From 31d6a86e1b70fb4dd8c07fd623f14a27b8f074ee Mon Sep 17 00:00:00 2001 
From: Marcel Fest Date: Wed, 29 Apr 2020 18:03:24 +0200 Subject: [PATCH] [bitnami/metallb] Adding the MetalLB Helm Chart. (#2068) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * added objectstorageConfig to the sidecar container * Bumped version and added documentation of the added values. * Fixed indentation of environment variables * Rename ConfigMap to Secret and added to production-values * Fixed missing space * added the metallb chart * Update bitnami/metallb/Chart.yaml Co-Authored-By: Carlos Rodríguez Hernández * Update bitnami/metallb/README.md Co-Authored-By: Carlos Rodríguez Hernández * Update bitnami/metallb/templates/tests/test-connection.yaml Co-Authored-By: Carlos Rodríguez Hernández * Update bitnami/metallb/values.yaml Co-Authored-By: Carlos Rodríguez Hernández * Update bitnami/metallb/values.yaml Co-Authored-By: Carlos Rodríguez Hernández * Update README.md * Update bitnami/metallb/README.md Co-Authored-By: Carlos Rodríguez Hernández * fixed `---` * Added templating * Fixed some bugs and added securityContext also bumped metallb appVersion * Bumped versions * Added metallb templates * Added metallb 0.9.2 changes to the chart * Added metallb 0.9.2 changes to the chart * Added missing EOL * Fixed the appVersion * added secret autogeneration for the members to join * Bumped version accordingly to cellebyte/helm * Fixed missing EOL * Bumped templates to the new version and bumped metallb version * Fixed some template behaviour * Bumped chart version * Bumped image tags to use the latest version * Run the container as Root because the speaker needs the capability to use root specific network features * fixed typo and email * use bitnami images * added app.kubernetes.io/component app.kubernetes.io/app * Use nindent * Fixed nindent and some old labels * added more configurable options * Fixed nindent stuff * Fixed trim-suffix * added templates to handle secrets and configmaps the proper way * fixed wrong
documentation * Fixed template executing if configInline defined * fixed the psps * Make psp also autogenerated * remove one eol * Added eol * Added the missing doc pieces * added ref for securityContext * Fixed securityContext * added some NOTES after the deployment Co-authored-by: Carlos Rodríguez Hernández --- bitnami/metallb/.helmignore | 22 ++ bitnami/metallb/Chart.yaml | 23 ++ bitnami/metallb/README.md | 160 ++++++++++ bitnami/metallb/templates/NOTES.txt | 39 +++ bitnami/metallb/templates/_helpers.tpl | 212 +++++++++++++ bitnami/metallb/templates/configmap.yaml | 10 + bitnami/metallb/templates/daemonset.yaml | 111 +++++++ bitnami/metallb/templates/deployment.yaml | 80 +++++ .../templates/prometheus/metallb.alerts.yaml | 27 ++ bitnami/metallb/templates/psp.yaml | 74 +++++ bitnami/metallb/templates/rbac.yaml | 156 ++++++++++ bitnami/metallb/templates/secret.yaml | 13 + .../metallb/templates/service-accounts.yaml | 16 + bitnami/metallb/templates/servicemonitor.yaml | 87 ++++++ bitnami/metallb/values.yaml | 287 ++++++++++++++++++ 15 files changed, 1317 insertions(+) create mode 100644 bitnami/metallb/.helmignore create mode 100644 bitnami/metallb/Chart.yaml create mode 100644 bitnami/metallb/README.md create mode 100644 bitnami/metallb/templates/NOTES.txt create mode 100644 bitnami/metallb/templates/_helpers.tpl create mode 100644 bitnami/metallb/templates/configmap.yaml create mode 100644 bitnami/metallb/templates/daemonset.yaml create mode 100644 bitnami/metallb/templates/deployment.yaml create mode 100644 bitnami/metallb/templates/prometheus/metallb.alerts.yaml create mode 100644 bitnami/metallb/templates/psp.yaml create mode 100644 bitnami/metallb/templates/rbac.yaml create mode 100644 bitnami/metallb/templates/secret.yaml create mode 100644 bitnami/metallb/templates/service-accounts.yaml create mode 100644 bitnami/metallb/templates/servicemonitor.yaml create mode 100644 bitnami/metallb/values.yaml 
diff --git a/bitnami/metallb/.helmignore b/bitnami/metallb/.helmignore
new file mode 100644
index 0000000000..50af031725
--- /dev/null
+++ b/bitnami/metallb/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/bitnami/metallb/Chart.yaml b/bitnami/metallb/Chart.yaml
new file mode 100644
index 0000000000..10405599cf
--- /dev/null
+++ b/bitnami/metallb/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+name: metallb
+description: The Metal LB for Kubernetes
+appVersion: 0.9.3
+keywords:
+ - "load-balancer"
+ - "balancer"
+ - "lb"
+ - "bgp"
+ - "arp"
+ - "vrrp"
+ - "vip"
+home: https://metallb.universe.tf
+icon: https://metallb.universe.tf/images/logo.png
+sources:
+ - https://github.com/metallb/metallb
+ - https://github.com/bitnami/bitnami-docker-metallb
+version: 0.1.10
+maintainers:
+ - name: cellebyte
+ email: cellebyte@gmail.com
+ - name: Bitnami
+ email: containers@bitnami.com
diff --git a/bitnami/metallb/README.md b/bitnami/metallb/README.md
new file mode 100644
index 0000000000..bd77580e6c
--- /dev/null
+++ b/bitnami/metallb/README.md
@@ -0,0 +1,160 @@ +# MetalLB + +[MetalLB](https://metallb.universe.tf/faq/) is an open source, rock solid LoadBalancer. It handles the `ServiceType: Loadbalancer`. + +## TL;DR; + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/metallb +``` + +## Introduction +Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads. + +This chart bootstraps a [MetalLB Controller](https://metallb.universe.tf/community/) Controller Deployment and a [MetalLB Speaker](https://metallb.universe.tf/community/) Daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 2.11+ or Helm 3.0-beta3+ +- Virtual IPs for Layer 2 or Route Reflector for BGP setup. + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +$ helm repo add bitnami https://charts.bitnami.com/bitnami +$ helm install my-release bitnami/metallb +``` + +These commands deploy metallb on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` helm release: + +```console +$ helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ +## Parameters + +The following tables lists the configurable parameters of the metallb chart and their default values. + +| Parameter | Description | Default | +|-------------------------------------------------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------| +| `global.imageRegistry` | Global Docker image registry | `nil` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `controller.image.registry` | MetalLB Controller image registry | `docker.io` | +| `controller.image.repository` | MetalLB Controller image name | `bitnami/metallb-controller` | +| `controller.image.tag` | MetalLB Controller image tag | `{TAG_NAME}` | +| `controller.pullPolicy` | MetalLB Controller image pull policy | `IfNotPresent` | +| `controller.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `controller.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` (does not add resource limits to deployed pods) | +| `controller.resources.requests` | Specify resource requests which the container needs to spawn. | `{}` (does not add resource limits to deployed pods) | +| `controller.nodeSelector` | Node labels for controller pod assignment | `{}` | +| `controller.tolerations` | Tolerations for controller pod assignment | `[]` | +| `controller.affinity` | Affinity for controller pod assignment | `{}` | +| `controller.podAnnotations` | Controller Pod annotations | `{}` | +| `controller.serviceAccount.create` | create a serviceAccount for the controller pod | `true` | +| `controller.serviceAccount.name` | use the serviceAccount with the specified name | "" | +| `controller.revisionHistoryLimit` | the revision history limit for the deployment. 
| `3` | +| `controller.securityContext.enabled` | Enable pods' security context | `true` | +| `controller.securityContext.runAsNonRoot` | MetalLB Controller must runs as nonRoot. | `true` | +| `controller.securityContext.runAsUser` | User ID for the pods. | `1001` | +| `controller.securityContext.fsGroup` | Group ID for the pods. | `1001` | +| `controller.securityContext.allowPrivilegeEscalation` | This defines if privilegeEscalation is allowed on that container | `false` | +| `controller.securityContext.readOnlyRootFilesystem` | This defines if the container can read the root fs on the host | `true` | +| `controller.securityContext.capabilities.drop` | Drop capabilities for the securityContext | `["ALL"]` | +| `speaker.image.registry` | MetalLB Speaker image registry | `docker.io` | +| `speaker.image.repository` | MetalLB Speaker image name | `bitnami/metallb-speaker` | +| `speaker.image.tag` | MetalLB Speaker image tag | `{TAG_NAME}` | +| `speaker.pullPolicy` | MetalLB Speaker image pull policy | `IfNotPresent` | +| `speaker.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) | +| `speaker.resources.limits` | Specify resource limits which the container is not allowed to succeed. | `{}` (does not add resource limits to deployed pods) | +| `speaker.resources.requests` | Specify resource requests which the container needs to spawn. 
| `{}` (does not add resource limits to deployed pods) | +| `speaker.nodeSelector` | Node labels for speaker pod assignment | `{}` | +| `speaker.tolerations` | Tolerations for speaker pod assignment | `[]` | +| `speaker.affinity` | Affinity for speaker pod assignment | `{}` | +| `speaker.podAnnotations` | Speaker Pod annotations | `{}` | +| `speaker.serviceAccount.create` | create a serviceAccount for the speaker pod | `true` | +| `speaker.serviceAccount.name` | use the serviceAccount with the specified name | "" | +| `speaker.daemonset.hostPorts.metrics` | the tcp port to listen on for the openmetrics endpoint. | `7472` | +| `speaker.daemonset.terminationGracePeriodSeconds` | The terminationGracePeriod in seconds for the daemonset to stop | `2` | +| `speaker.securityContext.enabled` | Enable pods' security context | `true` | +| `speaker.securityContext.runAsUser` | User ID for the pods. | `0` | +| `speaker.securityContext.allowPrivilegeEscalation` | Enables privilege Escalation context for the pod. | `false` | +| `speaker.securityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly | `true` | +| `speaker.securityContext.capabilities.drop` | Drop capabilities for the securityContext | `["ALL"]` | +| `speaker.securityContext.capabilities.add` | Add capabilities for the securityContext | `["NET_ADMIN", "NET_RAW", "SYS_ADMIN"]` | +| `speaker.secretName` | References a Secret name for the member secret outside of the helm chart | `nil` | +| `speaker.secretKey` | References a Secret key for the member secret outside of the helm chart | `nil` | +| `speaker.extraEnvVars` | Extra environment variable to pass to the running container. 
| `[]` | +| `nameOverride` | String to partially override metallb.fullname template with a string (will prepend the release name) | `nil` | +| `fullnameOverride` | String to fully override metallb.fullname template with a string | `nil` | +| `livenessProbe.enabled` | Enable/disable the Liveness probe | `true` | +| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | `60` | +| `livenessProbe.periodSeconds` | How often to perform the probe | `10` | +| `livenessProbe.timeoutSeconds` | When the probe times out | `5` | +| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` | +| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `6` | +| `existingConfigMap` | Specify an existing configMapName to use. (this is mutually exclusive with the configInline option) | `nil` | +| `configInline` | Specify the config for metallb as a new configMap inline. | `{}` (does not create configMap) | +| `rbac.create` | Specify if an rbac authorization should be created with the necessarry Rolebindings. | `true` | +| `prometheus.serviceMonitor.enabled` | Specify if a servicemonitor will be deployed for prometheus-operator. | `true` | +| `prometheus.serviceMonitor.jobLabel` | Specify the jobLabel to use for the prometheus-operator | `metallb` | +| `prometheus.serviceMonitor.interval` | Specify the scrape interval if not specified use defaul prometheus scrapeIntervall | `""` | +| `prometheus.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics. | `[]` | +| `prometheus.serviceMonitor.relabelings` | Specify general relabeling. | `[]` | +| `prometheus.serviceMonitor.prometheusRule.enabled` | Enable prometheus alertmanager basic alerts. | `true` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example, + +```console +$ helm install my-release \ + --set livenessProbe.successThreshold=5 \ + bitnami/metallb +``` +The above command sets the `livenessProbe.successThreshold` to `5`. + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +To configure [MetalLB](https://metallb.universe.tf) please look into the configuration section [MetalLB Configuration](https://metallb.universe.tf/configuration/). + +### Example Layer 2 configuration + +```yaml +configInline: + # The address-pools section lists the IP addresses that MetalLB is + # allowed to allocate, along with settings for how to advertise + # those addresses over BGP once assigned. You can have as many + # address pools as you want. + address-pools: + - # A name for the address pool. Services can request allocation + # from a specific address pool using this name, by listing this + # name under the 'metallb.universe.tf/address-pool' annotation. + name: generic-cluster-pool + # Protocol can be used to select how the announcement is done. + # Supported values are bgp and layer2. + protocol: layer2 + # A list of IP address ranges over which MetalLB has + # authority. You can list multiple ranges in a single pool, they + # will all share the same settings. Each range can be either a + # CIDR prefix, or an explicit start-end range of IPs. + addresses: + - 10.27.50.30-10.27.50.35 +``` diff --git a/bitnami/metallb/templates/NOTES.txt b/bitnami/metallb/templates/NOTES.txt new file mode 100644 index 0000000000..c48e9b9fc1 --- /dev/null 
+++ b/bitnami/metallb/templates/NOTES.txt
@@ -0,0 +1,39 @@
+MetalLB is now running in the cluster
+
+LoadBalancer Services in your cluster are now available on the IPs you
+defined in MetalLB's configuration. To see IP assignments,
+
+ kubectl get services -o wide --all-namespaces | grep --color=never -E 'LoadBalancer|NAMESPACE'
+
+should be executed.
+
+To see the currently configured configuration for metallb run
+
+ kubectl get configmaps --namespace {{ .Release.Namespace }} {{ include "metallb.configMapName" . }} -o yaml
+
+in your preferred shell.
+
+{{- if .Values.existingConfigMap }}
+WARNING: you specified a ConfigMap that isn't managed by
+Helm. LoadBalancer services will not function until you add that
+ConfigMap to your cluster yourself.
+
+Ensure you put the configmap in place
+
+ kubectl get configmaps --namespace {{ .Release.Namespace }} | grep --color=never -E "{{ include "metallb.configMapName" . }}|NAME"
+
+If it is missing create it with:
+
+ kubectl create configmap {{ include "metallb.configMapName" . }} --namespace {{ .Release.Namespace }} --from-file=config
+{{- end }}
+
+{{- if .Values.speaker.secretName }}
+WARNING: you specified a secretName that isn't managed by
+Helm. The MetalLB speakers will not join without the secret in place.
+
+ kubectl get secrets --namespace {{ .Release.Namespace }} | grep --color=never -E "{{ include "metallb.secretName" .}}|NAME"
+
+If it is missing create it with:
+
+ kubectl create secret {{ include "metallb.secretName" .}} --from-file={{ include "metallb.secretKey" . }}
+{{- end }}
\ No newline at end of file
diff --git a/bitnami/metallb/templates/_helpers.tpl b/bitnami/metallb/templates/_helpers.tpl
new file mode 100644
index 0000000000..82c1097b4c
--- /dev/null
+++ b/bitnami/metallb/templates/_helpers.tpl
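Review bot: The secret hint at the end of the hunk, `kubectl create secret {{ include "metallb.secretName" .}} --from-file={{ include "metallb.secretKey" . }}`, is not a runnable command: `kubectl create secret` needs a type before the name, the `--namespace` flag that the configmap hint above passes is missing, and `--from-file=<key>` only works if a file named exactly like the key exists in the working directory. I would render it as `kubectl create secret generic {{ include "metallb.secretName" . }} --namespace {{ .Release.Namespace }} --from-literal={{ include "metallb.secretKey" . }}="$(openssl rand -base64 128)"`, which produces the key the speakers read through `METALLB_ML_SECRET_KEY`. The `{{ include "metallb.secretName" .}}` spacing also differs from every other include in the file, and the file is committed without a trailing newline.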
@@ -0,0 +1,212 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "metallb.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Return the proper metallb controller image name
+*/}}
+{{- define "metallb.controller.image" -}}
+{{- $registryName := .Values.controller.image.registry -}}
+{{- $repositoryName := .Values.controller.image.repository -}}
+{{- $tag := .Values.controller.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+ {{- if .Values.global.imageRegistry }}
+ {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+ {{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+ {{- end -}}
+{{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper metallb speaker image name
+*/}}
+{{- define "metallb.speaker.image" -}}
+{{- $registryName := .Values.speaker.image.registry -}}
+{{- $repositoryName := .Values.speaker.image.repository -}}
+{{- $tag := .Values.speaker.image.tag | toString -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
+Also, we can't use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+ {{- if .Values.global.imageRegistry }}
+ {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
+ {{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+ {{- end -}}
+{{- else -}}
+ {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "metallb.labels" -}}
+app.kubernetes.io/name: {{ include "metallb.name" . }}
+helm.sh/chart: {{ include "metallb.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "metallb.matchLabels" -}}
+app.kubernetes.io/name: {{ include "metallb.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "metallb.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "metallb.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "metallb.controller.imagePullSecrets" -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
+Also, we can not use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- else if .Values.controller.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.controller.image.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- else if .Values.controller.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.controller.image.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "metallb.speaker.imagePullSecrets" -}}
+{{/*
+Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
+but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
+Also, we can not use a single if because lazy evaluation is not an option
+*/}}
+{{- if .Values.global }}
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- else if .Values.speaker.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.speaker.image.pullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end -}}
+{{- else if .Values.speaker.image.pullSecrets }}
+imagePullSecrets:
+{{- range .Values.speaker.image.pullSecrets }}
+ - name: {{ .
}}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the controller service account to use
+*/}}
+{{- define "metallb.controllerServiceAccountName" -}}
+{{- if .Values.controller.serviceAccount.create -}}
+ {{ default (printf "%s-controller" (include "metallb.fullname" .)) .Values.controller.serviceAccount.name | trunc 63 | trimSuffix "-" }}
+{{- else -}}
+ {{ default "default" .Values.controller.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the speaker service account to use
+*/}}
+{{- define "metallb.speakerServiceAccountName" -}}
+{{- if .Values.speaker.serviceAccount.create -}}
+ {{ default (printf "%s-speaker" (include "metallb.fullname" .)) .Values.speaker.serviceAccount.name | trunc 63 | trimSuffix "-" }}
+{{- else -}}
+ {{ default "default" .Values.speaker.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the settings ConfigMap to use.
+*/}}
+{{- define "metallb.configMapName" -}}
+ {{ default ( printf "%s" (include "metallb.fullname" .)) .Values.existingConfigMap | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{/*
+Create the name of the settings Secret to use.
+*/}}
+{{- define "metallb.secretName" -}}
+ {{ default ( printf "%s-memberlist" (include "metallb.fullname" .)) .Values.speaker.secretName | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+
+{{/*
+Create the key of the settings Secret to use.
+*/}}
+{{- define "metallb.secretKey" -}}
+ {{ default "secretkey" .Values.speaker.secretKey | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "metallb.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "metallb.tplValue" -}}
+ {{- if typeIs "string" .value }}
+ {{- tpl .value .context }}
+ {{- else }}
+ {{- tpl (.value | toYaml) .context }}
+ {{- end }}
+{{- end -}}
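Review bot: `metallb.secretKey` pipes a Secret data key through `trunc 63 | trimSuffix "-"`, the DNS-label normalisation the chart uses for resource names; a user-supplied `speaker.secretKey` that is longer than 63 characters or ends in `-` is presumably a legal data key but would be silently rewritten here and no longer match the key in the user's Secret. I would drop the pipeline: `{{ default "secretkey" .Values.speaker.secretKey }}`. In `metallb.configMapName` the `printf "%s" (include "metallb.fullname" .)` wrapper is a no-op; `default (include "metallb.fullname" .) .Values.existingConfigMap` reads the same and matches the sibling `metallb.secretName` helper.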
diff --git a/bitnami/metallb/templates/configmap.yaml b/bitnami/metallb/templates/configmap.yaml
new file mode 100644
index 0000000000..33f63e698a
--- /dev/null
+++ b/bitnami/metallb/templates/configmap.yaml
@@ -0,0 +1,10 @@
+{{- if not .Values.existingConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "metallb.configMapName" . }}
+ labels: {{- include "metallb.labels" . | nindent 4}}
+data:
+ config: |
+{{ include "metallb.tplValue" ( dict "value" .Values.configInline "context" $) | indent 4 }}
+{{- end }}
diff --git a/bitnami/metallb/templates/daemonset.yaml b/bitnami/metallb/templates/daemonset.yaml
new file mode 100644
index 0000000000..983b8e76d9
--- /dev/null
+++ b/bitnami/metallb/templates/daemonset.yaml
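Review bot: The guard on the first line of the hunk only checks `existingConfigMap`, so with the documented default of an empty `configInline` the template still renders a ConfigMap whose `config` body is the literal `{}` produced by `toYaml` of an empty map, while the README's parameter table in this same commit says `{}` does not create a ConfigMap. Guarding on both, `{{- if and (not .Values.existingConfigMap) .Values.configInline }}`, makes the template match the documented behaviour instead of shipping an empty MetalLB configuration. Minor style: `nindent 4}}` lacks the space before `}}` that every other action in the chart uses.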
@@ -0,0 +1,111 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "metallb.fullname" . }}-speaker
+ labels: {{- include "metallb.labels" . | nindent 4 }}
+ app.kubernetes.io/component: speaker
+spec:
+ selector:
+ matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }}
+ app.kubernetes.io/component: speaker
+ template:
+ metadata:
+ labels: {{- include "metallb.labels" . | nindent 8 }}
+ app.kubernetes.io/component: speaker
+ {{- if .Values.speaker.podAnnotations }}
+ annotations: {{- toYaml .Values.speaker.podAnnotations | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }}
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ serviceAccountName: {{ include "metallb.speakerServiceAccountName" . }}
+ terminationGracePeriodSeconds: {{ .Values.speaker.daemonset.terminationGracePeriodSeconds }}
+ hostNetwork: true
+ containers:
+ - name: speaker
+ image: {{ include "metallb.speaker.image" . }}
+ imagePullPolicy: {{ .Values.speaker.image.pullPolicy }}
+ args:
+ - --port={{ .Values.speaker.daemonset.hostPorts.metrics }}
+ - --config={{ include "metallb.configMapName" . }}
+ env:
+ - name: METALLB_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: METALLB_HOST
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: METALLB_ML_BIND_ADDR
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: METALLB_ML_LABELS
+ value: "app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker"
+ - name: METALLB_ML_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: METALLB_ML_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "metallb.secretName" . }}
+ key: {{ include "metallb.secretKey" .
}}
+ {{- if .Values.speaker.extraEnvVars }}
+ {{- include "metallb.tplValue" ( dict "value" .Values.speaker.extraEnvVars "context" $ ) | nindent 8 }}
+ {{- end }}
+ envFrom:
+ {{- if .Values.extraEnvVarsSecret }}
+ - secretRef:
+ name: {{ include "metallb.tplValue" ( dict "value" .Values.speaker.extraEnvVarsSecret "context" $ ) }}
+ {{- end }}
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.speaker.daemonset.hostPorts.metrics }}
+ {{- if .Values.speaker.livenessProbe.enabled }}
+ livenessProbe:
+ httpGet:
+ path: /metrics
+ port: metrics
+ initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.speaker.readinessProbe.enabled }}
+ readinessProbe:
+ httpGet:
+ path: /metrics
+ port: metrics
+ initialDelaySeconds: {{ .Values.speaker.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.speaker.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.speaker.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.speaker.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.speaker.readinessProbe.failureThreshold }}
+ {{- end }}
+ {{- if .Values.speaker.resources }}
+ resources: {{- toYaml .Values.speaker.resources | nindent 10 }}
+ {{- end }}
+ {{- if .Values.speaker.securityContext.enabled }}
+ securityContext:
+ runAsUser: {{ .Values.speaker.securityContext.runAsUser }}
+ allowPrivilegeEscalation: {{ .Values.speaker.securityContext.allowPrivilegeEscalation }}
+ readOnlyRootFilesystem: {{ .Values.speaker.securityContext.readOnlyRootFilesystem }}
+ capabilities:
+ drop: {{- toYaml .Values.speaker.securityContext.capabilities.drop | nindent 12 }}
+ add: {{- toYaml
.Values.speaker.securityContext.capabilities.add | nindent 12 }}
+ {{- end }}
+ nodeSelector:
+ {{- if .Values.controller.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }}
+ {{- end }}
+ "kubernetes.io/os": linux
+ {{- if .Values.speaker.affinity }}
+ affinity: {{- include "metallb.tplValue" (dict "value" .Values.speaker.affinity "context" $) | nindent 8 }}
+ {{- end }}
+ {{- if .Values.speaker.tolerations}}
+ tolerations: {{- include "metallb.tplValue" (dict "value" .Values.speaker.tolerations "context" $) | nindent 8 }}
+ {{- end }}
diff --git a/bitnami/metallb/templates/deployment.yaml b/bitnami/metallb/templates/deployment.yaml
new file mode 100644
index 0000000000..d464904394
--- /dev/null
+++ b/bitnami/metallb/templates/deployment.yaml
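Review bot: The `nodeSelector:` block near the end of the hunk reads `.Values.controller.nodeSelector` inside the speaker DaemonSet, so the README-documented `speaker.nodeSelector` is never applied; it should be `{{- if .Values.speaker.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.speaker.nodeSelector "context" $) | nindent 8 }}`. The pod spec also defines `tolerations:` twice — the hard-coded master toleration right after the imagePullSecrets include and the conditional block on the last lines — and because YAML parsers keep the last duplicate key, setting `speaker.tolerations` silently drops the master toleration; merging them as below fixes that. `METALLB_ML_LABELS` hard-codes `app.kubernetes.io/name=metallb`, which stops matching the speaker pods as soon as `nameOverride` is set and, without the instance label, presumably cannot tell two releases in one namespace apart; `value: "app.kubernetes.io/name={{ include "metallb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=speaker"` keeps it aligned with `metallb.matchLabels`. Finally, `envFrom:` is guarded by `.Values.extraEnvVarsSecret` but renders `.Values.speaker.extraEnvVarsSecret`, so the secretRef can never appear; the guard should use the same path and `envFrom:` itself should move inside the `if` so it is not emitted as an empty key.
```yaml
    spec:
      {{- include "metallb.speaker.imagePullSecrets" . | nindent 6 }}
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        {{- if .Values.speaker.tolerations }}
        {{- include "metallb.tplValue" (dict "value" .Values.speaker.tolerations "context" $) | nindent 8 }}
        {{- end }}
      # … unchanged: serviceAccountName, hostNetwork, containers, nodeSelector, affinity; the trailing tolerations block is removed …
```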
@@ -0,0 +1,80 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "metallb.fullname" . }}-controller + labels: {{- include "metallb.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +spec: + revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit }} + selector: + matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + template: + metadata: + labels: {{- include "metallb.labels" . | nindent 8 }} + app.kubernetes.io/component: controller + {{- if .Values.controller.podAnnotations }} + annotations: {{- toYaml .Values.controller.podAnnotations | nindent 8 }} + {{- end }} + spec: + {{- include "metallb.controller.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "metallb.controllerServiceAccountName" . }} + terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} + nodeSelector: + {{- if .Values.controller.nodeSelector }} {{- include "metallb.tplValue" (dict "value" .Values.controller.nodeSelector "context" $) | nindent 8 }} + {{- end }} + "kubernetes.io/os": linux + {{- if .Values.controller.affinity }} + affinity: {{- include "metallb.tplValue" (dict "value" .Values.controller.affinity "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.controller.tolerations}} + tolerations: {{- include "metallb.tplValue" (dict "value" .Values.controller.tolerations "context" $) | nindent 8 }} + {{- end }} + containers: + - name: controller + image: {{ include "metallb.controller.image" . }} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + args: + - --port={{ .Values.controller.containerPort.metrics }} + - --config={{ include "metallb.configMapName" . 
}} + ports: + - name: metrics + containerPort: {{ .Values.controller.containerPort.metrics }} + {{- if .Values.controller.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /metrics + port: metrics + initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.controller.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /metrics + port: metrics + initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.controller.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }} + {{- end }} + {{- if .Values.controller.securityContext.enabled }} + securityContext: + allowPrivilegeEscalation: {{ .Values.controller.securityContext.allowPrivilegeEscalation }} + readOnlyRootFilesystem: {{ .Values.controller.securityContext.readOnlyRootFilesystem }} + capabilities: + drop: {{- toYaml .Values.controller.securityContext.capabilities.drop | nindent 12 }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{- toYaml .Values.controller.resources | nindent 10 }} + {{- end }} + {{- if .Values.controller.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.controller.securityContext.runAsUser }} + fsGroup: {{ .Values.controller.securityContext.fsGroup }} + runAsNonRoot: {{ .Values.controller.securityContext.runAsNonRoot }} + {{- end }} 
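Review bot: The second `securityContext:` block at the end of the hunk (`runAsUser`/`fsGroup`/`runAsNonRoot`) is separated from the rest of the pod spec by the whole `containers:` list, and with the indentation collapsed in this view it cannot be told apart from the container-level `securityContext:` a few lines above it; if both end up at container depth the later key silently replaces the earlier one (dropping `capabilities.drop` and `readOnlyRootFilesystem`) and `fsGroup` is not a container field. Move the pod-level block up under `spec:` next to `serviceAccountName:` so its scope is evident, and leave the container block where it is. A template comment above each, e.g. `{{/* pod-level securityContext; the container-level one is set on the controller container below */}}`, makes the split explicit for the next reader.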
diff --git a/bitnami/metallb/templates/prometheus/metallb.alerts.yaml b/bitnami/metallb/templates/prometheus/metallb.alerts.yaml new file mode 100644 index 0000000000..6dbe316519 --- /dev/null +++ b/bitnami/metallb/templates/prometheus/metallb.alerts.yaml @@ -0,0 +1,27 @@ +{{- if and .Values.prometheus.prometheusRule.enabled .Values.prometheus.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "metallb.fullname" . }} + labels: {{ include "metallb.labels" . | nindent 4 }} +spec: + groups: + - name: {{ include "metallb.fullname" . }}.alerts + rules: + - alert: MetalLBStaleConfig + annotations: + message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container_name }} on {{ $labels.instance + }} has a stale config for > 1 minute'`}} + expr: metallb_k8s_client_config_stale_bool{job="{{ .Values.prometheus.serviceMonitor.jobLabel }}"} == 1 + for: 1m + labels: + severity: warning + - alert: MetalLBConfigNotLoaded + annotations: + message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container_name }} on {{ $labels.instance + }} has not loaded for > 1 minute'`}} + expr: metallb_k8s_client_config_loaded_bool{job="{{ .Values.prometheus.serviceMonitor.jobLabel }}"} == 0 + for: 1m + labels: + severity: warning +{{- end }} diff --git a/bitnami/metallb/templates/psp.yaml b/bitnami/metallb/templates/psp.yaml new file mode 100644 index 0000000000..95a8c5410c --- /dev/null +++ b/bitnami/metallb/templates/psp.yaml 
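Review bot: The guard `{{- if and .Values.prometheus.prometheusRule.enabled .Values.prometheus.enabled }}` tests `.Values.prometheus.enabled`, which values.yaml (the last hunk of this patch) never defines — it only has `prometheus.serviceMonitor.enabled` and `prometheus.prometheusRule.enabled` — so the PrometheusRule is never rendered even though `prometheusRule.enabled` defaults to `true`. Either add a documented `enabled: false` under `prometheus:` in values.yaml, or gate on what the alerts actually depend on, `{{- if and .Values.prometheus.prometheusRule.enabled .Values.prometheus.serviceMonitor.enabled }}`, since both `expr` selectors assume the `job` label produced by the ServiceMonitor. Unlike the other label includes in these templates, `labels: {{ include "metallb.labels" . | nindent 4 }}` lacks the `{{-` trim; `labels: {{- include "metallb.labels" . | nindent 4 }}` matches the rest of the chart.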
@@ -0,0 +1,74 @@ +{{- if .Values.rbac.create -}} +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "metallb.fullname" . }}-controller + labels: {{- include "metallb.labels" . | nindent 4}} +spec: + allowPrivilegeEscalation: {{ .Values.controller.securityContext.allowPrivilegeEscalation }} + allowedCapabilities: [] + allowedHostPaths: [] + defaultAddCapabilities: [] + defaultAllowPrivilegeEscalation: {{ .Values.controller.securityContext.allowPrivilegeEscalation }} + fsGroup: + ranges: + - max: {{ .Values.controller.securityContext.fsGroup }} + min: {{ .Values.controller.securityContext.fsGroup }} + rule: MustRunAs + hostIPC: false + hostNetwork: false + hostPID: false + privileged: false + readOnlyRootFilesystem: {{ .Values.controller.securityContext.readOnlyRootFilesystem }} + requiredDropCapabilities: {{- toYaml .Values.controller.securityContext.capabilities.drop | nindent 2 }} + runAsUser: + ranges: + - max: {{ .Values.controller.securityContext.runAsUser }} + min: {{ .Values.controller.securityContext.runAsUser }} + rule: MustRunAs + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: {{ .Values.controller.securityContext.runAsUser }} + min: {{ .Values.controller.securityContext.runAsUser }} + rule: MustRunAs + volumes: + - configMap + - secret + - emptyDir +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "metallb.fullname" . }}-speaker + labels: {{- include "metallb.labels" . 
| nindent 4}} +spec: + allowPrivilegeEscalation: {{ .Values.speaker.securityContext.allowPrivilegeEscalation }} + allowedCapabilities: {{- toYaml .Values.speaker.securityContext.capabilities.add | nindent 2 }} + allowedHostPaths: [] + defaultAddCapabilities: {{- toYaml .Values.speaker.securityContext.capabilities.add | nindent 2 }} + defaultAllowPrivilegeEscalation: {{ .Values.speaker.securityContext.allowPrivilegeEscalation }} + fsGroup: + rule: RunAsAny + hostIPC: false + hostNetwork: true + hostPID: false + hostPorts: + - max: {{ .Values.speaker.daemonset.hostPorts.metrics }} + min: {{ .Values.speaker.daemonset.hostPorts.metrics }} + privileged: true + readOnlyRootFilesystem: {{ .Values.speaker.securityContext.readOnlyRootFilesystem }} + requiredDropCapabilities: {{- toYaml .Values.speaker.securityContext.capabilities.drop | nindent 2 }} + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - configMap + - secret + - emptyDir +{{- end -}} diff --git a/bitnami/metallb/templates/rbac.yaml b/bitnami/metallb/templates/rbac.yaml new file mode 100644 index 0000000000..5dae49e664 --- /dev/null +++ b/bitnami/metallb/templates/rbac.yaml 
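Review bot: The speaker PodSecurityPolicy sets `privileged: true`, but the speaker container's `securityContext` in the part of daemonset.yaml visible in this patch never requests `privileged`; it relies on `capabilities.add` (NET_ADMIN, NET_RAW, SYS_ADMIN per values.yaml), which `allowedCapabilities` already permits. A privileged-allowing PSP applies to anything that can use the speaker ServiceAccount, so this grants more than the workload needs; `privileged: false` keeps the pod admitted while `allowedCapabilities` carries the real requirement. `defaultAddCapabilities` repeating the same list is also unnecessary because the container adds them explicitly, so `defaultAddCapabilities: []` as on the controller PSP is enough. `hostNetwork: true` and the `hostPorts` range are needed by the speaker and are fine as written.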
@@ -0,0 +1,156 @@ +{{- if .Values.rbac.create -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "metallb.fullname" . }}:controller + labels: {{- include "metallb.labels" . | nindent 4 }} +rules: + - apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - update + - apiGroups: + - '' + resources: + - services/status + verbs: + - update + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - policy + resourceNames: + - {{ include "metallb.fullname" . }}-controller + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "metallb.fullname" . }}:speaker + labels: {{- include "metallb.labels" . | nindent 4 }} +rules: + - apiGroups: + - '' + resources: + - services + - endpoints + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - policy + resourceNames: + - {{ include "metallb.fullname" . }}-speaker + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "metallb.fullname" . }}-config-watcher + labels: {{- include "metallb.labels" . | nindent 4 }} +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "metallb.fullname" . }}-pod-lister + labels: {{- include "metallb.labels" . | nindent 4 }} +rules: +- apiGroups: + - '' + resources: + - pods + verbs: + - list +--- +## Role bindings +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "metallb.fullname" . }}:controller + labels: {{- include "metallb.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "metallb.controllerServiceAccountName" . 
}} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "metallb.fullname" . }}:controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "metallb.fullname" . }}:speaker + labels: {{- include "metallb.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "metallb.speakerServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "metallb.fullname" . }}:speaker +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "metallb.fullname" . }}-config-watcher + labels: {{- include "metallb.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "metallb.controllerServiceAccountName" . }} +- kind: ServiceAccount + name: {{ include "metallb.speakerServiceAccountName" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "metallb.fullname" . }}-config-watcher +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "metallb.fullname" . }}-pod-lister + labels: {{- include "metallb.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "metallb.fullname" . }}-pod-lister +subjects: +- kind: ServiceAccount + name: {{ include "metallb.speakerServiceAccountName" . }} +{{- end -}} diff --git a/bitnami/metallb/templates/secret.yaml b/bitnami/metallb/templates/secret.yaml new file mode 100644 index 0000000000..e43a5db59e --- /dev/null +++ b/bitnami/metallb/templates/secret.yaml 
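Review bot: The `config-watcher` and `pod-lister` RoleBinding subjects omit `namespace:`, while the two ClusterRoleBindings in the same file set `namespace: {{ .Release.Namespace }}`; RBAC validation requires a namespace on `ServiceAccount` subjects, so these two bindings are rejected when the release is installed. Add `namespace: {{ .Release.Namespace }}` beneath each of the three `name: {{ include "metallb.…ServiceAccountName" . }}` lines in those bindings. Ordering `subjects:` before `roleRef:` in the `pod-lister` binding, as the other three bindings do, would also keep the file consistent.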
@@ -0,0 +1,13 @@ +{{- if not .Values.speaker.secretName }} +apiVersion: v1 +data: + secretkey: {{ randAlphaNum 256 | b64enc | quote }} +kind: Secret +metadata: + name: {{ include "metallb.fullname" . }}-memberlist + labels: {{- include "metallb.labels" . | nindent 4 }} + app.kubernetes.io/component: speaker + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +{{- end }} diff --git a/bitnami/metallb/templates/service-accounts.yaml b/bitnami/metallb/templates/service-accounts.yaml new file mode 100644 index 0000000000..42011b4578 --- /dev/null +++ b/bitnami/metallb/templates/service-accounts.yaml @@ -0,0 +1,16 @@ +{{- if .Values.controller.serviceAccount.create }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "metallb.controllerServiceAccountName" . }} + labels: {{- include "metallb.labels" . | nindent 4 }} +{{- end }} +{{- if .Values.speaker.serviceAccount.create }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "metallb.speakerServiceAccountName" . }} + labels: {{- include "metallb.labels" . | nindent 4 }} +{{- end }} diff --git a/bitnami/metallb/templates/servicemonitor.yaml b/bitnami/metallb/templates/servicemonitor.yaml new file mode 100644 index 0000000000..58401b5ed8 --- /dev/null +++ b/bitnami/metallb/templates/servicemonitor.yaml 
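Review bot: The memberlist key built with `randAlphaNum 256` is emitted as a `pre-install` hook with the `before-hook-creation` delete policy, and nothing in the template explains why; a reader seeing `randAlphaNum` will expect the value to be regenerated on every `helm upgrade`, which the hook is exactly what prevents. Add above the `{{- if not .Values.speaker.secretName }}` line: `{{/* Rendered as a pre-install hook so the memberlist key is generated once and survives upgrades; hook resources are not removed by helm uninstall. */}}`. The uninstall behaviour belongs in the README too, since the Secret is left behind and is only replaced on the next install by the `before-hook-creation` policy.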
@@ -0,0 +1,87 @@ +{{- if .Values.prometheus.serviceMonitor.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "metallb.fullname" . }}-controller-metrics + labels: {{- include "metallb.labels" . | nindent 4 }} + jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel }} + app.kubernetes.io/component: controller +spec: + type: ClusterIP + selector: {{- include "metallb.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: controller + ports: + - name: metrics + port: {{ .Values.controller.containerPort.metrics }} + protocol: TCP + targetPort: {{ .Values.controller.containerPort.metrics }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "metallb.fullname" . }}-speaker-metrics + labels: {{- include "metallb.labels" . | nindent 4 }} + jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel }} + app.kubernetes.io/component: speaker +spec: + type: ClusterIP + selector: {{- include "metallb.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: speaker + ports: + - name: metrics + port: {{ .Values.speaker.daemonset.hostPorts.metrics }} + protocol: TCP + targetPort: {{ .Values.speaker.daemonset.hostPorts.metrics }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "metallb.fullname" . }}-controller + labels: {{- include "metallb.labels" . | nindent 4 }} + app.kubernetes.io/component: controller +spec: + jobLabel: jobLabel + selector: + matchLabels: {{- include "metallb.matchLabels" . 
| nindent 6 }} + app.kubernetes.io/component: controller + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: metrics + {{- if .Values.prometheus.serviceMonitor.interval }} + interval: {{ .Values.prometheus.serviceMonitor.interval }} + {{- end }} + {{- if .Values.prometheus.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 4 }} + {{- end }} + {{- if .Values.prometheus.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 4 }} + {{- end }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "metallb.fullname" . }}-speaker + labels: {{- include "metallb.labels" . | nindent 4}} + app.kubernetes.io/component: speaker +spec: + jobLabel: jobLabel + selector: + matchLabels: {{- include "metallb.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: speaker + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + endpoints: + - port: metrics + {{- if .Values.prometheus.serviceMonitor.interval }} + interval: {{ .Values.prometheus.serviceMonitor.interval }} + {{- end }} + {{- if .Values.prometheus.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 4 }} + {{- end }} + {{- if .Values.prometheus.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 4 }} + {{- end }} +{{- end }} diff --git a/bitnami/metallb/values.yaml b/bitnami/metallb/values.yaml new file mode 100644 index 0000000000..cf4859707b --- /dev/null +++ b/bitnami/metallb/values.yaml 
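Review bot: `metricRelabelings: {{ toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 4 }}` and the matching `relabelings:` line (in both ServiceMonitors) render the list at depth 4, yet the keys sit inside an `endpoints:` item alongside `interval:`, so a non-empty list would be emitted shallower than its parent key and break the document; the exact depth is not recoverable from the collapsed indentation here, but the `nindent` value has to be at least the indentation of the sibling `interval:` field. These two lines are also the only `toYaml` calls in the chart without the `{{-` trim, which leaves a trailing space after the key; `metricRelabelings: {{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }}` (with the depth confirmed against the rendered output) fixes both.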
@@ -0,0 +1,287 @@ +## Default values for metallb. +## This is a YAML-formatted file. +## Declare variables to be passed into your templates. + +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets +## +# global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName + +## To configure MetalLB, you must specify ONE of the following two +## options. +# +## existingConfigMap specifies the name of an externally-defined +## ConfigMap to use as the configuration. Helm will not manage the +## contents of this ConfigMap, it is your responsibility to create it. +# +# existingConfigMap: metallb-config +# +## configInline specifies MetalLB's configuration directly, in yaml +## format. When configInline is used, Helm manages MetalLB's +## configuration ConfigMap as part of the release, and +## existingConfigMap is ignored. +## Refer to https://metallb.universe.tf/configuration/ for +## available options. +# +configInline: {} + +## String to partially override metallb.fullname include (will maintain the release name) +## +# nameOverride: + +## String to fully override metallb.fullname template +## +# fullnameOverride: + +rbac: + # create specifies whether to install and use RBAC rules. + create: true + +prometheus: + # Prometheus Operator service monitors + serviceMonitor: + # enable support for Prometheus Operator + enabled: false + # Job label for scrape target + jobLabel: metallb + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: "" + metricRelabelings: [] + relabelings: [] + + # Prometheus Operator alertmanager alerts + prometheusRule: + enabled: true + +## Metallb Controller deployment. 
+## ref: https://hub.docker.com/r/metallb/controller/tags +controller: + image: + registry: docker.io + repository: bitnami/metallb-controller + tag: 0.9.3-debian-10-r1 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Controller container resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # memory: 25Mi + # cpu: 25m + ## Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + + ## Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
If not set and create is + # true, a name is generated using the fullname template + name: "" + + + ## Pod securityContext + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: true + runAsNonRoot: true + runAsUser: 1001 + fsGroup: 1001 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + + ## Configure the revisionHistoryLimit of the Controller deployment + ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#revision-history-limit + ## + revisionHistoryLimit: 3 + + ## Configure the grace time period for sig term + ## Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + ## + terminationGracePeriodSeconds: 0 + + ## Configures the ports the MetalLB Controller listens on for metrics + ## + containerPort: + metrics: 7472 + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + +## Metallb Speaker daemonset. +## ref: https://hub.docker.com/r/metallb/speaker/tags +speaker: + image: + registry: docker.io + repository: bitnami/metallb-speaker + tag: 0.9.3-debian-10-r1 + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + + ## Speaker container resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 100Mi + # requests: + # memory: 25Mi + # cpu: 25m + ## Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + + ## Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
If not set and create is + # true, a name is generated using the fullname template + name: "" + + ## Daemonset configuration + ## + daemonset: + ## Configure the grace time period for sig term + ## Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + ## + terminationGracePeriodSeconds: 2 + ## HTTP Metrics Endpoint + ## + hostPorts: + metrics: 7472 + + ## Defines a secret to use outside of the auto generated + ## Default: {{ randAlphaNum 256 | b64enc | quote }} + ## The auto generated has secretName: {{ "metallb.fullname" }}-memberlist + ## and secretKey: secretkey + ## + # secretName: + # secretKey: + + ## Pod securityContext + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## + securityContext: + enabled: true + runAsUser: 0 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + add: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + + ## An array to add extra env vars + ## For example: + ## extraEnvVars: + ## - name: MY_ENV_VAR + ## value: env_var_value + ## + extraEnvVars: [] + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1