Nicolas Belouin
6ace2c6f09
Some checks are pending
OBS SCM/CI Workflow Integration started
Signed-off-by: Nicolas Belouin <nicolas.belouin@suse.com>
569 lines
21 KiB
YAML
569 lines
21 KiB
YAML
{{- if .Values.speaker.frr.enabled }}
|
|
{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
|
|
{{- fail "speaker.frr.enabled and frrk8s.enabled / external are mutually exclusive!" }}
|
|
{{- end }}
|
|
{{- end }}
|
|
|
|
{{- if and .Values.frrk8s.enabled .Values.frrk8s.external }}
|
|
{{- fail "frrk8s.enabled frrk8s.external are mutually exclusive!" }}
|
|
{{- end }}
|
|
|
|
{{- if .Values.speaker.frr.enabled }}
|
|
|
|
# FRR expects to have these files owned by frr:frr on startup.
|
|
# Having them in a ConfigMap allows us to modify behaviors: for example enabling more daemons on startup.
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {{ template "metallb.fullname" . }}-frr-startup
|
|
namespace: {{ .Release.Namespace | quote }}
|
|
labels:
|
|
{{- include "metallb.labels" . | nindent 4 }}
|
|
app.kubernetes.io/component: speaker
|
|
data:
|
|
daemons: |
|
|
# This file tells the frr package which daemons to start.
|
|
#
|
|
# Sample configurations for these daemons can be found in
|
|
# /usr/share/doc/frr/examples/.
|
|
#
|
|
# ATTENTION:
|
|
#
|
|
# When activating a daemon for the first time, a config file, even if it is
|
|
# empty, has to be present *and* be owned by the user and group "frr", else
|
|
# the daemon will not be started by /etc/init.d/frr. The permissions should
|
|
# be u=rw,g=r,o=.
|
|
# When using "vtysh" such a config file is also needed. It should be owned by
|
|
# group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too.
|
|
#
|
|
# The watchfrr and zebra daemons are always started.
|
|
#
|
|
bgpd=yes
|
|
ospfd=no
|
|
ospf6d=no
|
|
ripd=no
|
|
ripngd=no
|
|
isisd=no
|
|
pimd=no
|
|
ldpd=no
|
|
nhrpd=no
|
|
eigrpd=no
|
|
babeld=no
|
|
sharpd=no
|
|
pbrd=no
|
|
bfdd=yes
|
|
fabricd=no
|
|
vrrpd=no
|
|
|
|
#
|
|
# If this option is set the /etc/init.d/frr script automatically loads
|
|
# the config via "vtysh -b" when the servers are started.
|
|
# Check /etc/pam.d/frr if you intend to use "vtysh"!
|
|
#
|
|
vtysh_enable=yes
|
|
zebra_options=" -A 127.0.0.1 -s 90000000"
|
|
bgpd_options=" -A 127.0.0.1 -p 0"
|
|
ospfd_options=" -A 127.0.0.1"
|
|
ospf6d_options=" -A ::1"
|
|
ripd_options=" -A 127.0.0.1"
|
|
ripngd_options=" -A ::1"
|
|
isisd_options=" -A 127.0.0.1"
|
|
pimd_options=" -A 127.0.0.1"
|
|
ldpd_options=" -A 127.0.0.1"
|
|
nhrpd_options=" -A 127.0.0.1"
|
|
eigrpd_options=" -A 127.0.0.1"
|
|
babeld_options=" -A 127.0.0.1"
|
|
sharpd_options=" -A 127.0.0.1"
|
|
pbrd_options=" -A 127.0.0.1"
|
|
staticd_options="-A 127.0.0.1"
|
|
bfdd_options=" -A 127.0.0.1"
|
|
fabricd_options="-A 127.0.0.1"
|
|
vrrpd_options=" -A 127.0.0.1"
|
|
|
|
# configuration profile
|
|
#
|
|
#frr_profile="traditional"
|
|
#frr_profile="datacenter"
|
|
|
|
#
|
|
# This is the maximum number of FD's that will be available.
|
|
# Upon startup this is read by the control files and ulimit
|
|
# is called. Uncomment and use a reasonable value for your
|
|
# setup if you are expecting a large number of peers in
|
|
# say BGP.
|
|
#MAX_FDS=1024
|
|
|
|
# The list of daemons to watch is automatically generated by the init script.
|
|
#watchfrr_options=""
|
|
|
|
# for debugging purposes, you can specify a "wrap" command to start instead
|
|
# of starting the daemon directly, e.g. to use valgrind on ospfd:
|
|
# ospfd_wrap="/usr/bin/valgrind"
|
|
# or you can use "all_wrap" for all daemons, e.g. to use perf record:
|
|
# all_wrap="/usr/bin/perf record --call-graph -"
|
|
# the normal daemon command is added to this at the end.
|
|
vtysh.conf: |+
|
|
service integrated-vtysh-config
|
|
frr.conf: |+
|
|
! This file gets overriden the first time the speaker renders a config.
|
|
! So anything configured here is only temporary.
|
|
frr version 8.0
|
|
frr defaults traditional
|
|
hostname Router
|
|
line vty
|
|
log file /etc/frr/frr.log informational
|
|
{{- end }}
|
|
---
|
|
{{- if .Values.speaker.enabled }}
|
|
apiVersion: apps/v1
|
|
kind: DaemonSet
|
|
metadata:
|
|
name: {{ template "metallb.fullname" . }}-speaker
|
|
namespace: {{ .Release.Namespace | quote }}
|
|
labels:
|
|
{{- include "metallb.labels" . | nindent 4 }}
|
|
app.kubernetes.io/component: speaker
|
|
{{- range $key, $value := .Values.speaker.labels }}
|
|
{{ $key }}: {{ $value | quote }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if .Values.speaker.updateStrategy }}
|
|
updateStrategy: {{- toYaml .Values.speaker.updateStrategy | nindent 4 }}
|
|
{{- end }}
|
|
selector:
|
|
matchLabels:
|
|
{{- include "metallb.selectorLabels" . | nindent 6 }}
|
|
app.kubernetes.io/component: speaker
|
|
template:
|
|
metadata:
|
|
{{- if or .Values.prometheus.scrapeAnnotations .Values.speaker.podAnnotations }}
|
|
annotations:
|
|
{{- if .Values.prometheus.scrapeAnnotations }}
|
|
prometheus.io/scrape: "true"
|
|
{{- if not .Values.speaker.frr.enabled }}
|
|
prometheus.io/port: "{{ .Values.prometheus.metricsPort }}"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.speaker.podAnnotations }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
labels:
|
|
{{- include "metallb.selectorLabels" . | nindent 8 }}
|
|
app.kubernetes.io/component: speaker
|
|
{{- range $key, $value := .Values.speaker.labels }}
|
|
{{ $key }}: {{ $value | quote }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if .Values.speaker.runtimeClassName }}
|
|
runtimeClassName: {{ .Values.speaker.runtimeClassName }}
|
|
{{- end }}
|
|
{{- with .Values.imagePullSecrets }}
|
|
imagePullSecrets:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
serviceAccountName: {{ template "metallb.speaker.serviceAccountName" . }}
|
|
terminationGracePeriodSeconds: 0
|
|
hostNetwork: true
|
|
{{- if .Values.speaker.securityContext }}
|
|
securityContext:
|
|
{{- toYaml .Values.speaker.securityContext | nindent 8 }}
|
|
{{- end }}
|
|
volumes:
|
|
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
|
|
- name: metrics-certs
|
|
secret:
|
|
secretName: {{ .Values.prometheus.speakerMetricsTLSSecret }}
|
|
{{- end }}
|
|
{{- if .Values.speaker.memberlist.enabled }}
|
|
- name: memberlist
|
|
secret:
|
|
secretName: {{ include "metallb.secretName" . }}
|
|
defaultMode: 420
|
|
{{- end }}
|
|
{{- if .Values.speaker.excludeInterfaces.enabled }}
|
|
- name: metallb-excludel2
|
|
configMap:
|
|
defaultMode: 256
|
|
name: metallb-excludel2
|
|
{{- end }}
|
|
{{- if .Values.speaker.frr.enabled }}
|
|
- name: frr-sockets
|
|
emptyDir: {}
|
|
- name: frr-startup
|
|
configMap:
|
|
name: {{ template "metallb.fullname" . }}-frr-startup
|
|
- name: frr-conf
|
|
emptyDir: {}
|
|
- name: reloader
|
|
emptyDir: {}
|
|
- name: metrics
|
|
emptyDir: {}
|
|
initContainers:
|
|
# Copies the initial config files with the right permissions to the shared volume.
|
|
- name: cp-frr-files
|
|
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
|
|
securityContext:
|
|
runAsUser: 100
|
|
runAsGroup: 101
|
|
command: ["/bin/sh", "-c", "cp -rLf /tmp/frr/* /etc/frr/"]
|
|
volumeMounts:
|
|
- name: frr-startup
|
|
mountPath: /tmp/frr
|
|
- name: frr-conf
|
|
mountPath: /etc/frr
|
|
# Copies the reloader to the shared volume between the speaker and reloader.
|
|
- name: cp-reloader
|
|
image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
|
|
command: ["/cp-tool","/frr-reloader.sh","/etc/frr_reloader/frr-reloader.sh"]
|
|
volumeMounts:
|
|
- name: reloader
|
|
mountPath: /etc/frr_reloader
|
|
# Copies the metrics exporter
|
|
- name: cp-metrics
|
|
image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
|
|
command: ["/cp-tool","/frr-metrics","/etc/frr_metrics/frr-metrics"]
|
|
volumeMounts:
|
|
- name: metrics
|
|
mountPath: /etc/frr_metrics
|
|
shareProcessNamespace: true
|
|
{{- end }}
|
|
containers:
|
|
- name: speaker
|
|
image: {{ .Values.speaker.image.repository }}:{{ .Values.speaker.image.tag | default .Chart.AppVersion }}
|
|
{{- if .Values.speaker.image.pullPolicy }}
|
|
imagePullPolicy: {{ .Values.speaker.image.pullPolicy }}
|
|
{{- end }}
|
|
{{- if .Values.speaker.command }}
|
|
command:
|
|
- {{ .Values.speaker.command }}
|
|
{{- end }}
|
|
args:
|
|
- --port={{ .Values.prometheus.metricsPort }}
|
|
{{- with .Values.speaker.logLevel }}
|
|
- --log-level={{ . }}
|
|
{{- end }}
|
|
{{- if .Values.loadBalancerClass }}
|
|
- --lb-class={{ .Values.loadBalancerClass }}
|
|
{{- end }}
|
|
{{- if .Values.speaker.wanConfig }}
|
|
- --ml-wan-config
|
|
{{- end }}
|
|
{{- if .Values.speaker.ignoreExcludeLB}}
|
|
- --ignore-exclude-lb
|
|
{{- end }}
|
|
{{- if .Values.prometheus.secureMetricsPort }}
|
|
- --host=localhost
|
|
{{- end }}
|
|
{{- if .Values.frrk8s.external }}
|
|
- --frrk8s-namespace={{ required "namespace is required when frrk8s is external" .Values.frrk8s.namespace }}
|
|
{{- end }}
|
|
env:
|
|
- name: METALLB_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: METALLB_HOST
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.hostIP
|
|
{{- if .Values.speaker.memberlist.enabled }}
|
|
{{- if .Values.speaker.memberlist.mlBindAddrOverride }}
|
|
- name: METALLB_ML_BIND_ADDR
|
|
value: "{{ .Values.speaker.memberlist.mlBindAddrOverride }}"
|
|
{{ else }}
|
|
- name: METALLB_ML_BIND_ADDR
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.podIP
|
|
{{ end }}
|
|
- name: METALLB_ML_LABELS
|
|
value: "app.kubernetes.io/name={{ include "metallb.name" . }},app.kubernetes.io/component=speaker"
|
|
- name: METALLB_ML_BIND_PORT
|
|
value: "{{ .Values.speaker.memberlist.mlBindPort }}"
|
|
- name: METALLB_ML_SECRET_KEY_PATH
|
|
value: "{{ .Values.speaker.memberlist.mlSecretKeyPath }}"
|
|
{{- end }}
|
|
{{- if .Values.speaker.frr.enabled }}
|
|
- name: FRR_CONFIG_FILE
|
|
value: /etc/frr_reloader/frr.conf
|
|
- name: FRR_RELOADER_PID_FILE
|
|
value: /etc/frr_reloader/reloader.pid
|
|
- name: METALLB_BGP_TYPE
|
|
value: frr
|
|
{{- end }}
|
|
{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
|
|
- name: METALLB_BGP_TYPE
|
|
value: frr-k8s
|
|
{{- end }}
|
|
- name: METALLB_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
ports:
|
|
- name: monitoring
|
|
containerPort: {{ .Values.prometheus.metricsPort }}
|
|
{{- if .Values.speaker.memberlist.enabled }}
|
|
- name: memberlist-tcp
|
|
containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
|
|
protocol: TCP
|
|
- name: memberlist-udp
|
|
containerPort: {{ .Values.speaker.memberlist.mlBindPort }}
|
|
protocol: UDP
|
|
{{- end }}
|
|
{{- if .Values.speaker.livenessProbe.enabled }}
|
|
livenessProbe:
|
|
httpGet:
|
|
{{- if .Values.prometheus.secureMetricsPort }}
|
|
host: localhost
|
|
{{- end }}
|
|
path: /metrics
|
|
port: monitoring
|
|
initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }}
|
|
successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }}
|
|
failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
|
|
{{- end }}
|
|
{{- if .Values.speaker.readinessProbe.enabled }}
|
|
readinessProbe:
|
|
httpGet:
|
|
{{- if .Values.prometheus.secureMetricsPort }}
|
|
host: localhost
|
|
{{- end }}
|
|
path: /metrics
|
|
port: monitoring
|
|
initialDelaySeconds: {{ .Values.speaker.readinessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.speaker.readinessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.speaker.readinessProbe.timeoutSeconds }}
|
|
successThreshold: {{ .Values.speaker.readinessProbe.successThreshold }}
|
|
failureThreshold: {{ .Values.speaker.readinessProbe.failureThreshold }}
|
|
{{- end }}
|
|
{{- with .Values.speaker.resources }}
|
|
resources:
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
add:
|
|
- NET_RAW
|
|
{{- if or .Values.speaker.frr.enabled .Values.speaker.memberlist.enabled .Values.speaker.excludeInterfaces.enabled }}
|
|
volumeMounts:
|
|
{{- if .Values.speaker.memberlist.enabled }}
|
|
- name: memberlist
|
|
mountPath: {{ .Values.speaker.memberlist.mlSecretKeyPath }}
|
|
{{- end }}
|
|
{{- if .Values.speaker.frr.enabled }}
|
|
- name: reloader
|
|
mountPath: /etc/frr_reloader
|
|
{{- end }}
|
|
{{- if .Values.speaker.excludeInterfaces.enabled }}
|
|
- name: metallb-excludel2
|
|
mountPath: /etc/metallb
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.speaker.frr.enabled }}
|
|
- name: frr
|
|
securityContext:
|
|
capabilities:
|
|
add:
|
|
- NET_ADMIN
|
|
- NET_RAW
|
|
- SYS_ADMIN
|
|
- NET_BIND_SERVICE
|
|
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
|
|
{{- if .Values.speaker.frr.image.pullPolicy }}
|
|
imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
|
|
{{- end }}
|
|
env:
|
|
- name: TINI_SUBREAPER
|
|
value: "true"
|
|
volumeMounts:
|
|
- name: frr-sockets
|
|
mountPath: /var/run/frr
|
|
- name: frr-conf
|
|
mountPath: /etc/frr
|
|
# The command is FRR's default entrypoint & waiting for the log file to appear and tailing it.
|
|
# If the log file isn't created in 60 seconds the tail fails and the container is restarted.
|
|
# This workaround is needed to have the frr logs as part of kubectl logs -c frr < speaker_pod_name >.
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- |
|
|
/sbin/tini -- /usr/lib/frr/docker-start &
|
|
attempts=0
|
|
until [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do
|
|
sleep 1
|
|
attempts=$(( $attempts + 1 ))
|
|
done
|
|
tail -f /etc/frr/frr.log
|
|
{{- with .Values.speaker.frr.resources }}
|
|
resources:
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.speaker.livenessProbe.enabled }}
|
|
livenessProbe:
|
|
httpGet:
|
|
{{- if .Values.prometheus.secureMetricsPort }}
|
|
host: localhost
|
|
{{- end }}
|
|
path: livez
|
|
port: {{ .Values.speaker.frr.metricsPort }}
|
|
initialDelaySeconds: {{ .Values.speaker.livenessProbe.initialDelaySeconds }}
|
|
periodSeconds: {{ .Values.speaker.livenessProbe.periodSeconds }}
|
|
timeoutSeconds: {{ .Values.speaker.livenessProbe.timeoutSeconds }}
|
|
successThreshold: {{ .Values.speaker.livenessProbe.successThreshold }}
|
|
failureThreshold: {{ .Values.speaker.livenessProbe.failureThreshold }}
|
|
{{- end }}
|
|
{{- if .Values.speaker.startupProbe.enabled }}
|
|
startupProbe:
|
|
httpGet:
|
|
{{- if .Values.prometheus.secureMetricsPort }}
|
|
host: localhost
|
|
{{- end }}
|
|
path: /livez
|
|
port: {{ .Values.speaker.frr.metricsPort }}
|
|
failureThreshold: {{ .Values.speaker.startupProbe.failureThreshold }}
|
|
periodSeconds: {{ .Values.speaker.startupProbe.periodSeconds }}
|
|
{{- end }}
|
|
- name: reloader
|
|
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
|
|
{{- if .Values.speaker.frr.image.pullPolicy }}
|
|
imagePullPolicy: {{ .Values.speaker.frr.image.pullPolicy }}
|
|
{{- end }}
|
|
command: ["/etc/frr_reloader/frr-reloader.sh"]
|
|
volumeMounts:
|
|
- name: frr-sockets
|
|
mountPath: /var/run/frr
|
|
- name: frr-conf
|
|
mountPath: /etc/frr
|
|
- name: reloader
|
|
mountPath: /etc/frr_reloader
|
|
{{- with .Values.speaker.reloader.resources }}
|
|
resources:
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
- name: frr-metrics
|
|
image: {{ .Values.speaker.frr.image.repository }}:{{ .Values.speaker.frr.image.tag | default .Chart.AppVersion }}
|
|
command: ["/etc/frr_metrics/frr-metrics"]
|
|
args:
|
|
- --metrics-port={{ .Values.speaker.frr.metricsPort }}
|
|
{{- if .Values.prometheus.secureMetricsPort }}
|
|
- --host=localhost
|
|
{{- end }}
|
|
env:
|
|
- name: VTYSH_HISTFILE
|
|
value: /dev/null
|
|
ports:
|
|
- containerPort: {{ .Values.speaker.frr.metricsPort }}
|
|
name: monitoring
|
|
volumeMounts:
|
|
- name: frr-sockets
|
|
mountPath: /var/run/frr
|
|
- name: frr-conf
|
|
mountPath: /etc/frr
|
|
- name: metrics
|
|
mountPath: /etc/frr_metrics
|
|
{{- with .Values.speaker.frrMetrics.resources }}
|
|
resources:
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.prometheus.secureMetricsPort }}
|
|
- name: kube-rbac-proxy
|
|
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}
|
|
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
|
|
args:
|
|
- --logtostderr
|
|
- --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }}
|
|
- --upstream=http://localhost:{{ .Values.prometheus.metricsPort }}/
|
|
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
|
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
|
|
- --tls-private-key-file=/etc/metrics/tls.key
|
|
- --tls-cert-file=/etc/metrics/tls.crt
|
|
{{- end }}
|
|
ports:
|
|
- containerPort: {{ .Values.prometheus.secureMetricsPort }}
|
|
name: metricshttps
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 20Mi
|
|
terminationMessagePolicy: FallbackToLogsOnError
|
|
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
|
|
volumeMounts:
|
|
- name: metrics-certs
|
|
mountPath: /etc/metrics
|
|
readOnly: true
|
|
{{- end }}
|
|
{{ end }}
|
|
{{- if .Values.speaker.frr.enabled }}
|
|
{{- if .Values.speaker.frr.secureMetricsPort }}
|
|
- name: kube-rbac-proxy-frr
|
|
image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }}
|
|
imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }}
|
|
args:
|
|
- --logtostderr
|
|
- --secure-listen-address=:{{ .Values.speaker.frr.secureMetricsPort }}
|
|
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
|
- --upstream=http://localhost:{{ .Values.speaker.frr.metricsPort }}/
|
|
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
|
|
- --tls-private-key-file=/etc/metrics/tls.key
|
|
- --tls-cert-file=/etc/metrics/tls.crt
|
|
{{- end }}
|
|
ports:
|
|
- containerPort: {{ .Values.speaker.frr.secureMetricsPort }}
|
|
name: frrmetricshttps
|
|
env:
|
|
- name: METALLB_HOST
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.hostIP
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 20Mi
|
|
terminationMessagePolicy: FallbackToLogsOnError
|
|
{{- if .Values.prometheus.speakerMetricsTLSSecret }}
|
|
volumeMounts:
|
|
- name: metrics-certs
|
|
mountPath: /etc/metrics
|
|
readOnly: true
|
|
{{- end }}
|
|
{{ end }}
|
|
{{- end }}
|
|
{{- if .Values.speaker.extraContainers }}
|
|
{{- toYaml .Values.speaker.extraContainers | nindent 6 }}
|
|
{{- end }}
|
|
nodeSelector:
|
|
"kubernetes.io/os": linux
|
|
{{- with .Values.speaker.nodeSelector }}
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- with .Values.speaker.affinity }}
|
|
affinity:
|
|
{{- toYaml . | nindent 8 }}
|
|
{{- end }}
|
|
{{- if or .Values.speaker.tolerateMaster .Values.speaker.tolerations }}
|
|
tolerations:
|
|
{{- if .Values.speaker.tolerateMaster }}
|
|
- key: node-role.kubernetes.io/master
|
|
effect: NoSchedule
|
|
operator: Exists
|
|
- key: node-role.kubernetes.io/control-plane
|
|
effect: NoSchedule
|
|
operator: Exists
|
|
{{- end }}
|
|
{{- with .Values.speaker.tolerations }}
|
|
{{- toYaml . | nindent 6 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .Values.speaker.priorityClassName }}
|
|
priorityClassName: {{ . | quote }}
|
|
{{- end }}
|
|
{{- end }}
|