remove sens, add some apps

This commit is contained in:
Andrei Kvapil
2023-12-11 21:21:20 +01:00
parent ef6696cfd2
commit c82bd2b8e3
64 changed files with 26806 additions and 39 deletions


@@ -0,0 +1,3 @@
images
hack
.gitkeep


@@ -0,0 +1,2 @@
name: app
version: 0.0.0


@@ -0,0 +1,7 @@
include ../../hack/app-helm.mk
update:
rm -rf charts
helm repo add mariadb-operator https://mariadb-operator.github.io/mariadb-operator
helm repo update mariadb-operator
helm pull mariadb-operator/mariadb-operator --untar --untardir charts
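Review bot: The `update` target vendors whatever chart version the repository index currently points at, because the `helm pull` on the last line carries no `--version`, so re-running the target on another day silently replaces the committed `charts/` content with a different upstream release. The Chart.yaml committed alongside this hunk records `version: 0.22.0`, so pinning it, `helm pull mariadb-operator/mariadb-operator --version 0.22.0 --untar --untardir charts`, makes the target reproduce exactly what was reviewed and turns any upstream change into a deliberate, reviewable edit of this file. If the included `../../hack/app-helm.mk` (outside this hunk) already supplies a version variable, passing it here would serve the same purpose.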


@@ -0,0 +1,7 @@
## MariaDB Operator
Run and operate MariaDB in a cloud native way
- Docs: https://mariadb.com/kb/en/documentation/
- GitHub: https://github.com/mariadb-operator/mariadb-operator
- Telegram: t.me/mariadb_course


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,17 @@
apiVersion: v2
appVersion: v0.0.22
description: Run and operate MariaDB in a cloud native way
home: https://github.com/mariadb-operator/mariadb-operator
icon: https://mariadb-operator.github.io/mariadb-operator/assets/mariadb.png
keywords:
- mariadb
- operator
- mariadb-operator
- database
kubeVersion: '>= 1.16.0-0'
maintainers:
- email: mariadb-operator@proton.me
name: mmontes11
name: mariadb-operator
type: application
version: 0.22.0


@@ -0,0 +1,93 @@
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
<p align="center">
<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
</p>
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![AppVersion: v0.0.22](https://img.shields.io/badge/AppVersion-v0.0.22-informational?style=flat-square)
Run and operate MariaDB in a cloud native way
## Installing
```bash
helm repo add mariadb-operator https://mariadb-operator.github.io/mariadb-operator
helm install mariadb-operator mariadb-operator/mariadb-operator
```
## Uninstalling
```bash
helm uninstall mariadb-operator
```
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Affinity to add to controller Pod |
| clusterName | string | `"cluster.local"` | Cluster DNS name |
| extrArgs | list | `[]` | Extra arguments to be passed to the controller entrypoint |
| extraVolumeMounts | list | `[]` | Extra volumes to mount to the container. |
| extraVolumes | list | `[]` | Extra volumes to pass to pod. |
| fullnameOverride | string | `""` | |
| ha.enabled | bool | `false` | Enable high availability |
| ha.leaseId | string | `"mariadb.mmontes.io"` | Lease resource name to be used for leader election |
| ha.replicas | int | `3` | Number of replicas |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` | |
| image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
| imagePullSecrets | list | `[]` | |
| logLevel | string | `"INFO"` | Controller log level |
| metrics.enabled | bool | `false` | Enable prometheus metrics. Prometheus must be installed in the cluster |
| metrics.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the controller ServiceMonitor |
| metrics.serviceMonitor.enabled | bool | `true` | Enable controller ServiceMonitor |
| metrics.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| metrics.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | Node selectors to add to controller Pod |
| podAnnotations | object | `{}` | Annotations to add to controller Pod |
| podSecurityContext | object | `{}` | Security context to add to controller Pod |
| rbac.enabled | bool | `true` | Specifies whether RBAC resources should be created |
| resources | object | `{}` | Resources to add to controller container |
| securityContext | object | `{}` | Security context to add to controller container |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the Pod |
| serviceAccount.enabled | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template |
| tolerations | list | `[]` | Tolerations to add to controller Pod |
| webhook.affinity | object | `{}` | Affinity to add to controller Pod |
| webhook.annotations | object | `{}` | Annotations for webhook configurations. |
| webhook.certificate.certManager | bool | `false` | Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used. |
| webhook.certificate.default | object | `{"annotations":{},"caExpirationDays":365,"certExpirationDays":365,"hook":""}` | Default certificate generated when the chart is installed or upgraded. |
| webhook.certificate.default.annotations | object | `{}` | Annotations for certificate Secret. |
| webhook.certificate.default.caExpirationDays | int | `365` | Certificate authority expiration in days. |
| webhook.certificate.default.certExpirationDays | int | `365` | Certificate expiration in days. |
| webhook.certificate.default.hook | string | `""` | Helm hook to be added to the default certificate. |
| webhook.certificate.path | string | `"/tmp/k8s-webhook-server/serving-certs"` | Path where the certificate will be mounted. |
| webhook.extrArgs | list | `[]` | Extra arguments to be passed to the webhook entrypoint |
| webhook.extraVolumeMounts | list | `[]` | Extra volumes to mount to webhook container |
| webhook.extraVolumes | list | `[]` | Extra volumes to pass to webhook Pod |
| webhook.hostNetwork | bool | `false` | Expose the webhook server in the host network |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/mariadb-operator/mariadb-operator"` | |
| webhook.image.tag | string | `""` | Image tag to use. By default the chart appVersion is used |
| webhook.imagePullSecrets | list | `[]` | |
| webhook.nodeSelector | object | `{}` | Node selectors to add to controller Pod |
| webhook.podAnnotations | object | `{}` | Annotations to add to webhook Pod |
| webhook.podSecurityContext | object | `{}` | Security context to add to webhook Pod |
| webhook.port | int | `10250` | Port to be used by the webhook server |
| webhook.resources | object | `{}` | Resources to add to webhook container |
| webhook.securityContext | object | `{}` | Security context to add to webhook container |
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the Pod |
| webhook.serviceAccount.enabled | bool | `true` | Specifies whether a service account should be created |
| webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account |
| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and enabled is true, a name is generated using the fullname template |
| webhook.serviceMonitor.additionalLabels | object | `{}` | Labels to be added to the webhook ServiceMonitor |
| webhook.serviceMonitor.enabled | bool | `true` | Enable webhook ServiceMonitor. Metrics must be enabled |
| webhook.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| webhook.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| webhook.tolerations | list | `[]` | Tolerations to add to controller Pod |


@@ -0,0 +1,26 @@
{{ $chartRepo := "https://mariadb-operator.github.io/mariadb-operator" }}
{{ $org := "mariadb-operator" }}
{{ $release := "mariadb-operator" }}
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
<p align="center">
<img src="https://mariadb-operator.github.io/mariadb-operator/assets/mariadb-operator.png" alt="mariadb" width="250"/>
</p>
{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.description" . }}
## Installing
```bash
helm repo add {{ $org }} {{ $chartRepo }}
helm install {{ $release }} {{ $org }}/{{ template "chart.name" . }}
```
## Uninstalling
```bash
helm uninstall {{ $release }}
```
{{ template "chart.valuesSection" . }}



@@ -0,0 +1,4 @@
mariadb-operator has been successfully deployed! 🦭
Not sure what to do next? 😅 Check out:
https://github.com/mariadb-operator/mariadb-operator#quickstart


@@ -0,0 +1,118 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "mariadb-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "mariadb-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "mariadb-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "mariadb-operator.labels" -}}
helm.sh/chart: {{ include "mariadb-operator.chart" . }}
{{ include "mariadb-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "mariadb-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Webhook common labels
*/}}
{{- define "mariadb-operator-webhook.labels" -}}
helm.sh/chart: {{ include "mariadb-operator.chart" . }}
{{ include "mariadb-operator-webhook.selectorLabels" . }}
{{ if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{ end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Webhook selector labels
*/}}
{{- define "mariadb-operator-webhook.selectorLabels" -}}
app.kubernetes.io/name: {{ include "mariadb-operator.name" . }}-webhook
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Webhook certificate
*/}}
{{- define "mariadb-operator-webhook.certificate" -}}
{{- if .Values.webhook.certificate.certManager }}
{{- include "mariadb-operator.fullname" . }}-webhook-cert
{{- else }}
{{- include "mariadb-operator.fullname" . }}-webhook-default-cert
{{- end }}
{{- end }}
{{/*
Webhook certificate subject name
*/}}
{{- define "mariadb-operator-webhook.subjectName" -}}
{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
{{- end }}
{{/*
Webhook certificate subject alternative name
*/}}
{{- define "mariadb-operator-webhook.altName" -}}
{{- include "mariadb-operator.fullname" . }}-webhook.{{ .Release.Namespace }}.svc.{{ .Values.clusterName }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "mariadb-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.enabled }}
{{- default (include "mariadb-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the webhook service account to use
*/}}
{{- define "mariadb-operator-webhook.serviceAccountName" -}}
{{- if .Values.webhook.serviceAccount.enabled }}
{{- default (printf "%s-webhook" (include "mariadb-operator.fullname" .)) .Values.webhook.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.webhook.serviceAccount.name }}
{{- end }}
{{- end }}


@@ -0,0 +1,109 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "mariadb-operator.fullname" . }}
labels:
{{ include "mariadb-operator.labels" . | nindent 4 }}
spec:
{{ if .Values.ha.enabled }}
replicas: {{ .Values.ha.replicas}}
{{ end }}
selector:
matchLabels:
{{ include "mariadb-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
{{ with .Values.podAnnotations }}
annotations:
{{ toYaml . | nindent 8 }}
{{ end }}
labels:
{{ include "mariadb-operator.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "mariadb-operator.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
terminationGracePeriodSeconds: 10
{{ with .Values.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{ end }}
{{ with .Values.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{ end }}
{{ with .Values.affinity }}
affinity:
{{ toYaml . | nindent 8 }}
{{ end }}
{{ with .Values.podSecurityContext }}
securityContext:
{{ toYaml . | nindent 8 }}
{{ end }}
containers:
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: controller
args:
- --metrics-addr=:8080
- --log-level={{ .Values.logLevel }}
{{- if .Values.ha.enabled }}
- --leader-elect
{{- end }}
{{- if .Values.metrics.enabled }}
- --service-monitor-reconciler
{{- end }}
{{- range .Values.extrArgs }}
- {{ . }}
{{- end }}
ports:
- containerPort: 8080
protocol: TCP
name: metrics
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterName }}
- name: MARIADB_OPERATOR_NAME
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: MARIADB_OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MARIADB_OPERATOR_SA_PATH
value: /var/run/secrets/kubernetes.io/serviceaccount/token
{{- if .Values.extraVolumeMounts }}
volumeMounts:
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{ with .Values.resources }}
resources:
{{ toYaml . | nindent 12 }}
{{ end }}
{{ with .Values.securityContext}}
securityContext:
{{ toYaml . | nindent 12 }}
{{ end }}
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
livenessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
startupProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 20
periodSeconds: 10
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}


@@ -0,0 +1,434 @@
{{- if .Values.rbac.enabled -}}
{{ $fullName := include "mariadb-operator.fullname" . }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $fullName }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $fullName }}
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- endpoints
- endpoints/restricted
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list
- patch
- watch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- create
- list
- patch
- watch
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- list
- patch
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- list
- patch
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- create
- list
- patch
- watch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- create
- list
- patch
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- list
- patch
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- backups
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- backups/finalizers
verbs:
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- backups/status
verbs:
- get
- patch
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- connections
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- connections
- restores
verbs:
- create
- list
- patch
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- connections/finalizers
verbs:
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- connections/status
verbs:
- get
- patch
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- databases
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- databases/finalizers
verbs:
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- databases/status
verbs:
- get
- patch
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- grants
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- grants/finalizers
verbs:
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- grants/status
verbs:
- get
- patch
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- mariadbs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- mariadbs/finalizers
verbs:
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- mariadbs/status
verbs:
- get
- patch
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- restores
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- restores/finalizers
verbs:
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- restores/status
verbs:
- get
- patch
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- sqljobs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- sqljobs/finalizers
verbs:
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- sqljobs/status
verbs:
- get
- patch
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- users
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- mariadb.mmontes.io
resources:
- users/finalizers
verbs:
- update
- apiGroups:
- mariadb.mmontes.io
resources:
- users/status
verbs:
- get
- patch
- update
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- create
- list
- patch
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- list
- patch
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- rolebindings
- roles
verbs:
- create
- list
- patch
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ $fullName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $fullName }}
subjects:
- kind: ServiceAccount
name: {{ include "mariadb-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $fullName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $fullName }}
subjects:
- kind: ServiceAccount
name: {{ include "mariadb-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $fullName }}:auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ include "mariadb-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,15 @@
{{- if .Values.serviceAccount.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "mariadb-operator.serviceAccountName" . }}
labels:
{{- include "mariadb-operator.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@@ -0,0 +1,36 @@
{{ if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "mariadb-operator.fullname" . }}-metrics
labels:
{{ include "mariadb-operator.labels" . | nindent 4 }}
spec:
ports:
- port: 8080
protocol: TCP
name: metrics
selector:
{{ include "mariadb-operator.selectorLabels" . | nindent 4 }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "mariadb-operator.fullname" . }}
labels:
{{ include "mariadb-operator.labels" . | nindent 4 }}
{{ with .Values.metrics.serviceMonitor.additionalLabels }}
{{ toYaml . | nindent 4 }}
{{ end }}
spec:
selector:
matchLabels:
{{ include "mariadb-operator.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
endpoints:
- port: metrics
interval: {{ .Values.metrics.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{ end }}


@@ -0,0 +1,25 @@
{{ if .Values.webhook.certificate.certManager }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ include "mariadb-operator.fullname" . }}-selfsigned-issuer
labels:
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "mariadb-operator.fullname" . }}-webhook-cert
labels:
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
spec:
dnsNames:
- {{ include "mariadb-operator-webhook.subjectName" . }}
- {{ include "mariadb-operator-webhook.altName" . }}
issuerRef:
kind: Issuer
name: {{ include "mariadb-operator.fullname" . }}-selfsigned-issuer
secretName: {{ include "mariadb-operator.fullname" . }}-webhook-cert
{{ end }}


@@ -0,0 +1,269 @@
{{ $fullName := include "mariadb-operator.fullname" . }}
{{ $subjectName := include "mariadb-operator-webhook.subjectName" . }}
{{ $altNames := list }}
{{ $altNames := append $altNames $subjectName }}
{{ $altNames := append $altNames (include "mariadb-operator-webhook.altName" . ) }}
{{ $ca := genCA $fullName (.Values.webhook.certificate.default.caExpirationDays | int) }}
{{ $cert := genSignedCert $subjectName nil $altNames (.Values.webhook.certificate.default.certExpirationDays | int) $ca }}
{{ if not .Values.webhook.certificate.certManager }}
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: {{ $fullName }}-webhook-default-cert
labels:
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
annotations:
{{ with .Values.webhook.certificate.default.hook }}
helm.sh/hook: {{ . }}
{{ end }}
{{ with .Values.webhook.certificate.default.annotations }}
{{ toYaml . | nindent 4 }}
{{ end }}
data:
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{ end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ $fullName }}-webhook
labels:
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
annotations:
{{ if .Values.webhook.certificate.certManager }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
{{ end }}
{{ with .Values.webhook.certificate.default.hook }}
helm.sh/hook: {{ . }}
{{ end }}
{{ with .Values.webhook.annotations }}
{{ toYaml . | indent 4 }}
{{ end }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ $fullName }}-webhook
namespace: {{ .Release.Namespace }}
path: /mutate-mariadb-mmontes-io-v1alpha1-mariadb
{{ if not .Values.webhook.certificate.certManager }}
caBundle: {{ $ca.Cert | b64enc }}
{{ end }}
failurePolicy: Fail
name: mmariadb.kb.io
rules:
- apiGroups:
- mariadb.mmontes.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- mariadbs
sideEffects: None
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ $fullName }}-webhook
labels:
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
annotations:
{{ if .Values.webhook.certificate.certManager }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "mariadb-operator.fullname" . }}-webhook-cert
{{ end }}
{{ with .Values.webhook.certificate.default.hook }}
helm.sh/hook: {{ . }}
{{ end }}
{{ with .Values.webhook.annotations }}
{{ toYaml . | indent 4 }}
{{ end }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ $fullName }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate-mariadb-mmontes-io-v1alpha1-backup
{{ if not .Values.webhook.certificate.certManager }}
caBundle: {{ $ca.Cert | b64enc }}
{{ end }}
failurePolicy: Fail
name: vbackup.kb.io
rules:
- apiGroups:
- mariadb.mmontes.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- backups
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ $fullName }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate-mariadb-mmontes-io-v1alpha1-connection
{{ if not .Values.webhook.certificate.certManager }}
caBundle: {{ $ca.Cert | b64enc }}
{{ end }}
failurePolicy: Fail
name: vconnection.kb.io
rules:
- apiGroups:
- mariadb.mmontes.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- connections
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ $fullName }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate-mariadb-mmontes-io-v1alpha1-database
{{ if not .Values.webhook.certificate.certManager }}
caBundle: {{ $ca.Cert | b64enc }}
{{ end }}
failurePolicy: Fail
name: vdatabase.kb.io
rules:
- apiGroups:
- mariadb.mmontes.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- databases
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ $fullName }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate-mariadb-mmontes-io-v1alpha1-grant
{{ if not .Values.webhook.certificate.certManager }}
caBundle: {{ $ca.Cert | b64enc }}
{{ end }}
failurePolicy: Fail
name: vgrant.kb.io
rules:
- apiGroups:
- mariadb.mmontes.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- grants
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ $fullName }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate-mariadb-mmontes-io-v1alpha1-mariadb
{{ if not .Values.webhook.certificate.certManager }}
caBundle: {{ $ca.Cert | b64enc }}
{{ end }}
failurePolicy: Fail
name: vmariadb.kb.io
rules:
- apiGroups:
- mariadb.mmontes.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- mariadbs
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ $fullName }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate-mariadb-mmontes-io-v1alpha1-restore
{{ if not .Values.webhook.certificate.certManager }}
caBundle: {{ $ca.Cert | b64enc }}
{{ end }}
failurePolicy: Fail
name: vrestore.kb.io
rules:
- apiGroups:
- mariadb.mmontes.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- restores
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ $fullName }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate-mariadb-mmontes-io-v1alpha1-sqljob
{{ if not .Values.webhook.certificate.certManager }}
caBundle: {{ $ca.Cert | b64enc }}
{{ end }}
failurePolicy: Fail
name: vsqljob.kb.io
rules:
- apiGroups:
- mariadb.mmontes.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- sqljobs
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: {{ $fullName }}-webhook
namespace: {{ .Release.Namespace }}
path: /validate-mariadb-mmontes-io-v1alpha1-user
{{ if not .Values.webhook.certificate.certManager }}
caBundle: {{ $ca.Cert | b64enc }}
{{ end }}
failurePolicy: Fail
name: vuser.kb.io
rules:
- apiGroups:
- mariadb.mmontes.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- users
sideEffects: None


@@ -0,0 +1,107 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "mariadb-operator.fullname" . }}-webhook
labels:
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{ include "mariadb-operator-webhook.selectorLabels" . | nindent 6 }}
template:
metadata:
{{ with .Values.webhook.podAnnotations }}
annotations:
{{ toYaml . | nindent 8 }}
{{ end }}
labels:
{{ include "mariadb-operator-webhook.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.webhook.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "mariadb-operator-webhook.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automount }}
{{ with .Values.webhook.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{ end }}
{{ with .Values.webhook.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{ end }}
{{ with .Values.webhook.affinity }}
affinity:
{{ toYaml . | nindent 8 }}
{{ end }}
{{ with .Values.webhook.podSecurityContext }}
securityContext:
{{ toYaml . | nindent 8 }}
{{ end }}
hostNetwork: {{ .Values.webhook.hostNetwork }}
containers:
- image: "{{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
name: webhook
args:
- webhook
- --cert-dir={{ .Values.webhook.certificate.path }}
- --port={{ .Values.webhook.port }}
- --metrics-addr=:8080
- --health-addr=:8081
- --log-level={{ .Values.logLevel }}
{{- range .Values.extrArgs }}
- {{ . }}
{{- end }}
ports:
- containerPort: {{ .Values.webhook.port }}
protocol: TCP
name: https
- containerPort: 8080
protocol: TCP
name: metrics
- containerPort: 8081
protocol: TCP
name: health
volumeMounts:
- mountPath: {{ .Values.webhook.certificate.path }}
name: cert
readOnly: true
{{- if .Values.webhook.extraVolumeMounts }}
{{- toYaml .Values.webhook.extraVolumeMounts | nindent 12 }}
{{- end }}
readinessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
startupProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
{{ with .Values.webhook.resources }}
resources:
{{ toYaml . | nindent 12 }}
{{ end }}
{{ with .Values.webhook.securityContext}}
securityContext:
{{ toYaml . | nindent 12 }}
{{ end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: {{ include "mariadb-operator-webhook.certificate" . }}
{{- if .Values.webhook.extraVolumes }}
{{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
{{- end }}


@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "mariadb-operator.fullname" . }}-webhook
labels:
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
spec:
ports:
- port: 443
protocol: TCP
targetPort: {{ .Values.webhook.port }}
selector:
{{ include "mariadb-operator-webhook.selectorLabels" . | nindent 4 }}


@@ -0,0 +1,13 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "mariadb-operator-webhook.serviceAccountName" . }}
labels:
{{- include "mariadb-operator-webhook.labels" . | nindent 4 }}
{{- with .Values.webhook.serviceAccount.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}


@@ -0,0 +1,36 @@
{{ if and .Values.metrics.enabled .Values.webhook.serviceMonitor.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "mariadb-operator.fullname" . }}-webhook-metrics
labels:
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
spec:
ports:
- port: 8080
protocol: TCP
name: metrics
selector:
{{ include "mariadb-operator-webhook.selectorLabels" . | nindent 4 }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "mariadb-operator.fullname" . }}-webhook
labels:
{{ include "mariadb-operator-webhook.labels" . | nindent 4 }}
{{ with .Values.webhook.serviceMonitor.additionalLabels }}
{{ toYaml . | nindent 4 }}
{{ end }}
spec:
selector:
matchLabels:
{{ include "mariadb-operator-webhook.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
endpoints:
- port: metrics
interval: {{ .Values.webhook.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.webhook.serviceMonitor.scrapeTimeout }}
{{ end }}


@@ -0,0 +1,161 @@
nameOverride: ""
fullnameOverride: ""
image:
repository: ghcr.io/mariadb-operator/mariadb-operator
pullPolicy: IfNotPresent
# -- Image tag to use. By default the chart appVersion is used
tag: ""
imagePullSecrets: []
# -- Controller log level
logLevel: INFO
# -- Cluster DNS name
clusterName: cluster.local
ha:
# -- Enable high availability
enabled: false
# -- Number of replicas
replicas: 3
# -- Lease resource name to be used for leader election
leaseId: mariadb.mmontes.io
metrics:
# -- Enable prometheus metrics. Prometheus must be installed in the cluster
enabled: false
serviceMonitor:
# -- Enable controller ServiceMonitor
enabled: true
# -- Labels to be added to the controller ServiceMonitor
additionalLabels: {}
# release: kube-prometheus-stack
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
serviceAccount:
# -- Specifies whether a service account should be created
enabled: true
# -- Automounts the service account token in all containers of the Pod
automount: true
# -- Annotations to add to the service account
annotations: {}
# -- Extra Labels to add to the service account
extraLabels: {}
# -- The name of the service account to use.
# If not set and enabled is true, a name is generated using the fullname template
name: ""
rbac:
# -- Specifies whether RBAC resources should be created
enabled: true
# -- Extra arguments to be passed to the controller entrypoint
extrArgs: []
# -- Extra volumes to pass to pod.
extraVolumes: []
# -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to controller Pod
podAnnotations: {}
# -- Security context to add to controller Pod
podSecurityContext: {}
# -- Security context to add to controller container
securityContext: {}
# -- Resources to add to controller container
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# -- Node selectors to add to controller Pod
nodeSelector: {}
# -- Tolerations to add to controller Pod
tolerations: []
# -- Affinity to add to controller Pod
affinity: {}
webhook:
# -- Annotations for webhook configurations.
annotations: {}
image:
repository: ghcr.io/mariadb-operator/mariadb-operator
pullPolicy: IfNotPresent
# -- Image tag to use. By default the chart appVersion is used
tag: ""
imagePullSecrets: []
certificate:
# -- Use cert-manager to issue and rotate the certificate. If set to false, a default certificate will be used.
certManager: false
# -- Default certificate generated when the chart is installed or upgraded.
default:
# -- Certificate authority expiration in days.
caExpirationDays: 365
# -- Certificate expiration in days.
certExpirationDays: 365
# -- Annotations for certificate Secret.
annotations: {}
# -- Helm hook to be added to the default certificate.
hook: ""
# -- Path where the certificate will be mounted.
path: /tmp/k8s-webhook-server/serving-certs
# -- Port to be used by the webhook server
port: 10250
# -- Expose the webhook server in the host network
hostNetwork: false
serviceMonitor:
# -- Enable webhook ServiceMonitor. Metrics must be enabled
enabled: true
# -- Labels to be added to the webhook ServiceMonitor
additionalLabels: {}
# release: kube-prometheus-stack
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
serviceAccount:
# -- Specifies whether a service account should be created
enabled: true
# -- Automounts the service account token in all containers of the Pod
automount: true
# -- Annotations to add to the service account
annotations: {}
# -- Extra Labels to add to the service account
extraLabels: {}
# -- The name of the service account to use.
# If not set and enabled is true, a name is generated using the fullname template
name: ""
# -- Extra arguments to be passed to the webhook entrypoint
extrArgs: []
# -- Extra volumes to pass to webhook Pod
extraVolumes: []
# -- Extra volumes to mount to webhook container
extraVolumeMounts: []
# -- Annotations to add to webhook Pod
podAnnotations: {}
# -- Security context to add to webhook Pod
podSecurityContext: {}
# -- Security context to add to webhook container
securityContext: {}
# -- Resources to add to webhook container
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# -- Node selectors to add to controller Pod
nodeSelector: {}
# -- Tolerations to add to controller Pod
tolerations: []
# -- Affinity to add to controller Pod
affinity: {}


@@ -0,0 +1,14 @@
_helm:
name: mariadb-operator
namespace: cozy-mariadb-operator
createNamespace: true
crds: CreateReplace
dependsOn:
- name: cert-manager
mariadb-operator:
metrics:
enabled: true
webhook:
certificate:
certManager: true
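Review bot: Neither the controller nor the webhook pod is given a security context in this values file, and the vendored chart defaults both `podSecurityContext` and `securityContext` to `{}`, so the operator containers run with no non-root, no-privilege-escalation or dropped-capabilities baseline (the metallb controller template in the same commit hardcodes `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `drop: [ALL]`). Setting the contexts under `mariadb-operator:` keeps the hardening in this repository's values instead of relying on chart defaults; `readOnlyRootFilesystem` for the controller should be confirmed against the operator's runtime write paths before it is enabled. Separately, `metrics.enabled: true` combined with the chart's `serviceMonitor.enabled: true` defaults renders `monitoring.coreos.com/v1` ServiceMonitor objects for both the controller and the webhook, so the install fails unless the Prometheus Operator CRDs are already present; either add the monitoring component to `dependsOn` (if the repository provides one) or set `serviceMonitor.enabled: false` on both.
```yaml
mariadb-operator:
  metrics:
    enabled: true
  # Chart defaults leave both contexts empty; pin a restrictive baseline here.
  podSecurityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
  webhook:
    certificate:
      certManager: true
    podSecurityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL
```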


@@ -0,0 +1,2 @@
name: app
version: 0.0.0

7
system/metallb/Makefile Normal file

@@ -0,0 +1,7 @@
include ../../hack/app-helm.mk
update:
rm -rf charts
helm repo add metallb https://metallb.github.io/metallb
helm repo update metallb
helm pull metallb/metallb --untar --untardir charts
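Review bot: The `helm pull` on the last line is unpinned, so `make update` vendors whichever metallb chart version the repository index serves at that moment, while the Chart.yaml checked in by this commit is 0.13.10; a later refresh can silently pull a newer chart and its bundled CRDs into the tree without that being visible in the Makefile. Pin the version so the update is reproducible and the bump shows up in review: `helm pull metallb/metallb --version 0.13.10 --untar --untardir charts`.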

8
system/metallb/README.md Normal file

@@ -0,0 +1,8 @@
# MetalLB
A network load-balancer implementation for Kubernetes using standard routing protocols
- GitHub: https://github.com/metallb/metallb
- Docs: https://metallb.universe.tf/
- Docs: https://habr.com/ru/articles/501842/
- Telegram: https://t.me/kubernetes_ru


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,6 @@
dependencies:
- name: crds
repository: ""
version: 0.13.10
digest: sha256:afb2e9d5b709e7ded68c21f9d033a0a14a1232be270b0966e5ef2722575afc77
generated: "2023-05-31T15:40:56.282100173+02:00"


@@ -0,0 +1,17 @@
apiVersion: v2
appVersion: v0.13.10
dependencies:
- condition: crds.enabled
name: crds
repository: ""
version: 0.13.10
description: A network load-balancer implementation for Kubernetes using standard
routing protocols
home: https://metallb.universe.tf
icon: https://metallb.universe.tf/images/logo/metallb-white.png
kubeVersion: '>= 1.19.0-0'
name: metallb
sources:
- https://github.com/metallb/metallb
type: application
version: 0.13.10


@@ -0,0 +1,158 @@
# metallb
![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
A network load-balancer implementation for Kubernetes using standard routing protocols
**Homepage:** <https://metallb.universe.tf>
## Source Code
* <https://github.com/metallb/metallb>
## Requirements
Kubernetes: `>= 1.19.0-0`
| Repository | Name | Version |
|------------|------|---------|
| | crds | 0.0.0 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| controller.affinity | object | `{}` | |
| controller.enabled | bool | `true` | |
| controller.image.pullPolicy | string | `nil` | |
| controller.image.repository | string | `"quay.io/metallb/controller"` | |
| controller.image.tag | string | `nil` | |
| controller.labels | object | `{}` | |
| controller.livenessProbe.enabled | bool | `true` | |
| controller.livenessProbe.failureThreshold | int | `3` | |
| controller.livenessProbe.initialDelaySeconds | int | `10` | |
| controller.livenessProbe.periodSeconds | int | `10` | |
| controller.livenessProbe.successThreshold | int | `1` | |
| controller.livenessProbe.timeoutSeconds | int | `1` | |
| controller.logLevel | string | `"info"` | Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
| controller.nodeSelector | object | `{}` | |
| controller.podAnnotations | object | `{}` | |
| controller.priorityClassName | string | `""` | |
| controller.readinessProbe.enabled | bool | `true` | |
| controller.readinessProbe.failureThreshold | int | `3` | |
| controller.readinessProbe.initialDelaySeconds | int | `10` | |
| controller.readinessProbe.periodSeconds | int | `10` | |
| controller.readinessProbe.successThreshold | int | `1` | |
| controller.readinessProbe.timeoutSeconds | int | `1` | |
| controller.resources | object | `{}` | |
| controller.runtimeClassName | string | `""` | |
| controller.securityContext.fsGroup | int | `65534` | |
| controller.securityContext.runAsNonRoot | bool | `true` | |
| controller.securityContext.runAsUser | int | `65534` | |
| controller.serviceAccount.annotations | object | `{}` | |
| controller.serviceAccount.create | bool | `true` | |
| controller.serviceAccount.name | string | `""` | |
| controller.strategy.type | string | `"RollingUpdate"` | |
| controller.tolerations | list | `[]` | |
| crds.enabled | bool | `true` | |
| crds.validationFailurePolicy | string | `"Fail"` | |
| fullnameOverride | string | `""` | |
| imagePullSecrets | list | `[]` | |
| loadBalancerClass | string | `""` | |
| nameOverride | string | `""` | |
| prometheus.controllerMetricsTLSSecret | string | `""` | |
| prometheus.metricsPort | int | `7472` | |
| prometheus.namespace | string | `""` | |
| prometheus.podMonitor.additionalLabels | object | `{}` | |
| prometheus.podMonitor.annotations | object | `{}` | |
| prometheus.podMonitor.enabled | bool | `false` | |
| prometheus.podMonitor.interval | string | `nil` | |
| prometheus.podMonitor.jobLabel | string | `"app.kubernetes.io/name"` | |
| prometheus.podMonitor.metricRelabelings | list | `[]` | |
| prometheus.podMonitor.relabelings | list | `[]` | |
| prometheus.prometheusRule.additionalLabels | object | `{}` | |
| prometheus.prometheusRule.addressPoolExhausted.enabled | bool | `true` | |
| prometheus.prometheusRule.addressPoolExhausted.labels.severity | string | `"alert"` | |
| prometheus.prometheusRule.addressPoolUsage.enabled | bool | `true` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[0].labels.severity | string | `"warning"` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[0].percent | int | `75` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[1].labels.severity | string | `"warning"` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[1].percent | int | `85` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[2].labels.severity | string | `"alert"` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[2].percent | int | `95` | |
| prometheus.prometheusRule.annotations | object | `{}` | |
| prometheus.prometheusRule.bgpSessionDown.enabled | bool | `true` | |
| prometheus.prometheusRule.bgpSessionDown.labels.severity | string | `"alert"` | |
| prometheus.prometheusRule.configNotLoaded.enabled | bool | `true` | |
| prometheus.prometheusRule.configNotLoaded.labels.severity | string | `"warning"` | |
| prometheus.prometheusRule.enabled | bool | `false` | |
| prometheus.prometheusRule.extraAlerts | list | `[]` | |
| prometheus.prometheusRule.staleConfig.enabled | bool | `true` | |
| prometheus.prometheusRule.staleConfig.labels.severity | string | `"warning"` | |
| prometheus.rbacPrometheus | bool | `true` | |
| prometheus.rbacProxy.pullPolicy | string | `nil` | |
| prometheus.rbacProxy.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | |
| prometheus.rbacProxy.tag | string | `"v0.12.0"` | |
| prometheus.scrapeAnnotations | bool | `false` | |
| prometheus.serviceAccount | string | `""` | |
| prometheus.serviceMonitor.controller.additionalLabels | object | `{}` | |
| prometheus.serviceMonitor.controller.annotations | object | `{}` | |
| prometheus.serviceMonitor.controller.tlsConfig.insecureSkipVerify | bool | `true` | |
| prometheus.serviceMonitor.enabled | bool | `false` | |
| prometheus.serviceMonitor.interval | string | `nil` | |
| prometheus.serviceMonitor.jobLabel | string | `"app.kubernetes.io/name"` | |
| prometheus.serviceMonitor.metricRelabelings | list | `[]` | |
| prometheus.serviceMonitor.relabelings | list | `[]` | |
| prometheus.serviceMonitor.speaker.additionalLabels | object | `{}` | |
| prometheus.serviceMonitor.speaker.annotations | object | `{}` | |
| prometheus.serviceMonitor.speaker.tlsConfig.insecureSkipVerify | bool | `true` | |
| prometheus.speakerMetricsTLSSecret | string | `""` | |
| rbac.create | bool | `true` | |
| speaker.affinity | object | `{}` | |
| speaker.enabled | bool | `true` | |
| speaker.excludeInterfaces.enabled | bool | `true` | |
| speaker.frr.enabled | bool | `true` | |
| speaker.frr.image.pullPolicy | string | `nil` | |
| speaker.frr.image.repository | string | `"quay.io/frrouting/frr"` | |
| speaker.frr.image.tag | string | `"8.4.2"` | |
| speaker.frr.metricsPort | int | `7473` | |
| speaker.frr.resources | object | `{}` | |
| speaker.frrMetrics.resources | object | `{}` | |
| speaker.image.pullPolicy | string | `nil` | |
| speaker.image.repository | string | `"quay.io/metallb/speaker"` | |
| speaker.image.tag | string | `nil` | |
| speaker.labels | object | `{}` | |
| speaker.livenessProbe.enabled | bool | `true` | |
| speaker.livenessProbe.failureThreshold | int | `3` | |
| speaker.livenessProbe.initialDelaySeconds | int | `10` | |
| speaker.livenessProbe.periodSeconds | int | `10` | |
| speaker.livenessProbe.successThreshold | int | `1` | |
| speaker.livenessProbe.timeoutSeconds | int | `1` | |
| speaker.logLevel | string | `"info"` | Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
| speaker.memberlist.enabled | bool | `true` | |
| speaker.memberlist.mlBindPort | int | `7946` | |
| speaker.memberlist.mlSecretKeyPath | string | `"/etc/ml_secret_key"` | |
| speaker.nodeSelector | object | `{}` | |
| speaker.podAnnotations | object | `{}` | |
| speaker.priorityClassName | string | `""` | |
| speaker.readinessProbe.enabled | bool | `true` | |
| speaker.readinessProbe.failureThreshold | int | `3` | |
| speaker.readinessProbe.initialDelaySeconds | int | `10` | |
| speaker.readinessProbe.periodSeconds | int | `10` | |
| speaker.readinessProbe.successThreshold | int | `1` | |
| speaker.readinessProbe.timeoutSeconds | int | `1` | |
| speaker.reloader.resources | object | `{}` | |
| speaker.resources | object | `{}` | |
| speaker.runtimeClassName | string | `""` | |
| speaker.serviceAccount.annotations | object | `{}` | |
| speaker.serviceAccount.create | bool | `true` | |
| speaker.serviceAccount.name | string | `""` | |
| speaker.startupProbe.enabled | bool | `true` | |
| speaker.startupProbe.failureThreshold | int | `30` | |
| speaker.startupProbe.periodSeconds | int | `5` | |
| speaker.tolerateMaster | bool | `true` | |
| speaker.tolerations | list | `[]` | |
| speaker.updateStrategy.type | string | `"RollingUpdate"` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)


@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@@ -0,0 +1,10 @@
apiVersion: v2
appVersion: v0.13.10
description: MetalLB CRDs
home: https://metallb.universe.tf
icon: https://metallb.universe.tf/images/logo/metallb-white.png
name: crds
sources:
- https://github.com/metallb/metallb
type: application
version: 0.13.10


@@ -0,0 +1,14 @@
# crds
![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
MetalLB CRDs
**Homepage:** <https://metallb.universe.tf>
## Source Code
* <https://github.com/metallb/metallb>
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)



@@ -0,0 +1,16 @@
package main
# validate serviceAccountName
deny[msg] {
input.kind == "Deployment"
serviceAccountName := input.spec.template.spec.serviceAccountName
not serviceAccountName == "RELEASE-NAME-metallb-controller"
msg = sprintf("controller serviceAccountName '%s' does not match expected value", [serviceAccountName])
}
# validate node selector includes builtin when custom ones are provided
deny[msg] {
input.kind == "Deployment"
not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
}


@@ -0,0 +1,27 @@
package main
# Validate PSP exists in ClusterRole :controller
deny[msg] {
input.kind == "ClusterRole"
input.metadata.name == "metallb:controller"
input.rules[3] == {
"apiGroups": ["policy"],
"resources": ["podsecuritypolicies"],
"resourceNames": ["metallb-controller"],
"verbs": ["use"]
}
msg = "ClusterRole metallb:controller does not include PSP rule"
}
# Validate PSP exists in ClusterRole :speaker
deny[msg] {
input.kind == "ClusterRole"
input.metadata.name == "metallb:speaker"
input.rules[3] == {
"apiGroups": ["policy"],
"resources": ["podsecuritypolicies"],
"resourceNames": ["metallb-controller"],
"verbs": ["use"]
}
msg = "ClusterRole metallb:speaker does not include PSP rule"
}


@@ -0,0 +1,30 @@
package main
# validate serviceAccountName
deny[msg] {
input.kind == "DaemonSet"
serviceAccountName := input.spec.template.spec.serviceAccountName
not serviceAccountName == "RELEASE-NAME-metallb-speaker"
msg = sprintf("speaker serviceAccountName '%s' does not match expected value", [serviceAccountName])
}
# validate METALLB_ML_SECRET_KEY (memberlist)
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.containers[0].env[5].name == "METALLB_ML_SECRET_KEY_PATH"
msg = "speaker env does not contain METALLB_ML_SECRET_KEY_PATH at env[5]"
}
# validate node selector includes builtin when custom ones are provided
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
}
# validate tolerations include the builtins when custom ones are provided
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.tolerations[0] == { "key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists" }
msg = "controller tolerations does not include node-role.kubernetes.io/master:NoSchedule"
}


@@ -0,0 +1,4 @@
MetalLB is now running in the cluster.
Now you can configure it via its CRs. Please refer to the metallb official docs
on how to use the CRs.


@@ -0,0 +1,113 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "metallb.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "metallb.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "metallb.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "metallb.labels" -}}
helm.sh/chart: {{ include "metallb.chart" . }}
{{ include "metallb.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "metallb.selectorLabels" -}}
app.kubernetes.io/name: {{ include "metallb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the controller service account to use
*/}}
{{- define "metallb.controller.serviceAccountName" -}}
{{- if .Values.controller.serviceAccount.create }}
{{- default (printf "%s-controller" (include "metallb.fullname" .)) .Values.controller.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.controller.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the speaker service account to use
*/}}
{{- define "metallb.speaker.serviceAccountName" -}}
{{- if .Values.speaker.serviceAccount.create }}
{{- default (printf "%s-speaker" (include "metallb.fullname" .)) .Values.speaker.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.speaker.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the settings Secret to use.
*/}}
{{- define "metallb.secretName" -}}
{{ default ( printf "%s-memberlist" (include "metallb.fullname" .)) .Values.speaker.secretName | trunc 63 | trimSuffix "-" }}
{{- end -}}
{{- define "metrics.exposedportname" -}}
{{- if .Values.prometheus.secureMetricsPort -}}
"metricshttps"
{{- else -}}
"metrics"
{{- end -}}
{{- end -}}
{{- define "metrics.exposedfrrportname" -}}
{{- if .Values.speaker.frr.secureMetricsPort -}}
"frrmetricshttps"
{{- else -}}
"frrmetrics"
{{- end }}
{{- end }}
{{- define "metrics.exposedport" -}}
{{- if .Values.prometheus.secureMetricsPort -}}
{{ .Values.prometheus.secureMetricsPort }}
{{- else -}}
{{ .Values.prometheus.metricsPort }}
{{- end -}}
{{- end }}
{{- define "metrics.exposedfrrport" -}}
{{- if .Values.speaker.frr.secureMetricsPort -}}
{{ .Values.speaker.frr.secureMetricsPort }}
{{- else -}}
{{ .Values.speaker.frr.metricsPort }}
{{- end }}
{{- end }}


@@ -0,0 +1,181 @@
{{- if .Values.controller.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "metallb.fullname" . }}-controller
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- range $key, $value := .Values.controller.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.controller.strategy }}
strategy: {{- toYaml .Values.controller.strategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "metallb.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
template:
metadata:
{{- if or .Values.prometheus.scrapeAnnotations .Values.controller.podAnnotations }}
annotations:
{{- if .Values.prometheus.scrapeAnnotations }}
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.prometheus.metricsPort }}"
{{- end }}
{{- with .Values.controller.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
labels:
{{- include "metallb.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- range $key, $value := .Values.controller.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- with .Values.controller.runtimeClassName }}
runtimeClassName: {{ . | quote }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "metallb.controller.serviceAccountName" . }}
terminationGracePeriodSeconds: 0
{{- if .Values.controller.securityContext }}
securityContext:
{{ toYaml .Values.controller.securityContext | indent 8 }}
{{- end }}
containers:
- name: controller
image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}
{{- if .Values.controller.image.pullPolicy }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- end }}
{{- if .Values.controller.command }}
command:
- {{ .Values.controller.command }}
{{- end }}
args:
- --port={{ .Values.prometheus.metricsPort }}
{{- with .Values.controller.logLevel }}
- --log-level={{ . }}
{{- end }}
- --cert-service-name=metallb-webhook-service
{{- if .Values.loadBalancerClass }}
- --lb-class={{ .Values.loadBalancerClass }}
{{- end }}
{{- if .Values.controller.webhookMode }}
- --webhook-mode={{ .Values.controller.webhookMode }}
{{- end }}
env:
{{- if and .Values.speaker.enabled .Values.speaker.memberlist.enabled }}
- name: METALLB_ML_SECRET_NAME
value: {{ include "metallb.secretName" . }}
- name: METALLB_DEPLOYMENT
value: {{ template "metallb.fullname" . }}-controller
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: METALLB_BGP_TYPE
value: frr
{{- end }}
ports:
- name: monitoring
containerPort: {{ .Values.prometheus.metricsPort }}
- containerPort: 9443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
{{- if .Values.controller.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /metrics
port: monitoring
initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.controller.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /metrics
port: monitoring
initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
{{- end }}
{{- with .Values.controller.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
{{- if .Values.prometheus.secureMetricsPort }}
- name: kube-rbac-proxy
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
args:
- --logtostderr
- --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
- --upstream=http://127.0.0.1:{{ .Values.prometheus.metricsPort }}/
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
{{- if .Values.prometheus.controllerMetricsTLSSecret }}
- --tls-private-key-file=/etc/metrics/tls.key
- --tls-cert-file=/etc/metrics/tls.crt
{{- end }}
ports:
- containerPort: {{ .Values.prometheus.secureMetricsPort }}
name: metricshttps
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.prometheus.controllerMetricsTLSSecret }}
volumeMounts:
- name: metrics-certs
mountPath: /etc/metrics
readOnly: true
{{- end }}
{{ end }}
nodeSelector:
"kubernetes.io/os": linux
{{- with .Values.controller.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert
{{- if .Values.prometheus.controllerMetricsTLSSecret }}
- name: metrics-certs
secret:
secretName: {{ .Values.prometheus.controllerMetricsTLSSecret }}
{{- end }}
{{- end }}


@@ -0,0 +1,3 @@
{{- if .Values.configInline }}
{{- fail "Starting from v0.13.0 configInline is no longer supported. Please see https://metallb.universe.tf/#backward-compatibility" }}
{{- end }}


@@ -0,0 +1,22 @@
{{- if .Values.speaker.excludeInterfaces.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: metallb-excludel2
data:
excludel2.yaml: |
announcedInterfacesToExclude:
- docker.*
- cbr.*
- dummy.*
- virbr.*
- lxcbr.*
- veth.*
- lo
- ^cali.*
- ^tunl.*
- flannel.*
- kube-ipvs.*
- cni.*
- ^nodelocaldns.*
{{- end }}


@@ -0,0 +1,106 @@
{{- if .Values.prometheus.podMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ template "metallb.fullname" . }}-controller
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.prometheus.podMonitor.additionalLabels }}
{{ toYaml .Values.prometheus.podMonitor.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.podMonitor.annotations }}
annotations:
{{ toYaml .Values.prometheus.podMonitor.annotations | indent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.prometheus.podMonitor.jobLabel | quote }}
selector:
matchLabels:
{{- include "metallb.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
podMetricsEndpoints:
- port: monitoring
path: /metrics
{{- if .Values.prometheus.podMonitor.interval }}
interval: {{ .Values.prometheus.podMonitor.interval }}
{{- end }}
{{- if .Values.prometheus.podMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.podMonitor.metricRelabelings | nindent 4 }}
{{- end }}
{{- if .Values.prometheus.podMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.podMonitor.relabelings | nindent 4 }}
{{- end }}
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ template "metallb.fullname" . }}-speaker
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- if .Values.prometheus.podMonitor.additionalLabels }}
{{ toYaml .Values.prometheus.podMonitor.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.podMonitor.annotations }}
annotations:
{{ toYaml .Values.prometheus.podMonitor.annotations | indent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.prometheus.podMonitor.jobLabel | quote }}
selector:
matchLabels:
{{- include "metallb.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: speaker
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
podMetricsEndpoints:
- port: monitoring
path: /metrics
{{- if .Values.prometheus.podMonitor.interval }}
interval: {{ .Values.prometheus.podMonitor.interval }}
{{- end }}
{{- if .Values.prometheus.podMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.podMonitor.metricRelabelings | nindent 4 }}
{{- end }}
{{- if .Values.prometheus.podMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.podMonitor.relabelings | nindent 4 }}
{{- end }}
---
{{- if .Values.prometheus.rbacPrometheus }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "metallb.fullname" . }}-prometheus
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "metallb.fullname" . }}-prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "metallb.fullname" . }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ required ".Values.prometheus.serviceAccount must be defined when .Values.prometheus.podMonitor.enabled == true" .Values.prometheus.serviceAccount }}
namespace: {{ required ".Values.prometheus.namespace must be defined when .Values.prometheus.podMonitor.enabled == true" .Values.prometheus.namespace }}
{{- end }}
{{- end }}


@@ -0,0 +1,84 @@
{{- if .Values.prometheus.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "metallb.fullname" . }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
{{- if .Values.prometheus.prometheusRule.additionalLabels }}
{{ toYaml .Values.prometheus.prometheusRule.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.annotations }}
annotations:
{{ toYaml .Values.prometheus.prometheusRule.annotations | indent 4 }}
{{- end }}
spec:
groups:
- name: {{ template "metallb.fullname" . }}.rules
rules:
{{- if .Values.prometheus.prometheusRule.staleConfig.enabled }}
- alert: MetalLBStaleConfig
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has a stale config for > 1 minute'`}}
expr: metallb_k8s_client_config_stale_bool{job="{{ include "metallb.name" . }}"} == 1
for: 1m
{{- with .Values.prometheus.prometheusRule.staleConfig.labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.configNotLoaded.enabled }}
- alert: MetalLBConfigNotLoaded
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has not loaded for > 1 minute'`}}
expr: metallb_k8s_client_config_loaded_bool{job="{{ include "metallb.name" . }}"} == 0
for: 1m
{{- with .Values.prometheus.prometheusRule.configNotLoaded.labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.addressPoolExhausted.enabled }}
- alert: MetalLBAddressPoolExhausted
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has exhausted address pool {{ $labels.pool }} for > 1 minute'`}}
expr: metallb_allocator_addresses_in_use_total >= on(pool) metallb_allocator_addresses_total
for: 1m
{{- with .Values.prometheus.prometheusRule.addressPoolExhausted.labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.addressPoolUsage.enabled }}
{{- range .Values.prometheus.prometheusRule.addressPoolUsage.thresholds }}
- alert: MetalLBAddressPoolUsage{{ .percent }}Percent
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has address pool {{ $labels.pool }} past `}}{{ .percent }}{{`% usage for > 1 minute'`}}
expr: ( metallb_allocator_addresses_in_use_total / on(pool) metallb_allocator_addresses_total ) * 100 > {{ .percent }}
{{- with .labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.bgpSessionDown.enabled }}
- alert: MetalLBBGPSessionDown
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has BGP session {{ $labels.peer }} down for > 1 minute'`}}
expr: metallb_bgp_session_up{job="{{ include "metallb.name" . }}"} == 0
for: 1m
{{- with .Values.prometheus.prometheusRule.bgpSessionDown.labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.prometheus.prometheusRule.extraAlerts }}
{{- toYaml . | nindent 4 }}
{{- end}}
{{- end }}
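Review bot: The MetalLBAddressPoolUsage alerts emitted inside the `addressPoolUsage.thresholds` range block have no `for:` clause, although their message text says "past … usage for > 1 minute", so they fire on a single evaluation while every other rule in this file (stale config, config not loaded, pool exhausted, BGP session down) waits out `for: 1m`; add `for: 1m` directly after the `expr:` line at the same indent. The mismatch between message and behaviour also makes the alert noisier than operators expect during normal pool churn. If this template is a verbatim copy of the upstream chart, keep the change as a tracked local patch so a chart re-pull does not silently drop it.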


@@ -0,0 +1,206 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "metallb.fullname" . }}:controller
labels:
{{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["services", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list"]
- apiGroups: [""]
resources: ["services/status"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
resourceNames: ["metallb-webhook-configuration"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
resourceNames: ["addresspools.metallb.io","bfdprofiles.metallb.io","bgpadvertisements.metallb.io",
"bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list", "watch"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "metallb.fullname" . }}:speaker
labels:
{{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["services", "endpoints", "nodes", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "metallb.fullname" . }}-pod-lister
labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["addresspools"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bfdprofiles"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bgppeers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["l2advertisements"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bgpadvertisements"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["ipaddresspools"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["communities"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "metallb.fullname" . }}-controller
labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
{{- if .Values.speaker.memberlist.enabled }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
resourceNames: [{{ include "metallb.secretName" . | quote }}]
verbs: ["list"]
- apiGroups: ["apps"]
resources: ["deployments"]
resourceNames: ["{{ template "metallb.fullname" . }}-controller"]
verbs: ["get"]
{{- end }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["metallb.io"]
resources: ["addresspools"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["ipaddresspools"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bgppeers"]
verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
resources: ["bgpadvertisements"]
verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
resources: ["l2advertisements"]
verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
resources: ["communities"]
verbs: ["get", "list","watch"]
- apiGroups: ["metallb.io"]
resources: ["bfdprofiles"]
verbs: ["get", "list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "metallb.fullname" . }}:controller
labels:
{{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "metallb.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "metallb.fullname" . }}:controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "metallb.fullname" . }}:speaker
labels:
{{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "metallb.speaker.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "metallb.fullname" . }}:speaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "metallb.fullname" . }}-pod-lister
labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "metallb.fullname" . }}-pod-lister
subjects:
- kind: ServiceAccount
name: {{ include "metallb.speaker.serviceAccountName" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "metallb.fullname" . }}-controller
labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "metallb.fullname" . }}-controller
subjects:
- kind: ServiceAccount
name: {{ include "metallb.controller.serviceAccountName" . }}
{{- end -}}
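Review bot: The controller Role's unconditional `secrets` rule (the one after the memberlist block) grants `create, delete, get, list, patch, update, watch` on every Secret in the release namespace, which makes the memberlist-gated `secrets` rules above it redundant (they are a strict subset) and, more importantly, hands the controller write access to secrets it does not own if the namespace is shared; either narrow the read/write verbs with `resourceNames` to the secrets the controller actually manages, or add a comment above the rule naming those secrets so the namespace-wide write grant is a documented decision. Note that `create` cannot be scoped by `resourceNames`, so the usual shape is a `create`-only rule plus a `resourceNames`-scoped rule for the remaining verbs. The speaker-bound pod-lister Role likewise grants `get, list, watch` on all Secrets and ConfigMaps in the namespace and would benefit from the same comment. If this file is carried verbatim from the upstream chart, track any narrowing as a local patch or raise it upstream rather than editing in place.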


@@ -0,0 +1,28 @@
{{- if .Values.controller.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "metallb.controller.serviceAccountName" . }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.speaker.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "metallb.speaker.serviceAccountName" . }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- with .Values.speaker.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@@ -0,0 +1,188 @@
{{- if .Values.prometheus.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "metallb.fullname" . }}-speaker-monitor
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- if .Values.prometheus.serviceMonitor.speaker.additionalLabels }}
{{ toYaml .Values.prometheus.serviceMonitor.speaker.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.speaker.annotations }}
annotations:
{{ toYaml .Values.prometheus.serviceMonitor.speaker.annotations | indent 4 }}
{{- end }}
spec:
endpoints:
- port: {{ template "metrics.exposedportname" . }}
honorLabels: true
{{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }}
{{- end -}}
{{- if .Values.prometheus.serviceMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.interval }}
interval: {{ .Values.prometheus.serviceMonitor.interval }}
{{- end -}}
{{ if .Values.prometheus.secureMetricsPort }}
bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
scheme: "https"
{{- if .Values.prometheus.serviceMonitor.speaker.tlsConfig }}
tlsConfig:
{{ toYaml .Values.prometheus.serviceMonitor.speaker.tlsConfig | indent 8 }}
{{- end }}
{{ end }}
{{- if .Values.speaker.frr.enabled }}
- port: {{ template "metrics.exposedfrrportname" . }}
honorLabels: true
{{ if .Values.speaker.frr.secureMetricsPort }}
{{- if .Values.prometheus.serviceMonitor.interval }}
interval: {{ .Values.prometheus.serviceMonitor.interval }}
{{- end }}
bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
scheme: "https"
{{- if .Values.prometheus.serviceMonitor.speaker.tlsConfig }}
tlsConfig:
{{ toYaml .Values.prometheus.serviceMonitor.speaker.tlsConfig | indent 8 }}
{{- end }}
{{- end }}
{{- end }}
jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
name: {{ template "metallb.fullname" . }}-speaker-monitor-service
---
apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/scrape: "true"
{{- if .Values.prometheus.serviceMonitor.speaker.annotations }}
{{ toYaml .Values.prometheus.serviceMonitor.speaker.annotations | indent 4 }}
{{- end }}
labels:
name: {{ template "metallb.fullname" . }}-speaker-monitor-service
name: {{ template "metallb.fullname" . }}-speaker-monitor-service
spec:
selector:
{{- include "metallb.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: speaker
clusterIP: None
ports:
- name: {{ template "metrics.exposedportname" . }}
port: {{ template "metrics.exposedport" . }}
targetPort: {{ template "metrics.exposedport" . }}
{{- if .Values.speaker.frr.enabled }}
- name: {{ template "metrics.exposedfrrportname" . }}
port: {{ template "metrics.exposedfrrport" . }}
targetPort: {{ template "metrics.exposedfrrport" . }}
{{- end }}
sessionAffinity: None
type: ClusterIP
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "metallb.fullname" . }}-controller-monitor
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- if .Values.prometheus.serviceMonitor.controller.additionalLabels }}
{{ toYaml .Values.prometheus.serviceMonitor.controller.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.controller.annotations }}
annotations:
{{ toYaml .Values.prometheus.serviceMonitor.controller.annotations | indent 4 }}
{{- end }}
spec:
endpoints:
- port: {{ template "metrics.exposedportname" . }}
{{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }}
{{- end -}}
{{- if .Values.prometheus.serviceMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.interval }}
interval: {{ .Values.prometheus.serviceMonitor.interval }}
{{- end }}
honorLabels: true
{{- if .Values.prometheus.secureMetricsPort }}
bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
scheme: "https"
{{- if .Values.prometheus.serviceMonitor.controller.tlsConfig }}
tlsConfig:
{{ toYaml .Values.prometheus.serviceMonitor.controller.tlsConfig | indent 8 }}
{{- end }}
{{- end }}
jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
name: {{ template "metallb.fullname" . }}-controller-monitor-service
---
apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/scrape: "true"
{{- if .Values.prometheus.serviceMonitor.controller.annotations }}
{{ toYaml .Values.prometheus.serviceMonitor.controller.annotations | indent 4 }}
{{- end }}
labels:
name: {{ template "metallb.fullname" . }}-controller-monitor-service
name: {{ template "metallb.fullname" . }}-controller-monitor-service
spec:
selector:
{{- include "metallb.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: controller
clusterIP: None
ports:
- name: {{ template "metrics.exposedportname" . }}
port: {{ template "metrics.exposedport" . }}
targetPort: {{ template "metrics.exposedport" . }}
sessionAffinity: None
type: ClusterIP
---
{{- if .Values.prometheus.rbacPrometheus }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "metallb.fullname" . }}-prometheus
rules:
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "metallb.fullname" . }}-prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "metallb.fullname" . }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ required ".Values.prometheus.serviceAccount must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.serviceAccount }}
namespace: {{ required ".Values.prometheus.namespace must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.namespace }}
{{- end }}
{{- end }}
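Review bot: The controller ServiceMonitor (`name: {{ template "metallb.fullname" . }}-controller-monitor`) carries `app.kubernetes.io/component: speaker` in its metadata labels, which looks like a copy-paste from the speaker monitor above it; it should read `app.kubernetes.io/component: controller`, matching the `-controller-monitor-service` Service further down that selects the controller pods. Scraping still works because selection is by the `name:` label, but label-scoped tooling and any component-based PrometheusRule or NetworkPolicy will misclassify the controller monitor. Separately, the Prometheus `Role`/`RoleBinding` rendered at the end of this section use the same name (`…-prometheus`) as the pair rendered from the PodMonitor template; when `rbacPrometheus` is set together with both PodMonitor and ServiceMonitor enabled, the release presumably contains two Roles with one name, which Helm may reject or silently collapse — worth verifying and, if so, moving the Role into a single shared template. If this template is a verbatim copy of the upstream chart, keep these as a tracked local patch.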


@@ -0,0 +1,505 @@
{{- if .Values.speaker.frr.enabled }}
# FRR expects to have these files owned by frr:frr on startup.
# Having them in a ConfigMap allows us to modify behaviors: for example enabling more daemons on startup.
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "metallb.fullname" . }}-frr-startup
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
data:
daemons: |
# This file tells the frr package which daemons to start.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/frr/examples/.
#
# ATTENTION:
#
# When activating a daemon for the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "frr", else
# the daemon will not be started by /etc/init.d/frr. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
#
# The watchfrr and zebra daemons are always started.
#
bgpd=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=yes
fabricd=no
vrrpd=no
#
# If this option is set the /etc/init.d/frr script automatically loads
# the config via "vtysh -b" when the servers are started.
# Check /etc/pam.d/frr if you intend to use "vtysh"!
#
vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 127.0.0.1 -p 0"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"
ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
ldpd_options=" -A 127.0.0.1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"
babeld_options=" -A 127.0.0.1"
sharpd_options=" -A 127.0.0.1"
pbrd_options=" -A 127.0.0.1"
staticd_options="-A 127.0.0.1"
bfdd_options=" -A 127.0.0.1"
fabricd_options="-A 127.0.0.1"
vrrpd_options=" -A 127.0.0.1"
# configuration profile
#
#frr_profile="traditional"
#frr_profile="datacenter"
#
# This is the maximum number of FD's that will be available.
# Upon startup this is read by the control files and ulimit
# is called. Uncomment and use a reasonable value for your
# setup if you are expecting a large number of peers in
# say BGP.
#MAX_FDS=1024
# The list of daemons to watch is automatically generated by the init script.
#watchfrr_options=""
# for debugging purposes, you can specify a "wrap" command to start instead
# of starting the daemon directly, e.g. to use valgrind on ospfd:
# ospfd_wrap="/usr/bin/valgrind"
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
# all_wrap="/usr/bin/perf record --call-graph -"
# the normal daemon command is added to this at the end.
vtysh.conf: |+
service integrated-vtysh-config
frr.conf: |+
! This file gets overriden the first time the speaker renders a config.
! So anything configured here is only temporary.
frr version 7.5.1
frr defaults traditional
hostname Router
line vty
log file /etc/frr/frr.log informational
{{- end }}
---
{{- if .Values.speaker.enabled }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "metallb.fullname" . }}-speaker
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- range $key, $value := .Values.speaker.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.speaker.updateStrategy }}
updateStrategy: {{- toYaml .Values.speaker.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "metallb.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: speaker
template:
metadata:
{{- if or .Values.prometheus.scrapeAnnotations .Values.speaker.podAnnotations }}
annotations:
{{- if .Values.prometheus.scrapeAnnotations }}
prometheus.io/scrape: "true"
{{- if not .Values.speaker.frr.enabled }}
prometheus.io/port: "{{ .Values.prometheus.metricsPort }}"
{{- end }}
{{- end }}
{{- with .Values.speaker.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
labels:
{{- include "metallb.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: speaker
{{- range $key, $value := .Values.speaker.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.speaker.runtimeClassName }}
runtimeClassName: {{ .Values.speaker.runtimeClassName }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "metallb.speaker.serviceAccountName" . }}
terminationGracePeriodSeconds: 0
hostNetwork: true
volumes:
{{- if .Values.speaker.memberlist.enabled }}
- name: memberlist
secret:
secretName: {{ include "metallb.secretName" . }}
defaultMode: 420
{{- end }}
{{- if .Values.speaker.excludeInterfaces.enabled }}
- name: metallb-excludel2
configMap:
defaultMode: 256
name: metallb-excludel2
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: frr-sockets
emptyDir: {}
- name: frr-startup
configMap:
name: {{ template "metallb.fullname" . }}-frr-startup
- name: frr-conf
emptyDir: {}
- name: reloader
emptyDir: {}
- name: metrics
emptyDir: {}
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
- name: metrics-certs
secret:
secretName: {{ .Values.prometheus.speakerMetricsTLSSecret }}
{{- end }}
initContainers:
# Copies the initial config files with the right permissions to the shared volume.
- name: cp-frr-files
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
securityContext:
runAsUser: 100
runAsGroup: 101
command: ["/bin/sh", "-c", "cp -rLf /tmp/frr/* /etc/frr/"]
volumeMounts:
- name: frr-startup
mountPath: /tmp/frr
- name: frr-conf
mountPath: /etc/frr
# Copies the reloader to the shared volume between the speaker and reloader.
- name: cp-reloader
image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
command: ["/bin/sh", "-c", "cp -f /frr-reloader.sh /etc/frr_reloader/"]
volumeMounts:
- name: reloader
mountPath: /etc/frr_reloader
# Copies the metrics exporter
- name: cp-metrics
image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
command: ["/bin/sh", "-c", "cp -f /frr-metrics /etc/frr_metrics/"]
volumeMounts:
- name: metrics
mountPath: /etc/frr_metrics
shareProcessNamespace: true
{{- end }}
containers:
- name: speaker
image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
{{- if .Values.speaker.image.pullPolicy }}
imagePullPolicy: {{ .Values.speaker.image.pullPolicy }}
{{- end }}
{{- if .Values.speaker.command }}
command:
- {{ .Values.speaker.command }}
{{- end }}
args:
- --port={{ .Values.prometheus.metricsPort }}
{{- with .Values.speaker.logLevel }}
- --log-level={{ . }}
{{- end }}
{{- if .Values.loadBalancerClass }}
- --lb-class={{ .Values.loadBalancerClass }}
{{- end }}
env:
- name: METALLB_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: METALLB_HOST
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if .Values.speaker.memberlist.enabled }}
- name: METALLB_ML_BIND_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: METALLB_ML_LABELS
value: "app.kubernetes.io/name={{ include "metallb.name" . }},app.kubernetes.io/component=speaker"
- name: METALLB_ML_BIND_PORT
value: "{{ .Values.speaker.memberlist.mlBindPort }}"
- name: METALLB_ML_SECRET_KEY_PATH
value: "{{ .Values.speaker.memberlist.mlSecretKeyPath }}"
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: FRR_CONFIG_FILE
value: /etc/frr_reloader/frr.conf
- name: FRR_RELOADER_PID_FILE
value: /etc/frr_reloader/reloader.pid
- name: METALLB_BGP_TYPE
value: frr
{{- end }}
ports:
- name: monitoring
containerPort: {{ .Values.prometheus.metricsPort }}
{{- if .Values.speaker.memberlist.enabled }}
- name: memberlist-tcp
containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
protocol: TCP
- name: memberlist-udp
containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
protocol: UDP
{{- end }}
{{- if .Values.speaker.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /metrics
port: monitoring
initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.speaker.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /metrics
port: monitoring
initialDelaySeconds: {{ .Values.speaker.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.speaker.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.speaker.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.speaker.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.speaker.readinessProbe.failureThreshold }}
{{- end }}
{{- with .Values.speaker.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
add:
- NET_RAW
{{- if or .Values.speaker.frr.enabled .Values.speaker.memberlist.enabled .Values.speaker.excludeInterfaces.enabled }}
volumeMounts:
{{- if .Values.speaker.memberlist.enabled }}
- name: memberlist
mountPath: {{ .Values.speaker.memberlist.mlSecretKeyPath }}
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: reloader
mountPath: /etc/frr_reloader
{{- end }}
{{- if .Values.speaker.excludeInterfaces.enabled }}
- name: metallb-excludel2
mountPath: /etc/metallb
{{- end }}
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: frr
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
- NET_BIND_SERVICE
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
{{- if .Values.speaker.frr.image.pullPolicy }}
imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
{{- end }}
env:
- name: TINI_SUBREAPER
value: "true"
volumeMounts:
- name: frr-sockets
mountPath: /var/run/frr
- name: frr-conf
mountPath: /etc/frr
# The command is FRR's default entrypoint & waiting for the log file to appear and tailing it.
# If the log file isn't created in 60 seconds the tail fails and the container is restarted.
# This workaround is needed to have the frr logs as part of kubectl logs -c frr < speaker_pod_name >.
command:
- /bin/sh
- -c
- |
/sbin/tini -- /usr/lib/frr/docker-start &
attempts=0
until [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do
sleep 1
attempts=$(( $attempts + 1 ))
done
tail -f /etc/frr/frr.log
{{- with .Values.speaker.frr.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.speaker.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /livez
port: {{ .Values.speaker.frr.metricsPort }}
periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.speaker.startupProbe.enabled }}
startupProbe:
httpGet:
path: /livez
port: {{ .Values.speaker.frr.metricsPort }}
failureThreshold: {{ .Values.speaker.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.speaker.startupProbe.periodSeconds }}
{{- end }}
- name: reloader
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
{{- if .Values.speaker.frr.image.pullPolicy }}
imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
{{- end }}
command: ["/etc/frr_reloader/frr-reloader.sh"]
volumeMounts:
- name: frr-sockets
mountPath: /var/run/frr
- name: frr-conf
mountPath: /etc/frr
- name: reloader
mountPath: /etc/frr_reloader
{{- with .Values.speaker.reloader.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: frr-metrics
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
command: ["/etc/frr_metrics/frr-metrics"]
args:
- --metrics-port={{ .Values.speaker.frr.metricsPort }}
ports:
- containerPort: {{ .Values.speaker.frr.metricsPort }}
name: monitoring
volumeMounts:
- name: frr-sockets
mountPath: /var/run/frr
- name: frr-conf
mountPath: /etc/frr
- name: metrics
mountPath: /etc/frr_metrics
{{- with .Values.speaker.frrMetrics.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.secureMetricsPort }}
- name: kube-rbac-proxy
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
args:
- --logtostderr
- --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
- --upstream=http://$(METALLB_HOST):{{ .Values.prometheus.metricsPort }}/
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
- --tls-private-key-file=/etc/metrics/tls.key
- --tls-cert-file=/etc/metrics/tls.crt
{{- end }}
ports:
- containerPort: {{ .Values.prometheus.secureMetricsPort }}
name: metricshttps
env:
- name: METALLB_HOST
valueFrom:
fieldRef:
fieldPath: status.hostIP
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
volumeMounts:
- name: metrics-certs
mountPath: /etc/metrics
readOnly: true
{{- end }}
{{ end }}
{{- if .Values.speaker.frr.secureMetricsPort }}
- name: kube-rbac-proxy-frr
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
args:
- --logtostderr
- --secure-listen-address=:{{ .Values.speaker.frr.secureMetricsPort }}
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- --upstream=http://$(METALLB_HOST):{{ .Values.speaker.frr.metricsPort }}/
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
- --tls-private-key-file=/etc/metrics/tls.key
- --tls-cert-file=/etc/metrics/tls.crt
{{- end }}
ports:
- containerPort: {{ .Values.speaker.frr.secureMetricsPort }}
name: metricshttps
env:
- name: METALLB_HOST
valueFrom:
fieldRef:
fieldPath: status.hostIP
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
volumeMounts:
- name: metrics-certs
mountPath: /etc/metrics
readOnly: true
{{- end }}
{{ end }}
nodeSelector:
"kubernetes.io/os": linux
{{- with .Values.speaker.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.speaker.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.speaker.tolerateMaster .Values.speaker.tolerations }}
tolerations:
{{- if .Values.speaker.tolerateMaster }}
- key: node-role.kubernetes.io/master
effect: NoSchedule
operator: Exists
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
operator: Exists
{{- end }}
{{- with .Values.speaker.tolerations }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
{{- with .Values.speaker.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- end }}
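Review bot: The kube-rbac-proxy image tag is handled inconsistently between the two metrics sidecars: the speaker proxy uses `{{ .Values.prometheus.rbacProxy.tag }}` with no fallback, while the FRR proxy uses `{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }}`, and defaulting a kube-rbac-proxy image to the MetalLB app version yields a tag that does not exist for that image, so the FRR line should match the speaker one: `image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}`. On the privilege boundary, the `speaker` container sets `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and drops all capabilities except NET_RAW, but the `reloader`, `frr-metrics` and both `kube-rbac-proxy` containers declare no securityContext at all, and the `frr` container adds SYS_ADMIN alongside NET_ADMIN/NET_RAW/NET_BIND_SERVICE in a pod that already runs with `hostNetwork: true` and `shareProcessNamespace: true`; a comment above the `frr` capabilities stating why SYS_ADMIN is required, plus `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` on the sidecars that need no capabilities, would make the intended trust boundary explicit. The hard-coded `--tls-cipher-suites` lists on both proxies include `TLS_RSA_WITH_AES_128_CBC_SHA256` (no forward secrecy) and two CBC-mode ECDHE suites; since the list is fixed in the template rather than read from values, trimming it to the two ECDHE GCM suites already present is the only way to tighten it. If this template is a verbatim copy of the upstream chart, carry these as a tracked local patch so a re-pull does not drop them.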


@@ -0,0 +1,168 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: metallb-webhook-configuration
labels:
{{- include "metallb.labels" . | nindent 4 }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-addresspool
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: addresspoolvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- addresspools
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta2-bgppeer
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: bgppeervalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta2
operations:
- CREATE
- UPDATE
resources:
- bgppeers
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-ipaddresspool
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: ipaddresspoolvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- ipaddresspools
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-bgpadvertisement
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: bgpadvertisementvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- bgpadvertisements
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-community
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: communityvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- communities
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-bfdprofile
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: bfdprofilevalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- DELETE
resources:
- bfdprofiles
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-l2advertisement
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: l2advertisementvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- l2advertisements
sideEffects: None
---
apiVersion: v1
kind: Service
metadata:
name: metallb-webhook-service
labels:
{{- include "metallb.labels" . | nindent 4 }}
spec:
ports:
- port: 443
targetPort: 9443
selector:
{{- include "metallb.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: controller
---
apiVersion: v1
kind: Secret
metadata:
name: webhook-server-cert
labels:
{{- include "metallb.labels" . | nindent 4 }}


@@ -0,0 +1,427 @@
{
"$schema": "https://json-schema.org/draft-07/schema#",
"title": "Values",
"type": "object",
"definitions": {
"prometheusAlert": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"labels": {
"type": "object",
"additionalProperties": { "type": "string" }
}
},
"required": [ "enabled" ]
},
"probe": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"failureThreshold": {
"type": "integer"
},
"initialDelaySeconds": {
"type": "integer"
},
"periodSeconds": {
"type": "integer"
},
"successThreshold": {
"type": "integer"
},
"timeoutSeconds": {
"type": "integer"
}
},
"required": [
"failureThreshold",
"initialDelaySeconds",
"periodSeconds",
"successThreshold",
"timeoutSeconds"
]
},
"component": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"logLevel": {
"type": "string",
"enum": [ "all", "debug", "info", "warn", "error", "none" ]
},
"image": {
"type": "object",
"properties": {
"repository": {
"type": "string"
},
"tag": {
"anyOf": [
{ "type": "string" },
{ "type": "null" }
]
},
"pullPolicy": {
"anyOf": [
{
"type": "null"
},
{
"type": "string",
"enum": [ "Always", "IfNotPresent", "Never" ]
}
]
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"name": {
"type": "string"
},
"annotations": {
"type": "object"
}
}
},
"resources": {
"type": "object"
},
"nodeSelector": {
"type": "object"
},
"tolerations": {
"type": "array",
"items": {
"type": "object"
}
},
"priorityClassName": {
"type":"string"
},
"runtimeClassName": {
"type":"string"
},
"affinity": {
"type": "object"
},
"podAnnotations": {
"type": "object"
},
"livenessProbe": {
"$ref": "#/definitions/probe"
},
"readinessProbe": {
"$ref": "#/definitions/probe"
}
},
"required": [
"image",
"serviceAccount"
]
}
},
"properties": {
"imagePullSecrets": {
"description": "Secrets used for pulling images",
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
},
"required": [ "name" ],
"additionalProperties": false
}
},
"nameOverride": {
"description": "Override chart name",
"type": "string"
},
"fullNameOverride": {
"description": "Override fully qualified app name",
"type": "string"
},
"configInLine": {
"description": "MetalLB configuration",
"type": "object"
},
"loadBalancerClass": {
"type":"string"
},
"rbac": {
"description": "RBAC configuration",
"type": "object",
"properties": {
"create": {
"description": "Enable RBAC",
"type": "boolean"
}
}
},
"prometheus": {
"description": "Prometheus monitoring config",
"type": "object",
"properties": {
"scrapeAnnotations": { "type": "boolean" },
"metricsPort": { "type": "integer" },
"secureMetricsPort": { "type": "integer" },
"rbacPrometheus": { "type": "boolean" },
"serviceAccount": { "type": "string" },
"namespace": { "type": "string" },
"rbacProxy": {
"description": "kube-rbac-proxy configuration",
"type": "object",
"properties": {
"repository": { "type": "string" },
"tag": { "type": "string" }
}
},
"podMonitor": {
"description": "Prometheus Operator PodMonitors",
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"additionalMonitors": { "type": "object" },
"jobLabel": { "type": "string" },
"interval": {
"anyOf": [
{ "type": "integer" },
{ "type": "null" }
]
},
"metricRelabelings": {
"type": "array",
"items": {
"type": "object"
}
},
"relabelings": {
"type": "array",
"items": {
"type": "object"
}
}
}
},
"serviceMonitor": {
"description": "Prometheus Operator ServiceMonitors",
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"jobLabel": { "type": "string" },
"interval": {
"anyOf": [
{ "type": "integer" },
{ "type": "null" }
]
},
"metricRelabelings": {
"type": "array",
"items": {
"type": "object"
}
},
"relabelings": {
"type": "array",
"items": {
"type": "object"
}
}
}
},
"prometheusRule": {
"description": "Prometheus Operator alertmanager alerts",
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"additionalMonitors": { "type": "object" },
"staleConfig": { "$ref": "#/definitions/prometheusAlert" },
"configNotLoaded": { "$ref": "#/definitions/prometheusAlert" },
"addressPoolExhausted": { "$ref": "#/definitions/prometheusAlert" },
"addressPoolUsage": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"thresholds": {
"type": "array",
"items": {
"type": "object",
"properties": {
"percent": {
"type": "integer",
"minimum": 0,
"maximum": 100
},
"labels": {
"type": "object",
"additionalProperties": { "type": "string" }
}
},
"required": [ "percent" ]
}
}
},
"required": [ "enabled" ]
},
"bgpSessionDown": { "$ref": "#/definitions/prometheusAlert" },
"extraAlerts": {
"type": "array",
"items": {
"type": "object"
}
}
},
"required": [
"enabled",
"staleConfig",
"configNotLoaded",
"addressPoolExhausted",
"addressPoolUsage",
"bgpSessionDown"
]
}
},
"required": [ "podMonitor", "prometheusRule" ]
},
"speaker": {
"allOf": [
{ "$ref": "#/definitions/component" },
{ "description": "MetalLB Speaker",
"type": "object",
"properties": {
"tolerateMaster": {
"type": "boolean"
},
"memberlist": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"mlBindPort": {
"type": "integer"
},
"mlSecretKeyPath": {
"type": "string"
}
}
},
"excludeInterfaces": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
},
"updateStrategy": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
},
"required": [ "type" ]
},
"runtimeClassName": {
"type": "string"
},
"secretName": {
"type": "string"
},
"frr": {
"description": "Install FRR container in speaker deployment",
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"image": { "$ref": "#/definitions/component/properties/image" },
"metricsPort": { "type": "integer" },
"secureMetricsPort": { "type": "integer" },
"resources:": { "type": "object" }
},
"required": [ "enabled" ]
},
"command" : {
"type": "string"
},
"reloader": {
"type": "object",
"properties": {
"resources": { "type": "object" }
}
},
"frrMetrics": {
"type": "object",
"properties": {
"resources": { "type": "object" }
}
}
},
"required": [ "tolerateMaster" ]
}
]
},
"crds": {
"description": "CRD configuration",
"type": "object",
"properties": {
"enabled": {
"description": "Enable CRDs",
"type": "boolean"
},
"validationFailurePolicy": {
"description": "Failure policy to use with validating webhooks",
"type": "string",
"enum": [ "Ignore", "Fail" ]
}
}
}
},
"controller": {
"allOf": [
{ "$ref": "#/definitions/component" },
{ "description": "MetalLB Controller",
"type": "object",
"properties": {
"strategy": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
},
"required": [ "type" ]
},
"command" : {
"type": "string"
},
"webhookMode" : {
"type": "string"
}
}
}
]
},
"required": [
"controller",
"speaker"
]
}


@@ -0,0 +1,342 @@
# Default values for metallb.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
loadBalancerClass: ""
# To configure MetalLB, you must specify ONE of the following two
# options.
rbac:
# create specifies whether to install and use RBAC rules.
create: true
prometheus:
# scrape annotations specifies whether to add Prometheus metric
# auto-collection annotations to pods. See
# https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
# for a corresponding Prometheus configuration. Alternatively, you
# may want to use the Prometheus Operator
# (https://github.com/coreos/prometheus-operator) for more powerful
# monitoring configuration. If you use the Prometheus operator, this
# can be left at false.
scrapeAnnotations: false
# port both controller and speaker will listen on for metrics
metricsPort: 7472
# if set, enables rbac proxy on the controller and speaker to expose
# the metrics via tls.
# secureMetricsPort: 9120
# the name of the secret to be mounted in the speaker pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
speakerMetricsTLSSecret: ""
# the name of the secret to be mounted in the controller pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
controllerMetricsTLSSecret: ""
# prometheus doens't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
rbacPrometheus: true
# the service account used by prometheus
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
serviceAccount: ""
# the namespace where prometheus is deployed
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
namespace: ""
# the image to be used for the kuberbacproxy container
rbacProxy:
repository: gcr.io/kubebuilder/kube-rbac-proxy
tag: v0.12.0
pullPolicy:
# Prometheus Operator PodMonitors
podMonitor:
# enable support for Prometheus Operator
enabled: false
# optional additionnal labels for podMonitors
additionalLabels: {}
# optional annotations for podMonitors
annotations: {}
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator ServiceMonitors. To be used as an alternative
# to podMonitor, supports secure metrics.
serviceMonitor:
# enable support for Prometheus Operator
enabled: false
speaker:
# optional additional labels for the speaker serviceMonitor
additionalLabels: {}
# optional additional annotations for the speaker serviceMonitor
annotations: {}
# optional tls configuration for the speaker serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
controller:
# optional additional labels for the controller serviceMonitor
additionalLabels: {}
# optional additional annotations for the controller serviceMonitor
annotations: {}
# optional tls configuration for the controller serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator alertmanager alerts
prometheusRule:
# enable alertmanager alerts
enabled: false
# optional additionnal labels for prometheusRules
additionalLabels: {}
# optional annotations for prometheusRules
annotations: {}
# MetalLBStaleConfig
staleConfig:
enabled: true
labels:
severity: warning
# MetalLBConfigNotLoaded
configNotLoaded:
enabled: true
labels:
severity: warning
# MetalLBAddressPoolExhausted
addressPoolExhausted:
enabled: true
labels:
severity: alert
addressPoolUsage:
enabled: true
thresholds:
- percent: 75
labels:
severity: warning
- percent: 85
labels:
severity: warning
- percent: 95
labels:
severity: alert
# MetalLBBGPSessionDown
bgpSessionDown:
enabled: true
labels:
severity: alert
extraAlerts: []
# controller contains configuration specific to the MetalLB cluster
# controller.
controller:
enabled: true
# -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
# command: /controller
# webhookMode: enabled
image:
repository: quay.io/metallb/controller
tag:
pullPolicy:
## @param controller.updateStrategy.type Metallb controller deployment strategy type.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## e.g:
## strategy:
## type: RollingUpdate
## rollingUpdate:
## maxSurge: 25%
## maxUnavailable: 25%
##
strategy:
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
securityContext:
runAsNonRoot: true
# nobody
runAsUser: 65534
fsGroup: 65534
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
runtimeClassName: ""
affinity: {}
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
# speaker contains configuration specific to the MetalLB speaker
# daemonset.
speaker:
enabled: true
# command: /speaker
# -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
tolerateMaster: true
memberlist:
enabled: true
mlBindPort: 7946
mlSecretKeyPath: "/etc/ml_secret_key"
excludeInterfaces:
enabled: true
image:
repository: quay.io/metallb/speaker
tag:
pullPolicy:
## @param speaker.updateStrategy.type Speaker daemonset strategy type
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
##
updateStrategy:
## StrategyType
## Can be set to RollingUpdate or OnDelete
##
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
## Defines a secret name for the controller to generate a memberlist encryption secret
## By default secretName: {{ "metallb.fullname" }}-memberlist
##
# secretName:
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
affinity: {}
## Selects which runtime class will be used by the pod.
runtimeClassName: ""
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
startupProbe:
enabled: true
failureThreshold: 30
periodSeconds: 5
# frr contains configuration specific to the MetalLB FRR container,
# for speaker running alongside FRR.
frr:
enabled: true
image:
repository: quay.io/frrouting/frr
tag: 8.4.2
pullPolicy:
metricsPort: 7473
resources: {}
# if set, enables a rbac proxy sidecar container on the speaker to
# expose the frr metrics via tls.
# secureMetricsPort: 9121
reloader:
resources: {}
frrMetrics:
resources: {}
crds:
enabled: true
validationFailurePolicy: Fail


@@ -0,0 +1,32 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: public-ips
namespace: {{ .Release.namespace }}
spec:
autoAssign: false
{{- with .Values.metallb.publicAddresses }}
addresses:
{{- toYaml . | nindent 4 }}
{{- end }}
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: private-ips
namespace: {{ .Release.namespace }}
spec:
{{- with .Values.metallb.privateAddresses }}
addresses:
{{- toYaml . | nindent 4 }}
{{- end }}
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: l2adv
namespace: {{ .Release.namespace }}
spec:
ipAddressPools:
- public-ips
- private-ips
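Review bot: The three `namespace: {{ .Release.namespace }}` lines (public-ips, private-ips and l2adv) use a lowercase field that Helm does not define; the built-in is `.Release.Namespace`, as the webhook template in this same commit uses, so these render with an empty namespace and the objects land wherever the client defaults them rather than in the release namespace. Change each to `namespace: {{ .Release.Namespace }}`. The `with` guards also mean a pool with no addresses configured is emitted without any `addresses` field at all; if the IPAddressPool CRD treats that field as required (worth confirming against the installed CRD), the whole pool object should be inside the guard rather than just the `addresses` key.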


@@ -0,0 +1,18 @@
_helm:
name: metallb
namespace: cozy-metallb
createNamespace: true
privilegedNamespace: true
crds: CreateReplace
metallb:
crds:
enabled: true
speaker:
tolerateMaster: false
publicAddresses:
- 1.2.3.4
privateAddresses:
- 192.168.100.200-192.168.100.250
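Review bot: `publicAddresses` defaults to `1.2.3.4`, which is a real, globally routed address rather than a placeholder, so an install that keeps the defaults creates a pool claiming someone else's IP; with `autoAssign: false` nothing is advertised until a Service asks for it, but the default still invites copy-paste mistakes. Prefer an empty default with the example in a comment: `publicAddresses: []  # e.g. 203.0.113.10 (RFC 5737 documentation range)` and likewise make `privateAddresses` an explicit site-specific override. A one-line comment above `privilegedNamespace: true` saying why the speaker needs it (host networking) would also help the next reader.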


@@ -1652,7 +1652,7 @@
]
},
"timezone": "browser",
"title": "Redis Tubes",
"title": "Redis",
"uid": "4GFbkOsZkss",
"version": 2,
"weekStart": ""


@@ -16,16 +16,15 @@ spec:
enabled: "true"
allow_sign_up: "true"
auto_login: "false"
client_id: c1286be57609c1456cb92703e8fecade823c7f0c35d866c5d3d7065ee326402a
client_secret: eb4ebd228ba34a028aa6811d0882db8b8f13235353ad782f5c4a59b46cee6eba
client_id: e03e8bbe-1a4f-4555-906e-710f1b148d7b
client_secret: d57d2398-ce98-4309-a799-ac6d7cf54367
scopes: api
auth_url: "https://git.example.org/oauth/authorize"
token_url: "https://git.example.org/oauth/token"
api_url: "https://git.example.org/api/v4"
#allowed_domains: 173.0.146.94.nip.io
#allowed_groups: '["aemedia/auth/infra-admins"]'
#role_attribute_path: "contains(info.groups_direct[*], 'aemedia/') && 'Admin' || contains(info.groups_direct[*], 'aemedia/auth/infra-admins') && 'Editor' || 'Viewer'"
role_attribute_path: "is_admin && 'Admin' || 'Viewer'"
#allowed_groups: '["cluster-admins"]'
role_attribute_path: "contains(info.groups_direct[*], 'grafana-admin') && 'Admin' || contains(info.groups_direct[*], 'grafana-editor') && 'Editor' || 'Viewer'"
#role_attribute_path: "is_admin && 'Admin' || 'Viewer'"
#tls_skip_verify_insecure: "false"
#use_pkce: "true"
#use_refresh_token: "true"
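Review bot: Both the old and the replacement `client_id`/`client_secret` pairs are still committed in plain text in this manifest, so the commit rotates the credential without removing the class of problem, and the previous pair stays recoverable from history. Grafana reads `$__env{VAR}` and `$__file{PATH}` expansions in its configuration, so the secret can be mounted from a Kubernetes Secret and referenced as `client_secret: "$__file{/etc/grafana-secrets/gitlab-client-secret}"`, leaving only the non-secret id in git. Separately, `scopes: api` grants Grafana full read/write access to GitLab on the user's behalf, which is more than group lookup needs; `read_api` is the narrower GitLab scope and should be checked against the Grafana version in use. The enclosing `spec:` block starts and ends outside this hunk.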


@@ -18,7 +18,7 @@ stringData:
receivers:
- name: 'webhook'
webhook_configs:
- url: http://grafana-oncall-engine.infra-grafana.svc:8080/integrations/v1/alertmanager/Kjb2NWxxSlgGtxz9F4ihovQBB/
- url: http://grafana-oncall-engine.cozy-monitoring-hub.svc:8080/integrations/v1/alertmanager/Kjb2NWxxSlgGtxz9F4ihovQBB/
---
apiVersion: operator.victoriametrics.com/v1beta1
kind: VMAlertmanager
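Review bot: The webhook URL carries the Grafana OnCall integration token as its last path segment, and that token is the only thing authenticating alert delivery, so it is a credential committed to the repository even though it sits inside a Secret's `stringData`. The rename of the service namespace is fine, but the token should be supplied at deploy time (a templated value or an externally managed Secret) and the copy in git history treated as exposed. The `stringData` block this line belongs to starts outside the hunk.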


@@ -34,7 +34,7 @@ spec:
jobLabel: jobLabel
namespaceSelector:
matchNames:
- infra-ingress-nginx
- cozy-ingress-nginx
podMetricsEndpoints:
- port: metrics2
honorLabels: true


@@ -0,0 +1,2 @@
name: app
version: 0.0.0


@@ -0,0 +1,7 @@
include ../../hack/app-helm.mk
update:
rm -rf templates/cluster-operator.yml
wget -O templates/cluster-operator.yml https://github.com/rabbitmq/cluster-operator/releases/latest/download/cluster-operator.yml
yq -i 'del(select(.kind=="Namespace"))' templates/cluster-operator.yml
sed -i 's/rabbitmq-system/cozy-rabbitmq-operator/g' templates/cluster-operator.yml
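Review bot: The `update` target fetches `releases/latest/download/cluster-operator.yml`, so each run pulls whatever the upstream project has most recently published, with no version recorded and no integrity check; the vendored manifest is therefore not reproducible and silently tracks upstream. Pin the release and make it visible in the Makefile: `CLUSTER_OPERATOR_VERSION ?= <pinned-tag>` and `wget -O templates/cluster-operator.yml https://github.com/rabbitmq/cluster-operator/releases/download/$(CLUSTER_OPERATOR_VERSION)/cluster-operator.yml`, recording the tag (and ideally the file's checksum) in the commit that bumps it. The unanchored `sed` rename of `rabbitmq-system` will also rewrite any occurrence of that string, not only namespace fields, which is worth a comment or a `yq` expression scoped to `.metadata.namespace`.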


@@ -0,0 +1,4 @@
# RabbitMQ Cluster Kubernetes Operator
- Github: https://github.com/rabbitmq/cluster-operator/
- Docs: https://www.rabbitmq.com/kubernetes/operator/operator-overview.html



@@ -0,0 +1,5 @@
_helm:
name: rabbitmq-operator
namespace: cozy-rabbitmq-operator
createNamespace: true
crds: CreateReplace


@@ -1,30 +0,0 @@
{{- with .Values.group }}
# TODO: make more generic configuration
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: portforward
rules:
- apiGroups:
- ""
resources:
- pods/portforward
verbs:
- create
namespaces:
- infra-telepresence
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab:portforward
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: portforward
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ . }}
{{- end }}