -- Healthcheck port
port: 8081
# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
initialDelaySeconds: 5
# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
periodSeconds: 10
# -- ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
kubeRbacProxy:
image:
# -- Image repository
repository: gcr.io/kubebuilder/kube-rbac-proxy
# -- Image pull policy
pullPolicy: IfNotPresent
# -- Version of image
tag: v0.16.0
args:
- --secure-listen-address=0.0.0.0:8443
- --upstream=http://127.0.0.1:8080/
- --logtostderr=true
- --v=0
service:
type: ClusterIP
port: 8443
livenessProbe: {}
readinessProbe: {}
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
service:
# -- Service type
type: ClusterIP
# -- Service port
port: 8443
# -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe: {}
# -- https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
readinessProbe: {}
# -- ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
limits:
cpu: 250m
memory: 128Mi
requests:
cpu: 100m
memory: 64Mi
# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# -- Kubernetes cluster domain prefix
kubernetesClusterDomain: cluster.local
# -- Count of pod replicas
replicaCount: 1
imagePullSecrets: []
# -- Override a name of helm release
nameOverride: ""
# -- Override a full name of helm release
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
# -- Specifies whether a service account should be created
create: true
# Annotations to add to the service account
# -- Annotations to add to the service account
annotations: {}
# -- ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# -- ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
# -- ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
podSecurityContext: {}
# fsGroup: 2000
securityContext:
runAsNonRoot: true
# -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
nodeSelector: {}
# -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
tolerations: []
# -- ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
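Review bot: The top-level `securityContext:` / `runAsNonRoot: true` pair next to `podSecurityContext` appears only once in this listing and has no row in the regenerated README or the values schema in this commit, so it looks like the chart's only `runAsNonRoot` default is being dropped; neither `etcdOperator.securityContext` nor `kubeRbacProxy.securityContext` sets it, so unless the deployment template hard-codes it the operator pod would no longer satisfy the Pod Security `restricted` profile. If the removal is intended because the per-container contexts replace it, add `runAsNonRoot: true` beside `allowPrivilegeEscalation: false` in both of them. The `kubeRbacProxy` cpu limit also changes from `500m` to `250m` here without a mention in the commit title; a line in the commit message would help users who rely on the old default.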