Compare commits

...

2 Commits

Author SHA256 Message Date
6ace2c6f09 Add metallb to try things out
Some checks are pending
OBS SCM/CI Workflow Integration started
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2024-11-04 11:10:49 +01:00
d8c8705671 try it
Some checks are pending
OBS SCM/CI Workflow Integration started
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
2024-10-21 10:56:34 +02:00
45 changed files with 6318 additions and 0 deletions

3
.gitmodules vendored
View File

@ -1,3 +1,6 @@
[submodule "obs-service-set_version"]
path = obs-service-set_version
url = https://src.opensuse.org/SLFO-pool/obs-service-set_version.git
[submodule "cmake"]
path = cmake
url = https://src.opensuse.org/SLFO-pool/cmake.git

1
cmake Submodule

@ -0,0 +1 @@
Subproject commit 25b7f229aafb53b9be146947611ab7f2a5a504c87a785a047ac3762fa24e5dfa

23
metallb-chart/Chart.yaml Normal file
View File

@ -0,0 +1,23 @@
#!BuildTag: %%IMG_PREFIX%%metallb-chart:0.14.9
#!BuildTag: %%IMG_PREFIX%%metallb-chart:0.14.9-%RELEASE%
apiVersion: v2
appVersion: v0.14.3
dependencies:
- condition: frrk8s.enabled
name: frr-k8s
repository: file://./charts/frr-k8s
version: 0.0.15
- condition: crds.enabled
name: metallb-crds
repository: file://./charts/metallb-crds
version: 0.14.8
description: A network load-balancer implementation for Kubernetes using standard
routing protocols
home: https://metallb.universe.tf
icon: https://metallb.universe.tf/images/logo/metallb-white.png
kubeVersion: '>= 1.19.0-0'
name: metallb
sources:
- https://github.com/metallb/metallb
type: application
version: 0.14.9

169
metallb-chart/README.md Normal file
View File

@ -0,0 +1,169 @@
# metallb
![Version: 0.14.8](https://img.shields.io/badge/Version-0.14.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.14.8](https://img.shields.io/badge/AppVersion-v0.14.8-informational?style=flat-square)
A network load-balancer implementation for Kubernetes using standard routing protocols
**Homepage:** <https://metallb.universe.tf>
## Source Code
* <https://github.com/metallb/metallb>
## Requirements
Kubernetes: `>= 1.19.0-0`
| Repository | Name | Version |
|------------|------|---------|
| | crds | 0.14.8 |
| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.14 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| controller.affinity | object | `{}` | |
| controller.enabled | bool | `true` | |
| controller.extraContainers | list | `[]` | |
| controller.image.pullPolicy | string | `nil` | |
| controller.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/metallb-controller"` | |
| controller.image.tag | string | `nil` | |
| controller.labels | object | `{}` | |
| controller.livenessProbe.enabled | bool | `true` | |
| controller.livenessProbe.failureThreshold | int | `3` | |
| controller.livenessProbe.initialDelaySeconds | int | `10` | |
| controller.livenessProbe.periodSeconds | int | `10` | |
| controller.livenessProbe.successThreshold | int | `1` | |
| controller.livenessProbe.timeoutSeconds | int | `1` | |
| controller.logLevel | string | `"info"` | Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
| controller.nodeSelector | object | `{}` | |
| controller.podAnnotations | object | `{}` | |
| controller.priorityClassName | string | `""` | |
| controller.readinessProbe.enabled | bool | `true` | |
| controller.readinessProbe.failureThreshold | int | `3` | |
| controller.readinessProbe.initialDelaySeconds | int | `10` | |
| controller.readinessProbe.periodSeconds | int | `10` | |
| controller.readinessProbe.successThreshold | int | `1` | |
| controller.readinessProbe.timeoutSeconds | int | `1` | |
| controller.resources | object | `{}` | |
| controller.runtimeClassName | string | `""` | |
| controller.securityContext.fsGroup | int | `65534` | |
| controller.securityContext.runAsNonRoot | bool | `true` | |
| controller.securityContext.runAsUser | int | `65534` | |
| controller.serviceAccount.annotations | object | `{}` | |
| controller.serviceAccount.create | bool | `true` | |
| controller.serviceAccount.name | string | `""` | |
| controller.strategy.type | string | `"RollingUpdate"` | |
| controller.tlsCipherSuites | string | `""` | |
| controller.tlsMinVersion | string | `"VersionTLS12"` | |
| controller.tolerations | list | `[]` | |
| crds.enabled | bool | `true` | |
| crds.validationFailurePolicy | string | `"Fail"` | |
| frrk8s.enabled | bool | `false` | |
| frrk8s.external | bool | `false` | |
| frrk8s.namespace | string | `""` | |
| fullnameOverride | string | `""` | |
| imagePullSecrets | list | `[]` | |
| loadBalancerClass | string | `""` | |
| nameOverride | string | `""` | |
| prometheus.controllerMetricsTLSSecret | string | `""` | |
| prometheus.metricsPort | int | `7472` | |
| prometheus.namespace | string | `""` | |
| prometheus.podMonitor.additionalLabels | object | `{}` | |
| prometheus.podMonitor.annotations | object | `{}` | |
| prometheus.podMonitor.enabled | bool | `false` | |
| prometheus.podMonitor.interval | string | `nil` | |
| prometheus.podMonitor.jobLabel | string | `"app.kubernetes.io/name"` | |
| prometheus.podMonitor.metricRelabelings | list | `[]` | |
| prometheus.podMonitor.relabelings | list | `[]` | |
| prometheus.prometheusRule.additionalLabels | object | `{}` | |
| prometheus.prometheusRule.addressPoolExhausted.enabled | bool | `true` | |
| prometheus.prometheusRule.addressPoolExhausted.labels.severity | string | `"alert"` | |
| prometheus.prometheusRule.addressPoolUsage.enabled | bool | `true` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[0].labels.severity | string | `"warning"` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[0].percent | int | `75` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[1].labels.severity | string | `"warning"` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[1].percent | int | `85` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[2].labels.severity | string | `"alert"` | |
| prometheus.prometheusRule.addressPoolUsage.thresholds[2].percent | int | `95` | |
| prometheus.prometheusRule.annotations | object | `{}` | |
| prometheus.prometheusRule.bgpSessionDown.enabled | bool | `true` | |
| prometheus.prometheusRule.bgpSessionDown.labels.severity | string | `"alert"` | |
| prometheus.prometheusRule.configNotLoaded.enabled | bool | `true` | |
| prometheus.prometheusRule.configNotLoaded.labels.severity | string | `"warning"` | |
| prometheus.prometheusRule.enabled | bool | `false` | |
| prometheus.prometheusRule.extraAlerts | list | `[]` | |
| prometheus.prometheusRule.staleConfig.enabled | bool | `true` | |
| prometheus.prometheusRule.staleConfig.labels.severity | string | `"warning"` | |
| prometheus.rbacPrometheus | bool | `true` | |
| prometheus.rbacProxy.pullPolicy | string | `nil` | |
| prometheus.rbacProxy.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"` | |
| prometheus.rbacProxy.tag | string | `"v0.12.0"` | |
| prometheus.scrapeAnnotations | bool | `false` | |
| prometheus.serviceAccount | string | `""` | |
| prometheus.serviceMonitor.controller.additionalLabels | object | `{}` | |
| prometheus.serviceMonitor.controller.annotations | object | `{}` | |
| prometheus.serviceMonitor.controller.tlsConfig.insecureSkipVerify | bool | `true` | |
| prometheus.serviceMonitor.enabled | bool | `false` | |
| prometheus.serviceMonitor.interval | string | `nil` | |
| prometheus.serviceMonitor.jobLabel | string | `"app.kubernetes.io/name"` | |
| prometheus.serviceMonitor.metricRelabelings | list | `[]` | |
| prometheus.serviceMonitor.relabelings | list | `[]` | |
| prometheus.serviceMonitor.speaker.additionalLabels | object | `{}` | |
| prometheus.serviceMonitor.speaker.annotations | object | `{}` | |
| prometheus.serviceMonitor.speaker.tlsConfig.insecureSkipVerify | bool | `true` | |
| prometheus.speakerMetricsTLSSecret | string | `""` | |
| rbac.create | bool | `true` | |
| speaker.affinity | object | `{}` | |
| speaker.enabled | bool | `true` | |
| speaker.excludeInterfaces.enabled | bool | `true` | |
| speaker.extraContainers | list | `[]` | |
| speaker.frr.enabled | bool | `true` | |
| speaker.frr.image.pullPolicy | string | `nil` | |
| speaker.frr.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/frr"` | |
| speaker.frr.image.tag | string | `"8.4.2"` | |
| speaker.frr.metricsPort | int | `7473` | |
| speaker.frr.resources | object | `{}` | |
| speaker.frrMetrics.resources | object | `{}` | |
| speaker.ignoreExcludeLB | bool | `false` | |
| speaker.image.pullPolicy | string | `nil` | |
| speaker.image.repository | string | `"registry.opensuse.org/isv/suse/edge/metallb/images/metallb-speaker"` | |
| speaker.image.tag | string | `nil` | |
| speaker.labels | object | `{}` | |
| speaker.livenessProbe.enabled | bool | `true` | |
| speaker.livenessProbe.failureThreshold | int | `3` | |
| speaker.livenessProbe.initialDelaySeconds | int | `10` | |
| speaker.livenessProbe.periodSeconds | int | `10` | |
| speaker.livenessProbe.successThreshold | int | `1` | |
| speaker.livenessProbe.timeoutSeconds | int | `1` | |
| speaker.logLevel | string | `"info"` | Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
| speaker.memberlist.enabled | bool | `true` | |
| speaker.memberlist.mlBindAddrOverride | string | `""` | |
| speaker.memberlist.mlBindPort | int | `7946` | |
| speaker.memberlist.mlSecretKeyPath | string | `"/etc/ml_secret_key"` | |
| speaker.nodeSelector | object | `{}` | |
| speaker.podAnnotations | object | `{}` | |
| speaker.priorityClassName | string | `""` | |
| speaker.readinessProbe.enabled | bool | `true` | |
| speaker.readinessProbe.failureThreshold | int | `3` | |
| speaker.readinessProbe.initialDelaySeconds | int | `10` | |
| speaker.readinessProbe.periodSeconds | int | `10` | |
| speaker.readinessProbe.successThreshold | int | `1` | |
| speaker.readinessProbe.timeoutSeconds | int | `1` | |
| speaker.reloader.resources | object | `{}` | |
| speaker.resources | object | `{}` | |
| speaker.runtimeClassName | string | `""` | |
| speaker.securityContext | object | `{}` | |
| speaker.serviceAccount.annotations | object | `{}` | |
| speaker.serviceAccount.create | bool | `true` | |
| speaker.serviceAccount.name | string | `""` | |
| speaker.startupProbe.enabled | bool | `true` | |
| speaker.startupProbe.failureThreshold | int | `30` | |
| speaker.startupProbe.periodSeconds | int | `5` | |
| speaker.tolerateMaster | bool | `true` | |
| speaker.tolerations | list | `[]` | |
| speaker.updateStrategy.type | string | `"RollingUpdate"` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)

15
metallb-chart/_service Normal file
View File

@ -0,0 +1,15 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service name="replace_using_env" mode="buildtime">
<param name="file">values.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Chart.yaml</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
</service>
</services>

View File

@ -0,0 +1,11 @@
apiVersion: v2
appVersion: v0.0.14
description: A cloud native wrapper of FRR
home: https://metallb.universe.tf
icon: https://metallb.universe.tf/images/logo/metallb-white.png
kubeVersion: '>= 1.19.0-0'
name: frr-k8s
sources:
- https://github.com/metallb/frr-k8s
type: application
version: 0.0.15

View File

@ -0,0 +1,96 @@
# frr-k8s
![Version: 0.0.14](https://img.shields.io/badge/Version-0.0.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.14](https://img.shields.io/badge/AppVersion-v0.0.14-informational?style=flat-square)
A cloud native wrapper of FRR
**Homepage:** <https://metallb.universe.tf>
## Source Code
* <https://github.com/metallb/frr-k8s>
## Requirements
Kubernetes: `>= 1.19.0-0`
| Repository | Name | Version |
|------------|------|---------|
| | crds | 0.0.14 |
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| crds.enabled | bool | `true` | |
| crds.validationFailurePolicy | string | `"Fail"` | |
| frrk8s.affinity | object | `{}` | |
| frrk8s.alwaysBlock | string | `""` | |
| frrk8s.disableCertRotation | bool | `false` | |
| frrk8s.frr.image.pullPolicy | string | `nil` | |
| frrk8s.frr.image.repository | string | `"quay.io/frrouting/frr"` | |
| frrk8s.frr.image.tag | string | `"9.1.0"` | |
| frrk8s.frr.metricsBindAddress | string | `"127.0.0.1"` | |
| frrk8s.frr.metricsPort | int | `7573` | |
| frrk8s.frr.resources | object | `{}` | |
| frrk8s.frr.secureMetricsPort | int | `9141` | |
| frrk8s.frrMetrics.resources | object | `{}` | |
| frrk8s.healthPort | int | `8081` | |
| frrk8s.image.pullPolicy | string | `nil` | |
| frrk8s.image.repository | string | `"quay.io/metallb/frr-k8s"` | |
| frrk8s.image.tag | string | `nil` | |
| frrk8s.labels.app | string | `"frr-k8s"` | |
| frrk8s.livenessProbe.enabled | bool | `true` | |
| frrk8s.livenessProbe.failureThreshold | int | `3` | |
| frrk8s.livenessProbe.initialDelaySeconds | int | `10` | |
| frrk8s.livenessProbe.periodSeconds | int | `10` | |
| frrk8s.livenessProbe.successThreshold | int | `1` | |
| frrk8s.livenessProbe.timeoutSeconds | int | `1` | |
| frrk8s.logLevel | string | `"info"` | Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
| frrk8s.nodeSelector | object | `{}` | |
| frrk8s.podAnnotations | object | `{}` | |
| frrk8s.priorityClassName | string | `""` | |
| frrk8s.readinessProbe.enabled | bool | `true` | |
| frrk8s.readinessProbe.failureThreshold | int | `3` | |
| frrk8s.readinessProbe.initialDelaySeconds | int | `10` | |
| frrk8s.readinessProbe.periodSeconds | int | `10` | |
| frrk8s.readinessProbe.successThreshold | int | `1` | |
| frrk8s.readinessProbe.timeoutSeconds | int | `1` | |
| frrk8s.reloader.resources | object | `{}` | |
| frrk8s.resources | object | `{}` | |
| frrk8s.restartOnRotatorSecretRefresh | bool | `false` | |
| frrk8s.runtimeClassName | string | `""` | |
| frrk8s.serviceAccount.annotations | object | `{}` | |
| frrk8s.serviceAccount.create | bool | `true` | |
| frrk8s.serviceAccount.name | string | `""` | |
| frrk8s.startupProbe.enabled | bool | `true` | |
| frrk8s.startupProbe.failureThreshold | int | `30` | |
| frrk8s.startupProbe.periodSeconds | int | `5` | |
| frrk8s.tolerateMaster | bool | `true` | |
| frrk8s.tolerations | list | `[]` | |
| frrk8s.updateStrategy.type | string | `"RollingUpdate"` | |
| fullnameOverride | string | `""` | |
| nameOverride | string | `""` | |
| prometheus.metricsBindAddress | string | `"127.0.0.1"` | |
| prometheus.metricsPort | int | `7572` | |
| prometheus.metricsTLSSecret | string | `""` | |
| prometheus.namespace | string | `""` | |
| prometheus.rbacPrometheus | bool | `false` | |
| prometheus.rbacProxy.pullPolicy | string | `nil` | |
| prometheus.rbacProxy.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | |
| prometheus.rbacProxy.tag | string | `"v0.12.0"` | |
| prometheus.scrapeAnnotations | bool | `false` | |
| prometheus.secureMetricsPort | int | `9140` | |
| prometheus.serviceAccount | string | `""` | |
| prometheus.serviceMonitor.additionalLabels | object | `{}` | |
| prometheus.serviceMonitor.annotations | object | `{}` | |
| prometheus.serviceMonitor.enabled | bool | `false` | |
| prometheus.serviceMonitor.interval | string | `nil` | |
| prometheus.serviceMonitor.jobLabel | string | `"app.kubernetes.io/name"` | |
| prometheus.serviceMonitor.metricRelabelings | list | `[]` | |
| prometheus.serviceMonitor.relabelings | list | `[]` | |
| prometheus.serviceMonitor.tlsConfig.insecureSkipVerify | bool | `true` | |
| rbac.create | bool | `true` | |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)

View File

@ -0,0 +1,462 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: frrconfigurations.frrk8s.metallb.io
spec:
group: frrk8s.metallb.io
names:
kind: FRRConfiguration
listKind: FRRConfigurationList
plural: frrconfigurations
singular: frrconfiguration
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: FRRConfiguration is a piece of FRR configuration.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: FRRConfigurationSpec defines the desired state of FRRConfiguration.
properties:
bgp:
description: BGP is the configuration related to the BGP protocol.
properties:
bfdProfiles:
description: BFDProfiles is the list of bfd profiles to be used
when configuring the neighbors.
items:
description: |-
BFDProfile is the configuration related to the BFD protocol associated
to a BGP session.
properties:
detectMultiplier:
description: |-
Configures the detection multiplier to determine
packet loss. The remote transmission interval will be multiplied
by this value to determine the connection loss detection timer.
format: int32
maximum: 255
minimum: 2
type: integer
echoInterval:
description: |-
Configures the minimal echo receive transmission
interval that this system is capable of handling in milliseconds.
Defaults to 50ms
format: int32
maximum: 60000
minimum: 10
type: integer
echoMode:
description: |-
Enables or disables the echo transmission mode.
This mode is disabled by default, and not supported on multi
hops setups.
type: boolean
minimumTtl:
description: |-
For multi hop sessions only: configure the minimum
expected TTL for an incoming BFD control packet.
format: int32
maximum: 254
minimum: 1
type: integer
name:
description: |-
The name of the BFD Profile to be referenced in other parts
of the configuration.
type: string
passiveMode:
description: |-
Mark session as passive: a passive session will not
attempt to start the connection and will wait for control packets
from peer before it begins replying.
type: boolean
receiveInterval:
description: |-
The minimum interval that this system is capable of
receiving control packets in milliseconds.
Defaults to 300ms.
format: int32
maximum: 60000
minimum: 10
type: integer
transmitInterval:
description: |-
The minimum transmission interval (less jitter)
that this system wants to use to send BFD control packets in
milliseconds. Defaults to 300ms
format: int32
maximum: 60000
minimum: 10
type: integer
required:
- name
type: object
type: array
routers:
description: Routers is the list of routers we want FRR to configure
(one per VRF).
items:
description: Router represent a neighbor router we want FRR
to connect to.
properties:
asn:
description: ASN is the AS number to use for the local end
of the session.
format: int32
maximum: 4294967295
minimum: 0
type: integer
id:
description: ID is the BGP router ID
type: string
imports:
description: Imports is the list of imported VRFs we want
for this router / vrf.
items:
description: Import represents the possible imported VRFs
to a given router.
properties:
vrf:
description: Vrf is the vrf we want to import from
type: string
type: object
type: array
neighbors:
description: Neighbors is the list of neighbors we want
to establish BGP sessions with.
items:
description: Neighbor represents a BGP Neighbor we want
FRR to connect to.
properties:
address:
description: Address is the IP address to establish
the session with.
type: string
asn:
description: ASN is the AS number to use for the local
end of the session.
format: int32
maximum: 4294967295
minimum: 0
type: integer
bfdProfile:
description: |-
BFDProfile is the name of the BFD Profile to be used for the BFD session associated
to the BGP session. If not set, the BFD session won't be set up.
type: string
connectTime:
description: Requested BGP connect time, controls
how long BGP waits between connection attempts to
a neighbor.
type: string
x-kubernetes-validations:
- message: connect time should be between 1 seconds
to 65535
rule: duration(self).getSeconds() >= 1 && duration(self).getSeconds()
<= 65535
- message: connect time should contain a whole number
of seconds
rule: duration(self).getMilliseconds() % 1000 ==
0
disableMP:
default: false
description: To set if we want to disable MP BGP that
will separate IPv4 and IPv6 route exchanges into
distinct BGP sessions.
type: boolean
ebgpMultiHop:
description: EBGPMultiHop indicates if the BGPPeer
is multi-hops away.
type: boolean
enableGracefulRestart:
description: |-
EnableGracefulRestart allows BGP peer to continue to forward data packets along
known routes while the routing protocol information is being restored. If
the session is already established, the configuration will have effect
after reconnecting to the peer
type: boolean
holdTime:
description: |-
HoldTime is the requested BGP hold time, per RFC4271.
Defaults to 180s.
type: string
keepaliveTime:
description: |-
KeepaliveTime is the requested BGP keepalive time, per RFC4271.
Defaults to 60s.
type: string
password:
description: |-
Password to be used for establishing the BGP session.
Password and PasswordSecret are mutually exclusive.
type: string
passwordSecret:
description: |-
PasswordSecret is name of the authentication secret for the neighbor.
the secret must be of type "kubernetes.io/basic-auth", and created in the
same namespace as the frr-k8s daemon. The password is stored in the
secret as the key "password".
Password and PasswordSecret are mutually exclusive.
properties:
name:
description: name is unique within a namespace
to reference a secret resource.
type: string
namespace:
description: namespace defines the space within
which the secret name must be unique.
type: string
type: object
x-kubernetes-map-type: atomic
port:
description: |-
Port is the port to dial when establishing the session.
Defaults to 179.
maximum: 16384
minimum: 0
type: integer
sourceaddress:
description: |-
SourceAddress is the IPv4 or IPv6 source address to use for the BGP
session to this neighbour, may be specified as either an IP address
directly or as an interface name
type: string
toAdvertise:
description: |-
ToAdvertise represents the list of prefixes to advertise to the given neighbor
and the associated properties.
properties:
allowed:
description: |-
Allowed is is the list of prefixes allowed to be propagated to
this neighbor. They must match the prefixes defined in the router.
properties:
mode:
default: filtered
description: |-
Mode is the mode to use when handling the prefixes.
When set to "filtered", only the prefixes in the given list will be allowed.
When set to "all", all the prefixes configured on the router will be allowed.
enum:
- all
- filtered
type: string
prefixes:
items:
type: string
type: array
type: object
withCommunity:
description: |-
PrefixesWithCommunity is a list of prefixes that are associated to a
bgp community when being advertised. The prefixes associated to a given local pref
must be in the prefixes allowed to be advertised.
items:
description: CommunityPrefixes is a list of
prefixes associated to a community.
properties:
community:
description: Community is the community
associated to the prefixes.
type: string
prefixes:
description: Prefixes is the list of prefixes
associated to the community.
format: cidr
items:
type: string
minItems: 1
type: array
type: object
type: array
withLocalPref:
description: |-
PrefixesWithLocalPref is a list of prefixes that are associated to a local
preference when being advertised. The prefixes associated to a given local pref
must be in the prefixes allowed to be advertised.
items:
description: LocalPrefPrefixes is a list of
prefixes associated to a local preference.
properties:
localPref:
description: LocalPref is the local preference
associated to the prefixes.
format: int32
type: integer
prefixes:
description: Prefixes is the list of prefixes
associated to the local preference.
format: cidr
items:
type: string
minItems: 1
type: array
type: object
type: array
type: object
toReceive:
description: ToReceive represents the list of prefixes
to receive from the given neighbor.
properties:
allowed:
description: |-
Allowed is the list of prefixes allowed to be received from
this neighbor.
properties:
mode:
default: filtered
description: |-
Mode is the mode to use when handling the prefixes.
When set to "filtered", only the prefixes in the given list will be allowed.
When set to "all", all the prefixes configured on the router will be allowed.
enum:
- all
- filtered
type: string
prefixes:
items:
description: PrefixSelector is a filter
of prefixes to receive.
properties:
ge:
description: |-
The prefix length modifier. This selector accepts any matching prefix with length
greater or equal the given value.
format: int32
maximum: 128
minimum: 1
type: integer
le:
description: |-
The prefix length modifier. This selector accepts any matching prefix with length
less or equal the given value.
format: int32
maximum: 128
minimum: 1
type: integer
prefix:
format: cidr
type: string
type: object
type: array
type: object
type: object
required:
- address
- asn
type: object
type: array
prefixes:
description: Prefixes is the list of prefixes we want to
advertise from this router instance.
items:
type: string
type: array
vrf:
description: VRF is the host vrf used to establish sessions
from this router.
type: string
required:
- asn
type: object
type: array
type: object
nodeSelector:
description: |-
NodeSelector limits the nodes that will attempt to apply this config.
When specified, the configuration will be considered only on nodes
whose labels match the specified selectors.
When it is not specified all nodes will attempt to apply this config.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
raw:
description: |-
Raw is a snippet of raw frr configuration that gets appended to the
one rendered translating the type safe API.
properties:
priority:
description: |-
Priority is the order with this configuration is appended to the
bottom of the rendered configuration. A higher value means the
raw config is appended later in the configuration file.
type: integer
rawConfig:
description: |-
Config is a raw FRR configuration to be appended to the configuration
rendered via the k8s api.
type: string
type: object
type: object
status:
description: FRRConfigurationStatus defines the observed state of FRRConfiguration.
type: object
type: object
served: true
storage: true
subresources:
status: {}

View File

@ -0,0 +1,65 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: frrnodestates.frrk8s.metallb.io
spec:
group: frrk8s.metallb.io
names:
kind: FRRNodeState
listKind: FRRNodeStateList
plural: frrnodestates
singular: frrnodestate
scope: Cluster
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: FRRNodeState exposes the status of the FRR instance running on
each node.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: FRRNodeStateSpec defines the desired state of FRRNodeState.
type: object
status:
description: FRRNodeStateStatus defines the observed state of FRRNodeState.
properties:
lastConversionResult:
description: LastConversionResult is the status of the last translation
between the `FRRConfiguration`s resources and FRR's configuration,
contains "success" or an error.
type: string
lastReloadResult:
description: LastReloadResult represents the status of the last configuration
update operation by FRR, contains "success" or an error.
type: string
runningConfig:
description: RunningConfig represents the current FRR running config,
which is the configuration the FRR instance is currently running
with.
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}

View File

@ -0,0 +1,4 @@
FRR-k8s is now running in the cluster.
Now you can configure it via its CRs. Please refer to the frr-k8s official docs
on how to use the CRs.

View File

@ -0,0 +1,63 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "frrk8s.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "frrk8s.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "frrk8s.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "frrk8s.labels" -}}
helm.sh/chart: {{ include "frrk8s.chart" . }}
{{ include "frrk8s.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "frrk8s.selectorLabels" -}}
app.kubernetes.io/name: {{ include "frrk8s.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the frrk8s service account to use
*/}}
{{- define "frrk8s.serviceAccountName" -}}
{{- if .Values.frrk8s.serviceAccount.create }}
{{- default (printf "%s-controller" (include "frrk8s.fullname" .)) .Values.frrk8s.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.frrk8s.serviceAccount.name }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,431 @@
# FRR expects to have these files owned by frr:frr on startup.
# Having them in a ConfigMap allows us to modify behaviors: for example enabling more daemons on startup.
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "frrk8s.fullname" . }}-frr-startup
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "frrk8s.labels" . | nindent 4 }}
app.kubernetes.io/component: frr-k8s
data:
daemons: |
# This file tells the frr package which daemons to start.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/frr/examples/.
#
# ATTENTION:
#
# When activating a daemon for the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "frr", else
# the daemon will not be started by /etc/init.d/frr. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
#
# The watchfrr and zebra daemons are always started.
#
bgpd=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=yes
fabricd=no
vrrpd=no
#
# If this option is set the /etc/init.d/frr script automatically loads
# the config via "vtysh -b" when the servers are started.
# Check /etc/pam.d/frr if you intend to use "vtysh"!
#
vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 127.0.0.1"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"
ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
ldpd_options=" -A 127.0.0.1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"
babeld_options=" -A 127.0.0.1"
sharpd_options=" -A 127.0.0.1"
pbrd_options=" -A 127.0.0.1"
staticd_options="-A 127.0.0.1"
bfdd_options=" -A 127.0.0.1"
fabricd_options="-A 127.0.0.1"
vrrpd_options=" -A 127.0.0.1"
# configuration profile
#
#frr_profile="traditional"
#frr_profile="datacenter"
#
# This is the maximum number of FD's that will be available.
# Upon startup this is read by the control files and ulimit
# is called. Uncomment and use a reasonable value for your
# setup if you are expecting a large number of peers in
# say BGP.
#MAX_FDS=1024
# The list of daemons to watch is automatically generated by the init script.
#watchfrr_options=""
# for debugging purposes, you can specify a "wrap" command to start instead
# of starting the daemon directly, e.g. to use valgrind on ospfd:
# ospfd_wrap="/usr/bin/valgrind"
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
# all_wrap="/usr/bin/perf record --call-graph -"
# the normal daemon command is added to this at the end.
vtysh.conf: |+
service integrated-vtysh-config
frr.conf: |+
! This file gets overriden the first time the speaker renders a config.
! So anything configured here is only temporary.
frr version 8.0
frr defaults traditional
hostname Router
line vty
log file /etc/frr/frr.log informational
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "frrk8s.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "frrk8s.labels" . | nindent 4 }}
app.kubernetes.io/component: frr-k8s
{{- range $key, $value := .Values.frrk8s.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.frrk8s.updateStrategy }}
updateStrategy: {{- toYaml .Values.frrk8s.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "frrk8s.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: frr-k8s
template:
metadata:
labels:
{{- include "frrk8s.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: frr-k8s
{{- range $key, $value := .Values.frrk8s.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.frrk8s.runtimeClassName }}
runtimeClassName: {{ .Values.frrk8s.runtimeClassName }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "frrk8s.serviceAccountName" . }}
terminationGracePeriodSeconds: 0
hostNetwork: true
volumes:
- name: frr-sockets
emptyDir: {}
- name: frr-startup
configMap:
name: {{ template "frrk8s.fullname" . }}-frr-startup
- name: frr-conf
emptyDir: {}
- name: reloader
emptyDir: {}
- name: metrics
emptyDir: {}
{{- if .Values.prometheus.metricsTLSSecret }}
- name: metrics-certs
secret:
secretName: {{ .Values.prometheus.metricsTLSSecret }}
{{- end }}
initContainers:
# Copies the initial config files with the right permissions to the shared volume.
- name: cp-frr-files
image: {{ .Values.frrk8s.frr.image.repository }}:{{ .Values.frrk8s.frr.image.tag | default .Chart.AppVersion }}
securityContext:
runAsUser: 100
runAsGroup: 101
command: ["/bin/sh", "-c", "cp -rLf /tmp/frr/* /etc/frr/"]
volumeMounts:
- name: frr-startup
mountPath: /tmp/frr
- name: frr-conf
mountPath: /etc/frr
# Copies the reloader to the shared volume between the speaker and reloader.
- name: cp-reloader
image: {{ .Values.frrk8s.image.repository }}:{{ .Values.frrk8s.image.tag | default .Chart.AppVersion }}
command: ["/bin/sh", "-c", "cp -f /frr-reloader.sh /etc/frr_reloader/"]
volumeMounts:
- name: reloader
mountPath: /etc/frr_reloader
# Copies the metrics exporter
- name: cp-metrics
image: {{ .Values.frrk8s.image.repository }}:{{ .Values.frrk8s.image.tag | default .Chart.AppVersion }}
command: ["/bin/sh", "-c", "cp -f /frr-metrics /etc/frr_metrics/"]
volumeMounts:
- name: metrics
mountPath: /etc/frr_metrics
shareProcessNamespace: true
containers:
- name: controller
image: {{ .Values.frrk8s.image.repository }}:{{ .Values.frrk8s.image.tag | default .Chart.AppVersion }}
{{- if .Values.frrk8s.image.pullPolicy }}
imagePullPolicy: {{ .Values.frrk8s.image.pullPolicy }}
{{- end }}
command:
- /frr-k8s
args:
- "--node-name=$(NODE_NAME)"
- "--namespace=$(NAMESPACE)"
- "--metrics-bind-address={{.Values.prometheus.metricsBindAddress}}:{{ .Values.prometheus.metricsPort }}"
{{- with .Values.frrk8s.logLevel }}
- --log-level={{ . }}
{{- end }}
- --health-probe-bind-address={{.Values.prometheus.metricsBindAddress}}:{{ .Values.frrk8s.healthPort }}
{{- if .Values.frrk8s.alwaysBlock }}
- --always-block={{ .Values.frrk8s.alwaysBlock }}
{{- end }}
env:
- name: FRR_CONFIG_FILE
value: /etc/frr_reloader/frr.conf
- name: FRR_RELOADER_PID_FILE
value: /etc/frr_reloader/reloader.pid
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: {{ .Values.prometheus.metricsPort }}
name: monitoring
{{- if .Values.frrk8s.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.frrk8s.healthPort }}
host: {{ .Values.prometheus.metricsBindAddress }}
initialDelaySeconds: {{ .Values.frrk8s.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.frrk8s.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.frrk8s.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.frrk8s.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.frrk8s.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.frrk8s.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /healthz
port: {{ .Values.frrk8s.healthPort }}
host: {{ .Values.prometheus.metricsBindAddress }}
initialDelaySeconds: {{ .Values.frrk8s.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.frrk8s.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.frrk8s.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.frrk8s.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.frrk8s.readinessProbe.failureThreshold }}
{{- end }}
{{- with .Values.frrk8s.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
add:
- NET_RAW
volumeMounts:
- name: reloader
mountPath: /etc/frr_reloader
- name: frr
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
- NET_BIND_SERVICE
image: {{ .Values.frrk8s.frr.image.repository }}:{{ .Values.frrk8s.frr.image.tag | default .Chart.AppVersion }}
{{- if .Values.frrk8s.frr.image.pullPolicy }}
imagePullPolicy: {{ .Values.frrk8s.frr.image.pullPolicy }}
{{- end }}
env:
- name: TINI_SUBREAPER
value: "true"
volumeMounts:
- name: frr-sockets
mountPath: /var/run/frr
- name: frr-conf
mountPath: /etc/frr
# The command is FRR's default entrypoint & waiting for the log file to appear and tailing it.
# If the log file isn't created in 60 seconds the tail fails and the container is restarted.
# This workaround is needed to have the frr logs as part of kubectl logs -c frr < controller_pod_name >.
command:
- /bin/sh
- -c
- |
/sbin/tini -- /usr/lib/frr/docker-start &
attempts=0
until [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do
sleep 1
attempts=$(( $attempts + 1 ))
done
tail -f /etc/frr/frr.log
{{- with .Values.frrk8s.frr.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.frrk8s.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /livez
port: {{ .Values.frrk8s.frr.metricsPort }}
host: {{ .Values.frrk8s.frr.metricsBindAddress }}
periodSeconds: {{ .Values.frrk8s.livenessProbe.periodSeconds }}
failureThreshold: {{ .Values.frrk8s.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.frrk8s.startupProbe.enabled }}
startupProbe:
httpGet:
path: /livez
port: {{ .Values.frrk8s.frr.metricsPort }}
host: {{ .Values.frrk8s.frr.metricsBindAddress }}
failureThreshold: {{ .Values.frrk8s.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.frrk8s.startupProbe.periodSeconds }}
{{- end }}
- name: reloader
image: {{ .Values.frrk8s.frr.image.repository }}:{{ .Values.frrk8s.frr.image.tag | default .Chart.AppVersion }}
{{- if .Values.frrk8s.frr.image.pullPolicy }}
imagePullPolicy: {{ .Values.frrk8s.frr.image.pullPolicy }}
{{- end }}
command: ["/etc/frr_reloader/frr-reloader.sh"]
volumeMounts:
- name: frr-sockets
mountPath: /var/run/frr
- name: frr-conf
mountPath: /etc/frr
- name: reloader
mountPath: /etc/frr_reloader
{{- with .Values.frrk8s.reloader.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: frr-metrics
image: {{ .Values.frrk8s.frr.image.repository }}:{{ .Values.frrk8s.frr.image.tag | default .Chart.AppVersion }}
command: ["/etc/frr_metrics/frr-metrics"]
args:
- --metrics-port={{ .Values.frrk8s.frr.metricsPort }}
- --metrics-bind-address={{ .Values.frrk8s.frr.metricsBindAddress }}
ports:
- containerPort: {{ .Values.frrk8s.frr.metricsPort }}
name: monitoring
volumeMounts:
- name: frr-sockets
mountPath: /var/run/frr
- name: frr-conf
mountPath: /etc/frr
- name: metrics
mountPath: /etc/frr_metrics
{{- with .Values.frrk8s.frrMetrics.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: kube-rbac-proxy
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
args:
- --logtostderr
- --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
- --upstream=http://{{.Values.prometheus.metricsBindAddress}}:{{ .Values.prometheus.metricsPort }}/
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
{{- if .Values.prometheus.metricsTLSSecret }}
- --tls-private-key-file=/etc/metrics/tls.key
- --tls-cert-file=/etc/metrics/tls.crt
{{- end }}
ports:
- containerPort: {{ .Values.prometheus.secureMetricsPort }}
name: metricshttps
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.prometheus.metricsTLSSecret }}
volumeMounts:
- name: metrics-certs
mountPath: /etc/metrics
readOnly: true
{{- end }}
- name: kube-rbac-proxy-frr
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
args:
- --logtostderr
- --secure-listen-address=:{{ .Values.frrk8s.frr.secureMetricsPort }}
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- --upstream=http://{{ .Values.frrk8s.frr.metricsBindAddress }}:{{ .Values.frrk8s.frr.metricsPort }}/
{{- if .Values.prometheus.metricsTLSSecret }}
- --tls-private-key-file=/etc/metrics/tls.key
- --tls-cert-file=/etc/metrics/tls.crt
{{- end }}
ports:
- containerPort: {{ .Values.frrk8s.frr.secureMetricsPort }}
name: metricshttps
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.prometheus.metricsTLSSecret }}
volumeMounts:
- name: metrics-certs
mountPath: /etc/metrics
readOnly: true
{{- end }}
nodeSelector:
"kubernetes.io/os": linux
{{- with .Values.frrk8s.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.frrk8s.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.frrk8s.tolerateMaster .Values.frrk8s.tolerations }}
tolerations:
{{- if .Values.frrk8s.tolerateMaster }}
- key: node-role.kubernetes.io/master
effect: NoSchedule
operator: Exists
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
operator: Exists
{{- end }}
{{- with .Values.frrk8s.tolerations }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
{{- with .Values.frrk8s.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}

View File

@ -0,0 +1,73 @@
{{- if .Values.rbac.create -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "frrk8s.fullname" . }}-controller
labels: {{- include "frrk8s.labels" . | nindent 4 }}
rules:
- apiGroups: ["frrk8s.metallb.io"]
resources: ["frrconfigurations"]
verbs: ["get", "list", "watch"]
- apiGroups: ["frrk8s.metallb.io"]
resources: ["frrnodestates"]
verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
- apiGroups: ["frrk8s.metallb.io"]
resources: ["frrnodestates/status"]
verbs: ["get", "patch", "update"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resourceNames: ["frr-k8s-validating-webhook-configuration"]
resources: ["validatingwebhookconfigurations"]
verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "frrk8s.fullname" . }}-controller
labels: {{- include "frrk8s.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "frrk8s.fullname" . }}-controller
subjects:
- kind: ServiceAccount
name: {{ include "frrk8s.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "frrk8s.fullname" . }}-controller
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "frrk8s.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch","update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "frrk8s.fullname" . }}-controller
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "frrk8s.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "frrk8s.fullname" . }}-controller
subjects:
- kind: ServiceAccount
name: {{ include "frrk8s.serviceAccountName" . }}
{{ end -}}

View File

@ -0,0 +1,16 @@
{{- if .Values.frrk8s.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "frrk8s.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "frrk8s.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.frrk8s.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,128 @@
{{- if .Values.prometheus.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "frrk8s.fullname" . }}-frr-k8s-monitor
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "frrk8s.labels" . | nindent 4 }}
app.kubernetes.io/component: frr-k8s
{{- if .Values.prometheus.serviceMonitor.additionalLabels }}
{{ toYaml .Values.prometheus.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.annotations }}
annotations:
{{ toYaml .Values.prometheus.serviceMonitor.annotations | indent 4 }}
{{- end }}
spec:
endpoints:
- port: "metricshttps"
honorLabels: true
{{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }}
{{- end -}}
{{- if .Values.prometheus.serviceMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.interval }}
interval: {{ .Values.prometheus.serviceMonitor.interval }}
{{- end -}}
{{ if .Values.prometheus.secureMetricsPort }}
bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
scheme: "https"
{{- if .Values.prometheus.serviceMonitor.tlsConfig }}
tlsConfig:
{{ toYaml .Values.prometheus.serviceMonitor.tlsConfig | indent 8 }}
{{- end }}
{{ end }}
{{ if .Values.frrk8s.frr.secureMetricsPort }}
- port: "frrmetricshttps"
honorLabels: true
{{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }}
{{- end -}}
{{- if .Values.prometheus.serviceMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.interval }}
interval: {{ .Values.prometheus.serviceMonitor.interval }}
{{- end }}
bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
scheme: "https"
{{- if .Values.prometheus.serviceMonitor.tlsConfig }}
tlsConfig:
{{ toYaml .Values.prometheus.serviceMonitor.tlsConfig | indent 8 }}
{{- end }}
{{- end }}
jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
name: {{ template "frrk8s.fullname" . }}-frr-k8s-monitor-service
---
apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/scrape: "true"
{{- if .Values.prometheus.serviceMonitor.annotations }}
{{ toYaml .Values.prometheus.serviceMonitor.annotations | indent 4 }}
{{- end }}
labels:
name: {{ template "frrk8s.fullname" . }}-frr-k8s-monitor-service
name: {{ template "frrk8s.fullname" . }}-frr-k8s-monitor-service
namespace: {{ .Release.Namespace | quote }}
spec:
selector:
{{- include "frrk8s.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: frr-k8s
clusterIP: None
ports:
- name: "metricshttps"
port: {{ .Values.prometheus.secureMetricsPort }}
targetPort: {{ .Values.prometheus.secureMetricsPort }}
- name: frrmetricshttps
port: {{ .Values.frrk8s.frr.secureMetricsPort }}
targetPort: {{ .Values.frrk8s.frr.secureMetricsPort }}
sessionAffinity: None
type: ClusterIP
---
{{- if .Values.prometheus.rbacPrometheus }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "frrk8s.fullname" . }}-prometheus
namespace: {{ .Release.Namespace | quote }}
rules:
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "frrk8s.fullname" . }}-prometheus
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "frrk8s.fullname" . }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ required ".Values.prometheus.serviceAccount must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.serviceAccount }}
namespace: {{ required ".Values.prometheus.namespace must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.namespace }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,163 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "frrk8s.fullname" . }}-webhook-server
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "frrk8s.labels" . | nindent 4 }}
app.kubernetes.io/component: frr-k8s-webhook-server
{{- range $key, $value := .Values.frrk8s.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/component: frr-k8s-webhook-server
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: frr-k8s-webhook-server
labels:
app.kubernetes.io/component: frr-k8s-webhook-server
spec:
{{- if .Values.frrk8s.runtimeClassName }}
runtimeClassName: {{ .Values.frrk8s.runtimeClassName }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.podSecurityContext }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- end }}
containers:
- command:
- /frr-k8s
args:
{{- with .Values.frrk8s.logLevel }}
- --log-level={{ . }}
{{- end }}
- "--webhook-mode=onlywebhook"
{{- if .Values.frrk8s.disableCertRotation }}
- "--disable-cert-rotation=true"
{{- end }}
{{- if .Values.frrk8s.restartOnRotatorSecretRefresh }}
- "--restart-on-rotator-secret-refresh=true"
{{- end }}
- "--namespace=$(NAMESPACE)"
- --health-probe-bind-address=:8081
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: {{ .Values.frrk8s.image.repository }}:{{ .Values.frrk8s.image.tag | default .Chart.AppVersion }}
{{- if .Values.frrk8s.image.pullPolicy }}
imagePullPolicy: {{ .Values.frrk8s.image.pullPolicy }}
{{- end }}
name: frr-k8s-webhook-server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
{{- if .Values.frrk8s.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /healthz
port: 8081
initialDelaySeconds: {{ .Values.frrk8s.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.frrk8s.livenessProbe.periodSeconds }}
failureThreshold: {{ .Values.frrk8s.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.frrk8s.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: {{ .Values.frrk8s.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.frrk8s.readinessProbe.periodSeconds }}
failureThreshold: {{ .Values.frrk8s.readinessProbe.failureThreshold }}
{{- end }}
{{- with .Values.frrk8s.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
volumeMounts:
- name: cert
mountPath: /tmp/k8s-webhook-server/serving-certs
readOnly: true
{{- with .Values.frrk8s.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.frrk8s.tolerateMaster .Values.frrk8s.tolerations }}
tolerations:
{{- if .Values.frrk8s.tolerateMaster }}
- key: node-role.kubernetes.io/master
effect: NoSchedule
operator: Exists
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
operator: Exists
{{- end }}
{{- with .Values.frrk8s.tolerations }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
{{- with .Values.frrk8s.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: frr-k8s-webhook-server-cert
serviceAccountName: {{ template "frrk8s.serviceAccountName" . }}
terminationGracePeriodSeconds: 10
---
apiVersion: v1
kind: Secret
metadata:
name: frr-k8s-webhook-server-cert
namespace: {{ .Release.Namespace | quote }}
---
apiVersion: v1
kind: Service
metadata:
name: frr-k8s-webhook-service
namespace: {{ .Release.Namespace | quote }}
spec:
ports:
- port: 443
targetPort: 9443
selector:
app.kubernetes.io/component: frr-k8s-webhook-server
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: frr-k8s-validating-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: frr-k8s-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-frrk8s-metallb-io-v1beta1-frrconfiguration
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: frrconfigurationsvalidationwebhook.metallb.io
rules:
- apiGroups:
- frrk8s.metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- frrconfigurations
sideEffects: None

View File

@ -0,0 +1,387 @@
{
"$schema": "https://json-schema.org/draft-07/schema#",
"title": "Values",
"type": "object",
"definitions": {
"prometheusAlert": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"labels": {
"type": "object",
"additionalProperties": {
"type": "string"
}
}
},
"required": [
"enabled"
]
},
"probe": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"failureThreshold": {
"type": "integer"
},
"initialDelaySeconds": {
"type": "integer"
},
"periodSeconds": {
"type": "integer"
},
"successThreshold": {
"type": "integer"
},
"timeoutSeconds": {
"type": "integer"
}
},
"required": [
"failureThreshold",
"initialDelaySeconds",
"periodSeconds",
"successThreshold",
"timeoutSeconds"
]
},
"component": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"logLevel": {
"type": "string",
"enum": [
"all",
"debug",
"info",
"warn",
"error",
"none"
]
},
"image": {
"type": "object",
"properties": {
"repository": {
"type": "string"
},
"tag": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
]
},
"pullPolicy": {
"anyOf": [
{
"type": "null"
},
{
"type": "string",
"enum": [
"Always",
"IfNotPresent",
"Never"
]
}
]
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"name": {
"type": "string"
},
"annotations": {
"type": "object"
}
}
},
"resources": {
"type": "object"
},
"nodeSelector": {
"type": "object"
},
"tolerations": {
"type": "array",
"items": {
"type": "object"
}
},
"priorityClassName": {
"type": "string"
},
"runtimeClassName": {
"type": "string"
},
"affinity": {
"type": "object"
},
"podAnnotations": {
"type": "object"
},
"livenessProbe": {
"$ref": "#/definitions/probe"
},
"readinessProbe": {
"$ref": "#/definitions/probe"
}
},
"required": [
"image",
"serviceAccount"
]
}
},
"properties": {
"imagePullSecrets": {
"description": "Secrets used for pulling images",
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
},
"required": [
"name"
],
"additionalProperties": false
}
},
"nameOverride": {
"description": "Override chart name",
"type": "string"
},
"fullNameOverride": {
"description": "Override fully qualified app name",
"type": "string"
},
"rbac": {
"description": "RBAC configuration",
"type": "object",
"properties": {
"create": {
"description": "Enable RBAC",
"type": "boolean"
}
}
},
"prometheus": {
"description": "Prometheus monitoring config",
"type": "object",
"properties": {
"scrapeAnnotations": {
"type": "boolean"
},
"metricsPort": {
"type": "integer"
},
"secureMetricsPort": {
"type": "integer"
},
"rbacPrometheus": {
"type": "boolean"
},
"serviceAccount": {
"type": "string"
},
"namespace": {
"type": "string"
},
"rbacProxy": {
"description": "kube-rbac-proxy configuration",
"type": "object",
"properties": {
"repository": {
"type": "string"
},
"tag": {
"type": "string"
}
}
},
"serviceMonitor": {
"description": "Prometheus Operator ServiceMonitors",
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"jobLabel": {
"type": "string"
},
"interval": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
]
},
"metricRelabelings": {
"type": "array",
"items": {
"type": "object"
}
},
"relabelings": {
"type": "array",
"items": {
"type": "object"
}
}
}
}
},
"frrk8s": {
"allOf": [
{
"$ref": "#/definitions/component"
},
{
"description": "FRR-K8s controller",
"type": "object",
"properties": {
"tolerateMaster": {
"type": "boolean"
},
"updateStrategy": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
},
"required": [
"type"
]
},
"runtimeClassName": {
"type": "string"
},
"secretName": {
"type": "string"
},
"frr": {
"description": "The FRR properties in the controller",
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/component/properties/image"
},
"metricsPort": {
"type": "integer"
},
"secureMetricsPort": {
"type": "integer"
},
"resources:": {
"type": "object"
}
},
"required": [
"enabled"
]
},
"command": {
"type": "string"
},
"reloader": {
"type": "object",
"properties": {
"resources": {
"type": "object"
}
}
},
"frrMetrics": {
"type": "object",
"properties": {
"resources": {
"type": "object"
}
}
}
},
"required": [
"tolerateMaster"
]
}
]
},
"crds": {
"description": "CRD configuration",
"type": "object",
"properties": {
"enabled": {
"description": "Enable CRDs",
"type": "boolean"
},
"validationFailurePolicy": {
"description": "Failure policy to use with validating webhooks",
"type": "string",
"enum": [
"Ignore",
"Fail"
]
}
}
}
},
"frrk8s": {
"allOf": [
{
"$ref": "#/definitions/component"
},
{
"description": "FRRk8s Controller",
"type": "object",
"properties": {
"strategy": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
},
"required": [
"type"
]
},
"command": {
"type": "string"
},
"webhookMode": {
"type": "string"
}
}
}
]
}
},
"required": [
"frrk8s"
]
}

View File

@ -0,0 +1,176 @@
# Default values for frr-k8s.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
nameOverride: ""
fullnameOverride: ""
rbac:
# create specifies whether to install and use RBAC rules.
create: true
podSecurityContext:
seccompProfile:
type: RuntimeDefault
prometheus:
# scrape annotations specifies whether to add Prometheus metric
# auto-collection annotations to pods. See
# https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
# for a corresponding Prometheus configuration. Alternatively, you
# may want to use the Prometheus Operator
# (https://github.com/coreos/prometheus-operator) for more powerful
# monitoring configuration. If you use the Prometheus operator, this
# can be left at false.
scrapeAnnotations: false
# bind addr frr-k8s will use for metrics
metricsBindAddress: 127.0.0.1
# port frr-k8s will listen on for metrics
metricsPort: 7572
# if set, enables rbac proxy on frr-k8s to expose
# the metrics via tls.
secureMetricsPort: 9140
# the name of the secret to be mounted in the frr-k8s pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
metricsTLSSecret: ""
# prometheus doens't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
rbacPrometheus: false
# the service account used by prometheus
# required when " .Values.prometheus.rbacPrometheus == true " and " prometheus.serviceMonitor.enabled=true "
serviceAccount: ""
# the namespace where prometheus is deployed
# required when " .Values.prometheus.rbacPrometheus == true " and " prometheus.serviceMonitor.enabled=true "
namespace: ""
# the image to be used for the kuberbacproxy container
rbacProxy:
repository: "registry.opensuse.org/isv/suse/edge/metallb/images/kube-rbac-proxy"
tag: "v0.18.0"
pullPolicy: IfNotPresent
# Prometheus Operator ServiceMonitors.
serviceMonitor:
# enable support for Prometheus Operator
enabled: false
additionalLabels: {}
# optional additional annotations for the controller serviceMonitor
annotations: {}
# optional tls configuration for the controller serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# controller contains configuration specific to the FRRK8s controller
# daemonset.
frrk8s:
# -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
tolerateMaster: true
image:
repository: "registry.opensuse.org/isv/suse/edge/metallb/images/frr-k8s"
tag: "v0.0.14"
pullPolicy: IfNotPresent
## @param controller.updateStrategy.type FRR-K8s controller daemonset strategy type
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
##
updateStrategy:
## StrategyType
## Can be set to RollingUpdate or OnDelete
##
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
## Defines a secret name for the controller to generate a memberlist encryption secret
## By default secretName: {{ "metallb.fullname" }}-memberlist
##
# secretName:
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
affinity: {}
## Selects which runtime class will be used by the pod.
runtimeClassName: ""
podAnnotations: {}
labels:
app: frr-k8s
healthPort: 8081
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
startupProbe:
enabled: true
failureThreshold: 30
periodSeconds: 5
## A comma separated list of cidrs we want always to block for incoming routes
alwaysBlock: ""
## Specifies whether the cert rotator works as part of the webhook.
disableCertRotation: false
## Specifies whether the pod restarts when the rotator refreshes the cert secret.
## Enabling this proved useful for the webhook's stability when it is redeployed multiple times in succession.
restartOnRotatorSecretRefresh: false
# frr contains configuration specific to the FRR container,
frr:
image:
repository: "registry.opensuse.org/isv/suse/edge/metallb/images/frr"
tag: "8.4"
pullPolicy: IfNotPresent
metricsBindAddress: 127.0.0.1
metricsPort: 7573
resources: {}
secureMetricsPort: 9141
reloader:
resources: {}
frrMetrics:
resources: {}
crds:
validationFailurePolicy: Fail

View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View File

@ -0,0 +1,10 @@
apiVersion: v2
appVersion: v0.14.9
description: MetalLB CRDs
home: https://metallb.universe.tf
icon: https://metallb.universe.tf/images/logo/metallb-white.png
name: metallb-crds
sources:
- https://github.com/metallb/metallb
type: application
version: 0.14.8

View File

@ -0,0 +1,11 @@
# crds
![Version: 0.14.3](https://img.shields.io/badge/Version-0.14.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.14.3](https://img.shields.io/badge/AppVersion-v0.14.3-informational?style=flat-square)
MetalLB CRDs
**Homepage:** <https://metallb.universe.tf>
## Source Code
* <https://github.com/metallb/metallb>

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,16 @@
package main
# validate serviceAccountName
deny[msg] {
input.kind == "Deployment"
serviceAccountName := input.spec.template.spec.serviceAccountName
not serviceAccountName == "release-name-metallb-controller"
msg = sprintf("controller serviceAccountName '%s' does not match expected value", [serviceAccountName])
}
# validate node selector includes builtin when custom ones are provided
deny[msg] {
input.kind == "Deployment"
not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
}

View File

@ -0,0 +1,27 @@
package main
# Validate PSP exists in ClusterRole :controller
deny[msg] {
input.kind == "ClusterRole"
input.metadata.name == "metallb:controller"
input.rules[3] == {
"apiGroups": ["policy"],
"resources": ["podsecuritypolicies"],
"resourceNames": ["metallb-controller"],
"verbs": ["use"]
}
msg = "ClusterRole metallb:controller does not include PSP rule"
}
# Validate PSP exists in ClusterRole :speaker
deny[msg] {
input.kind == "ClusterRole"
input.metadata.name == "metallb:speaker"
input.rules[3] == {
"apiGroups": ["policy"],
"resources": ["podsecuritypolicies"],
"resourceNames": ["metallb-controller"],
"verbs": ["use"]
}
msg = "ClusterRole metallb:speaker does not include PSP rule"
}

View File

@ -0,0 +1,30 @@
package main
# validate serviceAccountName
deny[msg] {
input.kind == "DaemonSet"
serviceAccountName := input.spec.template.spec.serviceAccountName
not serviceAccountName == "release-name-metallb-speaker"
msg = sprintf("speaker serviceAccountName '%s' does not match expected value", [serviceAccountName])
}
# validate METALLB_ML_SECRET_KEY (memberlist)
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.containers[0].env[5].name == "METALLB_ML_SECRET_KEY_PATH"
msg = "speaker env does not contain METALLB_ML_SECRET_KEY_PATH at env[5]"
}
# validate node selector includes builtin when custom ones are provided
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.nodeSelector["kubernetes.io/os"] == "linux"
msg = "controller nodeSelector does not include '\"kubernetes.io/os\": linux'"
}
# validate tolerations include the builtins when custom ones are provided
deny[msg] {
input.kind == "DaemonSet"
not input.spec.template.spec.tolerations[0] == { "key": "node-role.kubernetes.io/master", "effect": "NoSchedule", "operator": "Exists" }
msg = "controller tolerations does not include node-role.kubernetes.io/master:NoSchedule"
}

View File

@ -0,0 +1,4 @@
MetalLB is now running in the cluster.
Now you can configure it via its CRs. Please refer to the metallb official docs
on how to use the CRs.

View File

@ -0,0 +1,113 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "metallb.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "metallb.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "metallb.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "metallb.labels" -}}
helm.sh/chart: {{ include "metallb.chart" . }}
{{ include "metallb.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "metallb.selectorLabels" -}}
app.kubernetes.io/name: {{ include "metallb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the controller service account to use
*/}}
{{- define "metallb.controller.serviceAccountName" -}}
{{- if .Values.controller.serviceAccount.create }}
{{- default (printf "%s-controller" (include "metallb.fullname" .)) .Values.controller.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.controller.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the speaker service account to use
*/}}
{{- define "metallb.speaker.serviceAccountName" -}}
{{- if .Values.speaker.serviceAccount.create }}
{{- default (printf "%s-speaker" (include "metallb.fullname" .)) .Values.speaker.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.speaker.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the settings Secret to use.
*/}}
{{- define "metallb.secretName" -}}
{{ default ( printf "%s-memberlist" (include "metallb.fullname" .)) .Values.speaker.secretName | trunc 63 | trimSuffix "-" }}
{{- end -}}
{{- define "metrics.exposedportname" -}}
{{- if .Values.prometheus.secureMetricsPort -}}
"metricshttps"
{{- else -}}
"metrics"
{{- end -}}
{{- end -}}
{{- define "metrics.exposedfrrportname" -}}
{{- if .Values.speaker.frr.secureMetricsPort -}}
"frrmetricshttps"
{{- else -}}
"frrmetrics"
{{- end }}
{{- end }}
{{- define "metrics.exposedport" -}}
{{- if .Values.prometheus.secureMetricsPort -}}
{{ .Values.prometheus.secureMetricsPort }}
{{- else -}}
{{ .Values.prometheus.metricsPort }}
{{- end -}}
{{- end }}
{{- define "metrics.exposedfrrport" -}}
{{- if .Values.speaker.frr.secureMetricsPort -}}
{{ .Values.speaker.frr.secureMetricsPort }}
{{- else -}}
{{ .Values.speaker.frr.metricsPort }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,194 @@
{{- if .Values.controller.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "metallb.fullname" . }}-controller
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- range $key, $value := .Values.controller.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.controller.strategy }}
strategy: {{- toYaml .Values.controller.strategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "metallb.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
template:
metadata:
{{- if or .Values.prometheus.scrapeAnnotations .Values.controller.podAnnotations }}
annotations:
{{- if .Values.prometheus.scrapeAnnotations }}
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.prometheus.metricsPort }}"
{{- end }}
{{- with .Values.controller.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
labels:
{{- include "metallb.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: controller
{{- range $key, $value := .Values.controller.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- with .Values.controller.runtimeClassName }}
runtimeClassName: {{ . | quote }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "metallb.controller.serviceAccountName" . }}
terminationGracePeriodSeconds: 0
{{- if .Values.controller.securityContext }}
securityContext:
{{ toYaml .Values.controller.securityContext | indent 8 }}
{{- end }}
containers:
- name: controller
image: {{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}
{{- if .Values.controller.image.pullPolicy }}
imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
{{- end }}
{{- if .Values.controller.command }}
command:
- {{ .Values.controller.command }}
{{- end }}
args:
- --port={{ .Values.prometheus.metricsPort }}
{{- with .Values.controller.logLevel }}
- --log-level={{ . }}
{{- end }}
{{- if .Values.loadBalancerClass }}
- --lb-class={{ .Values.loadBalancerClass }}
{{- end }}
{{- if .Values.controller.webhookMode }}
- --webhook-mode={{ .Values.controller.webhookMode }}
{{- end }}
{{- if .Values.controller.tlsMinVersion }}
- --tls-min-version={{ .Values.controller.tlsMinVersion }}
{{- end }}
{{- if .Values.controller.tlsCipherSuites }}
- --tls-cipher-suites={{ .Values.controller.tlsCipherSuites }}
{{- end }}
env:
{{- if and .Values.speaker.enabled .Values.speaker.memberlist.enabled }}
- name: METALLB_ML_SECRET_NAME
value: {{ include "metallb.secretName" . }}
- name: METALLB_DEPLOYMENT
value: {{ template "metallb.fullname" . }}-controller
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: METALLB_BGP_TYPE
value: frr
{{- end }}
{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
- name: METALLB_BGP_TYPE
value: frr-k8s
{{- end }}
ports:
- name: monitoring
containerPort: {{ .Values.prometheus.metricsPort }}
- containerPort: 9443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
{{- if .Values.controller.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /metrics
port: monitoring
initialDelaySeconds: {{ .Values.controller.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.controller.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /metrics
port: monitoring
initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
{{- end }}
{{- with .Values.controller.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
{{- if .Values.prometheus.secureMetricsPort }}
- name: kube-rbac-proxy
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
args:
- --logtostderr
- --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
- --upstream=http://127.0.0.1:{{ .Values.prometheus.metricsPort }}/
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
{{- if .Values.prometheus.controllerMetricsTLSSecret }}
- --tls-private-key-file=/etc/metrics/tls.key
- --tls-cert-file=/etc/metrics/tls.crt
{{- end }}
ports:
- containerPort: {{ .Values.prometheus.secureMetricsPort }}
name: metricshttps
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.prometheus.controllerMetricsTLSSecret }}
volumeMounts:
- name: metrics-certs
mountPath: /etc/metrics
readOnly: true
{{- end }}
{{ end }}
{{- if .Values.controller.extraContainers }}
{{- toYaml .Values.controller.extraContainers | nindent 6 }}
{{- end }}
nodeSelector:
"kubernetes.io/os": linux
{{- with .Values.controller.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: metallb-webhook-cert
{{- if .Values.prometheus.controllerMetricsTLSSecret }}
- name: metrics-certs
secret:
secretName: {{ .Values.prometheus.controllerMetricsTLSSecret }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,3 @@
{{- if .Values.configInline }}
{{- fail "Starting from v0.13.0 configInline is no longer supported. Please see https://metallb.universe.tf/#backward-compatibility" }}
{{- end }}

View File

@ -0,0 +1,25 @@
{{- if and .Values.speaker.enabled .Values.speaker.excludeInterfaces.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: metallb-excludel2
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
data:
excludel2.yaml: |
announcedInterfacesToExclude:
- ^docker.*
- ^cbr.*
- ^dummy.*
- ^virbr.*
- ^lxcbr.*
- ^veth.*
- ^lo$
- ^cali.*
- ^tunl.*
- ^flannel.*
- ^kube-ipvs.*
- ^cni.*
- ^nodelocaldns.*
{{- end }}

View File

@ -0,0 +1,106 @@
{{- if .Values.prometheus.podMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ template "metallb.fullname" . }}-controller
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- if .Values.prometheus.podMonitor.additionalLabels }}
{{ toYaml .Values.prometheus.podMonitor.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.podMonitor.annotations }}
annotations:
{{ toYaml .Values.prometheus.podMonitor.annotations | indent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.prometheus.podMonitor.jobLabel | quote }}
selector:
matchLabels:
{{- include "metallb.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: controller
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
podMetricsEndpoints:
- port: monitoring
path: /metrics
{{- if .Values.prometheus.podMonitor.interval }}
interval: {{ .Values.prometheus.podMonitor.interval }}
{{- end }}
{{- if .Values.prometheus.podMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.podMonitor.metricRelabelings | nindent 4 }}
{{- end }}
{{- if .Values.prometheus.podMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.podMonitor.relabelings | nindent 4 }}
{{- end }}
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: {{ template "metallb.fullname" . }}-speaker
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- if .Values.prometheus.podMonitor.additionalLabels }}
{{ toYaml .Values.prometheus.podMonitor.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.podMonitor.annotations }}
annotations:
{{ toYaml .Values.prometheus.podMonitor.annotations | indent 4 }}
{{- end }}
spec:
jobLabel: {{ .Values.prometheus.podMonitor.jobLabel | quote }}
selector:
matchLabels:
{{- include "metallb.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: speaker
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
podMetricsEndpoints:
- port: monitoring
path: /metrics
{{- if .Values.prometheus.podMonitor.interval }}
interval: {{ .Values.prometheus.podMonitor.interval }}
{{- end }}
{{- if .Values.prometheus.podMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.podMonitor.metricRelabelings | nindent 4 }}
{{- end }}
{{- if .Values.prometheus.podMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.podMonitor.relabelings | nindent 4 }}
{{- end }}
---
{{- if .Values.prometheus.rbacPrometheus }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "metallb.fullname" . }}-prometheus
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "metallb.fullname" . }}-prometheus
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "metallb.fullname" . }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ required ".Values.prometheus.serviceAccount must be defined when .Values.prometheus.podMonitor.enabled == true" .Values.prometheus.serviceAccount }}
namespace: {{ required ".Values.prometheus.namespace must be defined when .Values.prometheus.podMonitor.enabled == true" .Values.prometheus.namespace }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,84 @@
{{- if .Values.prometheus.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "metallb.fullname" . }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
{{- if .Values.prometheus.prometheusRule.additionalLabels }}
{{ toYaml .Values.prometheus.prometheusRule.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.annotations }}
annotations:
{{ toYaml .Values.prometheus.prometheusRule.annotations | indent 4 }}
{{- end }}
spec:
groups:
- name: {{ template "metallb.fullname" . }}.rules
rules:
{{- if .Values.prometheus.prometheusRule.staleConfig.enabled }}
- alert: MetalLBStaleConfig
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has a stale config for > 1 minute'`}}
expr: metallb_k8s_client_config_stale_bool{job=~"{{ template "metallb.fullname" . }}.*"} == 1
for: 1m
{{- with .Values.prometheus.prometheusRule.staleConfig.labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.configNotLoaded.enabled }}
- alert: MetalLBConfigNotLoaded
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has not loaded for > 1 minute'`}}
expr: metallb_k8s_client_config_loaded_bool{job=~"{{ template "metallb.fullname" . }}.*"} == 0
for: 1m
{{- with .Values.prometheus.prometheusRule.configNotLoaded.labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.addressPoolExhausted.enabled }}
- alert: MetalLBAddressPoolExhausted
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has exhausted address pool {{ $labels.pool }} for > 1 minute'`}}
expr: metallb_allocator_addresses_in_use_total >= on(pool) metallb_allocator_addresses_total
for: 1m
{{- with .Values.prometheus.prometheusRule.addressPoolExhausted.labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.addressPoolUsage.enabled }}
{{- range .Values.prometheus.prometheusRule.addressPoolUsage.thresholds }}
- alert: MetalLBAddressPoolUsage{{ .percent }}Percent
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has address pool {{ $labels.pool }} past `}}{{ .percent }}{{`% usage for > 1 minute'`}}
expr: ( metallb_allocator_addresses_in_use_total / on(pool) metallb_allocator_addresses_total ) * 100 > {{ .percent }}
{{- with .labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.prometheusRule.bgpSessionDown.enabled }}
- alert: MetalLBBGPSessionDown
annotations:
message: {{`'{{ $labels.job }} - MetalLB {{ $labels.container }} on {{ $labels.pod
}} has BGP session {{ $labels.peer }} down for > 1 minute'`}}
expr: metallb_bgp_session_up{job=~"{{ template "metallb.fullname" . }}.*"} == 0
for: 1m
{{- with .Values.prometheus.prometheusRule.bgpSessionDown.labels }}
labels:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.prometheus.prometheusRule.extraAlerts }}
{{- toYaml . | nindent 4 }}
{{- end}}
{{- end }}

View File

@ -0,0 +1,212 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "metallb.fullname" . }}:controller
labels:
{{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["services", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list"]
- apiGroups: [""]
resources: ["services/status"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
resourceNames: ["metallb-webhook-configuration"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
resourceNames: ["bfdprofiles.metallb.io","bgpadvertisements.metallb.io",
"bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list", "watch"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "metallb.fullname" . }}:speaker
labels:
{{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["services", "endpoints", "nodes", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["metallb.io"]
resources: ["servicel2statuses","servicel2statuses/status"]
verbs: ["*"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- end }}
{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
- apiGroups: ["frrk8s.metallb.io"]
resources: ["frrconfigurations"]
verbs: ["get", "list", "watch","create","update"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "metallb.fullname" . }}-pod-lister
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bfdprofiles"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bgppeers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["l2advertisements"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bgpadvertisements"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["ipaddresspools"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["communities"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "metallb.fullname" . }}-controller
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
{{- if .Values.speaker.memberlist.enabled }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
resourceNames: [{{ include "metallb.secretName" . | quote }}]
verbs: ["list"]
- apiGroups: ["apps"]
resources: ["deployments"]
resourceNames: ["{{ template "metallb.fullname" . }}-controller"]
verbs: ["get"]
{{- end }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["metallb.io"]
resources: ["ipaddresspools"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bgppeers"]
verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
resources: ["bgpadvertisements"]
verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
resources: ["l2advertisements"]
verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
resources: ["communities"]
verbs: ["get", "list","watch"]
- apiGroups: ["metallb.io"]
resources: ["bfdprofiles"]
verbs: ["get", "list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "metallb.fullname" . }}:controller
labels:
{{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "metallb.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "metallb.fullname" . }}:controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "metallb.fullname" . }}:speaker
labels:
{{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "metallb.speaker.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "metallb.fullname" . }}:speaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "metallb.fullname" . }}-pod-lister
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "metallb.fullname" . }}-pod-lister
subjects:
- kind: ServiceAccount
name: {{ include "metallb.speaker.serviceAccountName" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "metallb.fullname" . }}-controller
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "metallb.fullname" . }}-controller
subjects:
- kind: ServiceAccount
name: {{ include "metallb.controller.serviceAccountName" . }}
{{- end -}}

View File

@ -0,0 +1,30 @@
{{- if .Values.controller.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "metallb.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: controller
{{- with .Values.controller.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.speaker.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "metallb.speaker.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- with .Values.speaker.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,194 @@
{{- if .Values.prometheus.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "metallb.fullname" . }}-speaker-monitor
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- if .Values.prometheus.serviceMonitor.speaker.additionalLabels }}
{{ toYaml .Values.prometheus.serviceMonitor.speaker.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.speaker.annotations }}
annotations:
{{ toYaml .Values.prometheus.serviceMonitor.speaker.annotations | indent 4 }}
{{- end }}
spec:
endpoints:
- port: {{ template "metrics.exposedportname" . }}
honorLabels: true
{{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }}
{{- end -}}
{{- if .Values.prometheus.serviceMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.interval }}
interval: {{ .Values.prometheus.serviceMonitor.interval }}
{{- end -}}
{{ if .Values.prometheus.secureMetricsPort }}
bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
scheme: "https"
{{- if .Values.prometheus.serviceMonitor.speaker.tlsConfig }}
tlsConfig:
{{ toYaml .Values.prometheus.serviceMonitor.speaker.tlsConfig | indent 8 }}
{{- end }}
{{ end }}
{{- if .Values.speaker.frr.enabled }}
- port: {{ template "metrics.exposedfrrportname" . }}
honorLabels: true
{{ if .Values.speaker.frr.secureMetricsPort }}
{{- if .Values.prometheus.serviceMonitor.interval }}
interval: {{ .Values.prometheus.serviceMonitor.interval }}
{{- end }}
bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
scheme: "https"
{{- if .Values.prometheus.serviceMonitor.speaker.tlsConfig }}
tlsConfig:
{{ toYaml .Values.prometheus.serviceMonitor.speaker.tlsConfig | indent 8 }}
{{- end }}
{{- end }}
{{- end }}
jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
name: {{ template "metallb.fullname" . }}-speaker-monitor-service
---
apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/scrape: "true"
{{- if .Values.prometheus.serviceMonitor.speaker.annotations }}
{{ toYaml .Values.prometheus.serviceMonitor.speaker.annotations | indent 4 }}
{{- end }}
labels:
name: {{ template "metallb.fullname" . }}-speaker-monitor-service
{{- include "metallb.labels" . | nindent 4 }}
name: {{ template "metallb.fullname" . }}-speaker-monitor-service
namespace: {{ .Release.Namespace | quote }}
spec:
selector:
{{- include "metallb.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: speaker
clusterIP: None
ports:
- name: {{ template "metrics.exposedportname" . }}
port: {{ template "metrics.exposedport" . }}
targetPort: {{ template "metrics.exposedport" . }}
{{- if .Values.speaker.frr.enabled }}
- name: {{ template "metrics.exposedfrrportname" . }}
port: {{ template "metrics.exposedfrrport" . }}
targetPort: {{ template "metrics.exposedfrrport" . }}
{{- end }}
sessionAffinity: None
type: ClusterIP
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "metallb.fullname" . }}-controller-monitor
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- if .Values.prometheus.serviceMonitor.controller.additionalLabels }}
{{ toYaml .Values.prometheus.serviceMonitor.controller.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.controller.annotations }}
annotations:
{{ toYaml .Values.prometheus.serviceMonitor.controller.annotations | indent 4 }}
{{- end }}
spec:
endpoints:
- port: {{ template "metrics.exposedportname" . }}
{{- if .Values.prometheus.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }}
{{- end -}}
{{- if .Values.prometheus.serviceMonitor.relabelings }}
relabelings:
{{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }}
{{- end }}
{{- if .Values.prometheus.serviceMonitor.interval }}
interval: {{ .Values.prometheus.serviceMonitor.interval }}
{{- end }}
honorLabels: true
{{- if .Values.prometheus.secureMetricsPort }}
bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
scheme: "https"
{{- if .Values.prometheus.serviceMonitor.controller.tlsConfig }}
tlsConfig:
{{ toYaml .Values.prometheus.serviceMonitor.controller.tlsConfig | indent 8 }}
{{- end }}
{{- end }}
jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
name: {{ template "metallb.fullname" . }}-controller-monitor-service
---
apiVersion: v1
kind: Service
metadata:
annotations:
prometheus.io/scrape: "true"
{{- if .Values.prometheus.serviceMonitor.controller.annotations }}
{{ toYaml .Values.prometheus.serviceMonitor.controller.annotations | indent 4 }}
{{- end }}
labels:
name: {{ template "metallb.fullname" . }}-controller-monitor-service
name: {{ template "metallb.fullname" . }}-controller-monitor-service
spec:
selector:
{{- include "metallb.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: controller
clusterIP: None
ports:
- name: {{ template "metrics.exposedportname" . }}
port: {{ template "metrics.exposedport" . }}
targetPort: {{ template "metrics.exposedport" . }}
sessionAffinity: None
type: ClusterIP
---
{{- if .Values.prometheus.rbacPrometheus }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "metallb.fullname" . }}-prometheus
namespace: {{ .Release.Namespace | quote }}
rules:
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "metallb.fullname" . }}-prometheus
namespace: {{ .Release.Namespace | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "metallb.fullname" . }}-prometheus
subjects:
- kind: ServiceAccount
name: {{ required ".Values.prometheus.serviceAccount must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.serviceAccount }}
namespace: {{ required ".Values.prometheus.namespace must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.namespace }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,568 @@
{{- if .Values.speaker.frr.enabled }}
{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
{{- fail "speaker.frr.enabled and frrk8s.enabled / external are mutually exclusive!" }}
{{- end }}
{{- end }}
{{- if and .Values.frrk8s.enabled .Values.frrk8s.external }}
{{- fail "frrk8s.enabled frrk8s.external are mutually exclusive!" }}
{{- end }}
{{- if .Values.speaker.frr.enabled }}
# FRR expects to have these files owned by frr:frr on startup.
# Having them in a ConfigMap allows us to modify behaviors: for example enabling more daemons on startup.
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "metallb.fullname" . }}-frr-startup
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
data:
daemons: |
# This file tells the frr package which daemons to start.
#
# Sample configurations for these daemons can be found in
# /usr/share/doc/frr/examples/.
#
# ATTENTION:
#
# When activating a daemon for the first time, a config file, even if it is
# empty, has to be present *and* be owned by the user and group "frr", else
# the daemon will not be started by /etc/init.d/frr. The permissions should
# be u=rw,g=r,o=.
# When using "vtysh" such a config file is also needed. It should be owned by
# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
#
# The watchfrr and zebra daemons are always started.
#
bgpd=yes
ospfd=no
ospf6d=no
ripd=no
ripngd=no
isisd=no
pimd=no
ldpd=no
nhrpd=no
eigrpd=no
babeld=no
sharpd=no
pbrd=no
bfdd=yes
fabricd=no
vrrpd=no
#
# If this option is set the /etc/init.d/frr script automatically loads
# the config via "vtysh -b" when the servers are started.
# Check /etc/pam.d/frr if you intend to use "vtysh"!
#
vtysh_enable=yes
zebra_options=" -A 127.0.0.1 -s 90000000"
bgpd_options=" -A 127.0.0.1 -p 0"
ospfd_options=" -A 127.0.0.1"
ospf6d_options=" -A ::1"
ripd_options=" -A 127.0.0.1"
ripngd_options=" -A ::1"
isisd_options=" -A 127.0.0.1"
pimd_options=" -A 127.0.0.1"
ldpd_options=" -A 127.0.0.1"
nhrpd_options=" -A 127.0.0.1"
eigrpd_options=" -A 127.0.0.1"
babeld_options=" -A 127.0.0.1"
sharpd_options=" -A 127.0.0.1"
pbrd_options=" -A 127.0.0.1"
staticd_options="-A 127.0.0.1"
bfdd_options=" -A 127.0.0.1"
fabricd_options="-A 127.0.0.1"
vrrpd_options=" -A 127.0.0.1"
# configuration profile
#
#frr_profile="traditional"
#frr_profile="datacenter"
#
# This is the maximum number of FD's that will be available.
# Upon startup this is read by the control files and ulimit
# is called. Uncomment and use a reasonable value for your
# setup if you are expecting a large number of peers in
# say BGP.
#MAX_FDS=1024
# The list of daemons to watch is automatically generated by the init script.
#watchfrr_options=""
# for debugging purposes, you can specify a "wrap" command to start instead
# of starting the daemon directly, e.g. to use valgrind on ospfd:
# ospfd_wrap="/usr/bin/valgrind"
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
# all_wrap="/usr/bin/perf record --call-graph -"
# the normal daemon command is added to this at the end.
vtysh.conf: |+
service integrated-vtysh-config
frr.conf: |+
! This file gets overriden the first time the speaker renders a config.
! So anything configured here is only temporary.
frr version 8.0
frr defaults traditional
hostname Router
line vty
log file /etc/frr/frr.log informational
{{- end }}
---
{{- if .Values.speaker.enabled }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "metallb.fullname" . }}-speaker
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
app.kubernetes.io/component: speaker
{{- range $key, $value := .Values.speaker.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.speaker.updateStrategy }}
updateStrategy: {{- toYaml .Values.speaker.updateStrategy | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "metallb.selectorLabels" . | nindent 6 }}
app.kubernetes.io/component: speaker
template:
metadata:
{{- if or .Values.prometheus.scrapeAnnotations .Values.speaker.podAnnotations }}
annotations:
{{- if .Values.prometheus.scrapeAnnotations }}
prometheus.io/scrape: "true"
{{- if not .Values.speaker.frr.enabled }}
prometheus.io/port: "{{ .Values.prometheus.metricsPort }}"
{{- end }}
{{- end }}
{{- with .Values.speaker.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
labels:
{{- include "metallb.selectorLabels" . | nindent 8 }}
app.kubernetes.io/component: speaker
{{- range $key, $value := .Values.speaker.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.speaker.runtimeClassName }}
runtimeClassName: {{ .Values.speaker.runtimeClassName }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "metallb.speaker.serviceAccountName" . }}
terminationGracePeriodSeconds: 0
hostNetwork: true
{{- if .Values.speaker.securityContext }}
securityContext:
{{- toYaml .Values.speaker.securityContext | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
- name: metrics-certs
secret:
secretName: {{ .Values.prometheus.speakerMetricsTLSSecret }}
{{- end }}
{{- if .Values.speaker.memberlist.enabled }}
- name: memberlist
secret:
secretName: {{ include "metallb.secretName" . }}
defaultMode: 420
{{- end }}
{{- if .Values.speaker.excludeInterfaces.enabled }}
- name: metallb-excludel2
configMap:
defaultMode: 256
name: metallb-excludel2
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: frr-sockets
emptyDir: {}
- name: frr-startup
configMap:
name: {{ template "metallb.fullname" . }}-frr-startup
- name: frr-conf
emptyDir: {}
- name: reloader
emptyDir: {}
- name: metrics
emptyDir: {}
initContainers:
# Copies the initial config files with the right permissions to the shared volume.
- name: cp-frr-files
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
securityContext:
runAsUser: 100
runAsGroup: 101
command: ["/bin/sh", "-c", "cp -rLf /tmp/frr/* /etc/frr/"]
volumeMounts:
- name: frr-startup
mountPath: /tmp/frr
- name: frr-conf
mountPath: /etc/frr
# Copies the reloader to the shared volume between the speaker and reloader.
- name: cp-reloader
image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
command: ["/cp-tool","/frr-reloader.sh","/etc/frr_reloader/frr-reloader.sh"]
volumeMounts:
- name: reloader
mountPath: /etc/frr_reloader
# Copies the metrics exporter
- name: cp-metrics
image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
command: ["/cp-tool","/frr-metrics","/etc/frr_metrics/frr-metrics"]
volumeMounts:
- name: metrics
mountPath: /etc/frr_metrics
shareProcessNamespace: true
{{- end }}
containers:
- name: speaker
image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
{{- if .Values.speaker.image.pullPolicy }}
imagePullPolicy: {{ .Values.speaker.image.pullPolicy }}
{{- end }}
{{- if .Values.speaker.command }}
command:
- {{ .Values.speaker.command }}
{{- end }}
args:
- --port={{ .Values.prometheus.metricsPort }}
{{- with .Values.speaker.logLevel }}
- --log-level={{ . }}
{{- end }}
{{- if .Values.loadBalancerClass }}
- --lb-class={{ .Values.loadBalancerClass }}
{{- end }}
{{- if .Values.speaker.wanConfig }}
- --ml-wan-config
{{- end }}
{{- if .Values.speaker.ignoreExcludeLB}}
- --ignore-exclude-lb
{{- end }}
{{- if .Values.prometheus.secureMetricsPort }}
- --host=localhost
{{- end }}
{{- if .Values.frrk8s.external }}
- --frrk8s-namespace={{ required "namespace is required when frrk8s is external" .Values.frrk8s.namespace }}
{{- end }}
env:
- name: METALLB_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: METALLB_HOST
valueFrom:
fieldRef:
fieldPath: status.hostIP
{{- if .Values.speaker.memberlist.enabled }}
{{- if .Values.speaker.memberlist.mlBindAddrOverride }}
- name: METALLB_ML_BIND_ADDR
value: "{{ .Values.speaker.memberlist.mlBindAddrOverride }}"
{{ else }}
- name: METALLB_ML_BIND_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
{{ end }}
- name: METALLB_ML_LABELS
value: "app.kubernetes.io/name={{ include "metallb.name" . }},app.kubernetes.io/component=speaker"
- name: METALLB_ML_BIND_PORT
value: "{{ .Values.speaker.memberlist.mlBindPort }}"
- name: METALLB_ML_SECRET_KEY_PATH
value: "{{ .Values.speaker.memberlist.mlSecretKeyPath }}"
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: FRR_CONFIG_FILE
value: /etc/frr_reloader/frr.conf
- name: FRR_RELOADER_PID_FILE
value: /etc/frr_reloader/reloader.pid
- name: METALLB_BGP_TYPE
value: frr
{{- end }}
{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
- name: METALLB_BGP_TYPE
value: frr-k8s
{{- end }}
- name: METALLB_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
ports:
- name: monitoring
containerPort: {{ .Values.prometheus.metricsPort }}
{{- if .Values.speaker.memberlist.enabled }}
- name: memberlist-tcp
containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
protocol: TCP
- name: memberlist-udp
containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
protocol: UDP
{{- end }}
{{- if .Values.speaker.livenessProbe.enabled }}
livenessProbe:
httpGet:
{{- if .Values.prometheus.secureMetricsPort }}
host: localhost
{{- end }}
path: /metrics
port: monitoring
initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.speaker.readinessProbe.enabled }}
readinessProbe:
httpGet:
{{- if .Values.prometheus.secureMetricsPort }}
host: localhost
{{- end }}
path: /metrics
port: monitoring
initialDelaySeconds: {{ .Values.speaker.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.speaker.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.speaker.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.speaker.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.speaker.readinessProbe.failureThreshold }}
{{- end }}
{{- with .Values.speaker.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
add:
- NET_RAW
{{- if or .Values.speaker.frr.enabled .Values.speaker.memberlist.enabled .Values.speaker.excludeInterfaces.enabled }}
volumeMounts:
{{- if .Values.speaker.memberlist.enabled }}
- name: memberlist
mountPath: {{ .Values.speaker.memberlist.mlSecretKeyPath }}
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: reloader
mountPath: /etc/frr_reloader
{{- end }}
{{- if .Values.speaker.excludeInterfaces.enabled }}
- name: metallb-excludel2
mountPath: /etc/metallb
{{- end }}
{{- end }}
{{- if .Values.speaker.frr.enabled }}
- name: frr
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
- NET_BIND_SERVICE
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
{{- if .Values.speaker.frr.image.pullPolicy }}
imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
{{- end }}
env:
- name: TINI_SUBREAPER
value: "true"
volumeMounts:
- name: frr-sockets
mountPath: /var/run/frr
- name: frr-conf
mountPath: /etc/frr
# The command is FRR's default entrypoint & waiting for the log file to appear and tailing it.
# If the log file isn't created in 60 seconds the tail fails and the container is restarted.
# This workaround is needed to have the frr logs as part of kubectl logs -c frr < speaker_pod_name >.
command:
- /bin/sh
- -c
- |
/sbin/tini -- /usr/lib/frr/docker-start &
attempts=0
until [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do
sleep 1
attempts=$(( $attempts + 1 ))
done
tail -f /etc/frr/frr.log
{{- with .Values.speaker.frr.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.speaker.livenessProbe.enabled }}
livenessProbe:
httpGet:
{{- if .Values.prometheus.secureMetricsPort }}
host: localhost
{{- end }}
path: livez
port: {{ .Values.speaker.frr.metricsPort }}
initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.speaker.startupProbe.enabled }}
startupProbe:
httpGet:
{{- if .Values.prometheus.secureMetricsPort }}
host: localhost
{{- end }}
path: /livez
port: {{ .Values.speaker.frr.metricsPort }}
failureThreshold: {{ .Values.speaker.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.speaker.startupProbe.periodSeconds }}
{{- end }}
- name: reloader
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
{{- if .Values.speaker.frr.image.pullPolicy }}
imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
{{- end }}
command: ["/etc/frr_reloader/frr-reloader.sh"]
volumeMounts:
- name: frr-sockets
mountPath: /var/run/frr
- name: frr-conf
mountPath: /etc/frr
- name: reloader
mountPath: /etc/frr_reloader
{{- with .Values.speaker.reloader.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: frr-metrics
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
command: ["/etc/frr_metrics/frr-metrics"]
args:
- --metrics-port={{ .Values.speaker.frr.metricsPort }}
{{- if .Values.prometheus.secureMetricsPort }}
- --host=localhost
{{- end }}
env:
- name: VTYSH_HISTFILE
value: /dev/null
ports:
- containerPort: {{ .Values.speaker.frr.metricsPort }}
name: monitoring
volumeMounts:
- name: frr-sockets
mountPath: /var/run/frr
- name: frr-conf
mountPath: /etc/frr
- name: metrics
mountPath: /etc/frr_metrics
{{- with .Values.speaker.frrMetrics.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.prometheus.secureMetricsPort }}
- name: kube-rbac-proxy
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
args:
- --logtostderr
- --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
- --upstream=http://localhost:{{ .Values.prometheus.metricsPort }}/
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
- --tls-private-key-file=/etc/metrics/tls.key
- --tls-cert-file=/etc/metrics/tls.crt
{{- end }}
ports:
- containerPort: {{ .Values.prometheus.secureMetricsPort }}
name: metricshttps
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
volumeMounts:
- name: metrics-certs
mountPath: /etc/metrics
readOnly: true
{{- end }}
{{ end }}
{{- if .Values.speaker.frr.enabled }}
{{- if .Values.speaker.frr.secureMetricsPort }}
- name: kube-rbac-proxy-frr
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }}
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
args:
- --logtostderr
- --secure-listen-address=:{{ .Values.speaker.frr.secureMetricsPort }}
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- --upstream=http://localhost:{{ .Values.speaker.frr.metricsPort }}/
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
- --tls-private-key-file=/etc/metrics/tls.key
- --tls-cert-file=/etc/metrics/tls.crt
{{- end }}
ports:
- containerPort: {{ .Values.speaker.frr.secureMetricsPort }}
name: frrmetricshttps
env:
- name: METALLB_HOST
valueFrom:
fieldRef:
fieldPath: status.hostIP
resources:
requests:
cpu: 10m
memory: 20Mi
terminationMessagePolicy: FallbackToLogsOnError
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
volumeMounts:
- name: metrics-certs
mountPath: /etc/metrics
readOnly: true
{{- end }}
{{ end }}
{{- end }}
{{- if .Values.speaker.extraContainers }}
{{- toYaml .Values.speaker.extraContainers | nindent 6 }}
{{- end }}
nodeSelector:
"kubernetes.io/os": linux
{{- with .Values.speaker.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.speaker.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or .Values.speaker.tolerateMaster .Values.speaker.tolerations }}
tolerations:
{{- if .Values.speaker.tolerateMaster }}
- key: node-role.kubernetes.io/master
effect: NoSchedule
operator: Exists
- key: node-role.kubernetes.io/control-plane
effect: NoSchedule
operator: Exists
{{- end }}
{{- with .Values.speaker.tolerations }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
{{- with .Values.speaker.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,150 @@
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: metallb-webhook-configuration
labels:
{{- include "metallb.labels" . | nindent 4 }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta2-bgppeer
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: bgppeervalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta2
operations:
- CREATE
- UPDATE
resources:
- bgppeers
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-ipaddresspool
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: ipaddresspoolvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- ipaddresspools
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-bgpadvertisement
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: bgpadvertisementvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- bgpadvertisements
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-community
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: communityvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- communities
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-bfdprofile
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: bfdprofilevalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- DELETE
resources:
- bfdprofiles
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
name: metallb-webhook-service
namespace: {{ .Release.Namespace }}
path: /validate-metallb-io-v1beta1-l2advertisement
failurePolicy: {{ .Values.crds.validationFailurePolicy }}
name: l2advertisementvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- l2advertisements
sideEffects: None
---
apiVersion: v1
kind: Service
metadata:
name: metallb-webhook-service
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}
spec:
ports:
- port: 443
targetPort: 9443
selector:
{{- include "metallb.selectorLabels" . | nindent 4 }}
app.kubernetes.io/component: controller
---
apiVersion: v1
kind: Secret
metadata:
name: metallb-webhook-cert
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "metallb.labels" . | nindent 4 }}

View File

@ -0,0 +1,448 @@
{
"$schema": "https://json-schema.org/draft-07/schema#",
"title": "Values",
"type": "object",
"definitions": {
"prometheusAlert": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"labels": {
"type": "object",
"additionalProperties": { "type": "string" }
}
},
"required": [ "enabled" ]
},
"probe": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"failureThreshold": {
"type": "integer"
},
"initialDelaySeconds": {
"type": "integer"
},
"periodSeconds": {
"type": "integer"
},
"successThreshold": {
"type": "integer"
},
"timeoutSeconds": {
"type": "integer"
}
},
"required": [
"failureThreshold",
"initialDelaySeconds",
"periodSeconds",
"successThreshold",
"timeoutSeconds"
]
},
"component": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"logLevel": {
"type": "string",
"enum": [ "all", "debug", "info", "warn", "error", "none" ]
},
"image": {
"type": "object",
"properties": {
"repository": {
"type": "string"
},
"tag": {
"anyOf": [
{ "type": "string" },
{ "type": "null" }
]
},
"pullPolicy": {
"anyOf": [
{
"type": "null"
},
{
"type": "string",
"enum": [ "Always", "IfNotPresent", "Never" ]
}
]
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"name": {
"type": "string"
},
"annotations": {
"type": "object"
}
}
},
"resources": {
"type": "object"
},
"nodeSelector": {
"type": "object"
},
"tolerations": {
"type": "array",
"items": {
"type": "object"
}
},
"priorityClassName": {
"type":"string"
},
"runtimeClassName": {
"type":"string"
},
"affinity": {
"type": "object"
},
"podAnnotations": {
"type": "object"
},
"livenessProbe": {
"$ref": "#/definitions/probe"
},
"readinessProbe": {
"$ref": "#/definitions/probe"
}
},
"required": [
"image",
"serviceAccount"
]
}
},
"properties": {
"imagePullSecrets": {
"description": "Secrets used for pulling images",
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
},
"required": [ "name" ],
"additionalProperties": false
}
},
"nameOverride": {
"description": "Override chart name",
"type": "string"
},
"fullNameOverride": {
"description": "Override fully qualified app name",
"type": "string"
},
"configInLine": {
"description": "MetalLB configuration",
"type": "object"
},
"loadBalancerClass": {
"type":"string"
},
"rbac": {
"description": "RBAC configuration",
"type": "object",
"properties": {
"create": {
"description": "Enable RBAC",
"type": "boolean"
}
}
},
"prometheus": {
"description": "Prometheus monitoring config",
"type": "object",
"properties": {
"scrapeAnnotations": { "type": "boolean" },
"metricsPort": { "type": "integer" },
"secureMetricsPort": { "type": "integer" },
"rbacPrometheus": { "type": "boolean" },
"serviceAccount": { "type": "string" },
"namespace": { "type": "string" },
"rbacProxy": {
"description": "kube-rbac-proxy configuration",
"type": "object",
"properties": {
"repository": { "type": "string" },
"tag": { "type": "string" }
}
},
"podMonitor": {
"description": "Prometheus Operator PodMonitors",
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"additionalMonitors": { "type": "object" },
"jobLabel": { "type": "string" },
"interval": {
"anyOf": [
{ "type": "integer" },
{ "type": "null" }
]
},
"metricRelabelings": {
"type": "array",
"items": {
"type": "object"
}
},
"relabelings": {
"type": "array",
"items": {
"type": "object"
}
}
}
},
"serviceMonitor": {
"description": "Prometheus Operator ServiceMonitors",
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"jobLabel": { "type": "string" },
"interval": {
"anyOf": [
{ "type": "integer" },
{ "type": "null" }
]
},
"metricRelabelings": {
"type": "array",
"items": {
"type": "object"
}
},
"relabelings": {
"type": "array",
"items": {
"type": "object"
}
}
}
},
"prometheusRule": {
"description": "Prometheus Operator alertmanager alerts",
"type": "object",
"properties": {
"enabled": { "type": "boolean" },
"additionalMonitors": { "type": "object" },
"staleConfig": { "$ref": "#/definitions/prometheusAlert" },
"configNotLoaded": { "$ref": "#/definitions/prometheusAlert" },
"addressPoolExhausted": { "$ref": "#/definitions/prometheusAlert" },
"addressPoolUsage": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"thresholds": {
"type": "array",
"items": {
"type": "object",
"properties": {
"percent": {
"type": "integer",
"minimum": 0,
"maximum": 100
},
"labels": {
"type": "object",
"additionalProperties": { "type": "string" }
}
},
"required": [ "percent" ]
}
}
},
"required": [ "enabled" ]
},
"bgpSessionDown": { "$ref": "#/definitions/prometheusAlert" },
"extraAlerts": {
"type": "array",
"items": {
"type": "object"
}
}
},
"required": [
"enabled",
"staleConfig",
"configNotLoaded",
"addressPoolExhausted",
"addressPoolUsage",
"bgpSessionDown"
]
}
},
"required": [ "podMonitor", "prometheusRule" ]
},
"controller": {
"allOf": [
{ "$ref": "#/definitions/component" },
{ "description": "MetalLB Controller",
"type": "object",
"properties": {
"strategy": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
},
"required": [ "type" ]
},
"command" : {
"type": "string"
},
"webhookMode" : {
"type": "string"
},
"extraContainers": {
"type": "array",
"items": {
"type": "object"
}
}
}
}
]
},
"speaker": {
"allOf": [
{ "$ref": "#/definitions/component" },
{ "description": "MetalLB Speaker",
"type": "object",
"properties": {
"tolerateMaster": {
"type": "boolean"
},
"memberlist": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"mlBindPort": {
"type": "integer"
},
"mlBindAddrOverride": {
"type": "string"
},
"mlSecretKeyPath": {
"type": "string"
}
}
},
"excludeInterfaces": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
}
}
},
"ignoreExcludeLB": {
"type": "boolean"
},
"updateStrategy": {
"type": "object",
"properties": {
"type": {
"type": "string"
}
},
"required": [ "type" ]
},
"runtimeClassName": {
"type": "string"
},
"securityContext": {
"type": "object"
},
"secretName": {
"type": "string"
},
"frr": {
"description": "Install FRR container in speaker deployment",
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"image": { "$ref": "#/definitions/component/properties/image" },
"metricsPort": { "type": "integer" },
"secureMetricsPort": { "type": "integer" },
"resources:": { "type": "object" }
},
"required": [ "enabled" ]
},
"command" : {
"type": "string"
},
"reloader": {
"type": "object",
"properties": {
"resources": { "type": "object" }
}
},
"frrMetrics": {
"type": "object",
"properties": {
"resources": { "type": "object" }
}
},
"extraContainers": {
"type": "array",
"items": {
"type": "object"
}
}
},
"required": [ "tolerateMaster" ]
}
]
},
"crds": {
"description": "CRD configuration",
"type": "object",
"properties": {
"enabled": {
"description": "Enable CRDs",
"type": "boolean"
},
"validationFailurePolicy": {
"description": "Failure policy to use with validating webhooks",
"type": "string",
"enum": [ "Ignore", "Fail" ]
}
}
}
},
"required": [
"controller",
"speaker"
]
}

380
metallb-chart/values.yaml Normal file
View File

@ -0,0 +1,380 @@
# Default values for metallb.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# MetalLB supports LoadBalancerClass, which allows multiple load balancer implementations to co-exist.
# In order to set the loadbalancer class MetalLB should be listening for, the --lb-class=<CLASS_NAME>
# parameter must be provided to both the speaker and the controller.
loadBalancerClass: ""
# To configure MetalLB, you must specify ONE of the following two
# options.
rbac:
# create specifies whether to install and use RBAC rules.
create: true
prometheus:
# scrape annotations specifies whether to add Prometheus metric
# auto-collection annotations to pods. See
# https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
# for a corresponding Prometheus configuration. Alternatively, you
# may want to use the Prometheus Operator
# (https://github.com/coreos/prometheus-operator) for more powerful
# monitoring configuration. If you use the Prometheus operator, this
# can be left at false.
scrapeAnnotations: false
# port both controller and speaker will listen on for metrics
metricsPort: 7472
# if set, enables rbac proxy on the controller and speaker to expose
# the metrics via tls.
# secureMetricsPort: 9120
# the name of the secret to be mounted in the speaker pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
speakerMetricsTLSSecret: ""
# the name of the secret to be mounted in the controller pod
# to expose the metrics securely. If not present, a self signed
# certificate to be used.
controllerMetricsTLSSecret: ""
# prometheus doens't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
rbacPrometheus: true
# the service account used by prometheus
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
serviceAccount: ""
# the namespace where prometheus is deployed
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
namespace: ""
# the image to be used for the kuberbacproxy container
rbacProxy:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%kube-rbac-proxy"
tag: "v0.18.0"
pullPolicy: IfNotPresent
# Prometheus Operator PodMonitors
podMonitor:
# enable support for Prometheus Operator
enabled: false
# optional additionnal labels for podMonitors
additionalLabels: {}
# optional annotations for podMonitors
annotations: {}
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator ServiceMonitors. To be used as an alternative
# to podMonitor, supports secure metrics.
serviceMonitor:
# enable support for Prometheus Operator
enabled: false
speaker:
# optional additional labels for the speaker serviceMonitor
additionalLabels: {}
# optional additional annotations for the speaker serviceMonitor
annotations: {}
# optional tls configuration for the speaker serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
controller:
# optional additional labels for the controller serviceMonitor
additionalLabels: {}
# optional additional annotations for the controller serviceMonitor
annotations: {}
# optional tls configuration for the controller serviceMonitor, in case
# secure metrics are enabled.
tlsConfig:
insecureSkipVerify: true
# Job label for scrape target
jobLabel: "app.kubernetes.io/name"
# Scrape interval. If not set, the Prometheus default scrape interval is used.
interval:
# metric relabel configs to apply to samples before ingestion.
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# relabel configs to apply to samples before ingestion.
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# target_label: nodename
# replacement: $1
# action: replace
# Prometheus Operator alertmanager alerts
prometheusRule:
# enable alertmanager alerts
enabled: false
# optional additionnal labels for prometheusRules
additionalLabels: {}
# optional annotations for prometheusRules
annotations: {}
# MetalLBStaleConfig
staleConfig:
enabled: true
labels:
severity: warning
# MetalLBConfigNotLoaded
configNotLoaded:
enabled: true
labels:
severity: warning
# MetalLBAddressPoolExhausted
addressPoolExhausted:
enabled: true
labels:
severity: alert
addressPoolUsage:
enabled: true
thresholds:
- percent: 75
labels:
severity: warning
- percent: 85
labels:
severity: warning
- percent: 95
labels:
severity: alert
# MetalLBBGPSessionDown
bgpSessionDown:
enabled: true
labels:
severity: alert
extraAlerts: []
# controller contains configuration specific to the MetalLB cluster
# controller.
controller:
enabled: true
# -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
# command: /controller
# webhookMode: enabled
image:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller"
tag: "v0.14.8"
pullPolicy: IfNotPresent
## @param controller.updateStrategy.type Metallb controller deployment strategy type.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## e.g:
## strategy:
## type: RollingUpdate
## rollingUpdate:
## maxSurge: 25%
## maxUnavailable: 25%
##
strategy:
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
securityContext:
runAsNonRoot: true
# nobody
runAsUser: 65534
fsGroup: 65534
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
runtimeClassName: ""
affinity: {}
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
tlsMinVersion: "VersionTLS12"
tlsCipherSuites: ""
extraContainers: []
# speaker contains configuration specific to the MetalLB speaker
# daemonset.
speaker:
enabled: true
# command: /speaker
# -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
logLevel: info
tolerateMaster: true
memberlist:
enabled: true
mlBindPort: 7946
mlBindAddrOverride: ""
mlSecretKeyPath: "/etc/ml_secret_key"
excludeInterfaces:
enabled: true
# ignore the exclude-from-external-loadbalancer label
ignoreExcludeLB: false
image:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker"
tag: "v0.14.8"
pullPolicy: IfNotPresent
## @param speaker.updateStrategy.type Speaker daemonset strategy type
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
##
updateStrategy:
## StrategyType
## Can be set to RollingUpdate or OnDelete
##
type: RollingUpdate
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use. If not set and create is
# true, a name is generated using the fullname template
name: ""
annotations: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
## Defines a secret name for the controller to generate a memberlist encryption secret
## By default secretName: {{ "metallb.fullname" }}-memberlist
##
# secretName:
resources: {}
# limits:
# cpu: 100m
# memory: 100Mi
nodeSelector: {}
tolerations: []
priorityClassName: ""
affinity: {}
## Selects which runtime class will be used by the pod.
runtimeClassName: ""
podAnnotations: {}
labels: {}
livenessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
enabled: true
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
startupProbe:
enabled: true
failureThreshold: 30
periodSeconds: 5
# frr contains configuration specific to the MetalLB FRR container,
# for speaker running alongside FRR.
frr:
enabled: false
image:
repository: "%%IMG_REPO%%/%%IMG_PREFIX%%frr"
tag: "8.4"
pullPolicy: IfNotPresent
metricsPort: 7473
resources: {}
# if set, enables a rbac proxy sidecar container on the speaker to
# expose the frr metrics via tls.
# secureMetricsPort: 9121
reloader:
resources: {}
frrMetrics:
resources: {}
extraContainers: []
crds:
enabled: true
validationFailurePolicy: Fail
# frrk8s contains the configuration related to using an frrk8s instance
# (github.com/metallb/frr-k8s) as the backend for the BGP implementation.
# This allows configuring additional frr parameters in combination to those
# applied by MetalLB.
frrk8s:
# if set, enables frrk8s as a backend. This is mutually exclusive to frr
# mode.
enabled: false
external: false
namespace: ""

View File

@ -0,0 +1,32 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%
#!BuildTag: %%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends metallb-controller; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.metallb
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Metallb Controller Container Image"
LABEL org.opencontainers.image.description="metallb-controller based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%metallb-controller_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%metallb-controller:v%%metallb-controller_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="l3"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
ENTRYPOINT ["/controller"]

View File

@ -0,0 +1,17 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%metallb-controller_version%%</param>
<param name="package">metallb-controller</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
</services>

View File

@ -0,0 +1,32 @@
# SPDX-License-Identifier: Apache-2.0
#!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%
#!BuildTag: %%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE%
#!BuildVersion: 15.6
ARG SLE_VERSION
FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro
FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base
COPY --from=micro / /installroot/
RUN zypper --installroot /installroot --non-interactive install --no-recommends metallb-speaker; zypper -n clean; rm -rf /var/log/*
FROM micro AS final
# Define labels according to https://en.opensuse.org/Building_derived_containers
# labelprefix=com.suse.application.metallb
LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)"
LABEL org.opencontainers.image.title="SLE Metallb Speaker Container Image"
LABEL org.opencontainers.image.description="metallb-speaker based on the SLE Base Container Image."
LABEL org.opencontainers.image.version="%%metallb-speaker_version%%"
LABEL org.opencontainers.image.url="https://www.suse.com/products/server/"
LABEL org.opencontainers.image.created="%BUILDTIME%"
LABEL org.opencontainers.image.vendor="SUSE LLC"
LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%metallb-speaker:v%%metallb-speaker_version%%-%RELEASE%"
LABEL org.openbuildservice.disturl="%DISTURL%"
LABEL com.suse.supportlevel="l3"
LABEL com.suse.eula="SUSE Combined EULA February 2024"
LABEL com.suse.lifecycle-url="https://www.suse.com/lifecycle"
LABEL com.suse.image-type="application"
LABEL com.suse.release-stage="released"
# endlabelprefix
COPY --from=base /installroot /
ENTRYPOINT ["/speaker"]

View File

@ -0,0 +1,17 @@
<services>
<service mode="buildtime" name="kiwi_metainfo_helper"/>
<service mode="buildtime" name="docker_label_helper"/>
<service name="replace_using_package_version" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="regex">%%metallb-speaker_version%%</param>
<param name="package">metallb-speaker</param>
<param name="parse-version">patch</param>
</service>
<service name="replace_using_env" mode="buildtime">
<param name="file">Dockerfile</param>
<param name="eval">IMG_PREFIX=$(rpm --macros=/root/.rpmmacros -E %{?img_prefix})</param>
<param name="var">IMG_PREFIX</param>
<param name="eval">IMG_REPO=$(rpm --macros=/root/.rpmmacros -E %img_repo)</param>
<param name="var">IMG_REPO</param>
</service>
</services>

23
metallb/_service Normal file
View File

@ -0,0 +1,23 @@
<services>
<service name="obs_scm">
<param name="url">https://github.com/metallb/metallb</param>
<param name="scm">git</param>
<param name="revision">v0.14.8</param>
<param name="version">_auto_</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">kristian.zhelyazkov@suse.com</param>
<param name="match-tag">v*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="without-version">yes</param>
<param name="versionrewrite-replacement">\1</param>
</service>
<service mode="buildtime" name="tar" />
<service mode="buildtime" name="recompress">
<param name="file">*.tar</param>
<param name="compression">gz</param>
</service>
<service name="go_modules">
</service>
<service mode="buildtime" name="set_version" />
</services>

78
metallb/metallb.spec Normal file
View File

@ -0,0 +1,78 @@
#
# spec file for package metallb
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: metallb
Version: 0.14.8
Release: 0.14.8
Summary: Load Balancer for bare metal Kubernetes clusters
License: Apache-2.0
URL: https://github.com/metallb/metallb
Source: %{name}-%{version}.tar.gz
Source1: vendor.tar.gz
BuildRequires: golang(API) = 1.22
ExcludeArch: s390
ExcludeArch: %{ix86}
%description
MetalLB is a load-balancer implementation for bare metal Kubernetes clusters, using standard routing protocols.
%package controller
Summary: MetalLB controller binary
Group: System/Management
%description controller
MetalLB is a load-balancer implementation for bare metal Kubernetes clusters, using standard routing protocols.
This package contains the controller binary.
%package speaker
Summary: MetalLB speaker binary
Group: System/Management
%description speaker
MetalLB is a load-balancer implementation for bare metal Kubernetes clusters, using standard routing protocols.
This package contains the speaker binary.
%prep
%autosetup -p1 -a1
# Add frr-tools/reloader
cp ./frr-tools/reloader/frr-reloader.sh frr-reloader.sh
%build
go install -v -mod vendor -buildmode=pie ./controller ./speaker ./frr-tools/metrics
mv $HOME/go/bin/metrics $HOME/go/bin/frr-metrics
%install
# Install the binary.
mkdir -p %{buildroot}%{_sbindir}/
install -D -m 0755 $HOME/go/bin/controller %{buildroot}/
install -D -m 0755 $HOME/go/bin/speaker %{buildroot}/
install -D -m 0755 $HOME/go/bin/frr-metrics %{buildroot}/
install -D -m 0755 frr-reloader.sh %{buildroot}/
%files controller
%license LICENSE
/controller
%files speaker
%license LICENSE
/speaker
/frr-metrics
/frr-reloader.sh
%changelog