Merge branch 'aenix-io:main' into main

2026-01-27 18:18:41 +00:00 · 2025-02-06 15:41:38 +03:00
parent f67816e2d3 5a47754a92
commit f02397aab5
17 changed files with 292 additions and 34 deletions
--- a/packages/core/platform/bundles/distro-full.yaml
+++ b/packages/core/platform/bundles/distro-full.yaml
@@ -31,6 +31,13 @@ releases:
      autoDirectNodeRoutes: true
      routingMode: native

+- name: cozy-proxy
+  releaseName: cozystack
+  chart: cozy-cozy-proxy
+  namespace: cozy-system
+  optional: true
+  dependsOn: [cilium]
+
 - name: cert-manager-crds
  releaseName: cert-manager-crds
  chart: cozy-cert-manager-crds
@@ -75,6 +82,10 @@ releases:
  privileged: true
  optional: true
  dependsOn: [cilium,victoria-metrics-operator]
+  values:
+    scrapeRules:
+      etcd:
+        enabled: true

 - name: metallb
  releaseName: metallb
--- a/packages/core/platform/bundles/distro-hosted.yaml
+++ b/packages/core/platform/bundles/distro-hosted.yaml
@@ -58,6 +58,10 @@ releases:
  privileged: true
  optional: true
  dependsOn: [victoria-metrics-operator]
+  values:
+    scrapeRules:
+      etcd:
+        enabled: true

 - name: etcd-operator
  releaseName: etcd-operator
--- a/packages/core/platform/bundles/paas-full.yaml
+++ b/packages/core/platform/bundles/paas-full.yaml
@@ -50,6 +50,12 @@ releases:
        SVC_CIDR: "{{ index $cozyConfig.data "ipv4-svc-cidr" }}"
        JOIN_CIDR: "{{ index $cozyConfig.data "ipv4-join-cidr" }}"

+- name: cozy-proxy
+  releaseName: cozystack
+  chart: cozy-cozy-proxy
+  namespace: cozy-system
+  dependsOn: [cilium,kubeovn]
+
 - name: cert-manager-crds
  releaseName: cert-manager-crds
  chart: cozy-cert-manager-crds
@@ -97,6 +103,10 @@ releases:
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [cilium,kubeovn,victoria-metrics-operator]
+  values:
+    scrapeRules:
+      etcd:
+        enabled: true

 - name: kubevirt-operator
  releaseName: kubevirt-operator
--- a/packages/core/platform/bundles/paas-hosted.yaml
+++ b/packages/core/platform/bundles/paas-hosted.yaml
@@ -70,6 +70,10 @@ releases:
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [victoria-metrics-operator]
+  values:
+    scrapeRules:
+      etcd:
+        enabled: true

 - name: etcd-operator
  releaseName: etcd-operator
--- a/packages/system/cozy-proxy/Chart.yaml
+++ b/packages/system/cozy-proxy/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-cozystack-api
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process
--- a/packages/system/cozy-proxy/Makefile
+++ b/packages/system/cozy-proxy/Makefile
@@ -0,0 +1,11 @@
+NAME=cozy-proxy
+NAMESPACE=cozy-system
+
+include ../../../scripts/common-envs.mk
+include ../../../scripts/package.mk
+
+update:
+	rm -rf charts
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/aenix-io/cozy-proxy | awk -F'[/^]' 'END{print $$3}') && \
+	curl -sSL https://github.com/aenix-io/cozy-proxy/archive/refs/tags/$${tag}.tar.gz | \
+	tar xzvf - --strip 1 cozy-proxy-$${tag#*v}/charts
--- a/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: cozy-proxy
+description: A simple kube-proxy addon for 1:1 NAT services in Kubernetes using an NFT backend
+type: application
+version: 0.1.0
+appVersion: 0.1.0
--- a/packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/_helpers.tpl
@@ -0,0 +1,24 @@
+{{- define "cozy-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "cozy-proxy.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if .Values.fullnameOverride -}}
+  {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+  {{- if eq .Release.Name $name }}
+    {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cozy-proxy.labels" -}}
+helm.sh/chart: {{ include "cozy-proxy.name" . }}-{{ .Chart.Version | replace "+" "_" }}
+app.kubernetes.io/name: {{ include "cozy-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
--- a/packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/daemonset.yaml
@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "cozy-proxy.fullname" . }}
+  labels:
+    {{- include "cozy-proxy.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ include "cozy-proxy.name" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ include "cozy-proxy.name" . }}
+      annotations:
+        {{- toYaml .Values.daemonset.podAnnotations | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "cozy-proxy.fullname" . }}
+      hostNetwork: {{ .Values.daemonset.hostNetwork }}
+      containers:
+        - name: cozy-proxy
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            privileged: true
+            capabilities:
+              add: ["NET_ADMIN"]
--- a/packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/role.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cozy-proxy.fullname" . }}
+  labels:
+    {{- include "cozy-proxy.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["get", "list", "watch"]
+{{- end }}
--- a/packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cozy-proxy.fullname" . }}
+  labels:
+    {{- include "cozy-proxy.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "cozy-proxy.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "cozy-proxy.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
--- a/packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/templates/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.rbac.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "cozy-proxy.fullname" . }}
+  labels:
+    {{- include "cozy-proxy.labels" . | nindent 4 }}
+{{- end }}
--- a/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml
+++ b/packages/system/cozy-proxy/charts/cozy-proxy/values.yaml
@@ -0,0 +1,12 @@
+image:
+  repository: ghcr.io/aenix-io/cozystack/cozy-proxy
+  tag: v0.1.0
+  pullPolicy: IfNotPresent
+
+daemonset:
+  hostNetwork: true
+  podAnnotations: {}
+  podLabels: {}
+
+rbac:
+  create: true
--- a/packages/system/cozy-proxy/values.yaml
+++ b/packages/system/cozy-proxy/values.yaml
@@ -0,0 +1,2 @@
+cozy-proxy:
+  fullnameOverride: cozy-proxy
--- a/packages/system/monitoring-agents/templates/etcd-proxy-scrape.yaml
+++ b/packages/system/monitoring-agents/templates/etcd-proxy-scrape.yaml
@@ -0,0 +1,138 @@
+{{- if .Values.scrapeRules.etcd.enabled }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-rbac-proxy
+  namespace: cozy-monitoring
+  labels:
+    app: kube-rbac-proxy
+spec:
+  selector:
+    matchLabels:
+      app: kube-rbac-proxy
+  template:
+    metadata:
+      labels:
+        app: kube-rbac-proxy
+    spec:
+      serviceAccountName: kube-rbac-proxy
+      hostNetwork: true
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      containers:
+      - name: kube-rbac-proxy
+        image: quay.io/brancz/kube-rbac-proxy:v0.11.0
+        args:
+        - "--secure-listen-address=$(NODE_IP):9443"
+        - "--upstream=http://127.0.0.1:2381/"
+        env:
+        - name: NODE_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.hostIP
+        ports:
+        - containerPort: 9443
+          name: etcd-metrics
+        securityContext:
+          runAsUser: 1000
+          runAsNonRoot: true
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-rbac-proxy
+  namespace: cozy-monitoring
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-rbac-proxy-auth
+rules:
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: ["create"]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: ["create"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kube-rbac-proxy-auth-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-rbac-proxy-auth
+subjects:
+  - kind: ServiceAccount
+    name: kube-rbac-proxy
+    namespace: cozy-monitoring
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vm-scrape
+  namespace: cozy-monitoring
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: etcd-metrics-reader
+rules:
+- nonResourceURLs: ["/metrics"]
+  verbs: ["get"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: etcd-metrics-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: etcd-metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: vm-scrape
+  namespace: cozy-monitoring
+
+---
+
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: vm-token
+  annotations:
+    kubernetes.io/service-account.name: vm-scrape
+
+---
+
+apiVersion: operator.victoriametrics.com/v1beta1
+kind: VMPodScrape
+metadata:
+  name: etcd-managment-scrape
+spec:
+  podMetricsEndpoints:
+    - port: etcd-metrics
+      scheme: https
+      tlsConfig:
+        insecureSkipVerify: true
+      bearerTokenSecret:
+        name: vm-token
+        key: token
+  selector:
+    matchLabels:
+      app: kube-rbac-proxy
+{{- end }}
--- a/packages/system/monitoring-agents/templates/etcd-scrape.yaml
+++ b/packages/system/monitoring-agents/templates/etcd-scrape.yaml
@@ -1,34 +0,0 @@
-#---
-#apiVersion: operator.victoriametrics.com/v1beta1
-#kind: VMNodeScrape
-#metadata:
-#  name: kube-etcd
-#  namespace: cozy-monitoring
-#spec:
-#  selector:
-#    node-role.kubernetes.io/control-plane: ""
-#  bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-#  honorLabels: true
-#  metricRelabelConfigs:
-#  - action: labeldrop
-#    regex: (uid)
-#  - action: labeldrop
-#    regex: (id|name)
-#  - action: drop
-#    regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count)
-#    source_labels:
-#    - __name__
-#  port: "2379"
-#  relabelConfigs:
-#  - action: labelmap
-#    regex: __meta_kubernetes_node_label_(.+)
-#  - sourceLabels:
-#    - __metrics_path__
-#    targetLabel: metrics_path
-#  - replacement: etcd
-#    targetLabel: job
-#  scheme: https
-#  scrapeTimeout: 5s
-#  tlsConfig:
-#    caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-#    insecureSkipVerify: true
--- a/packages/system/monitoring-agents/values.yaml
+++ b/packages/system/monitoring-agents/values.yaml
@@ -359,3 +359,7 @@ fluent-bit:
          Name modify
          Match *
          Add cluster root-cluster
+
+scrapeRules:
+  etcd:
+    enabled: false