From dc95f4fbcd92e06898de738177b135f14d0bc4a3 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Thu, 28 Dec 2023 22:41:42 +0100 Subject: [PATCH] integrate helmwave 
Signed-off-by: Andrei Kvapil --- README.md | 68 +- TODO | 2 + apps/monitoring-hub/.helmignore | 24 +- .../monitoring-hub/.helmignore.backup | 0 .../monitoring-hub/.helmignore.bak | 0 apps/monitoring-hub/Chart.yaml | 27 +- {system => apps}/monitoring-hub/Makefile | 0 .../monitoring-hub/charts/oncall/.helmignore | 0 .../monitoring-hub/charts/oncall/Chart.lock | 0 .../monitoring-hub/charts/oncall/Chart.yaml | 0 .../monitoring-hub/charts/oncall/README.md | 0 .../charts/oncall/templates/NOTES.txt | 0 .../charts/oncall/templates/_env.tpl | 0 .../charts/oncall/templates/_helpers.tpl | 0 .../oncall/templates/celery/_helpers.tpl | 0 .../oncall/templates/celery/deployment.yaml | 0 .../charts/oncall/templates/cert-issuer.yaml | 0 .../templates/engine/_helpers-engine.tpl | 0 .../oncall/templates/engine/deployment.yaml | 0 .../oncall/templates/engine/job-migrate.yaml | 0 .../templates/engine/service-external.yaml | 0 .../templates/engine/service-internal.yaml | 0 .../oncall/templates/ingress-regular.yaml | 0 .../templates/integrations/_helpers.tpl | 0 .../templates/integrations/deployment.yaml | 0 .../integrations/service-external.yaml | 0 .../integrations/service-internal.yaml | 0 .../charts/oncall/templates/secrets.yaml | 0 .../oncall/templates/serviceaccount.yaml | 0 .../templates/telegram-polling/_helpers.tpl | 0 .../telegram-polling/deployment.yaml | 0 .../charts/oncall/templates/ui/_helpers.tpl | 0 .../oncall/templates/ui/deployment.yaml | 0 .../monitoring-hub/charts/oncall/values.yaml | 0 .../cache/nginx-vts-stats.json | 0 .../control-plane/control-plane-status.json | 0 .../control-plane-status.json.tmp | 0 .../control-plane/deprecated-resources.json | 0 .../deprecated-resources.json.tmp | 0 .../control-plane/dns-coredns.json | 0 .../control-plane/dns-coredns.json.tmp | 0 .../control-plane/kube-etcd3.json | 0 .../control-plane/kube-etcd3.json.tmp | 0 .../grafana-dashboards/db/cloudnativepg.json | 0 .../grafana-dashboards/db/maria-db.json | 0 
.../grafana-dashboards/db/redis.json | 0 .../dotdc/k8s-system-coredns.json | 0 .../dotdc/k8s-views-global.json | 0 .../dotdc/k8s-views-namespaces.json | 0 .../dotdc/k8s-views-pods.json | 0 .../ingress/controller-detail.json | 0 .../ingress/controller-detail.json.tmp | 0 .../ingress/controllers.json | 0 .../ingress/controllers.json.tmp | 0 .../ingress/namespace-detail.json | 0 .../ingress/namespace-detail.json.tmp | 0 .../ingress/namespaces.json | 0 .../ingress/namespaces.json.tmp | 0 .../ingress/vhost-detail.json | 0 .../ingress/vhost-detail.json.tmp | 0 .../grafana-dashboards/ingress/vhosts.json | 0 .../ingress/vhosts.json.tmp | 0 .../main/capacity-planning.json | 0 .../main/capacity-planning.json.tmp | 0 .../grafana-dashboards/main/controller.json | 0 .../main/controller.json.tmp | 0 .../grafana-dashboards/main/namespace.json | 0 .../main/namespace.json.tmp | 0 .../grafana-dashboards/main/namespaces.json | 0 .../main/namespaces.json.tmp | 0 .../grafana-dashboards/main/node.json | 0 .../grafana-dashboards/main/node.json.tmp | 0 .../grafana-dashboards/main/nodes.json | 0 .../grafana-dashboards/main/nodes.json.tmp | 0 .../grafana-dashboards/main/ntp.json | 0 .../grafana-dashboards/main/ntp.json.tmp | 0 .../grafana-dashboards/main/pod.json | 0 .../grafana-dashboards/main/pod.json.tmp | 0 .../grafana-dashboards/main/volumes.json | 0 .../victoria-metrics/backupmanager.json | 0 .../victoria-metrics/operator.json | 0 .../victoriametrics-cluster.json | 0 .../victoria-metrics/victoriametrics.json | 0 .../victoria-metrics/vmagent.json | 0 .../victoria-metrics/vmalert.json | 0 .../hack/download-dashboards.sh | 0 .../monitoring-hub/oncall/mariadb.yaml | 0 .../monitoring-hub/oncall/oncall-mariadb.yaml | 0 .../monitoring-hub/oncall/oncall-redis.yaml | 0 {system => apps}/monitoring-hub/releases.yaml | 0 apps/monitoring-hub/templates/NOTES.txt | 22 - apps/monitoring-hub/templates/_helpers.tpl | 51 - .../monitoring-hub/templates/dashboards.yaml | 0 
.../monitoring-hub/templates/db.yaml | 0 apps/monitoring-hub/templates/deployment.yaml | 72 - .../grafana-datasource-longterm.yaml | 0 .../templates/grafana-datasource.yaml | 0 .../monitoring-hub/templates/grafana.yaml | 0 apps/monitoring-hub/templates/hpa.yaml | 32 - apps/monitoring-hub/templates/ingress.yaml | 61 - .../monitoring-hub/templates/oncall-db.yaml | 0 .../templates/oncall-redis.yaml | 0 apps/monitoring-hub/templates/service.yaml | 15 - .../templates/serviceaccount.yaml | 13 - .../templates/tests/test-connection.yaml | 15 - .../templates/vmalert-scrape.yaml | 0 .../monitoring-hub/templates/vmalert.yaml | 0 .../templates/vmalertmanager.yaml | 0 .../templates/vmcluster-longterm-scrape.yaml | 0 .../templates/vmcluster-longterm.yaml | 0 .../templates/vmcluster-scrape.yaml | 0 .../monitoring-hub/templates/vmcluster.yaml | 0 apps/monitoring-hub/values.yaml | 132 +- cozystack.yaml | 63 + system/.gitignore | 1 + system/Dockerfile | 17 + system/cert-manager-issuers/.helmignore | 2 + .../Chart.yaml | 0 system/cert-manager-issuers/Makefile | 1 + .../templates/cluster-issuers.yaml | 0 system/cert-manager-issuers/values.yaml | 2 + system/cert-manager/README.md | 5 - system/cert-manager/values.yaml | 6 - system/cilium/README.md | 6 - system/cilium/charts/cilium/Chart.yaml | 4 +- system/cilium/charts/cilium/README.md | 23 +- .../configmap/bootstrap-config.json | 8 +- .../templates/cilium-agent/daemonset.yaml | 24 +- .../cilium/templates/cilium-configmap.yaml | 3 + .../cilium-preflight/deployment.yaml | 9 + .../clustermesh-apiserver/deployment.yaml | 6 + .../templates/hubble-relay/deployment.yaml | 6 + .../templates/spire/agent/daemonset.yaml | 16 + system/cilium/charts/cilium/values.yaml | 56 +- system/cilium/charts/cilium/values.yaml.tmpl | 26 +- system/cilium/templates/cni.yaml | 29 + system/cilium/values.yaml | 20 +- system/fluxcd/values.yaml | 5 - system/grafana-operator/README.md | 7 - system/grafana-operator/values.yaml | 6 - system/helmwave.yml | 249 + 
system/ingress-nginx/values.yaml | 7 - system/kubeapps/templates/.gitkeep | 0 system/kubeapps/values.yaml | 9 - system/kubeovn/Makefile | 24 +- system/kubeovn/charts/kube-ovn/README.md | 20 + system/kubeovn/charts/kube-ovn/values.yaml | 174 + system/kubeovn/install.sh | 4583 ----------------- system/kubeovn/values.yaml | 26 +- system/kubevirt-operator/Chart.yaml | 2 + system/kubevirt-operator/Makefile | 9 + .../templates/kubevirt-operator.yaml | 0 .../values.yaml} | 0 system/kubevirt/Makefile | 4 +- system/kubevirt/values.yaml | 7 +- system/linstor/README.md | 9 - system/linstor/values.yaml | 10 +- system/mariadb-operator/README.md | 7 - system/mariadb-operator/templates/.gitkeep | 0 system/mariadb-operator/values.yaml | 8 - system/metallb-addresses/Chart.yaml | 2 + system/metallb-addresses/Makefile | 1 + .../templates/ips.yaml | 0 system/metallb-addresses/values.yaml | 5 + system/metallb/README.md | 8 - system/metallb/values.yaml | 16 +- system/monitoring-hub/.helmignore | 1 - system/monitoring-hub/README.md | 18 - system/monitoring-hub/values.yaml | 52 - system/monitoring/README.md | 9 - system/monitoring/templates/vmagent.yaml | 2 +- system/monitoring/values.yaml | 8 - system/namespaces.yaml | 97 + system/piraeus-operator/README.md | 12 - system/piraeus-operator/values.yaml | 9 - system/postgres-operator/README.md | 7 - system/postgres-operator/templates/.gitkeep | 0 system/postgres-operator/values.yaml | 8 - system/rabbitmq-operator/README.md | 4 - system/rabbitmq-operator/values.yaml | 5 - system/reconcile.sh | 39 + system/redis-operator/README.md | 6 - system/redis-operator/values.yaml | 6 - system/telepresence/values.yaml | 5 +- system/victoria-metrics-operator/README.md | 7 - system/victoria-metrics-operator/values.yaml | 6 - 186 files changed, 969 insertions(+), 5397 deletions(-) rename {system => apps}/monitoring-hub/.helmignore.backup (100%) rename {system => apps}/monitoring-hub/.helmignore.bak (100%) rename {system => apps}/monitoring-hub/Makefile 
(100%) rename {system => apps}/monitoring-hub/charts/oncall/.helmignore (100%) rename {system => apps}/monitoring-hub/charts/oncall/Chart.lock (100%) rename {system => apps}/monitoring-hub/charts/oncall/Chart.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/README.md (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/NOTES.txt (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/_env.tpl (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/_helpers.tpl (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/celery/_helpers.tpl (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/celery/deployment.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/cert-issuer.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/engine/_helpers-engine.tpl (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/engine/deployment.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/engine/job-migrate.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/engine/service-external.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/engine/service-internal.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/ingress-regular.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/integrations/_helpers.tpl (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/integrations/deployment.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/integrations/service-external.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/integrations/service-internal.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/secrets.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/serviceaccount.yaml (100%) rename {system => 
apps}/monitoring-hub/charts/oncall/templates/telegram-polling/_helpers.tpl (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/telegram-polling/deployment.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/ui/_helpers.tpl (100%) rename {system => apps}/monitoring-hub/charts/oncall/templates/ui/deployment.yaml (100%) rename {system => apps}/monitoring-hub/charts/oncall/values.yaml (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/cache/nginx-vts-stats.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/control-plane/control-plane-status.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/control-plane/control-plane-status.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/control-plane/deprecated-resources.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/control-plane/deprecated-resources.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/control-plane/dns-coredns.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/control-plane/dns-coredns.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/control-plane/kube-etcd3.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/control-plane/kube-etcd3.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/db/cloudnativepg.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/db/maria-db.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/db/redis.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/dotdc/k8s-system-coredns.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/dotdc/k8s-views-global.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/dotdc/k8s-views-namespaces.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/dotdc/k8s-views-pods.json (100%) rename {system => 
apps}/monitoring-hub/grafana-dashboards/ingress/controller-detail.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/controller-detail.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/controllers.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/controllers.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/namespace-detail.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/namespace-detail.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/namespaces.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/namespaces.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/vhost-detail.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/vhost-detail.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/vhosts.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/ingress/vhosts.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/capacity-planning.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/capacity-planning.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/controller.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/controller.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/namespace.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/namespace.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/namespaces.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/namespaces.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/node.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/node.json.tmp (100%) rename {system => 
apps}/monitoring-hub/grafana-dashboards/main/nodes.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/nodes.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/ntp.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/ntp.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/pod.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/pod.json.tmp (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/main/volumes.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/victoria-metrics/backupmanager.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/victoria-metrics/operator.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/victoria-metrics/victoriametrics-cluster.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/victoria-metrics/victoriametrics.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/victoria-metrics/vmagent.json (100%) rename {system => apps}/monitoring-hub/grafana-dashboards/victoria-metrics/vmalert.json (100%) rename {system => apps}/monitoring-hub/hack/download-dashboards.sh (100%) rename {system => apps}/monitoring-hub/oncall/mariadb.yaml (100%) rename {system => apps}/monitoring-hub/oncall/oncall-mariadb.yaml (100%) rename {system => apps}/monitoring-hub/oncall/oncall-redis.yaml (100%) rename {system => apps}/monitoring-hub/releases.yaml (100%) delete mode 100644 apps/monitoring-hub/templates/NOTES.txt delete mode 100644 apps/monitoring-hub/templates/_helpers.tpl rename {system => apps}/monitoring-hub/templates/dashboards.yaml (100%) rename {system => apps}/monitoring-hub/templates/db.yaml (100%) delete mode 100644 apps/monitoring-hub/templates/deployment.yaml rename {system => apps}/monitoring-hub/templates/grafana-datasource-longterm.yaml (100%) rename {system => apps}/monitoring-hub/templates/grafana-datasource.yaml (100%) rename 
{system => apps}/monitoring-hub/templates/grafana.yaml (100%) delete mode 100644 apps/monitoring-hub/templates/hpa.yaml delete mode 100644 apps/monitoring-hub/templates/ingress.yaml rename {system => apps}/monitoring-hub/templates/oncall-db.yaml (100%) rename {system => apps}/monitoring-hub/templates/oncall-redis.yaml (100%) delete mode 100644 apps/monitoring-hub/templates/service.yaml delete mode 100644 apps/monitoring-hub/templates/serviceaccount.yaml delete mode 100644 apps/monitoring-hub/templates/tests/test-connection.yaml rename {system => apps}/monitoring-hub/templates/vmalert-scrape.yaml (100%) rename {system => apps}/monitoring-hub/templates/vmalert.yaml (100%) rename {system => apps}/monitoring-hub/templates/vmalertmanager.yaml (100%) rename {system => apps}/monitoring-hub/templates/vmcluster-longterm-scrape.yaml (100%) rename {system => apps}/monitoring-hub/templates/vmcluster-longterm.yaml (100%) rename {system => apps}/monitoring-hub/templates/vmcluster-scrape.yaml (100%) rename {system => apps}/monitoring-hub/templates/vmcluster.yaml (100%) create mode 100644 cozystack.yaml create mode 100644 system/.gitignore create mode 100644 system/Dockerfile create mode 100644 system/cert-manager-issuers/.helmignore rename system/{monitoring-hub => cert-manager-issuers}/Chart.yaml (100%) create mode 100644 system/cert-manager-issuers/Makefile rename system/{cert-manager => cert-manager-issuers}/templates/cluster-issuers.yaml (100%) create mode 100644 system/cert-manager-issuers/values.yaml delete mode 100644 system/cert-manager/README.md delete mode 100644 system/cilium/README.md create mode 100644 system/cilium/templates/cni.yaml delete mode 100644 system/grafana-operator/README.md create mode 100644 system/helmwave.yml delete mode 100644 system/kubeapps/templates/.gitkeep create mode 100644 system/kubeovn/charts/kube-ovn/README.md create mode 100644 system/kubeovn/charts/kube-ovn/values.yaml delete mode 100644 system/kubeovn/install.sh create mode 100644 
system/kubevirt-operator/Chart.yaml create mode 100644 system/kubevirt-operator/Makefile rename system/{kubevirt => kubevirt-operator}/templates/kubevirt-operator.yaml (100%) rename system/{telepresence/README.md => kubevirt-operator/values.yaml} (100%) delete mode 100644 system/linstor/README.md delete mode 100644 system/mariadb-operator/README.md delete mode 100644 system/mariadb-operator/templates/.gitkeep create mode 100644 system/metallb-addresses/Chart.yaml create mode 100644 system/metallb-addresses/Makefile rename system/{metallb => metallb-addresses}/templates/ips.yaml (100%) create mode 100644 system/metallb-addresses/values.yaml delete mode 100644 system/metallb/README.md delete mode 100644 system/monitoring-hub/.helmignore delete mode 100644 system/monitoring-hub/README.md delete mode 100644 system/monitoring-hub/values.yaml delete mode 100644 system/monitoring/README.md create mode 100644 system/namespaces.yaml delete mode 100644 system/piraeus-operator/README.md delete mode 100644 system/postgres-operator/README.md delete mode 100644 system/postgres-operator/templates/.gitkeep delete mode 100644 system/rabbitmq-operator/README.md create mode 100755 system/reconcile.sh delete mode 100644 system/redis-operator/README.md delete mode 100644 system/victoria-metrics-operator/README.md diff --git a/README.md b/README.md index ff3d7c85..2634fb60 100644 --- a/README.md +++ b/README.md 
@@ -103,25 +103,29 @@ Write configuration for Cozystack: ```yaml cat > patch.yaml <=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "monitoring-gateway.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathType }} - {{- end }} - backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} - service: - name: {{ $fullName }} - port: - number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} 
diff --git a/system/monitoring-hub/templates/oncall-db.yaml b/apps/monitoring-hub/templates/oncall-db.yaml similarity index 100% rename from system/monitoring-hub/templates/oncall-db.yaml rename to apps/monitoring-hub/templates/oncall-db.yaml diff --git a/system/monitoring-hub/templates/oncall-redis.yaml b/apps/monitoring-hub/templates/oncall-redis.yaml similarity index 100% rename from system/monitoring-hub/templates/oncall-redis.yaml rename to apps/monitoring-hub/templates/oncall-redis.yaml diff --git a/apps/monitoring-hub/templates/service.yaml b/apps/monitoring-hub/templates/service.yaml deleted file mode 100644 index 09a58f80..00000000 --- a/apps/monitoring-hub/templates/service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "monitoring-gateway.fullname" . }} - labels: - {{- include "monitoring-gateway.labels" . | nindent 4 }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - {{- include "monitoring-gateway.selectorLabels" . | nindent 4 }} diff --git a/apps/monitoring-hub/templates/serviceaccount.yaml b/apps/monitoring-hub/templates/serviceaccount.yaml deleted file mode 100644 index 33b69819..00000000 --- a/apps/monitoring-hub/templates/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "monitoring-gateway.serviceAccountName" . }} - labels: - {{- include "monitoring-gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: {{ .Values.serviceAccount.automount }} -{{- end }} diff --git a/apps/monitoring-hub/templates/tests/test-connection.yaml b/apps/monitoring-hub/templates/tests/test-connection.yaml deleted file mode 100644 index 840e1cc1..00000000 
--- a/apps/monitoring-hub/templates/tests/test-connection.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "monitoring-gateway.fullname" . }}-test-connection" - labels: - {{- include "monitoring-gateway.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "monitoring-gateway.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never diff --git a/system/monitoring-hub/templates/vmalert-scrape.yaml b/apps/monitoring-hub/templates/vmalert-scrape.yaml similarity index 100% rename from system/monitoring-hub/templates/vmalert-scrape.yaml rename to apps/monitoring-hub/templates/vmalert-scrape.yaml diff --git a/system/monitoring-hub/templates/vmalert.yaml b/apps/monitoring-hub/templates/vmalert.yaml similarity index 100% rename from system/monitoring-hub/templates/vmalert.yaml rename to apps/monitoring-hub/templates/vmalert.yaml diff --git a/system/monitoring-hub/templates/vmalertmanager.yaml b/apps/monitoring-hub/templates/vmalertmanager.yaml similarity index 100% rename from system/monitoring-hub/templates/vmalertmanager.yaml rename to apps/monitoring-hub/templates/vmalertmanager.yaml diff --git a/system/monitoring-hub/templates/vmcluster-longterm-scrape.yaml b/apps/monitoring-hub/templates/vmcluster-longterm-scrape.yaml similarity index 100% rename from system/monitoring-hub/templates/vmcluster-longterm-scrape.yaml rename to apps/monitoring-hub/templates/vmcluster-longterm-scrape.yaml diff --git a/system/monitoring-hub/templates/vmcluster-longterm.yaml b/apps/monitoring-hub/templates/vmcluster-longterm.yaml similarity index 100% rename from system/monitoring-hub/templates/vmcluster-longterm.yaml rename to apps/monitoring-hub/templates/vmcluster-longterm.yaml 
diff --git a/system/monitoring-hub/templates/vmcluster-scrape.yaml b/apps/monitoring-hub/templates/vmcluster-scrape.yaml
similarity index 100%
rename from system/monitoring-hub/templates/vmcluster-scrape.yaml
rename to apps/monitoring-hub/templates/vmcluster-scrape.yaml
diff --git a/system/monitoring-hub/templates/vmcluster.yaml b/apps/monitoring-hub/templates/vmcluster.yaml
similarity index 100%
rename from system/monitoring-hub/templates/vmcluster.yaml
rename to apps/monitoring-hub/templates/vmcluster.yaml
diff --git a/apps/monitoring-hub/values.yaml b/apps/monitoring-hub/values.yaml
index 5da1f29c..1aade8e4 100644
--- a/apps/monitoring-hub/values.yaml
+++ b/apps/monitoring-hub/values.yaml
@@ -1,98 +1,52 @@ -# Default values for monitoring-hub. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. +_helm: + name: monitoring-hub + namespace: cozy-monitoring-hub + createNamespace: true + dependsOn: + - name: grafana-operator + - name: postgres-operator -replicaCount: 1 +adminPassword: Moh4ooN9phaech6Sai9aoGiezu4doh2i # TODO -image: - repository: nginx - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: "" +oncall: + fullnameOverride: grafana-oncall + #base_url: oncall.grafana.example.org + database: + type: postgresql -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" + ingress: + enabled: false -serviceAccount: - # Specifies whether a service account should be created - create: true - # Automatically mount a ServiceAccount's API credentials? - automount: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" + externalGrafana: + url: "https://grafana.example.org/" -podAnnotations: {} -podLabels: {} + broker: + type: redis -podSecurityContext: {} - # fsGroup: 2000 + cert-manager: + enabled: false -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 + externalPostgresql: + host: grafana-oncall-db-rw + port: 5432 + db_name: app + user: app + existingSecret: grafana-oncall-db-app + passwordKey: password -service: - type: ClusterIP - port: 80 + externalRedis: + host: rfrm-grafana-oncall + password: "" + #existingSecret: grafana-oncall-keydb + #passwordKey: password -ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: 
chart-example-tls - # hosts: - # - chart-example.local - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -# Additional volumes on the output Deployment definition. -volumes: [] -# - name: foo -# secret: -# secretName: mysecret -# optional: false - -# Additional volumeMounts on the output Deployment definition. -volumeMounts: [] -# - name: foo -# mountPath: "/etc/foo" -# readOnly: true - -nodeSelector: {} - -tolerations: [] - -affinity: {} + mariadb: + enabled: false + postgresql: + enabled: false + rabbitmq: + enabled: false + redis: + enabled: false + grafana: + enabled: false diff --git a/cozystack.yaml b/cozystack.yaml new file mode 100644 index 00000000..ca2d4d12 --- /dev/null +++ b/cozystack.yaml 
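Review bot: The new side of this hunk commits a literal credential as a chart default, `adminPassword: Moh4ooN9phaech6Sai9aoGiezu4doh2i # TODO`, so every install that does not override it shares a password that is now permanently in git history. Treat that value as compromised and rotate it; for the default, leave it empty and have the template generate one (`randAlphaNum` into a Secret) or take it from a Secret reference, mirroring the `existingSecret` / `passwordKey` pattern this same file already uses under `externalPostgresql`. A short comment next to the key should say which of those two paths applies, e.g. `adminPassword: ""  # empty = generated at install time; never commit a real value here`. Under `externalRedis`, `password: ""` with the `existingSecret` lines commented out means OnCall will connect to `rfrm-grafana-oncall` unauthenticated unless that instance has no auth configured — confirm that is intended, and if not, uncomment the Secret reference rather than shipping an empty password.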
@@ -0,0 +1,63 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: cozy-system + labels: + pod-security.kubernetes.io/enforce: privileged +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cozystack + namespace: cozy-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cozystack + namespace: cozy-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cozystack +subjects: +- kind: ServiceAccount + name: cozystack + namespace: cozy-system +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cozystack + namespace: cozy-system +spec: + replicas: 1 + selector: + matchLabels: + app: cozystack + template: + metadata: + labels: + app: cozystack + spec: + hostNetwork: true + serviceAccountName: cozystack + containers: + - name: cozystack + image: ghcr.io/kvaps/test:cozystack-7 + command: [ "/cozystack-system/reconcile.sh" ] + env: + - name: KUBERNETES_SERVICE_HOST + value: localhost + - name: KUBERNETES_SERVICE_PORT + value: "7445" + tolerations: + - key: "node.kubernetes.io/not-ready" + operator: "Exists" + effect: "NoSchedule" diff --git a/system/.gitignore b/system/.gitignore new file mode 100644 index 00000000..e1cf0905 --- /dev/null +++ b/system/.gitignore @@ -0,0 +1 @@ +.helmwave diff --git a/system/Dockerfile b/system/Dockerfile new file mode 100644 index 00000000..c2c6da78 --- /dev/null +++ b/system/Dockerfile 
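Review bot: The `cozystack` Deployment binds its ServiceAccount to `cluster-admin` via the ClusterRoleBinding above it while pulling `image: ghcr.io/kvaps/test:cozystack-7`, a mutable tag in a personal scratch repository — anyone able to push that tag gets a cluster-admin, host-network pod on every cluster that applies this file. Pin the reference by digest (`image: ghcr.io/kvaps/test@sha256:…`) and move it to a project-owned image before anything depends on this manifest. The `cozystack` ServiceAccount is declared twice back-to-back as two identical documents; drop one. The Namespace is labeled `pod-security.kubernetes.io/enforce: privileged` and the pod sets `hostNetwork: true` with `KUBERNETES_SERVICE_HOST=localhost` / port `7445`, which reads like a node-local API endpoint is the only reason for host networking — if so, say it in a comment, e.g. `# hostNetwork: the reconciler talks to the node-local apiserver on localhost:7445 (see env below)`, and consider whether the privileged PSS level is needed by this pod at all or only by workloads deployed later.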
@@ -0,0 +1,17 @@ +FROM alpine:3.19 + + +ARG HELMWAVE_VERSION=0.33.0 +RUN wget -c https://github.com/helmwave/helmwave/releases/download/v$HELMWAVE_VERSION/helmwave_${HELMWAVE_VERSION}_linux_amd64.tar.gz -O - | tar -xz \ + && mv helmwave /usr/local/bin/ + +ARG KUBECTL_VERSION=1.29.0 +RUN wget https://dl.k8s.io/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \ + && chmod +x kubectl \ + && mv kubectl /usr/local/bin/ + + +COPY . /cozystack-system +WORKDIR /cozystack-system + +CMD [ "reconcile.sh" ] diff --git a/system/cert-manager-issuers/.helmignore b/system/cert-manager-issuers/.helmignore new file mode 100644 index 00000000..216b462f --- /dev/null +++ b/system/cert-manager-issuers/.helmignore @@ -0,0 +1,2 @@ +images +hack diff --git a/system/monitoring-hub/Chart.yaml b/system/cert-manager-issuers/Chart.yaml similarity index 100% rename from system/monitoring-hub/Chart.yaml rename to system/cert-manager-issuers/Chart.yaml diff --git a/system/cert-manager-issuers/Makefile b/system/cert-manager-issuers/Makefile new file mode 100644 index 00000000..f6bd5a15 --- /dev/null +++ b/system/cert-manager-issuers/Makefile @@ -0,0 +1 @@ +include ../../hack/app-helm.mk diff --git a/system/cert-manager/templates/cluster-issuers.yaml b/system/cert-manager-issuers/templates/cluster-issuers.yaml similarity index 100% rename from system/cert-manager/templates/cluster-issuers.yaml rename to system/cert-manager-issuers/templates/cluster-issuers.yaml diff --git a/system/cert-manager-issuers/values.yaml b/system/cert-manager-issuers/values.yaml new file mode 100644 index 00000000..0b21fc93 --- /dev/null +++ b/system/cert-manager-issuers/values.yaml @@ -0,0 +1,2 @@ +cert-manager: + installCRDs: true diff --git a/system/cert-manager/README.md b/system/cert-manager/README.md deleted file mode 100644 index 76214ef2..00000000 --- a/system/cert-manager/README.md +++ /dev/null 
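Review bot: Both `RUN wget` steps fetch helmwave and kubectl over the network and install them without verifying a checksum or signature, so the contents of an image that later runs as cluster-admin depend entirely on what those URLs serve at build time. Kubernetes publishes a `.sha256` file next to each binary; verify it before moving, e.g. `wget https://dl.k8s.io/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl.sha256 && echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c -`, and do the equivalent for the helmwave tarball against the checksums file its GitHub release page appears to ship (confirm the exact filename for v0.33.0). Separately, `CMD [ "reconcile.sh" ]` uses exec form with a bare name that is not on `PATH`, so the image fails when run without the Deployment's explicit `command`; use `CMD [ "/cozystack-system/reconcile.sh" ]`. The image also runs as root with no `USER`; nothing in this hunk shows that being required.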
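Review bot: `system/cert-manager-issuers/values.yaml` sets only `cert-manager: installCRDs: true`, which is a value for a cert-manager subchart, but per the diffstat this chart carries just `templates/cluster-issuers.yaml` plus a `Chart.yaml` renamed unchanged (100% similarity) from `system/monitoring-hub/Chart.yaml`, and the identical two lines also remain in `system/cert-manager/values.yaml`. Unless the issuers chart declares cert-manager as a dependency, the key is silently ignored, and the reused Chart.yaml presumably still names and describes the chart as monitoring-hub — verify both. If the values file is only there so the chart renders, replace it with the values `cluster-issuers.yaml` actually consumes and add a one-line comment saying so, e.g. `# values consumed by templates/cluster-issuers.yaml; cert-manager itself is installed by the cert-manager release`.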
@@ -1,5 +0,0 @@
-# Cert-manager
-
-Cloud native X.509 certificate management for Kubernetes and OpenShift.
-
-- Docs: https://cert-manager.io/docs/
diff --git a/system/cert-manager/values.yaml b/system/cert-manager/values.yaml
index 13db1228..0b21fc93 100644
--- a/system/cert-manager/values.yaml
+++ b/system/cert-manager/values.yaml
@@ -1,8 +1,2 @@
-_helm:
- name: cert-manager
- namespace: cozy-cert-manager
- createNamespace: true
- crds: CreateReplace
-
 cert-manager:
 installCRDs: true
diff --git a/system/cilium/README.md b/system/cilium/README.md
deleted file mode 100644
index 9748b286..00000000
--- a/system/cilium/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Cilium
-
-Cloud Native, eBPF-based Networking, Observability, and Security.
-
-- Docs https://docs.cilium.io
-- Telegram: https://t.me/ciliumproject
diff --git a/system/cilium/charts/cilium/Chart.yaml b/system/cilium/charts/cilium/Chart.yaml
index c5c7ab59..1b4e38a8 100644
--- a/system/cilium/charts/cilium/Chart.yaml
+++ b/system/cilium/charts/cilium/Chart.yaml
@@ -122,7 +122,7 @@ annotations:
 description: |
 CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).
 apiVersion: v2
-appVersion: 1.14.4
+appVersion: 1.14.5
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
@@ -138,4 +138,4 @@ kubeVersion: '>= 1.16.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.14.4
+version: 1.14.5
diff --git a/system/cilium/charts/cilium/README.md b/system/cilium/charts/cilium/README.md
index 55e7a280..aaa41fee 100644
--- a/system/cilium/charts/cilium/README.md
+++ b/system/cilium/charts/cilium/README.md
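Review bot: Removing the `_helm` block takes the release namespace (`cozy-cert-manager`), `createNamespace: true` and `crds: CreateReplace` out of this file with no replacement visible in this chunk; presumably `system/helmwave.yml` (added at the very end of the diff, outside this view) now carries them, but since Helm itself does not upgrade CRDs shipped in a chart's `crds/` directory, whatever `CreateReplace` did before needs an explicit equivalent there rather than relying on `installCRDs: true` alone. The same applies to `system/cilium/values.yaml` (which also loses `privilegedNamespace: true`, needed for its `hostNetwork` workloads), `system/fluxcd/values.yaml` and `system/grafana-operator/values.yaml` later in this chunk; a one-line comment at the top of each values file pointing at where the release settings now live would save the next reader the search.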
@@ -1,6 +1,6 @@ # cilium -![Version: 1.14.4](https://img.shields.io/badge/Version-1.14.4-informational?style=flat-square) ![AppVersion: 1.14.4](https://img.shields.io/badge/AppVersion-1.14.4-informational?style=flat-square) +![Version: 1.14.5](https://img.shields.io/badge/Version-1.14.5-informational?style=flat-square) ![AppVersion: 1.14.5](https://img.shields.io/badge/AppVersion-1.14.5-informational?style=flat-square) Cilium is open source software for providing and transparently securing network connectivity and loadbalancing between application workloads such as 
@@ -67,9 +67,13 @@ contributors across the globe, there is almost always someone available to help. | authentication.mutual.spire.agentSocketPath | string | `"/run/spire/sockets/agent/agent.sock"` | SPIRE socket path where the SPIRE workload agent is listening. Applies to both the Cilium Agent and Operator | | authentication.mutual.spire.connectionTimeout | string | `"30s"` | SPIRE connection timeout | | authentication.mutual.spire.enabled | bool | `false` | Enable SPIRE integration (beta) | +| authentication.mutual.spire.install.agent.affinity | object | `{}` | SPIRE agent affinity configuration | | authentication.mutual.spire.install.agent.annotations | object | `{}` | SPIRE agent annotations | | authentication.mutual.spire.install.agent.image | string | `"ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823"` | SPIRE agent image | | authentication.mutual.spire.install.agent.labels | object | `{}` | SPIRE agent labels | +| authentication.mutual.spire.install.agent.nodeSelector | object | `{}` | SPIRE agent nodeSelector configuration ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | +| authentication.mutual.spire.install.agent.podSecurityContext | object | `{}` | Security context to be added to spire agent pods. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod | +| authentication.mutual.spire.install.agent.securityContext | object | `{}` | Security context to be added to spire agent containers. SecurityContext holds pod-level security attributes and common container settings. 
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container | | authentication.mutual.spire.install.agent.serviceAccount | object | `{"create":true,"name":"spire-agent"}` | SPIRE agent service account | | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. | | authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | 
@@ -151,12 +155,12 @@ contributors across the globe, there is almost always someone available to help. | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. | | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. | | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. | -| clustermesh.apiserver.image | object | `{"digest":"sha256:828a74eea2a15c4196633dc50e4b92ba3a5e3ed8418c2a33e255a9281a1ce42f","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.4","useDigest":true}` | Clustermesh API server image. | +| clustermesh.apiserver.image | object | `{"digest":"sha256:7eaa35cf5452c43b1f7d0cde0d707823ae7e49965bcb54c053e31ea4e04c3d96","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.5","useDigest":true}` | Clustermesh API server image. | | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. | | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. | | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. | | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. | -| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:492cde62cb2def832b3213211cb99d59bd9fe9789be32a181fb24554077368b0","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.4","useDigest":true}` | KVStoreMesh image. 
| +| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:d7137edd0efa2b1407b20088af3980a9993bb616d85bf9b55ea2891d1b99023a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.5","useDigest":true}` | KVStoreMesh image. | | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container | | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context | | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. | 
@@ -308,7 +312,7 @@ contributors across the globe, there is almost always someone available to help. | envoy.extraVolumes | list | `[]` | Additional envoy volumes. | | envoy.healthPort | int | `9878` | TCP port for the health API. | | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s | -| envoy.image | object | `{"digest":"sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1","useDigest":true}` | Envoy container image. | +| envoy.image | object | `{"digest":"sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b","useDigest":true}` | Envoy container image. | | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe | | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe | | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. | 
@@ -410,9 +414,11 @@ contributors across the globe, there is almost always someone available to help. | hubble.relay.dialTimeout | string | `nil` | Dial timeout to connect to the local hubble instance to receive peer information (e.g. "30s"). | | hubble.relay.enabled | bool | `false` | Enable Hubble Relay (requires hubble.enabled=true) | | hubble.relay.extraEnv | list | `[]` | Additional hubble-relay environment variables. | +| hubble.relay.extraVolumeMounts | list | `[]` | Additional hubble-relay volumeMounts. | +| hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. | | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay | | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay | -| hubble.relay.image | object | `{"digest":"sha256:ca81622fd9f04c1316bf4144bde5dbce613758810f6022f6c706b14c9c0815db","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.4","useDigest":true}` | Hubble-relay container image. | +| hubble.relay.image | object | `{"digest":"sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.5","useDigest":true}` | Hubble-relay container image. | | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. | | hubble.relay.listenPort | string | `"4245"` | Port to listen to. | | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | 
@@ -504,7 +510,7 @@ contributors across the globe, there is almost always someone available to help. | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. | | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). | | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. | -| image | object | `{"digest":"sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.4","useDigest":true}` | Agent container image. | +| image | object | `{"digest":"sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":true}` | Agent container image. | | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images | | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set | | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. | 
@@ -527,6 +533,7 @@ contributors across the globe, there is almost always someone available to help. | ingressController.service.name | string | `"cilium-ingress"` | Service name | | ingressController.service.secureNodePort | string | `nil` | Configure a specific nodePort for secure HTTPS traffic on the shared LB service | | ingressController.service.type | string | `"LoadBalancer"` | Service type for the shared LB service | +| initResources | object | `{}` | resources & limits for the agent init containers | | installNoConntrackIptablesRules | bool | `false` | Install Iptables rules to skip netfilter connection tracking on all pod traffic. This option is only effective when Cilium is running in direct routing and full KPR mode. Moreover, this option cannot be enabled when Cilium is running in a managed Kubernetes environment or in a chained CNI setup. | | ipMasqAgent | object | `{"enabled":false}` | Configure the eBPF-based ip-masq-agent | | ipam.ciliumNodeUpdateRate | string | `"15s"` | Maximum rate at which the CiliumNode custom resource is updated. | 
@@ -611,7 +618,7 @@ contributors across the globe, there is almost always someone available to help. | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. | | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. | | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. | -| operator.image | object | `{"alibabacloudDigest":"sha256:2b2c71930db7901e754d5aac119c166faad10e938f73294f1c840cf36d564a3e","awsDigest":"sha256:757966ce5c13055089b092a86c8322a0694b0461a19b65e545e61897f6c9446c","azureDigest":"sha256:f9d1b8663b905fc2af656e61abc54667779081dde2fdbbb90a48200e7b05ff41","genericDigest":"sha256:f0f05e4ba3bb1fe0e4b91144fa4fea637701aba02e6c00b23bd03b4a7e1dfd55","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.4","useDigest":true}` | cilium-operator image. | +| operator.image | object | `{"alibabacloudDigest":"sha256:e0152c498ba73c56a82eee2a706c8f400e9a6999c665af31a935bdf08e659bc3","awsDigest":"sha256:785ccf1267d0ed3ba9e4bd8166577cb4f9e4ce996af26b27c9d5c554a0d5b09a","azureDigest":"sha256:9203f5583aa34e716d7a6588ebd144e43ce3b77873f578fc12b2679e33591353","genericDigest":"sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.5","useDigest":true}` | cilium-operator image. | | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. | | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods | 
@@ -658,7 +665,7 @@ contributors across the globe, there is almost always someone available to help. | preflight.extraEnv | list | `[]` | Additional preflight environment variables. | | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. | | preflight.extraVolumes | list | `[]` | Additional preflight volumes. | -| preflight.image | object | `{"digest":"sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.4","useDigest":true}` | Cilium pre-flight image. | +| preflight.image | object | `{"digest":"sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":true}` | Cilium pre-flight image. | | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods | | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ | diff --git a/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json b/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json index 3d8656c3..ea8984db 100644 --- a/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json +++ b/system/cilium/charts/cilium/files/cilium-envoy/configmap/bootstrap-config.json @@ -36,7 +36,7 @@ "prefix": "/metrics" }, "route": { - "cluster": "envoy-admin", + "cluster": "/envoy-admin", "prefix_rewrite": "/stats/prometheus" } } @@ -102,7 +102,7 @@ "prefix": "/healthz" }, "route": { - "cluster": "envoy-admin", + "cluster": "/envoy-admin", "prefix_rewrite": "/ready" } } 
@@ -245,11 +245,11 @@ } }, { - "name": "envoy-admin", + "name": "/envoy-admin", "type": "STATIC", "connectTimeout": "{{ .Values.envoy.connectTimeoutSeconds }}s", "loadAssignment": { - "clusterName": "envoy-admin", + "clusterName": "/envoy-admin", "endpoints": [ { "lbEndpoints": [ diff --git a/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml b/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml index a560f01b..32c9e2c0 100644 --- a/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml +++ b/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml @@ -395,6 +395,9 @@ spec: volumeMounts: - name: cilium-run mountPath: /var/run/cilium + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.monitor.resources }} resources: {{- toYaml . | trim | nindent 10 }} @@ -497,6 +500,10 @@ spec: - name: apply-sysctl-overwrites image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} env: - name: BIN_PATH value: {{ .Values.cni.binPath }} @@ -542,6 +549,10 @@ spec: - name: mount-bpf-fs image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} args: - 'mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf' command: @@ -563,6 +574,10 @@ spec: - name: wait-for-node-init image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} command: - sh - -c 
@@ -634,7 +649,10 @@ spec: mountPropagation: HostToContainer - name: cilium-run mountPath: /var/run/cilium - {{- with .Values.nodeinit.resources }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.initResources }} resources: {{- toYaml . | trim | nindent 10 }} {{- end }} @@ -642,6 +660,10 @@ spec: - name: wait-for-kube-proxy image: {{ include "cilium.image" .Values.image | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.initResources }} + resources: + {{- toYaml . | trim | nindent 10 }} + {{- end }} securityContext: privileged: true command: diff --git a/system/cilium/charts/cilium/templates/cilium-configmap.yaml b/system/cilium/charts/cilium/templates/cilium-configmap.yaml index d7eeea8b..09043940 100644 --- a/system/cilium/charts/cilium/templates/cilium-configmap.yaml +++ b/system/cilium/charts/cilium/templates/cilium-configmap.yaml @@ -792,6 +792,9 @@ data: {{- if (not (kindIs "invalid" .Values.cni.chainingTarget)) }} cni-chaining-target: {{ .Values.cni.chainingTarget | quote }} {{- end}} +{{- if (not (kindIs "invalid" .Values.cni.externalRouting)) }} + cni-external-routing: {{ .Values.cni.externalRouting | quote }} +{{- end}} {{- if .Values.kubeConfigPath }} k8s-kubeconfig-path: {{ .Values.kubeConfigPath | quote }} {{- end }} diff --git a/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml b/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml index cbb9b60a..b4f542ea 100644 --- a/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml +++ b/system/cilium/charts/cilium/templates/cilium-preflight/deployment.yaml @@ -56,6 +56,10 @@ spec: - /tmp/ready-validate-cnp initialDelaySeconds: 5 periodSeconds: 5 + {{- with .Values.preflight.extraVolumeMounts }} + volumeMounts: + {{- toYaml . | nindent 10 }} + {{- end }} env: {{- if .Values.k8sServiceHost }} - name: KUBERNETES_SERVICE_HOST 
@@ -73,11 +77,16 @@ spec: {{- toYaml . | trim | nindent 12 }} {{- end }} terminationMessagePolicy: FallbackToLogsOnError + {{- with .Values.preflight.extraVolumes }} + volumes: + {{- toYaml . | trim | nindent 6 }} + {{- end }} hostNetwork: true restartPolicy: Always priorityClassName: {{ include "cilium.priorityClass" (list $ .Values.preflight.priorityClassName "system-cluster-critical") }} serviceAccount: {{ .Values.serviceAccounts.preflight.name | quote }} serviceAccountName: {{ .Values.serviceAccounts.preflight.name | quote }} + automountServiceAccountToken: {{ .Values.serviceAccounts.preflight.automount }} terminationGracePeriodSeconds: {{ .Values.preflight.terminationGracePeriodSeconds }} {{- with .Values.preflight.affinity }} affinity: diff --git a/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml b/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml index 7c0ce675..7783a9e5 100644 --- a/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml +++ b/system/cilium/charts/cilium/templates/clustermesh-apiserver/deployment.yaml @@ -82,6 +82,9 @@ spec: volumeMounts: - name: etcd-data-dir mountPath: /var/run/etcd + {{- with .Values.clustermesh.apiserver.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError {{- with .Values.clustermesh.apiserver.etcd.init.resources }} resources: @@ -132,6 +135,9 @@ spec: readOnly: true - name: etcd-data-dir mountPath: /var/run/etcd + {{- with .Values.clustermesh.apiserver.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError {{- with .Values.clustermesh.apiserver.etcd.resources }} resources: diff --git a/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml b/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml index 5a4148e9..c72d9af8 100644 --- a/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml 
+++ b/system/cilium/charts/cilium/templates/hubble-relay/deployment.yaml @@ -89,6 +89,9 @@ spec: mountPath: /var/lib/hubble-relay/tls readOnly: true {{- end }} + {{- with .Values.hubble.relay.extraVolumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} terminationMessagePolicy: FallbackToLogsOnError restartPolicy: Always priorityClassName: {{ .Values.hubble.relay.priorityClassName }} @@ -159,4 +162,7 @@ spec: path: server.key {{- end }} {{- end }} + {{- with .Values.hubble.relay.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} diff --git a/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml b/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml index 758b17c1..f186eaef 100644 --- a/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml +++ b/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml @@ -30,6 +30,10 @@ spec: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet serviceAccountName: {{ .Values.authentication.mutual.spire.install.agent.serviceAccount.name }} + {{- with .Values.authentication.mutual.spire.install.agent.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} initContainers: - name: init image: docker.io/library/busybox:1.35.0@sha256:223ae047b1065bd069aac01ae3ac8088b3ca4a527827e283b85112f29385fb1b @@ -42,6 +46,10 @@ spec: - name: spire-agent image: {{ .Values.authentication.mutual.spire.install.agent.image }} args: ["-config", "/run/spire/config/agent.conf"] + {{- with .Values.authentication.mutual.spire.install.agent.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: - name: spire-config mountPath: /run/spire/config 
@@ -72,6 +80,14 @@ spec: port: 4251 initialDelaySeconds: 5 periodSeconds: 5 + {{- with .Values.authentication.mutual.spire.install.agent.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.authentication.mutual.spire.install.agent.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.authentication.mutual.spire.install.agent.tolerations }} tolerations: {{- toYaml . | trim | nindent 8 }} diff --git a/system/cilium/charts/cilium/values.yaml b/system/cilium/charts/cilium/values.yaml index 56294bc4..243991c2 100644 --- a/system/cilium/charts/cilium/values.yaml +++ b/system/cilium/charts/cilium/values.yaml @@ -143,10 +143,10 @@ rollOutCiliumPods: false image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.14.4" + tag: "v1.14.5" pullPolicy: "IfNotPresent" # cilium-digest - digest: "sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e" + digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b" useDigest: true # -- Affinity for cilium-agent. @@ -230,6 +230,9 @@ resources: {} # cpu: 100m # memory: 512Mi +# -- resources & limits for the agent init containers +initResources: {} + securityContext: # -- User to run the pod with # runAsUser: 0 @@ -1106,9 +1109,9 @@ hubble: image: override: ~ repository: "quay.io/cilium/hubble-relay" - tag: "v1.14.4" + tag: "v1.14.5" # hubble-relay-digest - digest: "sha256:ca81622fd9f04c1316bf4144bde5dbce613758810f6022f6c706b14c9c0815db" + digest: "sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4" useDigest: true pullPolicy: "IfNotPresent" @@ -1174,6 +1177,12 @@ hubble: rollingUpdate: maxUnavailable: 1 + # -- Additional hubble-relay volumes. + extraVolumes: [] + + # -- Additional hubble-relay volumeMounts. + extraVolumeMounts: [] + # -- hubble-relay pod security context podSecurityContext: fsGroup: 65532 
@@ -1844,9 +1853,9 @@ envoy: image: override: ~ repository: "quay.io/cilium/cilium-envoy" - tag: "v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1" + tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b" pullPolicy: "IfNotPresent" - digest: "sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea" + digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. @@ -2241,15 +2250,15 @@ operator: image: override: ~ repository: "quay.io/cilium/operator" - tag: "v1.14.4" + tag: "v1.14.5" # operator-generic-digest - genericDigest: "sha256:f0f05e4ba3bb1fe0e4b91144fa4fea637701aba02e6c00b23bd03b4a7e1dfd55" + genericDigest: "sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a" # operator-azure-digest - azureDigest: "sha256:f9d1b8663b905fc2af656e61abc54667779081dde2fdbbb90a48200e7b05ff41" + azureDigest: "sha256:9203f5583aa34e716d7a6588ebd144e43ce3b77873f578fc12b2679e33591353" # operator-aws-digest - awsDigest: "sha256:757966ce5c13055089b092a86c8322a0694b0461a19b65e545e61897f6c9446c" + awsDigest: "sha256:785ccf1267d0ed3ba9e4bd8166577cb4f9e4ce996af26b27c9d5c554a0d5b09a" # operator-alibabacloud-digest - alibabacloudDigest: "sha256:2b2c71930db7901e754d5aac119c166faad10e938f73294f1c840cf36d564a3e" + alibabacloudDigest: "sha256:e0152c498ba73c56a82eee2a706c8f400e9a6999c665af31a935bdf08e659bc3" useDigest: true pullPolicy: "IfNotPresent" suffix: "" @@ -2526,9 +2535,9 @@ preflight: image: override: ~ repository: "quay.io/cilium/cilium" - tag: "v1.14.4" + tag: "v1.14.5" # cilium-digest - digest: "sha256:4981767b787c69126e190e33aee93d5a076639083c21f0e7c29596a519c64a2e" + digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b" useDigest: true pullPolicy: "IfNotPresent" 
@@ -2676,9 +2685,9 @@ clustermesh: image: override: ~ repository: "quay.io/cilium/clustermesh-apiserver" - tag: "v1.14.4" + tag: "v1.14.5" # clustermesh-apiserver-digest - digest: "sha256:828a74eea2a15c4196633dc50e4b92ba3a5e3ed8418c2a33e255a9281a1ce42f" + digest: "sha256:7eaa35cf5452c43b1f7d0cde0d707823ae7e49965bcb54c053e31ea4e04c3d96" useDigest: true pullPolicy: "IfNotPresent" @@ -2723,9 +2732,9 @@ clustermesh: image: override: ~ repository: "quay.io/cilium/kvstoremesh" - tag: "v1.14.4" + tag: "v1.14.5" # kvstoremesh-digest - digest: "sha256:492cde62cb2def832b3213211cb99d59bd9fe9789be32a181fb24554077368b0" + digest: "sha256:d7137edd0efa2b1407b20088af3980a9993bb616d85bf9b55ea2891d1b99023a" useDigest: true pullPolicy: "IfNotPresent" @@ -3129,6 +3138,19 @@ authentication: # -- SPIRE agent tolerations configuration # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ tolerations: [] + # -- SPIRE agent affinity configuration + affinity: {} + # -- SPIRE agent nodeSelector configuration + # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector + nodeSelector: {} + # -- Security context to be added to spire agent pods. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # -- Security context to be added to spire agent containers. + # SecurityContext holds pod-level security attributes and common container settings. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + securityContext: {} server: # -- SPIRE server image image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f 
diff --git a/system/cilium/charts/cilium/values.yaml.tmpl b/system/cilium/charts/cilium/values.yaml.tmpl index 5c72fefa..f1d9a819 100644 --- a/system/cilium/charts/cilium/values.yaml.tmpl +++ b/system/cilium/charts/cilium/values.yaml.tmpl @@ -227,6 +227,9 @@ resources: {} # cpu: 100m # memory: 512Mi +# -- resources & limits for the agent init containers +initResources: {} + securityContext: # -- User to run the pod with # runAsUser: 0 @@ -1175,6 +1178,12 @@ hubble: rollingUpdate: maxUnavailable: 1 + # -- Additional hubble-relay volumes. + extraVolumes: [] + + # -- Additional hubble-relay volumeMounts. + extraVolumeMounts: [] + # -- hubble-relay pod security context podSecurityContext: fsGroup: 65532 @@ -1845,9 +1854,9 @@ envoy: image: override: ~ repository: "quay.io/cilium/cilium-envoy" - tag: "v1.26.6-ff0d5d3f77d610040e93c7c7a430d61a0c0b90c1" + tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b" pullPolicy: "${PULL_POLICY}" - digest: "sha256:6b0f2591fef922bf17a46517d5152ea7d6270524bb0e307c77986986677dbcea" + digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca" useDigest: true # -- Additional containers added to the cilium Envoy DaemonSet. 
@@ -3132,6 +3141,19 @@ authentication:
 # -- SPIRE agent tolerations configuration
 # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
 tolerations: []
+ # -- SPIRE agent affinity configuration
+ affinity: {}
+ # -- SPIRE agent nodeSelector configuration
+ # ref: ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
+ nodeSelector: {}
+ # -- Security context to be added to spire agent pods.
+ # SecurityContext holds pod-level security attributes and common container settings.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ podSecurityContext: {}
+ # -- Security context to be added to spire agent containers.
+ # SecurityContext holds pod-level security attributes and common container settings.
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ securityContext: {}
 server:
 # -- SPIRE server image
 image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f
diff --git a/system/cilium/templates/cni.yaml b/system/cilium/templates/cni.yaml
new file mode 100644
index 00000000..4cde9b51
--- /dev/null
+++ b/system/cilium/templates/cni.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cni-configuration
+ namespace: cozy-cilium
+data:
+ cni-config: |-
+ {
+ "name": "generic-veth",
+ "cniVersion": "0.3.1",
+ "plugins": [
+ {
+ "type": "kube-ovn",
+ "server_socket": "/run/openvswitch/kube-ovn-daemon.sock",
+ "ipam": {
+ "type": "kube-ovn",
+ "server_socket": "/run/openvswitch/kube-ovn-daemon.sock"
+ }
+ },
+ {
+ "type": "portmap",
+ "snat": true,
+ "capabilities": {"portMappings": true}
+ },
+ {
+ "type": "cilium-cni"
+ }
+ ]
+ }
diff --git a/system/cilium/values.yaml b/system/cilium/values.yaml
index ee66383e..2c054039 100644
--- a/system/cilium/values.yaml
+++ b/system/cilium/values.yaml
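Review bot: `namespace: cozy-cilium` is hard-coded in the new `cni-configuration` ConfigMap while this same commit removes the `_helm.namespace` setting from `system/cilium/values.yaml`, so the chart now fixes the namespace in one place and lets the release decide it in another; `namespace: {{ .Release.Namespace }}` keeps the two in step. The ConfigMap name must also match `cni.configMap: cni-configuration` in values.yaml, which it does today but nothing ties them together — a comment on the `name:` line saying so would help. The embedded JSON would benefit from a short header comment above `cni-config` explaining the chain order (kube-ovn creates and addresses the interface, portmap handles hostPort mappings, cilium-cni attaches last), since the plugin list is otherwise opaque to anyone not already familiar with generic-veth chaining.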
@@ -1,16 +1,10 @@ -_helm: - name: cilium - namespace: cozy-cilium - createNamespace: true - privilegedNamespace: true - cilium: hubble: enabled: false externalIPs: enabled: true tunnel: disabled - autoDirectNodeRoutes: true + autoDirectNodeRoutes: false kubeProxyReplacement: strict bpf: masquerade: true @@ -22,6 +16,12 @@ cilium: hostRoot: /sys/fs/cgroup ipam: mode: "kubernetes" - k8sServiceHost: 192.168.100.10 - k8sServicePort: 6443 - ipv4NativeRoutingCIDR: 10.244.0.0/16 + k8sServiceHost: localhost + k8sServicePort: 7445 + + cni: + chainingMode: generic-veth + customConf: true + configMap: cni-configuration + routingMode: native + enableIPv4Masquerade: false diff --git a/system/fluxcd/values.yaml b/system/fluxcd/values.yaml index 8f26768a..e69de29b 100644 --- a/system/fluxcd/values.yaml +++ b/system/fluxcd/values.yaml @@ -1,5 +0,0 @@ -_helm: - name: kubeapps - namespace: cozy-fluxcd - createNamespace: true - crds: CreateReplace diff --git a/system/grafana-operator/README.md b/system/grafana-operator/README.md deleted file mode 100644 index 91bf6d1a..00000000 --- a/system/grafana-operator/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# Grafana Operator - -An operator for Grafana that installs and manages Grafana instances, Dashboards and Datasources through Kubernetes CRs - -- Github: https://github.com/grafana-operator/grafana-operator -- Telegram: https://t.me/metrics_ru -- Docs: https://github.com/grafana-operator/grafana-operator/tree/master/docs diff --git a/system/grafana-operator/values.yaml b/system/grafana-operator/values.yaml index adb43f30..52c84cae 100644 --- a/system/grafana-operator/values.yaml +++ b/system/grafana-operator/values.yaml @@ -1,8 +1,2 @@ -_helm: - name: grafana-operator - namespace: cozy-grafana-operator - createNamespace: true - crds: CreateReplace - grafana-operator: fullnameOverride: grafana-operator diff --git a/system/helmwave.yml b/system/helmwave.yml new file mode 100644 index 00000000..c2a6ffa3 --- /dev/null +++ b/system/helmwave.yml 
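Review bot: `enableIPv4Masquerade: false` is added while the context line `bpf: masquerade: true` stays in the same file; with IPv4 masquerading switched off the BPF masquerade flag has nothing to act on, so either remove it or comment why it is kept (I would expect the agent to warn about the combination — confirm). The new `k8sServiceHost: localhost` / `k8sServicePort: 7445` replaces a fixed control-plane IP with an undocumented local endpoint; add `# node-local API-server endpoint (presumably Talos KubePrism, given the talos patches elsewhere in this repo) — needed because kubeProxyReplacement: strict cannot rely on the kubernetes Service` above it, adjusting once confirmed. `tunnel: disabled` and the new `routingMode: native` express the same setting in old and new chart spelling; keeping only `routingMode: native` avoids the two drifting apart on a future chart bump.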
@@ -0,0 +1,249 @@ +project: cozystack +version: "0.0.0" + +.options: &options + wait: true + wait_for_jobs: true + force: false + timeout: 10m + atomic: true + max_history: 3 + create_namespace: true + offline_kube_version: 1.25.2 + pending_release_strategy: rollback + +releases: + - name: cilium + chart: cilium + namespace: cozy-cilium + <<: *options + tags: + - cilium + values: + - cilium/values.yaml + + - name: kubeovn + chart: kubeovn + namespace: cozy-kubeovn + <<: *options + tags: + - kubeovn + values: + - kubeovn/values.yaml + - kubeovn/values-runtime.yaml + depends_on: + - cilium@cozy-cilium + + - name: fluxcd + chart: fluxcd + namespace: cozy-fluxcd + <<: *options + tags: + - fluxcd + values: + - fluxcd/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + + - name: cert-manager + chart: cert-manager + namespace: cozy-cert-manager + <<: *options + tags: + - cert-manager + values: + - cert-manager/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + + - name: cert-manager-issuers + chart: cert-manager-issuers + namespace: cozy-cert-manager + <<: *options + tags: + - cert-manager + values: + - cert-manager-issuers/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + - cert-manager@cozy-cert-manager + + - name: victoria-metrics-operator + chart: victoria-metrics-operator + namespace: cozy-victoria-metrics-operator + <<: *options + tags: + - victoria-metrics-operator + values: + - victoria-metrics-operator/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + - cert-manager@cozy-cert-manager + + - name: monitoring + chart: monitoring + namespace: cozy-monitoring + <<: *options + tags: + - monitoring + values: + - monitoring/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + - victoria-metrics-operator@cozy-victoria-metrics-operator + + - name: kubevirt-operator + chart: kubevirt-operator + namespace: cozy-kubevirt + <<: *options + tags: + - 
kubevirt + values: + - kubevirt-operator/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + + - name: kubevirt + chart: kubevirt + namespace: cozy-kubevirt + <<: *options + tags: + - kubevirt + values: + - kubevirt/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + - kubevirt-operator@cozy-kubevirt + + - name: metallb + chart: metallb + namespace: cozy-metallb + <<: *options + tags: + - metallb + values: + - metallb/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + + - name: grafana-operator + chart: grafana-operator + namespace: cozy-grafana-operator + <<: *options + tags: + - grafana-operator + values: + - grafana-operator/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + + - name: mariadb-operator + chart: mariadb-operator + namespace: cozy-mariadb-operator + <<: *options + tags: + - mariadb-operator + values: + - mariadb-operator/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + - cert-manager@cozy-cert-manager + - victoria-metrics-operator@cozy-victoria-metrics-operator + + - name: postgres-operator + chart: postgres-operator + namespace: cozy-postgres-operator + <<: *options + tags: + - postgres-operator + values: + - postgres-operator/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + - cert-manager@cozy-cert-manager + + - name: rabbitmq-operator + chart: rabbitmq-operator + namespace: cozy-rabbitmq-operator + <<: *options + tags: + - rabbitmq-operator + values: + - rabbitmq-operator/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + + - name: redis-operator + chart: redis-operator + namespace: cozy-redis-operator + <<: *options + tags: + - redis-operator + values: + - redis-operator/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + + - name: piraeus-operator + chart: piraeus-operator + namespace: cozy-linstor + <<: *options + tags: + - piraeus-operator + 
values: + - piraeus-operator/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + - cert-manager@cozy-cert-manager + + - name: linstor + chart: linstor + namespace: cozy-linstor + <<: *options + tags: + - linstor + values: + - linstor/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + - piraeus-operator@cozy-linstor + + - name: traffic-manager + chart: telepresence + namespace: cozy-telepresence + <<: *options + tags: + - telepresence + values: + - telepresence/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + + - name: ingress-nginx + chart: ingress-nginx + namespace: cozy-ingress-nginx + <<: *options + tags: + - ingress-nginx + values: + - ingress-nginx/values.yaml + depends_on: + - cilium@cozy-cilium + - kubeovn@cozy-kubeovn + - cert-manager@cozy-cert-manager diff --git a/system/ingress-nginx/values.yaml b/system/ingress-nginx/values.yaml index 5519bc0b..7df539b0 100644 --- a/system/ingress-nginx/values.yaml +++ b/system/ingress-nginx/values.yaml @@ -1,10 +1,3 @@ -_helm: - name: ingress-nginx - namespace: cozy-ingress-nginx - createNamespace: true - dependsOn: - - name: cert-manager - ingress-nginx: controller: image: diff --git a/system/kubeapps/templates/.gitkeep b/system/kubeapps/templates/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/system/kubeapps/values.yaml b/system/kubeapps/values.yaml index 9250a20d..5f1efc54 100644 --- a/system/kubeapps/values.yaml +++ b/system/kubeapps/values.yaml @@ -1,12 +1,3 @@ -_helm: - name: kubeapps - namespace: cozy-kubeapps - createNamespace: true - crds: CreateReplace - dependsOn: - - name: postgres-operator - - name: redis-operator - kubeapps: postgresql: diff --git a/system/kubeovn/Makefile b/system/kubeovn/Makefile index bdb17164..14311eee 100644 --- a/system/kubeovn/Makefile +++ b/system/kubeovn/Makefile 
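Review bot: The `.options` anchor reproduces `createNamespace` but not two behaviours the removed `_helm` stanzas carried: the `privilegedNamespace: true` flag (dropped from `cilium/values.yaml`; the kubeovn Makefile's `kubectl label namespace … pod-security.kubernetes.io/enforce=privileged` is dropped in the same commit) and `crds: CreateReplace` (dropped from fluxcd, grafana-operator and kubeapps). With `create_namespace: true` the namespaces are created unlabeled, so on a cluster whose Pod Security Admission default is `baseline` or `restricted` the privileged cilium, kube-ovn, linstor and kubevirt DaemonSets will be refused, and plain Helm semantics install CRDs only on first install and never upgrade them, so a later chart bump can ship templates the stale CRD schema rejects. Unless helmwave can label the namespaces it creates and replace CRDs itself (not visible from this file — confirm), add a `Namespace` manifest carrying `pod-security.kubernetes.io/enforce: privileged` to each system chart's templates, handle CRD upgrades explicitly, and record both decisions in a comment on `.options`. Also note that `kubeapps`, whose `_helm` stanza (with `dependsOn: postgres-operator, redis-operator`) is removed in this commit, has no release entry here; if that is intentional a comment should say where it is deployed from now.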
@@ -1,16 +1,12 @@ +include ../../hack/app-helm.mk + update: + rm -rf charts && mkdir -p charts/kube-ovn tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/kubeovn/kube-ovn | awk -F'[/^]' 'END{print $$3}') && \ - wget https://raw.githubusercontent.com/kubeovn/kube-ovn/$$tag/dist/images/install.sh -O install.sh - patch -p3 < patches/talos.patch - sed -i '/path:/ s|/etc/origin/|/var/lib/|' install.sh - sed -i '/mountPath:/ s|/usr/local/bin|/opt/bin|' install.sh - sed -i 's/kube-system/cozy-kubeovn/g' install.sh - sed -i '/deployment\/coredns/,$$d' install.sh - -apply: - kubectl get ns cozy-kubeovn >/dev/null 2>&1 || kubectl create namespace cozy-kubeovn - kubectl label namespace cozy-kubeovn pod-security.kubernetes.io/enforce=privileged --overwrite - ENABLE_SSL=true ENABLE_LB=false ENABLE_NP=false bash install.sh - -clean: - rm -f *.yaml install.sh.orig + curl -sSL https://github.com/kubeovn/kube-ovn/archive/refs/tags/$${tag}.tar.gz | \ + tar -C charts/kube-ovn -xzvf - --strip 2 kube-ovn-$${tag#*v}/charts + sed -i 's/kube-system/cozy-kubeovn/g' `grep -lr kube-system charts | grep -v values.yaml` + sed -i ./charts/kube-ovn/templates/*.yaml \ + -e '/path:/ s|/etc/origin/|/var/lib/|' \ + -e '/mountPath:/ s|/usr/local/bin|/opt/bin|' + diff --git a/system/kubeovn/charts/kube-ovn/README.md b/system/kubeovn/charts/kube-ovn/README.md new file mode 100644 index 00000000..bd0d5c6c --- /dev/null +++ b/system/kubeovn/charts/kube-ovn/README.md 
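Review bot: The removed `apply` target ran the installer with `ENABLE_SSL=true ENABLE_LB=false ENABLE_NP=false`, but the vendored chart's `values.yaml` added in this commit defaults `networking.ENABLE_SSL` to `false` and `func.ENABLE_LB`/`func.ENABLE_NP` to `true`; unless `kubeovn/values.yaml` or `values-runtime.yaml` (referenced from `helmwave.yml`, not visible here) override them, OVN DB traffic between nodes goes from TLS to plaintext and kube-ovn starts enforcing NetworkPolicy alongside Cilium — confirm, and where the override lives add `# ENABLE_SSL must stay true: OVN north/southbound traffic was TLS-protected by the previous installer`. The `sed` relocation deliberately skips `values.yaml`, which therefore still says `namespace: kube-system`; a one-line comment in `update` stating that the namespace is expected to come from the helmwave values files would save the next reader from re-running the substitution. `curl -sSL … | tar` extracts an unverified archive chosen by the highest tag at update time; the old `wget` had the same weakness, but now that the result is committed as a vendored chart it is worth pinning `tag` in the Makefile (or echoing it) so a chart bump is an explicit, reviewable change rather than whatever tag exists when `make update` runs.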
@@ -0,0 +1,20 @@ +# Kube-OVN-helm + +Currently supported version: 1.9 + +Installation : + +```bash +$ kubectl label node -lbeta.kubernetes.io/os=linux kubernetes.io/os=linux --overwrite +$ kubectl label node -lnode-role.kubernetes.io/control-plane kube-ovn/role=master --overwrite +$ kubectl label node -lovn.kubernetes.io/ovs_dp_type!=userspace ovn.kubernetes.io/ovs_dp_type=kernel --overwrite + +# standard install +$ helm install --debug kubeovn ./charts --set MASTER_NODES=${Node0}, + +# high availability install +$ helm install --debug kubeovn ./charts --set MASTER_NODES=${Node0},${Node1},${Node2}, --set replicaCount=3 + +# upgrade to this version +$ helm upgrade --debug kubeovn ./charts --set MASTER_NODES=${Node0},${Node1},${Node2}, --set replicaCount=3 +``` diff --git a/system/kubeovn/charts/kube-ovn/values.yaml b/system/kubeovn/charts/kube-ovn/values.yaml new file mode 100644 index 00000000..b25e8ebf --- /dev/null +++ b/system/kubeovn/charts/kube-ovn/values.yaml 
@@ -0,0 +1,174 @@ +# Default values for kubeovn. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + registry: + address: docker.io/kubeovn + imagePullSecrets: [] + images: + kubeovn: + repository: kube-ovn + dpdkRepository: kube-ovn-dpdk + vpcRepository: vpc-nat-gateway + tag: v1.12.4 + support_arm: true + thirdparty: true + +image: + pullPolicy: IfNotPresent + +namespace: kube-system +replicaCount: 1 +MASTER_NODES: "" + +networking: + # NET_STACK could be dual_stack, ipv4, ipv6 + NET_STACK: ipv4 + ENABLE_SSL: false + # network type could be geneve or vlan + NETWORK_TYPE: geneve + # tunnel type could be geneve, vxlan or stt + TUNNEL_TYPE: geneve + IFACE: "" + DPDK_TUNNEL_IFACE: "br-phy" + EXCLUDE_IPS: "" + POD_NIC_TYPE: "veth-pair" + vlan: + PROVIDER_NAME: "provider" + VLAN_INTERFACE_NAME: "" + VLAN_NAME: "ovn-vlan" + VLAN_ID: "100" + ENABLE_EIP_SNAT: true + EXCHANGE_LINK_NAME: false + POD_DEFAULT_FIP_TYPE: "" + DEFAULT_SUBNET: "ovn-default" + DEFAULT_VPC: "ovn-cluster" + NODE_SUBNET: "join" + ENABLE_ECMP: false + ENABLE_METRICS: true + NODE_LOCAL_DNS_IP: "" + PROBE_INTERVAL: 180000 + OVN_LEADER_PROBE_INTERVAL: 5 + OVN_REMOTE_PROBE_INTERVAL: 10000 + OVN_REMOTE_OPENFLOW_INTERVAL: 180 + OVN_NORTHD_N_THREADS: 1 + ENABLE_COMPACT: false + +func: + ENABLE_LB: true + ENABLE_NP: true + ENABLE_EXTERNAL_VPC: true + HW_OFFLOAD: false + ENABLE_LB_SVC: false + ENABLE_KEEP_VM_IP: true + LS_DNAT_MOD_DL_DST: true + ENABLE_BIND_LOCAL_IP: true + U2O_INTERCONNECTION: false + ENABLE_TPROXY: false + +ipv4: + POD_CIDR: "10.16.0.0/16" + POD_GATEWAY: "10.16.0.1" + SVC_CIDR: "10.96.0.0/12" + JOIN_CIDR: "100.64.0.0/16" + PINGER_EXTERNAL_ADDRESS: "114.114.114.114" + PINGER_EXTERNAL_DOMAIN: "alauda.cn." + +ipv6: + POD_CIDR: "fd00:10:16::/112" + POD_GATEWAY: "fd00:10:16::1" + SVC_CIDR: "fd00:10:96::/112" + JOIN_CIDR: "fd00:100:64::/112" + PINGER_EXTERNAL_ADDRESS: "2400:3200::1" + PINGER_EXTERNAL_DOMAIN: "google.com." 
+ +dual_stack: + POD_CIDR: "10.16.0.0/16,fd00:10:16::/112" + POD_GATEWAY: "10.16.0.1,fd00:10:16::1" + SVC_CIDR: "10.96.0.0/12,fd00:10:96::/112" + JOIN_CIDR: "100.64.0.0/16,fd00:100:64::/112" + PINGER_EXTERNAL_ADDRESS: "114.114.114.114,2400:3200::1" + PINGER_EXTERNAL_DOMAIN: "google.com." + +performance: + MODULES: "kube_ovn_fastpath.ko" + RPMS: "openvswitch-kmod" + GC_INTERVAL: 360 + INSPECT_INTERVAL: 20 + OVS_VSCTL_CONCURRENCY: 100 + +debug: + ENABLE_MIRROR: false + MIRROR_IFACE: "mirror0" + +cni_conf: + CHECK_GATEWAY: true + LOGICAL_GATEWAY: false + CNI_CONFIG_PRIORITY: "01" + CNI_CONF_DIR: "/etc/cni/net.d" + CNI_BIN_DIR: "/opt/cni/bin" + CNI_CONF_FILE: "/kube-ovn/01-kube-ovn.conflist" + +kubelet_conf: + KUBELET_DIR: "/var/lib/kubelet" + +log_conf: + LOG_DIR: "/var/log" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +# hybrid dpdk +HYBRID_DPDK: false +HUGEPAGE_SIZE_TYPE: hugepages-2Mi # Default +HUGEPAGES: 1Gi + +# DPDK +DPDK: false +DPDK_VERSION: "19.11" +DPDK_CPU: "1000m" # Default CPU configuration +DPDK_MEMORY: "2Gi" # Default Memory configuration + +ovn-central: + requests: + cpu: "300m" + memory: "200Mi" + limits: + cpu: "3" + memory: "4Gi" +ovs-ovn: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "1000m" + memory: "1000Mi" +kube-ovn-controller: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "1000m" + memory: "1Gi" +kube-ovn-cni: + requests: + cpu: "100m" + memory: "100Mi" + limits: + cpu: "1000m" + memory: "1Gi" +kube-ovn-pinger: + requests: + cpu: "100m" + memory: "100Mi" + limits: + cpu: "200m" + memory: "400Mi" +kube-ovn-monitor: + requests: + cpu: "200m" + memory: "200Mi" + limits: + cpu: "200m" + memory: "200Mi" diff --git a/system/kubeovn/install.sh b/system/kubeovn/install.sh deleted file mode 100644 index 1565cd5e..00000000 --- a/system/kubeovn/install.sh +++ /dev/null 
@@ -1,4583 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -IPV6=${IPV6:-false} -DUAL_STACK=${DUAL_STACK:-false} -ENABLE_SSL=${ENABLE_SSL:-false} -ENABLE_VLAN=${ENABLE_VLAN:-false} -CHECK_GATEWAY=${CHECK_GATEWAY:-true} -LOGICAL_GATEWAY=${LOGICAL_GATEWAY:-false} -U2O_INTERCONNECTION=${U2O_INTERCONNECTION:-false} -ENABLE_MIRROR=${ENABLE_MIRROR:-false} -VLAN_NIC=${VLAN_NIC:-} -HW_OFFLOAD=${HW_OFFLOAD:-false} -ENABLE_LB=${ENABLE_LB:-true} -ENABLE_NP=${ENABLE_NP:-true} -ENABLE_EIP_SNAT=${ENABLE_EIP_SNAT:-true} -LS_DNAT_MOD_DL_DST=${LS_DNAT_MOD_DL_DST:-true} -ENABLE_EXTERNAL_VPC=${ENABLE_EXTERNAL_VPC:-true} -CNI_CONFIG_PRIORITY=${CNI_CONFIG_PRIORITY:-01} -ENABLE_LB_SVC=${ENABLE_LB_SVC:-false} -ENABLE_NAT_GW=${ENABLE_NAT_GW:-false} -ENABLE_KEEP_VM_IP=${ENABLE_KEEP_VM_IP:-true} -ENABLE_ARP_DETECT_IP_CONFLICT=${ENABLE_ARP_DETECT_IP_CONFLICT:-true} -NODE_LOCAL_DNS_IP=${NODE_LOCAL_DNS_IP:-} -# exchange link names of OVS bridge and the provider nic -# in the default provider-network -EXCHANGE_LINK_NAME=${EXCHANGE_LINK_NAME:-false} -# The nic to support container network can be a nic name or a group of regex -# separated by comma, if empty will use the nic that the default route use -IFACE=${IFACE:-} -# Specifies the name of the dpdk tunnel iface. -# Note that the dpdk tunnel iface and tunnel ip cidr should be diffierent with Kubernetes api cidr, otherwise the route will be a problem. 
-DPDK_TUNNEL_IFACE=${DPDK_TUNNEL_IFACE:-br-phy} -ENABLE_BIND_LOCAL_IP=${ENABLE_BIND_LOCAL_IP:-true} -ENABLE_TPROXY=${ENABLE_TPROXY:-false} -OVS_VSCTL_CONCURRENCY=${OVS_VSCTL_CONCURRENCY:-100} -ENABLE_COMPACT=${ENABLE_COMPACT:-false} - -# debug -DEBUG_WRAPPER=${DEBUG_WRAPPER:-} - -KUBELET_DIR=${KUBELET_DIR:-/var/lib/kubelet} -LOG_DIR=${LOG_DIR:-/var/log} - -CNI_CONF_DIR="/etc/cni/net.d" -CNI_BIN_DIR="/opt/cni/bin" - -REGISTRY="docker.io/kubeovn" -VPC_NAT_IMAGE="vpc-nat-gateway" -VERSION="v1.12.4" -IMAGE_PULL_POLICY="IfNotPresent" -POD_CIDR="10.244.0.0/16" # Do NOT overlap with NODE/SVC/JOIN CIDR -POD_GATEWAY="10.244.0.1" -SVC_CIDR="10.96.0.0/16" # Do NOT overlap with NODE/POD/JOIN CIDR -JOIN_CIDR="100.64.0.0/16" # Do NOT overlap with NODE/POD/SVC CIDR -PINGER_EXTERNAL_ADDRESS="114.114.114.114" # Pinger check external ip probe -PINGER_EXTERNAL_DOMAIN="alauda.cn." # Pinger check external domain probe -SVC_YAML_IPFAMILYPOLICY="" -if [ "$IPV6" = "true" ]; then - POD_CIDR="fd00:10:16::/112" # Do NOT overlap with NODE/SVC/JOIN CIDR - POD_GATEWAY="fd00:10:16::1" - SVC_CIDR="fd00:10:96::/112" # Do NOT overlap with NODE/POD/JOIN CIDR - JOIN_CIDR="fd00:100:64::/112" # Do NOT overlap with NODE/POD/SVC CIDR - PINGER_EXTERNAL_ADDRESS="2400:3200::1" - PINGER_EXTERNAL_DOMAIN="google.com." -fi -if [ "$DUAL_STACK" = "true" ]; then - POD_CIDR="10.16.0.0/16,fd00:10:16::/112" # Do NOT overlap with NODE/SVC/JOIN CIDR - POD_GATEWAY="10.16.0.1,fd00:10:16::1" - SVC_CIDR="10.96.0.0/12,fd00:10:96::/112" # Do NOT overlap with NODE/POD/JOIN CIDR - JOIN_CIDR="100.64.0.0/16,fd00:100:64::/112" # Do NOT overlap with NODE/POD/SVC CIDR - PINGER_EXTERNAL_ADDRESS="114.114.114.114,2400:3200::1" - PINGER_EXTERNAL_DOMAIN="google.com." 
- SVC_YAML_IPFAMILYPOLICY="ipFamilyPolicy: PreferDualStack" -fi - -EXCLUDE_IPS="" # EXCLUDE_IPS for default subnet -LABEL="node-role.kubernetes.io/control-plane" # The node label to deploy OVN DB -DEPRECATED_LABEL="node-role.kubernetes.io/master" # The node label to deploy OVN DB in earlier versions -NETWORK_TYPE="geneve" # geneve or vlan -TUNNEL_TYPE="geneve" # geneve, vxlan or stt. ATTENTION: some networkpolicy cannot take effect when using vxlan and stt need custom compile ovs kernel module -POD_NIC_TYPE="veth-pair" # veth-pair or internal-port -POD_DEFAULT_FIP_TYPE="" # iptables, pod can set iptables fip automatically by enable fip annotation - -# VLAN Config only take effect when NETWORK_TYPE is vlan -VLAN_INTERFACE_NAME="" -VLAN_ID="100" - -if [ "$ENABLE_VLAN" = "true" ]; then - NETWORK_TYPE="vlan" - if [ "$VLAN_NIC" != "" ]; then - VLAN_INTERFACE_NAME="$VLAN_NIC" - fi -fi - -# hybrid dpdk -HYBRID_DPDK="false" - -# DPDK -DPDK="false" -DPDK_SUPPORTED_VERSIONS=("19.11") -DPDK_VERSION="" -DPDK_CPU="1000m" # Default CPU configuration for if --dpdk-cpu flag is not included -DPDK_MEMORY="2Gi" # Default Memory configuration for it --dpdk-memory flag is not included - -# performance -MODULES="kube_ovn_fastpath.ko" -RPMS="openvswitch-kmod" -GC_INTERVAL=360 -INSPECT_INTERVAL=20 - -display_help() { - echo "Usage: $0 [option...]" - echo - echo " -h, --help Print Help (this message) and exit" - echo " --with-hybrid-dpdk Install Kube-OVN with nodes which run ovs-dpdk or ovs-kernel" - echo " --with-dpdk= Install Kube-OVN with OVS-DPDK instead of kernel OVS" - echo " --dpdk-cpu=m Configure DPDK to use a specific amount of CPU" - echo " --dpdk-memory=Gi Configure DPDK to use a specific amount of memory" - echo - exit 0 -} - -if [ -n "${1-}" ] -then - set +u - while :; do - case $1 in - -h|--help) - display_help - ;; - --with-hybrid-dpdk) - HYBRID_DPDK="true" - ;; - --with-dpdk=*) - DPDK=true - DPDK_VERSION="${1#*=}" - if [[ ! 
"${DPDK_SUPPORTED_VERSIONS[*]}" = "${DPDK_VERSION}" ]] || [[ -z "${DPDK_VERSION}" ]]; then - echo "Unsupported DPDK version: ${DPDK_VERSION}" - echo "Supported DPDK versions: ${DPDK_SUPPORTED_VERSIONS[*]}" - exit 1 - fi - ;; - --dpdk-cpu=*) - DPDK_CPU="${1#*=}" - if [[ $DPDK_CPU =~ ^[0-9]+(m)$ ]] - then - echo "CPU $DPDK_CPU" - else - echo "$DPDK_CPU is not valid, please use the format --dpdk-cpu=m" - exit 1 - fi - ;; - --dpdk-memory=*) - DPDK_MEMORY="${1#*=}" - if [[ $DPDK_MEMORY =~ ^[0-9]+(Gi)$ ]] - then - echo "MEMORY $DPDK_MEMORY" - else - echo "$DPDK_MEMORY is not valid, please use the format --dpdk-memory=Gi" - exit 1 - fi - ;; - -?*) - echo "Unknown argument $1" - exit 1 - ;; - *) break - esac - shift - done - set -u -fi - -echo "-------------------------------" -echo "Kube-OVN Version: $VERSION" -echo "Default Network Mode: $NETWORK_TYPE" -if [[ $NETWORK_TYPE = "vlan" ]];then - echo "Default Vlan Nic: $VLAN_INTERFACE_NAME" - echo "Default Vlan ID: $VLAN_ID" -fi -echo "Default Subnet CIDR: $POD_CIDR" -echo "Join Subnet CIDR: $JOIN_CIDR" -echo "Enable SVC LB: $ENABLE_LB" -echo "Enable Networkpolicy: $ENABLE_NP" -echo "Enable EIP and SNAT: $ENABLE_EIP_SNAT" -echo "Enable Mirror: $ENABLE_MIRROR" -echo "-------------------------------" - -if [[ $ENABLE_SSL = "true" ]];then - echo "[Step 0/6] Generate SSL key and cert" - exist=$(kubectl get secret -n cozy-kubeovn kube-ovn-tls --ignore-not-found) - if [[ $exist == "" ]];then - docker run --rm -v "$PWD":/etc/ovn $REGISTRY/kube-ovn:$VERSION bash generate-ssl.sh - kubectl create secret generic -n cozy-kubeovn kube-ovn-tls --from-file=cacert=cacert.pem --from-file=cert=ovn-cert.pem --from-file=key=ovn-privkey.pem - rm -rf cacert.pem ovn-cert.pem ovn-privkey.pem ovn-req.pem - fi - echo "-------------------------------" - echo "" -fi - -echo "[Step 1/6] Label kube-ovn-master node and label datapath type" -count=$(kubectl get no -l$LABEL --no-headers | wc -l) -node_label="$LABEL" -if [ "${count}" -eq 0 ]; then - 
count=$(kubectl get no -l$DEPRECATED_LABEL --no-headers | wc -l) - node_label="$DEPRECATED_LABEL" - if [ "${count}" -eq 0 ]; then - echo "ERROR: No node with label $LABEL or $DEPRECATED_LABEL found" - exit 1 - fi -fi -kubectl label no -l$node_label kube-ovn/role=master --overwrite - -if [ "$DPDK" = "true" ] || [ "$HYBRID_DPDK" = "true" ]; then - kubectl label no -lovn.kubernetes.io/ovs_dp_type!=userspace ovn.kubernetes.io/ovs_dp_type=kernel --overwrite -fi - -echo "-------------------------------" -echo "" - -echo "[Step 2/6] Install OVN components" -addresses=$(kubectl get no -lkube-ovn/role=master --no-headers -o wide | awk '{print $6}' | tr \\n ',' | sed 's/,$//') -count=$(kubectl get no -lkube-ovn/role=master --no-headers | wc -l) -echo "Install OVN DB in $addresses" - -cat < kube-ovn-crd.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vpc-dnses.kubeovn.io -spec: - group: kubeovn.io - names: - plural: vpc-dnses - singular: vpc-dns - shortNames: - - vpc-dns - kind: VpcDns - listKind: VpcDnsList - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .status.active - name: Active - type: boolean - - jsonPath: .spec.vpc - name: Vpc - type: string - - jsonPath: .spec.subnet - name: Subnet - type: string - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - vpc: - type: string - subnet: - type: string - replicas: - type: integer - minimum: 1 - maximum: 3 - status: - type: object - properties: - active: - type: boolean - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: switch-lb-rules.kubeovn.io -spec: - group: kubeovn.io 
- names: - plural: switch-lb-rules - singular: switch-lb-rule - shortNames: - - slr - kind: SwitchLBRule - listKind: SwitchLBRuleList - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.vip - name: vip - type: string - - jsonPath: .status.ports - name: port(s) - type: string - - jsonPath: .status.service - name: service - type: string - - jsonPath: .metadata.creationTimestamp - name: age - type: date - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - namespace: - type: string - vip: - type: string - sessionAffinity: - type: string - ports: - items: - properties: - name: - type: string - port: - type: integer - minimum: 1 - maximum: 65535 - protocol: - type: string - targetPort: - type: integer - minimum: 1 - maximum: 65535 - type: object - type: array - selector: - items: - type: string - type: array - endpoints: - items: - type: string - type: array - status: - type: object - properties: - ports: - type: string - service: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vpc-nat-gateways.kubeovn.io -spec: - group: kubeovn.io - names: - plural: vpc-nat-gateways - singular: vpc-nat-gateway - shortNames: - - vpc-nat-gw - kind: VpcNatGateway - listKind: VpcNatGatewayList - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.vpc - name: Vpc - type: string - - jsonPath: .spec.subnet - name: Subnet - type: string - - jsonPath: .spec.lanIp - name: LanIP - type: string - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - externalSubnets: - items: - type: string - type: array - selector: - type: array - items: - type: string - qosPolicy: - type: string - tolerations: - type: array - items: - type: object - properties: - key: - type: 
string - operator: - type: string - enum: - - Equal - - Exists - value: - type: string - effect: - type: string - enum: - - NoExecute - - NoSchedule - - PreferNoSchedule - tolerationSeconds: - type: integer - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object 
- type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: 
object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - spec: - type: object - properties: - lanIp: - type: string - subnet: - type: string - externalSubnets: - items: - type: string - type: array - vpc: - type: string - selector: - type: array - items: - type: string - qosPolicy: - type: string - tolerations: - type: array - items: - type: object - properties: - key: - type: string - operator: - type: string - enum: - - Equal - - Exists - value: - type: string - effect: - type: string - enum: - - NoExecute - - NoSchedule - - PreferNoSchedule - tolerationSeconds: - type: integer - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - 
type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: 
object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - weight: - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - x-kubernetes-patch-strategy: merge - x-kubernetes-patch-merge-key: key - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-eips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-eips - singular: iptables-eip - shortNames: - - eip - kind: IptablesEIP - listKind: IptablesEIPList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.ip - name: IP - type: string - - jsonPath: .spec.macAddress - name: Mac - type: string - - jsonPath: .status.nat - name: Nat - type: string - - jsonPath: .spec.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - ip: - type: string - nat: - type: string - redo: - type: string - qosPolicy: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - 
type: string - spec: - type: object - properties: - v4ip: - type: string - v6ip: - type: string - macAddress: - type: string - natGwDp: - type: string - qosPolicy: - type: string - externalSubnet: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-fip-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-fip-rules - singular: iptables-fip-rule - shortNames: - - fip - kind: IptablesFIPRule - listKind: IptablesFIPRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.eip - name: Eip - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .spec.internalIp - name: InternalIp - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - natGwDp: - type: string - redo: - type: string - internalIp: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - eip: - type: string - internalIp: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-dnat-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-dnat-rules - singular: iptables-dnat-rule - shortNames: - - dnat - kind: IptablesDnatRule - listKind: IptablesDnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: 
.spec.eip - name: Eip - type: string - - jsonPath: .spec.protocol - name: Protocol - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .spec.internalIp - name: InternalIp - type: string - - jsonPath: .spec.externalPort - name: ExternalPort - type: string - - jsonPath: .spec.internalPort - name: InternalPort - type: string - - jsonPath: .status.natGwDp - name: NatGwDp - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - natGwDp: - type: string - redo: - type: string - protocol: - type: string - internalIp: - type: string - internalPort: - type: string - externalPort: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - eip: - type: string - externalPort: - type: string - protocol: - type: string - internalIp: - type: string - internalPort: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: iptables-snat-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: iptables-snat-rules - singular: iptables-snat-rule - shortNames: - - snat - kind: IptablesSnatRule - listKind: IptablesSnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.eip - name: EIP - type: string - - jsonPath: .status.v4ip - name: V4ip - type: string - - jsonPath: .status.v6ip - name: V6ip - type: string - - jsonPath: .spec.internalCIDR - name: InternalCIDR - type: string - - jsonPath: .status.natGwDp - name: NatGwDp - type: string 
- - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - natGwDp: - type: string - redo: - type: string - internalCIDR: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - eip: - type: string - internalCIDR: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-eips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-eips - singular: ovn-eip - shortNames: - - oeip - kind: OvnEip - listKind: OvnEipList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.v4Ip - name: V4IP - type: string - - jsonPath: .status.v6Ip - name: V6IP - type: string - - jsonPath: .status.macAddress - name: Mac - type: string - - jsonPath: .status.type - name: Type - type: string - - jsonPath: .status.nat - name: Nat - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - type: - type: string - nat: - type: string - ready: - type: boolean - v4Ip: - type: string - v6Ip: - type: string - macAddress: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - externalSubnet: - type: string - type: - type: string - v4Ip: - type: string - v6Ip: - type: string - macAddress: - type: string ---- 
-apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-fips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-fips - singular: ovn-fip - shortNames: - - ofip - kind: OvnFip - listKind: OvnFipList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v4Ip - name: V4Ip - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .spec.ipType - name: IpType - type: string - - jsonPath: .spec.ipName - name: IpName - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4Ip: - type: string - vpc: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - ipType: - type: string - ipName: - type: string - vpc: - type: string - v4Ip: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-snat-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-snat-rules - singular: ovn-snat-rule - shortNames: - - osnat - kind: OvnSnatRule - listKind: OvnSnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v4IpCidr - name: V4IpCidr - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - 
status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4IpCidr: - type: string - vpc: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - vpcSubnet: - type: string - ipName: - type: string - vpc: - type: string - v4IpCidr: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ovn-dnat-rules.kubeovn.io -spec: - group: kubeovn.io - names: - plural: ovn-dnat-rules - singular: ovn-dnat-rule - shortNames: - - odnat - kind: OvnDnatRule - listKind: OvnDnatRuleList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .status.vpc - name: Vpc - type: string - - jsonPath: .spec.ovnEip - name: Eip - type: string - - jsonPath: .status.protocol - name: Protocol - type: string - - jsonPath: .status.v4Eip - name: V4Eip - type: string - - jsonPath: .status.v4Ip - name: V4Ip - type: string - - jsonPath: .status.internalPort - name: InternalPort - type: string - - jsonPath: .status.externalPort - name: ExternalPort - type: string - - jsonPath: .spec.ipName - name: IpName - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - ready: - type: boolean - v4Eip: - type: string - v4Ip: - type: string - vpc: - type: string - externalPort: - type: string - internalPort: - type: string - protocol: - type: string - ipName: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - 
lastTransitionTime: - type: string - spec: - type: object - properties: - ovnEip: - type: string - ipType: - type: string - ipName: - type: string - externalPort: - type: string - internalPort: - type: string - protocol: - type: string - vpc: - type: string - v4Ip: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vpcs.kubeovn.io -spec: - group: kubeovn.io - versions: - - additionalPrinterColumns: - - jsonPath: .status.enableExternal - name: EnableExternal - type: boolean - - jsonPath: .status.enableBfd - name: EnableBfd - type: boolean - - jsonPath: .status.standby - name: Standby - type: boolean - - jsonPath: .status.subnets - name: Subnets - type: string - - jsonPath: .status.extraExternalSubnets - name: ExtraExternalSubnets - type: string - - jsonPath: .spec.namespaces - name: Namespaces - type: string - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - enableExternal: - type: boolean - enableBfd: - type: boolean - namespaces: - items: - type: string - type: array - extraExternalSubnets: - items: - type: string - type: array - staticRoutes: - items: - properties: - policy: - type: string - cidr: - type: string - nextHopIP: - type: string - ecmpMode: - type: string - bfdId: - type: string - routeTable: - type: string - type: object - type: array - policyRoutes: - items: - properties: - priority: - type: integer - action: - type: string - match: - type: string - nextHopIP: - type: string - type: object - type: array - vpcPeerings: - items: - properties: - remoteVpc: - type: string - localConnectIP: - type: string - type: object - type: array - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - type: string - lastUpdateTime: - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - type: object - type: array - default: - type: boolean - defaultLogicalSwitch: - type: string - 
router: - type: string - standby: - type: boolean - enableExternal: - type: boolean - enableBfd: - type: boolean - subnets: - items: - type: string - type: array - extraExternalSubnets: - items: - type: string - type: array - vpcPeerings: - items: - type: string - type: array - tcpLoadBalancer: - type: string - tcpSessionLoadBalancer: - type: string - udpLoadBalancer: - type: string - udpSessionLoadBalancer: - type: string - sctpLoadBalancer: - type: string - sctpSessionLoadBalancer: - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - names: - kind: Vpc - listKind: VpcList - plural: vpcs - shortNames: - - vpc - singular: vpc - scope: Cluster ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ips.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - name: V4IP - type: string - jsonPath: .spec.v4IpAddress - - name: V6IP - type: string - jsonPath: .spec.v6IpAddress - - name: Mac - type: string - jsonPath: .spec.macAddress - - name: Node - type: string - jsonPath: .spec.nodeName - - name: Subnet - type: string - jsonPath: .spec.subnet - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - podName: - type: string - namespace: - type: string - subnet: - type: string - attachSubnets: - type: array - items: - type: string - nodeName: - type: string - ipAddress: - type: string - v4IpAddress: - type: string - v6IpAddress: - type: string - attachIps: - type: array - items: - type: string - macAddress: - type: string - attachMacs: - type: array - items: - type: string - containerID: - type: string - podType: - type: string - scope: Cluster - names: - plural: ips - singular: ip - kind: IP - shortNames: - - ip ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vips.kubeovn.io -spec: - group: kubeovn.io - names: - plural: vips - 
singular: vip - shortNames: - - vip - kind: Vip - listKind: VipList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - additionalPrinterColumns: - - name: V4IP - type: string - jsonPath: .status.v4ip - - name: V6IP - type: string - jsonPath: .status.v6ip - - name: Mac - type: string - jsonPath: .status.mac - - name: PMac - type: string - jsonPath: .spec.parentMac - - name: Subnet - type: string - jsonPath: .spec.subnet - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .status.type - name: Type - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - type: - type: string - ready: - type: boolean - v4ip: - type: string - v6ip: - type: string - mac: - type: string - pv4ip: - type: string - pv6ip: - type: string - pmac: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - namespace: - type: string - subnet: - type: string - type: - type: string - attachSubnets: - type: array - items: - type: string - v4ip: - type: string - macAddress: - type: string - v6ip: - type: string - parentV4ip: - type: string - parentMac: - type: string - parentV6ip: - type: string ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: subnets.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Provider - type: string - jsonPath: .spec.provider - - name: Vpc - type: string - jsonPath: .spec.vpc - - name: Protocol - type: string - jsonPath: .spec.protocol - - name: CIDR - type: string - jsonPath: .spec.cidrBlock - - name: Private - type: boolean - jsonPath: .spec.private - - name: NAT - type: boolean - jsonPath: 
.spec.natOutgoing - - name: Default - type: boolean - jsonPath: .spec.default - - name: GatewayType - type: string - jsonPath: .spec.gatewayType - - name: V4Used - type: number - jsonPath: .status.v4usingIPs - - name: V4Available - type: number - jsonPath: .status.v4availableIPs - - name: V6Used - type: number - jsonPath: .status.v6usingIPs - - name: V6Available - type: number - jsonPath: .status.v6availableIPs - - name: ExcludeIPs - type: string - jsonPath: .spec.excludeIps - - name: U2OInterconnectionIP - type: string - jsonPath: .status.u2oInterconnectionIP - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - v4availableIPs: - type: number - v4usingIPs: - type: number - v6availableIPs: - type: number - v6usingIPs: - type: number - activateGateway: - type: string - dhcpV4OptionsUUID: - type: string - dhcpV6OptionsUUID: - type: string - u2oInterconnectionIP: - type: string - u2oInterconnectionVPC: - type: string - v4usingIPrange: - type: string - v4availableIPrange: - type: string - v6usingIPrange: - type: string - v6availableIPrange: - type: string - natOutgoingPolicyRules: - type: array - items: - type: object - properties: - ruleID: - type: string - action: - type: string - enum: - - nat - - forward - match: - type: object - properties: - srcIPs: - type: string - dstIPs: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - vpc: - type: string - default: - type: boolean - protocol: - type: string - enum: - - IPv4 - - IPv6 - - Dual - cidrBlock: - type: string - namespaces: - type: array - items: - type: string - gateway: - type: string - provider: - type: string - excludeIps: - type: array - items: - type: string - vips: - type: array - items: - type: string - gatewayType: - type: 
string - allowSubnets: - type: array - items: - type: string - gatewayNode: - type: string - natOutgoing: - type: boolean - externalEgressGateway: - type: string - policyRoutingPriority: - type: integer - minimum: 1 - maximum: 32765 - policyRoutingTableID: - type: integer - minimum: 1 - maximum: 2147483647 - not: - enum: - - 252 # compat - - 253 # default - - 254 # main - - 255 # local - mtu: - type: integer - minimum: 68 - maximum: 65535 - private: - type: boolean - vlan: - type: string - logicalGateway: - type: boolean - disableGatewayCheck: - type: boolean - disableInterConnection: - type: boolean - enableDHCP: - type: boolean - dhcpV4Options: - type: string - dhcpV6Options: - type: string - enableIPv6RA: - type: boolean - ipv6RAConfigs: - type: string - acls: - type: array - items: - type: object - properties: - direction: - type: string - enum: - - from-lport - - to-lport - priority: - type: integer - minimum: 0 - maximum: 32767 - match: - type: string - action: - type: string - enum: - - allow-related - - allow-stateless - - allow - - drop - - reject - natOutgoingPolicyRules: - type: array - items: - type: object - properties: - action: - type: string - enum: - - nat - - forward - match: - type: object - properties: - srcIPs: - type: string - dstIPs: - type: string - u2oInterconnection: - type: boolean - u2oInterconnectionIP: - type: string - enableLb: - type: boolean - enableEcmp: - type: boolean - routeTable: - type: string - scope: Cluster - names: - plural: subnets - singular: subnet - kind: Subnet - shortNames: - - subnet ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ippools.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Subnet - type: string - jsonPath: .spec.subnet - - name: IPs - type: string - jsonPath: .spec.ips - - name: V4Used - type: number - jsonPath: .status.v4UsingIPs - - name: 
V4Available - type: number - jsonPath: .status.v4AvailableIPs - - name: V6Used - type: number - jsonPath: .status.v6UsingIPs - - name: V6Available - type: number - jsonPath: .status.v6AvailableIPs - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - subnet: - type: string - x-kubernetes-validations: - - rule: "self == oldSelf" - message: "This field is immutable." - namespaces: - type: array - x-kubernetes-list-type: set - items: - type: string - ips: - type: array - minItems: 1 - x-kubernetes-list-type: set - items: - type: string - anyOf: - - format: ipv4 - - format: ipv6 - - format: cidr - - pattern: ^(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.\.(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])$ - - pattern: ^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))\.\.((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|:)))$ - required: - - subnet - - ips - status: - type: object - properties: - v4AvailableIPs: - type: number - v4UsingIPs: - type: number - v6AvailableIPs: - type: number - v6UsingIPs: - type: number - v4AvailableIPRange: - type: string - v4UsingIPRange: - type: string - v6AvailableIPRange: - type: string - v6UsingIPRange: - type: string - conditions: - type: array - 
items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - scope: Cluster - names: - plural: ippools - singular: ippool - kind: IPPool - shortNames: - - ippool ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: vlans.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - id: - type: integer - minimum: 0 - maximum: 4095 - provider: - type: string - vlanId: - type: integer - description: Deprecated in favor of id - providerInterfaceName: - type: string - description: Deprecated in favor of provider - required: - - provider - status: - type: object - properties: - subnets: - type: array - items: - type: string - additionalPrinterColumns: - - name: ID - type: string - jsonPath: .spec.id - - name: Provider - type: string - jsonPath: .spec.provider - scope: Cluster - names: - plural: vlans - singular: vlan - kind: Vlan - shortNames: - - vlan ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: provider-networks.kubeovn.io -spec: - group: kubeovn.io - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - properties: - metadata: - type: object - properties: - name: - type: string - maxLength: 12 - not: - enum: - - int - spec: - type: object - properties: - defaultInterface: - type: string - maxLength: 15 - pattern: '^[^/\s]+$' - customInterfaces: - type: array - items: - type: object - properties: - interface: - type: string - maxLength: 15 - pattern: '^[^/\s]+$' - nodes: - type: array - items: - type: string - exchangeLinkName: - type: boolean - excludeNodes: - type: array - items: - type: string - required: - 
- defaultInterface - status: - type: object - properties: - ready: - type: boolean - readyNodes: - type: array - items: - type: string - notReadyNodes: - type: array - items: - type: string - vlans: - type: array - items: - type: string - conditions: - type: array - items: - type: object - properties: - node: - type: string - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - additionalPrinterColumns: - - name: DefaultInterface - type: string - jsonPath: .spec.defaultInterface - - name: Ready - type: boolean - jsonPath: .status.ready - scope: Cluster - names: - plural: provider-networks - singular: provider-network - kind: ProviderNetwork - listKind: ProviderNetworkList ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: security-groups.kubeovn.io -spec: - group: kubeovn.io - names: - plural: security-groups - singular: security-group - shortNames: - - sg - kind: SecurityGroup - listKind: SecurityGroupList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - schema: - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - ingressRules: - type: array - items: - type: object - properties: - ipVersion: - type: string - protocol: - type: string - priority: - type: integer - remoteType: - type: string - remoteAddress: - type: string - remoteSecurityGroup: - type: string - portRangeMin: - type: integer - portRangeMax: - type: integer - policy: - type: string - egressRules: - type: array - items: - type: object - properties: - ipVersion: - type: string - protocol: - type: string - priority: - type: integer - remoteType: - type: string - remoteAddress: - type: string - remoteSecurityGroup: - type: string - portRangeMin: - type: integer - portRangeMax: - type: integer - policy: - type: string - allowSameGroupTraffic: - type: boolean - status: - type: object - 
properties: - portGroup: - type: string - allowSameGroupTraffic: - type: boolean - ingressMd5: - type: string - egressMd5: - type: string - ingressLastSyncSuccess: - type: boolean - egressLastSyncSuccess: - type: boolean - subresources: - status: {} - conversion: - strategy: None ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: qos-policies.kubeovn.io -spec: - group: kubeovn.io - names: - plural: qos-policies - singular: qos-policy - shortNames: - - qos - kind: QoSPolicy - listKind: QoSPolicyList - scope: Cluster - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - jsonPath: .spec.shared - name: Shared - type: string - - jsonPath: .spec.bindingType - name: BindingType - type: string - schema: - openAPIV3Schema: - type: object - properties: - status: - type: object - properties: - shared: - type: boolean - bindingType: - type: string - bandwidthLimitRules: - type: array - items: - type: object - properties: - name: - type: string - interface: - type: string - rateMax: - type: string - burstMax: - type: string - priority: - type: integer - direction: - type: string - matchType: - type: string - matchValue: - type: string - conditions: - type: array - items: - type: object - properties: - type: - type: string - status: - type: string - reason: - type: string - message: - type: string - lastUpdateTime: - type: string - lastTransitionTime: - type: string - spec: - type: object - properties: - shared: - type: boolean - bindingType: - type: string - bandwidthLimitRules: - type: array - items: - type: object - properties: - name: - type: string - interface: - type: string - rateMax: - type: string - burstMax: - type: string - priority: - type: integer - direction: - type: string - matchType: - type: string - matchValue: - type: string - required: - - name - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map -EOF - -cat < ovn-ovs-sa.yaml ---- 
-apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovn-ovs - namespace: cozy-kubeovn ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn-ovs -rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - patch - - apiGroups: - - "" - - networking.k8s.io - - apps - resources: - - services - - endpoints - verbs: - - get - - apiGroups: - - apps - resources: - - controllerrevisions - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn-ovs -roleRef: - name: system:ovn-ovs - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovn-ovs - namespace: cozy-kubeovn -EOF - -cat < kube-ovn-sa.yaml ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ovn - namespace: cozy-kubeovn ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:ovn -rules: - - apiGroups: - - "kubeovn.io" - resources: - - vpcs - - vpcs/status - - vpc-nat-gateways - - vpc-nat-gateways/status - - subnets - - subnets/status - - ippools - - ippools/status - - ips - - vips - - vips/status - - vlans - - vlans/status - - provider-networks - - provider-networks/status - - security-groups - - security-groups/status - - iptables-eips - - iptables-fip-rules - - iptables-dnat-rules - - iptables-snat-rules - - iptables-eips/status - - iptables-fip-rules/status - - iptables-dnat-rules/status - - iptables-snat-rules/status - - ovn-eips - - ovn-fips - - ovn-snat-rules - - ovn-eips/status - - ovn-fips/status - - ovn-snat-rules/status - - ovn-dnat-rules - - ovn-dnat-rules/status - - switch-lb-rules - - switch-lb-rules/status - - vpc-dnses - - vpc-dnses/status - - qos-policies - - qos-policies/status - verbs: - - "*" - - apiGroups: - - "" - resources: - - pods - - pods/exec - - 
namespaces - - nodes - - configmaps - verbs: - - create - - get - - list - - watch - - patch - - update - - apiGroups: - - "k8s.cni.cncf.io" - resources: - - network-attachment-definitions - verbs: - - get - - apiGroups: - - "" - - networking.k8s.io - - apps - resources: - - networkpolicies - - daemonsets - verbs: - - get - - list - - watch - - apiGroups: - - "" - - apps - resources: - - services/status - verbs: - - update - - apiGroups: - - "" - - networking.k8s.io - - apps - - extensions - resources: - - services - - endpoints - - statefulsets - - deployments - - deployments/scale - verbs: - - create - - delete - - update - - patch - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - "*" - - apiGroups: - - "kubevirt.io" - resources: - - virtualmachines - - virtualmachineinstances - verbs: - - get - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ovn -roleRef: - name: system:ovn - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: ovn - namespace: cozy-kubeovn -EOF - -cat < kube-ovn-cni-sa.yaml ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-cni - namespace: cozy-kubeovn ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:kube-ovn-cni -rules: - - apiGroups: - - "kubeovn.io" - resources: - - subnets - - provider-networks - - ovn-eips - - ovn-eips/status - - ips - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - "" - resources: - - pods - - nodes - - configmaps - verbs: - - get - - list - - patch - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: 
kube-ovn-cni -roleRef: - name: system:kube-ovn-cni - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-cni - namespace: cozy-kubeovn -EOF - -cat < kube-ovn-app-sa.yaml ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-ovn-app - namespace: cozy-kubeovn ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.k8s.io/system-only: "true" - name: system:kube-ovn-app -rules: - - apiGroups: - - "" - resources: - - pods - - nodes - verbs: - - get - - list - - apiGroups: - - "" - - networking.k8s.io - - apps - resources: - - daemonsets - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kube-ovn-app -roleRef: - name: system:kube-ovn-app - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: kube-ovn-app - namespace: cozy-kubeovn -EOF - -kubectl apply -f kube-ovn-crd.yaml -kubectl apply -f ovn-ovs-sa.yaml -kubectl apply -f kube-ovn-sa.yaml -kubectl apply -f kube-ovn-cni-sa.yaml -kubectl apply -f kube-ovn-app-sa.yaml - -cat < ovn.yaml ---- -kind: Service -apiVersion: v1 -metadata: - name: ovn-nb - namespace: cozy-kubeovn -spec: - ports: - - name: ovn-nb - protocol: TCP - port: 6641 - targetPort: 6641 - type: ClusterIP - ${SVC_YAML_IPFAMILYPOLICY} - selector: - app: ovn-central - ovn-nb-leader: "true" - sessionAffinity: None - ---- -kind: Service -apiVersion: v1 -metadata: - name: ovn-sb - namespace: cozy-kubeovn -spec: - ports: - - name: ovn-sb - protocol: TCP - port: 6642 - targetPort: 6642 - type: ClusterIP - ${SVC_YAML_IPFAMILYPOLICY} - selector: - app: ovn-central - ovn-sb-leader: "true" - sessionAffinity: None - ---- -kind: Service -apiVersion: v1 -metadata: - name: ovn-northd - namespace: cozy-kubeovn -spec: - ports: - - name: ovn-northd - protocol: TCP - port: 6643 - targetPort: 6643 - type: ClusterIP - ${SVC_YAML_IPFAMILYPOLICY} - 
selector: - app: ovn-central - ovn-northd-leader: "true" - sessionAffinity: None ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - name: ovn-central - namespace: cozy-kubeovn - annotations: - kubernetes.io/description: | - OVN components: northd, nb and sb. -spec: - replicas: $count - strategy: - rollingUpdate: - maxSurge: 0 - maxUnavailable: 1 - type: RollingUpdate - selector: - matchLabels: - app: ovn-central - template: - metadata: - labels: - app: ovn-central - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: ovn-central - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: ovn-ovs - hostNetwork: true - containers: - - name: ovn-central - image: "$REGISTRY/kube-ovn:$VERSION" - imagePullPolicy: $IMAGE_PULL_POLICY - command: - - /kube-ovn/start-db.sh - securityContext: - capabilities: - add: ["SYS_NICE"] - env: - - name: ENABLE_SSL - value: "$ENABLE_SSL" - - name: NODE_IPS - value: $addresses - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "$ENABLE_BIND_LOCAL_IP" - - name: DEBUG_WRAPPER - value: "$DEBUG_WRAPPER" - - name: PROBE_INTERVAL - value: "180000" - - name: OVN_LEADER_PROBE_INTERVAL - value: "5" - - name: OVN_NORTHD_N_THREADS - value: "1" - - name: ENABLE_COMPACT - value: "$ENABLE_COMPACT" - resources: - requests: - cpu: 300m - memory: 300Mi - limits: - cpu: 3 - memory: 4Gi - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: 
/var/run/ovn - name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - bash - - /kube-ovn/ovn-healthcheck.sh - periodSeconds: 15 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - bash - - /kube-ovn/ovn-healthcheck.sh - initialDelaySeconds: 30 - periodSeconds: 15 - failureThreshold: 5 - timeoutSeconds: 45 - nodeSelector: - kubernetes.io/os: "linux" - kube-ovn/role: "master" - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-sys - hostPath: - path: /sys - - name: host-config-openvswitch - hostPath: - path: /var/lib/openvswitch - - name: host-config-ovn - hostPath: - path: /var/lib/ovn - - name: host-log-ovs - hostPath: - path: $LOG_DIR/openvswitch - - name: host-log-ovn - hostPath: - path: $LOG_DIR/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls -EOF - -kubectl apply -f ovn.yaml - -if $DPDK; then - cat < ovs-ovn-ds.yaml -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ovs-ovn - namespace: cozy-kubeovn - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. 
-spec: - selector: - matchLabels: - app: ovs-dpdk - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: ovs-dpdk - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: ovn-ovs - hostNetwork: true - hostPID: true - containers: - - name: openvswitch - image: "$REGISTRY/kube-ovn-dpdk:$DPDK_VERSION-$VERSION" - imagePullPolicy: $IMAGE_PULL_POLICY - command: ["/kube-ovn/start-ovs-dpdk.sh"] - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "$ENABLE_SSL" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: $addresses - - name: OVN_REMOTE_PROBE_INTERVAL - value: "10000" - - name: OVN_REMOTE_OPENFLOW_INTERVAL - value: "180" - volumeMounts: - - mountPath: /var/run/netns - name: host-ns - mountPropagation: HostToContainer - - mountPath: /lib/modules - name: host-modules - readOnly: true - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - - mountPath: /etc/cni/net.d - name: cni-conf - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /opt/ovs-config - name: host-config-ovs - - mountPath: /dev/hugepages - name: hugepage - - mountPath: /etc/localtime - name: localtime - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - bash - - /kube-ovn/ovs-dpdk-healthcheck.sh - periodSeconds: 5 - timeoutSeconds: 45 - livenessProbe: - exec: - 
command: - - bash - - /kube-ovn/ovs-dpdk-healthcheck.sh - initialDelaySeconds: 60 - periodSeconds: 5 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - cpu: $DPDK_CPU - memory: $DPDK_MEMORY - limits: - cpu: $DPDK_CPU - memory: $DPDK_MEMORY - hugepages-1Gi: 1Gi - nodeSelector: - kubernetes.io/os: "linux" - ovn.kubernetes.io/ovs_dp_type: "kernel" - volumes: - - name: host-modules - hostPath: - path: /lib/modules - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-sys - hostPath: - path: /sys - - name: host-ns - hostPath: - path: /var/run/netns - - name: cni-conf - hostPath: - path: /etc/cni/net.d - - name: host-config-openvswitch - hostPath: - path: /var/lib/openvswitch - - name: host-config-ovn - hostPath: - path: /var/lib/ovn - - name: host-log-ovs - hostPath: - path: $LOG_DIR/openvswitch - - name: host-log-ovn - hostPath: - path: $LOG_DIR/ovn - - name: host-config-ovs - hostPath: - path: /opt/ovs-config - type: DirectoryOrCreate - - name: hugepage - emptyDir: - medium: HugePages - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls -EOF - -else - cat < ovs-ovn-ds.yaml ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ovs-ovn - namespace: cozy-kubeovn - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. 
-spec: - selector: - matchLabels: - app: ovs - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: ovs - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: ovn-ovs - hostNetwork: true - hostPID: true - containers: - - name: openvswitch - image: "$REGISTRY/kube-ovn:$VERSION" - imagePullPolicy: $IMAGE_PULL_POLICY - command: - - /bin/bash - - -c - - | - ln -sf /bin/true /usr/sbin/modinfo - ln -sf /bin/true /usr/sbin/modprobe - exec /kube-ovn/start-ovs.sh - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "$ENABLE_SSL" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: HW_OFFLOAD - value: "$HW_OFFLOAD" - - name: TUNNEL_TYPE - value: "$TUNNEL_TYPE" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: $addresses - - name: DEBUG_WRAPPER - value: "$DEBUG_WRAPPER" - - name: OVN_REMOTE_PROBE_INTERVAL - value: "10000" - - name: OVN_REMOTE_OPENFLOW_INTERVAL - value: "180" - volumeMounts: - - mountPath: /var/run/netns - name: host-ns - mountPropagation: HostToContainer - - mountPath: /lib/modules - name: host-modules - readOnly: true - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /sys - name: host-sys - readOnly: true - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - 
name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - - mountPath: /var/run/containerd - name: cruntime - readOnly: true - readinessProbe: - exec: - command: - - bash - - -c - - LOG_ROTATE=true /kube-ovn/ovs-healthcheck.sh - initialDelaySeconds: 10 - periodSeconds: 5 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - bash - - /kube-ovn/ovs-healthcheck.sh - initialDelaySeconds: 60 - periodSeconds: 5 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - cpu: 200m - memory: 200Mi - limits: - cpu: 1000m - memory: 1000Mi - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-modules - hostPath: - path: /lib/modules - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-sys - hostPath: - path: /sys - - name: host-ns - hostPath: - path: /var/run/netns - - name: host-config-openvswitch - hostPath: - path: /var/lib/openvswitch - - name: host-config-ovn - hostPath: - path: /var/lib/ovn - - name: host-log-ovs - hostPath: - path: $LOG_DIR/openvswitch - - name: host-log-ovn - hostPath: - path: $LOG_DIR/ovn - - name: localtime - hostPath: - path: /etc/localtime - - hostPath: - path: /var/run/containerd - name: cruntime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls -EOF -fi - -kubectl apply -f ovs-ovn-ds.yaml - -if $HYBRID_DPDK; then - -cat < ovn-dpdk.yaml -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: ovs-ovn-dpdk - namespace: cozy-kubeovn - annotations: - kubernetes.io/description: | - This daemon set launches the openvswitch daemon. 
-spec: - selector: - matchLabels: - app: ovs-dpdk - updateStrategy: - type: OnDelete - template: - metadata: - labels: - app: ovs-dpdk - component: network - type: infra - spec: - tolerations: - - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: ovn-ovs - hostNetwork: true - hostPID: true - containers: - - name: openvswitch - image: "$REGISTRY/kube-ovn:${VERSION}-dpdk" - imagePullPolicy: $IMAGE_PULL_POLICY - command: ["/kube-ovn/start-ovs-dpdk-v2.sh"] - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "$ENABLE_SSL" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: HW_OFFLOAD - value: "$HW_OFFLOAD" - - name: TUNNEL_TYPE - value: "$TUNNEL_TYPE" - - name: DPDK_TUNNEL_IFACE - value: "$DPDK_TUNNEL_IFACE" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: $addresses - - name: OVN_REMOTE_PROBE_INTERVAL - value: "10000" - - name: OVN_REMOTE_OPENFLOW_INTERVAL - value: "180" - volumeMounts: - - mountPath: /opt/ovs-config - name: host-config-ovs - - name: shareddir - mountPath: $KUBELET_DIR/pods - - name: hugepage - mountPath: /dev/hugepages - - mountPath: /lib/modules - name: host-modules - readOnly: true - - mountPath: /var/run/openvswitch - name: host-run-ovs - mountPropagation: HostToContainer - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /sys - name: host-sys - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: $LOG_DIR/openvswitch - name: host-log-ovs - - mountPath: $LOG_DIR/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - bash - - -c - - LOG_ROTATE=true /kube-ovn/ovs-healthcheck.sh - periodSeconds: 5 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - bash - - /kube-ovn/ovs-healthcheck.sh 
- initialDelaySeconds: 60 - periodSeconds: 5 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - cpu: 200m - hugepages-2Mi: 1Gi - memory: 200Mi - limits: - cpu: 1000m - hugepages-2Mi: 1Gi - memory: 800Mi - nodeSelector: - kubernetes.io/os: "linux" - ovn.kubernetes.io/ovs_dp_type: "userspace" - volumes: - - name: host-config-ovs - hostPath: - path: /opt/ovs-config - type: DirectoryOrCreate - - name: shareddir - hostPath: - path: $KUBELET_DIR/pods - type: '' - - name: hugepage - emptyDir: - medium: HugePages - - name: host-modules - hostPath: - path: /lib/modules - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-sys - hostPath: - path: /sys - - name: host-config-openvswitch - hostPath: - path: /var/lib/openvswitch - - name: host-config-ovn - hostPath: - path: /var/lib/ovn - - name: host-log-ovs - hostPath: - path: $LOG_DIR/openvswitch - - name: host-log-ovn - hostPath: - path: $LOG_DIR/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls -EOF -kubectl apply -f ovn-dpdk.yaml -fi -kubectl rollout status deployment/ovn-central -n cozy-kubeovn --timeout 300s -kubectl rollout status daemonset/ovs-ovn -n cozy-kubeovn --timeout 120s -echo "-------------------------------" -echo "" - -echo "[Step 3/6] Install Kube-OVN" - -cat < kube-ovn.yaml ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: ovn-vpc-nat-config - namespace: cozy-kubeovn - annotations: - kubernetes.io/description: | - kube-ovn vpc-nat common config -data: - image: $REGISTRY/$VPC_NAT_IMAGE:$VERSION ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: ovn-vpc-nat-gw-config - namespace: cozy-kubeovn -data: - enable-vpc-nat-gw: "$ENABLE_NAT_GW" ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - name: kube-ovn-controller - namespace: cozy-kubeovn - annotations: - kubernetes.io/description: | - kube-ovn controller -spec: - 
replicas: $count - selector: - matchLabels: - app: kube-ovn-controller - strategy: - rollingUpdate: - maxSurge: 0% - maxUnavailable: 100% - type: RollingUpdate - template: - metadata: - labels: - app: kube-ovn-controller - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: "ovn.kubernetes.io/ic-gw" - operator: NotIn - values: - - "true" - weight: 100 - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: kube-ovn-controller - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: ovn - hostNetwork: true - containers: - - name: kube-ovn-controller - image: "$REGISTRY/kube-ovn:$VERSION" - imagePullPolicy: $IMAGE_PULL_POLICY - args: - - /kube-ovn/start-controller.sh - - --default-cidr=$POD_CIDR - - --default-gateway=$POD_GATEWAY - - --default-gateway-check=$CHECK_GATEWAY - - --default-logical-gateway=$LOGICAL_GATEWAY - - --default-u2o-interconnection=$U2O_INTERCONNECTION - - --default-exclude-ips=$EXCLUDE_IPS - - --node-switch-cidr=$JOIN_CIDR - - --service-cluster-ip-range=$SVC_CIDR - - --network-type=$NETWORK_TYPE - - --default-interface-name=$VLAN_INTERFACE_NAME - - --default-exchange-link-name=$EXCHANGE_LINK_NAME - - --default-vlan-id=$VLAN_ID - - --ls-dnat-mod-dl-dst=$LS_DNAT_MOD_DL_DST - - --pod-nic-type=$POD_NIC_TYPE - - --enable-lb=$ENABLE_LB - - --enable-np=$ENABLE_NP - - --enable-eip-snat=$ENABLE_EIP_SNAT - - --enable-external-vpc=$ENABLE_EXTERNAL_VPC - - --logtostderr=false - - --alsologtostderr=true - - --gc-interval=$GC_INTERVAL - - --inspect-interval=$INSPECT_INTERVAL - - --log_file=/var/log/kube-ovn/kube-ovn-controller.log - - --log_file_max_size=0 - - --enable-lb-svc=$ENABLE_LB_SVC - - --keep-vm-ip=$ENABLE_KEEP_VM_IP - - 
--pod-default-fip-type=$POD_DEFAULT_FIP_TYPE - - --node-local-dns-ip=$NODE_LOCAL_DNS_IP - env: - - name: ENABLE_SSL - value: "$ENABLE_SSL" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KUBE_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: OVN_DB_IPS - value: $addresses - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "$ENABLE_BIND_LOCAL_IP" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - # ovn-ic log directory - - mountPath: /var/log/ovn - name: ovn-log - - mountPath: /var/run/tls - name: kube-ovn-tls - readinessProbe: - exec: - command: - - /kube-ovn/kube-ovn-controller-healthcheck - periodSeconds: 3 - timeoutSeconds: 45 - livenessProbe: - exec: - command: - - /kube-ovn/kube-ovn-controller-healthcheck - initialDelaySeconds: 300 - periodSeconds: 7 - failureThreshold: 5 - timeoutSeconds: 45 - resources: - requests: - cpu: 200m - memory: 200Mi - limits: - cpu: 1000m - memory: 1Gi - nodeSelector: - kubernetes.io/os: "linux" - kube-ovn/role: master - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-log - hostPath: - path: $LOG_DIR/kube-ovn - - name: ovn-log - hostPath: - path: $LOG_DIR/ovn - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: kube-ovn-cni - namespace: cozy-kubeovn - annotations: - kubernetes.io/description: | - This daemon set launches the kube-ovn cni daemon. 
-spec: - selector: - matchLabels: - app: kube-ovn-cni - template: - metadata: - labels: - app: kube-ovn-cni - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - effect: NoExecute - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: kube-ovn-cni - hostNetwork: true - hostPID: true - initContainers: - - name: install-cni - image: "$REGISTRY/kube-ovn:$VERSION" - imagePullPolicy: $IMAGE_PULL_POLICY - command: ["/kube-ovn/install-cni.sh"] - securityContext: - runAsUser: 0 - privileged: true - volumeMounts: - - mountPath: /opt/cni/bin - name: cni-bin - - mountPath: /opt/bin - name: local-bin - containers: - - name: cni-server - image: "$REGISTRY/kube-ovn:$VERSION" - imagePullPolicy: $IMAGE_PULL_POLICY - command: - - bash - - /kube-ovn/start-cniserver.sh - args: - - --enable-mirror=$ENABLE_MIRROR - - --enable-arp-detect-ip-conflict=$ENABLE_ARP_DETECT_IP_CONFLICT - - --encap-checksum=true - - --service-cluster-ip-range=$SVC_CIDR - - --iface=${IFACE} - - --dpdk-tunnel-iface=${DPDK_TUNNEL_IFACE} - - --network-type=$TUNNEL_TYPE - - --default-interface-name=$VLAN_INTERFACE_NAME - - --cni-conf-name=${CNI_CONFIG_PRIORITY}-kube-ovn.conflist - - --logtostderr=false - - --alsologtostderr=true - - --log_file=/var/log/kube-ovn/kube-ovn-cni.log - - --log_file_max_size=0 - - --kubelet-dir=$KUBELET_DIR - - --enable-tproxy=$ENABLE_TPROXY - - --ovs-vsctl-concurrency=$OVS_VSCTL_CONCURRENCY - securityContext: - runAsUser: 0 - privileged: true - env: - - name: ENABLE_SSL - value: "$ENABLE_SSL" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: MODULES - value: $MODULES - - name: RPMS - value: $RPMS - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: "$ENABLE_BIND_LOCAL_IP" - - name: DBUS_SYSTEM_BUS_ADDRESS 
- value: "unix:path=/host/var/run/dbus/system_bus_socket" - volumeMounts: - - name: host-modules - mountPath: /lib/modules - readOnly: true - - name: shared-dir - mountPath: $KUBELET_DIR/pods - - mountPath: /etc/openvswitch - name: systemid - readOnly: true - - mountPath: /etc/cni/net.d - name: cni-conf - - mountPath: /run/openvswitch - name: host-run-ovs - mountPropagation: Bidirectional - - mountPath: /run/ovn - name: host-run-ovn - - mountPath: /host/var/run/dbus - name: host-dbus - mountPropagation: HostToContainer - - mountPath: /var/run/netns - name: host-ns - mountPropagation: Bidirectional - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - - mountPath: /var/log/openvswitch - name: host-log-ovs - - mountPath: /var/log/ovn - name: host-log-ovn - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /tmp - name: tmp - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10665 - timeoutSeconds: 3 - readinessProbe: - failureThreshold: 3 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10665 - timeoutSeconds: 3 - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 1000m - memory: 1Gi - nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-modules - hostPath: - path: /lib/modules - - name: shared-dir - hostPath: - path: $KUBELET_DIR/pods - - name: systemid - hostPath: - path: /var/lib/openvswitch - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: cni-conf - hostPath: - path: $CNI_CONF_DIR - - name: cni-bin - hostPath: - path: $CNI_BIN_DIR - - name: host-ns - hostPath: - path: /var/run/netns - - name: host-dbus - hostPath: - path: /var/run/dbus - - name: host-log-ovs - hostPath: - path: $LOG_DIR/openvswitch - - name: kube-ovn-log - hostPath: - path: $LOG_DIR/kube-ovn - - name: host-log-ovn - hostPath: - path: $LOG_DIR/ovn - - name: localtime - hostPath: 
- path: /etc/localtime - - name: tmp - hostPath: - path: /tmp - - name: local-bin - hostPath: - path: /usr/local/bin - ---- -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: kube-ovn-pinger - namespace: cozy-kubeovn - annotations: - kubernetes.io/description: | - This daemon set launches the pinger daemon. -spec: - selector: - matchLabels: - app: kube-ovn-pinger - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: kube-ovn-pinger - component: network - type: infra - spec: - priorityClassName: system-node-critical - serviceAccountName: kube-ovn-app - hostPID: true - containers: - - name: pinger - image: "$REGISTRY/kube-ovn:$VERSION" - command: - - /kube-ovn/kube-ovn-pinger - args: - - --external-address=$PINGER_EXTERNAL_ADDRESS - - --external-dns=$PINGER_EXTERNAL_DOMAIN - - --ds-namespace=cozy-kubeovn - - --logtostderr=false - - --alsologtostderr=true - - --log_file=/var/log/kube-ovn/kube-ovn-pinger.log - - --log_file_max_size=0 - imagePullPolicy: $IMAGE_PULL_POLICY - securityContext: - runAsUser: 0 - privileged: false - env: - - name: ENABLE_SSL - value: "$ENABLE_SSL" - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /var/log/openvswitch - name: host-log-ovs - readOnly: true - - mountPath: /var/log/ovn - name: host-log-ovn - readOnly: true - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 200m - memory: 400Mi - 
nodeSelector: - kubernetes.io/os: "linux" - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: /var/lib/openvswitch - - name: host-log-ovs - hostPath: - path: $LOG_DIR/openvswitch - - name: kube-ovn-log - hostPath: - path: $LOG_DIR/kube-ovn - - name: host-log-ovn - hostPath: - path: $LOG_DIR/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls ---- -kind: Deployment -apiVersion: apps/v1 -metadata: - name: kube-ovn-monitor - namespace: cozy-kubeovn - annotations: - kubernetes.io/description: | - Metrics for OVN components: northd, nb and sb. -spec: - replicas: 1 - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - selector: - matchLabels: - app: kube-ovn-monitor - template: - metadata: - labels: - app: kube-ovn-monitor - component: network - type: infra - spec: - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: kube-ovn-monitor - topologyKey: kubernetes.io/hostname - priorityClassName: system-cluster-critical - serviceAccountName: kube-ovn-app - hostNetwork: true - containers: - - name: kube-ovn-monitor - image: "$REGISTRY/kube-ovn:$VERSION" - imagePullPolicy: $IMAGE_PULL_POLICY - command: ["/kube-ovn/start-ovn-monitor.sh"] - args: - - --log_file=/var/log/kube-ovn/kube-ovn-monitor.log - - --logtostderr=false - - --alsologtostderr=true - - --log_file_max_size=0 - securityContext: - runAsUser: 0 - privileged: false - env: - - name: ENABLE_SSL - value: "$ENABLE_SSL" - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: POD_IPS - valueFrom: - fieldRef: - fieldPath: status.podIPs - - name: ENABLE_BIND_LOCAL_IP - value: 
"$ENABLE_BIND_LOCAL_IP" - resources: - requests: - cpu: 200m - memory: 200Mi - limits: - cpu: 200m - memory: 200Mi - volumeMounts: - - mountPath: /var/run/openvswitch - name: host-run-ovs - - mountPath: /var/run/ovn - name: host-run-ovn - - mountPath: /etc/openvswitch - name: host-config-openvswitch - - mountPath: /etc/ovn - name: host-config-ovn - - mountPath: /var/log/ovn - name: host-log-ovn - readOnly: true - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/tls - name: kube-ovn-tls - - mountPath: /var/log/kube-ovn - name: kube-ovn-log - livenessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10661 - timeoutSeconds: 3 - readinessProbe: - failureThreshold: 3 - initialDelaySeconds: 30 - periodSeconds: 7 - successThreshold: 1 - tcpSocket: - port: 10661 - timeoutSeconds: 3 - nodeSelector: - kubernetes.io/os: "linux" - kube-ovn/role: "master" - volumes: - - name: host-run-ovs - hostPath: - path: /run/openvswitch - - name: host-run-ovn - hostPath: - path: /run/ovn - - name: host-config-openvswitch - hostPath: - path: /var/lib/openvswitch - - name: host-config-ovn - hostPath: - path: /var/lib/ovn - - name: host-log-ovn - hostPath: - path: $LOG_DIR/ovn - - name: localtime - hostPath: - path: /etc/localtime - - name: kube-ovn-tls - secret: - optional: true - secretName: kube-ovn-tls - - name: kube-ovn-log - hostPath: - path: $LOG_DIR/kube-ovn ---- -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-monitor - namespace: cozy-kubeovn - labels: - app: kube-ovn-monitor -spec: - ports: - - name: metrics - port: 10661 - type: ClusterIP - ${SVC_YAML_IPFAMILYPOLICY} - selector: - app: kube-ovn-monitor - sessionAffinity: None ---- -kind: Service -apiVersion: v1 -metadata: - name: kube-ovn-pinger - namespace: cozy-kubeovn - labels: - app: kube-ovn-pinger -spec: - ${SVC_YAML_IPFAMILYPOLICY} - selector: - app: kube-ovn-pinger - ports: - - port: 8080 - name: metrics ---- 
-kind: Service
-apiVersion: v1
-metadata:
- name: kube-ovn-controller
- namespace: cozy-kubeovn
- labels:
- app: kube-ovn-controller
-spec:
- ${SVC_YAML_IPFAMILYPOLICY}
- selector:
- app: kube-ovn-controller
- ports:
- - port: 10660
- name: metrics
----
-kind: Service
-apiVersion: v1
-metadata:
- name: kube-ovn-cni
- namespace: cozy-kubeovn
- labels:
- app: kube-ovn-cni
-spec:
- ${SVC_YAML_IPFAMILYPOLICY}
- selector:
- app: kube-ovn-cni
- ports:
- - port: 10665
- name: metrics
-EOF
-
-kubectl apply -f kube-ovn.yaml
-kubectl rollout status deployment/kube-ovn-controller -n cozy-kubeovn --timeout 300s
-kubectl rollout status daemonset/kube-ovn-cni -n cozy-kubeovn --timeout 300s
-echo "-------------------------------"
-echo ""
-
-echo "[Step 4/6] Delete pod that not in host network mode"
-for ns in $(kubectl get ns --no-headers -o custom-columns=NAME:.metadata.name); do
- for pod in $(kubectl get pod --no-headers -n "$ns" --field-selector spec.restartPolicy=Always -o custom-columns=NAME:.metadata.name,HOST:spec.hostNetwork | awk '{if ($2!="true") print $1}'); do
- kubectl delete pod "$pod" -n "$ns" --ignore-not-found --wait=false
- done
-done
-
-kubectl rollout status daemonset/kube-ovn-pinger -n cozy-kubeovn --timeout 300s
diff --git a/system/kubeovn/values.yaml b/system/kubeovn/values.yaml
index 7c3bfd94..d837893e 100644
--- a/system/kubeovn/values.yaml
+++ b/system/kubeovn/values.yaml
@@ -1,8 +1,20 @@
-_helm:
- name: kubeovn
+kube-ovn:
+ global:
+ registry:
+ address: ghcr.io/kvaps
+ images:
+ kubeovn:
+ repository: test
+ tag: kube-ovn-static-v1.13.0-5
+ namespace: cozy-kubeovn
- createNamespace: true
- privilegedNamespace: true
- crds: CreateReplace
- dependsOn:
- - name: cilium
+ ipv4:
+ POD_CIDR: "10.244.0.0/16"
+ POD_GATEWAY: "10.244.0.1"
+ SVC_CIDR: "10.96.0.0/16"
+
+ func:
+ ENABLE_NP: false
+
+ cni_conf:
+ CNI_CONFIG_PRIORITY: "10"
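Review bot: `ENABLE_NP: false` under `func:` switches off kube-ovn's NetworkPolicy controller (the removed install script handed this value to the controller as `--enable-np`), so NetworkPolicy objects that tenants create will be accepted by the API server but not enforced by this CNI. If another component is meant to enforce them, say so next to the flag, e.g. `ENABLE_NP: false  # NetworkPolicy enforcement intentionally left to <component>; kube-ovn NP controller off`; otherwise this should stay `true`. Separately, the image now resolves to `ghcr.io/kvaps/test:kube-ovn-static-v1.13.0-5`, a personal namespace and a mutable tag, for a CNI that, per the removed manifests, runs privileged with hostNetwork on every node; before this lands, pin the tag to a digest or move the image to a project-controlled registry.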
diff --git a/system/kubevirt-operator/Chart.yaml b/system/kubevirt-operator/Chart.yaml
new file mode 100644
index 00000000..29d365da
--- /dev/null
+++ b/system/kubevirt-operator/Chart.yaml
@@ -0,0 +1,2 @@
+name: cozystack
+version: 0.0.0
diff --git a/system/kubevirt-operator/Makefile b/system/kubevirt-operator/Makefile
new file mode 100644
index 00000000..4f1583aa
--- /dev/null
+++ b/system/kubevirt-operator/Makefile
@@ -0,0 +1,9 @@
+include ../../hack/app-helm.mk
+
+update:
+ rm -rf templates
+ mkdir templates
+ export RELEASE=$$(curl https://storage.googleapis.com/kubevirt-prow/release/kubevirt/kubevirt/stable.txt) && \
+ wget https://github.com/kubevirt/kubevirt/releases/download/$${RELEASE}/kubevirt-operator.yaml -O templates/kubevirt-operator.yaml && \
+ sed -i 's/namespace: kubevirt/namespace: cozy-kubevirt/g' templates/kubevirt-operator.yaml
+ awk -i inplace -v RS="---" '!/kind: Namespace/{printf "%s", $$0 RS}' templates/kubevirt-operator.yaml
diff --git a/system/kubevirt/templates/kubevirt-operator.yaml b/system/kubevirt-operator/templates/kubevirt-operator.yaml
similarity index 100%
rename from system/kubevirt/templates/kubevirt-operator.yaml
rename to system/kubevirt-operator/templates/kubevirt-operator.yaml
diff --git a/system/telepresence/README.md b/system/kubevirt-operator/values.yaml
similarity index 100%
rename from system/telepresence/README.md
rename to system/kubevirt-operator/values.yaml
diff --git a/system/kubevirt/Makefile b/system/kubevirt/Makefile
index ab71f1de..07851c7a 100644
--- a/system/kubevirt/Makefile
+++ b/system/kubevirt/Makefile
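Review bot: The `update` recipe vendors the KubeVirt operator manifest — cluster-wide RBAC and privileged workloads — from a moving `stable.txt` pointer with plain `curl`/`wget` and no checksum or signature check, so whatever those two endpoints serve at update time lands in the chart as a template. `curl` is also run without `-f`/`-sS`, so a non-2xx response body becomes `RELEASE` instead of failing the recipe; the following `wget` would then fail on the malformed URL, but a 2xx response with unexpected content would not be caught. At minimum use `export RELEASE=$$(curl -fsSL https://storage.googleapis.com/kubevirt-prow/release/kubevirt/kubevirt/stable.txt) && test -n "$$RELEASE" && \` and record the resolved version somewhere reviewable (for instance `appVersion` in Chart.yaml) so a later reader can tell which upstream release the vendored manifest came from. `awk -i inplace` is GNU-awk only, which is a portability point rather than a security one.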
@@ -4,7 +4,5 @@ update:
 rm -rf templates
 mkdir templates
 export RELEASE=$$(curl https://storage.googleapis.com/kubevirt-prow/release/kubevirt/kubevirt/stable.txt) && \
- wget https://github.com/kubevirt/kubevirt/releases/download/$${RELEASE}/kubevirt-operator.yaml -O templates/kubevirt-operator.yaml && \
 wget https://github.com/kubevirt/kubevirt/releases/download/$${RELEASE}/kubevirt-cr.yaml -O templates/kubevirt-cr.yaml
- sed -i 's/namespace: kubevirt/namespace: cozy-kubevirt/g' templates/kubevirt-cr.yaml templates/kubevirt-operator.yaml
- awk -i inplace -v RS="---" '!/kind: Namespace/{printf "%s", $$0 RS}' templates/kubevirt-operator.yaml
+ sed -i 's/namespace: kubevirt/namespace: cozy-kubevirt/g' templates/kubevirt-cr.yaml
diff --git a/system/kubevirt/values.yaml b/system/kubevirt/values.yaml
index 04651274..8b137891 100644
--- a/system/kubevirt/values.yaml
+++ b/system/kubevirt/values.yaml
@@ -1,6 +1 @@
-_helm:
- name: kubevirt
- namespace: cozy-kubevirt
- createNamespace: true
- privilegedNamespace: true
- crds: CreateReplace
+
diff --git a/system/linstor/README.md b/system/linstor/README.md
deleted file mode 100644
index 1708af21..00000000
--- a/system/linstor/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# LINSTOR
-
-DRBD and LVM storage provisioner
-
-- Docs: https://linbit.com/drbd-user-guide/linstor-guide-1_0-en/
-- Docs: https://habr.com/ru/companies/flant/articles/680286/
-- Github: https://github.com/LINBIT/linstor-server
-- Docs: https://piraeus.io/site/docs/intro/
-- Github: https://github.com/piraeusdatastore/piraeus-operator
diff --git a/system/linstor/values.yaml b/system/linstor/values.yaml
index e80703b8..8b137891 100644
--- a/system/linstor/values.yaml
+++ b/system/linstor/values.yaml
@@ -1,9 +1 @@
-_helm:
- name: linstor
- namespace: cozy-linstor
- createNamespace: true
- privilegedNamespace: true
- crds: CreateReplace
- dependsOn:
- - name: cert-manager
- - name: piraeus-operator
+
diff --git a/system/mariadb-operator/README.md b/system/mariadb-operator/README.md
deleted file mode 100644
index 02c860ca..00000000
--- a/system/mariadb-operator/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-## MariaDB Operator
-
-Run and operate MariaDB in a cloud native way
-
-- Docs: https://mariadb.com/kb/en/documentation/
-- GitHub: https://github.com/mariadb-operator/mariadb-operator
-- Telegram: t.me/mariadb_course
diff --git a/system/mariadb-operator/templates/.gitkeep b/system/mariadb-operator/templates/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/system/mariadb-operator/values.yaml b/system/mariadb-operator/values.yaml
index 73095b16..8ec0bfce 100644
--- a/system/mariadb-operator/values.yaml
+++ b/system/mariadb-operator/values.yaml
@@ -1,11 +1,3 @@
-_helm:
- name: mariadb-operator
- namespace: cozy-mariadb-operator
- createNamespace: true
- crds: CreateReplace
- dependsOn:
- - name: cert-manager
-
 mariadb-operator:
 metrics:
 enabled: true
diff --git a/system/metallb-addresses/Chart.yaml b/system/metallb-addresses/Chart.yaml
new file mode 100644
index 00000000..29d365da
--- /dev/null
+++ b/system/metallb-addresses/Chart.yaml
@@ -0,0 +1,2 @@
+name: cozystack
+version: 0.0.0
diff --git a/system/metallb-addresses/Makefile b/system/metallb-addresses/Makefile
new file mode 100644
index 00000000..f6bd5a15
--- /dev/null
+++ b/system/metallb-addresses/Makefile
@@ -0,0 +1 @@
+include ../../hack/app-helm.mk
diff --git a/system/metallb/templates/ips.yaml b/system/metallb-addresses/templates/ips.yaml
similarity index 100%
rename from system/metallb/templates/ips.yaml
rename to system/metallb-addresses/templates/ips.yaml
diff --git a/system/metallb-addresses/values.yaml b/system/metallb-addresses/values.yaml
new file mode 100644
index 00000000..276f7e20
--- /dev/null
+++ b/system/metallb-addresses/values.yaml
@@ -0,0 +1,5 @@
+metallb:
+ publicAddresses:
+ - 1.2.3.4
+ privateAddresses:
+ - 192.168.100.200-192.168.100.250
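Review bot: `publicAddresses: - 1.2.3.4` in the new `system/metallb-addresses/values.yaml` ships a real, routable address as the chart default, so an installation that does not override it will have MetalLB advertise an IP the cluster does not own. Defaults that must be set per installation are safer as an empty list with a comment, e.g. `publicAddresses: []  # must be set per cluster; e.g. 203.0.113.10 (documentation range, constructed example)`, and the same applies to the `privateAddresses` range. These values were moved here unchanged from `system/metallb/values.yaml`, so the problem is pre-existing, but the new file is the natural place to fix it.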
diff --git a/system/metallb/README.md b/system/metallb/README.md
deleted file mode 100644
index 20934ab3..00000000
--- a/system/metallb/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# MetalLB
-
-A network load-balancer implementation for Kubernetes using standard routing protocols
-
-- GitHub: https://github.com/metallb/metallb
-- Docs: https://metallb.universe.tf/
-- Docs: https://habr.com/ru/articles/501842/
-- Telegram: https://t.me/kubernetes_ru
diff --git a/system/metallb/values.yaml b/system/metallb/values.yaml
index b19ac2dd..737f17cf 100644
--- a/system/metallb/values.yaml
+++ b/system/metallb/values.yaml
@@ -1,18 +1,6 @@
-_helm:
- name: metallb
- namespace: cozy-metallb
- createNamespace: true
- privilegedNamespace: true
- crds: CreateReplace
-
 metallb:
 crds:
 enabled: true
- speaker:
- tolerateMaster: false
-
- publicAddresses:
- - 1.2.3.4
- privateAddresses:
- - 192.168.100.200-192.168.100.250
+ #speaker:
+ # tolerateMaster: false
diff --git a/system/monitoring-hub/.helmignore b/system/monitoring-hub/.helmignore
deleted file mode 100644
index 70528e63..00000000
--- a/system/monitoring-hub/.helmignore
+++ /dev/null
@@ -1 +0,0 @@
-grafana-dashboards
diff --git a/system/monitoring-hub/README.md b/system/monitoring-hub/README.md
deleted file mode 100644
index e6fc4527..00000000
--- a/system/monitoring-hub/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# Grafana and Grafana OnCall
-
-Grafana is the open source analytics & monitoring solution for every database.
-
-- Docs: https://grafana.com/docs/grafana/
-- Telegram: https://t.me/metrics_ru
-- Telegram: https://t.me/grafana_ru
-- Telegram: https://t.me/amixr_ru
-
-# How to apply dashboards
-
-Dashboards are generated by helm but applied separately due to limitation for resource size in Kuberentes
-To apply dashboards run:
-
-```
-make dashboards-diff
-make dashboards-apply
-```
diff --git a/system/monitoring-hub/values.yaml b/system/monitoring-hub/values.yaml
deleted file mode 100644
index 1aade8e4..00000000
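Review bot: The added `#speaker:` / `# tolerateMaster: false` lines in `system/metallb/values.yaml` are commented-out configuration with no note on why the setting was disabled or when it should come back, which is the kind of residue that lingers indefinitely. Either drop them (the setting is one line to restore from history) or put a one-line reason above them so the next reader does not have to guess, e.g. `# speaker.tolerateMaster deliberately left unset — <reason>`.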
--- a/system/monitoring-hub/values.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-_helm:
- name: monitoring-hub
- namespace: cozy-monitoring-hub
- createNamespace: true
- dependsOn:
- - name: grafana-operator
- - name: postgres-operator
-
-adminPassword: Moh4ooN9phaech6Sai9aoGiezu4doh2i # TODO
-
-oncall:
- fullnameOverride: grafana-oncall
- #base_url: oncall.grafana.example.org
- database:
- type: postgresql
-
- ingress:
- enabled: false
-
- externalGrafana:
- url: "https://grafana.example.org/"
-
- broker:
- type: redis
-
- cert-manager:
- enabled: false
-
- externalPostgresql:
- host: grafana-oncall-db-rw
- port: 5432
- db_name: app
- user: app
- existingSecret: grafana-oncall-db-app
- passwordKey: password
-
- externalRedis:
- host: rfrm-grafana-oncall
- password: ""
- #existingSecret: grafana-oncall-keydb
- #passwordKey: password
-
- mariadb:
- enabled: false
- postgresql:
- enabled: false
- rabbitmq:
- enabled: false
- redis:
- enabled: false
- grafana:
- enabled: false
diff --git a/system/monitoring/README.md b/system/monitoring/README.md
deleted file mode 100644
index 28e51f92..00000000
--- a/system/monitoring/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# Monitroing components
-
-Prometheus community Helm charts and components.
-Scrape configs for collecting cluster metrics.
-
-- Docs: https://docs.victoriametrics.com/
-- Telegram: https://t.me/kubernetes_ru
-- Telegram: https://t.me/metrics_ru
-- Github: https://github.com/prometheus-community/helm-charts
diff --git a/system/monitoring/templates/vmagent.yaml b/system/monitoring/templates/vmagent.yaml
index 12205dd8..fa67c6d7 100644
--- a/system/monitoring/templates/vmagent.yaml
+++ b/system/monitoring/templates/vmagent.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: cozy-monitoring
 spec:
 externalLabels:
- cluster: sc-dfw1-admin # TODO: {{ .Values._helm.contextName }}
+ cluster: cozystack
 extraArgs:
 promscrape.streamParse: "true"
 remoteWrite:
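Review bot: `cluster: cozystack` in the `vmagent.yaml` hunk hard-codes the same `cluster` external label for every installation, so two clusters remote-writing to a shared backend become indistinguishable and can collide on identical series; the `TODO` it replaces was pointing at making this a value rather than a constant. Since the file is a Helm template, `cluster: {{ .Values.clusterName | default "cozystack" }}` (value name illustrative) keeps the current default while letting each deployment set its own. The object this label belongs to extends beyond the hunk on both sides.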
diff --git a/system/monitoring/values.yaml b/system/monitoring/values.yaml
index 46f87c54..249ef7b3 100644
--- a/system/monitoring/values.yaml
+++ b/system/monitoring/values.yaml
@@ -1,11 +1,3 @@
-_helm:
- name: monitoring
- namespace: cozy-monitoring
- createNamespace: true
- privilegedNamespace: true
- dependsOn:
- - name: victoria-metrics-operator
-
 metrics-server:
 defaultArgs:
 - --cert-dir=/tmp
diff --git a/system/namespaces.yaml b/system/namespaces.yaml
new file mode 100644
index 00000000..993942a2
--- /dev/null
+++ b/system/namespaces.yaml
@@ -0,0 +1,97 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-cert-manager
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ name: cozy-cilium
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-fluxcd
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-grafana-operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-ingress-nginx
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-kubeapps
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ name: cozy-kubeovn
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ name: cozy-kubevirt
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ name: cozy-linstor
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-mariadb-operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ name: cozy-metallb
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ name: cozy-monitoring
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-postgres-operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-rabbitmq-operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-redis-operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-telepresence
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cozy-victoria-metrics-operator
diff --git a/system/piraeus-operator/README.md b/system/piraeus-operator/README.md
deleted file mode 100644
index 34a9b9ff..00000000
--- a/system/piraeus-operator/README.md
+++ /dev/null
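Review bot: Only the `privileged` Pod Security level is declared, and only on six of the seventeen namespaces; the other eleven carry no `pod-security.kubernetes.io/*` label at all, so what is enforced there depends entirely on the API server's admission defaults, which this repository does not control. Since this file replaces the per-chart `privilegedNamespace` flags removed elsewhere in the commit, it is the natural place to make the level explicit everywhere, e.g. for `cozy-cert-manager`: `labels:` / `pod-security.kubernetes.io/enforce: baseline` (or `restricted` where the workload tolerates it), and to pin `pod-security.kubernetes.io/enforce-version` to a release so a Kubernetes upgrade does not silently change what is admitted. A short header comment saying who applies this file (`reconcile.sh` does, in a later hunk) would also help, as nothing else ties the two together.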
@@ -1,12 +0,0 @@
-# Piraeus Operator
-
-The Piraeus Operator manages LINSTOR clusters in Kubernetes.
-
-We use v2 with [patches](https://github.com/piraeusdatastore/piraeus-operator/blob/v2/docs/how-to/talos.md) for Talos
-
-- Docs: https://linbit.com/drbd-user-guide/linstor-guide-1_0-en/
-- Docs: https://habr.com/ru/companies/flant/articles/680286/
-- Docs: https://github.com/piraeusdatastore/piraeus-operator/tree/v2/docs
-- Github: https://github.com/LINBIT/linstor-server
-- Docs: https://piraeus.io/site/docs/intro/
-- Github: https://github.com/piraeusdatastore/piraeus-operator
diff --git a/system/piraeus-operator/values.yaml b/system/piraeus-operator/values.yaml
index f4300f0a..4cb448d1 100644
--- a/system/piraeus-operator/values.yaml
+++ b/system/piraeus-operator/values.yaml
@@ -1,12 +1,3 @@
-_helm:
- name: piraeus-operator
- namespace: cozy-linstor # must be same namespace as linstor
- createNamespace: true
- privilegedNamespace: false
- crds: CreateReplace
- dependsOn:
- - name: cert-manager
-
 piraeus:
 installCRDs: true
 autogenerate: false
diff --git a/system/postgres-operator/README.md b/system/postgres-operator/README.md
deleted file mode 100644
index b24a58a1..00000000
--- a/system/postgres-operator/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# CloudNativePG
-
-CloudNativePG is a Kubernetes operator that covers the full lifecycle of a PostgreSQL database cluster with a primary/standby architecture, using native streaming replication
-
-- Docs: https://cloudnative-pg.io/documentation/
-- Telegram: https://t.me/pgsql
-- Github: https://github.com/cloudnative-pg/cloudnative-pg
diff --git a/system/postgres-operator/templates/.gitkeep b/system/postgres-operator/templates/.gitkeep
deleted file mode 100644
index e69de29b..00000000
diff --git a/system/postgres-operator/values.yaml b/system/postgres-operator/values.yaml
index 14dfa626..6bc9595b 100644
--- a/system/postgres-operator/values.yaml
+++ b/system/postgres-operator/values.yaml
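Review bot: The `# must be same namespace as linstor` comment on the removed `namespace: cozy-linstor` line of `system/piraeus-operator/values.yaml` was the only place the co-location requirement between piraeus-operator and linstor was written down, and the new side of that hunk keeps nothing of it. Wherever the release namespace for `piraeus-operator` is now declared (the helmwave configuration is not in this diff), carry the constraint along, e.g. `# piraeus-operator must be released into cozy-linstor, the same namespace as linstor`.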
@@ -1,11 +1,3 @@
-_helm:
- name: postgres-operator
- namespace: cozy-postgres-operator
- createNamespace: true
- crds: CreateReplace
- dependsOn:
- - name: cert-manager
-
 cloudnative-pg:
 crds:
 create: true
diff --git a/system/rabbitmq-operator/README.md b/system/rabbitmq-operator/README.md
deleted file mode 100644
index a9590379..00000000
--- a/system/rabbitmq-operator/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# RabbitMQ Cluster Kubernetes Operator
-
-- Github: https://github.com/rabbitmq/cluster-operator/
-- Docs: https://www.rabbitmq.com/kubernetes/operator/operator-overview.html
diff --git a/system/rabbitmq-operator/values.yaml b/system/rabbitmq-operator/values.yaml
index 7d065e90..e69de29b 100644
--- a/system/rabbitmq-operator/values.yaml
+++ b/system/rabbitmq-operator/values.yaml
@@ -1,5 +0,0 @@
-_helm:
- name: rabbitmq-operator
- namespace: cozy-rabbitmq-operator
- createNamespace: true
- crds: CreateReplace
diff --git a/system/reconcile.sh b/system/reconcile.sh
new file mode 100755
index 00000000..7109474b
--- /dev/null
+++ b/system/reconcile.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+# The script reacts to changes in the number of IP addresses for master nodes, and then starts reconciliation.
+
+get_ips() {
+ kubectl get nodes -lnode-role.kubernetes.io/control-plane -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address}'
+}
+
+reconcile() {
+ kubectl apply -f namespaces.yaml
+ kubectl label node -lnode-role.kubernetes.io/control-plane kube-ovn/role=master --overwrite
+
+ MASTER_NODES=$(get_ips | tr ' ' ',')
+ MASTER_COUNT=$(echo "$MASTER_NODES" | awk -F, '{ print NF }')
+
+ echo "kube-ovn:
+ MASTER_NODES: \"${MASTER_NODES}\"
+ replicaCount: ${MASTER_COUNT}" > kubeovn/values-runtime.yaml
+
+ helmwave --log-format text up --build || exit $?
+}
+
+wait_for_new_ips() {
+ OLD_MASTER_NODES="$MASTER_NODES"
+ MASTER_NODES=$(get_ips | tr ' ' ',')
+ if [ "$MASTER_NODES" != "$MASTER_NODES" ]; then
+ return
+ fi
+ kubectl get nodes --watch-only=true -w --selector=kubernetes.io/role!=master -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}' | \
+ while read address; do
+ if [ -n "$address" ] && ! echo ",$MASTER_NODES," | grep -q ",$address,"; then
+ return
+ fi
+ done
+}
+
+reconcile
+while wait_for_new_ips; do
+ reconcile
+done
diff --git a/system/redis-operator/README.md b/system/redis-operator/README.md
deleted file mode 100644
index 06176000..00000000
--- a/system/redis-operator/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# Redis-operator
-
-Redis Operator creates/configures/manages redis-failovers atop Kubernetes.
-
-- Docs: https://redis.io/docs/
-- GitHub: https://github.com/spotahome/redis-operator
diff --git a/system/redis-operator/values.yaml b/system/redis-operator/values.yaml
index 80bf438d..eb8c61a9 100644
--- a/system/redis-operator/values.yaml
+++ b/system/redis-operator/values.yaml
@@ -1,9 +1,3 @@
-_helm:
- name: redis-operator
- namespace: cozy-redis-operator
- createNamespace: true
- crds: CreateReplace
-
 redis-operator:
 image:
 tag: v1.3.0-rc1
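Review bot: `if [ "$MASTER_NODES" != "$MASTER_NODES" ]` in `wait_for_new_ips` compares the variable with itself and can never be true, so the early return for a master set that already changed between two reconciles is dead code; `OLD_MASTER_NODES` is assigned on the previous line and is clearly what was meant: `if [ "$MASTER_NODES" != "$OLD_MASTER_NODES" ]; then`. The watch then selects `kubernetes.io/role!=master` (a legacy label) while `get_ips` selects `node-role.kubernetes.io/control-plane`; if the intent stated in the header comment — react to control-plane address changes — is right, the two selectors presumably should agree, and a comment explaining which node set is being watched and why would settle it. The `return` inside `while read` executes in the pipeline's subshell, so the function's exit status is the pipeline's rather than the `return`'s; that subtlety drives the `while wait_for_new_ips` loop at the bottom and deserves a comment. `kubectl apply -f namespaces.yaml` and the `kubeovn/values-runtime.yaml` write are also relative to the caller's working directory, so a `cd "$(dirname "$0")"` near the top would make the script safe to invoke from anywhere.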
diff --git a/system/telepresence/values.yaml b/system/telepresence/values.yaml
index 834662c4..8b137891 100644
--- a/system/telepresence/values.yaml
+++ b/system/telepresence/values.yaml
@@ -1,4 +1 @@
-_helm:
- name: traffic-manager
- namespace: cozy-telepresence
- createNamespace: true
+
diff --git a/system/victoria-metrics-operator/README.md b/system/victoria-metrics-operator/README.md
deleted file mode 100644
index 4be96859..00000000
--- a/system/victoria-metrics-operator/README.md
+++ /dev/null
@@ -1,7 +0,0 @@
-# Victoria Metrics Operator
-
-VictoriaMetrics is a fast, cost-effective and scalable monitoring solution and time series database.
-
-- Docs: https://docs.victoriametrics.com/
-- Telegram: https://t.me/VictoriaMetrics_ru1
-- Telegram: https://t.me/metrics_ru
diff --git a/system/victoria-metrics-operator/values.yaml b/system/victoria-metrics-operator/values.yaml
index 7c573f16..90ad9085 100644
--- a/system/victoria-metrics-operator/values.yaml
+++ b/system/victoria-metrics-operator/values.yaml
@@ -1,9 +1,3 @@
-_helm:
- name: victoria-metrics-operator
- namespace: cozy-victoria-metrics-operator
- createNamespace: true
- crds: CreateReplace
-
 victoria-metrics-operator:
 fullnameOverride: victoria-metrics-operator
 admissionWebhooks: