From 8b71c2f6a379805dfc12e9df3b7fb0ea61bd6309 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Thu, 5 Mar 2020 15:15:00 +0100 Subject: [PATCH 01/49] added objectstorageConfig to the sidecar container --- .../templates/prometheus/prometheus.yaml | 11 +++++++++++ bitnami/prometheus-operator/values.yaml | 6 ++++++ 2 files changed, 17 insertions(+) diff --git a/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml b/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml index 01591ad1e6268d..209282cc7e740e 100644 --- a/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml +++ b/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml @@ -152,9 +152,20 @@ spec: - --prometheus.url=http://localhost:9090 - --grpc-address=0.0.0.0:10901 - --http-address=0.0.0.0:10902 + {{- if .Values.prometheus.thanos.objectStorageConfig }} + - --objstore.config=$(OBJSTORE_CONFIG) + {{- end }} {{- if .Values.prometheus.thanos.extraArgs }} {{ toYaml .Values.prometheus.thanos.extraArgs | indent 8 | trim }} {{- end }} + {{- if .Values.prometheus.thanos.objectStorageConfig }} + env: + - name: OBJSTORE_CONFIG + valueFrom: + secretKeyRef: + name: {{ .Values.prometheus.thanos.objectStorageConfig.secretName }} + key: {{ .Values.prometheus.thanos.objectStorageConfig.secretKey |default "thanos.yaml" }} + {{- end }} ports: - name: grpc containerPort: 10901 diff --git a/bitnami/prometheus-operator/values.yaml b/bitnami/prometheus-operator/values.yaml index f495f1f8fc6b27..5d439c82099d2c 100644 --- a/bitnami/prometheus-operator/values.yaml +++ b/bitnami/prometheus-operator/values.yaml @@ -555,6 +555,12 @@ prometheus: # - --log.level=debug # - --tsdb.path=/data/ + ## Support mounting a ConfigMap for the objectStorageConfig of the sideCar container. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/thanos.md + objectStorageConfig: {} + # secretName: thanos-objstore-config + # secretKey: thanos.yaml + ## Thanos Sidecar Service ## service: 
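Review bot: `- --objstore.config=$(OBJSTORE_CONFIG)` puts the whole object-store configuration on the sidecar's command line, because the kubelet expands `$(OBJSTORE_CONFIG)` from the `secretKeyRef` env entry into the argument list; that configuration typically carries the bucket credentials, which then show up in process listings on the node and inside the container rather than staying in the Secret. Thanos also accepts `--objstore.config-file`, so mounting the Secret as a read-only volume and passing the file path keeps the credentials out of the process arguments. Separately, the outer `if` only tests that the map is non-empty, so a user who sets only `secretKey` renders an empty `name:`; `name: {{ required "prometheus.thanos.objectStorageConfig.secretName is required" .Values.prometheus.thanos.objectStorageConfig.secretName }}` fails early with a clear message. If the operator manages this sidecar, the Prometheus CRD's own `thanos.objectStorageConfig` secret selector may be the simpler route, but that cannot be judged from this hunk. The sidecar container definition begins above the hunk.
```yaml
        {{- if .Values.prometheus.thanos.objectStorageConfig }}
        - --objstore.config-file=/etc/thanos/objstore/{{ .Values.prometheus.thanos.objectStorageConfig.secretKey | default "thanos.yaml" }}
        {{- end }}
        # … unchanged: extraArgs block, ports …
        {{- if .Values.prometheus.thanos.objectStorageConfig }}
      volumeMounts:
        - name: thanos-objstore-config
          mountPath: /etc/thanos/objstore  # mount path constructed for this example
          readOnly: true
        {{- end }}
      # … a pod-level `volumes:` entry named thanos-objstore-config backed by
      # `secret.secretName: {{ .Values.prometheus.thanos.objectStorageConfig.secretName }}` is needed outside this hunk …
```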
From 9320720e72943a8fd39ab732788f6fc6348f064e Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Thu, 5 Mar 2020 15:21:07 +0100 Subject: [PATCH 02/49] Bumped version and added documentation of the added values. --- bitnami/prometheus-operator/Chart.yaml | 2 +- bitnami/prometheus-operator/README.md | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/bitnami/prometheus-operator/Chart.yaml b/bitnami/prometheus-operator/Chart.yaml index 725d2502189953..0c03aac82acba1 100644 --- a/bitnami/prometheus-operator/Chart.yaml +++ b/bitnami/prometheus-operator/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: 0.37.0 description: The Prometheus Operator for Kubernetes provides easy monitoring definitions for Kubernetes services and deployment and management of Prometheus instances. name: prometheus-operator -version: 0.13.1 +version: 0.13.2 keywords: - prometheus - alertmanager diff --git a/bitnami/prometheus-operator/README.md b/bitnami/prometheus-operator/README.md index 7f717b876ab00f..2d97b3507d6100 100644 --- a/bitnami/prometheus-operator/README.md +++ b/bitnami/prometheus-operator/README.md 
@@ -218,6 +218,8 @@ The following table lists the configurable parameters of the Prometheus Operator | `prometheus.thanos.image.pullPolicy` | Thanos image pull policy | `IfNotPresent` | | `prometheus.thanos.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | | `prometheus.thanos.extraArgs` | Additional arguments passed to the thanos sidecar container | `[]` | +| `prometheus.thanos.objectStorageConfig.secretName` | Defines the secretName to load. | `nil` | +| `prometheus.thanos.objectStorageConfig.secretKey` | Defines the key inside the secret which references the objectStorageConfig for the thanos sideCar | `nil` | | `prometheus.thanos.service.port` | Thanos service port | `10901` | | `prometheus.thanos.service.clusterIP` | Specific cluster IP when service type is cluster IP. Use `None` for headless service | `nil` | | `prometheus.thanos.service.nodePort` | Kubernetes Service nodePort | `nil` | From 1e016194506cae5a19fe84be934128177f7604ab Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Thu, 5 Mar 2020 15:26:00 +0100 Subject: [PATCH 03/49] Fixed indentation of environment variables --- .../templates/prometheus/prometheus.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml b/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml index 209282cc7e740e..cf2dc1c991fa5c 100644 --- a/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml +++ b/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml 
@@ -160,11 +160,11 @@ spec: {{- end }} {{- if .Values.prometheus.thanos.objectStorageConfig }} env: - - name: OBJSTORE_CONFIG - valueFrom: - secretKeyRef: - name: {{ .Values.prometheus.thanos.objectStorageConfig.secretName }} - key: {{ .Values.prometheus.thanos.objectStorageConfig.secretKey |default "thanos.yaml" }} + - name: OBJSTORE_CONFIG + valueFrom: + secretKeyRef: + name: {{ .Values.prometheus.thanos.objectStorageConfig.secretName }} + key: {{ .Values.prometheus.thanos.objectStorageConfig.secretKey |default "thanos.yaml" }} {{- end }} ports: - name: grpc From c29ff2480ccca00e47a0608dd5483e2bcdd365db Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Thu, 5 Mar 2020 15:31:03 +0100 Subject: [PATCH 04/49] Rename ConfigMap to Secret and added to production-values --- bitnami/prometheus-operator/values-production.yaml | 6 ++++++ bitnami/prometheus-operator/values.yaml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/bitnami/prometheus-operator/values-production.yaml b/bitnami/prometheus-operator/values-production.yaml index 637d61ca56895a..98719e54a42338 100644 --- a/bitnami/prometheus-operator/values-production.yaml +++ b/bitnami/prometheus-operator/values-production.yaml @@ -549,6 +549,12 @@ prometheus: # pullSecrets: # - myRegistryKeySecretName + ## Support mounting a Secret for the objectStorageConfig of the sideCar container. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/thanos.md + objectStorageConfig: {} + # secretName: thanos-objstore-config + # secretKey: thanos.yaml + ## Thanos Sidecar Service ## service: diff --git a/bitnami/prometheus-operator/values.yaml b/bitnami/prometheus-operator/values.yaml index 045a740aed93dd..c06ee2c803a333 100644 --- a/bitnami/prometheus-operator/values.yaml +++ b/bitnami/prometheus-operator/values.yaml 
@@ -555,7 +555,7 @@ prometheus: # - --log.level=debug # - --tsdb.path=/data/ - ## Support mounting a ConfigMap for the objectStorageConfig of the sideCar container. + ## Support mounting a Secret for the objectStorageConfig of the sideCar container. ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/thanos.md objectStorageConfig: {} # secretName: thanos-objstore-config From aed0b296ee5534f3d1c80a0590f6410b325720a4 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Thu, 5 Mar 2020 15:31:53 +0100 Subject: [PATCH 05/49] Fixed missing space --- .../prometheus-operator/templates/prometheus/prometheus.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml b/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml index cf2dc1c991fa5c..470e838954dded 100644 --- a/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml +++ b/bitnami/prometheus-operator/templates/prometheus/prometheus.yaml @@ -164,7 +164,7 @@ spec: valueFrom: secretKeyRef: name: {{ .Values.prometheus.thanos.objectStorageConfig.secretName }} - key: {{ .Values.prometheus.thanos.objectStorageConfig.secretKey |default "thanos.yaml" }} + key: {{ .Values.prometheus.thanos.objectStorageConfig.secretKey | default "thanos.yaml" }} {{- end }} ports: - name: grpc From dd14741575f512e8e6f52b5e05ad2a8bc22617f7 Mon Sep 17 00:00:00 2001 
From: Cellebyte Date: Tue, 17 Mar 2020 16:34:07 +0100 Subject: [PATCH 06/49] added the metallb chart --- bitnami/metallb/.helmignore | 22 ++ bitnami/metallb/Chart.yaml | 31 +++ bitnami/metallb/README.md | 124 ++++++++++++ bitnami/metallb/templates/NOTES.txt | 11 + bitnami/metallb/templates/_helpers.tpl | 189 ++++++++++++++++++ bitnami/metallb/templates/configmap.yaml | 10 + bitnami/metallb/templates/daemonset.yaml | 81 ++++++++ bitnami/metallb/templates/deployment.yaml | 68 +++++++ .../templates/prometheus/metallb.alerts.yaml | 31 +++ bitnami/metallb/templates/psp.yaml | 29 +++ bitnami/metallb/templates/rbac.yaml | 123 ++++++++++++ .../metallb/templates/service-accounts.yaml | 16 ++ bitnami/metallb/templates/servicemonitor.yaml | 92 +++++++++ .../templates/tests/test-connection.yaml | 14 ++ bitnami/metallb/values.yaml | 155 ++++++++++++++ 15 files changed, 996 insertions(+) create mode 100644 bitnami/metallb/.helmignore create mode 100644 bitnami/metallb/Chart.yaml create mode 100644 bitnami/metallb/README.md create mode 100644 bitnami/metallb/templates/NOTES.txt create mode 100644 bitnami/metallb/templates/_helpers.tpl create mode 100644 bitnami/metallb/templates/configmap.yaml create mode 100644 bitnami/metallb/templates/daemonset.yaml create mode 100644 bitnami/metallb/templates/deployment.yaml create mode 100644 bitnami/metallb/templates/prometheus/metallb.alerts.yaml create mode 100644 bitnami/metallb/templates/psp.yaml create mode 100644 bitnami/metallb/templates/rbac.yaml create mode 100644 bitnami/metallb/templates/service-accounts.yaml create mode 100644 bitnami/metallb/templates/servicemonitor.yaml create mode 100644 bitnami/metallb/templates/tests/test-connection.yaml create mode 100644 bitnami/metallb/values.yaml diff --git a/bitnami/metallb/.helmignore b/bitnami/metallb/.helmignore new file mode 100644 index 00000000000000..50af0317254197 --- /dev/null +++ b/bitnami/metallb/.helmignore 
@@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/bitnami/metallb/Chart.yaml b/bitnami/metallb/Chart.yaml new file mode 100644 index 00000000000000..75915648b5fc6d --- /dev/null +++ b/bitnami/metallb/Chart.yaml @@ -0,0 +1,31 @@ +apiVersion: v2 +name: metallb +description: The Metal LB for Kubernetes +appVersion: 0.8.3 +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application +keywords: + - "load-balancer" + - "balancer" + - "lb" + - "bgp" + - "arp" + - "vrrp" + - "vip" +home: https://metallb.universe.tf +icon: https://metallb.universe.tf/images/logo.png +sources: +- https://github.com/metallb/metallb +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +version: 0.1.3 +maintainers: + - name: cellebyte + url: https://github.com/Cellebyte diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md new file mode 100644 index 00000000000000..dd2de47d7663d9 --- /dev/null +++ b/bitnami/metallb/README.md 
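Review bot: `apiVersion: v2` (together with `type: application`) makes this a Helm 3-only chart, yet the README added in the same commit lists `Helm 2.11+ or Helm 3.0-beta3+` under Prerequisites and the helpers still carry Helm 2.9/2.10 workaround comments; either the prerequisites or the `apiVersion` should change so the two agree. The `sources:` sequence is flush (`- https://github.com/metallb/metallb`) while `keywords:` and `maintainers:` are indented; use one sequence indentation for the file. `version: 0.1.3` for a chart that first appears in this commit is surprising; a comment on where 0.1.0–0.1.2 were published, or starting at `0.1.0`, would remove the question.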
@@ -0,0 +1,124 @@ +# metallb + +[MetalLB](https://metallb.universe.tf/faq/) is an open source, rock solid LoadBalancer. It handles the `ServiceType: Loadbalancer`. + +## TL;DR; + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/metallb +``` + +## Introduction + +This chart bootstraps a [MetalLB Controller](https://metallb.universe.tf/community/) Controller Deployment and a [MetalLB Speaker](https://metallb.universe.tf/community/) Daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 2.11+ or Helm 3.0-beta3+ +- Virtual IPs for Layer 2 or Route Reflector for BGP setup. + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/metallb +``` + +These commands deploy metallb on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` helm release: + +```console +$ helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Parameters + +The following tables lists the configurable parameters of the metallb chart and their default values. 
+ +| Parameter | Description | Default | +|----------------------------------------------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------| +| `global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `controller.image.registry` | MetalLB Controller image registry | `docker.io` | +| `controller.image.repository` | MetalLB Controller image name | `metallb/controller` | +| `controller.image.tag` | MetalLB Controller image tag | `{TAG_NAME}` | +| `controller.pullPolicy` | MetalLB Controller image pull policy | `IfNotPresent` | +| `controller.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `controller.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` (does not add resource limits to deployed pods) | +| `controller.resources.requests` | Specify resource requests which the container needs to spawn. 
| `{}` (does not add resource limits to deployed pods) | +| `controller.nodeSelector` | Node labels for controller pod assignment | `{}` | +| `controller.tolerations` | Tolerations for controller pod assignment | `[]` | +| `controller.affinity` | Affinity for controller pod assignment | `{}` | +| `controller.podAnnotations` | Controller Pod annotations | `{}` | +| `controller.serviceAccount.create` | create a serviceAccount for the controller pod | `true` | +| `controller.serviceAccount.name` | use the serviceAccount with the specified name | "" | +| `speaker.image.registry` | MetalLB Speaker image registry | `docker.io` | +| `speaker.image.repository` | MetalLB Speaker image name | `metallb/speaker` | +| `speaker.image.tag` | MetalLB Speaker image tag | `{TAG_NAME}` | +| `speaker.pullPolicy` | MetalLB Speaker image pull policy | `IfNotPresent` | +| `speaker.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `speaker.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` (does not add resource limits to deployed pods) | +| `speaker.resources.requests` | Specify resource requests which the container needs to spawn. 
| `{}` (does not add resource limits to deployed pods) | +| `speaker.nodeSelector` | Node labels for speaker pod assignment | `{}` | +| `speaker.tolerations` | Tolerations for speaker pod assignment | `[]` | +| `speaker.affinity` | Affinity for speaker pod assignment | `{}` | +| `speaker.podAnnotations` | Speaker Pod annotations | `{}` | +| `speaker.serviceAccount.create` | create a serviceAccount for the speaker pod | `true` | +| `speaker.serviceAccount.name` | use the serviceAccount with the specified name | "" | +| `nameOverride` | String to partially override metallb.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override metallb.fullname template with a string | `nil` | +| `livenessProbe.enabled` | Enable/disable the Liveness probe | `true` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `60` | +| `livenessProbe.periodSeconds` | How often to perform the probe | `10` | +| `livenessProbe.timeoutSeconds` | When the probe times out | `5` | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` | +| `existingConfigMap` | Specify an existing configMapName to use. (this mutually exclusive with existingConfigMap) | `metallb-config` | +| `configInline` | Specify the config for metallb as a new configMap inline. | `{}` (does not create configMap) | +| `rbac.create` | Specify if an rbac authorization should be created with the necessarry Rolebindings. | `true` | +| `prometheus.serviceMonitor.enabled` | Specify if a servicemonitor will be deployed for prometheus-operator. 
| `true` | +| `prometheus.serviceMonitor.jobLabel` | Specify the jobLabel to use for the prometheus-operator | `metallb` | +| `prometheus.serviceMonitor.interval` | Specify the scrape interval if not specified use defaul prometheus scrapeIntervall | `""` | +| `prometheus.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics. | `[]` | +| `prometheus.serviceMonitor.relabelings` | Specify general relabeling. | `[]` | +| `prometheus.serviceMonitor.prometheusRule.enabled` | Enable prometheus alertmanager basic alerts. | `true` | + +## Configuration + +To configure [MetalLB](https://metallb.universe.tf) please look into the configuration section [MetalLB Configuration](https://metallb.universe.tf/configuration/). + +### Example Layer 2 configuration + +```yaml +configInline: + # The address-pools section lists the IP addresses that MetalLB is + # allowed to allocate, along with settings for how to advertise + # those addresses over BGP once assigned. You can have as many + # address pools as you want. + address-pools: + - # A name for the address pool. Services can request allocation + # from a specific address pool using this name, by listing this + # name under the 'metallb.universe.tf/address-pool' annotation. + name: generic-cluster-pool + # Protocol can be used to select how the announcement is done. + # Supported values are bgp and layer2. + protocol: layer2 + # A list of IP address ranges over which MetalLB has + # authority. You can list multiple ranges in a single pool, they + # will all share the same settings. Each range can be either a + # CIDR prefix, or an explicit start-end range of IPs. + addresses: + - 10.27.50.30-10.27.50.35 +``` \ No newline at end of file diff --git a/bitnami/metallb/templates/NOTES.txt b/bitnami/metallb/templates/NOTES.txt new file mode 100644 index 00000000000000..573e3e02492ed2 --- /dev/null +++ b/bitnami/metallb/templates/NOTES.txt 
@@ -0,0 +1,11 @@ + +MetalLB is now running in the cluster. +{{- if .Values.configInline }} +LoadBalancer Services in your cluster are now available on the IPs you +defined in MetalLB's configuration. To see IP assignments, +try `kubectl get services`. +{{- else }} +WARNING: you specified a ConfigMap that isn't managed by +Helm. LoadBalancer services will not function until you add that +ConfigMap to your cluster yourself. +{{- end }} \ No newline at end of file diff --git a/bitnami/metallb/templates/_helpers.tpl b/bitnami/metallb/templates/_helpers.tpl new file mode 100644 index 00000000000000..c184736d1784f6 --- /dev/null +++ b/bitnami/metallb/templates/_helpers.tpl 
@@ -0,0 +1,189 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "metallb.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper metallb controller image name +*/}} +{{- define "metallb.controller.image" -}} +{{- $registryName := .Values.controller.image.registry -}} +{{- $repositoryName := .Values.controller.image.repository -}} +{{- $tag := .Values.controller.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. +Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper metallb speaker image name +*/}} +{{- define "metallb.speaker.image" -}} +{{- $registryName := .Values.speaker.image.registry -}} +{{- $repositoryName := .Values.speaker.image.repository -}} +{{- $tag := .Values.speaker.image.tag | toString -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. 
+Also, we can't use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} + {{- if .Values.global.imageRegistry }} + {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} + {{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} + {{- end -}} +{{- else -}} + {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "metallb.labels" -}} +app: {{ include "metallb.name" . }} +app.kubernetes.io/name: {{ include "metallb.name" . }} +helm.sh/chart: {{ include "metallb.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "metallb.matchLabels" -}} +app.kubernetes.io/name: {{ include "metallb.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "metallb.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. 
+*/}} +{{- define "metallb.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "metallb.controller.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if .Values.controller.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.controller.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if .Values.controller.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.controller.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- end -}} + + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "metallb.speaker.imagePullSecrets" -}} +{{/* +Helm 2.11 supports the assignment of a value to a variable defined in a different scope, +but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. +Also, we can not use a single if because lazy evaluation is not an option +*/}} +{{- if .Values.global }} +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- else if .Values.speaker.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.speaker.image.pullSecrets }} + - name: {{ . }} +{{- end }} +{{- end -}} +{{- else if .Values.speaker.image.pullSecrets }} +imagePullSecrets: +{{- range .Values.speaker.image.pullSecrets }} + - name: {{ . 
}} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the controller service account to use +*/}} +{{- define "metallb.controllerServiceAccountName" -}} +{{- if .Values.controller.serviceAccount.create -}} + {{ default (printf "%s-controller" (include "metallb.fullname" .)) .Values.controller.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.controller.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the speaker service account to use +*/}} +{{- define "metallb.speakerServiceAccountName" -}} +{{- if .Values.speaker.serviceAccount.create -}} + {{ default (printf "%s-speaker" (include "metallb.fullname" .)) .Values.speaker.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.speaker.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the settings ConfigMap to use. +*/}} +{{- define "metallb.configMapName" -}} +{{- if .Values.configInline -}} + {{ include "metallb.fullname" . }} +{{- else -}} + {{ .Values.existingConfigMap }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/bitnami/metallb/templates/configmap.yaml b/bitnami/metallb/templates/configmap.yaml new file mode 100644 index 00000000000000..c9c9fb9e722e4e --- /dev/null +++ b/bitnami/metallb/templates/configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.configInline }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "metallb.fullname" . }} + labels: {{- include "metallb.labels" . | nindent 4}} +data: + config: | +{{ toYaml .Values.configInline | indent 4 }} +{{- end }} \ No newline at end of file diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml new file mode 100644 index 00000000000000..018603b9d13e6a --- /dev/null +++ b/bitnami/metallb/templates/daemonset.yaml 
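Review bot: `metallb.controller.image` and `metallb.speaker.image`, and likewise the two `imagePullSecrets` helpers, are line-for-line copies differing only in `.Values.controller` versus `.Values.speaker`; a single helper taking the image map as its argument (called as `include "metallb.image" .Values.controller.image`) would halve the template and keep the two components from drifting. `metallb.labels` emits both `app:` and `app.kubernetes.io/name:` with the same value while `metallb.matchLabels` uses only the latter; if the bare `app` label is kept for compatibility, a one-line comment saying so would stop a future cleanup from removing it. The Helm 2.9/2.10 scoping comments are copied from other charts; with `apiVersion: v2` in Chart.yaml they no longer describe a supported version, so consider dropping them.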
@@ -0,0 +1,81 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "metallb.fullname" . }}-speaker + labels: {{- include "metallb.labels" . | nindent 4 }} + component: speaker +spec: + selector: + matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }} + component: speaker + template: + metadata: + labels: {{- include "metallb.labels" . | nindent 8 }} + component: speaker + {{- if .Values.controller.podAnnotations }} + annotations: {{- toYaml .Values.controller.podAnnotations | nindent 8 }} + {{- end }} + spec: +{{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }} + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + serviceAccountName: {{ include "metallb.speakerServiceAccountName" . }} + terminationGracePeriodSeconds: 0 + hostNetwork: true + containers: + - name: speaker + image: {{ include "metallb.speaker.image" . }} + imagePullPolicy: {{ .Values.speaker.image.pullPolicy }} + args: + - --port=7472 + - --config={{ include "metallb.configMapName" . 
}} + env: + - name: METALLB_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: METALLB_HOST + valueFrom: + fieldRef: + fieldPath: status.hostIP + ports: + - name: http-metrics + containerPort: 7472 + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /metrics + port: http-metrics + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- end }} + resources: +{{ toYaml .Values.speaker.resources | indent 10 }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + nodeSelector: + "beta.kubernetes.io/os": linux + {{- with .Values.speaker.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.speaker.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.speaker.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml new file mode 100644 index 00000000000000..5ddda726cc3956 --- /dev/null +++ b/bitnami/metallb/templates/deployment.yaml 
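Review bot: The speaker pod template reads `.Values.controller.podAnnotations` for its annotations although the README documents `speaker.podAnnotations` for this DaemonSet; change the two lines to `{{- if .Values.speaker.podAnnotations }}` and `annotations: {{- toYaml .Values.speaker.podAnnotations | nindent 8 }}`. The pod spec also emits `tolerations:` twice whenever `speaker.tolerations` is set — once with the hard-coded master toleration and again under the `with` block after `nodeSelector` — which is a duplicate mapping key, so most parsers keep only the second (silently dropping the master toleration) and strict ones reject the manifest; the user-supplied entries should be appended inside the single `tolerations:` list. The container drops `ALL` and re-adds `NET_ADMIN`, `NET_RAW` and `SYS_ADMIN` on a `hostNetwork: true` pod; `SYS_ADMIN` is by far the broadest of the three, so a short comment on why the speaker needs it would help reviewers of the PodSecurityPolicy that mirrors this list.
```yaml
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        {{- with .Values.speaker.tolerations }}
{{ toYaml . | indent 8 }}
        {{- end }}
      # … unchanged: serviceAccountName, hostNetwork, containers, nodeSelector, affinity …
      # (the second `{{- with .Values.speaker.tolerations }}` / `tolerations:` stanza after nodeSelector is removed)
```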
@@ -0,0 +1,68 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "metallb.fullname" . }}-controller + labels: {{- include "metallb.labels" . | nindent 4 }} + component: controller +spec: + revisionHistoryLimit: 3 + selector: + matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }} + component: controller + template: + metadata: + labels: {{- include "metallb.labels" . | nindent 8 }} + component: controller + {{- if .Values.controller.podAnnotations }} + annotations: {{- toYaml .Values.controller.podAnnotations | nindent 8 }} + {{- end }} + spec: +{{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "metallb.controllerServiceAccountName" . }} + terminationGracePeriodSeconds: 0 + securityContext: + runAsNonRoot: true + runAsUser: 65534 # nobody + nodeSelector: + "beta.kubernetes.io/os": linux + {{- with .Values.controller.nodeSelector }} +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + containers: + - name: controller + image: {{ include "metallb.controller.image" . }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: + - --port=7472 + - --config={{ include "metallb.configMapName" . 
}} + ports: + - name: http-metrics + containerPort: 7472 + {{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /metrics + port: http-metrics + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + {{- end }} + resources: +{{ toYaml .Values.controller.resources | indent 10 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true diff --git a/bitnami/metallb/templates/prometheus/metallb.alerts.yaml b/bitnami/metallb/templates/prometheus/metallb.alerts.yaml new file mode 100644 index 00000000000000..d05ba41b3acede --- /dev/null +++ b/bitnami/metallb/templates/prometheus/metallb.alerts.yaml 
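Review bot: `drop: - all` uses lowercase `all` while the speaker DaemonSet in the same commit writes `- ALL`; Kubernetes documents the capability names in upper case, so write `- ALL` here too rather than relying on the container runtime's case handling. The field order also differs between the two templates — here `securityContext`, `nodeSelector`, `tolerations` and `affinity` precede `containers`, in the DaemonSet they follow it — which is valid but makes the two pod specs harder to compare; aligning the order is a cheap readability win. `runAsUser: 65534 # nobody` is a good default for the controller; since the PSP added alongside only covers the speaker, note in a comment that the controller is expected to run under the cluster's default policy.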
@@ -0,0 +1,31 @@
+{{- if and .Values.prometheus.prometheusRule.enabled .Values.prometheus.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ name: {{ include "metallb.fullname" . }}
+ labels:
+ heritage: {{ .Release.Service | quote }}
+ release: {{ .Release.Name | quote }}
+ chart: {{ include "metallb.chart" . }}
+ app: {{ include "metallb.name" . }}
+spec:
+ groups:
+ - name: {{ include "metallb.fullname" . }}.alerts
+ rules:
+ - alert: MetalLBStaleConfig
+ annotations:
+ message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container_name }} on {{ $labels.instance
+ }} has a stale config for > 1 minute'`}}
+ expr: metallb_k8s_client_config_stale_bool{job="{{ .Values.prometheus.serviceMonitor.jobLabel }}"} == 1
+ for: 1m
+ labels:
+ severity: warning
+ - alert: MetalLBConfigNotLoaded
+ annotations:
+ message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container_name }} on {{ $labels.instance
+ }} has not loaded for > 1 minute'`}}
+ expr: metallb_k8s_client_config_loaded_bool{job="{{ .Values.prometheus.serviceMonitor.jobLabel }}"} == 0
+ for: 1m
+ labels:
+ severity: warning
+{{- end }}
\ No newline at end of file
diff --git a/bitnami/metallb/templates/psp.yaml b/bitnami/metallb/templates/psp.yaml
new file mode 100644
index 00000000000000..8685370fa7bbe8
--- /dev/null
+++ b/bitnami/metallb/templates/psp.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.rbac.create -}}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "metallb.fullname" . }}-speaker
+ labels: {{- include "metallb.labels" . | nindent 4}}
+spec:
+ hostNetwork: true
+ hostPorts:
+ - max: 7472
+ min: 7472
+ privileged: true
+ allowPrivilegeEscalation: false
+ allowedCapabilities:
+ - 'NET_ADMIN'
+ - 'NET_RAW'
+ - 'SYS_ADMIN'
+ volumes:
+ - '*'
+ fsGroup:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+{{- end -}}
\ No newline at end of file 
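Review bot: The guard `{{- if and .Values.prometheus.prometheusRule.enabled .Values.prometheus.enabled }}` reads `prometheus.enabled`, which the values.yaml added in this same commit never defines (its `prometheus:` block only contains `serviceMonitor` and `prometheusRule`), so with default values the condition is always false and the PrometheusRule is never rendered even though `prometheusRule.enabled: true`. Either drop the second operand, `{{- if .Values.prometheus.prometheusRule.enabled }}`, or add a documented `prometheus.enabled` key to values.yaml. The README parameter table added in a later commit lists this switch as `prometheus.serviceMonitor.prometheusRule.enabled`, which is not the path this template reads either.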
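Review bot: The policy is named `{{ include "metallb.fullname" . }}-speaker`, but the speaker ClusterRole in rbac.yaml (same commit) grants `use` on `resourceNames: - speaker`, so once the PodSecurityPolicy admission plugin is enforcing, the speaker service account is not authorised for this policy and its pods are rejected; the rule should read `resourceNames: - {{ include "metallb.fullname" . }}-speaker`. Separately, the policy allows `privileged: true` and `volumes: - '*'`, which is broader than the speaker container appears to need — the daemonset hunk later in this series shows it adding only `NET_ADMIN`, `NET_RAW` and `SYS_ADMIN` — so `privileged: false` plus an explicit list of the volume types actually mounted would bring the policy in line with the workload, unless the speaker relies on privileged mode somewhere outside this chunk.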
diff --git a/bitnami/metallb/templates/rbac.yaml b/bitnami/metallb/templates/rbac.yaml
new file mode 100644
index 00000000000000..f3c64bcf2493dd
--- /dev/null
+++ b/bitnami/metallb/templates/rbac.yaml 
@@ -0,0 +1,123 @@
+{{- if .Values.rbac.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "metallb.fullname" . }}:controller
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - services/status
+ verbs:
+ - update
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "metallb.fullname" . }}:speaker
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - services
+ - endpoints
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ''
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - extensions
+ resourceNames:
+ - speaker
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "metallb.fullname" . }}-config-watcher
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+---
+
+## Role bindings
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "metallb.fullname" . }}:controller
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "metallb.controllerServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "metallb.fullname" . }}:controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "metallb.fullname" . }}:speaker
+ labels: {{- include "metallb.labels" . 
| nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "metallb.speakerServiceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "metallb.fullname" . }}:speaker
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "metallb.fullname" . }}-config-watcher
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "metallb.controllerServiceAccountName" . }}
+- kind: ServiceAccount
+ name: {{ include "metallb.speakerServiceAccountName" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "metallb.fullname" . }}-config-watcher
+{{- end -}}
\ No newline at end of file
diff --git a/bitnami/metallb/templates/service-accounts.yaml b/bitnami/metallb/templates/service-accounts.yaml
new file mode 100644
index 00000000000000..410dcaeb7d9fc7
--- /dev/null
+++ b/bitnami/metallb/templates/service-accounts.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.controller.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "metallb.controllerServiceAccountName" . }}
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+{{- end }}
+{{- if .Values.speaker.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "metallb.speakerServiceAccountName" . }}
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/bitnami/metallb/templates/servicemonitor.yaml b/bitnami/metallb/templates/servicemonitor.yaml
new file mode 100644
index 00000000000000..de982d37c06464
--- /dev/null
+++ b/bitnami/metallb/templates/servicemonitor.yaml 
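Review bot: Sequence indentation is mixed inside rbac.yaml: the `rules:` lists are written in the indented form (`- apiGroups:` nested under the key) while every `subjects:` list is flush (`- kind: ServiceAccount` at the key's own column), and there is a stray blank line between the `---` separator and the `## Role bindings` comment. Pick one sequence style for the whole template and drop the blank line so yamllint's `indentation` and `empty-lines` checks pass on the rendered output. The `resourceNames: - speaker` entry in the speaker ClusterRole is discussed on the psp.yaml hunk, whose policy name it has to match.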
@@ -0,0 +1,92 @@
+{{- if .Values.prometheus.serviceMonitor.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "metallb.fullname" . }}-controller-metrics
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+ jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel }}
+ component: controller
+spec:
+ type: ClusterIP
+ selector: {{- include "metallb.matchLabels" . | nindent 4 }}
+ component: controller
+ ports:
+ - name: http-metrics
+ port: 7472
+ protocol: TCP
+ targetPort: 7472
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "metallb.fullname" . }}-speaker-metrics
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+ jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel }}
+ component: speaker
+spec:
+ type: ClusterIP
+ selector: {{- include "metallb.matchLabels" . | nindent 4 }}
+ component: speaker
+ ports:
+ - name: http-metrics
+ port: 7472
+ protocol: TCP
+ targetPort: 7472
+
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "metallb.fullname" . }}-controller
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+ component: controller
+spec:
+ jobLabel: jobLabel
+ selector:
+ matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }}
+ component: controller
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ endpoints:
+ - port: http-metrics
+ {{- if .Values.prometheus.serviceMonitor.interval }}
+ interval: {{ .Values.prometheus.serviceMonitor.interval }}
+ {{- end }}
+{{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+{{ toYaml .Values.prometheus.serviceMonitor.metricRelabelings | indent 4 }}
+{{- end }}
+{{- if .Values.prometheus.serviceMonitor.relabelings }}
+ relabelings:
+{{ toYaml .Values.prometheus.serviceMonitor.relabelings | indent 4 }}
+{{- end }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ include "metallb.fullname" . 
}}-speaker
+ labels: {{- include "metallb.labels" . | nindent 4}}
+ component: speaker
+spec:
+ jobLabel: jobLabel
+ selector:
+ matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }}
+ component: speaker
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ endpoints:
+ - port: http-metrics
+ {{- if .Values.prometheus.serviceMonitor.interval }}
+ interval: {{ .Values.prometheus.serviceMonitor.interval }}
+ {{- end }}
+{{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+{{ toYaml .Values.prometheus.serviceMonitor.metricRelabelings | indent 4 }}
+{{- end }}
+{{- if .Values.prometheus.serviceMonitor.relabelings }}
+ relabelings:
+{{ toYaml .Values.prometheus.serviceMonitor.relabelings | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/bitnami/metallb/templates/tests/test-connection.yaml b/bitnami/metallb/templates/tests/test-connection.yaml
new file mode 100644
index 00000000000000..f8333b57a2499e
--- /dev/null
+++ b/bitnami/metallb/templates/tests/test-connection.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "metallb.fullname" . }}-test-connection"
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "metallb.fullname" . }}:7472']
+ restartPolicy: Never
diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml
new file mode 100644
index 00000000000000..88a2717d8e5c6d
--- /dev/null
+++ b/bitnami/metallb/values.yaml 
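Review bot: `jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel }}` is emitted unquoted inside the `labels:` of both metrics Services; label values must be strings, so a numeric-looking value (a job named `2020`, say) renders as an integer and the API server rejects the Service. Pipe it through `quote` on both Services, `jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}`. The same value is interpolated into the alert `expr` in metallb.alerts.yaml, where it already sits inside double quotes, so nothing changes there.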
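Review bot: The test pod runs `wget` against `{{ include "metallb.fullname" . }}:7472`, but no Service with that name is created anywhere in this commit — the only Services are `<fullname>-controller-metrics` and `<fullname>-speaker-metrics` in servicemonitor.yaml, and those exist only when `prometheus.serviceMonitor.enabled` is true — so `helm test` fails on name resolution; the same line is carried unchanged into the later `bitnami/minideb` commit. Point it at a Service the chart actually renders, e.g. `args: ['{{ include "metallb.fullname" . }}-controller-metrics:7472']`, and either guard the test with the same condition or add a metrics Service that does not depend on the Prometheus Operator switch. `image: busybox` is untagged, so the test image drifts with every run; pin a tag. `"helm.sh/hook": test-success` is the Helm 2 spelling, which Helm 3 still accepts but documents as `test`.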
@@ -0,0 +1,155 @@
+## Default values for metallb.
+## This is a YAML-formatted file.
+## Declare variables to be passed into your templates.
+
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets
+##
+# global:
+# imageRegistry: myRegistryName
+# imagePullSecrets:
+# - myRegistryKeySecretName
+
+## To configure MetalLB, you must specify ONE of the following two
+## options.
+#
+## existingConfigMap specifies the name of an externally-defined
+## ConfigMap to use as the configuration. Helm will not manage the
+## contents of this ConfigMap, it is your responsibility to create it.
+#
+existingConfigMap: metallb-config
+#
+## configInline specifies MetalLB's configuration directly, in yaml
+## format. When configInline is used, Helm manages MetalLB's
+## configuration ConfigMap as part of the release, and
+## existingConfigMap is ignored.
+## Refer to https://metallb.universe.tf/configuration/ for
+## available options.
+#
+configInline: {}
+
+## String to partially override metallb.fullname include (will maintain the release name)
+##
+# nameOverride:
+
+## String to fully override metallb.fullname template
+##
+# fullnameOverride:
+
+rbac:
+ # create specifies whether to install and use RBAC rules.
+ create: true
+
+prometheus:
+ # Prometheus Operator service monitors
+ serviceMonitor:
+ # enable support for Prometheus Operator
+ enabled: true
+ # Job label for scrape target
+ jobLabel: metallb
+ # Scrape interval. If not set, the Prometheus default scrape interval is used.
+ interval: ""
+ metricRelabelings: []
+ relabelings: []
+
+ # Prometheus Operator alertmanager alerts
+ prometheusRule:
+ enabled: true
+
+## Metallb Controller deployment. 
+## ref: https://hub.docker.com/r/metallb/controller/tags
+controller:
+ image:
+ registry: docker.io
+ repository: metallb/controller
+ tag: v0.8.3
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+ ## Controller container resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources:
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ limits: {}
+ # cpu: 100m
+ # memory: 100Mi
+ requests: {}
+ # memory: 25Mi
+ # cpu: 25m
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+ serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+ # The name of the ServiceAccount to use. If not set and create is
+ # true, a name is generated using the fullname template
+ name: ""
+
+## Metallb Speaker daemonset.
+## ref: https://hub.docker.com/r/metallb/speaker/tags
+speaker:
+ image:
+ registry: docker.io
+ repository: metallb/speaker
+ tag: v0.8.3
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ##
+ # pullSecrets:
+ # - myRegistryKeySecretName
+
+ ## Speaker container resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources:
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ limits: {}
+ # cpu: 100m
+ # memory: 100Mi
+ requests: {}
+ # memory: 25Mi
+ # cpu: 25m
+ nodeSelector: {}
+ tolerations: []
+ affinity: {}
+ serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+ # The name of the ServiceAccount to use. If not set and create is
+ # true, a name is generated using the fullname template
+ name: ""
+
+
+## Configure extra options for liveness probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 180
+ periodSeconds: 20
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
\ No newline at end of file
From 2a63ad75ba6bcff11d6cbf2d170717f0d20b697d Mon Sep 17 00:00:00 2001
From: Marcel Fest
Date: Wed, 18 Mar 2020 15:13:33 +0100
Subject: [PATCH 07/49] Update bitnami/metallb/Chart.yaml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Carlos Rodríguez Hernández
---
bitnami/metallb/Chart.yaml | 18 +++++-------------
1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/bitnami/metallb/Chart.yaml b/bitnami/metallb/Chart.yaml
index 75915648b5fc6d..cd7c87549bace7 100644
--- a/bitnami/metallb/Chart.yaml
+++ b/bitnami/metallb/Chart.yaml 
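Review bot: `prometheus.serviceMonitor.enabled` and `prometheus.prometheusRule.enabled` both default to `true`, so a plain `helm install` renders `monitoring.coreos.com/v1` ServiceMonitor objects (and PrometheusRule, whenever its template guard is satisfied) and fails on any cluster that does not have the Prometheus Operator CRDs installed. Default both to `false` and let users opt in, and document that default in the README parameter table. The default `existingConfigMap: metallb-config` likewise names a ConfigMap this chart never creates; the comment above it says so, but it is worth repeating in the README, since MetalLB stays unconfigured until that ConfigMap exists.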
@@ -1,16 +1,7 @@
-apiVersion: v2
+apiVersion: v1
 name: metallb
 description: The Metal LB for Kubernetes
 appVersion: 0.8.3
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
 keywords:
 - "load-balancer"
 - "balancer"
@@ -22,10 +13,11 @@ keywords:
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo.png
 sources:
-- https://github.com/metallb/metallb
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
+ - https://github.com/metallb/metallb
+ - https://github.com/bitnami/bitnami-docker-metallb
 version: 0.1.3
 maintainers:
 - name: cellebyte
 url: https://github.com/Cellebyte
+ - name: Bitnami
+ email: containers@bitnami.com
From 27cdbbee2cb48bde6369a3baff26a104be2d2d64 Mon Sep 17 00:00:00 2001
From: Marcel Fest
Date: Wed, 18 Mar 2020 15:14:33 +0100
Subject: [PATCH 08/49] Update bitnami/metallb/README.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Carlos Rodríguez Hernández
---
bitnami/metallb/README.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md
index dd2de47d7663d9..b9e84469f1709e 100644
--- a/bitnami/metallb/README.md
+++ b/bitnami/metallb/README.md 
@@ -10,9 +10,11 @@ $ helm install my-release bitnami/metallb
 ```
 ## Introduction
+Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads.
 This chart bootstraps a [MetalLB Controller](https://metallb.universe.tf/community/) Controller Deployment and a [MetalLB Speaker](https://metallb.universe.tf/community/) Daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters.
 This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
 ## Prerequisites
@@ -121,4 +123,4 @@ configInline:
 # CIDR prefix, or an explicit start-end range of IPs.
 addresses:
 - 10.27.50.30-10.27.50.35
-```
\ No newline at end of file
+```
From 767ada91ea0f18fe7a9c0ce74cf5e4b8d1955952 Mon Sep 17 00:00:00 2001
From: Marcel Fest
Date: Wed, 18 Mar 2020 15:15:00 +0100
Subject: [PATCH 09/49] Update bitnami/metallb/templates/tests/test-connection.yaml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Carlos Rodríguez Hernández
---
bitnami/metallb/templates/tests/test-connection.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bitnami/metallb/templates/tests/test-connection.yaml b/bitnami/metallb/templates/tests/test-connection.yaml
index f8333b57a2499e..0a1cc3d73b667f 100644
--- a/bitnami/metallb/templates/tests/test-connection.yaml
+++ b/bitnami/metallb/templates/tests/test-connection.yaml 
@@ -8,7 +8,7 @@ metadata:
 spec:
 containers:
 - name: wget
- image: busybox
+ image: bitnami/minideb:buster
 command: ['wget']
 args: ['{{ include "metallb.fullname" . }}:7472']
 restartPolicy: Never
From 9e982a24366dc4222f7a15d48e6e1c8ab9300bdc Mon Sep 17 00:00:00 2001
From: Marcel Fest
Date: Wed, 18 Mar 2020 15:15:07 +0100
Subject: [PATCH 10/49] Update bitnami/metallb/values.yaml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Carlos Rodríguez Hernández
---
bitnami/metallb/values.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml
index 88a2717d8e5c6d..6c28746b795e57 100644
--- a/bitnami/metallb/values.yaml
+++ b/bitnami/metallb/values.yaml
@@ -62,8 +62,8 @@ prometheus:
 controller:
 image:
 registry: docker.io
- repository: metallb/controller
- tag: v0.8.3
+ repository: bitnami/metallb-controller
+ tag: 0.8.3-debian-10-r0
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
 ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -152,4 +152,4 @@ livenessProbe:
 periodSeconds: 20
 timeoutSeconds: 5
 failureThreshold: 6
- successThreshold: 1
\ No newline at end of file
+ successThreshold: 1
From 9304c192377f214a40c27e79ec3f1f6f4f1c157a Mon Sep 17 00:00:00 2001
From: Marcel Fest
Date: Wed, 18 Mar 2020 15:15:16 +0100
Subject: [PATCH 11/49] Update bitnami/metallb/values.yaml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Carlos Rodríguez Hernández
---
bitnami/metallb/values.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml
index 6c28746b795e57..927edd4492e6db 100644
--- a/bitnami/metallb/values.yaml
+++ b/bitnami/metallb/values.yaml 
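Review bot: `bitnami/minideb:buster` is a minimal Debian base image and, as far as I know, does not ship `wget`, while `command: ['wget']` on the context line below is kept unchanged, so the test container would exit with a command-not-found error instead of probing the endpoint. Either install the tool in the test image or switch to an image that carries it, and confirm by running `helm test` once against a release. Pinning to `buster` rather than an untagged image is the right direction; a fully immutable tag would be better still, as the README added later in this series itself recommends.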
@@ -105,8 +105,8 @@ controller:
 speaker:
 image:
 registry: docker.io
- repository: metallb/speaker
- tag: v0.8.3
+ repository: bitnami/metallb-speaker
+ tag: 0.8.3-debian-10-r0
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
 ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
From 6ce2a0c6547ddb71b65d8a421a6d0b5462bd747f Mon Sep 17 00:00:00 2001
From: Marcel Fest
Date: Wed, 18 Mar 2020 17:31:30 +0100
Subject: [PATCH 12/49] Update README.md
---
bitnami/metallb/README.md | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md
index b9e84469f1709e..2f1769f675f87f 100644
--- a/bitnami/metallb/README.md
+++ b/bitnami/metallb/README.md
@@ -97,6 +97,15 @@ The following tables lists the configurable parameters of the metallb chart and
 | `prometheus.serviceMonitor.relabelings` | Specify general relabeling. | `[]` |
 | `prometheus.serviceMonitor.prometheusRule.enabled` | Enable prometheus alertmanager basic alerts. | `true` |
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+$ helm install my-release \
+ --set livenessProbe.successThreshold=5 \
+ bitnami/metallb
+```
+The above command sets the `livenessProbe.successThreshold` to `5`.
+
 ## Configuration
 To configure [MetalLB](https://metallb.universe.tf) please look into the configuration section [MetalLB Configuration](https://metallb.universe.tf/configuration/).
From 67f34eba1c083af8a736daecc9c5c48479b403d1 Mon Sep 17 00:00:00 2001
From: Marcel Fest
Date: Wed, 18 Mar 2020 17:34:49 +0100
Subject: [PATCH 13/49] Update bitnami/metallb/README.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Carlos Rodríguez Hernández
---
bitnami/metallb/README.md | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md
index 2f1769f675f87f..237c3cd0b15ad2 100644
--- a/bitnami/metallb/README.md
+++ b/bitnami/metallb/README.md
@@ -106,7 +106,13 @@ $ helm install my-release \
 ```
 The above command sets the `livenessProbe.successThreshold` to `5`.
-## Configuration
+## Configuration and installation details
+
+### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
+
+It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
+
+Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
 To configure [MetalLB](https://metallb.universe.tf) please look into the configuration section [MetalLB Configuration](https://metallb.universe.tf/configuration/).
From b36ec66726942767a4e85fedcded3482f12ffa2e Mon Sep 17 00:00:00 2001
From: Marcel Fest
Date: Fri, 20 Mar 2020 12:41:26 +0100
Subject: [PATCH 14/49] fixed `---`
---
bitnami/metallb/templates/deployment.yaml | 1 -
1 file changed, 1 deletion(-)
diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml
index 5ddda726cc3956..808bcf3be9b62f 100644
--- a/bitnami/metallb/templates/deployment.yaml
+++ b/bitnami/metallb/templates/deployment.yaml
@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
From f104ce4d2cc02377a14c63749dbcb3be2a4d733c Mon Sep 17 00:00:00 2001
From: Cellebyte
Date: Sat, 21 Mar 2020 09:29:24 +0100
Subject: [PATCH 15/49] Added templating
---
bitnami/metallb/templates/_helpers.tpl | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/bitnami/metallb/templates/_helpers.tpl b/bitnami/metallb/templates/_helpers.tpl
index c184736d1784f6..ffa3ce78635cc7 100644
--- a/bitnami/metallb/templates/_helpers.tpl 
+++ b/bitnami/metallb/templates/_helpers.tpl
@@ -186,4 +186,17 @@ Create the name of the settings ConfigMap to use.
 {{- else -}}
 {{ .Values.existingConfigMap }}
 {{- end -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "metallb.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "metallb.tplValue" -}}
+ {{- if typeIs "string" .value }}
+ {{- tpl .value .context }}
+ {{- else }}
+ {{- tpl (.value | toYaml) .context }}
+ {{- end }}
+{{- end -}}
From e0827e68c35c8973ca6d31a3591721b029fc79fe Mon Sep 17 00:00:00 2001
From: Cellebyte
Date: Sat, 21 Mar 2020 11:36:17 +0100
Subject: [PATCH 16/49] Fixed some bugs and added securityContext also bumped metallb appVersion
---
bitnami/metallb/templates/daemonset.yaml | 23 +++++--------
bitnami/metallb/templates/deployment.yaml | 26 +++++++-------
bitnami/metallb/values.yaml | 41 +++++++++++++++++++++--
3 files changed, 60 insertions(+), 30 deletions(-)
diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml
index 018603b9d13e6a..14f4de874c3986 100644
--- a/bitnami/metallb/templates/daemonset.yaml
+++ b/bitnami/metallb/templates/daemonset.yaml
@@ -13,8 +13,8 @@ spec:
 metadata:
 labels: {{- include "metallb.labels" . | nindent 8 }}
 component: speaker
- {{- if .Values.controller.podAnnotations }}
- annotations: {{- toYaml .Values.controller.podAnnotations | nindent 8 }}
+ {{- if .Values.speaker.podAnnotations }}
+ annotations: {{- toYaml .Values.speaker.podAnnotations | nindent 8 }}
 {{- end }}
 spec:
 {{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }} 
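Review bot: The header comment for `metallb.tplValue` should state what the helper actually does with its input: the value is passed through `tpl` against the supplied `context`, so any string (or, after `toYaml`, any map or list) routed through it is itself evaluated as a Go template with access to `.Values`, `.Release` and the chart's named templates, and a value that contains a literal `{{` must be escaped by whoever supplies it. Suggested line under "Renders a value that contains template.": `The value is rendered with tpl against "context" ($), so it may reference .Values, .Release and named templates; literal {{ }} in a value must be escaped.` This matters because the following commit routes nodeSelector, affinity and tolerations through this helper, and users setting those values need to know they are templates rather than plain YAML.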
@@ -66,16 +66,11 @@ spec:
 - NET_ADMIN
 - NET_RAW
 - SYS_ADMIN
- nodeSelector:
+ nodeSelector: {{- include "metallb.tplValue" (dict "value" .Values.speaker.nodeSelector "context" $) | nindent 8 }}
 "beta.kubernetes.io/os": linux
- {{- with .Values.speaker.nodeSelector }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.speaker.tolerations }}
- tolerations:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.speaker.affinity }}
- affinity:
-{{ toYaml . | indent 8 }}
- {{- end }}
+ {{- if .Values.speaker.affinity }}
+ affinity: {{- include "metallb.tplValue" (dict "value" .Values.speaker.affinity "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.speaker.tolerations}}
+ tolerations: {{- include "metallb.tplValue" (dict "value" .Values.speaker.tolerations "context" $) | nindent 8 }}
+ {{- end }}
diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml
index 808bcf3be9b62f..8c8871e6d5c5dc 100644
--- a/bitnami/metallb/templates/deployment.yaml
+++ b/bitnami/metallb/templates/deployment.yaml 
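Review bot: `nodeSelector: {{- include "metallb.tplValue" (dict "value" .Values.speaker.nodeSelector "context" $) | nindent 8 }}` followed by the fixed `"beta.kubernetes.io/os": linux` line does not render to valid YAML with the default `speaker.nodeSelector: {}` from values.yaml: `toYaml` of an empty map is `{}`, so the output is `nodeSelector:` with `{}` on its own line and then a mapping key at the same indent, which the YAML parser rejects and `helm install` fails on. The deployment.yaml hunk that follows has the identical construct for `controller.nodeSelector` and needs the same fix. Put the fixed label first and only splice in the user map when it is non-empty, as below; the enclosing pod spec starts before this hunk.
```yaml
      nodeSelector:
        "beta.kubernetes.io/os": linux
        {{- if .Values.speaker.nodeSelector }}
        {{- include "metallb.tplValue" (dict "value" .Values.speaker.nodeSelector "context" $) | nindent 8 }}
        {{- end }}
      # … unchanged: affinity and tolerations blocks …
```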
@@ -20,22 +20,20 @@ spec:
 {{- include "metallb.controller.imagePullSecrets" . | nindent 6 }}
 serviceAccountName: {{ include "metallb.controllerServiceAccountName" . }}
 terminationGracePeriodSeconds: 0
+ {{- if .Values.controller.securityContext.enabled }}
 securityContext:
- runAsNonRoot: true
- runAsUser: 65534 # nobody
- nodeSelector:
+ runAsUser: {{ .Values.controller.securityContext.runAsUser }}
+ fsGroup: {{ .Values.controller.securityContext.fsGroup }}
+ runAsNonRoot: {{ .Values.controller.securityContext.runAsNonRoot }}
+ {{- end }}
+ nodeSelector: {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }}
 "beta.kubernetes.io/os": linux
- {{- with .Values.controller.nodeSelector }}
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.controller.tolerations }}
- tolerations:
-{{ toYaml . | indent 8 }}
- {{- end }}
- {{- with .Values.controller.affinity }}
- affinity:
-{{ toYaml . | indent 8 }}
- {{- end }}
+ {{- if .Values.controller.affinity }}
+ affinity: {{- include "metallb.tplValue" (dict "value" .Values.controller.affinity "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.controller.tolerations}}
+ tolerations: {{- include "metallb.tplValue" (dict "value" .Values.controller.tolerations "context" $) | nindent 8 }}
+ {{- end }}
 containers:
 - name: controller
 image: {{ include "metallb.controller.image" . }}
diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml
index 927edd4492e6db..a9793d682a25ec 100644
--- a/bitnami/metallb/values.yaml
+++ b/bitnami/metallb/values.yaml
@@ -63,7 +63,7 @@ controller:
 image:
 registry: docker.io
 repository: bitnami/metallb-controller
- tag: 0.8.3-debian-10-r0
+ tag: 0.9.2-debian-10-r0
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
 ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images 
@@ -90,15 +90,36 @@ controller:
 requests: {}
 # memory: 25Mi
 # cpu: 25m
+ ## Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
 nodeSelector: {}
+
+ ## Tolerations for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
 tolerations: []
+
+ ## Affinity for pod assignment
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ##
 affinity: {}
+
+ ## Pod annotations
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
 serviceAccount:
 # Specifies whether a ServiceAccount should be created
 create: true
 # The name of the ServiceAccount to use. If not set and create is
 # true, a name is generated using the fullname template
 name: ""
+ securityContext:
+ enabled: true
+ runAsNonRoot: true
+ runAsUser: 65534 # nobody
+ fsGroup: 65534
 ## Metallb Speaker daemonset.
 ## ref: https://hub.docker.com/r/metallb/speaker/tags
@@ -106,7 +127,7 @@ speaker:
 image:
 registry: docker.io
 repository: bitnami/metallb-speaker
- tag: 0.8.3-debian-10-r0
+ tag: 0.9.2-debian-10-r0
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
 ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images 
@@ -133,9 +154,25 @@ speaker: requests: {} # memory: 25Mi # cpu: 25m + ## Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## nodeSelector: {} + + ## Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## tolerations: [] + + ## Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## affinity: {} + + ## Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} serviceAccount: # Specifies whether a ServiceAccount should be created create: true From 7f9bcaf8041021b1750f62a3a350a0ca8cc8986c Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Sat, 21 Mar 2020 11:36:46 +0100 Subject: [PATCH 17/49] Bumped versions --- bitnami/metallb/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bitnami/metallb/Chart.yaml b/bitnami/metallb/Chart.yaml index cd7c87549bace7..b3b2828448a0cd 100644 --- a/bitnami/metallb/Chart.yaml +++ b/bitnami/metallb/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: metallb description: The Metal LB for Kubernetes -appVersion: 0.8.3 +appVersion: 0.92 keywords: - "load-balancer" - "balancer" @@ -15,7 +15,7 @@ icon: https://metallb.universe.tf/images/logo.png sources: - https://github.com/metallb/metallb - https://github.com/bitnami/bitnami-docker-metallb -version: 0.1.3 +version: 0.1.4 maintainers: - name: cellebyte url: https://github.com/Cellebyte From a8ab8153f470fdca3b860b74249d10b51a25a2c6 Mon Sep 17 00:00:00 2001 
From: Cellebyte Date: Mon, 23 Mar 2020 11:22:44 +0100 Subject: [PATCH 18/49] Added metallb templates --- bitnami/metallb/templates/daemonset.yaml | 41 +++++--- bitnami/metallb/templates/deployment.yaml | 41 +++++--- bitnami/metallb/templates/psp.yaml | 5 +- bitnami/metallb/templates/servicemonitor.yaml | 16 +-- .../templates/tests/test-connection.yaml | 8 +- bitnami/metallb/values.yaml | 97 +++++++++++++------ 6 files changed, 137 insertions(+), 71 deletions(-) diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index 14f4de874c3986..ea2c0df13f827c 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -29,7 +29,7 @@ spec: image: {{ include "metallb.speaker.image" . }} imagePullPolicy: {{ .Values.speaker.image.pullPolicy }} args: - - --port=7472 + - --port={{ .Values.speaker.daemonset.hostPorts.metrics }} - --config={{ include "metallb.configMapName" . }} env: - name: METALLB_NODE_NAME 
@@ -41,21 +41,33 @@ spec: fieldRef: fieldPath: status.hostIP ports: - - name: http-metrics - containerPort: 7472 - {{- if .Values.livenessProbe.enabled }} + - name: metrics + containerPort: {{ .Values.speaker.daemonset.hostPorts.metrics }} + {{- if .Values.speaker.livenessProbe.enabled }} livenessProbe: httpGet: path: /metrics - port: http-metrics - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + port: metrics + initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.speaker.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /metrics + port: metrics + initialDelaySeconds: {{ .Values.speaker.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.speaker.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.speaker.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.speaker.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.speaker.readinessProbe.failureThreshold }} + {{- end }} + {{- if .Values.speaker.resources }} + resources: {{- toYaml .Values.speaker.resources | nindent 10 }} {{- end }} - resources: -{{ toYaml .Values.speaker.resources | indent 10 }} securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true 
@@ -66,7 +78,10 @@ spec: - NET_ADMIN - NET_RAW - SYS_ADMIN - nodeSelector: {{- include "metallb.tplValue" (dict "value" .Values.speaker.nodeSelector "context" $) | nindent 8 }} + nodeSelector: + {{- if .Values.controller.nodeSelector }} +{{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | indent 8 }} + {{- end }} "beta.kubernetes.io/os": linux {{- if .Values.speaker.affinity }} affinity: {{- include "metallb.tplValue" (dict "value" .Values.speaker.affinity "context" $) | nindent 8 }} diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index 8c8871e6d5c5dc..72493afd9e7ade 100644 --- a/bitnami/metallb/templates/deployment.yaml +++ b/bitnami/metallb/templates/deployment.yaml @@ -26,7 +26,10 @@ spec: fsGroup: {{ .Values.controller.securityContext.fsGroup }} runAsNonRoot: {{ .Values.controller.securityContext.runAsNonRoot }} {{- end }} - nodeSelector: {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }} + nodeSelector: + {{- if .Values.controller.nodeSelector }} +{{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | indent 8 }} + {{- end }} "beta.kubernetes.io/os": linux {{- if .Values.controller.affinity }} affinity: {{- include "metallb.tplValue" (dict "value" .Values.controller.affinity "context" $) | nindent 8 }} 
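Review bot: The speaker DaemonSet's new `nodeSelector` block reads `.Values.controller.nodeSelector` in both the `if` and the include, so a selector set under `speaker.nodeSelector` is ignored and the controller's selector is applied to the speaker pods; both references should be `.Values.speaker.nodeSelector`. In this hunk and in the deployment.yaml hunk that follows it, the include line starts with `{{-` and uses `indent 8`: the leading `-` trims the newline left after the preceding `{{- if }}`, so the first selector key appears to land on the same line as `nodeSelector:`; using `nindent 8` there, as the removed line did, or dropping the leading `-` restores one key per line. The `"beta.kubernetes.io/os": linux` line that follows is a context line, so its indentation relative to the included keys cannot be checked from this hunk.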
@@ -39,24 +42,36 @@ spec: image: {{ include "metallb.controller.image" . }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} args: - - --port=7472 + - --port={{ .Values.controller.containerPort.metrics }} - --config={{ include "metallb.configMapName" . }} ports: - - name: http-metrics - containerPort: 7472 - {{- if .Values.livenessProbe.enabled }} + - name: metrics + containerPort: {{ .Values.controller.containerPort.metrics }} + {{- if .Values.controller.livenessProbe.enabled }} livenessProbe: httpGet: path: /metrics - port: http-metrics - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - successThreshold: {{ .Values.livenessProbe.successThreshold }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + port: metrics + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.controller.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /metrics + port: metrics + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{- toYaml .Values.controller.resources | nindent 10 }} {{- end }} - resources: -{{ toYaml .Values.controller.resources | indent 10 }} securityContext: 
allowPrivilegeEscalation: false capabilities: diff --git a/bitnami/metallb/templates/psp.yaml b/bitnami/metallb/templates/psp.yaml index 8685370fa7bbe8..7e7655f607dfab 100644 --- a/bitnami/metallb/templates/psp.yaml +++ b/bitnami/metallb/templates/psp.yaml @@ -1,5 +1,4 @@ {{- if .Values.rbac.create -}} ---- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -8,8 +7,8 @@ metadata: spec: hostNetwork: true hostPorts: - - max: 7472 - min: 7472 + - max: {{ .Values.speaker.daemonset.hostPorts.metrics }} + min: {{ .Values.speaker.daemonset.hostPorts.metrics }} privileged: true allowPrivilegeEscalation: false allowedCapabilities: diff --git a/bitnami/metallb/templates/servicemonitor.yaml b/bitnami/metallb/templates/servicemonitor.yaml index de982d37c06464..2bdeb180de619a 100644 --- a/bitnami/metallb/templates/servicemonitor.yaml +++ b/bitnami/metallb/templates/servicemonitor.yaml @@ -11,10 +11,10 @@ spec: selector: {{- include "metallb.matchLabels" . | nindent 4 }} component: controller ports: - - name: http-metrics - port: 7472 + - name: metrics + port: {{ .Values.controller.containerPort.metrics }} protocol: TCP - targetPort: 7472 + targetPort: {{ .Values.controller.containerPort.metrics }} --- apiVersion: v1 kind: Service @@ -28,10 +28,10 @@ spec: selector: {{- include "metallb.matchLabels" . | nindent 4 }} component: speaker ports: - - name: http-metrics - port: 7472 + - name: metrics + port: {{ .Values.speaker.daemonset.hostPorts.metrics }} protocol: TCP - targetPort: 7472 + targetPort: {{ .Values.speaker.daemonset.hostPorts.metrics }} --- apiVersion: monitoring.coreos.com/v1 @@ -49,7 +49,7 @@ spec: matchNames: - {{ .Release.Namespace }} endpoints: - - port: http-metrics + - port: metrics {{- if .Values.prometheus.serviceMonitor.interval }} interval: {{ .Values.prometheus.serviceMonitor.interval }} {{- end }} 
@@ -77,7 +77,7 @@ spec: matchNames: - {{ .Release.Namespace }} endpoints: - - port: http-metrics + - port: metrics {{- if .Values.prometheus.serviceMonitor.interval }} interval: {{ .Values.prometheus.serviceMonitor.interval }} {{- end }} diff --git a/bitnami/metallb/templates/tests/test-connection.yaml b/bitnami/metallb/templates/tests/test-connection.yaml index 0a1cc3d73b667f..67cef93fae71de 100644 --- a/bitnami/metallb/templates/tests/test-connection.yaml +++ b/bitnami/metallb/templates/tests/test-connection.yaml @@ -7,8 +7,12 @@ metadata: "helm.sh/hook": test-success spec: containers: - - name: wget + - name: wget-controller image: bitnami/minideb:buster command: ['wget'] - args: ['{{ include "metallb.fullname" . }}:7472'] + args: ['{{ include "metallb.fullname" . }}-controller-metrics:{{ .Values.controller.containerPort.metrics }}'] + - name: wget-controller + image: bitnami/minideb:buster + command: ['wget'] + args: ['{{ include "metallb.fullname" . }}-speaker-metrics:{{ .Values.speaker.daemonset.hostPorts.metrics }}'] restartPolicy: Never diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index a9793d682a25ec..46da6039c788f6 100644 --- a/bitnami/metallb/values.yaml +++ b/bitnami/metallb/values.yaml 
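Review bot: Both containers in the test Pod are named `wget-controller`, and the API server rejects a Pod whose container names are not unique, so `helm test` would fail before any connection is attempted; the second container should be `- name: wget-speaker`. The speaker target `{{ include "metallb.fullname" . }}-speaker-metrics:...` also assumes a Service of exactly that name exists; the Service names are rendered in servicemonitor.yaml outside this hunk, so that cannot be confirmed here.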
@@ -79,17 +79,17 @@ controller: ## Controller container resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## - resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 100m - # memory: 100Mi - requests: {} - # memory: 25Mi - # cpu: 25m + resources: {} + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # memory: 25Mi + # cpu: 25m ## Node labels for pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## @@ -121,6 +121,27 @@ controller: runAsUser: 65534 # nobody fsGroup: 65534 + ## Configures the ports the MetalLB Controller listens on for metrics + ## + containerPort: + metrics: 7472 + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + ## Metallb Speaker daemonset. ## ref: https://hub.docker.com/r/metallb/speaker/tags speaker: 
@@ -143,17 +164,17 @@ speaker: ## Speaker container resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## - resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - limits: {} - # cpu: 100m - # memory: 100Mi - requests: {} - # memory: 25Mi - # cpu: 25m + resources: {} + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # memory: 25Mi + # cpu: 25m ## Node labels for pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## 
@@ -179,14 +200,26 @@ speaker: # The name of the ServiceAccount to use. If not set and create is # true, a name is generated using the fullname template name: "" + ## Daemonset configuration + ## + daemonset: + ## HTTP Metrics Endpoint + ## + hostPorts: + metrics: 7472 - -## Configure extra options for liveness probe -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) -livenessProbe: - enabled: true - initialDelaySeconds: 180 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 From 5a3ed8d3c5ae3e405d94c6d6faf221961401b6ca Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 23 Mar 2020 13:20:19 +0100 Subject: [PATCH 19/49] Added metallb 0.9.2 changes to the chart --- bitnami/metallb/templates/daemonset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index ea2c0df13f827c..96502906404f44 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -22,7 +22,7 @@ spec: - key: node-role.kubernetes.io/master effect: NoSchedule serviceAccountName: {{ include "metallb.speakerServiceAccountName" . }} - terminationGracePeriodSeconds: 0 + terminationGracePeriodSeconds: 2 hostNetwork: true containers: - name: speaker From 3861669e1c9f6fa49cb6b2edbcbf90db82aa8085 Mon Sep 17 00:00:00 2001 
From: Cellebyte Date: Mon, 23 Mar 2020 13:20:56 +0100 Subject: [PATCH 20/49] Added metallb 0.9.2 changes to the chart --- bitnami/metallb/templates/daemonset.yaml | 15 ++++++ bitnami/metallb/templates/psp.yaml | 69 ++++++++++++++++++++---- bitnami/metallb/templates/rbac.yaml | 10 +++- 3 files changed, 84 insertions(+), 10 deletions(-) diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index 96502906404f44..0efb9a4d84a4c2 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -40,6 +40,21 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP + - name: METALLB_ML_BIND_ADDR + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: METALLB_ML_LABELS + value: "app=metallb,component=speaker" + - name: METALLB_ML_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: METALLB_ML_SECRET_KEY + valueFrom: + secretKeyRef: + name: memberlist + key: secretkey ports: - name: metrics containerPort: {{ .Values.speaker.daemonset.hostPorts.metrics }} diff --git a/bitnami/metallb/templates/psp.yaml b/bitnami/metallb/templates/psp.yaml index 7e7655f607dfab..63bbc4ee55e12f 100644 --- a/bitnami/metallb/templates/psp.yaml +++ b/bitnami/metallb/templates/psp.yaml 
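Review bot: `METALLB_ML_LABELS` is hard-coded to `app=metallb,component=speaker`, while the pod labels in this chart come from the `metallb.labels` helper, whose output is not visible here; if the rendered labels are not literally `app=metallb` and `component=speaker`, the speaker's label-based peer lookup presumably matches no pods and the memberlist cluster never forms, with no error at render time. Deriving the value from the same helper the pod template uses, or at least adding `# must match the labels rendered on the speaker pods by metallb.labels`, would keep the two in step. The speaker container definition starts outside this hunk.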
@@ -1,28 +1,79 @@ {{- if .Values.rbac.create -}} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "metallb.fullname" . }}-controller + labels: {{- include "metallb.labels" . | nindent 4}} +spec: + allowPrivilegeEscalation: false + allowedCapabilities: [] + allowedHostPaths: [] + defaultAddCapabilities: [] + defaultAllowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + runAsUser: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - secret + - emptyDir +--- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ include "metallb.fullname" . }}-speaker labels: {{- include "metallb.labels" . | nindent 4}} spec: + allowPrivilegeEscalation: false + allowedCapabilities: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + allowedHostPaths: [] + defaultAddCapabilities: [] + defaultAllowPrivilegeEscalation: false + fsGroup: + rule: RunAsAny + hostIPC: false hostNetwork: true + hostPID: false hostPorts: - max: {{ .Values.speaker.daemonset.hostPorts.metrics }} min: {{ .Values.speaker.daemonset.hostPorts.metrics }} privileged: true - allowPrivilegeEscalation: false - allowedCapabilities: - - 'NET_ADMIN' - - 'NET_RAW' - - 'SYS_ADMIN' - volumes: - - '*' - fsGroup: - rule: RunAsAny + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL runAsUser: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny + volumes: + - configMap + - secret + - emptyDir {{- end -}} \ No newline at end of file diff --git a/bitnami/metallb/templates/rbac.yaml b/bitnami/metallb/templates/rbac.yaml index f3c64bcf2493dd..ae0eda45363456 100644 --- a/bitnami/metallb/templates/rbac.yaml +++ b/bitnami/metallb/templates/rbac.yaml 
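Review bot: The speaker PodSecurityPolicy keeps `privileged: true` while the speaker container rendered by daemonset.yaml earlier in this series sets `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and an explicit capability add-list rather than `privileged`, so the policy permits strictly more than the workload uses; a privileged container holds every capability regardless of `allowedCapabilities` and `requiredDropCapabilities`, which makes those two lists advisory for any pod that did request it. As far as I recall, the API server also rejects a container that combines `privileged: true` with `allowPrivilegeEscalation: false`, so no pod could actually use the privileged grant under this policy; `privileged: false` would make the policy match the container and let the `NET_ADMIN`/`NET_RAW`/`SYS_ADMIN` allow-list genuinely bound the speaker. The controller policy requires `readOnlyRootFilesystem: true`; the controller container's `securityContext` in deployment.yaml is only partially visible in this series, so whether it sets that field and passes this policy's validation cannot be confirmed here.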
@@ -28,6 +28,14 @@ rules: verbs: - create - patch + - apiGroups: + - policy + resourceNames: + - controller + resources: + - podsecuritypolicies + verbs: + - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -53,7 +61,7 @@ rules: - create - patch - apiGroups: - - extensions + - policy resourceNames: - speaker resources: From ee4b750743c7bb85acb38e668df41efd918a47b7 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 23 Mar 2020 13:22:04 +0100 Subject: [PATCH 21/49] Added missing EOL --- bitnami/metallb/templates/psp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/metallb/templates/psp.yaml b/bitnami/metallb/templates/psp.yaml index 63bbc4ee55e12f..519d179d99fb05 100644 --- a/bitnami/metallb/templates/psp.yaml +++ b/bitnami/metallb/templates/psp.yaml @@ -76,4 +76,4 @@ spec: - configMap - secret - emptyDir -{{- end -}} \ No newline at end of file +{{- end -}} From 4572be9ee26155fd4598a66a9d83703be90d5d71 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 23 Mar 2020 13:31:14 +0100 Subject: [PATCH 22/49] Fixed the appVersion --- bitnami/metallb/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/metallb/Chart.yaml b/bitnami/metallb/Chart.yaml index b3b2828448a0cd..887838bf6aae5e 100644 --- a/bitnami/metallb/Chart.yaml +++ b/bitnami/metallb/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: metallb description: The Metal LB for Kubernetes -appVersion: 0.92 +appVersion: 0.9.2 keywords: - "load-balancer" - "balancer" From 38f238fcb8cd0deb61bf8478c0617b0098c4b632 Mon Sep 17 00:00:00 2001 
From: Cellebyte Date: Mon, 23 Mar 2020 15:55:37 +0100 Subject: [PATCH 23/49] added secret autogeneration for the members to join --- bitnami/metallb/templates/configmap.yaml | 4 +-- bitnami/metallb/templates/daemonset.yaml | 4 +-- bitnami/metallb/templates/rbac.yaml | 31 +++++++++++++++++++++--- bitnami/metallb/templates/secret.yaml | 11 +++++++++ bitnami/metallb/values.yaml | 2 +- 5 files changed, 44 insertions(+), 8 deletions(-) create mode 100644 bitnami/metallb/templates/secret.yaml diff --git a/bitnami/metallb/templates/configmap.yaml b/bitnami/metallb/templates/configmap.yaml index c9c9fb9e722e4e..511d5771293d65 100644 --- a/bitnami/metallb/templates/configmap.yaml +++ b/bitnami/metallb/templates/configmap.yaml @@ -6,5 +6,5 @@ metadata: labels: {{- include "metallb.labels" . | nindent 4}} data: config: | -{{ toYaml .Values.configInline | indent 4 }} -{{- end }} \ No newline at end of file +{{ include "metallb.tplValue" ( dict "value" .Values.configInline "context" $) | indent 4 }} +{{- end }} diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index 0efb9a4d84a4c2..d796bd021f5843 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -53,7 +53,7 @@ spec: - name: METALLB_ML_SECRET_KEY valueFrom: secretKeyRef: - name: memberlist + name: {{ include "metallb.fullname" . }}-memberlist key: secretkey ports: - name: metrics @@ -93,7 +93,7 @@ spec: - NET_ADMIN - NET_RAW - SYS_ADMIN - nodeSelector: + nodeSelector: {{- if .Values.controller.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | indent 8 }} {{- end }} diff --git a/bitnami/metallb/templates/rbac.yaml b/bitnami/metallb/templates/rbac.yaml index ae0eda45363456..72ec2bd176fdb8 100644 --- a/bitnami/metallb/templates/rbac.yaml +++ b/bitnami/metallb/templates/rbac.yaml 
@@ -31,7 +31,7 @@ rules: - apiGroups: - policy resourceNames: - - controller + - {{ include "metallb.fullname" . }}-controller resources: - podsecuritypolicies verbs: @@ -63,7 +63,7 @@ rules: - apiGroups: - policy resourceNames: - - speaker + - {{ include "metallb.fullname" . }}-speaker resources: - podsecuritypolicies verbs: @@ -84,7 +84,19 @@ rules: - list - watch --- - +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "metallb.fullname" . }}-pod-lister + labels: {{- include "metallb.labels" . | nindent 4 }} +rules: +- apiGroups: + - '' + resources: + - pods + verbs: + - list +--- ## Role bindings apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -128,4 +140,17 @@ roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: {{ include "metallb.fullname" . }}-config-watcher +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "metallb.fullname" . }}-pod-lister + labels: {{- include "metallb.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "metallb.fullname" . }}-pod-lister +subjects: +- kind: ServiceAccount + name: {{ include "metallb.speakerServiceAccountName" . }} {{- end -}} \ No newline at end of file diff --git a/bitnami/metallb/templates/secret.yaml b/bitnami/metallb/templates/secret.yaml new file mode 100644 index 00000000000000..14248c5385dd63 --- /dev/null +++ b/bitnami/metallb/templates/secret.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +data: + secretkey: {{ randAlphaNum 256 | b64enc | quote }} +kind: Secret +metadata: + name: {{ include "metallb.fullname" . }}-memberlist + labels: {{- include "metallb.labels" . | nindent 4 }} + component: speaker + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index 46da6039c788f6..8d7b92511decca 100644 --- a/bitnami/metallb/values.yaml 
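Review bot: The memberlist Secret in the new secret.yaml is created by a `pre-install` hook with `before-hook-creation`, so it is not tracked by the release: `helm uninstall` leaves it behind, and `helm upgrade` never re-renders it, which is what keeps the `randAlphaNum 256` key stable but also means it is never rotated. Neither secret.yaml nor values.yaml offers an existing-secret override, so an operator who manages the key elsewhere cannot point `METALLB_ML_SECRET_KEY` at it; a header comment in secret.yaml stating the lifecycle, e.g. `# Generated once at install as a hook; not tracked by the release, not rotated on upgrade, not removed on uninstall`, would document the intent until an override is added.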
+++ b/bitnami/metallb/values.yaml @@ -18,7 +18,7 @@ ## ConfigMap to use as the configuration. Helm will not manage the ## contents of this ConfigMap, it is your responsibility to create it. # -existingConfigMap: metallb-config +# existingConfigMap: metallb-config # ## configInline specifies MetalLB's configuration directly, in yaml ## format. When configInline is used, Helm manages MetalLB's From 7b867330b05f37ecf2f85d599832a908b2f506e8 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 23 Mar 2020 15:57:07 +0100 Subject: [PATCH 24/49] Bumped version accordingly to cellebyte/helm --- bitnami/metallb/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/metallb/Chart.yaml b/bitnami/metallb/Chart.yaml index 887838bf6aae5e..7bfba91164906a 100644 --- a/bitnami/metallb/Chart.yaml +++ b/bitnami/metallb/Chart.yaml @@ -15,7 +15,7 @@ icon: https://metallb.universe.tf/images/logo.png sources: - https://github.com/metallb/metallb - https://github.com/bitnami/bitnami-docker-metallb -version: 0.1.4 +version: 0.1.7 maintainers: - name: cellebyte url: https://github.com/Cellebyte From 14e7d327ddfcfb304e7e81aac5619404e6eab70e Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 23 Mar 2020 15:58:36 +0100 Subject: [PATCH 25/49] Fixed missing EOL --- bitnami/metallb/templates/rbac.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/metallb/templates/rbac.yaml b/bitnami/metallb/templates/rbac.yaml index 72ec2bd176fdb8..5dae49e6648665 100644 --- a/bitnami/metallb/templates/rbac.yaml +++ b/bitnami/metallb/templates/rbac.yaml @@ -153,4 +153,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "metallb.speakerServiceAccountName" . }} -{{- end -}} \ No newline at end of file +{{- end -}} From 968f1f91fc85dc34bd22abaf71d8173c06b6a4d5 Mon Sep 17 00:00:00 2001 
From: Cellebyte Date: Fri, 27 Mar 2020 13:36:34 +0100 Subject: [PATCH 26/49] Bumped templates to the new versiona and bumped metallb version --- bitnami/metallb/Chart.yaml | 4 +-- bitnami/metallb/templates/daemonset.yaml | 3 +- bitnami/metallb/templates/deployment.yaml | 3 +- bitnami/metallb/templates/rbac.yaml | 2 +- bitnami/metallb/templates/servicemonitor.yaml | 28 ++++++++----------- bitnami/metallb/values.yaml | 11 ++++++-- 6 files changed, 25 insertions(+), 26 deletions(-) diff --git a/bitnami/metallb/Chart.yaml b/bitnami/metallb/Chart.yaml index 7bfba91164906a..317b0ad7ca0b5f 100644 --- a/bitnami/metallb/Chart.yaml +++ b/bitnami/metallb/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: metallb description: The Metal LB for Kubernetes -appVersion: 0.9.2 +appVersion: 0.9.3 keywords: - "load-balancer" - "balancer" @@ -15,7 +15,7 @@ icon: https://metallb.universe.tf/images/logo.png sources: - https://github.com/metallb/metallb - https://github.com/bitnami/bitnami-docker-metallb -version: 0.1.7 +version: 0.1.9 maintainers: - name: cellebyte url: https://github.com/Cellebyte diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index d796bd021f5843..33312efe9cc705 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -16,8 +16,7 @@ spec: {{- if .Values.speaker.podAnnotations }} annotations: {{- toYaml .Values.speaker.podAnnotations | nindent 8 }} {{- end }} - spec: -{{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }} + spec: {{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }} tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index 72493afd9e7ade..b90482c1855e05 100644 --- a/bitnami/metallb/templates/deployment.yaml +++ b/bitnami/metallb/templates/deployment.yaml 
@@ -16,8 +16,7 @@ spec: {{- if .Values.controller.podAnnotations }} annotations: {{- toYaml .Values.controller.podAnnotations | nindent 8 }} {{- end }} - spec: -{{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} + spec: {{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "metallb.controllerServiceAccountName" . }} terminationGracePeriodSeconds: 0 {{- if .Values.controller.securityContext.enabled }} diff --git a/bitnami/metallb/templates/rbac.yaml b/bitnami/metallb/templates/rbac.yaml index 5dae49e6648665..72ec2bd176fdb8 100644 --- a/bitnami/metallb/templates/rbac.yaml +++ b/bitnami/metallb/templates/rbac.yaml @@ -153,4 +153,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "metallb.speakerServiceAccountName" . }} -{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/bitnami/metallb/templates/servicemonitor.yaml b/bitnami/metallb/templates/servicemonitor.yaml index 2bdeb180de619a..96a7067da72070 100644 --- a/bitnami/metallb/templates/servicemonitor.yaml +++ b/bitnami/metallb/templates/servicemonitor.yaml @@ -53,14 +53,12 @@ spec: {{- if .Values.prometheus.serviceMonitor.interval }} interval: {{ .Values.prometheus.serviceMonitor.interval }} {{- end }} -{{- if .Values.prometheus.serviceMonitor.metricRelabelings }} - metricRelabelings: -{{ toYaml .Values.prometheus.serviceMonitor.metricRelabelings | indent 4 }} -{{- end }} -{{- if .Values.prometheus.serviceMonitor.relabelings }} - relabelings: -{{ toYaml .Values.prometheus.serviceMonitor.relabelings | indent 4 }} -{{- end }} + {{- if .Values.prometheus.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 4 }} + {{- end }} + {{- if .Values.prometheus.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 4 }} + {{- end }} --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor 
@@ -81,12 +79,10 @@ spec: {{- if .Values.prometheus.serviceMonitor.interval }} interval: {{ .Values.prometheus.serviceMonitor.interval }} {{- end }} -{{- if .Values.prometheus.serviceMonitor.metricRelabelings }} - metricRelabelings: -{{ toYaml .Values.prometheus.serviceMonitor.metricRelabelings | indent 4 }} -{{- end }} -{{- if .Values.prometheus.serviceMonitor.relabelings }} - relabelings: -{{ toYaml .Values.prometheus.serviceMonitor.relabelings | indent 4 }} -{{- end }} + {{- if .Values.prometheus.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 4 }} + {{- end }} + {{- if .Values.prometheus.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 4 }} + {{- end }} {{- end }} diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index 8d7b92511decca..cfaa14c29f8cff 100644 --- a/bitnami/metallb/values.yaml +++ b/bitnami/metallb/values.yaml @@ -45,7 +45,7 @@ prometheus: # Prometheus Operator service monitors serviceMonitor: # enable support for Prometheus Operator - enabled: true + enabled: false # Job label for scrape target jobLabel: metallb # Scrape interval. If not set, the Prometheus default scrape interval is used. @@ -63,7 +63,7 @@ controller: image: registry: docker.io repository: bitnami/metallb-controller - tag: 0.9.2-debian-10-r0 + tag: 0.9.3-debian-10-r0 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -109,6 +109,7 @@ controller: ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} + serviceAccount: # Specifies whether a ServiceAccount should be created create: true 
@@ -130,12 +131,14 @@ controller: ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## livenessProbe: + enabled: true failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 readinessProbe: + enabled: true failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 @@ -148,7 +151,7 @@ speaker: image: registry: docker.io repository: bitnami/metallb-speaker - tag: 0.9.2-debian-10-r0 + tag: 0.9.3-debian-10-r0 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -212,12 +215,14 @@ speaker: ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## livenessProbe: + enabled: true failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 readinessProbe: + enabled: true failureThreshold: 3 initialDelaySeconds: 10 periodSeconds: 10 From 11f3c286d125e419ddc4deeeca0bcdbab38312d1 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 30 Mar 2020 12:01:34 +0200 Subject: [PATCH 27/49] Fixed some template behaviour --- bitnami/metallb/templates/daemonset.yaml | 3 ++- bitnami/metallb/templates/deployment.yaml | 3 ++- bitnami/metallb/templates/servicemonitor.yaml | 1 - 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index 33312efe9cc705..85c9f2740bddc4 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml 
@@ -16,7 +16,8 @@ spec: {{- if .Values.speaker.podAnnotations }} annotations: {{- toYaml .Values.speaker.podAnnotations | nindent 8 }} {{- end }} - spec: {{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }} + spec: +{{- include "metallb.speaker.imagePullSecrets" . | indent 6 }} tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index b90482c1855e05..0c9862b4d0072a 100644 --- a/bitnami/metallb/templates/deployment.yaml +++ b/bitnami/metallb/templates/deployment.yaml @@ -16,7 +16,8 @@ spec: {{- if .Values.controller.podAnnotations }} annotations: {{- toYaml .Values.controller.podAnnotations | nindent 8 }} {{- end }} - spec: {{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} + spec: +{{- include "metallb.controller.imagePullSecrets" . | indent 6 }} serviceAccountName: {{ include "metallb.controllerServiceAccountName" . }} terminationGracePeriodSeconds: 0 {{- if .Values.controller.securityContext.enabled }} diff --git a/bitnami/metallb/templates/servicemonitor.yaml b/bitnami/metallb/templates/servicemonitor.yaml index 96a7067da72070..dfccf5ddc7fb1a 100644 --- a/bitnami/metallb/templates/servicemonitor.yaml +++ b/bitnami/metallb/templates/servicemonitor.yaml @@ -32,7 +32,6 @@ spec: port: {{ .Values.speaker.daemonset.hostPorts.metrics }} protocol: TCP targetPort: {{ .Values.speaker.daemonset.hostPorts.metrics }} - --- apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor From cd32f7e5afb2ab4dcbb5856be4e6740afe3e687c Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 30 Mar 2020 12:03:08 +0200 Subject: [PATCH 28/49] Bumped chart version --- bitnami/metallb/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/metallb/Chart.yaml b/bitnami/metallb/Chart.yaml index 317b0ad7ca0b5f..4f9ec6ced0a547 100644 --- a/bitnami/metallb/Chart.yaml +++ b/bitnami/metallb/Chart.yaml 
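Review bot: The new line `{{- include "metallb.speaker.imagePullSecrets" . | indent 6 }}` trims the newline after `spec:` (the leading `{{-`) and `indent`, unlike `nindent`, does not emit a leading newline, so whenever the helper returns any imagePullSecrets content it is joined onto the `spec:` line and the rendered manifest is invalid YAML; this holds unless the helper's own output starts with a newline, which is not visible here. Either drop the dash, `{{ include "metallb.speaker.imagePullSecrets" . | indent 6 }}`, or keep `{{-` and switch to `nindent 6`. The deployment.yaml hunk in this same commit has the identical pattern for `metallb.controller.imagePullSecrets`; later commits in this series rework both lines, so the two should at least land in a consistent form.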
@@ -15,7 +15,7 @@ icon: https://metallb.universe.tf/images/logo.png sources: - https://github.com/metallb/metallb - https://github.com/bitnami/bitnami-docker-metallb -version: 0.1.9 +version: 0.1.10 maintainers: - name: cellebyte url: https://github.com/Cellebyte From b1b6c69d208dd981387dadbad6b73563da9b20a5 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 30 Mar 2020 12:03:51 +0200 Subject: [PATCH 29/49] Bumped image tags to use the latest version --- bitnami/metallb/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index cfaa14c29f8cff..278607adee9456 100644 --- a/bitnami/metallb/values.yaml +++ b/bitnami/metallb/values.yaml @@ -63,7 +63,7 @@ controller: image: registry: docker.io repository: bitnami/metallb-controller - tag: 0.9.3-debian-10-r0 + tag: 0.9.3-debian-10-r1 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -151,7 +151,7 @@ speaker: image: registry: docker.io repository: bitnami/metallb-speaker - tag: 0.9.3-debian-10-r0 + tag: 0.9.3-debian-10-r1 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images From 4adf30e208f229c616c7e435551551b9deeca408 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Fri, 3 Apr 2020 12:08:21 +0200 Subject: [PATCH 30/49] Run the container as Root because the speaker needs the capability to use root specific network features --- bitnami/metallb/templates/daemonset.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index 85c9f2740bddc4..1d3fe8b6ead1f4 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml 
@@ -84,6 +84,7 @@ spec: resources: {{- toYaml .Values.speaker.resources | nindent 10 }} {{- end }} securityContext: + runAsUser: 0 allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: From cb92295dd7a655850fb2caff62e79ffef8dbe6d5 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 20 Apr 2020 14:13:32 +0200 Subject: [PATCH 31/49] fixed typo and email --- bitnami/metallb/Chart.yaml | 2 +- bitnami/metallb/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bitnami/metallb/Chart.yaml b/bitnami/metallb/Chart.yaml index 4f9ec6ced0a547..10405599cf663c 100644 --- a/bitnami/metallb/Chart.yaml +++ b/bitnami/metallb/Chart.yaml @@ -18,6 +18,6 @@ sources: version: 0.1.10 maintainers: - name: cellebyte - url: https://github.com/Cellebyte + email: cellebyte@gmail.com - name: Bitnami email: containers@bitnami.com diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md index 237c3cd0b15ad2..fdeaee7a21ec72 100644 --- a/bitnami/metallb/README.md +++ b/bitnami/metallb/README.md @@ -1,4 +1,4 @@ -# metallb +# MetalLB [MetalLB](https://metallb.universe.tf/faq/) is an open source, rock solid LoadBalancer. It handles the `ServiceType: Loadbalancer`. From e15ed43b12b75cf89429c8af0dbf0d725c78fd1d Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 20 Apr 2020 14:15:47 +0200 Subject: [PATCH 32/49] use bitnami images --- bitnami/metallb/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md index fdeaee7a21ec72..1574b3179eb27f 100644 --- a/bitnami/metallb/README.md +++ b/bitnami/metallb/README.md 
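Review bot: `runAsUser: 0` is hard-coded into the speaker container's securityContext rather than read from values, so an operator cannot tighten it per cluster, and with the `hostNetwork: true` and `NET_RAW`/`SYS_ADMIN` capabilities visible in later hunks of this series the speaker is effectively root on the node; `allowPrivilegeEscalation: false` on the next line no longer restricts anything for a process that already runs as UID 0. Prefer `runAsUser: {{ .Values.speaker.securityContext.runAsUser }}` with the default documented in values.yaml, and a comment above it recording the reason from the commit message, e.g. `# speaker needs UID 0 for host-network features; the added capabilities alone are not sufficient`. The hunk ends inside the `capabilities:` list, so the rest of the securityContext is outside this view.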
@@ -54,7 +54,7 @@ The following tables lists the configurable parameters of the metallb chart and | `global.imageRegistry` | Global Docker image registry | `nil` | | `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | | `controller.image.registry` | MetalLB Controller image registry | `docker.io` | -| `controller.image.repository` | MetalLB Controller image name | `metallb/controller` | +| `controller.image.repository` | MetalLB Controller image name | `bitnami/metallb-controller` | | `controller.image.tag` | MetalLB Controller image tag | `{TAG_NAME}` | | `controller.pullPolicy` | MetalLB Controller image pull policy | `IfNotPresent` | | `controller.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | @@ -67,7 +67,7 @@ The following tables lists the configurable parameters of the metallb chart and | `controller.serviceAccount.create` | create a serviceAccount for the controller pod | `true` | | `controller.serviceAccount.name` | use the serviceAccount with the specified name | "" | | `speaker.image.registry` | MetalLB Speaker image registry | `docker.io` | -| `speaker.image.repository` | MetalLB Speaker image name | `metallb/speaker` | +| `speaker.image.repository` | MetalLB Speaker image name | `bitnami/metallb-speaker` | | `speaker.image.tag` | MetalLB Speaker image tag | `{TAG_NAME}` | | `speaker.pullPolicy` | MetalLB Speaker image pull policy | `IfNotPresent` | | `speaker.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | From f4549f1111873c28a0beff79da9572d87cea45b6 Mon Sep 17 00:00:00 2001 
From: Cellebyte Date: Mon, 20 Apr 2020 14:25:47 +0200 Subject: [PATCH 33/49] added app.kubernetes.io/component app.kubernetes.io/app --- bitnami/metallb/README.md | 2 +- bitnami/metallb/templates/_helpers.tpl | 1 - bitnami/metallb/templates/daemonset.yaml | 9 ++++----- bitnami/metallb/templates/deployment.yaml | 6 +++--- .../templates/prometheus/metallb.alerts.yaml | 6 +----- bitnami/metallb/templates/servicemonitor.yaml | 16 ++++++++-------- .../templates/tests/test-connection.yaml | 18 ------------------ 7 files changed, 17 insertions(+), 41 deletions(-) delete mode 100644 bitnami/metallb/templates/tests/test-connection.yaml diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md index 1574b3179eb27f..6285ada440bfc9 100644 --- a/bitnami/metallb/README.md +++ b/bitnami/metallb/README.md @@ -87,7 +87,7 @@ The following tables lists the configurable parameters of the metallb chart and | `livenessProbe.timeoutSeconds` | When the probe times out | `5` | | `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` | | `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` | -| `existingConfigMap` | Specify an existing configMapName to use. (this mutually exclusive with existingConfigMap) | `metallb-config` | +| `existingConfigMap` | Specify an existing configMapName to use. (this is mutually exclusive with the configInline option) | `metallb-config` | | `configInline` | Specify the config for metallb as a new configMap inline. | `{}` (does not create configMap) | | `rbac.create` | Specify if an rbac authorization should be created with the necessarry Rolebindings. | `true` | | `prometheus.serviceMonitor.enabled` | Specify if a servicemonitor will be deployed for prometheus-operator. | `true` | 
diff --git a/bitnami/metallb/templates/_helpers.tpl b/bitnami/metallb/templates/_helpers.tpl index ffa3ce78635cc7..3c69474cb7ac15 100644 --- a/bitnami/metallb/templates/_helpers.tpl +++ b/bitnami/metallb/templates/_helpers.tpl @@ -56,7 +56,6 @@ Also, we can't use a single if because lazy evaluation is not an option Common labels */}} {{- define "metallb.labels" -}} -app: {{ include "metallb.name" . }} app.kubernetes.io/name: {{ include "metallb.name" . }} helm.sh/chart: {{ include "metallb.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index 1d3fe8b6ead1f4..ba6bc48935ec23 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -1,18 +1,17 @@ ---- apiVersion: apps/v1 kind: DaemonSet metadata: name: {{ include "metallb.fullname" . }}-speaker labels: {{- include "metallb.labels" . | nindent 4 }} - component: speaker + app.kubernetes.io/component: speaker spec: selector: matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }} - component: speaker + app.kubernetes.io/component: speaker template: metadata: labels: {{- include "metallb.labels" . | nindent 8 }} - component: speaker + app.kubernetes.io/component: speaker {{- if .Values.speaker.podAnnotations }} annotations: {{- toYaml .Values.speaker.podAnnotations | nindent 8 }} {{- end }} @@ -45,7 +44,7 @@ spec: fieldRef: fieldPath: status.podIP - name: METALLB_ML_LABELS - value: "app=metallb,component=speaker" + value: "app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker" - name: METALLB_ML_NAMESPACE valueFrom: fieldRef: diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index 0c9862b4d0072a..a6060180780bc6 100644 --- a/bitnami/metallb/templates/deployment.yaml +++ b/bitnami/metallb/templates/deployment.yaml 
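Review bot: In the daemonset hunk `@@ -45,7 +44,7`, the new `METALLB_ML_LABELS` value hard-codes `app.kubernetes.io/name=metallb`, while the pod labels it must match come from `include "metallb.name" .`, which `nameOverride` (listed in the README later in this series) can change; with an override set the memberlist selector would match no speaker pods. Use `value: "app.kubernetes.io/name={{ include "metallb.name" . }},app.kubernetes.io/component=speaker"`. Separately, the `_helpers.tpl` hunk drops `app:` from `metallb.labels`; if `metallb.matchLabels` (not visible here) also carried `app`, the immutable selectors of an already-installed Deployment/DaemonSet would change and `helm upgrade` from a previous release would fail, which is worth confirming before merging.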
@@ -3,16 +3,16 @@ kind: Deployment metadata: name: {{ include "metallb.fullname" . }}-controller labels: {{- include "metallb.labels" . | nindent 4 }} - component: controller + app.kubernetes.io/component: controller spec: revisionHistoryLimit: 3 selector: matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }} - component: controller + app.kubernetes.io/component: controller template: metadata: labels: {{- include "metallb.labels" . | nindent 8 }} - component: controller + app.kubernetes.io/component: controller {{- if .Values.controller.podAnnotations }} annotations: {{- toYaml .Values.controller.podAnnotations | nindent 8 }} {{- end }} diff --git a/bitnami/metallb/templates/prometheus/metallb.alerts.yaml b/bitnami/metallb/templates/prometheus/metallb.alerts.yaml index d05ba41b3acede..aaa584190fde1d 100644 --- a/bitnami/metallb/templates/prometheus/metallb.alerts.yaml +++ b/bitnami/metallb/templates/prometheus/metallb.alerts.yaml @@ -3,11 +3,7 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: {{ include "metallb.fullname" . }} - labels: - heritage: {{ .Release.Service | quote }} - release: {{ .Release.Name | quote }} - chart: {{ include "metallb.chart" . }} - app: {{ include "metallb.name" . }} + labels: {{ include "metallb.labels" . | nindent 4 }} spec: groups: - name: {{ include "metallb.fullname" . }}.alerts diff --git a/bitnami/metallb/templates/servicemonitor.yaml b/bitnami/metallb/templates/servicemonitor.yaml index dfccf5ddc7fb1a..58401b5ed8bad5 100644 --- a/bitnami/metallb/templates/servicemonitor.yaml +++ b/bitnami/metallb/templates/servicemonitor.yaml 
@@ -5,11 +5,11 @@ metadata: name: {{ include "metallb.fullname" . }}-controller-metrics labels: {{- include "metallb.labels" . | nindent 4 }} jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel }} - component: controller + app.kubernetes.io/component: controller spec: type: ClusterIP selector: {{- include "metallb.matchLabels" . | nindent 4 }} - component: controller + app.kubernetes.io/component: controller ports: - name: metrics port: {{ .Values.controller.containerPort.metrics }} @@ -22,11 +22,11 @@ metadata: name: {{ include "metallb.fullname" . }}-speaker-metrics labels: {{- include "metallb.labels" . | nindent 4 }} jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel }} - component: speaker + app.kubernetes.io/component: speaker spec: type: ClusterIP selector: {{- include "metallb.matchLabels" . | nindent 4 }} - component: speaker + app.kubernetes.io/component: speaker ports: - name: metrics port: {{ .Values.speaker.daemonset.hostPorts.metrics }} @@ -38,12 +38,12 @@ kind: ServiceMonitor metadata: name: {{ include "metallb.fullname" . }}-controller labels: {{- include "metallb.labels" . | nindent 4 }} - component: controller + app.kubernetes.io/component: controller spec: jobLabel: jobLabel selector: matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }} - component: controller + app.kubernetes.io/component: controller namespaceSelector: matchNames: - {{ .Release.Namespace }} @@ -64,12 +64,12 @@ kind: ServiceMonitor metadata: name: {{ include "metallb.fullname" . }}-speaker labels: {{- include "metallb.labels" . | nindent 4}} - component: speaker + app.kubernetes.io/component: speaker spec: jobLabel: jobLabel selector: matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }} - component: speaker + app.kubernetes.io/component: speaker namespaceSelector: matchNames: - {{ .Release.Namespace }} 
diff --git a/bitnami/metallb/templates/tests/test-connection.yaml b/bitnami/metallb/templates/tests/test-connection.yaml deleted file mode 100644 index 67cef93fae71de..00000000000000 --- a/bitnami/metallb/templates/tests/test-connection.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "metallb.fullname" . }}-test-connection" - labels: {{- include "metallb.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget-controller - image: bitnami/minideb:buster - command: ['wget'] - args: ['{{ include "metallb.fullname" . }}-controller-metrics:{{ .Values.controller.containerPort.metrics }}'] - - name: wget-controller - image: bitnami/minideb:buster - command: ['wget'] - args: ['{{ include "metallb.fullname" . }}-speaker-metrics:{{ .Values.speaker.daemonset.hostPorts.metrics }}'] - restartPolicy: Never From ba204e9c820c8f78eb9d6bd287dc52f9191ebbe0 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 20 Apr 2020 14:26:41 +0200 Subject: [PATCH 34/49] Use nindent --- bitnami/metallb/templates/daemonset.yaml | 3 +-- bitnami/metallb/templates/deployment.yaml | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index ba6bc48935ec23..d68d37ed724f1d 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -15,8 +15,7 @@ spec: {{- if .Values.speaker.podAnnotations }} annotations: {{- toYaml .Values.speaker.podAnnotations | nindent 8 }} {{- end }} - spec: -{{- include "metallb.speaker.imagePullSecrets" . | indent 6 }} + spec: {{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }} tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index a6060180780bc6..a840d83c0d026f 100644 --- a/bitnami/metallb/templates/deployment.yaml 
+++ b/bitnami/metallb/templates/deployment.yaml @@ -16,8 +16,7 @@ spec: {{- if .Values.controller.podAnnotations }} annotations: {{- toYaml .Values.controller.podAnnotations | nindent 8 }} {{- end }} - spec: -{{- include "metallb.controller.imagePullSecrets" . | indent 6 }} + spec: {{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "metallb.controllerServiceAccountName" . }} terminationGracePeriodSeconds: 0 {{- if .Values.controller.securityContext.enabled }} From f2f60f39b87c75b6942c2023f870f72ce214f097 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 20 Apr 2020 14:41:16 +0200 Subject: [PATCH 35/49] Fixed nindent and some old labels --- bitnami/metallb/templates/daemonset.yaml | 5 ++--- bitnami/metallb/templates/deployment.yaml | 7 +++---- bitnami/metallb/templates/prometheus/metallb.alerts.yaml | 2 +- bitnami/metallb/templates/secret.yaml | 2 +- bitnami/metallb/values.yaml | 5 +++++ 5 files changed, 12 insertions(+), 9 deletions(-) diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index d68d37ed724f1d..937bf683801b69 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -93,10 +93,9 @@ spec: - NET_RAW - SYS_ADMIN nodeSelector: - {{- if .Values.controller.nodeSelector }} -{{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | indent 8 }} + {{- if .Values.controller.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }} {{- end }} - "beta.kubernetes.io/os": linux + "kubernetes.io/os": linux {{- if .Values.speaker.affinity }} affinity: {{- include "metallb.tplValue" (dict "value" .Values.speaker.affinity "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index a840d83c0d026f..8609b67f289995 100644 
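Review bot: The rewritten nodeSelector line in the speaker DaemonSet hunk `@@ -93,10 +93,9` still reads `.Values.controller.nodeSelector`, so a controller-scoped selector is applied to speaker pods and any speaker-scoped value is ignored, while `affinity` two lines below correctly uses `.Values.speaker.affinity`. Assuming a `speaker.nodeSelector` value exists or is intended (it is not listed in the README hunks visible in this series), change it to `{{- if .Values.speaker.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.speaker.nodeSelector "context" $) | nindent 8 }}`. The deployment.yaml hunk in the same commit correctly uses the controller values.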
--- a/bitnami/metallb/templates/deployment.yaml +++ b/bitnami/metallb/templates/deployment.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "metallb.labels" . | nindent 4 }} app.kubernetes.io/component: controller spec: - revisionHistoryLimit: 3 + revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit }} selector: matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }} app.kubernetes.io/component: controller @@ -26,10 +26,9 @@ spec: runAsNonRoot: {{ .Values.controller.securityContext.runAsNonRoot }} {{- end }} nodeSelector: - {{- if .Values.controller.nodeSelector }} -{{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | indent 8 }} + {{- if .Values.controller.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }} {{- end }} - "beta.kubernetes.io/os": linux + "kubernetes.io/os": linux {{- if .Values.controller.affinity }} affinity: {{- include "metallb.tplValue" (dict "value" .Values.controller.affinity "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/metallb/templates/prometheus/metallb.alerts.yaml b/bitnami/metallb/templates/prometheus/metallb.alerts.yaml index aaa584190fde1d..6dbe316519a787 100644 --- a/bitnami/metallb/templates/prometheus/metallb.alerts.yaml +++ b/bitnami/metallb/templates/prometheus/metallb.alerts.yaml @@ -24,4 +24,4 @@ spec: for: 1m labels: severity: warning -{{- end }} \ No newline at end of file +{{- end }} diff --git a/bitnami/metallb/templates/secret.yaml b/bitnami/metallb/templates/secret.yaml index 14248c5385dd63..7775b4a3dd1518 100644 --- a/bitnami/metallb/templates/secret.yaml +++ b/bitnami/metallb/templates/secret.yaml 
@@ -5,7 +5,7 @@ kind: Secret metadata: name: {{ include "metallb.fullname" . }}-memberlist labels: {{- include "metallb.labels" . | nindent 4 }} - component: speaker + app.kubernetes.io/component: speaker annotations: "helm.sh/hook": "pre-install" "helm.sh/hook-delete-policy": "before-hook-creation" diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index 278607adee9456..e979cf79a1e5ac 100644 --- a/bitnami/metallb/values.yaml +++ b/bitnami/metallb/values.yaml @@ -122,6 +122,11 @@ controller: runAsUser: 65534 # nobody fsGroup: 65534 + ## Configure the revisionHistoryLimit of the Controller deployment + ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#revision-history-limit + ## + revisionHistoryLimit: 3 + ## Configures the ports the MetalLB Controller listens on for metrics ## containerPort: From db3a5d2bd043e8141237f9ce668adc9f9b27895c Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 20 Apr 2020 14:54:37 +0200 Subject: [PATCH 36/49] added more configurable options --- bitnami/metallb/templates/daemonset.yaml | 5 ++++- bitnami/metallb/templates/rbac.yaml | 2 +- bitnami/metallb/values.yaml | 12 ++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index 937bf683801b69..c3fbf88e12656c 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -20,7 +20,7 @@ spec: - key: node-role.kubernetes.io/master effect: NoSchedule serviceAccountName: {{ include "metallb.speakerServiceAccountName" . }} - terminationGracePeriodSeconds: 2 + terminationGracePeriodSeconds: {{ .Values.speaker.daemonset.terminationGracePeriodSeconds }} hostNetwork: true containers: - name: speaker 
@@ -53,6 +53,9 @@ spec: secretKeyRef: name: {{ include "metallb.fullname" . }}-memberlist key: secretkey + {{- if .Values.speaker.extraEnvVars }} + {{- include "metallb.tplValue" ( dict "value" .Values.speaker.extraEnvVars "context" $ ) | nindent 8 }} + {{- end }} ports: - name: metrics containerPort: {{ .Values.speaker.daemonset.hostPorts.metrics }} diff --git a/bitnami/metallb/templates/rbac.yaml b/bitnami/metallb/templates/rbac.yaml index 72ec2bd176fdb8..5dae49e6648665 100644 --- a/bitnami/metallb/templates/rbac.yaml +++ b/bitnami/metallb/templates/rbac.yaml @@ -153,4 +153,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "metallb.speakerServiceAccountName" . }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index e979cf79a1e5ac..fc3e00cda1b1a6 100644 --- a/bitnami/metallb/values.yaml +++ b/bitnami/metallb/values.yaml @@ -211,10 +211,22 @@ speaker: ## Daemonset configuration ## daemonset: + ## Configure the grace time period for sig term + ## Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + ## + terminationGracePeriodSeconds: 2 ## HTTP Metrics Endpoint ## hostPorts: metrics: 7472 + + ## An array to add extra env vars + ## For example: + ## extraEnvVars: + ## - name: MY_ENV_VAR + ## value: env_var_value + ## + extraEnvVars: [] ## Liveness and readiness probe values ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes From 79fe7d44311fafe74ae679ba3f5d34a284c27dbc Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 20 Apr 2020 14:56:25 +0200 Subject: [PATCH 37/49] Fixed nindent stuff --- bitnami/metallb/templates/daemonset.yaml | 3 ++- bitnami/metallb/templates/deployment.yaml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index c3fbf88e12656c..bf0d93f92b7330 100644 
--- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -15,7 +15,8 @@ spec: {{- if .Values.speaker.podAnnotations }} annotations: {{- toYaml .Values.speaker.podAnnotations | nindent 8 }} {{- end }} - spec: {{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }} + spec: + {{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }} tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index 8609b67f289995..2b5ac9c7ec7ac8 100644 --- a/bitnami/metallb/templates/deployment.yaml +++ b/bitnami/metallb/templates/deployment.yaml @@ -16,7 +16,8 @@ spec: {{- if .Values.controller.podAnnotations }} annotations: {{- toYaml .Values.controller.podAnnotations | nindent 8 }} {{- end }} - spec: {{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} + spec: + {{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "metallb.controllerServiceAccountName" . }} terminationGracePeriodSeconds: 0 {{- if .Values.controller.securityContext.enabled }} From 38e6d046065753512e16afda10a7c2007f3a30f7 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Mon, 20 Apr 2020 15:01:24 +0200 Subject: [PATCH 38/49] Fixed trim-suffix --- bitnami/metallb/templates/_helpers.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bitnami/metallb/templates/_helpers.tpl b/bitnami/metallb/templates/_helpers.tpl index 3c69474cb7ac15..84a1c5dc61d6fe 100644 --- a/bitnami/metallb/templates/_helpers.tpl +++ b/bitnami/metallb/templates/_helpers.tpl 
@@ -159,7 +159,7 @@ Create the name of the controller service account to use */}} {{- define "metallb.controllerServiceAccountName" -}} {{- if .Values.controller.serviceAccount.create -}} - {{ default (printf "%s-controller" (include "metallb.fullname" .)) .Values.controller.serviceAccount.name }} + {{ default (printf "%s-controller" (include "metallb.fullname" .)) .Values.controller.serviceAccount.name | trunc 63 | trimSuffix "-" }} {{- else -}} {{ default "default" .Values.controller.serviceAccount.name }} {{- end -}} @@ -170,7 +170,7 @@ Create the name of the speaker service account to use */}} {{- define "metallb.speakerServiceAccountName" -}} {{- if .Values.speaker.serviceAccount.create -}} - {{ default (printf "%s-speaker" (include "metallb.fullname" .)) .Values.speaker.serviceAccount.name }} + {{ default (printf "%s-speaker" (include "metallb.fullname" .)) .Values.speaker.serviceAccount.name | trunc 63 | trimSuffix "-" }} {{- else -}} {{ default "default" .Values.speaker.serviceAccount.name }} {{- end -}} From 73a3da5839c0a43bbd7e92af84abfc75468197d5 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Tue, 21 Apr 2020 12:36:55 +0200 Subject: [PATCH 39/49] added templates to handle secrets and configmaps the proper way --- bitnami/metallb/README.md | 20 ++++++++++++++++-- bitnami/metallb/templates/_helpers.tpl | 19 +++++++++++++---- bitnami/metallb/templates/daemonset.yaml | 25 +++++++++++++---------- bitnami/metallb/templates/secret.yaml | 2 ++ bitnami/metallb/values.yaml | 26 ++++++++++++++++++++++-- 5 files changed, 73 insertions(+), 19 deletions(-) diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md index 6285ada440bfc9..7b15ef26444eaf 100644 --- a/bitnami/metallb/README.md +++ b/bitnami/metallb/README.md 
@@ -54,7 +54,7 @@ The following tables lists the configurable parameters of the metallb chart and | `global.imageRegistry` | Global Docker image registry | `nil` | | `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | | `controller.image.registry` | MetalLB Controller image registry | `docker.io` | -| `controller.image.repository` | MetalLB Controller image name | `bitnami/metallb-controller` | +| `controller.image.repository` | MetalLB Controller image name | `bitnami/metallb-controller` | | `controller.image.tag` | MetalLB Controller image tag | `{TAG_NAME}` | | `controller.pullPolicy` | MetalLB Controller image pull policy | `IfNotPresent` | | `controller.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | 
@@ -66,8 +66,13 @@ The following tables lists the configurable parameters of the metallb chart and | `controller.podAnnotations` | Controller Pod annotations | `{}` | | `controller.serviceAccount.create` | create a serviceAccount for the controller pod | `true` | | `controller.serviceAccount.name` | use the serviceAccount with the specified name | "" | +| `controller.revisionHistoryLimit` | the revision history limit for the deployment. | `3` | +| `controller.securityContext.enabled` | Enable pods' security context | `true` | +| `controller.securityContext.runAsNonRoot` | MetalLB Controller must runs as nonRoot. | `true` | +| `controller.securityContext.runAsUser` | User ID for the pods. | `1001` | +| `controller.securityContext.fsGroup` | Group ID for the pods. | `1001` | | `speaker.image.registry` | MetalLB Speaker image registry | `docker.io` | -| `speaker.image.repository` | MetalLB Speaker image name | `bitnami/metallb-speaker` | +| `speaker.image.repository` | MetalLB Speaker image name | `bitnami/metallb-speaker` | | `speaker.image.tag` | MetalLB Speaker image tag | `{TAG_NAME}` | | `speaker.pullPolicy` | MetalLB Speaker image pull policy | `IfNotPresent` | | `speaker.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | 
@@ -79,6 +84,17 @@ The following tables lists the configurable parameters of the metallb chart and | `speaker.podAnnotations` | Speaker Pod annotations | `{}` | | `speaker.serviceAccount.create` | create a serviceAccount for the speaker pod | `true` | | `speaker.serviceAccount.name` | use the serviceAccount with the specified name | "" | +| `speaker.daemonset.hostPorts.metrics` | the tcp port to listen on for the openmetrics endpoint. | `7472` | +| `speaker.daemonset.terminationGracePeriodSeconds` | The terminationGracePeriod in seconds for the daemonset to stop | `2` | +| `speaker.securityContext.enabled` | Enable pods' security context | `true` | +| `speaker.securityContext.runAsUser` | User ID for the pods. | `0` | +| `speaker.securityContext.allowPrivilegeEscalation` | Enables privilege Escalation context for the pod. | `false` | +| `speaker.securityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly | `true` | +| `speaker.securityContext.capabilities.drop` | Drop capabilities for the securityContext | `["ALL"]` | +| `speaker.securityContext.capabilities.add` | Add capabilities for the securityContext | `["NET_ADMIN", "NET_RAW", "SYS_ADMIN"]` | +| `speaker.secretName` | References a Secret name for the member secret outside of the helm chart | `nil` | +| `speaker.secretKey` | References a Secret key for the member secret outside of the helm chart | `nil` | +| `speaker.extraEnvVars` | Extra environment variable to pass to the running container. | `[]` | | `nameOverride` | String to partially override metallb.fullname template with a string (will prepend the release name) | `nil` | | `fullnameOverride` | String to fully override metallb.fullname template with a string | `nil` | | `livenessProbe.enabled` | Enable/disable the Liveness probe | `true` | diff --git a/bitnami/metallb/templates/_helpers.tpl b/bitnami/metallb/templates/_helpers.tpl index 84a1c5dc61d6fe..82c1097b4c0e70 100644 --- a/bitnami/metallb/templates/_helpers.tpl 
+++ b/bitnami/metallb/templates/_helpers.tpl @@ -180,11 +180,22 @@ Create the name of the speaker service account to use Create the name of the settings ConfigMap to use. */}} {{- define "metallb.configMapName" -}} -{{- if .Values.configInline -}} - {{ include "metallb.fullname" . }} -{{- else -}} - {{ .Values.existingConfigMap }} + {{ default ( printf "%s" (include "metallb.fullname" .)) .Values.existingConfigMap | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Create the name of the settings Secret to use. +*/}} +{{- define "metallb.secretName" -}} + {{ default ( printf "%s-memberlist" (include "metallb.fullname" .)) .Values.speaker.secretName | trunc 63 | trimSuffix "-" }} {{- end -}} + + +{{/* +Create the key of the settings Secret to use. +*/}} +{{- define "metallb.secretKey" -}} + {{ default "secretkey" .Values.speaker.secretKey | trunc 63 | trimSuffix "-" }} {{- end -}} {{/* diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml index bf0d93f92b7330..983b8e76d9a8d7 100644 --- a/bitnami/metallb/templates/daemonset.yaml +++ b/bitnami/metallb/templates/daemonset.yaml @@ -52,11 +52,16 @@ spec: - name: METALLB_ML_SECRET_KEY valueFrom: secretKeyRef: - name: {{ include "metallb.fullname" . }}-memberlist - key: secretkey + name: {{ include "metallb.secretName" . }} + key: {{ include "metallb.secretKey" . }} {{- if .Values.speaker.extraEnvVars }} {{- include "metallb.tplValue" ( dict "value" .Values.speaker.extraEnvVars "context" $ ) | nindent 8 }} {{- end }} + envFrom: + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "metallb.tplValue" ( dict "value" .Values.speaker.extraEnvVarsSecret "context" $ ) }} + {{- end }} ports: - name: metrics containerPort: {{ .Values.speaker.daemonset.hostPorts.metrics }} 
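Review bot: `metallb.secretKey` falls back to `secretkey`, so the effective default of `speaker.secretKey` is `secretkey`, not the `nil` that the README rows added earlier in this series document; the same applies to `speaker.secretName`, whose effective default is the generated `<fullname>-memberlist` from `metallb.secretName`. Piping a Secret data key through `trunc 63 | trimSuffix "-"` applies resource-name rules to a field that is validated differently; if the truncation is only meant for the ConfigMap/Secret names, `metallb.secretKey` can simply be `{{ default "secretkey" .Values.speaker.secretKey }}`. As a point of style, `printf "%s" (include "metallb.fullname" .)` is a no-op wrapper around `include` and can be dropped in both helpers.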
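Review bot: The new `envFrom` block tests `.Values.extraEnvVarsSecret` but reads `.Values.speaker.extraEnvVarsSecret`, so setting `speaker.extraEnvVarsSecret` never renders the `secretRef`, while setting the top-level key renders a `secretRef` with an empty `name`. Both references should use the same path, and `envFrom:` should move inside the conditional so the key is not emitted with a null value whenever no secret is configured: `{{- if .Values.speaker.extraEnvVarsSecret }}`, `envFrom:`, then the `- secretRef:` entry and `{{- end }}`. `speaker.extraEnvVarsSecret` does not appear in the values.yaml or README hunks of this series, so it presumably also needs a documented default.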
@@ -85,17 +90,15 @@ spec: {{- if .Values.speaker.resources }} resources: {{- toYaml .Values.speaker.resources | nindent 10 }} {{- end }} + {{- if .Values.speaker.securityContext.enabled }} securityContext: - runAsUser: 0 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + runAsUser: {{ .Values.speaker.securityContext.runAsUser }} + allowPrivilegeEscalation: {{ .Values.speaker.securityContext.allowPrivilegeEscalation }} + readOnlyRootFilesystem: {{ .Values.speaker.securityContext.readOnlyRootFilesystem }} capabilities: - drop: - - ALL - add: - - NET_ADMIN - - NET_RAW - - SYS_ADMIN + drop: {{- toYaml .Values.speaker.securityContext.capabilities.drop | nindent 12 }} + add: {{- toYaml .Values.speaker.securityContext.capabilities.add | nindent 12 }} + {{- end }} nodeSelector: {{- if .Values.controller.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/metallb/templates/secret.yaml b/bitnami/metallb/templates/secret.yaml index 7775b4a3dd1518..e43a5db59ea15f 100644 --- a/bitnami/metallb/templates/secret.yaml +++ b/bitnami/metallb/templates/secret.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.speaker.secretName }} apiVersion: v1 data: secretkey: {{ randAlphaNum 256 | b64enc | quote }} @@ -9,3 +10,4 @@ metadata: annotations: "helm.sh/hook": "pre-install" "helm.sh/hook-delete-policy": "before-hook-creation" +{{- end }} diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index fc3e00cda1b1a6..c2d2fe184aaf54 100644 --- a/bitnami/metallb/values.yaml +++ b/bitnami/metallb/values.yaml @@ -119,8 +119,8 @@ controller: securityContext: enabled: true runAsNonRoot: true - runAsUser: 65534 # nobody - fsGroup: 65534 + runAsUser: 1001 + fsGroup: 1001 ## Configure the revisionHistoryLimit of the Controller deployment ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#revision-history-limit 
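Review bot: With `speaker.securityContext.enabled: false` the entire container `securityContext` is omitted, so `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false` and the `drop: [ALL]` disappear together, while the speaker PSP in this same series keeps deriving its `readOnlyRootFilesystem` and capability settings from the very values that are no longer applied. If the switch is meant to let users opt out of the UID and capability choices only, consider leaving the hardening fields outside the `if`, or at least document in values.yaml that disabling it removes all of them. Unrelated to this change but visible in the context lines: the speaker `nodeSelector` is read from `.Values.controller.nodeSelector`, which looks like a copy-paste leftover — verify whether `.Values.speaker.nodeSelector` is intended.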
@@ -208,6 +208,7 @@ speaker: # The name of the ServiceAccount to use. If not set and create is # true, a name is generated using the fullname template name: "" + ## Daemonset configuration ## daemonset: @@ -220,6 +221,27 @@ speaker: hostPorts: metrics: 7472 + ## Defines a secret to use outside of the auto generated + ## Default: {{ randAlphaNum 256 | b64enc | quote }} + ## The auto generated has secretName: {{ "metallb.fullname" }}-memberlist + ## and secretKey: secretkey + ## + # secretName: + # secretKey: + + securityContext: + enabled: true + runAsUser: 0 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + ## An array to add extra env vars ## For example: ## extraEnvVars: From 76018ab29753a41ffa67d24872f2b76b41eab269 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Tue, 21 Apr 2020 12:38:09 +0200 Subject: [PATCH 40/49] fixed wrong documentation --- bitnami/metallb/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md index 7b15ef26444eaf..6a0b7a859f5a96 100644 --- a/bitnami/metallb/README.md +++ b/bitnami/metallb/README.md 
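Review bot: The comment above the commented-out `secretName`/`secretKey` is hard to follow: `Defines a secret to use outside of the auto generated` is an incomplete sentence and `{{ "metallb.fullname" }}` is not the template expression actually used. Suggest `## Use an existing Secret for the memberlist key (METALLB_ML_SECRET_KEY) instead of the one the chart generates as <fullname>-memberlist with key "secretkey"; set secretName (and optionally secretKey) to reference it.` The new `securityContext` defaults would also benefit from a one-line comment stating why `runAsUser: 0` and each added capability are required (a reference to the upstream speaker manifest would suffice), so operators do not strip them without understanding the consequence.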
@@ -103,7 +103,7 @@ The following tables lists the configurable parameters of the metallb chart and | `livenessProbe.timeoutSeconds` | When the probe times out | `5` | | `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` | | `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` | -| `existingConfigMap` | Specify an existing configMapName to use. (this is mutually exclusive with the configInline option) | `metallb-config` | +| `existingConfigMap` | Specify an existing configMapName to use. (this is mutually exclusive with the configInline option) | `nil` | | `configInline` | Specify the config for metallb as a new configMap inline. | `{}` (does not create configMap) | | `rbac.create` | Specify if an rbac authorization should be created with the necessarry Rolebindings. | `true` | | `prometheus.serviceMonitor.enabled` | Specify if a servicemonitor will be deployed for prometheus-operator. | `true` | From ba3b8ba51b13822e9a82c7bda5aa665ba76c1d08 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Tue, 21 Apr 2020 12:39:36 +0200 Subject: [PATCH 41/49] Fixed template executing if configInline defined --- bitnami/metallb/templates/configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/metallb/templates/configmap.yaml b/bitnami/metallb/templates/configmap.yaml index 511d5771293d65..3ae6d8e1fcbf6f 100644 --- a/bitnami/metallb/templates/configmap.yaml +++ b/bitnami/metallb/templates/configmap.yaml @@ -1,4 +1,4 @@ -{{- if .Values.configInline }} +{{- if not .Values.existingConfigMap }} apiVersion: v1 kind: ConfigMap metadata: From 5712cfa3bc3b0d4741022480adce9adbbb61f533 Mon Sep 17 00:00:00 2001 
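Review bot: The ConfigMap is now rendered whenever `existingConfigMap` is unset, including the default case where `configInline` is `{}`, so the README description `{}` (does not create configMap) for `configInline` in this series no longer matches the template: a ConfigMap is created, presumably with an empty config. Either keep both conditions, `{{- if and (not .Values.existingConfigMap) .Values.configInline }}`, or update the README row to say that an empty ConfigMap is created by default. The rest of the ConfigMap template is outside the hunk.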
From: Cellebyte Date: Tue, 21 Apr 2020 12:49:17 +0200 Subject: [PATCH 42/49] fixed the psps --- bitnami/metallb/templates/psp.yaml | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/bitnami/metallb/templates/psp.yaml b/bitnami/metallb/templates/psp.yaml index 519d179d99fb05..f304b6676985bd 100644 --- a/bitnami/metallb/templates/psp.yaml +++ b/bitnami/metallb/templates/psp.yaml @@ -13,8 +13,8 @@ spec: defaultAllowPrivilegeEscalation: false fsGroup: ranges: - - max: 65535 - min: 1 + - max: {{ .Values.controller.securityContext.fsGroup }} + min: {{ .Values.controller.securityContext.fsGroup }} rule: MustRunAs hostIPC: false hostNetwork: false @@ -25,15 +25,15 @@ spec: - ALL runAsUser: ranges: - - max: 65535 - min: 1 + - max: {{ .Values.controller.securityContext.runAsUser }} + min: {{ .Values.controller.securityContext.runAsUser }} rule: MustRunAs seLinux: rule: RunAsAny supplementalGroups: ranges: - - max: 65535 - min: 1 + - max: {{ .Values.controller.securityContext.runAsUser }} + min: {{ .Values.controller.securityContext.runAsUser }} rule: MustRunAs volumes: - configMap @@ -46,14 +46,11 @@ metadata: name: {{ include "metallb.fullname" . }}-speaker labels: {{- include "metallb.labels" . | nindent 4}} spec: - allowPrivilegeEscalation: false - allowedCapabilities: - - NET_ADMIN - - NET_RAW - - SYS_ADMIN + allowPrivilegeEscalation: {{ .Values.speaker.securityContext.allowPrivilegeEscalation }} + allowedCapabilities: {{- toYaml .Values.speaker.securityContext.capabilities.add | nindent 2 }} allowedHostPaths: [] - defaultAddCapabilities: [] - defaultAllowPrivilegeEscalation: false + defaultAddCapabilities: {{- toYaml .Values.speaker.securityContext.capabilities.add | nindent 2 }} + defaultAllowPrivilegeEscalation: {{ .Values.speaker.securityContext.allowPrivilegeEscalation }} fsGroup: rule: RunAsAny hostIPC: false 
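Review bot: The `supplementalGroups` range is derived from `controller.securityContext.runAsUser` while the `fsGroup` range just above uses `controller.securityContext.fsGroup`; supplementalGroups are GIDs, so `fsGroup` is presumably the intended source. With the shipped defaults both are `1001` and the mix-up is masked, but it surfaces as soon as a user sets the two values differently, since the PSP would then pin the pod's supplemental group to a UID. Change both bounds to `- max: {{ .Values.controller.securityContext.fsGroup }}` / `min: {{ .Values.controller.securityContext.fsGroup }}`.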
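Review bot: `defaultAddCapabilities` was `[]` and is now filled from `speaker.securityContext.capabilities.add`, which changes its meaning: `allowedCapabilities` lets a pod request those capabilities, whereas `defaultAddCapabilities` injects them into every pod admitted under this PSP, including pods that never asked for `NET_ADMIN`, `NET_RAW` or `SYS_ADMIN`. The speaker container already requests them explicitly in the daemonset, so `defaultAddCapabilities: []` is sufficient and avoids widening what the policy grants by default. The `privileged: true` visible in the following hunk's context predates this change but deserves a comment explaining why the speaker needs it, if it does, since it makes most of these restrictions moot.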
@@ -63,9 +60,8 @@ spec: - max: {{ .Values.speaker.daemonset.hostPorts.metrics }} min: {{ .Values.speaker.daemonset.hostPorts.metrics }} privileged: true - readOnlyRootFilesystem: true - requiredDropCapabilities: - - ALL + readOnlyRootFilesystem: {{ .Values.speaker.securityContext.readOnlyRootFilesystem }} + requiredDropCapabilities: {{- toYaml .Values.speaker.securityContext.capabilities.drop | nindent 2 }} runAsUser: rule: RunAsAny seLinux: From 1b28d68e93157d6cf3ef613ea1f6c67042fdb2e8 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Tue, 21 Apr 2020 13:00:12 +0200 Subject: [PATCH 43/49] Make psp also autogenerated --- bitnami/metallb/templates/deployment.yaml | 13 ++++++------- bitnami/metallb/templates/psp.yaml | 9 ++++----- bitnami/metallb/values.yaml | 10 ++++++++++ 3 files changed, 20 insertions(+), 12 deletions(-) diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index 2b5ac9c7ec7ac8..d379d85633bb86 100644 --- a/bitnami/metallb/templates/deployment.yaml +++ b/bitnami/metallb/templates/deployment.yaml 
@@ -19,12 +19,16 @@ spec: spec: {{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "metallb.controllerServiceAccountName" . }} - terminationGracePeriodSeconds: 0 + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- if .Values.controller.securityContext.enabled }} securityContext: runAsUser: {{ .Values.controller.securityContext.runAsUser }} fsGroup: {{ .Values.controller.securityContext.fsGroup }} runAsNonRoot: {{ .Values.controller.securityContext.runAsNonRoot }} + allowPrivilegeEscalation: {{ .Values.controller.securityContext.allowPrivilegeEscalation }} + readOnlyRootFilesystem: {{ .Values.controller.securityContext.readOnlyRootFilesystem }} + capabilities: + drop: {{- toYaml .Values.controller.securityContext.capabilities.drop | nindent 12 }} {{- end }} nodeSelector: {{- if .Values.controller.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }} @@ -71,9 +75,4 @@ spec: {{- if .Values.controller.resources }} resources: {{- toYaml .Values.controller.resources | nindent 10 }} {{- end }} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true + diff --git a/bitnami/metallb/templates/psp.yaml b/bitnami/metallb/templates/psp.yaml index f304b6676985bd..95a8c5410ca9bc 100644 --- a/bitnami/metallb/templates/psp.yaml +++ b/bitnami/metallb/templates/psp.yaml 
@@ -6,11 +6,11 @@ metadata: name: {{ include "metallb.fullname" . }}-controller labels: {{- include "metallb.labels" . | nindent 4}} spec: - allowPrivilegeEscalation: false + allowPrivilegeEscalation: {{ .Values.controller.securityContext.allowPrivilegeEscalation }} allowedCapabilities: [] allowedHostPaths: [] defaultAddCapabilities: [] - defaultAllowPrivilegeEscalation: false + defaultAllowPrivilegeEscalation: {{ .Values.controller.securityContext.allowPrivilegeEscalation }} fsGroup: ranges: - max: {{ .Values.controller.securityContext.fsGroup }} @@ -20,9 +20,8 @@ spec: hostNetwork: false hostPID: false privileged: false - readOnlyRootFilesystem: true - requiredDropCapabilities: - - ALL + readOnlyRootFilesystem: {{ .Values.controller.securityContext.readOnlyRootFilesystem }} + requiredDropCapabilities: {{- toYaml .Values.controller.securityContext.capabilities.drop | nindent 2 }} runAsUser: ranges: - max: {{ .Values.controller.securityContext.runAsUser }} diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index c2d2fe184aaf54..15ab76f49b02c8 100644 --- a/bitnami/metallb/values.yaml +++ b/bitnami/metallb/values.yaml @@ -121,12 +121,22 @@ controller: runAsNonRoot: true runAsUser: 1001 fsGroup: 1001 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL ## Configure the revisionHistoryLimit of the Controller deployment ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#revision-history-limit ## revisionHistoryLimit: 3 + ## Configure the grace time period for sig term + ## Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + ## + terminationGracePeriodSeconds: 0 + ## Configures the ports the MetalLB Controller listens on for metrics ## containerPort: From cf67fbe4f1469d7f73f23917b67a15fb52a8fcd9 Mon Sep 17 00:00:00 2001 
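Review bot: The comment on the new `terminationGracePeriodSeconds` should say what `0` means: the controller pod is killed immediately on deletion with no window to finish in-flight work, and the linked page is about lifecycle hooks rather than pod termination. Suggest `## Seconds the controller is given to shut down after SIGTERM before being killed (0 = no grace period)` with a ref to the pod termination section of the Kubernetes docs. The README row for this value is not part of this series' README hunks, so it presumably needs one as well.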
From: Cellebyte Date: Tue, 21 Apr 2020 13:00:59 +0200 Subject: [PATCH 44/49] remove one eol --- bitnami/metallb/templates/deployment.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index d379d85633bb86..bf5c897f178365 100644 --- a/bitnami/metallb/templates/deployment.yaml +++ b/bitnami/metallb/templates/deployment.yaml @@ -75,4 +75,3 @@ spec: {{- if .Values.controller.resources }} resources: {{- toYaml .Values.controller.resources | nindent 10 }} {{- end }} - From 8ada22afbb73feb419159e35c3dfc54db9854af4 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Tue, 21 Apr 2020 13:03:14 +0200 Subject: [PATCH 45/49] Added eol --- bitnami/metallb/templates/service-accounts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bitnami/metallb/templates/service-accounts.yaml b/bitnami/metallb/templates/service-accounts.yaml index 410dcaeb7d9fc7..42011b4578fdcc 100644 --- a/bitnami/metallb/templates/service-accounts.yaml +++ b/bitnami/metallb/templates/service-accounts.yaml @@ -13,4 +13,4 @@ kind: ServiceAccount metadata: name: {{ include "metallb.speakerServiceAccountName" . }} labels: {{- include "metallb.labels" . | nindent 4 }} -{{- end }} \ No newline at end of file +{{- end }} From 4d687a0ab4b4657a88715069785b2cbfbe016ab1 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Tue, 21 Apr 2020 13:07:57 +0200 Subject: [PATCH 46/49] Added the missing doc pieces --- bitnami/metallb/README.md | 129 ++++++++++++++++++------------------ bitnami/metallb/values.yaml | 2 + 2 files changed, 68 insertions(+), 63 deletions(-) diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md index 6a0b7a859f5a96..bd77580e6c6d1a 100644 --- a/bitnami/metallb/README.md +++ b/bitnami/metallb/README.md 
@@ -49,69 +49,72 @@ The command removes all the Kubernetes components associated with the chart and The following tables lists the configurable parameters of the metallb chart and their default values. -| Parameter | Description | Default | -|----------------------------------------------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------| -| `global.imageRegistry` | Global Docker image registry | `nil` | -| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `controller.image.registry` | MetalLB Controller image registry | `docker.io` | -| `controller.image.repository` | MetalLB Controller image name | `bitnami/metallb-controller` | -| `controller.image.tag` | MetalLB Controller image tag | `{TAG_NAME}` | -| `controller.pullPolicy` | MetalLB Controller image pull policy | `IfNotPresent` | -| `controller.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `controller.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` (does not add resource limits to deployed pods) | -| `controller.resources.requests` | Specify resource requests which the container needs to spawn. 
| `{}` (does not add resource limits to deployed pods) | -| `controller.nodeSelector` | Node labels for controller pod assignment | `{}` | -| `controller.tolerations` | Tolerations for controller pod assignment | `[]` | -| `controller.affinity` | Affinity for controller pod assignment | `{}` | -| `controller.podAnnotations` | Controller Pod annotations | `{}` | -| `controller.serviceAccount.create` | create a serviceAccount for the controller pod | `true` | -| `controller.serviceAccount.name` | use the serviceAccount with the specified name | "" | -| `controller.revisionHistoryLimit` | the revision history limit for the deployment. | `3` | -| `controller.securityContext.enabled` | Enable pods' security context | `true` | -| `controller.securityContext.runAsNonRoot` | MetalLB Controller must runs as nonRoot. | `true` | -| `controller.securityContext.runAsUser` | User ID for the pods. | `1001` | -| `controller.securityContext.fsGroup` | Group ID for the pods. | `1001` | -| `speaker.image.registry` | MetalLB Speaker image registry | `docker.io` | -| `speaker.image.repository` | MetalLB Speaker image name | `bitnami/metallb-speaker` | -| `speaker.image.tag` | MetalLB Speaker image tag | `{TAG_NAME}` | -| `speaker.pullPolicy` | MetalLB Speaker image pull policy | `IfNotPresent` | -| `speaker.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | -| `speaker.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` (does not add resource limits to deployed pods) | -| `speaker.resources.requests` | Specify resource requests which the container needs to spawn. 
| `{}` (does not add resource limits to deployed pods) | -| `speaker.nodeSelector` | Node labels for speaker pod assignment | `{}` | -| `speaker.tolerations` | Tolerations for speaker pod assignment | `[]` | -| `speaker.affinity` | Affinity for speaker pod assignment | `{}` | -| `speaker.podAnnotations` | Speaker Pod annotations | `{}` | -| `speaker.serviceAccount.create` | create a serviceAccount for the speaker pod | `true` | -| `speaker.serviceAccount.name` | use the serviceAccount with the specified name | "" | -| `speaker.daemonset.hostPorts.metrics` | the tcp port to listen on for the openmetrics endpoint. | `7472` | -| `speaker.daemonset.terminationGracePeriodSeconds` | The terminationGracePeriod in seconds for the daemonset to stop | `2` | -| `speaker.securityContext.enabled` | Enable pods' security context | `true` | -| `speaker.securityContext.runAsUser` | User ID for the pods. | `0` | -| `speaker.securityContext.allowPrivilegeEscalation` | Enables privilege Escalation context for the pod. | `false` | -| `speaker.securityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly | `true` | -| `speaker.securityContext.capabilities.drop` | Drop capabilities for the securityContext | `["ALL"]` | -| `speaker.securityContext.capabilities.add` | Add capabilities for the securityContext | `["NET_ADMIN", "NET_RAW", "SYS_ADMIN"]` | -| `speaker.secretName` | References a Secret name for the member secret outside of the helm chart | `nil` | -| `speaker.secretKey` | References a Secret key for the member secret outside of the helm chart | `nil` | -| `speaker.extraEnvVars` | Extra environment variable to pass to the running container. 
| `[]` | -| `nameOverride` | String to partially override metallb.fullname template with a string (will prepend the release name) | `nil` | -| `fullnameOverride` | String to fully override metallb.fullname template with a string | `nil` | -| `livenessProbe.enabled` | Enable/disable the Liveness probe | `true` | -| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `60` | -| `livenessProbe.periodSeconds` | How often to perform the probe | `10` | -| `livenessProbe.timeoutSeconds` | When the probe times out | `5` | -| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` | -| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` | -| `existingConfigMap` | Specify an existing configMapName to use. (this is mutually exclusive with the configInline option) | `nil` | -| `configInline` | Specify the config for metallb as a new configMap inline. | `{}` (does not create configMap) | -| `rbac.create` | Specify if an rbac authorization should be created with the necessarry Rolebindings. | `true` | -| `prometheus.serviceMonitor.enabled` | Specify if a servicemonitor will be deployed for prometheus-operator. | `true` | -| `prometheus.serviceMonitor.jobLabel` | Specify the jobLabel to use for the prometheus-operator | `metallb` | -| `prometheus.serviceMonitor.interval` | Specify the scrape interval if not specified use defaul prometheus scrapeIntervall | `""` | -| `prometheus.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics. | `[]` | -| `prometheus.serviceMonitor.relabelings` | Specify general relabeling. | `[]` | -| `prometheus.serviceMonitor.prometheusRule.enabled` | Enable prometheus alertmanager basic alerts. 
| `true` | +| Parameter | Description | Default | +|-------------------------------------------------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------| +| `global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `controller.image.registry` | MetalLB Controller image registry | `docker.io` | +| `controller.image.repository` | MetalLB Controller image name | `bitnami/metallb-controller` | +| `controller.image.tag` | MetalLB Controller image tag | `{TAG_NAME}` | +| `controller.pullPolicy` | MetalLB Controller image pull policy | `IfNotPresent` | +| `controller.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `controller.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` (does not add resource limits to deployed pods) | +| `controller.resources.requests` | Specify resource requests which the container needs to spawn. | `{}` (does not add resource limits to deployed pods) | +| `controller.nodeSelector` | Node labels for controller pod assignment | `{}` | +| `controller.tolerations` | Tolerations for controller pod assignment | `[]` | +| `controller.affinity` | Affinity for controller pod assignment | `{}` | +| `controller.podAnnotations` | Controller Pod annotations | `{}` | +| `controller.serviceAccount.create` | create a serviceAccount for the controller pod | `true` | +| `controller.serviceAccount.name` | use the serviceAccount with the specified name | "" | +| `controller.revisionHistoryLimit` | the revision history limit for the deployment. 
| `3` | +| `controller.securityContext.enabled` | Enable pods' security context | `true` | +| `controller.securityContext.runAsNonRoot` | MetalLB Controller must runs as nonRoot. | `true` | +| `controller.securityContext.runAsUser` | User ID for the pods. | `1001` | +| `controller.securityContext.fsGroup` | Group ID for the pods. | `1001` | +| `controller.securityContext.allowPrivilegeEscalation` | This defines if privilegeEscalation is allowed on that container | `false` | +| `controller.securityContext.readOnlyRootFilesystem` | This defines if the container can read the root fs on the host | `true` | +| `controller.securityContext.capabilities.drop` | Drop capabilities for the securityContext | `["ALL"]` | +| `speaker.image.registry` | MetalLB Speaker image registry | `docker.io` | +| `speaker.image.repository` | MetalLB Speaker image name | `bitnami/metallb-speaker` | +| `speaker.image.tag` | MetalLB Speaker image tag | `{TAG_NAME}` | +| `speaker.pullPolicy` | MetalLB Speaker image pull policy | `IfNotPresent` | +| `speaker.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `speaker.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` (does not add resource limits to deployed pods) | +| `speaker.resources.requests` | Specify resource requests which the container needs to spawn. 
| `{}` (does not add resource limits to deployed pods) | +| `speaker.nodeSelector` | Node labels for speaker pod assignment | `{}` | +| `speaker.tolerations` | Tolerations for speaker pod assignment | `[]` | +| `speaker.affinity` | Affinity for speaker pod assignment | `{}` | +| `speaker.podAnnotations` | Speaker Pod annotations | `{}` | +| `speaker.serviceAccount.create` | create a serviceAccount for the speaker pod | `true` | +| `speaker.serviceAccount.name` | use the serviceAccount with the specified name | "" | +| `speaker.daemonset.hostPorts.metrics` | the tcp port to listen on for the openmetrics endpoint. | `7472` | +| `speaker.daemonset.terminationGracePeriodSeconds` | The terminationGracePeriod in seconds for the daemonset to stop | `2` | +| `speaker.securityContext.enabled` | Enable pods' security context | `true` | +| `speaker.securityContext.runAsUser` | User ID for the pods. | `0` | +| `speaker.securityContext.allowPrivilegeEscalation` | Enables privilege Escalation context for the pod. | `false` | +| `speaker.securityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly | `true` | +| `speaker.securityContext.capabilities.drop` | Drop capabilities for the securityContext | `["ALL"]` | +| `speaker.securityContext.capabilities.add` | Add capabilities for the securityContext | `["NET_ADMIN", "NET_RAW", "SYS_ADMIN"]` | +| `speaker.secretName` | References a Secret name for the member secret outside of the helm chart | `nil` | +| `speaker.secretKey` | References a Secret key for the member secret outside of the helm chart | `nil` | +| `speaker.extraEnvVars` | Extra environment variable to pass to the running container. 
| `[]` | +| `nameOverride` | String to partially override metallb.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override metallb.fullname template with a string | `nil` | +| `livenessProbe.enabled` | Enable/disable the Liveness probe | `true` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `60` | +| `livenessProbe.periodSeconds` | How often to perform the probe | `10` | +| `livenessProbe.timeoutSeconds` | When the probe times out | `5` | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` | +| `existingConfigMap` | Specify an existing configMapName to use. (this is mutually exclusive with the configInline option) | `nil` | +| `configInline` | Specify the config for metallb as a new configMap inline. | `{}` (does not create configMap) | +| `rbac.create` | Specify if an rbac authorization should be created with the necessarry Rolebindings. | `true` | +| `prometheus.serviceMonitor.enabled` | Specify if a servicemonitor will be deployed for prometheus-operator. | `true` | +| `prometheus.serviceMonitor.jobLabel` | Specify the jobLabel to use for the prometheus-operator | `metallb` | +| `prometheus.serviceMonitor.interval` | Specify the scrape interval if not specified use defaul prometheus scrapeIntervall | `""` | +| `prometheus.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics. | `[]` | +| `prometheus.serviceMonitor.relabelings` | Specify general relabeling. | `[]` | +| `prometheus.serviceMonitor.prometheusRule.enabled` | Enable prometheus alertmanager basic alerts. | `true` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 
diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index 15ab76f49b02c8..e53a3786743cdd 100644 --- a/bitnami/metallb/values.yaml +++ b/bitnami/metallb/values.yaml @@ -116,6 +116,8 @@ controller: # The name of the ServiceAccount to use. If not set and create is # true, a name is generated using the fullname template name: "" + + securityContext: enabled: true runAsNonRoot: true From faaa0251ac7e25e1fdf3b94e4c9733788ccc5c1a Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Tue, 21 Apr 2020 13:13:00 +0200 Subject: [PATCH 47/49] added ref for securityContext --- bitnami/metallb/values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml index e53a3786743cdd..cf4859707b5b58 100644 --- a/bitnami/metallb/values.yaml +++ b/bitnami/metallb/values.yaml @@ -118,6 +118,9 @@ controller: name: "" + ## Pod securityContext + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## securityContext: enabled: true runAsNonRoot: true @@ -241,6 +244,9 @@ speaker: # secretName: # secretKey: + ## Pod securityContext + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## securityContext: enabled: true runAsUser: 0 From bca42228a75083c08ef99617a4afc8a6101c6c12 Mon Sep 17 00:00:00 2001 From: Cellebyte Date: Tue, 21 Apr 2020 13:19:28 +0200 Subject: [PATCH 48/49] Fixed securityContext --- bitnami/metallb/templates/deployment.yaml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml index bf5c897f178365..d4649043940f6f 100644 --- a/bitnami/metallb/templates/deployment.yaml +++ b/bitnami/metallb/templates/deployment.yaml 
@@ -20,16 +20,6 @@ spec: {{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "metallb.controllerServiceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if .Values.controller.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.controller.securityContext.runAsUser }} - fsGroup: {{ .Values.controller.securityContext.fsGroup }} - runAsNonRoot: {{ .Values.controller.securityContext.runAsNonRoot }} - allowPrivilegeEscalation: {{ .Values.controller.securityContext.allowPrivilegeEscalation }} - readOnlyRootFilesystem: {{ .Values.controller.securityContext.readOnlyRootFilesystem }} - capabilities: - drop: {{- toYaml .Values.controller.securityContext.capabilities.drop | nindent 12 }} - {{- end }} nodeSelector: {{- if .Values.controller.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }} {{- end }} @@ -72,6 +62,19 @@ spec: successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} {{- end }} + {{- if .Values.controller.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: {{ .Values.controller.securityContext.allowPrivilegeEscalation }} + readOnlyRootFilesystem: {{ .Values.controller.securityContext.readOnlyRootFilesystem }} + capabilities: + drop: {{- toYaml .Values.controller.securityContext.capabilities.drop | nindent 12 }} + {{- end }} {{- if .Values.controller.resources }} resources: {{- toYaml .Values.controller.resources | nindent 10 }} {{- end }} + {{- if .Values.controller.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.controller.securityContext.runAsUser }} + fsGroup: {{ .Values.controller.securityContext.fsGroup }} + runAsNonRoot: {{ .Values.controller.securityContext.runAsNonRoot }} + {{- end }} 
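Review bot: The relocated pod-level `securityContext` (`runAsUser`/`fsGroup`/`runAsNonRoot`) is appended after the container's `resources:` stanza, and the collapsed patch text does not let me confirm its indentation; it has to sit at the pod `spec:` level (same column as `serviceAccountName:`), because `fsGroup` is not a field of a container securityContext and the API server will reject the Deployment if it lands one level too deep. Rendering with `helm template` and validating with `kubectl apply --dry-run=server` would settle this before merge. The diffstat lists only `deployment.yaml`; if the speaker's DaemonSet template mixes pod and container fields the same way, it still needs the same split — that file is not visible here. The enclosing `spec:` starts before the hunk.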
From de23221db103ee450cc12dee4652a775521dfa7f Mon Sep 17 00:00:00 2001
From: Cellebyte
Date: Tue, 21 Apr 2020 14:41:24 +0200
Subject: [PATCH 49/49] added some NOTES after the deployment

---
 bitnami/metallb/templates/NOTES.txt | 36 +++++++++++++++++++++---
 bitnami/metallb/templates/configmap.yaml | 2 +-
 2 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/bitnami/metallb/templates/NOTES.txt b/bitnami/metallb/templates/NOTES.txt
index 573e3e02492ed2..c48e9b9fc1b480 100644
--- a/bitnami/metallb/templates/NOTES.txt
+++ b/bitnami/metallb/templates/NOTES.txt
@@ -1,11 +1,39 @@ +MetalLB is now running in the cluster -MetalLB is now running in the cluster. -{{- if .Values.configInline }} LoadBalancer Services in your cluster are now available on the IPs you defined in MetalLB's configuration. To see IP assignments, -try `kubectl get services`. -{{- else }} + + kubectl get services -o wide --all-namespaces | grep --color=never -E 'LoadBalancer|NAMESPACE' + +should be executed. + +To see the currently configured configuration for metallb run + + kubectl get configmaps --namespace {{ .Release.Namespace }} {{ include "metallb.configMapName" . }} -o yaml + +in your preferred shell. + +{{- if .Values.existingConfigMap }} WARNING: you specified a ConfigMap that isn't managed by Helm. LoadBalancer services will not function until you add that ConfigMap to your cluster yourself. + +Ensure you put the configmap in place + + kubectl get configmaps --namespace {{ .Release.Namespace }} | grep --color=never -E "{{ include "metallb.configMapName" . }}|NAME" + +If it is missing create it with: + + kubectl create configmap {{ include "metallb.configMapName" . }} --namespace {{ .Release.Namespace }} --from-file=config +{{- end }} + +{{- if .Values.speaker.secretName }} +WARNING: you specified a secretName that isn't managed by +Helm. The MetalLB speakers will not join without the secret in place. + + kubectl get secrets --namespace {{ .Release.Namespace }} | grep --color=never -E "{{ include "metallb.secretName" .}}|NAME" + +If it is missing create it with: + + kubectl create secret {{ include "metallb.secretName" .}} --from-file={{ include "metallb.secretKey" . }} {{- end }} \ No newline at end of file diff --git a/bitnami/metallb/templates/configmap.yaml b/bitnami/metallb/templates/configmap.yaml index 3ae6d8e1fcbf6f..33f63e698ab393 100644 --- a/bitnami/metallb/templates/configmap.yaml +++ b/bitnami/metallb/templates/configmap.yaml 
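Review bot: The suggested command `kubectl create secret {{ include "metallb.secretName" .}} --from-file=...` is not valid kubectl — `create secret` requires a type such as `generic`, and without `--namespace` the secret would not land next to the release — so an operator copying it gets a usage error or a secret in the wrong namespace. I would change that line to `kubectl create secret generic {{ include "metallb.secretName" . }} --namespace {{ .Release.Namespace }} --from-file={{ include "metallb.secretKey" . }}`. Note that `--from-file=<name>` reads a local file called `<name>` and uses it as the key, so this only works if such a file exists; if the value is a generated shared key rather than a file, `--from-literal={{ include "metallb.secretKey" . }}=...` would be the clearer form — I cannot tell from the hunk which is intended. The same caveat applies to `--from-file=config` for the ConfigMap: the resulting key must be `config`, which matches the `data: config:` key in configmap.yaml.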
@@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "metallb.fullname" . }} + name: {{ include "metallb.configMapName" . }} labels: {{- include "metallb.labels" . | nindent 4}} data: config: |
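Review bot: Switching the ConfigMap's name to the `metallb.configMapName` helper is only safe if this template stays gated on `configInline`, and the guard (file line 1) lies outside the hunk, so I cannot confirm it. If the helper returns `.Values.existingConfigMap` when that value is set, an ungated template would render a ConfigMap with the same name as the user-managed one, and Helm would then adopt or overwrite it on install/upgrade — the README in this series states the two options are mutually exclusive and that an empty `configInline` must not create a ConfigMap. A comment such as `## Rendered only when configInline is set; existingConfigMap is referenced by name, never created here` above `apiVersion` plus a check that the guard is present would close this.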